Cisco Acs 57 User Guide

    Managing Policy Elements
    Managing Authorizations and Permissions
    Authorization profiles for network access authorization (for RADIUS).
    Shell profiles for TACACS+ shell sessions and command sets for device administration. 
    Downloadable ACLs.
    Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco Security Group 
    Access, page 21, for information on configuring these policy elements.
    These topics describe how to manage authorizations and permissions:
    Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 17
    Creating and Editing Security Groups, page 22
    Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22
    Creating, Duplicating, and Editing Command Sets for Device Administration, page 27
    Creating, Duplicating, and Editing Downloadable ACLs, page 30
    Deleting an Authorizations and Permissions Policy Element, page 31
    Configuring Security Group Access Control Lists, page 31
    Creating, Duplicating, and Editing Authorization Profiles for Network Access
    You create authorization profiles to define how different types of users are authorized to access the network. For 
    example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than 
    a user attempting to access the network through a wired connection.
    An authorization profile defines the set of attributes and values that the Access-Accept response returns. You can 
    specify:
    Common data, such as VLAN information, URL for redirect, and more. This information is automatically converted to 
    the raw RADIUS parameter information.
    RADIUS authorization parameters—You can select any RADIUS attribute and specify the corresponding value to 
    return. 
    You can duplicate an authorization profile to create a new authorization profile that is the same, or similar to, an existing 
    authorization profile. After duplication is complete, you access each authorization profile (original and duplicated) 
    separately to edit or delete them.
    After you create authorization profiles, you can use them as results in network access session authorization policies. 
    To create, duplicate, or edit an authorization profile:
    1. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profile.
    The Authorization Profiles page appears with the fields described in Table 68 on page 18.
    2. Do one of the following:
    Click Create.
    Check the check box for the authorization profile that you want to duplicate and click Duplicate.
    Click the name that you want to modify; or, check the check box for the name that you want to modify and click Edit.
    The Authorization Profile Properties page appears.
    3. Enter valid configuration data in the required fields in each tab. See:
    Specifying Authorization Profiles, page 18
    Specifying Common Attributes in Authorization Profiles, page 19
    Specifying RADIUS Attributes in Authorization Profiles, page 20
    4. Click Submit.
    The authorization profile is saved. The Authorization Profiles page appears with the authorization profile that you created or duplicated.
    Specifying Authorization Profiles
    Use this tab to configure the name and description for a network access authorization profile.
    1. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:
    Create to create a new network access authorization definition.
    Duplicate to duplicate a network access authorization definition.
    Edit to edit a network access authorization definition.
    2. Complete the required fields of the Authorization Profile: General page as shown in Table 69 on page 18.
    3. Click one of the following:
    Submit to save your changes and return to the Authorization Profiles page.
    The Common Tasks tab to configure common tasks for the authorization profile; see Specifying Common Attributes in Authorization Profiles, page 19.
    The RADIUS Attributes tab to configure RADIUS attributes for the authorization profile; see Specifying RADIUS Attributes in Authorization Profiles, page 20.
    Table 68 Authorization Profiles Page
    Option: Description
    Name: List of existing network access authorization definitions.
    Description: Display only. The description of the network access authorization definition.
    Table 69 Authorization Profile: General Page
    Option: Description
    Name: The name of the network access authorization definition.
    Description: The description of the network access authorization definition.
    Specifying Common Attributes in Authorization Profiles
    Use this tab to specify common RADIUS attributes to include in a network access authorization profile. ACS converts the specified values to the required RADIUS attribute-value pairs and displays them in the RADIUS Attributes tab.
    1. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:
    Create to create a new network access authorization definition, then click the Common Tasks tab.
    Duplicate to duplicate a network access authorization definition, then click the Common Tasks tab.
    Edit to edit a network access authorization definition, then click the Common Tasks tab.
    2. Complete the required fields of the Authorization Profile: Common Tasks page as shown in Table 70 on page 19.
    Table 70 Authorization Profile: Common Tasks Page
    Option: Description
    ACLS
    Downloadable ACL Name: Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, page 30, for information about defining a downloadable ACL.
    Filter-ID ACL: Includes an ACL Filter ID.
    Proxy ACL: Includes a proxy ACL.
    Voice VLAN
    Permission to Join: Select Static. A value for this parameter is displayed.
    VLAN
    VLAN ID/Name: Includes a VLAN assignment.
    Reauthentication
    Reauthentication Timer: Select whether to use a session timeout value. If you select Static, you must enter a value in the Seconds field. The default value is 3600 seconds. If you select Dynamic, you must select the dynamic parameters.
    Maintain Connectivity during Reauthentication: Click Yes to ensure connectivity is maintained while reauthentication is performed. By default, Yes is selected. This field is enabled only if you define the Reauthentication Timer.
    QoS
    Input Policy Map: Includes a QoS input policy map.
    Output Policy Map: Includes a QoS output policy map.
    802.1X-REV
    Specifying RADIUS Attributes in Authorization Profiles
    Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays the RADIUS attribute parameters that you choose in the Common Tasks tab.
    1. Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:
    Create to create a new network access authorization definition, then click the RADIUS Attributes tab.
    Check the check box for the authorization profile that you want to duplicate, click Duplicate, and then click the RADIUS Attributes tab.
    Check the check box for the authorization profile that you want to modify, click Edit, and then click the RADIUS Attributes tab.
    2. Complete the required fields of the Authorization Profile: RADIUS Attributes page as shown in Table 71 on page 20.
    Table 70 Authorization Profile: Common Tasks Page (continued)
    Option: Description
    LinkSec Security Policy: If you select Static, you must select a value for the 802.1X-REV LinkSec security policy. Valid options are:
    must-not-secure
    should-secure
    must-secure
    URL Redirect
    When a URL is defined for Redirect, an ACL must also be defined.
    URL for Redirect: Includes a URL redirect.
    URL Redirect ACL: Includes the name of the access control list (ACL) for URL redirection. When you define a URL redirect, you must also define an ACL for the URL redirection.
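Table 70 above lists the Common Tasks settings that ACS converts into RADIUS attribute-value pairs for the Access-Accept, together with the rules attached to them (a URL redirect needs a redirect ACL, a Static reauthentication timer defaults to 3600 seconds, the LinkSec policy is one of three values). The Python script below is an added example, not ACS code, that performs that conversion for constructed settings and rejects settings that break those rules. Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, Session-Timeout and Termination-Action are standard RADIUS attributes, and url-redirect, url-redirect-acl, linksec-policy and device-traffic-class are Cisco AV pairs; the dictionary key names, and the assumption that "Maintain Connectivity during Reauthentication" is expressed as Termination-Action=RADIUS-Request, are this example's own.

```python
# Added example (not ACS code): turn an authorization profile's Common Tasks
# settings (Table 70) into the attribute-value pairs an Access-Accept carries,
# enforcing the table's rules along the way.

LINKSEC_POLICIES = ("must-not-secure", "should-secure", "must-secure")
DEFAULT_REAUTH_SECONDS = 3600  # default Static reauthentication timer


class ProfileError(ValueError):
    """A Common Tasks setting violates one of the rules in Table 70."""


def common_tasks_to_avps(tasks):
    """Return a list of (attribute, tag, value) tuples for the Access-Accept.

    `tasks` uses this example's own key names for the Common Tasks fields;
    tag is the RFC 2868 tag for tunnel attributes and None otherwise.
    """
    avps = []

    # Filter-ID ACL maps to the standard Filter-Id attribute.
    if tasks.get("filter_id_acl"):
        avps.append(("Filter-Id", None, tasks["filter_id_acl"]))

    # Voice VLAN "Permission to Join" is delivered as a Cisco AV pair.
    if tasks.get("voice_vlan_join"):
        avps.append(("Cisco-AVPair", None, "device-traffic-class=voice"))

    # VLAN ID/Name becomes the three RFC 2868 tunnel attributes under tag 1.
    if tasks.get("vlan"):
        avps.append(("Tunnel-Type", 1, "VLAN"))
        avps.append(("Tunnel-Medium-Type", 1, "IEEE-802"))
        avps.append(("Tunnel-Private-Group-ID", 1, str(tasks["vlan"])))

    # Reauthentication Timer: Static needs a Seconds value (default 3600).
    timer = tasks.get("reauth_timer")
    if timer == "static":
        seconds = int(tasks.get("reauth_seconds", DEFAULT_REAUTH_SECONDS))
        if seconds <= 0:
            raise ProfileError("reauthentication timer must be positive")
        avps.append(("Session-Timeout", None, seconds))
        # Assumption of this example: "Maintain Connectivity during
        # Reauthentication" (Yes by default) is Termination-Action=RADIUS-Request.
        if tasks.get("maintain_connectivity", True):
            avps.append(("Termination-Action", None, "RADIUS-Request"))
    elif timer == "dynamic":
        raise ProfileError("dynamic reauthentication parameters are not modelled here")

    # 802.1X-REV LinkSec policy must be one of the three listed values.
    policy = tasks.get("linksec_policy")
    if policy is not None:
        if policy not in LINKSEC_POLICIES:
            raise ProfileError(f"invalid LinkSec policy {policy!r}")
        avps.append(("Cisco-AVPair", None, f"linksec-policy={policy}"))

    # URL Redirect: a redirect without a redirect ACL is rejected, per Table 70.
    url = tasks.get("url_redirect")
    acl = tasks.get("url_redirect_acl")
    if url:
        if not acl:
            raise ProfileError("URL for Redirect requires a URL Redirect ACL")
        avps.append(("Cisco-AVPair", None, f"url-redirect={url}"))
        avps.append(("Cisco-AVPair", None, f"url-redirect-acl={acl}"))

    return avps


def violates_rules(tasks):
    """True when common_tasks_to_avps rejects the settings."""
    try:
        common_tasks_to_avps(tasks)
    except ProfileError:
        return True
    return False


# Constructed sample: a guest profile with VLAN, timer and a web redirect.
SAMPLE_TASKS = {
    "vlan": 100,
    "reauth_timer": "static",
    "reauth_seconds": 1800,
    "linksec_policy": "should-secure",
    "url_redirect": "https://portal.example.test/guest",
    "url_redirect_acl": "REDIRECT-ACL",
}

if __name__ == "__main__":
    for name, tag, value in common_tasks_to_avps(SAMPLE_TASKS):
        print(f"{name}{'' if tag is None else f':{tag}'} = {value}")
```

The validation runs before any attribute is emitted, so a profile that would send a redirect URL without its ACL is never written out; the same check is worth running against exported profiles when auditing an ACS deployment.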
    Table 71 Authorization Profile: RADIUS Attributes Page
    Option: Description
    Common Tasks Attributes: Displays the names, values, and types for the attributes that you defined in the Common Tasks tab.
    Manually Entered: Use this section to define RADIUS attributes to include in the authorization profile. As you define each attribute, its name, value, and type appear in the table. To:
    Add a RADIUS attribute, fill in the fields below the table and click Add.
    Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS parameters appear in the fields below the table. Edit as required, then click Replace.
    Dictionary Type: Choose the dictionary that contains the RADIUS attribute you want to use.
    RADIUS Attribute: Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary.
    You must manually add VPN attributes to the authorization profile to authenticate VPN devices in your network. ACS can work with different Layer 2 and Layer 3 protocols, such as:
    IPSec—Operates at Layer 3; no mandatory attributes need to be configured in the ACS authorization profile, but you can configure optional attributes.
    L2TP—For L2TP tunneling, you must configure ACS with:
    CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used.
    CVPN3000/ASA/PIX7.x-L2TP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method.
    PPTP—For PPTP tunneling, you must configure ACS with:
    CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used.
    CVPN3000/ASA/PIX7.x-PPTP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method.
    Attribute Type: Client vendor type of the attribute, from which ACS allows access requests. For a description of the attribute types, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.
    Attribute Value: Value of the attribute. Click Select for a list of attribute values. For a description of the attribute values, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.
    For tunneled protocols, ACS provides attribute values with specific tags to the device within the access response according to RFC 2868.
    If you choose Tagged Enum or Tagged String as the RADIUS attribute type, the Tag field appears. For the tag value, enter a number that ACS will use to group attributes belonging to the same tunnel.
    For the Tagged Enum attribute type:
    Choose an appropriate attribute value.
    Enter an appropriate tag value (0–31).
    For the Tagged String attribute type:
    Enter an appropriate string attribute value (up to 256 characters).
    Enter an appropriate tag value (0–31).
    3. To configure:
    Basic information of an authorization profile; see Specifying Authorization Profiles, page 18.
    Common tasks for an authorization profile; see Specifying Common Attributes in Authorization Profiles, page 19.
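The Attribute Value row of Table 71 says that for tunneled protocols ACS sends tagged attribute values according to RFC 2868, with a tag from 0 to 31 grouping the attributes that belong to one tunnel. The Python code below is an added example, not ACS code, showing what that looks like on the wire: encoders for a Tagged Enum (Tunnel-Type, Tunnel-Medium-Type) and a Tagged String (Tunnel-Private-Group-ID), a decoder that rebuilds the (type, tag, value) triples and applies the RFC rule that a first octet above 0x1F is string data rather than a tag, and a grouping step that collects the attributes of each tunnel. The attribute numbers and enumerations are the IANA RADIUS assignments; the VLAN sample values are constructed.

```python
# Added example (not ACS code): RFC 2868 tagged attribute encoding/decoding
# for the tunnel attributes Table 71 describes.

TUNNEL_TYPE = 64               # Tagged Enum
TUNNEL_MEDIUM_TYPE = 65        # Tagged Enum
TUNNEL_PRIVATE_GROUP_ID = 81   # Tagged String

TAGGED_INTEGER_TYPES = {64, 65, 83}             # incl. Tunnel-Preference
TAGGED_STRING_TYPES = {66, 67, 81, 82, 90, 91}  # endpoints, group/assignment/auth IDs
MAX_TAG = 31                   # the tag octet is 0x00-0x1F
MAX_TAGGED_STRING = 252        # octets left after type, length and tag octets

# Enumerations used by the VLAN sample (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _check_tag(tag):
    if not 0 <= tag <= MAX_TAG:
        raise ValueError(f"tag {tag} outside 0-{MAX_TAG}")


def encode_tagged_integer(attr_type, tag, value):
    """Tagged Enum/Integer: one tag octet followed by a 24-bit value."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integer must fit in 24 bits")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_string(attr_type, tag, text):
    """Tagged String: one tag octet followed by the string octets."""
    _check_tag(tag)
    data = text.encode("utf-8")
    if len(data) > MAX_TAGGED_STRING:
        raise ValueError("tagged string too long for one RADIUS attribute")
    payload = bytes([tag]) + data
    return bytes([attr_type, 2 + len(payload)]) + payload


def decode_attributes(blob):
    """Parse a run of RADIUS attributes into (type, tag, value) tuples.

    tag is None for untagged attributes. For tagged strings, a first octet
    above 0x1F is part of the string (RFC 2868), so tag 0 is reported and
    the octet is kept.
    """
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + length]
        if attr_type in TAGGED_INTEGER_TYPES:
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            attrs.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type in TAGGED_STRING_TYPES:
            if body and body[0] <= MAX_TAG:
                attrs.append((attr_type, body[0], body[1:].decode("utf-8")))
            else:
                attrs.append((attr_type, 0, body.decode("utf-8")))
        else:
            attrs.append((attr_type, None, bytes(body)))
        i += length
    return attrs


def group_by_tag(attrs):
    """Collect tagged attributes per tunnel tag, as the receiving device does."""
    groups = {}
    for attr_type, tag, value in attrs:
        if tag is not None:
            groups.setdefault(tag, []).append((attr_type, value))
    return groups


def vlan_assignment(vlan, tag=1):
    """Constructed sample: the three attributes that assign a VLAN."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


if __name__ == "__main__":
    wire = vlan_assignment(100)
    print(wire.hex())
    print(group_by_tag(decode_attributes(wire)))
```

The 252-octet limit in the encoder is the single-attribute wire limit that follows from the one-octet RADIUS length field; a value entered at the 256-character limit Table 71 allows would not fit in one attribute and would be split or rejected by the server.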
    Creating and Editing Security Groups
    Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups.
    When you create a security group, ACS generates a unique SGT. Network devices can query ACS for SGT information. The network device uses the SGT to tag, or paint, packets at ingress, so that the packets can be filtered at egress according to the egress policy. See Egress Policy Matrix Page, page 45, for information on configuring an egress policy.
    1. Choose Policy Elements > Authorizations and Permissions > Network Access > Security Groups.
    The Security Groups page appears as described in Table 72 on page 22.
    2. Click:
    Create to create a new security group.
    Duplicate to duplicate a security group.
    Edit to edit a security group.
    3. Enter the required information in the Name and Description fields, then click Submit.
    Table 72 Security Groups Page
    Option: Description
    Name: The name of the security group.
    SGT (Dec / Hex): Representation of the security group tag in decimal and hexadecimal format.
    Description: The description of the security group.
    Related Topic
    Creating Security Groups, page 23
    Creating, Duplicating, and Editing a Shell Profile for Device Administration
    You can configure Cisco IOS shell profile and command set authorization. Shell profiles and command sets are combined for authorization purposes. Shell profile authorization provides decisions for the following capabilities for the user requesting authorization and is enforced for the duration of a user’s session:
    Privilege level.
    General capabilities, such as device administration and network access.
    Shell profile definitions are split into two components:
    Common tasks
    Custom attributes
    The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft specification that are specifically relevant to the shell service. However, the values can be used in the authorization of requests from other services.
    The Custom Attributes tab allows you to configure additional attributes. Each definition consists of the attribute name, 
    an indication of whether the attribute is mandatory or optional, and the value for the attribute. Custom attributes can be 
    defined for nonshell services.
    For a description of the attributes that you specify in shell profiles, see Cisco IOS documentation for the specific release 
    of Cisco IOS software that is running on your AAA clients.
    After you create shell profiles and command sets, you can use them in authorization and permissions within rule tables.
    You can duplicate a shell profile if you want to create a new shell profile that is the same, or similar to, an existing shell 
    profile.
    After duplication is complete, you access each shell profile (original and duplicated) separately to edit or delete them.
    To create, duplicate, or edit a shell profile:
    1. Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
    The Shell Profiles page appears.
    2. Do one of the following:
    Click Create.
    Check the check box for the shell profile that you want to duplicate and click Duplicate.
    Click the name that you want to modify; or, check the check box for the name that you want to modify and click Edit.
    The Shell Profile Properties page General tab appears.
    3. Enter valid configuration data in the required fields in each tab. As a minimum configuration, you must enter a unique name for the shell profile; all other fields are optional. See:
    Defining General Shell Profile Properties, page 23
    Defining Common Tasks, page 24
    Defining Custom Attributes, page 27
    4. Click Submit.
    The shell profile is saved. The Shell Profiles page appears with the shell profile that you created or duplicated.
    Related Topics
    Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 17
    Creating, Duplicating, and Editing Command Sets for Device Administration, page 27
    Deleting an Authorizations and Permissions Policy Element, page 31
    Configuring Shell/Command Authorization Policies for Device Administration, page 35
    Defining General Shell Profile Properties
    Use this page to define a shell profile’s general properties.
    1. Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then do one of the following:
    Click Create.
    Check the check box for the shell profile that you want to duplicate and click Duplicate.
    Click the name that you want to modify; or, check the check box for the name that you want to modify and click Edit.
    2. Complete the Shell Profile: General fields as described in Table 73 on page 24.
    3. Click:
    Submit to save your changes and return to the Shell Profiles page.
    The Common Tasks tab to configure privilege levels for the shell profile; see Defining Common Tasks, page 24.
    The Custom Attributes tab to configure custom attributes for the shell profile; see Defining Custom Attributes, page 27.
    Table 73 Shell Profile: General Page
    Option: Description
    Name: The name of the shell profile.
    Description: (Optional) The description of the shell profile.
    Related Topics
    Defining Common Tasks, page 24
    Defining Custom Attributes, page 27
    Defining Common Tasks
    Use this page to define a shell profile’s privilege level and attributes. The attributes are defined by the TACACS+ protocol. For a description of the attributes, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.
    1. Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then click:
    Create to create a new shell profile, then click Common Tasks.
    Duplicate to duplicate a shell profile, then click Common Tasks.
    Edit to edit a shell profile, then click Common Tasks.
    2. Complete the Shell Profile: Common Tasks page as described in Table 74 on page 25.
    Table 74 Shell Profile: Common Tasks
    Option: Description
    Privilege Level
    Default Privilege: (Optional) Enables the initial privilege level assignment that you allow for a client, through shell authorization. If disabled, the setting is not interpreted in authorization and permissions.
    The Default Privilege Level specifies the default (initial) privilege level for the shell profile. If you select Static as the Enable Default Privilege option, you can select the default privilege level; the valid options are 0 to 15.
    If you select Dynamic as the Enable Default Privilege option, you can select an attribute from the dynamic ACS dictionary as a substitute attribute.
    Maximum Privilege: (Optional) Enables the maximum privilege level assignment for which you allow a client after the initial shell authorization.
    The Maximum Privilege Level specifies the maximum privilege level for the shell profile. If you select the Enable Change of Privilege Level option, you can select the maximum privilege level; the valid options are 0 to 15.
    If you choose both default and maximum privilege level assignments, the default privilege level assignment must be equal to or lower than the maximum privilege level assignment.
    Shell Attributes
    Select Not in Use for the options provided below if you do not want to enable them.
    If you select Dynamic, you can substitute the static value of a TACACS+ attribute with the value of another attribute from one of the listed dynamic dictionaries.
    Access Control List: (Optional) Choose Static to specify the name of the access control list to enable it. The name of the access control list can be up to 27 characters, and cannot contain the following: a hyphen (-), left bracket ([), right bracket (]), forward slash (/), back slash (\), apostrophe (‘), or left angle bracket (<).
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    Auto Command: (Optional) Choose Static and specify the command to enable it.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    No Callback Verify: (Optional) Choose Static to specify whether or not you want callback verification. Valid options are:
    True—Specifies that callback verification is not needed.
    False—Specifies that callback verification is needed.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    No Escape: (Optional) Choose Static to specify whether or not you want escape prevention. Valid options are:
    True—Specifies that escape prevention is enabled.
    False—Specifies that escape prevention is not enabled.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    No Hang Up: (Optional) Choose Static to specify whether or not you want any hangups. Valid options are:
    True—Specifies that no hangups are allowed.
    False—Specifies that hangups are allowed.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    Timeout: (Optional) Choose Static to enable and specify, in minutes, the duration of the allowed timeout in the value field. The valid range is from 0 to 999.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    Idle Time: (Optional) Choose Static to enable and specify, in minutes, the duration of the allowed idle time in the value field. The valid range is from 0 to 999.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    Callback Line: (Optional) Choose Static to enable and specify the callback phone line in the value field.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    Callback Rotary: (Optional) Choose Static to enable and specify the callback rotary phone line in the value field.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.
    3. Click:
    Submit to save your changes and return to the Shell Profiles page.
    The General tab to configure the name and description for the shell profile; see Defining General Shell Profile Properties, page 23.
    The Custom Attributes tab to configure custom attributes for the shell profile; see Defining Custom Attributes, page 27.
    To substitute the static value of a TACACS+ attribute with the value of another attribute from one of the listed dynamic dictionaries, complete the following steps.
    1. Choose System Administration > Configuration > Dictionaries > Identity > Internal Users to add attributes to the Internal Users Dictionary.
    2. Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles to create a shell profile.
    3. Choose the Custom Attributes tab to create a new attribute, choose Dynamic as the Attribute Value, and correlate it to the attribute created in the Internal Users Dictionary.
    4. Create a new rule in Access Policies > Access Services > Default Device Admin > Authorization and choose the shell profile you created as the result.
    After authorization, you will see the response as the dynamic attribute value from the Internal ID Store.
    Related Topics
    Defining Custom Attributes, page 27
    Configuring Shell/Command Authorization Policies for Device Administration, page 35
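Table 74, the Custom Attributes description and the dynamic-substitution procedure above together describe what a shell profile contributes to a TACACS+ authorization response: a privilege level, the shell attributes, each marked mandatory or optional, and values that are either static or taken from an attribute of the user record. The Python code below is an added example, not ACS code. It validates a profile against the rules in Table 74 (privilege levels 0 to 15 with the default no higher than the maximum, the 27-character ACL name limit and its forbidden characters, timeout and idle time 0 to 999), resolves Dynamic values from a constructed Internal Users record, and serialises the result as the argument list and authorization REPLY body defined by the TACACS+ protocol (RFC 8907, where a mandatory argument uses `=` and an optional one `*`). The attribute names priv-lvl, acl, autocmd, timeout, idletime, noescape, nohangup, callback-line, callback-rotary and nocallback-verify are the IOS TACACS+ attribute names; the profile dictionary layout and sample values are this example's own.

```python
# Added example (not ACS code): build and serialise the TACACS+ authorization
# arguments a shell profile yields, enforcing the rules from Table 74.
import struct

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01  # RFC 8907 REPLY status: server adds args

# Constraints stated in Table 74.
MAX_ACL_NAME_LEN = 27
FORBIDDEN_ACL_CHARS = set("-[]/\\'<")
RANGE_0_999 = {"timeout", "idletime"}


class ShellProfileError(ValueError):
    """A shell-profile setting violates a rule in Table 74."""


def resolve(spec, user_attrs):
    """Resolve ("static", value) or ("dynamic", user_attribute) to text.

    Dynamic values are read from the user's Internal Users dictionary
    attributes, as in the substitution procedure above.
    """
    kind, ref = spec
    if kind == "static":
        return str(ref)
    if kind == "dynamic":
        if ref not in user_attrs:
            raise ShellProfileError(f"user record has no attribute {ref!r}")
        return str(user_attrs[ref])
    raise ShellProfileError(f"unknown value kind {kind!r}")


def check_priv_lvl(text):
    level = int(text)
    if not 0 <= level <= 15:
        raise ShellProfileError(f"privilege level {level} outside 0-15")
    return level


def shell_profile_args(profile, user_attrs):
    """Return the TACACS+ authorization argument strings for one user."""
    args = []
    default = check_priv_lvl(resolve(profile["default_privilege"], user_attrs))
    maximum = profile.get("maximum_privilege")
    if maximum is not None:
        maximum = check_priv_lvl(maximum)
        if default > maximum:
            raise ShellProfileError("default privilege exceeds maximum privilege")
    args.append(f"priv-lvl={default}")

    for name, (mandatory, spec) in profile.get("attributes", {}).items():
        value = resolve(spec, user_attrs)
        if name == "acl":
            if len(value) > MAX_ACL_NAME_LEN or FORBIDDEN_ACL_CHARS & set(value):
                raise ShellProfileError(f"invalid ACL name {value!r}")
        elif name in RANGE_0_999 and not 0 <= int(value) <= 999:
            raise ShellProfileError(f"{name} must be 0-999, got {value}")
        # RFC 8907: "=" marks a mandatory argument, "*" an optional one.
        args.append(f"{name}{'=' if mandatory else '*'}{value}")
    return args


def encode_author_reply(args, server_msg=""):
    """Serialise an authorization REPLY body: status, flags, server_msg_len,
    data_len, arg_cnt, arg lengths, server_msg, then the arguments."""
    encoded = [a.encode("utf-8") for a in args]
    msg = server_msg.encode("utf-8")
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ShellProfileError("argument count or length exceeds one octet")
    header = struct.pack("!BBHHB", TAC_PLUS_AUTHOR_STATUS_PASS_ADD, 0,
                         len(msg), 0, len(encoded))
    return header + bytes(len(a) for a in encoded) + msg + b"".join(encoded)


def rejects(profile, user_attrs):
    """True when the profile fails validation for this user."""
    try:
        shell_profile_args(profile, user_attrs)
    except ShellProfileError:
        return True
    return False


# Constructed sample profile and user record (not taken from the manual).
SAMPLE_PROFILE = {
    "default_privilege": ("static", 1),
    "maximum_privilege": 15,
    "attributes": {
        "autocmd": (True, ("static", "show version")),
        "timeout": (False, ("dynamic", "session-timeout")),
        "acl": (True, ("static", "admins")),
    },
}
SAMPLE_USER = {"session-timeout": 30}

if __name__ == "__main__":
    args = shell_profile_args(SAMPLE_PROFILE, SAMPLE_USER)
    print(args)
    print(encode_author_reply(args).hex())
```

Because the privilege and ACL checks run before serialisation, a profile whose Dynamic value points at a user attribute that does not exist, or whose resolved value falls outside the table's ranges, produces an error rather than an authorization REPLY with an unexpected argument; that is the failure mode to watch for when auditing dynamic substitutions.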