Cisco Acs 57 User Guide

    							45   
    Managing Access Policies
    Security Group Access Control Pages
    Related Topics
    Compound Condition Building Blocks, page 40
    Types of Compound Conditions, page 41
    Security Group Access Control Pages
    This section contains the following topics:
    Egress Policy Matrix Page, page 45
    Editing a Cell in the Egress Policy Matrix, page 46
    Defining a Default Policy for Egress Policy Page, page 46
    NDAC Policy Page, page 47
    NDAC Policy Properties Page, page 48
    Network Device Access EAP-FAST Settings Page, page 49
    Egress Policy Matrix Page
    The Egress policy, also known as an SGACL policy, determines which SGACLs to apply at the Egress points of the 
    network, based on the source and destination SGTs. ACS presents the Egress policy as a matrix; it displays all the 
    security groups in the source and destination axes. Each cell in the matrix can contain a set of ACLs to apply to the 
    corresponding source and destination SGTs. 
    The network devices add the default policy to the specific policies that you defined for the cells. For empty cells, only 
    the default policy applies.
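    The cell-plus-default composition described above, as an added worked example in Python (not code from the ACS guide or from Cisco): it resolves the SGACLs an enforcement point applies for a source/destination SGT pair, walks their ACEs in order with first match winning (modelled here as for other ACLs), and shows why the Default Policy's final catch-all (Permit All or Deny All, see Table 104) decides what an empty cell allows. The SGT numbers, SGACL names and the simplified ACE fields are constructed for the example.

```python
"""Egress (SGACL) policy resolution: cell SGACLs followed by the default policy.

Added example; it is not code from the ACS guide or from Cisco. It models only
the semantics stated in the text: the SGACLs in a matrix cell apply to that
(source SGT, destination SGT) pair in the configured order, network devices add
the default policy after the cell's SGACLs, an empty cell gets the default
policy alone, and the default policy ends in a Permit All or Deny All catch-all.
The SGT numbers, SGACL names and the ACE shape below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp", or "ip" for any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass(frozen=True)
class Sgacl:
    name: str
    aces: Tuple[Ace, ...]


@dataclass
class EgressPolicy:
    # (source SGT, destination SGT) -> ordered SGACLs configured in that cell
    cells: Dict[Tuple[int, int], List[Sgacl]] = field(default_factory=dict)
    default_acls: List[Sgacl] = field(default_factory=list)
    catch_all: str = "deny"          # "deny" = Deny All, "permit" = Permit All

    def effective_acls(self, src_sgt: int, dst_sgt: int) -> List[Sgacl]:
        """What the enforcement point ends up applying for this SGT pair."""
        return list(self.cells.get((src_sgt, dst_sgt), [])) + list(self.default_acls)

    def decide(self, src_sgt: int, dst_sgt: int, proto: str,
               dst_port: Optional[int] = None) -> Tuple[str, str]:
        """First matching ACE wins; returns (action, SGACL name or 'catch-all')."""
        for acl in self.effective_acls(src_sgt, dst_sgt):
            for ace in acl.aces:
                if ace.matches(proto, dst_port):
                    return ace.action, acl.name
        return self.catch_all, "catch-all"


# Constructed SGTs: 10 = Employees, 20 = Servers, 30 = Guests.
EMPLOYEES, SERVERS, GUESTS = 10, 20, 30

WEB_ONLY = Sgacl("Web_Only", (Ace("permit", "tcp", 443), Ace("deny", "tcp", 22)))
ICMP_OK = Sgacl("ICMP_Ok", (Ace("permit", "icmp"),))


def build_policy(catch_all: str = "deny") -> EgressPolicy:
    policy = EgressPolicy(catch_all=catch_all)
    policy.cells[(EMPLOYEES, SERVERS)] = [WEB_ONLY]   # the one populated cell
    policy.default_acls = [ICMP_OK]                   # default policy, added to every cell
    return policy                                     # (GUESTS, SERVERS) is left empty


def demo() -> Dict[str, Tuple[str, str]]:
    deny_all = build_policy("deny")
    permit_all = build_policy("permit")
    return {
        "emp->srv tcp/443": deny_all.decide(EMPLOYEES, SERVERS, "tcp", 443),
        "emp->srv tcp/22": deny_all.decide(EMPLOYEES, SERVERS, "tcp", 22),
        "emp->srv icmp": deny_all.decide(EMPLOYEES, SERVERS, "icmp"),
        "emp->srv udp/53": deny_all.decide(EMPLOYEES, SERVERS, "udp", 53),
        "guest->srv icmp": deny_all.decide(GUESTS, SERVERS, "icmp"),
        "guest->srv tcp/22": deny_all.decide(GUESTS, SERVERS, "tcp", 22),
        # the same empty cell under a Permit All catch-all: the traffic is allowed
        "guest->srv tcp/22 (Permit All)": permit_all.decide(GUESTS, SERVERS, "tcp", 22),
    }


if __name__ == "__main__":
    for label, (action, source) in demo().items():
        print(f"{label:32} {action:6} via {source}")
```

    Run as a script it prints each decision and the SGACL that produced it. The two Guests to Servers cases are the point: that cell is empty, so only the default policy applies, and with Permit All as the catch-all the empty cell is an open path. Deny All as the catch-all with explicit per-cell permits is the conservative choice.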
    Use the Egress policy matrix to view, define, and edit the sets of ACLs to apply to the corresponding source and 
    destination SGTs.
    Table 101 Expression Builder Fields (continued)
    Field / Description
    Current Condition Set
        Use this section to organize the order of conditions and the logical operators that operate on or between 
        binary conditions.
    Condition list
        Displays a list of defined binary conditions for the compound conditions and their associated logical 
        operators.
    Add
        After you define a binary condition, click Add to add it to the Condition list.
    Edit
        To edit a binary condition, select the condition in the Condition list and click Edit. The condition properties 
        appear in the Condition fields. Modify the condition as required, then click Replace.
    Replace
        Click to replace the selected condition with the condition currently defined in the Condition fields.
    And / Or
        Specifies the logical operator on a selected condition, or between the selected condition and the one above 
        it. Click the appropriate operator, and click Insert to add the operator as a separate line; click the operator 
        and click Replace to replace the selected line.
    Delete
        Click to delete the selected binary condition or operator from the condition list.
    Preview
        Click to display the current expression in its parenthesized representation. The rule table displays 
        the parenthesized representation after the compound expression is created.
    To display this page, choose Access Policies > Security Group Access Control > Egress Policy.
    Table 102 Egress Policy Matrix Page
    Option / Description
    Destination Security Group
        Column header displaying all destination security groups.
    Source Security Group
        Row header displaying all source security groups.
    Cells
        Contain the SGACLs to apply to the corresponding source and destination security group.
    Edit
        Click a cell, then click Edit to open the Edit dialog box for that cell. See Editing a Cell in the Egress 
        Policy Matrix, page 46.
    Default Policy
        Click to open a dialog box to define the default Egress policy. See Defining a Default Policy for Egress 
        Policy Page, page 46.
    Set Matrix View
        To change the Egress policy matrix display, choose an option, then click Go:
        All—Clears all the rows and columns in the Egress policy matrix.
        Customize View—Launches a window where you can customize source and destination security 
        groups corresponding to the selected cell.
    Related Topic
    Creating an Egress Policy, page 25
    Editing a Cell in the Egress Policy Matrix
    Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply to the corresponding 
    source and destination security group.
    To display this page, choose Access Policies > Security Group Access Control > Egress Policy, select a cell, then click 
    Edit.
    Table 103 Edit Cell Page
    Option / Description
    Configure Security Groups
        Display only. Displays the source and destination security group name for the selected cell.
    General
        Description for the cell policy.
    ACLs
        Move the SGACLs that you want to apply to the corresponding source and destination security group 
        from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and 
        Down (v) arrows.
    Related Topic
    Creating an Egress Policy, page 25
    Defining a Default Policy for Egress Policy Page
    Use this page to define the default Egress policy. The network devices add the default policy to the specific policies 
    defined for the cells. For empty cells, only the default policy applies.
    To display this page, choose Access Policies > Security Group Access Control > Egress Policy, then click Default 
    Policy.
    Table 104 Default Policy Page
    Option / Description
    ACLs
        Move the SGACLs that you want to apply to the corresponding source and destination security group 
        from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and 
        Down (v) arrows.
        Select Permit All or Deny All as a final catch-all rule.
    Related Topics
    Creating an Egress Policy, page 25
    Creating a Default Policy, page 26
    NDAC Policy Page
    The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group 
    Access environment. The NDAC policy handles:
    Peer authorization requests from one device about its neighbor.
    Environment requests (a device is collecting information about itself).
    The policy returns the same SGT for a specific device, regardless of the request type.
    Note: You do not add an NDAC policy to an access service; it is implemented by default. However, for endpoint admission 
    control, you must define an access service and session authorization policy. See Configuring Network Access 
    Authorization Rule Properties, page 31, for information about creating a session authorization policy.
    Use this page to configure a simple policy that assigns the same security group to all devices, or configure a rule-based 
    policy.
    To display this page, choose Access Policies > Security Group Access Control > Network Device Access > 
    Authentication Policy.
    If you have already configured an NDAC policy, the corresponding Simple Policy page or Rule-based Policy page opens; 
    otherwise, the Simple Policy page opens by default.
    Simple Policy Page
    Use this page to define a simple NDAC policy.
    Table 105 Simple NDAC Policy Page
    Option / Description
    Policy type
        Defines the type of policy to configure:
        Simple—Specifies that the result applies to all requests.
        Rule-based—Configure rules to apply different results depending on the request.
        If you switch between policy types, you will lose your previously saved policy configuration.
    Security Group
        Select the security group to assign to devices. The default is Unknown.
    Rule-Based Policy Page
    Use this page for a rule-based policy to:
    View rules.
    Delete rules.
    Open pages that create, duplicate, edit, and customize rules.
    Table 106 Rule-Based NDAC Policy Page
    Option / Description
    Policy type
        Defines the type of policy to configure:
        Simple—Specifies the result to apply to all requests.
        Rule-based—Configure rules to apply different results depending on the request.
        If you switch between policy types, you will lose your previously saved policy configuration.
    Status
        Rule statuses are:
        Enabled—The rule is active.
        Disabled—ACS does not apply the results of the rule.
        Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count 
        are written to the log, and the log entry includes an identification that the rule is monitor only. The 
        monitor option is especially useful for watching the results of a new rule.
    Name
        Name of the rule. The Default Rule is available for conditions for which:
        Enabled rules are not matched.
        Rules are not defined.
        Click a link to edit or duplicate a rule.
        You can edit the Default Rule but you cannot delete, disable, or duplicate it.
    Conditions
        Conditions that you can use to define policy rules. To change the display of rule conditions, click the 
        Customize button. You must have previously defined the conditions that you want to use.
    Results
        Displays the security group assigned to the device when it matches the corresponding condition.
    Hit Count
        Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.
    Customize button
        Opens the Customize page in which you choose the types of conditions to use in policy rules. A new 
        Conditions column appears in the Policy page for each condition that you add. You do not need to use 
        the same set of conditions as in the corresponding authorization policy.
        Caution: If you remove a condition type after defining rules, you will lose any conditions that you 
        configured for that condition type.
    Hit Count button
        Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See 
        Displaying Hit Counts, page 9.
    Related Topics:
    Configuring an NDAC Policy, page 23
    NDAC Policy Properties Page, page 48
    NDAC Policy Properties Page
    Use this page to create, duplicate, and edit rules to determine the SGT for a device.
    To display this page, choose Access Policies > Security Group Access Control > Network Device Access > 
    Authentication Policy, then click Create, Edit, or Duplicate.
    Note: For endpoint admission control, you must define an access service and session authorization policy. See 
    Configuring Network Access Authorization Rule Properties, page 31, for information about creating a session 
    authorization policy.
    Table 107 NDAC Policy Properties Page
    Option / Description
    General
    Name
        Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum 
        configuration; all other fields are optional.
    Status
        Rule statuses are:
        Enabled—The rule is active.
        Disabled—ACS does not apply the results of the rule.
        Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count 
        are written to the log, and the log entry includes an identification that the rule is monitor only. The 
        monitor option is especially useful for watching the results of a new rule.
    Conditions
    conditions
        Conditions that you can configure for the rule. The default value for each condition is ANY. To change 
        the value for a condition, check the condition check box, then enter the value.
        If compound expression conditions are available, when you check Compound Expression, an 
        expression builder appears. For more information, see Configuring Compound Conditions, page 40.
        To change the list of conditions for the policy, click the Customize button in the NDAC Policy Page, 
        page 47.
    Results
    Security Group
        Select the security group to assign to the device when it matches the corresponding conditions.
    Related Topics:
    Configuring an NDAC Policy, page 23
    NDAC Policy Page, page 47
    Network Device Access EAP-FAST Settings Page
    Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses.
    To display this page, choose Access Policies > Security Group Access Control > Network Device Access.
    Table 108 Network Device Access EAP-FAST Settings Page
    Option / Description
    EAP-FAST Settings
    Tunnel PAC Time To Live
        Time to live (TTL), or duration, of a PAC before it expires and requires replacing.
    Proactive PAC Update When % of PAC TTL is Left
        Percentage of PAC TTL remaining when you should update the PAC.
    Related Topics:
    Configuring an NDAC Policy, page 23
    Configuring EAP-FAST Settings for Security Group Access, page 24
    NDAC Policy Page, page 47
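    How the rule-based NDAC policy of Tables 106 and 107 resolves a device's security group, as an added Python example (not code from the ACS guide or from Cisco): rules are tried in order, a condition left unchecked is ANY, Disabled rules are skipped, a matching Monitor rule is counted and logged as monitor only without its result being applied, and the Default Rule supplies the result when no Enabled rule matches. One assumption beyond the text: because a Monitor rule's result is not applied, evaluation continues past it. The condition names, device attributes, rule names and security groups are constructed.

```python
"""Rule-based NDAC policy evaluation with Enabled, Disabled and Monitor rules.

Added example; it is not code from the ACS guide or from Cisco. It models the
behaviour the tables describe: rules are checked in order, a condition left at
ANY matches everything, a Disabled rule is skipped, an Enabled rule that
matches supplies the security group, a Monitor rule that matches only records a
hit and a monitor-only log entry, and the Default Rule applies when no Enabled
rule matched. Assumption: evaluation continues past a matching Monitor rule.
Condition names, device attributes, rule names and security groups are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY = None   # a condition whose check box is left unchecked in the rule properties page


@dataclass
class Rule:
    name: str
    status: str                             # "Enabled", "Disabled" or "Monitor"
    conditions: Dict[str, Optional[str]]    # condition name -> required value, or ANY
    security_group: str                     # the Results > Security Group setting

    def matches(self, request: Dict[str, str]) -> bool:
        return all(v is ANY or request.get(k) == v for k, v in self.conditions.items())


@dataclass
class NdacPolicy:
    rules: List[Rule]
    default_group: str = "Unknown"          # result of the Default Rule
    hit_count: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _hit(self, name: str) -> None:
        self.hit_count[name] = self.hit_count.get(name, 0) + 1

    def evaluate(self, request: Dict[str, str]) -> str:
        for rule in self.rules:
            if rule.status == "Disabled" or not rule.matches(request):
                continue
            self._hit(rule.name)
            if rule.status == "Monitor":
                # Result is logged, not applied; assumption: evaluation carries on.
                self.log.append(f"{rule.name}: would assign {rule.security_group} [monitor only]")
                continue
            self.log.append(f"{rule.name}: assigned {rule.security_group}")
            return rule.security_group
        self._hit("Default Rule")
        self.log.append(f"Default Rule: assigned {self.default_group}")
        return self.default_group

    def reset_hit_counts(self) -> None:
        """What the Hit Count button's reset does."""
        self.hit_count.clear()


def build_policy() -> NdacPolicy:
    return NdacPolicy(rules=[
        Rule("Core-DC1", "Enabled", {"Device Type": "Switch", "Location": "DC1"}, "Core_Devices"),
        Rule("Switches-trial", "Monitor", {"Device Type": "Switch", "Location": ANY}, "Switches"),
        Rule("Legacy-all", "Disabled", {"Device Type": ANY, "Location": ANY}, "Legacy"),
    ])


def demo() -> Dict[str, object]:
    policy = build_policy()
    results: Dict[str, object] = {
        "dc1 switch": policy.evaluate({"Device Type": "Switch", "Location": "DC1"}),
        "dc2 switch": policy.evaluate({"Device Type": "Switch", "Location": "DC2"}),
        "router": policy.evaluate({"Device Type": "Router", "Location": "DC1"}),
    }
    results["hits"] = dict(policy.hit_count)
    results["log"] = list(policy.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The DC2 switch is the case to watch: the Monitor rule matches and its hit is recorded with the monitor-only marker, but the device still ends up in the Default Rule's group. That is the intended way to trial a new rule before enabling it.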
    Maximum User Sessions
    For optimal performance, you can limit the number of concurrent users accessing network resources. ACS 5.7 imposes 
    limits on the number of concurrent service sessions per user.
    The limits can be set in several ways: at the user level or at the group level. Depending on the maximum user session 
    configuration, the session count is applied to the user.
    Note: To make the maximum sessions work for user access, the administrator should configure RADIUS accounting.
    Note: To make the maximum sessions work for device management, the administrator should configure TACACS+ 
    session authorization and accounting. 
    This section contains the following topics:
    Maximum Session User Settings, page 50
    Maximum Session Group Settings, page 51
    Maximum Session Global Settings, page 52
    Purging User Sessions, page 53
    Maximum User Session in Distributed Environment, page 54
    Maximum User Session in Proxy Scenario, page 54
    Maximum Session User Settings
    You can configure the maximum number of sessions for each user globally.
    To configure maximum user sessions:
    1. Choose Access Policies > Max User Session Policy > Max Session User Settings.
    2. Specify a Max User Session Value, the maximum number of concurrent sessions permitted.
    3. Check the Unlimited Sessions check box if you want users to have unlimited sessions.
    4. Click Submit.
    Note: If the maximum number of sessions is configured at both the user and group level, the smaller value takes 
    precedence.
    For example:
    Given a user Bob in the group America:US:West with a maximum session value of 5 for the group and a 
    maximum session value of 10 for the user, Bob can have a maximum of 5 sessions only.
    Related Topics
    Maximum Session Group Settings, page 51
    Maximum Session Global Settings, page 52
    Purging User Sessions, page 53
    Maximum User Session in Distributed Environment, page 54
    Maximum User Session in Proxy Scenario, page 54
    Maximum Session Group Settings
    You can configure the maximum number of sessions for an identity group. A few users in the group can sometimes 
    consume all of the sessions; requests from other users to create a new session are then rejected because the number 
    of sessions has already reached the maximum configured value.
    ACS 5.7 therefore also allows you to configure a maximum session limit for any user in the group: each user belonging to 
    a specific Identity Group may open no more than the session limit, no matter how many sessions other users from the 
    same group have opened. There is no option to set up a session limit for a particular user.
    You configure the Maximum Sessions limit for users belonging to an identity group from the ACS web interface.
    The ACS 4.x migration utility includes migrating the maximum session configuration.
    When calculating the session limit for a particular user, the lowest configured value takes precedence, whether it is the 
    global session limit per user, the session limit per identity group that the user belongs to, or the session limit per user in 
    the group.
    To configure maximum sessions for a group:
    1. Choose Access Policies > Max User Session Policy > Max Session Group Settings.
       All the configured identity groups are listed.
    2. Check the check box of the group for which you want to configure a maximum number of sessions.
    3. Click Edit.
    4. Complete the fields as described in Table 109 on page 51.
    5. Click Submit.
    Table 109 Max Session Group Settings Page
    Option / Description
    General
    Name
        Name of the Identity Group.
    Description
        Description of the Identity Group.
    Max Session Group Settings
    Unlimited Session
        Check this check box if you want to provide unlimited sessions to the group.
    Max Session for Group
        Specify a value for the maximum number of concurrent sessions permitted for the group.
    Unlimited Sessions for Users in Group
        Check this check box if you want to provide unlimited sessions for each user in a group.
    Max Session for User in Group
        Specify a value for the maximum number of concurrent sessions permitted for each user 
        in a group. This option overrides the maximum number of sessions for a group.
    Unlimited is selected by default. Group-level session limits are applied based on the hierarchy. For example, the 
    group hierarchy is America:US:West:CA and the maximum sessions are as follows:
    America: 100 max sessions
    US: 80 max sessions
    West: 75 max sessions
    CA: 50 max sessions
    If Max Session for User in Group X is set to N, each user belonging to group X may open no more than N sessions.
    If the user belongs to America:US:West, ACS checks that the number of sessions does not exceed the limit 
    specified for each group on the path: America:US:West, America:US, and America. When you set the maximum number of 
    sessions of a user group to 100, the total count of all sessions established by all members of that group cannot exceed 
    100. Once the session is allowed, the Number of Active Sessions Availed counter for each of the three nodes is increased by 
    one. The ACS runtime component performs this validation during authentication.
    Note: If the maximum number of sessions is configured at the group level, at the user level within a group, and at 
    the user level globally, ACS applies the smallest of the three values.
    Related Topics
    Maximum Session User Settings, page 50
    Maximum Session Global Settings, page 52
    Purging User Sessions, page 53
    Maximum User Session in Distributed Environment, page 54
    Maximum User Session in Proxy Scenario, page 54
    Maximum Session Global Settings
    You can assign session keys for RADIUS and TACACS+ requests. A session key is built from a set of attributes of the 
    RADIUS or TACACS+ request. You can customize the session key attributes according to your environment. If you do not 
    assign a session key, ACS uses the default session key values.
    A session key is a unique key that is used to track user sessions. The session key helps ACS differentiate between a user 
    re-authenticating to the same session and a user starting a new session. The session key attributes for a single session 
    should be the same in the access request and in the accounting start packet, so that ACS can identify the session 
    properly. When ACS re-authenticates the same session, the same key is retained.
    To configure the global settings for maximum user sessions, choose System Administration > Users > Max User 
    Session Global Settings.
    Table 110 Max User Session Global Settings Page
    Option / Description
    RADIUS Session Key Assignment
    Available Session Keys
        RADIUS session keys available for assignment.
        Note: To use the RADIUS Acct-Session-Id (attribute 44) in the RADIUS session key, you must 
        configure the Acct-Session-Id to be sent in the access request:
        Router(config)# radius-server attribute 44 include-in-access-req
    Assigned Session Keys
        RADIUS session keys that have been assigned. The default session key for RADIUS is:
        UserName:NAS-Identifier:NAS-Port:Calling-Station-ID
    TACACS+ Session Key Assignment
    Available Session Keys
        TACACS+ session keys available for assignment.
    Assigned Session Keys
        TACACS+ session keys that have been assigned. The default session key for TACACS+ is:
        User:NAS-Address:Port:Remote-Address
    Max User Session Timeout Settings
    Unlimited Session Timeout
        No timeout.
    Max User Session Timeout
        Once the session timeout is reached, ACS sends a fake STOP packet to close the 
        respective session and updates the session count.
        Note: The user is not forced to log out of the device.
    Related Topics
    Maximum Session User Settings, page 50
    Maximum Session Group Settings, page 51
    Purging User Sessions, page 53
    Maximum User Session in Distributed Environment, page 54
    Maximum User Session in Proxy Scenario, page 54
    Purging User Sessions
    You can use the Purge option only when users are listed as Logged-in but the connection to the AAA client has been lost 
    and the users are no longer actually logged in.
    Purging does not log the user off the AAA client, but it decreases the session count by one. While the count 
    is zero, any interim update or STOP packet that arrives from the device is discarded. Because of this, if a user 
    logged in with the same user name and password on another AAA client, that session is not affected.
    Note: A fake accounting stop is sent irrespective of the session count value.
    To purge user sessions:
    1. Choose System Administration > Users > Purge User Sessions.
       The Purge User Sessions page appears with a list of all AAA clients.
    2. Select the AAA client for which you want to purge the user sessions.
    3. Click Get Logged-in User List.
       A list of all the logged-in users is displayed.
    4. Click Purge All Sessions to purge all the user sessions logged in to the particular AAA client.
    Related Topics
    Maximum Session User Settings, page 50
    Maximum Session Group Settings, page 51
    Maximum Session Global Settings, page 52
    Maximum User Session in Distributed Environment, page 54
    Maximum User Session in Proxy Scenario, page 54
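    The session key, the hierarchical group limits and the purge behaviour described in Maximum Session Group Settings, Maximum Session Global Settings and Purging User Sessions, as one added Python example (not code from the ACS guide or from Cisco). It builds the default RADIUS session key UserName:NAS-Identifier:NAS-Port:Calling-Station-ID from the request attributes, treats a request that carries an already-tracked key as a re-authentication rather than a new session, takes the smallest of the global per-user value and the Max Session for User in Group values along the group chain as the per-user limit, checks and increments the total of every ancestor group, and shows that a purge decrements the count without logging the user off, so a STOP that arrives later for the purged session is discarded. The group names, limits, NAS identifiers and attribute values are constructed, and a key attribute missing from the packet is assumed to contribute an empty field.

```python
"""Maximum-user-session accounting keyed by a RADIUS session key.

Added example, not code from the ACS guide or from Cisco. It models what the guide
describes: same key means re-authentication, the smallest per-user limit wins, every
ancestor group's total is checked and counted, a purge decrements without a logoff, and
a late STOP for a purged session is discarded. Names, limits and attribute values are
constructed. Assumption: a key attribute missing from the packet gives an empty field.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_RADIUS_KEY = ("UserName", "NAS-Identifier", "NAS-Port", "Calling-Station-ID")
NO_LIMIT = (None, None)   # a group with both Unlimited check boxes set

def session_key(attrs: Dict[str, str], key_attrs=DEFAULT_RADIUS_KEY) -> str:
    return ":".join(str(attrs.get(a, "")) for a in key_attrs)

def ancestors(group: str) -> List[str]:
    """'America:US:West' -> ['America', 'America:US', 'America:US:West']."""
    parts = group.split(":")
    return [":".join(parts[:i]) for i in range(1, len(parts) + 1)]

class SessionTracker:
    def __init__(self, global_per_user: Optional[int],
                 group_limits: Dict[str, Tuple[Optional[int], Optional[int]]],
                 membership: Dict[str, str]):
        # group_limits: group -> (Max Session for Group, Max Session for User in Group),
        # None standing for the Unlimited check box; membership: user -> group path.
        self.global_per_user = global_per_user
        self.group_limits = group_limits
        self.membership = membership
        self.active: Dict[str, Tuple[str, str, str]] = {}   # key -> (user, group, nas)
        self.user_count: Dict[str, int] = {}
        self.group_count: Dict[str, int] = {}

    def user_limit(self, group: str) -> Optional[int]:
        values = [self.global_per_user]
        values += [self.group_limits.get(g, NO_LIMIT)[1] for g in ancestors(group)]
        values = [v for v in values if v is not None]
        return min(values) if values else None              # None: unlimited

    def access_request(self, attrs: Dict[str, str]) -> Tuple[bool, str]:
        key = session_key(attrs)
        if key in self.active:                              # same key: re-authentication
            return True, "re-authentication of existing session"
        user, group = attrs["UserName"], self.membership[attrs["UserName"]]
        limit = self.user_limit(group)
        if limit is not None and self.user_count.get(user, 0) >= limit:
            return False, f"user limit {limit} reached"
        for g in ancestors(group):
            gmax = self.group_limits.get(g, NO_LIMIT)[0]
            if gmax is not None and self.group_count.get(g, 0) >= gmax:
                return False, f"group {g} limit {gmax} reached"
        self.active[key] = (user, group, attrs.get("NAS-Identifier", ""))
        self.user_count[user] = self.user_count.get(user, 0) + 1
        for g in ancestors(group):                          # every node on the chain counts it
            self.group_count[g] = self.group_count.get(g, 0) + 1
        return True, "admitted"

    def _release(self, key: str) -> bool:
        entry = self.active.pop(key, None)
        if entry is None:
            return False
        user, group, _ = entry
        self.user_count[user] -= 1
        for g in ancestors(group):
            self.group_count[g] -= 1
        return True

    def accounting_stop(self, attrs: Dict[str, str]) -> bool:
        """False: the STOP was discarded because no tracked session has this key."""
        return self._release(session_key(attrs))

    def purge(self, nas_identifier: str) -> int:
        """Purge User Sessions for one AAA client; returns how many were dropped."""
        keys = [k for k, (_, _, nas) in self.active.items() if nas == nas_identifier]
        return sum(self._release(k) for k in keys)

def radius(user: str, nas: str, port: int, mac: str) -> Dict[str, str]:
    return {"UserName": user, "NAS-Identifier": nas, "NAS-Port": str(port),
            "Calling-Station-ID": mac}                      # constructed key attributes only

def demo() -> List[Tuple[str, bool]]:
    tr = SessionTracker(10, {"America": (3, None), "America:US:West": (None, 2)},
                        {"bob": "America:US:West", "alice": "America:US:West",
                         "carol": "America:US:East"})
    bob1 = radius("bob", "nas-west-1", 1, "aa:bb:cc:00:00:01")
    bob2 = radius("bob", "nas-west-1", 2, "aa:bb:cc:00:00:01")
    bob3 = radius("bob", "nas-west-2", 1, "aa:bb:cc:00:00:02")
    alice = radius("alice", "nas-west-1", 3, "aa:bb:cc:00:00:03")
    carol = radius("carol", "nas-east-1", 1, "aa:bb:cc:00:00:04")
    return [
        ("bob #1 admitted", tr.access_request(bob1)[0]),
        ("bob #2 admitted", tr.access_request(bob2)[0]),
        ("bob #1 re-auth, same key, not counted", tr.access_request(bob1)[0]),
        ("bob #3 rejected: user-in-group limit 2", tr.access_request(bob3)[0]),
        ("alice admitted: America at 3", tr.access_request(alice)[0]),
        ("carol rejected: America limit 3", tr.access_request(carol)[0]),
        ("STOP bob #2 releases one", tr.accounting_stop(bob2)),
        ("carol admitted after the STOP", tr.access_request(carol)[0]),
        ("purge nas-west-1 drops bob #1 and alice", tr.purge("nas-west-1") == 2),
        ("late STOP for purged bob #1 discarded", tr.accounting_stop(bob1)),
    ]
```

    Two things the sequence makes visible. First, the key is what makes the re-authentication harmless: if NAS-Port or Calling-Station-ID were missing from the Access-Request but present in the Accounting-Start, the two packets would form different keys and one login would be counted twice, which is why the text insists the attributes match in both packets (and why attribute 44 must be included in the access request before it can be part of the key). Second, the counters live only in this one tracker: in a distributed or proxied deployment where the authentication and accounting for a session reach different ACS servers, the STOP is discarded on the server that never admitted the session and the count on the admitting server never goes down.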
    Maximum User Session in Distributed Environment
    In a distributed environment, all the user and identity group configurations are replicated to the secondaries, except 
    the session cache information for maximum user sessions, which is maintained by the runtime. Hence, each server has 
    its own session details in the runtime, and the maximum session count is applied based on the ACS server on which 
    the authentication/accounting request is received.
    Related Topics
    Maximum Session User Settings, page 50
    Maximum Session Group Settings, page 51
    Maximum Session Global Settings, page 52
    Purging User Sessions, page 53
    Maximum User Session in Proxy Scenario, page 54
    Maximum User Session in Proxy Scenario
    Authentication and accounting requests should be sent to the same ACS server; otherwise, the Maximum Session feature 
    does not work as desired.
    Related Topics
    Maximum User Sessions, page 50
    Maximum Session User Settings, page 50
    Maximum Session Group Settings, page 51
    Maximum Session Global Settings, page 52
    Purging User Sessions, page 53
    Maximum User Session in Distributed Environment, page 54