Cisco Acs 57 User Guide

Here you can view all the pages of the manual Cisco Acs 57 User Guide. The Cisco manuals for Control System are available online for free. You can easily download all the documents as PDF.

Page 441

17   
Managing System Administrators
Working with Administrative Access Control
—Active Directory ID store
—LDAP ID store
In cases where Deny Access is selected as the result, the access of the administrator is denied.
In a rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for 
authentication. 
The supported conditions are these: 
System username 
System time and date
Administrator client IP address
An identity policy in the AAC service does...

Page 442

To configure a rule-based policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
Table 21 Rule-Based Identity Policy Page
Option | Description
Policy type | Defines the type of policy to configure: Simple—Specifies the results to apply to all requests. Rule-based—Configures rules to apply different results depending on the request....

Page 443

Configuring Identity Policy Rule Properties
You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate 
the administrator and retrieve attributes for the administrator. The retrieval of attributes is possible only if you use an 
external database. 
To display this page, complete the following steps: 
1. Choose System Administration > Administrative Access...

Page 444

Authenticating Administrators against RADIUS Identity and RSA SecurID Servers
Note: This feature works only after installing ACS 5.7 patch 1. 
ACS 5.7 supports authenticating administrators against RADIUS Identity Server and RSA SecurID Servers. This feature is available in both ACS web interface and acs-config mode of ACS CLI. This feature enhances security to administrator...

Page 445

Performing First ACS administrator authentication using RSA SecurID Server
1. Launch ACS web interface.
2. Enter the username in the Username field.
3. Generate a Token code using RSA SecurID device and enter the token code in the Password field of ACS web interface and click Login.
ACS displays the following message with a system generated PIN:
PIN:  Please remember your new PIN then press Return to continue.
Note: Copy...

Page 446

Administrator Authorization Policy
The authorization policy in the Administrative Access Control is used for dynamically assigning roles to administrators 
upon login. The role of the administrator is set according to the rules that are defined in the policy. According to the rules 
that are defined in the policy, the condition can include attributes and groups if authenticated with an external database. 
ACS can use the...

Page 447

Configuring Administrator Authorization Rule Properties
Use this page to create, duplicate, and edit the rules to determine administrator roles in the AAC access service. 
Select System Administration > Administrative Access Control > Authorization > Standard Policy, and click Create, 
Edit, or Duplicate.
The Administrator Authorization Rule Properties page appears as described in Table 24 on page 24.
Table 23 Administrators...

Page 448

Administrator Login Process
When an administrator logs in to the ACS web interface, ACS 5.7 performs the authentication as given below. 
If an administrator account is configured as a recovery account in the administrator internal identity store, then ACS 
bypasses the identity and authorization policies, authenticates the administrator against the administrator internal identity 
store, and assigns the role statically. If an...

Page 449

Note: If the administrator password on the AD or LDAP server is expired or reset, then ACS denies the administrator 
access to the web interface. 
Resetting the Administrator Password
While configuring administrator access settings, it is possible for all administrator accounts to get locked out, with none 
of the administrators able to access ACS from any IP address in your enterprise. If this happens, you must reset the...

Page 450

Changing the Administrator Password
The Accounts page appears with a list of administrator accounts.
2. Check the check box next to the administrator account for which you want to change the password and click Change Password.
The Authentication Information page appears, listing the date when the administrator’s password was last changed.
3. In the Password field, enter a new administrator password.
4. In the Confirm Password field, re-enter the new administrator password....