Cisco Acs 57 User Guide
Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
7 Managing System Administrators Creating, Duplicating, Editing, and Deleting Administrator Accounts Administrator Accounts and Role Association Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignment. Note: It is recommended that you create a unique administrator for each person. In this way, operations are clearly recorded in the audit log. Administrators are authenticated against the internal and external databases. You can edit and delete existing accounts. However, the web interface displays an error message if you attempt to delete or disable the last super administrator. Only appropriate administrators can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there. When you create a new administrator, you have an option to choose the type of identity store for the password type. The new administrator is authenticated based on this password type. The password type can be internal administrator, AD, or LDAP. The default value of all the existing administrators is AdminsIDStore. The password type has a new association defined to create an association between the administrator account and the identity store. During the internal administrator authentication, if the administrator is present in the internal database, then the value in the password type field is read and populated in the attribute list.If this attribute value is not equal to AdminsIDStore, then the authentication is routed to either LDAP or an AD identity store, based on the value that is configured in the password type field. ACS use PAP authentication to authenticate administrators against AD and LDAP. Recovery Administrator Account ACS 5.7 requires the system administrator to keep at least one administrator account as a recovery account. If an account is configured as a recovery account, then ACS bypasses the administrator identity policy and authorization policy to authenticate that particular administrator. This recovery administrator account is authenticated against the administrator internal identity store. If you try to access ACS using the recovery account, you are authenticated against internal administrator users, and roles are assigned statically. You can have more than one recovery account. By default, the Super Admin account is set as a recovery account. When you create a new administrator account, ACS does not set that account as a recovery account, but you need to configure it as a recovery account in account settings. To configure an administrator account as a recovery account, you need to perform the following actions: Assign a static role to the administrator account. Assign the Super Admin role to the administrator account. Do not use the password type to set an external identity store to the administrator account. Related Topics Understanding Roles, page 3 Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7 Creating, Duplicating, Editing, and Deleting Administrator Accounts To create, duplicate, edit, or delete an administrator account: 1.Choose System Administration > Administrators > Accounts. The Administrators page appears with a list of configured administrators as described in Table 14 on page 8:
8 Managing System Administrators Creating, Duplicating, Editing, and Deleting Administrator Accounts 2.Do any of the following: Click Create. Check the check box the account that you want to duplicate and click Duplicate. Click the account that you want to modify; or, check the check box for the Name and click Edit. Check the check box the account for which you want to change the password and click Change Password. See Resetting Another Administrator’s Password, page 25 for more information. Note: On the Duplicate page, you must change at least the Admin Name. Check one or more check boxes the accounts that you want to delete and click Delete. ACS deletes the selected administrator account only if there is at least one recovery administrator account with superadmin role in the ACS database other than the selected administrator account. Note: Firefox does not display a warning message when you try to delete the last recovery admin account from ACS web interface if you have enabled "Prevent this page from creating additional dialogs" checkbox. 3.Complete the Administrator Accounts Properties page fields as described in Table 15 on page 8: Table 14 Accounts Page Option Description Status Current status of this administrator: Enabled—This administrator is active. Disabled—This administrator is not active. You cannot log into ACS with a disabled administrator account. Name Name of the administrator. Role(s) Roles assigned to the administrator. Description Description of this administrator. Table 15 Administrator Accounts Properties Page Option Description General Administrator Name Configured name of this administrator. If you are duplicating a rule, be sure to enter a unique name. Status From the Status drop-down menu, select whether the account is enabled or disabled. This option is disabled if you check the Account never disabled check box. Description A description of this administrator. Email Address Administrator e-mail address. ACS View sends alerts to this e-mail address. ACS uses this email address to notify the internal administrators about their password expiry n days before their password expires. Recovery Account Check this option to configure an account as a recovery account. ACS bypasses the administrator identity policies and authorization policies to authenticate the administrators when you use this option. See Recovery Administrator Account, page 7 for more information.
