Cisco Acs 57 User Guide
Here you can view all the pages of manual Cisco Acs 57 User Guide.
Page 271
15 Managing Access Policies Configuring Access Services
Operation
You can perform the following three operations:
Choose ADD to add a new attribute value for the selected RADIUS attribute:
—If Multiple not allowed—adds the new value for the selected attribute only if this attribute does not exist on the request.
—If Multiple allowed—always adds the attribute with a new value.
Choose UPDATE to update the existing value of a selected RADIUS attribute:
—If Multiple not allowed—updates the...
Page 272
3. Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 16.
Related Topic
Configuring Access Service Allowed Protocols, page 16
Configuring Access Services Templates, page 21
Configuring Access Service Allowed Protocols
The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit...
Page 273
Table 86 Access Service Properties—Allowed Protocols Page
Option: Process Host Lookup
Description: Check to configure ACS to process the Host Lookup field (for example, when the RADIUS Service-Type equals 10) and use the System UserName attribute from the RADIUS Calling-Station-ID attribute. Uncheck for ACS to ignore the Host Lookup request and use the original value of the system UserName attribute for authentication and authorization. When...
Page 274
Allow PEAP
Enables the PEAP authentication protocol and PEAP settings. The default inner method is MSCHAPv2. When you check Allow PEAP, you can configure the following PEAP inner methods:
Allow EAP-TLS—Check to use EAP-TLS as the inner method.
Allow EAP-MSCHAPv2—Check to use EAP-MSCHAPv2 as the inner method.
—Allow Password Change—Check for ACS to support password changes.
—Retry Attempts—Specifies how many times ACS requests user credentials...
Page 275
Allow EAP-FAST
Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2. When you check Allow EAP-FAST, you can configure EAP-FAST inner methods:
Allow EAP-MSCHAPv2
—Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
—Retry Attempts—Specifies how many times ACS...
Page 276
Allow EAP-FAST (continued)
PAC Options
Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one (1) day.
Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. ACS initiates update after the first successful authentication but before the expiration time that is set by the TTL. The Update value is a...
Page 277
3. Click Finish to save your changes to the access service.
To enable an access service, you must add it to the service selection policy.
Configuring Access Services Templates
Use a service template to define an access service with policies that are customized to use specific condition types.
1. In the Configuring General Access Service Properties, page 13, choose Based on service template and click Select.
2. Complete the fields as described in...
Page 278
22 Managing Access Policies Configuring Access Service Policies
Deleting an Access Service
To delete an access service:
1. Select Access Policies > Access Services. The Access Services page appears with a list of configured services.
2. Check one or more check boxes next to the access services that you want to delete.
3. Click Delete; then click OK in the confirmation message. The Access Policies page appears without the deleted access service(s).
Related Topic
Creating, Duplicating, and Editing Access...
Page 279
Configuring a Group Mapping Policy, page 27
Configuring a Session Authorization Policy for Network Access, page 30
Configuring Shell/Command Authorization Policies for Device Administration, page 35
You can configure simple policies to apply the same result to all incoming requests; or, you can create rule-based policies.
Note: If you create and save a simple...
Page 280
2. Select an identity source for authentication; or, choose Deny Access. You can configure additional advanced options. See Configuring Identity Policy Rule Properties, page 26.
3. Click Save Changes to save the policy.
Viewing Rules-Based Identity Policies
Select Access Policies > Access Services > service > Identity, where service is the name of the access service. By default, the Simple Identity Policy page appears with the fields described in...