
Cisco Acs 57 User Guide

    							35   
    Managing Access Policies
    Configuring Access Service Policies
    Configuring Shell/Command Authorization Policies for Device Administration
    When you create an access service and select a service policy structure for Device Administration, ACS automatically 
    creates a shell/command authorization policy. You can then create and modify policy rules. 
    The web interface supports the creation of multiple command sets for device administration. With this capability, you can 
    maintain a smaller number of basic command sets. You can then choose the command sets in combination as rule 
    results, rather than maintaining all the combinations themselves in individual command sets. 
    You can also create an authorization policy with an exception policy, which can override the standard policy results. See 
    Configuring Authorization Exception Policies, page 36.
    For information about how ACS processes rules with multiple command sets, see Processing Rules with Multiple 
    Command Sets, page 10.
    To configure rules, see:
    Creating Policy Rules, page 37
    Duplicating a Rule, page 38
    Editing Policy Rules, page 39
    Deleting Policy Rules, page 39
    Table 98 Device Administration Authorization Exception Policy Page
    Option              Description
    Status              Rule statuses are:
                        Enabled—The rule is active.
                        Disabled—ACS does not apply the results of the rule.
                        Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as
                        hit count are written to the log, and the log entry includes an identification that the rule is
                        monitor only. The monitor option is especially useful for watching the results of a new rule.
    Name                Name of the rule.
    Conditions
      Identity Group    Name of the internal identity group that the rule matches against.
      NDG:name          Network device group. The two predefined NDGs are Location and Device Type.
      Condition         Conditions that define the scope of the rule. To change the types of conditions that the rule
                        uses, click the Customize button. You must have previously defined the conditions that you
                        want to use.
    Results             Displays the shell profile and command sets that will be applied when the corresponding rule
                        is matched.
                        You can customize rule results; a rule can determine the shell profile, the command sets, or
                        both. The columns that appear reflect the customization settings.
    Hit Count           Number of times that the rule is matched. Click the Hit Count button to refresh and reset this
                        column.
    Customize button    Opens the Customize page in which you choose the types of conditions to use in policy rules.
                        A new Conditions column appears in the Policy page for each condition that you add. You do
                        not need to use the same set of conditions and results as in the corresponding authorization
                        policy.
                        Caution: If you remove a condition type after defining rules, you will lose any conditions
                        that you configured for that condition type.
    Hit Count button    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page.
                        See Displaying Hit Counts, page 9.
    Configuring Authorization Exception Policies 
    An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to 
    grant provisional access to visitors or increase the level of access to specific users. Use exception policies to react 
    efficiently to changing circumstances and events. 
    The results from the exception rules always override the standard authorization policy rules.
    You create exception policies in a separate rule table from the main authorization policy table. You do not need to use 
    the same policy conditions in the exception policy as you used in the corresponding standard authorization policy. 
    To access the exception policy rules page:
    1.Select Access Policies > Service Selection Policy > service > authorization policy, where service is the name of the 
    access service, and authorization policy is the session authorization or shell/command set authorization policy.
    2.In the Rule-Based Policy page, click the Exception Policy link above the rules table. 
    The Exception Policy table appears with the fields described in Table 99 on page 36:
    Table 99 Network Access Authorization Exception Policy Page
    Option              Description
    Status              Rule statuses are:
                        Enabled—The rule is active.
                        Disabled—ACS does not apply the results of the rule.
                        Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as
                        hit count are written to the log, and the log entry includes an identification that the rule is
                        monitor only. The monitor option is especially useful for watching the results of a new rule.
    Name                Name of the rule.
    Conditions
      Identity Group    Name of the internal identity group that the rule matches against.
      NDG:name          Network device group. The two predefined NDGs are Location and Device Type.
      Condition Name    Conditions that define the scope of the rule. To change the types of conditions that the rule
                        uses, click the Customize button. You must have previously defined the conditions that you
                        want to use.
    Results             Displays the authorization profile that will be applied when the corresponding rule is matched.
                        When you enable the Security Group Access feature, you can customize rule results; a rule can
                        determine the access permission of an endpoint, the security group of that endpoint, or both.
                        The columns that appear reflect the customization settings.
    To configure rules, see:
    Creating Policy Rules, page 37
    Duplicating a Rule, page 38
    Editing Policy Rules, page 39
    Deleting Policy Rules, page 39
    Related Topics
    Configuring a Session Authorization Policy for Network Access, page 30
    Configuring Shell/Command Authorization Policies for Device Administration, page 35
    Creating Policy Rules
    When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes 
    the request of a client that tries to access the ACS network, all further processing stops and the result associated 
    with that match is applied. No further rules are considered after a match is found.
    The Default Rule provides a default policy in cases where no rules are matched or defined. You can edit the result of a 
    default rule.
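The ordering behaviour just described, as an added illustration that is not code from Cisco ACS: a small Python model of a rule table in which rules are checked top to bottom, Disabled rules are skipped, a Monitor rule has its hit counted and logged without its result being applied, and the Default Rule supplies the result when nothing matches. Rule names, identity groups, NDG values and results are constructed sample data, and letting evaluation continue past a Monitor-only match is an assumption (the guide says only that the result is not applied).

```python
"""Model of first-match rule evaluation (added example, not Cisco ACS code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, str]          # attributes of one access request
Result = Dict[str, object]        # e.g. shell profile plus command sets


@dataclass
class Rule:
    name: str
    status: str                           # "Enabled", "Disabled" or "Monitor"
    condition: Callable[[Request], bool]  # True when the rule matches
    result: Result
    hit_count: int = 0


@dataclass
class RuleTable:
    rules: List[Rule]            # evaluated top to bottom
    default_result: Result       # the Default Rule's result
    log: List[str] = field(default_factory=list)

    def evaluate(self, request: Request) -> Result:
        """Return the result of the first Enabled rule that matches."""
        for rule in self.rules:
            if rule.status == "Disabled":
                continue                  # rule is not active at all
            if not rule.condition(request):
                continue
            rule.hit_count += 1           # hit counted for Enabled and Monitor rules
            if rule.status == "Monitor":
                # Assumption: a monitor-only hit is logged and evaluation
                # continues, because its result is never applied.
                self.log.append(f"{rule.name}: hit (monitor only, result not applied)")
                continue
            self.log.append(f"{rule.name}: hit, result applied")
            return rule.result            # first match ends processing
        self.log.append("no rule matched; Default Rule result applied")
        return self.default_result

    def reset_hit_counts(self) -> None:
        """What the Hit Count button's reset does for the table."""
        for rule in self.rules:
            rule.hit_count = 0


def build_sample_table() -> RuleTable:
    """Constructed sample device-administration policy (all names are made up)."""
    full = {"shell_profile": "Full-Privilege", "command_sets": ["AllCommands"]}
    return RuleTable(
        rules=[
            # Disabled: skipped even though it would match every request.
            Rule("Rule-1", "Disabled", lambda r: True, full),
            # Monitor: counted and logged for every NetAdmins request, never applied.
            Rule("Rule-2", "Monitor",
                 lambda r: r.get("IdentityGroup") == "All Groups:NetAdmins", full),
            # Enabled: combines two basic command sets as a single rule result.
            Rule("Rule-3", "Enabled",
                 lambda r: r.get("IdentityGroup") == "All Groups:NetAdmins"
                 and r.get("NDG:Location") == "All Locations:HQ",
                 {"shell_profile": "Full-Privilege",
                  "command_sets": ["ShowCommands", "ConfigCommands"]}),
            Rule("Rule-4", "Enabled",
                 lambda r: r.get("IdentityGroup") == "All Groups:Helpdesk",
                 {"shell_profile": "ReadOnly", "command_sets": ["ShowCommands"]}),
        ],
        default_result={"shell_profile": "DenyAccess", "command_sets": []},
    )


def run_sample() -> RuleTable:
    """Evaluate three constructed requests; return the table with its hit counts and log."""
    table = build_sample_table()
    table.evaluate({"IdentityGroup": "All Groups:NetAdmins", "NDG:Location": "All Locations:HQ"})
    table.evaluate({"IdentityGroup": "All Groups:NetAdmins", "NDG:Location": "All Locations:Branch"})
    table.evaluate({"IdentityGroup": "All Groups:Helpdesk", "NDG:Location": "All Locations:HQ"})
    return table


if __name__ == "__main__":
    t = run_sample()
    for rule in t.rules:
        print(f"{rule.name:7} {rule.status:9} hits={rule.hit_count}")
    print("\n".join(t.log))
```

Running the sample shows why order matters: a NetAdmins request from a Branch device falls through Rule-3 to the Default Rule, and Rule-2 accumulates hits without ever changing an outcome, which is exactly what a Monitor rule is for while a new rule is being trialled.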
    Before You Begin
    Configure the policy conditions and results. See Managing Policy Conditions, page 1.
    Select the types of conditions and results that the policy rules apply. See Customizing a Policy, page 4.
    To create a new policy rule:
    1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access 
    service, and policy is the type of policy. If you:
    Previously created a rule-based policy, the Rule-Based Policy page appears, with a list of configured rules.
    Have not created a rule-based policy, the Simple Policy page appears. Click Rule-Based.
    2.In the Rule-Based Policy page, click Create.
    Table 99 Network Access Authorization Exception Policy Page (continued)
    Option              Description
    Hit Count           Number of times that the rule is matched. Click the Hit Count button to refresh and reset this
                        column.
    Customize button    Opens the Customize page in which you choose the types of conditions to use in policy rules.
                        A new Conditions column appears in the Policy page for each condition that you add. You do
                        not need to use the same set of conditions as in the corresponding authorization policy.
                        When you enable the Security Group Access feature, you can also choose the set of rule
                        results: only session authorization profiles, only security groups, or both.
                        Caution: If you remove a condition type after defining rules, you will lose any conditions
                        that you configured for that condition type.
    Hit Count button    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page.
                        See Displaying Hit Counts, page 9.
    The Rule page appears.
    3.Define the rule. 
    4.Click OK.
    The Policy page appears with the new rule. 
    5.Click Save Changes to save the new rule.
    To configure a simple policy to use the same result for all requests that an access service processes, see: 
    Viewing Identity Policies, page 23
    Configuring a Group Mapping Policy, page 27
    Configuring a Session Authorization Policy for Network Access, page 30
    Configuring Shell/Command Authorization Policies for Device Administration, page 35
    Related Topics
    Duplicating a Rule, page 38
    Editing Policy Rules, page 39
    Deleting Policy Rules, page 39
    Note: ACS 5.7 displays detailed audit reports on the ACS configuration audit reports page for creating, editing, or 
    re-ordering access service policies from the ACS web interface. 
    Duplicating a Rule
    You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate 
    rule name is based on the original rule with parentheses to indicate duplication; for example, Rule-1(1). 
    After duplication is complete, you access each rule (original and duplicated) separately.
    Note: You cannot duplicate the Default rule.
    To duplicate a rule:
    1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access 
    service, and policy is the type of policy.
    The Policy page appears with a list of configured rules.
    2.Check the check box for the rule that you want to duplicate. You cannot duplicate the Default Rule.
    3.Click Duplicate. 
    The Rule page appears.
    4.Change the name of the rule and complete the other applicable field options.
    5.Click OK.
    The Policy page appears with the new rule.
    6.Click Save Changes to save the new rule. 
    7.Click Discard Changes to cancel the duplicate rule. 
    Related Topics
    Creating Policy Rules, page 37
    Editing Policy Rules, page 39
    Deleting Policy Rules, page 39
    Editing Policy Rules
    You can edit all values of policy rules; you can also edit the result in the Default rule.
    To edit a rule:
    1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access 
    service, and policy is the type of policy.
    The Policy page appears, with a list of configured rules.
    2.Click the rule name that you want to modify; or, check the check box for the Name and click Edit.
    The Rule page appears.
    3.Edit the appropriate values. 
    4.Click OK.
    The Policy page appears with the edited rule.
    5.Click Save Changes to save the new configuration.
    6.Click Discard Changes to cancel the edited information.
    Related Topics
    Creating Policy Rules, page 37
    Duplicating a Rule, page 38
    Deleting Policy Rules, page 39
    Deleting Policy Rules
    Note: You cannot delete the Default rule.
    To delete a policy rule:
    1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access 
    service, and policy is the type of policy.
    The Policy page appears, with a list of configured rules.
    2.Check the check boxes for one or more rules that you want to delete.
    3.Click Delete.  
    The Policy page appears without the deleted rule(s).
    4.Click Save Changes to save the new configuration.
    5.Click Discard Changes to cancel the deletion and keep the rules.
    Related Topics
    Creating Policy Rules, page 37
    Duplicating a Rule, page 38
    Editing Policy Rules, page 39
    Configuring Compound Conditions
    Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You 
    define compound conditions in a policy rule page; you cannot define them as separate condition objects.
    This section contains the following topics:
    Compound Condition Building Blocks, page 40
    Types of Compound Conditions, page 41
    Using the Compound Expression Builder, page 44
    Compound Condition Building Blocks
    Figure 24 on page 40 shows the building blocks of a compound condition.
    Figure 24 Building Blocks of a Compound Condition
    Operands—Any attribute or condition type, such as Protocol/Request Attributes, Identity Attributes, Identity Groups, 
    Network Device Groups (NDGs), Date/Time, and Custom or Standard Conditions.
    Relational Operators—Operators that specify the relation between an operand and a value; for example, equals (=), 
    or does not match. The operators that you can use in any condition vary according to the type of operand. 
    Binary condition—A binary condition defines the relation between a specified operand and value; for example, 
    [username = “Smith”].
    Logical Operators—The logical operators operate on or between binary conditions. The supported logical operators 
    are AND and OR.  
    Precedence Control—You can alter the precedence of logical operators by using parentheses. Nested parentheses 
    provide administrator control of precedence. The natural precedence of logical operators, that is, without 
    parenthesis intervention, is NOT, AND, OR, where NOT has the highest precedence and OR the lowest.
    Table 100 on page 41 summarizes the supported dynamic attribute mapping while building Compound Conditions. 
    Table 100 Supported Dynamic Attribute Mapping in Policy Compound Condition
    Operand1                  Operand2                  Example
    String attribute          String attribute          —
    Integer attribute         Integer attribute         —
    Enumeration attribute     Enumeration attribute     —
    Boolean attribute         Boolean attribute         —
    IP address attribute      IP address attribute      —
    Special cases
    Hierarchical attribute    String attribute          NDG:Customer vs. 'Internal Users' string attribute
    String attribute          Hierarchical attribute    —
    Note: Dynamic attribute mapping is not applicable to the ExternalGroups attribute of type "String Enum" or to the 
    "Time And Date" attribute of type "Date Time Period".
    For a hierarchical attribute, the value is prefixed with the attribute name. When you configure a string attribute to 
    compare against a hierarchical attribute, the value of the string attribute must therefore start with the hierarchical 
    attribute name.
    For example: 
    When you define a new string attribute named UsrAttr to compare against the DeviceGroup attribute created under 
    NDG, the value of UsrAttr has to be configured as follows:
    DeviceGroup:Value
    When you want to compare a string attribute with UserIdentityGroup, which is a hierarchy-type attribute of each 
    internal user, the string attribute has to be configured as follows:
    IdentityGroup:All Groups:"Identity Group Name"
    Related Topics
    Types of Compound Conditions, page 41
    Using the Compound Expression Builder, page 44
    Types of Compound Conditions
    You can create three types of compound conditions:
    Atomic Condition
    Consists of a single predicate and is the only entry in the list. Because all simple conditions in a rule table, except for 
    NDGs, assume the equals (=) operation between the attribute and value, the atomic condition is used to choose an 
    operator other than equals (=). See Figure 25 on page 42 for an example.
    Figure 25 Compound Expression - Atomic Condition 
    Single Nested Compound Condition
    Consists of a single operator followed by a set of predicates (>=2). The operator is applied between each of the 
    predicates. See Figure 26 on page 42 for an example. The preview window displays parentheses [()] to indicate 
    precedence of logical operators.
    Figure 26 Single Nested Compound Expression
    Multiple Nested Compound Condition
    You can extend the single nested compound condition by replacing any predicate in the condition with another single 
    nested compound condition. See Figure 27 on page 43 for an example. The preview window displays parentheses [()] 
    to indicate precedence of logical operators. 
    Figure 27 Multiple Nested Compound Expression
    Compound Expression with Dynamic Value
    You can select Dynamic as the value type to compare the dictionary attribute selected as the operand against another 
    dictionary attribute. See Figure 28 on page 44 for an example. 
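The building blocks, precedence rules and value types from this section, as an added example in Python (not code from Cisco ACS): binary conditions, AND/OR/NOT with the natural precedence NOT > AND > OR, parentheses that override it, a parenthesised preview like the builder's, a dynamic value that names another attribute, and the hierarchy-name prefix required when a string attribute is compared with a hierarchical attribute. The operator set (with "matches" treated as a full regular-expression match), the attribute names and the request values are assumptions constructed for the example.

```python
"""Compound-condition evaluator (added example, not Cisco ACS code)."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Union

# Relational operators; "matches" is modelled as a full regex match (an assumption).
OPS = {
    "=": lambda a, b: a == b,
    "matches": lambda a, b: re.fullmatch(str(b), str(a)) is not None,
    ">": lambda a, b: a > b,
}


@dataclass(frozen=True)
class Pred:
    """Binary condition [attr op value]; dynamic=True means value names another attribute."""
    attr: str
    op: str
    value: Any
    dynamic: bool = False
    hierarchy: str = ""   # set when attr is hierarchical, e.g. "DeviceGroup"

    def evaluate(self, req: Dict[str, Any]) -> bool:
        left = req.get(self.attr)
        right = req.get(self.value) if self.dynamic else self.value
        if left is None or right is None:
            return False                      # an absent attribute never matches
        if self.hierarchy and self.dynamic:
            # A string attribute compared with a hierarchical one must carry the
            # hierarchy name as prefix ("DeviceGroup:Core"): check it, strip it, compare.
            prefix = self.hierarchy + ":"
            if not str(right).startswith(prefix):
                return False
            right = str(right)[len(prefix):]
        return OPS[self.op](left, right)


Expr = Union[Pred, tuple]   # ("NOT", e) | ("AND", [e, ...]) | ("OR", [e, ...])


def parse(tokens: List[Union[Pred, str]]) -> Expr:
    """Build the tree with natural precedence NOT > AND > OR; parentheses override it."""
    toks = list(tokens)                 # consumed left to right

    def chain(op: str, sub):            # op-separated items at one precedence level
        items = [sub()]
        while toks and toks[0] == op:
            toks.pop(0)
            items.append(sub())
        return items[0] if len(items) == 1 else (op, items)

    def parse_not() -> Expr:
        tok = toks.pop(0)
        if tok == "NOT":
            return ("NOT", parse_not())
        if tok == "(":
            inner = chain("OR", lambda: chain("AND", parse_not))
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if isinstance(tok, Pred):
            return tok
        raise ValueError(f"unexpected token {tok!r}")

    tree = chain("OR", lambda: chain("AND", parse_not))
    if toks:
        raise ValueError("trailing tokens")
    return tree


def evaluate(expr: Expr, req: Dict[str, Any]) -> bool:
    if isinstance(expr, Pred):
        return expr.evaluate(req)
    kind, body = expr
    if kind == "NOT":
        return not evaluate(body, req)
    results = [evaluate(e, req) for e in body]
    return all(results) if kind == "AND" else any(results)


def render(expr: Expr) -> str:
    """Parenthesised text, as the builder's preview window shows precedence."""
    if isinstance(expr, Pred):
        return f"[{expr.attr} {expr.op} {(expr.value if expr.dynamic else repr(expr.value))}]"
    kind, body = expr
    if kind == "NOT":
        return f"(NOT {render(body)})"
    return "(" + f" {kind} ".join(render(e) for e in body) + ")"


def demo() -> Dict[str, Any]:
    """Constructed request and conditions showing precedence and dynamic values."""
    req = {"Protocol": "TACACS+", "IdentityGroup": "All Groups:NetAdmins", "Hour": 14,
           "NDG:DeviceGroup": "Core", "UsrAttr": "DeviceGroup:Core"}
    a = Pred("Protocol", "=", "TACACS+")                       # True
    b = Pred("IdentityGroup", "matches", "All Groups:Help.*")  # False
    c = Pred("Hour", ">", 8)                                   # True
    natural = parse([a, "OR", b, "AND", "NOT", c])             # a OR (b AND (NOT c))
    forced = parse(["(", a, "OR", b, ")", "AND", "NOT", c])    # (a OR b) AND (NOT c)
    dyn = Pred("NDG:DeviceGroup", "=", "UsrAttr", dynamic=True, hierarchy="DeviceGroup")
    return {
        "natural": evaluate(natural, req),
        "forced": evaluate(forced, req),
        "natural_preview": render(natural),
        "dynamic_prefixed": evaluate(dyn, req),
        "dynamic_unprefixed": evaluate(dyn, {**req, "UsrAttr": "Core"}),
    }
```

The same three predicates give opposite answers depending on whether the parentheses are present, which is why the preview window's bracketing is worth reading before a rule is saved; the last two entries show that a string attribute without the hierarchy prefix never matches the hierarchical attribute it is meant to compare against.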
    Figure 28 Compound Expression Builder with Dynamic Value
    Related Topics
    Compound Condition Building Blocks, page 40
    Using the Compound Expression Builder, page 44
    Using the Compound Expression Builder
    You construct compound conditions by using the expression builder in Rule Properties pages. The expression builder 
    contains two sections: a predicate builder to create primary conditions and controls for managing the expression.
    In the first section, you define the primary conditions. Choose the dictionary and attribute to define the operand, then 
    choose the operator, and specify a value for the condition. Use the second section to organize the order of conditions 
    and the logical operators that operate on or between binary conditions. 
    Table 101 on page 44 describes the fields in the compound expression builder.
    Table 101 Expression Builder Fields 
    Field          Description
    Condition      Use this section to define the primary conditions.
      Dictionary   Specifies the dictionary from which to take the operand. The available options depend on the policy
                   that you are defining. For example, when you define a service selection policy, the Identity
                   dictionaries are not available.
      Attribute    Specifies the attribute that is the operand of the condition. The available attributes depend on the
                   dictionary that you chose.
      Operator     The relational operator content is dynamically determined according to the choice in the preceding
                   operand field.
      Value        The condition value. The type of this field depends on the type of condition or attribute. Select one
                   of the following two options:
                   Static—If selected, you have to enter or select the static value depending on attribute type.
                   Dynamic—If selected, you can select another dictionary attribute to compare against the dictionary
                   attribute selected as operand.