Home > Cisco > Control System > Cisco Acs 57 User Guide

Cisco Acs 57 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

View all the pages

Add page 301 to Favourites

image text

Enable zoom

45
Managing Access Policies
Security Group Access Control Pages
Related Topics
Compound Condition Building Blocks, page 40
Types of Compound Conditions, page 41
Security Group Access Control Pages
This section contains the following topics:
Egress Policy Matrix Page, page 45
Editing a Cell in the Egress Policy Matrix, page 46
Defining a Default Policy for Egress Policy Page, page 46
NDAC Policy Page, page 47
NDAC Policy Properties Page, page 48
Network Device Access EAP-FAST Settings Page, page 49
Egress Policy Matrix Page
The Egress policy, also known as an SGACL policy, determines which SGACLs to apply at the Egress points of the
network, based on the source and destination SGTs. ACS presents the Egress policy as a matrix; it displays all the
security groups in the source and destination axes. Each cell in the matrix can contain a set of ACLs to apply to the
corresponding source and destination SGTs.
The network devices add the default policy to the specific policies that you defined for the cells. For empty cells, only
the default policy applies.
Use the Egress policy matrix to view, define, and edit the sets of ACLs to apply to the corresponding source and
destination SGTs. Current
Condition
SetUse this section to organize the order of conditions and the logical operators that operate on or between
binary conditions.
Condition list Displays a list of defined binary conditions for the compound conditions and their associated logical
operators.
Add After you define a binary condition, click Add to add it to the Condition list.
Edit To edit a binary condition, select the condition in the Condition list and click Edit. The condition properties
appear in the Condition fields. Modify the condition as required, then click Replace.
Replace Click to replace the selected condition with the condition currently defined in the Condition fields.
And
OrSpecifies the logical operator on a selected condition, or between the selected condition and the one above
it. Click the appropriate operator, and click Insert to add the operator as a separate line; click the operator
and click Replace, to replace the selected line.
Delete Click to delete the selected binary condition or operator from the condition list.
Preview Click to display the current expression in corresponding parenthesis representation. The rule table displays
the parenthesis representation after the compound expression is created.
Table 101 Expression Builder Fields (continued)
Field Description

Add page 302 to Favourites

image text

Enable zoom

46
Managing Access Policies

Security Group Access Control Pages
To display this page, choose Access Policies > Security Group Access Control > Egress Policy.
Related Topic
Creating an Egress Policy, page 25
Editing a Cell in the Egress Policy Matrix
Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply to the corresponding
source and destination security group.
To display this page, choose Access Policies > Security Group Access Control > Egress Policy, select a cell, then click
Edit.
Related Topic
Creating an Egress Policy, page 25
Defining a Default Policy for Egress Policy Page
Use this page to define the default Egress policy. The network devices add the default policy to the specific policies
defined for the cells. For empty cells, only the default policy applies.
To display this page, choose Access Policies > Security Group Access Control > Egress Policy, then click Default
Policy.
Table 102 Egress Policy Matrix Page
Option Description
Destination Security
GroupColumn header displaying all destination security groups.
Source Security
GroupRow header displaying all source security groups.
Cells Contain the SGACLs to apply to the corresponding source and destination security group.
Edit Click a cell, then click Edit to open the Edit dialog box for that cell. See Editing a Cell in the Egress
Policy Matrix, page 46.
Default Policy Click to open a dialog box to define the default Egress policy. See Defining a Default Policy for Egress
Policy Page, page 46.
Set Matrix View To change the Egress policy matrix display, choose an option, then click Go:
All—Clears all the rows and columns in the Egress policy matrix.
Customize View—Launches a window where you can customize source and destination security
groups corresponding to the selected cell.
Table 103 Edit Cell Page
Option Description
Configure Security
GroupsDisplay only. Displays the source and destination security group name for the selected cell.
General Description for the cell policy.
ACLs Move the SGACLs that you want to apply to the corresponding source and destination security group
from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and
Down (v) arrows.

Add page 303 to Favourites

image text

Enable zoom

47
Managing Access Policies
Security Group Access Control Pages
Related Topics
Creating an Egress Policy, page 25
Creating a Default Policy, page 26
NDAC Policy Page
The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group
Access environment. The NDAC policy handles:
Peer authorization requests from one device about its neighbor.
Environment requests (a device is collecting information about itself).
The policy returns the same SGT for a specific device, regardless of the request type.
Note: Yo u d o n o t a d d a n N D A C p o l i c y t o a n a c c e s s s e r v i c e ; i t is implemented by default. However, for endpoint admission
control, you must define an access service and session authorization policy. See Configuring Network Access
Authorization Rule Properties, page 31, for information about creating a session authorization policy.
Use this page to configure a simple policy that assigns the same security group to all devices, or configure a rule-based
policy.
To display this page, choose Access Policies > Security Group Access Control > Network Device Access >
Authentication Policy.
If you have already configured an NDAC policy, the corresponding Simple Policy page or Rule-based Policy page opens;
otherwise, the Simple Policy page opens by default.
Simple Policy Page
Use this page to define a simple NDAC policy.
Rule-Based Policy Page
Use this page for a rule-based policy to:
Table 104 Default Policy Page
Option Description
ACLs Move the SGACLs that you want to apply to the corresponding source and destination security group
from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and
Down (v) arrows.
Select Permit All or Deny All as a final catch-all rule.
Table 105 Simple NDAC Policy Page
Option Description
Policy type Defines the type of policy to configure:
Simple—Specifies that the result applies to all requests.
Rule-based—Configure rules to apply different results depending on the request.
If you switch between policy types, you will lose your previously saved policy configuration.
Security Group Select the security group to assign to devices. The default is Unknown.

