Cisco Acs 5x User Guide
Have a look at the manual Cisco Acs 5x User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
CH A P T E R 9-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 9 Managing Policy Elements A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device. Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are organized in rule tables. See Chapter 3, “ACS 5.x Policy Model” for more information on policy design and how it is implemented in ACS. Before you configure your policy rules, you must create the policy elements, which are the conditions and results to use in those policies. After you create the policy elements, you can use them in policy rules. See Chapter 10, “Managing Access Policies” for more information on managing services, policies, and policy rules. These topics contain. Managing Policy Conditions, page 9-1 Managing Authorizations and Permissions, page 9-17 Creating, Duplicating, and Editing Downloadable ACLs, page 9-31 NoteWhen Cisco Security Group Access license is installed, you can also configure Security Groups and Security Group Access Control Lists (SGACLs), which you can then use in Security Group Access authorization policies. For information about configuring security groups for Security Group Access, see Creating Security Groups, page 4-24. Managing Policy Conditions You can configure the following items as conditions in a rule table: Request/Protocol Attributes—ACS retrieves these attributes from the authentication request that the user issues. Identity Attributes—These attributes are related to the identity of the user performing a request. These attributes can be retrieved from the user definition in the internal identity store or from user definitions that are stored in external repositories, such as LDAP and AD. Identity Groups—ACS maintains a single identity group hierarchy that is used for all types of users and hosts. Each internal user or host definition can include an association to a single identity group within the hierarchy.
9-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more information about creating identity groups, see Managing Identity Attributes, page 8-7. Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 device hierarchies. You can include hierarchy elements in policy conditions. For more information about creating NDGs, see Network Device Groups, page 7-2. Date and Time Conditions—You can create named conditions that define specific time intervals across specific days of the week. You can also associate expiry dates with date and time conditions. A date and time condition is a condition that takes the current date and time and effectively returns either true or false to indicate whether or not the condition is met. There are two components within the date and time condition: –Enable Duration—You have the option to limit the duration during which the condition is enabled by specifying an optional start time, end time, or both. This component allows you to create rules with limited time durations that effectively expire. If the condition is not enabled, then this component of the date and time condition returns false. –Time Intervals—On the ACS web interface, you see a grid of time that shows the days of the week and the hours within each day. Each cell in the grid represents one hour. You can either set or clear the cells. If the date and time when a request is processed falls at a time when the corresponding time interval is set, then this component of the date and time condition returns true. Both components of the date and time condition are considered while processing a request. The date and time condition is evaluated as true only if both components return a true value. Network Conditions—You can create filters of the following types to restrict access to the network: –End Station Filters—Based on end stations that initiate and terminate the connection. End stations may be identified by IP address, MAC address, calling line identification (CLI), or dialed number identification service (DNIS) fields obtained from the request. –Network Device Filters—Based on the AAA client that processes the request. A network device can be identified by its IP address, by the device name that is defined in the network device repository, or by the NDG. –Device Port Filters—Network device definition might be supplemented by the device port that the end station is associated with. Each network device condition defines a list of objects that can then be included in policy conditions, resulting in a set of definitions that are matched against those presented in the request. The operator that you use in the condition can be either match, in which case the value presented must match at least one entry within the network condition, or no matches, in which case it should not match any entry in the set of objects that is present in the filter. You can include Protocol and Identity attributes in a condition by defining them in custom conditions or in compound conditions. You define compound conditions in the policy rule properties page and not as a separate named condition. See Configuring Compound Conditions, page 10-40. Custom conditions and Date and Time conditions are called session conditions. This section contains the following topics: Creating, Duplicating, and Editing a Date and Time Condition, page 9-3 Creating, Duplicating, and Editing a Custom Session Condition, page 9-5
9-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Deleting a Session Condition, page 9-6 Managing Network Conditions, page 9-6 See Chapter 3, “ACS 5.x Policy Model” for information about additional conditions that you can use in policy rules, although they are not configurable. Creating, Duplicating, and Editing a Date and Time Condition Create date and time conditions to specify time intervals and durations. For example, you can define shifts over a specific holiday period. When ACS processes a rule with a date and time condition, the condition is compared to the date and time information of the ACS instance that is processing the request. Clients that are associated with this condition are subject to it for the duration of their session. The time on the ACS server is used when making policy decisions. Therefore, ensure that you configure date and time conditions that correspond to the time zone in which your ACS server resides. Your time zone may be different from that of the ACS server. You can duplicate a session condition to create a new session condition that is the same, or similar to, an existing session condition. After duplication is complete, you access each session condition (original and duplicated) separately to edit or delete them. To create, duplicate, or edit a date and time condition: Step 1Select Policy Elements > Session Conditions > Date and Time. The Date and Time Conditions page appears. Step 2Do one of the following: Click Create. Check the check box next to the condition you want to duplicate and click Duplicate. Click the name that you want to modify; or, check the check box next to the condition that you want to modify and click Edit. The Date and Time Properties page appears. Step 3Enter valid configuration data in the required fields as described in Ta b l e 9 - 1: Table 9-1 Date and Time Properties Page Option Description General Name Enter a name for the date and time condition. Description Enter a description, such as specific days and times of the date and time condition.
