Home > Cisco > Control System > Cisco Acs 57 User Guide

Cisco Acs 57 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

View all the pages

Add page 281 to Favourites

image text

Enable zoom

25
Managing Access Policies
Configuring Access Service Policies
To configure a rule-based policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
For information about configuring an identity policy for Host Lookup requests, see Configuring an Authorization Policy for
Host Lookup Requests, page 18.
Table 89 Rule-based Identity Policy Page
Option Description
Policy type Defines the type of policy to configure:
Simple—Specifies the results to apply to all requests.
Rule-based—Configure rules to apply different results depending on the request.
Caution: If you switch between policy types, you will lose your previously saved policy
configuration.
Status The current status of the rule. The rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit
count are written to the log, and the log entry includes an identification that the rule is monitor
only. The Monitor option is especially useful for watching the results of a new rule.
Name Rule name.
Conditions Conditions that determine the scope of the policy. This column displays all current conditions in
subcolumns.
Results Identity source that is used for authentication as a result of the evaluation of the rule.
Hit Count Number of times that the rule is matched. Click the Hit Count button to refresh and reset this
column.
Default Rule ACS applies the Default rule when:
Enabled rules are not matched.
No other rules are defined.
Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot
delete, disable, or duplicate it.
Customize button Opens the Customize page in which you choose the types of conditions to use in policy rules. A
new Conditions column appears in the Policy page for each condition that you add.
Caution: If you remove a condition type after defining rules, you will lose any conditions that
you configured for that condition type.
Hit Count button Opens a window that enables you to reset and refresh the Hit Count display in the Policy page.
See Displaying Hit Counts, page 9.

Add page 282 to Favourites

image text

Enable zoom

26
Managing Access Policies

Configuring Access Service Policies
Related Topics
Configuring a Group Mapping Policy, page 27
Configuring a Session Authorization Policy for Network Access, page 30
Configuring a Session Authorization Policy for Network Access, page 30
Configuring Shell/Command Authorization Policies for Device Administration, page 35
Configuring Identity Policy Rule Properties
You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate
the client and retrieve attributes for the client.
To display this page:
1.Choose Access Policies > Access Services > service > Identity, then do one of the following:
Click Create.
Check a rule check box, and click Duplicate.
Click a rule name or check a rule check box, then click Edit.
2.Complete the fields as shown in the Identity Rule Properties page described in Table 90 on page 26:
Table 90 Identity Rule Properties Page
Option Description
General
Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration;
all other fields are optional.
Rule Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
Monitor option is especially useful for watching the results of a new rule.
Conditions
conditions Conditions that you can configure for the rule. By default the compound condition appears. You can
change the conditions that appear by using the Customize button in the Policy page.
The default value for each condition is ANY. To change the value for a condition, check the condition check
box, then specify the value.
If you check Compound Condition, an expression builder appears in the conditions frame. For more
information, see Configuring Compound Conditions, page 40.

Add page 283 to Favourites

image text

Enable zoom

27
Managing Access Policies
Configuring Access Service Policies
Configuring a Group Mapping Policy
Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS
identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group which
can be used in authorization policy rules.
If you created an access service that includes a group mapping policy, you can configure and modify this policy. You can
configure a simple policy, which applies the same identity group to all requests; or, you can configure a rule-based policy.
In the rule-based policy, each rule contains one or more conditions and a result. The conditions can be based only on
attributes or groups retrieved from external attribute stores, and the result is an identity group within the identity group
hierarchy. You can create, duplicate, edit, and delete rules within the policy; and you can enable and disable them.
Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously
saved policy.
To configure a simple group mapping policy:
1.Select Access Policies > Access Services > service > Group Mapping, where service is the name of the access
service.
By default, the Simple Group Mapping Policy page appears. See Table 91 on page 28 for field descriptions.
See Table 92 on page 28 for Rule-Based Group Mapping Policy page field descriptions. Results
Identity Source Identity source to apply to requests. The default is Deny Access. For:
Password-based authentication, choose a single identity store, or an identity store sequence.
Certificate-based authentication, choose a certificate authentication profile, or an identity store
sequence.
The identity store sequence defines the sequence that is used for authentication and attribute retrieval
and an optional sequence to retrieve additional attributes. See Configuring Identity Store Sequences,
page 90.
Advanced
optionsSpecifies whether to reject or drop the request, or continue with authentication for these options:
If authentication failed—Default is reject.
If user not found—Default is reject.
If process failed—Default is drop.
Owing to restrictions on the underlying protocol, ACS cannot always continue processing when the
Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS or Host
Lookup.
For all other authentication protocols, the request is dropped even if you choose the Continue option.
Table 90 Identity Rule Properties Page (continued)
Option Description