Add page 304 to Favourites

image text

Enable zoom

48
Managing Access Policies

Security Group Access Control Pages
View rules.
Delete rules.
Open pages that create, duplicate, edit, and customize rules.
Related Topics:
Configuring an NDAC Policy, page 23
NDAC Policy Properties Page, page 48
NDAC Policy Properties Page
Use this page to create, duplicate, and edit rules to determine the SGT for a device.
Table 106 Rule-Based NDAC Policy Page
Option Description
Policy type Defines the type of policy to configure:
Simple—Specifies the result to apply to all requests.
Rule-based—Configure rules to apply different results depending on the request.
If you switch between policy types, you will lose your previously saved policy configuration.
Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
monitor option is especially useful for watching the results of a new rule.
Name Name of the rule. The Default Rule is available for conditions for which:
Enabled rules are not matched.
Rules are not defined.
Click a link to edit or duplicate a rule.
You can edit the Default Rule but you cannot delete, disable, or duplicate it.
Conditions Conditions that you can use to define policy rules. To change the display of rule conditions, click the
Customize button. You must have previously defined the conditions that you want to use.
Results Displays the security group assigned to the device when it matches the corresponding condition.
Hit Count Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.
Customize button Opens the Customize page in which you choose the types of conditions to use in policy rules. A new
Conditions column appears in the Policy page for each condition that you add. You do not need to use
the same set of conditions as in the corresponding authorization policy.
Caution: If you remove a condition type after defining rules, you will lose any conditions that you
configured for that condition type.
Hit Count button Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See
Displaying Hit Counts, page 9.

Add page 305 to Favourites

image text

Enable zoom

49
Managing Access Policies
Security Group Access Control Pages
To display this page, choose Access Policies > Security Group Access Control > Network Device Access >
Authentication Policy, then click Create, Edit, or Duplicate.
Note: For endpoint admission control, you must define an access service and session authorization policy. See
Configuring Network Access Authorization Rule Properties, page 31 for information about creating a session
authorization policy.
Related Topics:
Configuring an NDAC Policy, page 23
NDAC Policy Page, page 47
Network Device Access EAP-FAST Settings Page
Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses.
To display this page, choose Access Policies > Security Group Access Control > Network Device Access.
Table 107 NDAC Policy Properties Page
Option Description
General
Name Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum
configuration; all other fields are optional.
Status Rule statuses are:
Enabled—The rule is active.
Disabled—ACS does not apply the results of the rule.
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
monitor option is especially useful for watching the results of a new rule.
Conditions
conditions Conditions that you can configure for the rule. The default value for each condition is ANY. To change
the value for a condition, check the condition check box, then enter the value.
If compound expression conditions are available, when you check Compound Expression, an
expression builder appears. For more information, see Configuring Compound Conditions, page 40.
To change the list of conditions for the policy, click the Customize button in the NDAC Policy Page,
page 47.
Results
Security Group Select the security group to assign to the device when it matches the corresponding conditions.
Table 108 Network Device Access EAP-FAST Settings Page
Option Description
EAP-FAST Settings
Tunnel PAC Time To Live Time to live (TTL), or duration, of a PAC before it expires and requires replacing.
Proactive PAC Update When %
of PAC TTL is LeftPercentage of PAC TTL remaining when you should update the PAC.