9-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Step 4Click Submit. The date and time condition is saved. The Date and Time Conditions page appears with the new date and time condition that you created or duplicated. Related Topics Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 Deleting a Session Condition, page 9-6 Configuring Access Service Policies, page 10-21 Duration Start Click one of the following options: Start Immediately—Specifies that the rules associated with this condition are valid, starting at the current date. Start On—Specify a start date by clicking the calendar icon next to the associated field to choose a specific start date, at which the condition becomes active (at the beginning of the day, indicated by the time 00:00:00 on a 24-hour clock). You can specify time in the hh:mm format. End Click one of the following options: No End Date—Specifies that the rules associated with this date and time condition are always active, after the indicated start date. End By—Specify an end date by clicking the calendar icon next to the associated field to choose a specific end date, at which the date and time condition becomes inactive (at the end of the day, indicated by the time 23:59:59 on a 24-hour clock) You can specify time in the hh:mm format. Days and Time Days and Time section gridEach square in the Days and Time grid is equal to one hour. Select a grid square to make the corresponding time active; rules associated with this condition are valid during this time. A green (or darkened) grid square indicates an active hour. Ensure that you configure date and time conditions that correspond to the time zone in which your ACS server resides. Your time zone may be different from that of the ACS server. For example, you may receive an error message if you configure a date and time condition that is an hour ahead of your current time, but that is already in the past with respect to the time zone of your ACS server. Select All Click to set all squares in the grid to the active state. Rules associated with this condition are always valid. Clear All Click to set all squares in the grid to the inactive state. Rules associated with this condition are always invalid. Undo All Click to remove your latest changes for the active and inactive day and time selections for the date and time group. Table 9-1 Date and Time Properties Page (continued) Option Description
9-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Creating, Duplicating, and Editing a Custom Session Condition The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you must first create a custom condition for the attribute. In this way, you define a smaller subset of attributes to use in policy conditions, and present a smaller focused list from which to choose condition types for rule tables. You can also include protocol and identity attributes within compound conditions. See Configuring Compound Conditions, page 10-40 for more information on compound conditions. To create a custom condition, you must select a specific protocol (RADIUS or TACACS+) or identity attribute from one of the dictionaries, and name the custom condition. See Configuring Global System Options, page 18-1 for more information on protocol and identity dictionaries. When you create a custom condition that includes identity or RADIUS attributes, you can also include the definition of the attributes. You can thus easily view any existing custom conditions associated with a particular attribute. To create, duplicate, or edit a custom session condition: Step 1Select Policy Elements > Session Conditions > Custom. The Custom Conditions page appears. Step 2Do one of the following: Click Create. Check the check box next to the condition you want to duplicate and click Duplicate. Click the name that you want to modify; or, check the check box next to the condition that you want to modify and click Edit. The Custom Condition Properties page appears. Step 3Enter valid configuration data in the required fields as shown in Ta b l e 9 - 2: To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 10-4. Table 9-2 Policy Custom Condition Properties Page Option Description General Name Name of the custom condition. Description Description of the custom condition. Condition Dictionary Choose a specific protocol or identity dictionary from the drop-down list box. Attribute Click Select to display the list of external identity store dictionaries based on the selection you made in the Dictionary field. Select the attribute that you want to associate with the custom condition, then click OK. If you are editing a custom condition that is in use in a policy, you cannot edit the attribute that it references.
