Cisco ACS 5.7 User Guide
Managing System Administrators: Working with Administrative Access Control

  Active Directory ID store
  LDAP ID store

If Deny Access is selected as the result, the administrator is denied access.

In a rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. The supported conditions are:

  System username
  System time and date
  Administrator client IP address

An identity policy in the AAC service does not support an identity store sequence as a result.

You can create, duplicate, edit, and delete rules within the identity policy, and you can enable and disable them.

Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy configuration.

To configure a simple identity policy, complete the following steps:

1. Select System Administration > Administrative Access Control > Identity. By default, the Simple Identity Policy page appears with the fields as described in Table 20 on page 17.
2. Select an identity source for authentication, or choose Deny Access.
3. Click Save Changes to save the policy.

Viewing Rule-Based Identity Policies

Select System Administration > Administrative Access Control > Identity. By default, the Simple Identity Policy page appears with the fields as described in Table 20 on page 17. If a rule-based policy is configured, the Rule-Based Identity Policy page appears with the fields as described in Table 21 on page 18.

Table 20 Simple Identity Policy Page

Policy type: Defines the type of policy to configure:
  Simple—Specifies the result to apply to all requests.
  Rule-based—Configures rules to apply different results, depending on the request.
  If you switch between policy types, you will lose your previously saved policy configuration.

Identity Source: Identity source to apply to all requests. The default is Deny Access. For password-based authentication, choose a single identity store or an identity store sequence.
To configure a rule-based policy, see these topics:

  Creating Policy Rules, page 37
  Duplicating a Rule, page 38
  Editing Policy Rules, page 39
  Deleting Policy Rules, page 39

Table 21 Rule-Based Identity Policy Page

Policy type: Defines the type of policy to configure:
  Simple—Specifies the results to apply to all requests.
  Rule-based—Configures rules to apply different results depending on the request.
  Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Status: The current status of the rule. The rule statuses are:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Name: Rule name.

Conditions: Conditions that determine the scope of the policy. This column displays all current conditions in sub-columns.

Results: Identity source that is used for authentication as a result of the evaluation of the rule.

Hit Count: Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule: ACS applies the Default Rule when:
  Enabled rules are not matched.
  No other rules are defined.
  Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button: Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button: Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.
Configuring Identity Policy Rule Properties

You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the administrator and retrieve attributes for the administrator. The retrieval of attributes is possible only if you use an external database.

To display this page, complete the following steps:

1. Choose System Administration > Administrative Access Control > Identity, then do one of the following:
   Click Create.
   Check a rule check box, and click Duplicate.
   Click a rule name or check a rule check box, then click Edit.
2. Complete the fields as shown in the Identity Rule Properties page, as described in Table 22 on page 19.

Table 22 Identity Rule Properties Page

General

Rule Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status: Rule statuses are:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions: Conditions that you can configure for the rule. By default the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.

Results

Identity Source: Identity source to apply to requests. The default is Administrators Internal Identity store. For password-based authentication, choose a single identity store or an identity store sequence.
Authenticating Administrators against RADIUS Identity and RSA SecurID Servers

Note: This feature works only after installing ACS 5.7 patch 1.

ACS 5.7 supports authenticating administrators against RADIUS Identity Servers and RSA SecurID Servers. This feature is available in both the ACS web interface and the acs-config mode of the ACS CLI. It strengthens administrator authentication by using the One Time Password (OTP) that the RADIUS Identity server or RSA SecurID server generates.

ACS has the following two use cases for authenticating administrators against an external identity source:

  The administrator account is in ACS and its password type is set to External Identity Source. The password type is set under System Administration > Administrators > Accounts. The authentication password for the administrator account is therefore retrieved from the specified external identity source.
  The administrator account is in the external identity source. ACS therefore uses the external identity source to verify both the administrator account and its password.

Authenticating Administrators against RADIUS Identity Server

To authenticate administrators against a RADIUS Identity Server:

1. Add the RADIUS Identity Server in ACS. See Creating, Duplicating, and Editing RADIUS Identity Servers, page 78 for more information.
2. Add ACS and the administrator account in the RADIUS Identity Server. Refer to the RADIUS Identity server documentation to perform these operations.
3. Choose System Administration > Administrative Access Control > Identity in the ACS web interface.
4. Click the Single result selection radio button.
5. Select the RADIUS Identity Server as the Identity Source and click Save Changes.
6. Log out from the ACS web interface.
7. Launch the ACS web interface to authenticate the administrator account against the RADIUS Identity server for the first time.
8. Enter the username in the Username field and the password set in the RADIUS Identity Server in the Password field, and click Login.

ACS allows the administrator to log in to the web interface using the password set in the RADIUS Identity Server.

Note: To authenticate ACS administrators against the RADIUS Identity server from the ACS CLI, use the same procedure in the acs-config mode of the ACS CLI.

Authenticating Administrators against RSA SecurID Server

To authenticate administrators against an RSA SecurID Server as the external identity source:

Setting RSA SecurID Server as the external identity source for ACS administrator authentications

1. Add the RSA SecurID Server in ACS. See Configuring RSA SecurID Agents, page 70 for more information.
2. Add ACS and the administrator account in the RSA SecurID Server. See the RSA Authentication Manager Administrator's Guide for more information.
3. Choose System Administration > Administrative Access Control > Identity in the ACS web interface.
4. Click the Single result selection radio button.
5. Select the RSA SecurID Server as the Identity Source and click Save Changes.

You have now configured the RSA SecurID server as the external identity source for authenticating administrators.
Performing the First ACS Administrator Authentication Using RSA SecurID Server

1. Launch the ACS web interface.
2. Enter the username in the Username field.
3. Generate a token code using the RSA SecurID device, enter the token code in the Password field of the ACS web interface, and click Login. ACS displays the following message with a system-generated PIN:
   PIN: Please remember your new PIN then press Return to continue.
   Note: Copy the PIN displayed in the above message and store it on your system. You have to use this PIN to generate the subsequent token codes for logging in to the ACS web interface.
4. Click Login. ACS allows the administrator to log in to the web interface.

The first administrator authentication against the RSA SecurID server is successful.

When you use the RSA SecurID server to authenticate an administrator account for the first time:
  If you click Cancel when ACS displays the challenge message, you can start the authentication procedure from the beginning.
  If you click Cancel after ACS displays a system-generated PIN, you have canceled the first authentication, and you can use the system-generated PIN to perform the subsequent authentications.

When you use the RSA SecurID server for subsequent administrator authentications, if you enter the wrong passcode, ACS prompts for the correct password. If you then enter the correct password and click Login, ACS prompts for the next token code to ensure security.

Performing Subsequent ACS Administrator Authentications Using RSA SecurID Server

1. Launch the ACS web interface.
2. Enter the username in the Username field.
3. Enter the system-generated PIN that ACS displayed into the RSA SecurID device and click the arrow icon. The RSA SecurID device displays a passcode.
4. Copy the passcode from the RSA SecurID device, enter it in the Password field of the ACS web interface, and click Login. ACS allows the administrator to log in to the web interface.

The subsequent administrator authentication against the RSA SecurID server is successful. You can find the administrator authentication logs in the Monitoring and Reports > Reports > ACS Reports > ACS Instance > ACS Administrator Logins page.

Note: To authenticate ACS administrators against the RSA SecurID server from the ACS CLI, use the same procedure in the acs-config mode of the ACS CLI. When you authenticate an administrator against the RSA SecurID server from the ACS CLI, you see two log entries for one CLI authentication. One entry is logged against the ACS web interface and the other against the CLI. Both entries have the loopback address (127.0.0.1) as the IP address. The ACS web interface log entry displays the authentication summary and the detailed steps, whereas the CLI entry lists only the authentication summary, not the detailed steps.

Note: You can download the RSA SecurID software token from the following link: http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/ms-windows.htm
Administrator Authorization Policy

The authorization policy in Administrative Access Control is used for dynamically assigning roles to administrators upon login. The role of the administrator is set according to the rules that are defined in the policy. The rule conditions can include attributes and groups if the administrator is authenticated with an external database, and ACS can use the retrieved attributes in subsequent policies.

The authorization policy-based role assignment is applicable to both internal and external administrator accounts. It is the only method available to assign roles to external administrator accounts.

In the administrator authorization policy, each rule contains one or more conditions that are used for authentication and a result. The supported conditions are:

  System username
  System time and date
  Administrator client IP address
  AD dictionary or LDAP dictionary (external groups and attributes)

The administrator identity policy and the password type feature enable administrators to authenticate requests in external identity stores such as Active Directory or LDAP and to retrieve the administrator groups and attributes. The administrator authorization policy rules can be configured based on these retrieved groups and attributes.

You can configure the administrator authorization policy results with a set of administrator roles that are to be assigned to the administrators. The supported authorization policy results are:

  Administrator Role Result—One or more administrator roles
  Deny Access—Failed authorization

You can create, duplicate, edit, and delete rules within the authorization policy, and you can enable and disable rules.

Configuring Administrator Authorization Policies

The administrator authorization policy determines the role for ACS administrators. See Configuring General Access Service Properties, page 13 for a description of the AAC Access Service properties page.

Use this page to do the following:
  View rules.
  Delete rules.
  Open pages that enable you to create, duplicate, edit, and customize rules.

Select System Administration > Administrative Access Control > Authorization > Standard Policy. The Administrator Authorization Policy page appears as described in Table 23 on page 23.
Configuring Administrator Authorization Rule Properties

Use this page to create, duplicate, and edit the rules that determine administrator roles in the AAC access service. Select System Administration > Administrative Access Control > Authorization > Standard Policy, and click Create, Edit, or Duplicate. The Administrator Authorization Rule Properties page appears as described in Table 24 on page 24.

Table 23 Administrators Authorization Policy Page

Status: Rule statuses are:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor-only. The monitor option is especially useful for watching the results of a new rule.

Name: Name of the rule.

Conditions: Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results: Displays the administrator roles that are applied when the corresponding rule is matched. You can customize rule results; a rule can apply administrator roles. The columns that appear reflect the customization settings.

Hit Count: Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule: ACS applies the Default Rule when:
  Enabled rules are not matched.
  No other rules are defined.
  Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button: Opens the Customize page in which you choose the types of conditions and results to use in policy rules. The Conditions and Results columns reflect your customized settings. Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button: Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.
Administrator Login Process

When an administrator logs in to the ACS web interface, ACS 5.7 performs authentication as follows:

1. If the administrator account is configured as a recovery account in the administrator internal identity store, ACS bypasses the identity and authorization policies, authenticates the administrator against the administrator internal identity store, and assigns the role statically.
2. If the administrator account is not a recovery account, ACS proceeds with policy-based authentication. ACS fetches the AAC service with its identity policy and authorization policy configuration.
3. ACS evaluates the identity policy and gets an identity store as the result. If the identity policy result is the administrator internal identity store, ACS evaluates the password type and retrieves the identity store from it.
4. ACS authenticates the administrator against the selected identity store and, if the administrator account is configured in an external identity store, retrieves the user groups and user attributes.
5. If the administrator account is configured in the internal identity store and has a static role assignment, ACS extracts the list of administrator roles. If the administrator account is configured in an external or internal identity store and has a dynamic role assignment, ACS evaluates the authorization policy and gets either a list of administrator roles, which it applies dynamically, or Deny Access as the result.
6. Based on the selected role, ACS manages the administrator's access restrictions and authentications. If Deny Access is the result of the evaluation, ACS denies access to the administrator and logs the reason for failure in the customer logs.

Note: An administrator with the Super Admin role has the rights to change the roles and privileges of other administrators.
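The rule semantics from Table 21 (Enabled, Disabled and Monitor statuses, hit counts, the Default Rule) and the login process above, as an added Python model; this is not ACS code, and the Rule fields, the sample policies, the clock() helper and the role names are assumptions made for the example:

```python
# Constructed model of the administrative access control evaluation in this
# chapter. Data structures and names are assumptions, not ACS internals.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

ENABLED, DISABLED, MONITOR = "Enabled", "Disabled", "Monitor"
DENY = "Deny Access"


@dataclass
class Rule:
    name: str
    result: object                     # identity store, list of roles, or DENY
    status: str = ENABLED
    username: Optional[str] = None     # None means ANY
    client_net: Optional[str] = None   # CIDR for the client IP; None means ANY
    hours: Optional[tuple] = None      # (start, end) hour window; None means ANY
    hit_count: int = 0

    def matches(self, username, client_ip, when):
        if self.username is not None and self.username != username:
            return False
        if self.client_net is not None and ip_address(client_ip) not in ip_network(self.client_net):
            return False
        if self.hours is not None and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        return True


def evaluate(rules, default_result, username, client_ip, when, log):
    """First-match evaluation: Disabled rules are skipped, Monitor rules count a
    hit and log it without applying their result, Default Rule applies otherwise."""
    for rule in rules:
        if rule.status == DISABLED or not rule.matches(username, client_ip, when):
            continue
        rule.hit_count += 1
        if rule.status == MONITOR:
            log.append(f"{rule.name}: matched (monitor only, result not applied)")
            continue
        log.append(f"{rule.name}: matched, result {rule.result}")
        return rule.result
    log.append(f"Default Rule: result {default_result}")
    return default_result


def admin_login(username, client_ip, when, recovery_accounts, identity_rules, authz_rules, log):
    """Returns the granted role list or DENY. Password verification against the
    selected store is outside this model."""
    if username in recovery_accounts:  # recovery account: both policies bypassed
        log.append("recovery account: internal store, static role assignment")
        return recovery_accounts[username]
    store = evaluate(identity_rules, DENY, username, client_ip, when, log)
    if store == DENY:
        return DENY
    log.append(f"authenticating {username} against {store}")
    return evaluate(authz_rules, DENY, username, client_ip, when, log)


def clock(hour):
    """Constructed timestamp at the given hour (date is irrelevant to the model)."""
    return datetime(2024, 1, 1, hour, 0)


def sample_policies():
    """Constructed sample policies; fresh Rule objects so hit counts start at 0."""
    identity = [Rule("Corp-AD", "AD1", client_net="10.0.0.0/8"),
                Rule("Trial-LDAP", "LDAP1", status=MONITOR)]
    authz = [Rule("No-night-logins", DENY, hours=(0, 6)),
             Rule("Alice-NetOps", ["NetworkDeviceAdmin"], username="alice")]
    return identity, authz, {"recovery": ["SuperAdmin"]}
```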
Table 24 Administrators Authorization Rule Properties Page

General

Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status: Rule statuses are as follows:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor-only. The monitor option is especially useful for watching the results of a new rule.

Conditions

conditions: These are conditions that you can configure for the rule. By default the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.

Results

Roles: Roles to apply for the rule.
Resetting the Administrator Password

Note: If the administrator password on the AD or LDAP server is expired or reset, ACS denies the administrator access to the web interface.

While configuring administrator access settings, it is possible for all administrator accounts to be locked out, with none of the administrators able to access ACS from any IP address in your enterprise. If this happens, you must reset the administrator password from the ACS Config CLI. Use the following command to reset all administrator passwords:

  access-setting accept-all

For more information on this command, refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7.

Note: You cannot reset the administrator password through the ACS web interface.

Changing the Administrator Password

ACS 5.7 introduces a new role, Change Admin Password, that entitles an administrator to change another administrator's password. If an administrator's account is disabled, any other administrator who is assigned the Change Admin Password role can reset the disabled account through the ACS web interface.

This section contains the following topics:
  Changing Your Own Administrator Password, page 25
  Resetting Another Administrator's Password, page 25

Changing Your Own Administrator Password

Note: All administrators can change their own passwords. You do not need any special role to perform this operation.

To change your password:

1. Choose My Workspace > My Account. The My Account page appears. See My Account Page, page 2 for valid values.
2. In the Password field section, enter the current administrator password.
3. In the New Password field, enter a new administrator password.
4. In the Confirm Password field, re-enter the new administrator password.
5. Click Submit. The administrator password is created.

You can also use the acs reset-password command to reset your ACS administrator account password. For more information on this command, refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7.

Resetting Another Administrator's Password

An internal web administrator who has the Super Admin role or the ChangeAdminPassword role can reset or change the passwords of other administrators.

To reset another administrator's password:

1. Choose System Administration > Administrators > Accounts.
   The Accounts page appears with a list of administrator accounts.
2. Check the check box of the administrator account whose password you want to change, and click Change Password. The Authentication Information page appears, listing the date when the administrator's password was last changed.
3. In the Password field, enter a new administrator password.
4. In the Confirm Password field, re-enter the new administrator password.
5. Check the Change password on next login check box to require the other administrator to change the password at first login.
6. Click Submit. The administrator password is reset.

Related Topics
  Configuring Authentication Settings for Administrators, page 11
  Understanding Roles, page 3
  Administrator Accounts and Role Association, page 7
  Viewing Predefined Roles, page 10