Add page 284 to Favourites

image text

Enable zoom

28
Managing Access Policies

Configuring Access Service Policies
2.Select an identity group.
Table 91 Simple Group Mapping Policy Page
Option Description
Policy type Defines the type of policy to configure:
Simple—Specifies the results to apply to all requests.
Rule-based—Configure rules to apply different results depending on the request.
Caution: If you switch between policy types, you will lose your previously saved policy configuration.
Identity Group Identity group to which attributes and groups from all requests are mapped.
Table 92 Rule-based Group Mapping Policy Page
Option Description
Policy type Defines the type of policy to configure:
Simple—Specifies the results to apply to all requests.
Rule-based—Configure rules to apply different results depending on the request.
Caution: If you switch between policy types, you will lose your previously saved policy
configuration.
Status Current status of the rule. The rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
monitor option is especially useful for watching the results of a new rule.
Name Rule name.
Conditions Conditions that determine the scope of the policy. This column displays all current conditions in
subcolumns.
Results Identity group that is used as a result of the evaluation of the rule.
Hit Count Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.
Default Rule ACS applies the Default rule when:
Enabled rules are not matched.
No other rules are defined.
Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot
delete, disable, or duplicate it.
Customize button Opens the Customize page in which you choose the types of conditions to use in policy rules. A new
Conditions column appears in the Policy page for each condition that you add.
Caution: If you remove a condition type after defining rules, you will lose any conditions that you
configured for that condition type.
Hit Count button Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See
Displaying Hit Counts, page 9.

Add page 285 to Favourites

image text

Enable zoom

29
Managing Access Policies
Configuring Access Service Policies
3.Click Save Changes to save the policy.
To configure a rule-based policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
Related Topics
Viewing Identity Policies, page 23
Configuring a Session Authorization Policy for Network Access, page 30
Configuring a Session Authorization Policy for Network Access, page 30
Configuring Shell/Command Authorization Policies for Device Administration, page 35
Configuring Group Mapping Policy Rule Properties
Use this page to create, duplicate, or edit a group mapping policy rule to define the mapping of attributes and groups
that are retrieved from external databases to ACS identity groups.
1.Select Access Policies > Access Services > service > Group Mapping, then do one of the following:
Click Create.
Check a rule check box, and click Duplicate.
Click a rule name or check a rule check box, then click Edit.
2.Complete the fields as described in Table 93 on page 29:
Table 93 Group Mapping Rule Properties Page
Option Description
General
Rule Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration;
all other fields are optional.
Rule Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
monitor option is especially useful for watching the results of a new rule.

Add page 286 to Favourites

image text

Enable zoom

30
Managing Access Policies

Configuring Access Service Policies
Configuring a Session Authorization Policy for Network Access
When you create an access service for network access authorization, it creates a Session Authorization policy. You can
then add and modify rules to this policy to determine the access permissions for the client session.
You can create a standalone authorization policy for an access service, which is a standard first-match rule table. You
can also create an authorization policy with an exception policy. See Configuring Authorization Exception Policies,
page 36. When a request matches an exception rule, the policy exception rule result is always applied.
The rules can contain any conditions and multiple results:
Authorization profile—Defines the user-defined attributes and, optionally, the downloadable ACL that the
Access-Accept message should return.
Security Group Tag (SGT)—If you have installed Cisco Security Group Access, the authorization rules can define
which SGT to apply to the request.
For information about how ACS processes rules with multiple authorization profiles, see Processing Rules with Multiple
Authorization Profiles, page 16.
To configure an authorization policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39
For information about creating an authorization policy for:
Host Lookup requests, see ACS and Cisco Security Group Access, page 21.
Security Group Access support, see Creating an Endpoint Admission Control Policy, page 25.
1.Select Access Policies > Access Services > service > Authorization.
2.Complete the fields as described in Table 94 on page 31: Conditions
conditions Conditions that you can configure for the rule. By default, the compound condition appears. You can
change the conditions that appear by using the Customize button in the Policy page.
The default value for each condition is ANY. To change the value for a condition, check the condition check
box, then specify the value.
If you check Compound Condition, an expression builder appears in the conditions frame. For more
information, see Configuring Compound Conditions, page 40.
Results
Identity Group Identity group to which attributes and groups from requests are mapped.
Table 93 Group Mapping Rule Properties Page (continued)
Option Description

Add page 287 to Favourites

image text

Enable zoom

31
Managing Access Policies
Configuring Access Service Policies
Configuring Network Access Authorization Rule Properties
Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service.
1.Select Access Policies > Access Services > > Authorization, and click Create, Edit, or Duplicate.
Table 94 Network Access Authorization Policy Page
Option Description
Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
monitor option is especially useful for watching the results of a new rule.
Name Name of the rule.
Conditions
Identity Group Name of the internal identity group to which this is matching against.
NDG:nameNetwork device group. The two predefined NDGs are Location and Device Type.
conditionsConditions that define the scope of the rule. To change the types of conditions that the rule uses, click
the Customize button. You must have previously defined the conditions that you want to use.
Results
Authorization Profile Displays the authorization profile that will be applied when the corresponding rule is matched.
When you enable the Security Group Access feature, you can customize rule results; a rule can
determine the access permission of an endpoint, the security group of that endpoint, or both. The
columns that appear reflect the customization settings.
Hit Count The number of times that the rule is matched. Click the Hit Count button to refresh and reset this
column.
Default Rule ACS applies the Default rule when:
Enabled rules are not matched.
No other rules are defined.
Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot
delete, disable, or duplicate it.
Customize button Opens the Customize page in which you choose the types of conditions to use in policy rules. A new
Conditions column appears in the Policy page for each condition that you add.
When you enable the Security Group Access feature, you can also choose the set of rule results; only
session authorization profiles, only security groups, or both.
Caution: If you remove a condition type after defining rules, you will lose any conditions that you
configured for that condition type.
Hit Count button Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See
Displaying Hit Counts, page 9.