9 Managing System Administrators Creating, Duplicating, Editing, and Deleting Administrator Accounts 4.Click Submit. The new account is saved. The Administrators page appears, with the new account that you created or duplicated. Note: A SuperAdmin with static role assignment can create, assign, or remove SuperAdmin roles for other administrators whereas a SuperAdmin with dynamic role assignment cannot create, assign, or remove SuperAdmin roles for other administrators. Related Topics Understanding Roles, page 3 Administrator Accounts and Role Association, page 7 Viewing Predefined Roles, page 10 Configuring Authentication Settings for Administrators, page 11 Exporting Administrator Accounts, page 10 Account never disabled Check to ensure that your account is never disabled. Your account will not be disabled even when: Your password expires Your account becomes inactive You exceed the specified number of login retries Authentication Information Password Type Displays (only AD and LDAP) configured external identity store names, along with internal administrator, which is the default password type. You can choose any identity store from the list. During administrator authentication, if an external identity store is configured for the administrator, then the internal identity store forwards the authentication request to the configured external identity store. If an external identity store is selected, you cannot configure a password for the administrator. The password edit box is disabled. You cannot use identity sequences as external identity stores for the password type. You can change the password type using the Change Password button, which is located in the System Administration > Administrators > Accounts page. Password Authentication password. Confirm Password Confirmation of the authentication password. Change password on next loginCheck to prompt the user for a new password at the next login. Note: If you enable Change password on next login option for an administrator account, then the administrator cannot add ACS instances to a distributed deployment. Role Assignment Available Roles List of all configured roles. Select the roles that you want to assign for this administrator and click >. Click >> to assign all the roles for this administrator. Assigned Roles Roles that apply to this administrator. Table 15 Administrator Accounts Properties Page (continued) Option Description
10 Managing System Administrators Viewing Predefined Roles Exporting Administrator Accounts ACS 5.7 allows you to export the administrator accounts to a .csv file using the export option available on the Administrator Accounts page. This option exports all administrator accounts that are created and listed in the administrator accounts page to a .csv file. You can save this file to a local drive for audit purposes. You can also encrypt the exported file using an encryption password option. You need this password to decrypt the exported file. However, you cannot import the exported administrator account details back into ACS. For dynamic administrator accounts, the roles column in the exported file is empty. If you have assigned multiple roles for an administrator, a semicolon is used in between the roles. You can also export the administrator accounts from the ACS CLI, but you cannot export administrator accounts using REST PI. Note: To export the administrator accounts, you must have an administrator account with Super Admin, System Admin, or User Admin roles. To export the administrator accounts from the ACS web interface: 1.Choose System Administration > Administrators > Accounts. The Administrators page appears with a list of configured administrators as described in Table 14 on page 8. 2.Click Export. The Export properties dialog box appears. 3.Check the check box the Password field, and enter the encryption password if you want to encrypt the exported file. 4.Click Start Export. The Export Progress dialog box appears and displays the progress of the export operation. This dialog box also displays the export logs that helps the user to identify the errors during export operation. Note: To export the administrator accounts from the ACS CLI, run the export-data administrator command in ACS configuration mode. Related Topics Understanding Roles, page 3 Administrator Accounts and Role Association, page 7 Viewing Predefined Roles, page 10 Configuring Authentication Settings for Administrators, page 11 Viewing Predefined Roles See Table 13Predefined Role Descriptions, page 4 for description of the predefined roles included in ACS. To view predefined roles: Choose System Administration > Administrators > Roles. The Roles page appears with a list of predefined roles. Table 16Roles Page, page 11 describes the Roles page fields.
11 Managing System Administrators Configuring Authentication Settings for Administrators Viewing Role Properties Use this page to view the properties of each role. Choose System Administration > Administrators > Roles, and click a role or choose the role’s radio button and click View. The Roles Properties page appears as described in Table 17 on page 11: Related Topics Understanding Roles, page 3 Administrator Accounts and Role Association, page 7 Configuring Authentication Settings for Administrators, page 11 Configuring Authentication Settings for Administrators Authentication settings are a set of rules that enhance security by forcing administrators to use strong passwords, regularly change their passwords, and so on. Any password policy changes that you make apply to all ACS system administrator accounts. To configure a password policy: 1.Choose System Administration > Administrators > Settings > Authentication. The Password Policies page appears with the Password Complexity and Advanced tabs. 2.In the Password Complexity tab, check each check box that you want to use to configure your administrator password. Table 18 on page 12 describes the fields in the Password Complexity tab. Ta b l e 1 6 R o l e s P a g e Field Description Name List of all configured roles. See Predefined Roles, page 4 for a list of predefined roles. Description Description of each role. Table 17 Roles Properties Page Field Description Name Name of the role. If you are duplicating a role, you must enter a unique name as a minimum configuration; all other fields are optional. Roles cannot be created or edited. See Table 16Roles Page, page 11 for a list of predefined roles. Description Description of the role. See Predefined Roles, page 4 for more information. Permissions List Resource List of available resources. Privileges Privileges that can be assigned to each resource. If a privilege does not apply, the privilege check box is dimmed (not available). Row color is irrelevant to availability of a given privilege and is determined by the explicit text in the Privileges column.