9-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Step 4Click Submit. The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for the duration of their session. Related Topics Creating, Duplicating, and Editing a Date and Time Condition, page 9-3 Deleting a Session Condition, page 9-6 Configuring Access Service Policies, page 10-21 Deleting a Session Condition To delete a session condition: Step 1Select Policy Elements > Session Conditions > session condition, where session condition is Date and Time or Custom. The Session Condition page appears. Step 2Check one or more check boxes next to the session conditions that you want to delete and click Delete. The following message appears: Are you sure you want to delete the selected item/items? Step 3Click OK. The Session Condition page appears without the deleted custom session conditions. Related Topics Creating, Duplicating, and Editing a Date and Time Condition, page 9-3 Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 Managing Network Conditions Filters are reusable network conditions that you create for end stations, network devices, and network device ports. Filters enable ACS 5.3 to do the following: Decide whether or not to grant network access to users and devices. Decide on the identity store, service, and so on to be used in policies. After you create a filter with a name, you can reuse this filter multiple times across various rules and policies by referring to its name. NoteThe filters in ACS 5.3 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either the user or user group. In 5.3, the filters are independent conditions that you can reuse across various rules and policies.
9-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions ACS offers three types of filters: End Station Filter—Filters end stations, such as a laptop or printer that initiates a connection based on the end station’s IP address, MAC address, CLID number, or DNIS number. The end station identifier can be the IP address, MAC address, or any other string that uniquely identifies the end station. It is a protocol-agnostic attribute of type string that contains a copy of the end station identifier: –In a RADIUS request, this identifier is available in Attribute 31 (Calling-Station-Id). –In a TACACS request, ACS obtains this identifier from the remote address field of the start request (of every phase). It takes the remote address value before the slash (/) separator, if it is present; otherwise, it takes the entire remote address value. The end station IPv4 is an IPv4 version of the end station identifier. The end station MAC is a normalized MAC address of the end station identifier. Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device’s IP address or name, or the network device group that it belongs to. The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs. The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request: –In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives. –In a TACACS request, the IP address is obtained from the packet that ACS receives. The device name is an attribute of type string that contains a copy of the device name derived from the ACS repository. The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn, contain the groups that the current device is related to. Device Port Filter—Filters the physical port of the device that the end station is connected to. Filtering is based on the device’s IP address, name, NDG it belongs to, and port. The device port identifier is an attribute of type string: –In a RADIUS request, if Attribute 5 (NAS-Port) is present in the request, ACS obtains the value from Attribute 5; or, if Attribute 87 (NAS-Port-Id) is present in the request, ACS obtains the request from Attribute 87. –In a TACACS request, ACS obtains this identifier from the port field of the start request (of every phase). The device name is an attribute of type string that contains a copy of the device name derived from the ACS repository. The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn, contain the groups that the current device is related to. You can create, duplicate, and edit these filters. You can also do a bulk import of the contents within a filter from a .csv file and export the filters from ACS to a .csv file. See Importing Network Conditions, page 9-8 for more information on how to do a bulk import of network conditions.
