
Cisco ACS 5.7 User Guide


Page 131

Cisco Systems, Inc. www.cisco.com
 
Managing Users and Identity Stores
This chapter describes the following topics:
Overview, page 1
Managing Internal Identity Stores, page 4
Managing External Identity Stores, page 29
Configuring CA Certificates, page 83
Configuring Certificate Authentication Profiles, page 89
Configuring Identity Store Sequences, page 90
Overview
ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. 
When a host...

Page 132

Fixed components are:
Name
Description
Password
Enabled or disabled status
Email Address
Identity group to which users belong
Configurable components are:
Enable password for TACACS+ authentication
Sets of identity attributes that determine how the user definition is displayed and entered
Disable Account if Date Exceeds
Disable account after n successive failed attempts
Enable Password Hash
Password Never Expired/Disabled
Cisco recommends that...

Page 133

Identity Stores with Two-Factor Authentication
You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external 
identity stores use an OTP that provides greater security. The following additional configuration options are available for these 
external identity stores:
Identity caching—You can enable identity caching for ACS to use the identity store while processing a request in cases where...

Page 134

Managing Internal Identity Stores
If you choose to perform authentication on an identity database, you can define a list of identity databases to be accessed 
in sequence until the authentication succeeds. If the authentication succeeds, the attributes within the database are 
retrieved.
In addition, you can configure an optional list of databases from which additional attributes can be retrieved. These additional 
databases can be configured irrespective of...

Page 135

Creating Internal Users, page 13
Enable and Disable Password Hashing for Internal Users, page 18
Configuring Password Expiry Notification Emails to Users and Administrators, page 19
Viewing and Performing Bulk Operations for Internal Identity Store Users, page 21
Configuring Authentication Settings for Hosts, page 21
Creating Hosts in Identity Stores, page 22
Viewing and Performing Bulk Operations for Internal Identity Store...

Page 136

You use identity groups within policy conditions to create logical groups of users to which the same policy results are applied. 
You can associate each user in the internal identity store with a single identity group. 
When ACS processes a request for a user, the identity group for the user is retrieved and can then be used in conditions in the 
rule table. Identity groups are hierarchical in structure. 
You can map identity groups...

Page 137

Deleting an Identity Group, page 7
Deleting an Identity Group
To delete an identity group:
1. Choose Users and Identity Stores > Identity Groups.
The Identity Groups page appears.
2. Check one or more check boxes next to the identity groups you want to delete and click Delete.
The following error message appears:
Are you sure you want to delete the selected item/items?
3. Click OK.
The Identity Groups page appears without the deleted...

Page 138

User Attributes
Administrators can create and add user-defined attributes from the set of identity attributes. You can then assign default values 
for these attributes for each user in the internal identity store and define whether the default values are required or optional.
You need to define users in ACS, which includes associating each internal user with an identity group, a description (optional), 
a password, an enable...

Page 139

4. Define rules based on this condition.
As you become more familiar with ACS 5.7 and your identity attributes for users, the policies themselves will become more 
robust and complex.
You can use the user-defined attribute values to manage policies and authorization profiles. See Creating, Duplicating, and 
Editing an Internal User Identity Attribute, page 12 for information on how to create a user attribute.
Host Attributes
You can...

Page 140

3. In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. The 
following table describes the fields in the Advanced tab.
Table 38 Password Complexity Tab
Option | Description
Applies to all ACS internal identity store user accounts
Minimum length | Required minimum length; the valid options are 4 to 127.
Password may not contain the username | Whether...