12 Managing System Administrators Configuring Authentication Settings for Administrators 3.In the Advanced tab, enter the values for the criteria that you want to configure for your administrator authentication process. Table 19 on page 12 describes the fields in the Advanced tab. Ta b l e 1 8 P a s s w o r d C o m p l e x i t y Ta b Option Description Applies to all ACS system administrator accounts Minimum length Required minimum length; the valid options are 4 to 127. Password may not contain the username or its characters in reversed orderCheck to specify that the password cannot contain the username or reverse username. For example, if your username is john, your password cannot be john or nhoj. Password may not contain ‘cisco’ or its characters in reversed orderCheck to specify that the password cannot contain the word cisco or its characters in reverse order, that is, ocsic. Password may not contain ‘’ or its characters in reversed orderCheck to specify that the password does not contain the string that you enter or its characters in reverse order. For example, if you specify a string, polly, your password cannot be polly or yllop. Password may not contain repeated characters four or more times consecutivelyCheck to specify that the password cannot repeat characters four or more times consecutively. For example, you cannot have the string apppple as your password. The letter p appears four times consecutively. Password must contain at least one character of each of the selected types Lowercase alphabetic characters Password must contain at least one lowercase alphabetic character. Upper case alphabetic characters Password must contain at least one uppercase alphabetic character. Numeric characters Password must contain at least one numeric character. Non alphanumeric characters Password must contain at least one nonalphanumeric character. Table 19 Advanced Tab Options Description Password History Password must be different from the previous n versionsSpecifies the number of previous passwords for this administrator to be compared against. This option prevents the administrators from setting a password that was recently used. Valid options are 1 to 99. Password Lifetime: Administrators are required to periodically change password Require a password change after n days Specifies that the password must be changed after n days; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days. Disable administrator account after n days if password is not changedSpecifies that the administrator account must be disabled after n days if the password is not changed; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option.
13 Managing System Administrators Configuring Session Idle Timeout Note: ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are blocked and they receive a notification that they can change the password through ACS web interface. If your account is disabled, contact another administrator to enable your account. 4.Click Submit. The administrator password is configured with the defined criteria. These criteria will apply only for future logins. Related Topics Understanding Roles, page 3 Administrator Accounts and Role Association, page 7 Viewing Predefined Roles, page 10 Configuring Session Idle Timeout A GUI session, by default, is assigned a timeout period of 30 minutes. You can configure a timeout period for anywhere from 5 to 90 minutes. The session timeout option is not applicable for the Active Directory and Distributed System Management pages. The AD page is automatically refreshed to verify the AD connectivity status based on the refresh Send Email for password expiry before n daysSpecifies that an email notification a day must be sent to the internal administrators starting from nth day before their password expires if the password is not changed; the valid options are 1 to 365. The default value is 5 days. This option, when set, ensures that an email notification is sent to the internal administrator accounts n days before their password expires. ACS does not allow you to configure this option without configuring the Disable administrator account after n days if password is not changed. Display reminder after n days Displays a reminder after n days to change password; the valid options are 1 to 365. This option, when set, only displays a reminder. It does not prompt you for a new password. Account Inactivity: Inactive accounts are disabled Require a password change after n days of inactivitySpecifies that the password must be changed after n days of inactivity; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days. ACS does not allow you to configure this option without configuring the Display reminder after n days option. Disable administrator account after n days of inactivitySpecifies that the administrator account must be disabled after n days of inactivity; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option. Incorrect Password Attempts Disable account after n successive failed attemptsSpecifies the maximum number of login retries after which the account is disabled; the valid options are 1 to 10. Table 19 Advanced Tab Options Description
14 Managing System Administrators Configuring Administrator Access Settings interval that is defined in the application. The Distributed System Management page is automatically refreshed for the configured interval of time. You can configure the refresh interval from the Distributed System Management page of ACS web interface. To configure the timeout period: 1.Choose System Administration > Administrators > Settings > Session. The GUI Session page appears. 2.Enter the Session Idle Timeout value in minutes. Valid values are 5 to 90 minutes. 3.Click Submit. Note: The CLI client interface has a default session timeout value of 6 hours. You cannot configure the session timeout period in the CLI client interface. Configuring Administrator Access Settings ACS 5.7 allows you to restrict administrative access to ACS based on the IP address of the remote client. You can filter IP addresses in any one of the following ways: Allow All IP Addresses to Connect, page 14 Allow Remote Administration from a Select List of IP Addresses, page 14 Reject Remote Administration from a Select List of IP Addresses, page 15 Allow All IP Addresses to Connect You can choose the Allow all IP addresses to connect option to allow all connections; this is the default option. Allow Remote Administration from a Select List of IP Addresses To allow administrators to access ACS remotely: 1.Choose System Administration > Administrators > Settings > Access. The IP Addresses Filtering page appears. 2.Click Allow only listed IP addresses to connect radio button. The IP Range(s) area appears. 3.Click Create in the IP Range(s) area. A new window appears. Enter the IPv4 or IPv6 address of the machine from which you want to allow remote access to ACS. Enter a subnet mask for an entire IP address range. ACS checks if the address that is entered is in a format that is supported by IPv4 or IPv6. 4.Click OK. The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges for which you want to provide remote access. 5.Click Submit.
