Cisco ACS 5.7 User Guide
Managing Access Policies: Configuring the Service Selection Policy (page 5)

[...] an access service policy, choose Access Policies > Access Services > service > policy, where service is the name of the access service and policy is the name of the policy that you want to customize.
2. In the Policy page, click Customize. A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions.
   Note: Identity-related attributes are not available as conditions in a service selection policy.
3. Move conditions between the Available and Selected list boxes.
4. Click OK. The selected conditions now appear under the Conditions column.
5. Click Save Changes.

Configuring a Policy: Next Steps
- Configuring the Service Selection Policy, page 5
- Configuring Access Service Policies, page 22

Configuring the Service Selection Policy

The service selection policy determines which access service processes incoming requests. You can configure a simple policy, which applies the same access service to all requests, or a rule-based service selection policy. In a rule-based policy, each service selection rule contains one or more conditions and a result, which is the access service to apply to an incoming request. You can create, duplicate, edit, and delete rules within the service selection policy, and you can enable and disable them.

This section contains the following topics:
- Configuring a Simple Service Selection Policy, page 5
- Creating, Duplicating, and Editing Service Selection Rules, page 7

Note: If you create and save a simple policy and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you lose all your rules except for the default rule; ACS automatically uses the default rule as the simple policy.
Configuring a Simple Service Selection Policy

A simple service selection policy applies the same access service to all requests. To configure a simple service selection policy:
1. Select Access Policies > Service Selection Policy. By default, the Simple Service Selection Policy page appears.
2. Select an access service to apply, or choose Deny Access.
3. Click Save Changes to save the policy.
Service Selection Policy Page

Use this page to configure a simple or rule-based policy that determines which access service to apply to incoming requests. To display this page, choose Access Policies > Service Selection. If you have already configured the service selection policy, the corresponding Simple Policy page (see Table 80 on page 6) or Rule-based Policy page (see Table 81 on page 6) opens; otherwise, the Simple Policy page opens by default.

Table 80: Simple Service Selection Policy Page

Option | Description
Policy type | Defines the type of policy. Select one result: the result applies to all requests. Rule-based result selection: configured rules apply different results depending on the request.
Service Selection Policy | Access service to apply to all requests. The default is Deny Access.

Table 81: Rule-based Service Selection Policy Page

Option | Description
Policy type | Defines the type of policy to configure. Select one result: the result applies to all requests. Rule-based result selection: configured rules apply different results depending on the request.
Status | Current status of the rule that drives service selection. The rule statuses are: Enabled: the rule is active. Disabled: ACS does not apply the results of the rule. Monitor Only: the rule is active, but ACS does not apply the results of the rule; results such as the hit count are written to the log, and the log entry identifies the rule as monitor only. The monitor option is especially useful for watching the results of a new rule before enforcing it.
Name | Rule name.
Conditions | Conditions that determine the scope of the service. This column displays all current conditions in subcolumns. You cannot use identity-based conditions in a service selection rule.
Results | Service that runs as a result of the evaluation of the rule.
Hit Count | Number of times that the rule has been matched. Click Hit Count to refresh and reset this column.
Default Rule | ACS applies the Default Rule when no enabled rule is matched, or when no other rules are defined. Click the link to edit the Default Rule. You can edit only the result of the Default Rule; you cannot delete, disable, or duplicate it.
Customize button | Opens the Customize page, in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition type that you add. Caution: If you remove a condition type after defining rules, you lose any conditions that you configured for that condition type.
Hit Count button | Opens a window in which you can reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.

To configure a rule-based service selection policy, see these topics:
- Creating, Duplicating, and Editing Service Selection Rules, page 7
- Deleting Service Selection Rules, page 10

After you configure your service selection policy, you can continue to configure your access service policies. See Configuring Access Service Policies, page 22.

Creating, Duplicating, and Editing Service Selection Rules

Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access service in cases where no rules are matched or defined.

When you create rules, remember that the order of the rules matters. ACS evaluates the rules in order as it processes the request of a client that tries to access the ACS network; at the first match, all further processing stops and the result associated with that rule is applied. No further rules are considered after a match is found.

You can duplicate a service selection rule to create a new rule that is the same as, or very similar to, an existing rule. The duplicate rule name is based on the original rule name with a parenthesized number to indicate duplication, for example Rule-1(1). After duplication is complete, you access each rule (original and duplicate) separately. You cannot duplicate the Default Rule.

You can edit all values of user-defined service selection rules; in the Default Rule you can edit only the specified access service.

Note: To configure a simple policy that applies the same access service to all requests, see Configuring a Simple Service Selection Policy, page 5.

Before You Begin
- Configure the conditions that you want to use in the service selection policy. See Managing Policy Conditions, page 1. Identity-related attributes are not available as conditions in a service selection policy.
- Create the access services that you want to use in the service selection policy. See Creating, Duplicating, and Editing Access Services, page 11. You do not need to configure policies in the access service before configuring the service selection policy.
- Configure the types of conditions to use in the policy rules. See Customizing a Policy, page 4, for more information.
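The following Python is an added illustration, not code from the Cisco guide or from ACS itself. It models the evaluation semantics this section describes: rules are tried top to bottom, a Disabled rule is skipped, a Monitor Only rule has its hit count and a monitor-only log entry recorded but its result is not applied, the first Enabled match stops processing, and the Default Rule (Deny Access unless you change it) applies when nothing else matches; hit counts can be reported and reset as the Hit Count page does. The rule names, the request attributes (Protocol, Device Type) and the sample requests are constructed for the example, and the choice to continue evaluating after a Monitor Only rule is the model's own assumption, consistent with the guide's statement that such a rule's result is not applied.

```python
"""Reference model of ACS 5.7 rule-based service selection (added illustration).

Assumptions not stated in the guide: evaluation continues past a Monitor Only
rule to the next rule; conditions are exact matches on request attributes, with
ANY matching everything; rule names, attribute names and requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ANY = "ANY"                  # default value of every condition in a rule
DENY_ACCESS = "Deny Access"  # Default Rule result when no service is chosen
ENABLED, DISABLED, MONITOR_ONLY = "Enabled", "Disabled", "Monitor Only"


@dataclass
class Rule:
    name: str
    status: str                 # ENABLED, DISABLED or MONITOR_ONLY
    conditions: Dict[str, str]  # system/custom condition -> required value or ANY
    result: str                 # access service to apply, or DENY_ACCESS
    hit_count: int = 0

    def matches(self, request: Dict[str, str]) -> bool:
        # Every configured condition must hold; ANY always holds. Only request-level
        # attributes are consulted: identity attributes are not available here.
        return all(want == ANY or request.get(attr) == want
                   for attr, want in self.conditions.items())


@dataclass
class ServiceSelectionPolicy:
    rules: List[Rule]  # evaluated in this order
    default_rule: Rule = field(default_factory=lambda: Rule(
        "Default Rule", ENABLED, {}, DENY_ACCESS))
    log: List[str] = field(default_factory=list)

    def select(self, request: Dict[str, str]) -> str:
        """Return the access service for `request`: first enabled match wins."""
        for rule in self.rules:
            if rule.status == DISABLED or not rule.matches(request):
                continue
            rule.hit_count += 1
            if rule.status == MONITOR_ONLY:
                # Counted and logged as monitor-only; result NOT applied (assumption: keep going).
                self.log.append(f"MONITOR_ONLY rule={rule.name} would_apply={rule.result}")
                continue
            self.log.append(f"MATCH rule={rule.name} service={rule.result}")
            return rule.result  # no further rules are considered
        # No enabled rule matched: the Default Rule applies.
        self.default_rule.hit_count += 1
        self.log.append(f"DEFAULT service={self.default_rule.result}")
        return self.default_rule.result

    def hit_counts(self) -> Dict[str, int]:
        counts = {r.name: r.hit_count for r in self.rules}
        counts[self.default_rule.name] = self.default_rule.hit_count
        return counts

    def reset_hit_counts(self) -> None:
        for r in self.rules + [self.default_rule]:
            r.hit_count = 0


def build_policy() -> ServiceSelectionPolicy:
    """Constructed rule set: a Monitor Only rule sits above the Enabled rule it will replace."""
    return ServiceSelectionPolicy(rules=[
        Rule("TACACS-Trial", MONITOR_ONLY, {"Protocol": "Tacacs"}, "New Device Admin"),
        Rule("TACACS-Prod", ENABLED, {"Protocol": "Tacacs"}, "Default Device Admin"),
        Rule("Legacy-WLAN", DISABLED, {"Protocol": "Radius"}, "Legacy Network Access"),
        Rule("WLAN", ENABLED, {"Protocol": "Radius", "Device Type": "WLC"},
             "Default Network Access"),
    ])


# Constructed sample requests, as the attributes ACS would see them.
SAMPLE_REQUESTS = [
    {"Protocol": "Tacacs", "Device Type": "Router"},
    {"Protocol": "Radius", "Device Type": "WLC"},
    {"Protocol": "Radius", "Device Type": "Switch"},  # matches no enabled rule
]


def demo() -> Tuple[List[str], Dict[str, int], List[str]]:
    """Evaluate the samples once; return (selected services, hit counts, log)."""
    policy = build_policy()
    results = [policy.select(req) for req in SAMPLE_REQUESTS]
    return results, policy.hit_counts(), list(policy.log)


if __name__ == "__main__":
    results, counts, log = demo()
    print(results)  # ['Default Device Admin', 'Default Network Access', 'Deny Access']
    print(counts)
    print("\n".join(log))
```

Two things the run makes visible that the GUI does not: the third request reaches Deny Access only because no enabled rule covers it, so a gap in rule coverage is a silent deny rather than an error, and the Monitor Only rule accumulates a hit count without changing any outcome, which is exactly what to compare against its enabled sibling before promoting it.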
To create, duplicate, or edit a service selection policy rule:
1. Select Access Policies > Service Selection Policy. If you previously created a rule-based policy, the Rule-Based Service Selection Policy page appears with a list of configured rules. If you have not created a rule-based policy, the Simple Service Selection Policy page appears; click Rule-Based.
2. Do one of the following:
   - Click Create.
   - Check the check box of the rule that you want to duplicate; then click Duplicate.
   - Click the name of the rule that you want to modify; or, check the check box next to the name and click Edit.
   The Rule page appears.
3. Enter or modify values. For user-defined rules you can edit any value; ensure that you include at least one condition, and if you are duplicating a rule, you must change the rule name. For the Default Rule you can change only the access service. See Table 82 on page 8 for field descriptions.
4. Click OK. The Service Selection Policy page appears with the rule that you configured.
5. Click Save Changes.

Table 82: Service Selection Rule Properties Page

Option | Description
General: Name | Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.
General: Status | Rule statuses are: Enabled: the rule is active. Disabled: ACS does not apply the results of the rule. Monitor Only: the rule is active, but ACS does not apply the results of the rule; results such as the hit count are written to the log, and the log entry identifies the rule as monitor only. The Monitor option is especially useful for watching the results of a new rule before enforcing it.
Conditions | Conditions that you can configure for the rule. By default, the compound condition appears. Click Customize in the Policy page to change the conditions that appear. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.
Note: A service selection policy that contains a compound condition on the TACACS+ username does not work consistently. The policy works only when the first TACACS+ authentication request contains a username. If the first packet does not carry the username and ACS has to request it from the NAS, the TACACS+ username condition is not matched; the request then falls through to the Default Rule, which is Deny Access, instead of reaching the intended access service.
Results: Service | Name of the access service that runs as a result of the evaluation of the rule.

Related Topics
- Configuring Access Services, page 10
- Deleting Service Selection Rules, page 10

Displaying Hit Counts

Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page.

Table 83: Hit Count Page

Option | Description
Hit Counts Reset: Last time hit counts were reset for this policy | Displays the date and time of the last hit count reset for this policy.
Hit Counts Reset: Reset hit counts display for this policy | Click Reset to reset the hit count display to zero (0) for all rules on the Policy page.
Table 83: Hit Count Page (continued)

Option | Description
Hit Counts Collection: Hit counts are collected every | Displays the interval between hit count collections.
Hit Counts Collection: Last time hit counts were collected for this policy | Displays the date and time of the last hit count update for this policy.
Hit Counts Collection: Refresh hit counts display for this policy | Click Refresh to refresh the hit count display in the Policy page with updated hit counts for all rules. The previous hit counts are discarded.

When a TACACS+ authentication request succeeds, the hit counts of the corresponding identity policy rule and authorization policy rule both increase by 1.

Deleting Service Selection Rules

Note: You cannot delete the Default service selection rule.

To delete a service selection rule:
1. Select Access Policies > Service Selection Policy. The Service Selection Policy page appears with a list of configured rules.
2. Check the check boxes of the one or more rules that you want to delete.
3. Click Delete. The Service Selection Rules page appears without the deleted rule(s).
4. Click Save Changes to save the new configuration.

Configuring Access Services

Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases, for example device administration and wireless network access. When you create an access service, you define the types of policies and the policy structure that it contains, for example policies for device administration or for network access.

Note: You must create access services before you define service selection rules, although you do not need to define the policies in the services.

This section contains the following topics:
- Creating, Duplicating, and Editing Access Services, page 11
- Deleting an Access Service, page 22

After you create an access service, you can use it in the service selection policy. See Configuring the Service Selection Policy, page 5. You can customize and modify the policies in the access service. See Configuring Access Service Policies, page 22.

Related Topic
- Creating, Duplicating, and Editing Access Services, page 11
Editing Default Access Services

ACS 5.7 is preconfigured with two default access services, one for device administration and one for network access. You can edit these access services.

To edit a default access service:
1. Choose one of the following:
   - Access Policies > Access Services > Default Device Admin
   - Access Policies > Access Services > Default Network Access
   The Default Service Access Service Edit page appears.
2. Edit the fields in the Default Service Access Service page. Table 84 on page 11 describes the fields in the General tab.
3. Edit the fields in the Allowed Protocols tab as described in Table 86 on page 17.
4. Click Submit to save the changes you have made to the default access service.

Table 84: Default Access Service - General Page

Option | Description
General: Name | Name of the access service.
General: Description | Description of the access service.
General: Service Type | (Display only) Type of service: device administration or network access.
Policy Structure: Identity | Check to include an identity policy in the access service, to define the identity store or stores that ACS uses for authentication and attribute retrieval.
Policy Structure: Group Mapping | Check to include a group mapping policy in the access service, to map groups and attributes that are retrieved from external identity stores to the identity groups in ACS.
Policy Structure: Authorization | Check to include an authorization policy in the access service, to apply authorization profiles for network access services, or shell profiles and command sets for device administration services.

Creating, Duplicating, and Editing Access Services

Access services contain the authentication and authorization policies for requests. When you create an access service, you define:
- Policy structure: the types of policies the service will contain. You can define these according to a service template, an existing service, or a use case. A service can contain:
  - An identity policy, which defines which identity store to use for authentication.
  - A group mapping policy, which defines the identity group to which to map.
  - An authorization policy. For network access, this policy defines which session authorization profile to apply; for device administration, it defines which shell profile or command set to apply.
- Allowed protocols: specifies which authentication protocols are allowed for this access service, and provides additional information about how ACS uses them for authentication.

Use a service template to define an access service with policies that are customized to use specific condition types. See Configuring Access Services Templates, page 21, for information about the service templates.

Duplicate an access service to create a new access service with rules that are the same as, or very similar to, an existing access service. After duplication is complete, you access each service (original and duplicate) separately. To replicate a service's policy structure without duplicating the source service's rules, create a new access service based on an existing service.

To create, duplicate, or edit an access service:
1. Select Access Policies > Access Services. The Access Services page appears with a list of configured services.
2. Do one of the following:
   - Click Create.
   - Check the check box of the access service that you want to duplicate; then click Duplicate.
   - Click the name of the access service that you want to modify; or, check the check box next to the name and click Edit.
   - Click the access service name in the left navigation tab.
   The Access Service Properties General page appears.
   If you are creating a new access service:
   a. Define the name and policy structure of the access service.
   b. Click Next to proceed to the Allowed Protocols page.
   c. Click Finish to save the new access service.
   If you are duplicating or editing an access service:
   a. Modify the fields in the Properties page tabs as required. You can add policies, but you cannot remove existing policies.
   b. Click Submit to save changes.
   For information about valid field options, see:
   - Configuring General Access Service Properties, page 13
   - Configuring Access Service Allowed Protocols, page 16
   - Configuring Access Services Templates, page 21

The access service configuration is saved. The Access Services page appears with the new configuration.
Related Topics
- Deleting an Access Service, page 22
- Configuring Access Service Policies, page 22
- Configuring the Service Selection Policy, page 5

Configuring General Access Service Properties

Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.
1. Select Access Policies > Access Services, then click Create, Duplicate, or Edit.
2. Complete the fields as described in Table 85 on page 13.

Table 85: Access Service Properties - General Page

Option | Description
General: Name | Name of the access service. If you are duplicating a service, you must enter a unique name as a minimum configuration; all other fields are optional.
General: Description | Description of the access service.
Access Service Policy Structure: Based on service template | Creates an access service containing policies based on a predefined template. This option is available only for service creation.
Access Service Policy Structure: Based on existing service | Creates an access service containing policies based on an existing access service. The new access service does not include the existing service's policy rules. This option is available only for service creation. To replicate a service including its policy rules, duplicate an existing access service.
Access Service Policy Structure: User selected service type | Lets you select the access service type. The available options are Network Access, Device Administration, and External Proxy. The list of policies you can configure depends on your choice of access service type.

User Selected Service Type: Network Access and Device Administration
Policy Structure: Identity | Check to include an identity policy in the access service, to define the identity store or stores that ACS uses for authentication and attribute retrieval.
Policy Structure: Group Mapping | Check to include a group mapping policy in the access service, to map groups and attributes that are retrieved from external identity stores to ACS identity groups.
Policy Structure: Authorization | Check to include an authorization policy in the access service, to apply authorization profiles for network access services, or shell profiles and command sets for device administration services.

User Selected Service Type: External Proxy
External Proxy Servers | Select the set of external servers to be used for proxying. You can also determine the order in which these servers are used.
Available External Proxy Servers | List of available external RADIUS and TACACS+ servers. Select the external servers to be used for proxying and move them to the Selected External Proxy Servers list.
Selected External Proxy Servers | List of selected external proxy servers.

Advanced Options
Accounting: Remote Accounting | Check to enable remote accounting.
Accounting: Local Accounting | Check to enable local accounting.
Username Prefix\Suffix Stripping: Strip start of subject name up to the first occurrence of the separator | Check to strip the prefix from the username. For example, if the subject name is acme\smith and the separator is \, the username becomes smith. The default separator is \.
Username Prefix\Suffix Stripping: Strip end of subject name from the last occurrence of the separator | Check to strip the suffix from the username. For example, if the subject name is smith@acme.com and the separator is @, the username becomes smith. The default separator is @.
RADIUS INBOUND Attributes Injection | This section is used to manipulate the incoming RADIUS attributes before sending them to the proxy server.
Add | After you define a RADIUS incoming attribute, click Add to add it to the RADIUS attributes list.
Edit | To edit a listed RADIUS incoming attribute, select the attribute in the list and click Edit. The attribute properties appear in the fields. Modify the properties as required, then click Replace.
Replace | Click Replace to replace the selected RADIUS incoming attribute with the value that is currently defined in the fields.
Delete | Click Delete to delete the selected RADIUS incoming attribute from the list.
Dictionary Type | Choose the dictionary that contains the RADIUS incoming attribute you want to use.
RADIUS Attribute | Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary.
Attribute Type | Type of the selected RADIUS attribute: the client vendor type of the attribute from which ACS allows access requests. For a description of the attribute types, refer to the Cisco IOS documentation for the Cisco IOS Software release that is running on your AAA clients.
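The two Username Prefix\Suffix Stripping options in Table 85 are easy to misread as symmetric, so the following Python, an added illustration rather than Cisco code, implements them exactly as the table words them: the prefix is cut at the first occurrence of its separator, the suffix at the last occurrence of its separator, with the guide's defaults (\ and @). The sample subject names are constructed. Two details the guide does not state and the code assumes: when both options are checked the prefix is stripped before the suffix, and a subject name that contains no separator is passed through unchanged.

```python
"""Username prefix/suffix stripping as described for the access service
Advanced Options (added illustration, not Cisco code).

Assumptions: with both options checked, the prefix is stripped first and then
the suffix; a name with no separator is returned unchanged. Default separators
are the guide's defaults, backslash for the prefix and @ for the suffix.
"""


def strip_prefix(subject: str, separator: str = "\\") -> str:
    """Strip the start of the subject name up to the FIRST occurrence of the separator."""
    _head, found, tail = subject.partition(separator)
    return tail if found else subject


def strip_suffix(subject: str, separator: str = "@") -> str:
    """Strip the end of the subject name from the LAST occurrence of the separator."""
    head, found, _tail = subject.rpartition(separator)
    return head if found else subject


def normalize_username(subject: str, strip_start: bool = True, strip_end: bool = True,
                       prefix_sep: str = "\\", suffix_sep: str = "@") -> str:
    """Apply the two check-box options in the assumed order (prefix, then suffix)."""
    name = subject
    if strip_start:
        name = strip_prefix(name, prefix_sep)
    if strip_end:
        name = strip_suffix(name, suffix_sep)
    return name


# Constructed subject names as different NAS/clients might present them.
SAMPLES = [
    "acme\\smith",           # the guide's prefix example
    "smith@acme.com",        # the guide's suffix example
    "acme\\smith@acme.com",  # both separators present
    "corp\\acme\\smith",     # two prefix separators: only the first is used
    "smith@mail@acme.com",   # two suffix separators: only the last is used
    "smith",                 # no separator at all
]


def normalize_samples() -> dict:
    """Return {subject name: username after stripping} for every sample."""
    return {s: normalize_username(s) for s in SAMPLES}


if __name__ == "__main__":
    for raw, stripped in normalize_samples().items():
        print(f"{raw!r:28} -> {stripped!r}")
```

Note the consequence for identity: after stripping, the identity policy looks up the bare name, so acme\smith and any other prefix\smith resolve to the same account in whichever store the identity policy selects. Enable stripping only where that collapsing of the realm or domain part is intended.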