9-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions This section contains the following topics: Importing Network Conditions, page 9-8 Exporting Network Conditions, page 9-9 Creating, Duplicating, and Editing End Station Filters, page 9-9 Creating, Duplicating, and Editing Device Filters, page 9-12 Creating, Duplicating, and Editing Device Port Filters, page 9-14 Importing Network Conditions You can use the bulk import function to import the contents from the following network conditions: End station filters Device filters Device port filters For bulk import, you must download the .csv file template from ACS, add the records that you want to import to the .csv file, and save it to your hard drive. Use the Download Template function to ensure that your .csv file adheres to the requirements. The .csv templates for end station filters, device filters, and device port filters are specific to their type; for example, you cannot use a downloaded template accessed from the End Station Filters page to import device filters or device port filters. Within the .csv file, you must adhere to these requirements: Do not alter the contents of the first record (the first line, or row, of the .csv file). Use only one line for each record. Do not imbed new-line characters in any fields. For non-English languages, encode the .csv file in utf-8 encoding, or save it with a font that supports Unicode. The import process does not add filters to the existing list of filters in ACS, but instead replaces the existing list. When you import records from a .csv file, it replaces the existing filter configuration in ACS and replaces it with the filter configuration from the .csv file. Step 1Click the Replace from File button on the End Station Filter, Device Filter, or Device Port Filter page of the web interface. The Replace from File dialog box appears. Step 2Click Download Template to download the .csv file template if you do not have it. Step 3Click Browse to navigate to your .csv file. Step 4Click Start Replace to start the bulk import process. The import progress is shown on the same page. You can monitor the bulk import progress. Data transfer failures of any records within your .csv file are displayed. Step 5Click Close to close the Import Progress window. You can submit only one .csv file to the system at one time. If an import is under way, an additional import cannot succeed until the original import is complete.
9-9 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions TimesaverInstead of downloading the template and creating an import file, you can use the export file of the particular filter, update the information in that file, save it, and reuse it as your import file. Exporting Network Conditions ACS 5.3 offers you a bulk export function to export the filter configuration data in the form of a .csv file. You can export the following filter configurations: End Station Filters Device Filters Device Port Filters From the create, edit, or duplicate page of any of the filters, click Export to File to save the filter configuration as a .csv file on your local hard drive. Creating, Duplicating, and Editing End Station Filters Use the End Station Filters page to create, duplicate, and edit end station filters. To do this: Step 1Choose Policy Elements > Session Conditions > Network Conditions > End Station Filters. The End Station Filters page appears with a list of end station filters that you have configured. Step 2Click Create. You can also: Check the check box next to the end station filter that you want to duplicate, then click Duplicate. Check the check box next to the end station filter that you want to edit, then click Edit. Click Export to save a list of end station filters in a .csv file. For more information, see Exporting Network Conditions, page 9-9. Click Replace from File to perform a bulk import of end station filters from a .csv import file. For more information, see Importing Network Conditions, page 9-8. Step 3Enter the values for the following fields: Name—Name of the end station filter. Description—A description of the end station filter. Step 4Edit the fields in one or more of the following tabs: IP Address—See Defining IP Address-Based End Station Filters, page 9-10 for a description of the fields in this tab. MAC Address—See Defining MAC Address-Based End Station Filters, page 9-11 for a description of the fields in this tab. CLI/DNIS—See Defining CLI or DNIS-Based End Station Filters, page 9-11 for a description of the fields in this tab. NoteTo configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs.
9-10 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 9 Managing Policy Elements Managing Policy Conditions Step 5Click Submit to save the changes. Related Topics Managing Network Conditions, page 9-6 Importing Network Conditions, page 9-8 Creating, Duplicating, and Editing Device Filters, page 9-12 Creating, Duplicating, and Editing Device Port Filters, page 9-14 Defining IP Address-Based End Station Filters You can create, duplicate, and edit the IP addresses of end stations that you want to permit or deny access to. To do this: Step 1From the IP Address tab, do one of the following: Click Create. Check the check box next to the IP-based end station filter that you want to duplicate, then click Duplicate. Check the check box next to the IP-based end station filter that you want to edit, then click Edit. A dialog box appears. Step 2Choose either of the following: Single IP Address—If you choose this option, you must enter a valid IPv4 address of the format x.x.x.x, where x can be any number from 0 to 255. IP Range(s)—If you choose this option, you must enter a valid IPv4 address and subnet mask to filter a range of IP addresses. By default, the subnet mask value is 32. Step 3Click OK. Related Topics Managing Network Conditions, page 9-6 Creating, Duplicating, and Editing End Station Filters, page 9-9 Defining MAC Address-Based End Station Filters, page 9-11 Defining CLI or DNIS-Based End Station Filters, page 9-11