15 Managing System Administrators Working with Administrative Access Control Reject Remote Administration from a Select List of IP Addresses To reject administrators from accessing ACS remotely: 1.Choose System Administration > Administrators > Settings > Access. The IP Addresses Filtering page appears. 2.Click Reject connections from listed IP addresses radio button. The IP Range(s) area appears. 3.Click Create in the IP Range(s) area. A new window appears. 4.Enter the IP address of the machine that you do not want to access ACS remotely. Enter a subnet mask for an entire IP address range. 5.Click OK. The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges that you want to reject. 6.Click Submit. It is possible to reject connection from all IP addresses. You cannot reset this condition through the ACS web interface. However, you can use the following CLI command: access-setting accept-all Refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7 for more information. Working with Administrative Access Control ACS 5.7 introduces a new service type called the Administrative Access Control (AAC) service. The AAC service handles the authentications and authorization of the ACS administrators. The enhanced AAC web interface includes: Policy-based authentication and authorization Authentication against an external database is feasible by: —Password type on administrator accounts in the Internal Administrators ID store. —Configuring the identity policy (the authentication policy) against an external database. This AAC service is automatically created at the time of installation. You cannot remove or add a new AAC service. AAC is not available under the service selection policy and is automatically selected upon administrator login. The AAC service identifies a set of policies for administrator login. The policies that are provided within the AAC service are these: The Administrator identity policy determines the identity database that is used to authenticate the administrator and also retrieves attributes for the administrator that may be used in subsequent authorization policy.
16 Managing System Administrators Working with Administrative Access Control The Administrator authorization policy determines the role of the administrator for the session in ACS. The assigned role determines the permission of the administrator. Each role has a predefined list of permissions, and it can be viewed in the roles page. The AAC service processes these two policies in a sequence. You need to configure both the Administrator identity policy and the Administrator authorization policy. The default for both the policies are: Identity policy—The default is Internal Identity Store. Authorization policy—The default is Deny Access. The AAC service supports only the PAP authentication type. Only the Super Admin is permitted to configure administrator access control. While upgrading the ACS application to ACS 5.7, AAC undergoes the following changes: Single AAC service is automatically created during upgrade. The identity policy in AAC service is set to Administrators Internal Identity Store. All existing administrators are validated with a static role assignment. All administrators with the Super Admin role are automatically set as the recovery account. After upgrading the ACS application to 5.7, if the administrator accounts are not updated, the upgraded administrator accounts are authenticated against the administrator internal identity store and get their roles through static assignment. While restoring the backup when upgrading, ACS 5.7 takes care of upgrading the schema files as well as the data. Note: Administrator accounts created in external identity stores cannot access CARS mode of ACS CLI. But, they can access acs-config mode of ACS CLI. This section contains the following topics: Administrator Identity Policy, page 16 Administrator Authorization Policy, page 22 Administrator Identity Policy The identity policy in administrative access control defines the identity source that ACS uses for authentication and attribute retrieval. The attributes and groups can be retrieved only from the external database. ACS can use the retrieved attributes only in subsequent authorization policies. The AAC service supports two types of identity policies. They are: Single result selection Rule-based result selection Super Admin can configure and modify this policy. You can configure a simple policy, which applies the same identity source for authentication of all requests, or you can configure a rule-based identity policy. The supported identity methods for a simple policy are: Deny Access—Access to the user is denied and no authentication is performed. Identity Store—A single identity store. You can select any one of the following identity stores: —Internal Administrator ID store