Add page 288 to Favourites

image text

Enable zoom

32
Managing Access Policies

Configuring Access Service Policies
2.Complete the fields as described in Table 95 on page 32:
Note: ACS allows you to create an internal user account using the identity string attribute to match a particular
NDG:location only by configuring the detailed path of the NDG.
Configuring Device Administration Authorization Policies
A device administration authorization policy determines the authorizations and permissions for network administrators.
You create an authorization policy during access service creation. See Configuring General Access Service Properties,
page 13 for details of the Access Service Create page.
Use this page to:
View rules.
Delete rules.
Open pages that enable you to create, duplicate, edit, and customize rules.
Select Access Policies > Access Services > service > Authorization.
Table 95 Network Access Authorization Rule Properties Page
Option Description
General
Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum
configuration; all other fields are optional.
Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit
count are written to the log, and the log entry includes an identification that the rule is monitor
only. The monitor option is especially useful for watching the results of a new rule.
Conditions
conditions Conditions that you can configure for the rule. By default the compound condition appears. You
can change the conditions that appear by using the Customize button in the Policy page.
The default value for each condition is ANY. To change the value for a condition, check the
condition check box, then specify the value.
If you check Compound Condition, an expression builder appears in the conditions frame. For
more information, see Configuring Compound Conditions, page 40.
Results
Authorization Profiles List of available and selected profiles. You can choose multiple authorization profiles to apply to
a request. See Processing Rules with Multiple Authorization Profiles, page 16 for information
about the importance of authorization profile order when resolving conflicts.
Security Group (Security Group Access only) The security group to apply.
When you enable Security Group Access, you can customize the results options to display only
session authorization profiles, only security groups, or both.

Add page 289 to Favourites

image text

Enable zoom

33
Managing Access Policies
Configuring Access Service Policies
The Device Administration Authorization Policy page appears as described in Table 96 on page 33.
Configuring Device Administration Authorization Rule Properties
Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device
administration access service.
Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate.
The Device Administration Authorization Rule Properties page appears as described in Table 97 on page 34.
Table 96 Device Administration Authorization Policy Page
Option Description
Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are
written to the log, and the log entry includes an identification that the rule is monitor only. The monitor
option is especially useful for watching the results of a new rule.
Name Name of the rule.
Conditions Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the
Customize button. You must have previously defined the conditions that you want to use.
Results Displays the shell profiles and command sets that will be applied when the corresponding rule is matched.
You can customize rule results; a rule can apply shell profiles, or command sets, or both. The columns that
appear reflect the customization settings.
Hit Count Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.
Default Rule ACS applies the Default rule when:
Enabled rules are not matched.
No other rules are defined.
Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete,
disable, or duplicate it.
Customize
buttonOpens the Customize page in which you choose the types of conditions and results to use in policy rules.
The Conditions and Results columns reflect your customized settings.
Caution: If you remove a condition type after defining rules, you will lose any conditions that you
configured for that condition type.
Hit Count
buttonOpens a window that enables you to reset and refresh the Hit Count display in the Policy page. See
Displaying Hit Counts, page 9.

Add page 290 to Favourites

image text

Enable zoom

34
Managing Access Policies

Configuring Access Service Policies
Configuring Device Administration Authorization Exception Policies
You can create a device administration authorization exception policy for a defined authorization policy. Results from the
exception rules always override authorization policy rules.
Use this page to:
View exception rules.
Delete exception rules.
Open pages that create, duplicate, edit, and customize exception rules.
Select Access Policies > Access Services > service > Authorization, and click Device Administration Authorization
Exception Policy.
The Device Administration Authorization Exception Policy page appears as described in Table 98 on page 35.
Table 97 Device Administration Authorization Rule Properties Page
Option Description
General
Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration;
all other fields are optional.
Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are
written to the log, and the log entry includes an identification that the rule is monitor only. The monitor
option is especially useful for watching the results of a new rule.
Conditions
conditions Conditions that you can configure for the rule. By default the compound condition appears. You can change
the conditions that appear by using the Customize button in the Policy page.
The default value for each condition is ANY. To change the value for a condition, check the condition check
box, then specify the value.
If you check Compound Condition, an expression builder appears in the conditions frame. For more
information, see Configuring Compound Conditions, page 40.
Results
Shell Profiles Shell profile to apply for the rule.
Command
SetsList of available and selected command sets. You can choose multiple command sets to apply.

All Cisco manuals Comments (0)

Related Manuals for Cisco Acs 57 User Guide

Cisco Acs 5x User Guide
650 pages | Cisco Control System