Add page 306 to Favourites

image text

Enable zoom

50
Managing Access Policies

Maximum User Sessions
Related Topics:
Configuring an NDAC Policy, page 23
Configuring EAP-FAST Settings for Security Group Access, page 24
NDAC Policy Page, page 47
Maximum User Sessions
For optimal performance, you can limit the number of concurrent users accessing network resources. ACS 5.7 imposes
limits on the number of concurrent service sessions per user.
The limits are set in several different ways. You can set the limits at the user level or at the group level. Depending upon
the maximum user session configurations, the session count is applied to the user.
Note: To make the maximum sessions work for user access, the administrator should configure RADIUS accounting.
Note: To make the maximum sessions work for device management, the administrator should configure TACACS+
session authorization and accounting.
This section contains the following topics:
Maximum Session User Settings, page 50
Maximum Session Group Settings, page 51
Maximum Session Global Settings, page 52
Purging User Sessions, page 53
Maximum User Session in Distributed Environment, page 54
Maximum User Session in Proxy Scenario, page 54
Maximum Session User Settings
You can configure maximum user sessions for each user globally.
To configure maximum user sessions:
1.Choose Access Policies > Max User Session Policy > Max Session User Settings.
2.Specify a Max User Session Value, for the maximum number of concurrent sessions permitted.
3.Check the Unlimited Sessions check box if you want users to have unlimited sessions.
4.Click Submit.
Note: If the maximum number of sessions is configured at both the user and group level, the smaller value will have
precedence.
For example:
Given a user Bob in the group America:US:West with a maximum session value of 5 sessions for the group and a
maximum session value of 10 for the user. In this case, user Bob can have a maximum of 5 sessions only.
Related Topics
Maximum Session Group Settings, page 51

Add page 307 to Favourites

image text

Enable zoom

51
Managing Access Policies
Maximum User Sessions
Maximum Session Global Settings, page 52
Purging User Sessions, page 53
Maximum User Session in Distributed Environment, page 54
Maximum User Session in Proxy Scenario, page 54
Maximum Session Group Settings
You can configure the maximum number of sessions for the identity groups. All the sessions can sometimes be used by
a few users in the group. Requests from other users to create a new session are rejected because the number of sessions
has already reached the maximum configured value.
ACS 5.7 allows you to configure a maximum session limit for any user in the group; for example, each user belonging to
a specific Identity Group may open not more than the session limit, no matter how many sessions other users from the
same group have opened. There is no option to set up a session limit for a particular user.
From the ACS web interface, you can configure the Maximum Sessions limit for a user belonging to an identity group
from the ACS web interface.
The ACS 4.x migration utility includes migrating the maximum session configuration.
When calculating the session limit for a particular user, the lowest configuration value takes the precedence—whether the
global session limit per user, the session limit per identity group that the user belongs to, or the session limit per user in
the group.
To configure maximum sessions for a group:
1.Choose Access Policies > Max User Session Policy > Max Session Group Settings.
All the configured identity groups are listed.
2.Check the check box the group for which you want to configure a maximum number of sessions.
3.Click Edit.
4.Complete the fields as described in Table 109 on page 51.
5.Click Submit.
Table 109 Max User Session Global Settings Page
Option Description
General
Name Name of the Identity Group.
Description Description of the Identity Group.
Max Session Group Settings
Unlimited Session Check this check box if you want to provide unlimited sessions to the group.
Max Session for Group Specify a value for the maximum number of concurrent sessions permitted for the group.
Unlimited Sessions for Users in
GroupCheck this check box if you want to provide unlimited sessions for each user in a group.
Max Session for User in Group Specify a value for the maximum number of concurrent sessions permitted for each user
in a group. This option overrides the maximum number of sessions for a group.

Add page 308 to Favourites

image text

Enable zoom

52
Managing Access Policies

Maximum User Sessions
Unlimited is selected by default. Group-level session limits are applied based on the hierarchy. For example:
The group hierarchy is America:US:West:CA and the maximum sessions are as follows:
America: 100 max sessions
US: 80 max sessions
West: 75 max sessions
CA: 50 max sessions
If “Max Session for User in Group X” is set to N, each user belonging to the group X may open not more than N sessions.
If the user belongs to America/US/West, ACS checks that the number of sessions does not exceed the limit that is
specified for the parent groups America/US/West, America/US, America. When you set the maximum number of
sessions of a user group to 100, the total count of all sessions established by all members of that group cannot exceed
100. Once the session is allowed, the Number of Active Sessions Availed counter for the three nodes is increased by
one. The ACS runtime component takes care of this validation during authentication.
Note: If the maximum number of sessions is configured at the group level, at the user level within a group level, and at
the user level globally, then ACS considers the least value among them.
Related Topics
Maximum Session User Settings, page 50
Maximum Session Global Settings, page 52
Purging User Sessions, page 53
Maximum User Session in Distributed Environment, page 54
Maximum User Session in Proxy Scenario, page 54
Maximum Session Global Settings
You can assign session keys for RADIUS and TACACS+ requests. A session key is provided with a set of attributes for
RADIUS and TACACS+. You can customize the session key attribute s a c c o r d i n g t o yo u r e n v i r o n m e n t . I f yo u d o n o t a ss i g n
a session key, ACS uses the default session key values.
A session key is a unique key that is used to track user sessions. The session key helps ACS differentiate between a user
re-authenticating to the same session and a user starting a new session. The session key attributes for a single session
should be the same in the access request and in the accounting start packet. The Session key helps ACS to identity the
session properly. When ACS re-authenticates the same session again, the same key is retained.
To configure the global settings for maximum user sessions, choose System Administration > Users > Max User
Session Global Settings.

Add page 309 to Favourites

image text

Enable zoom

53
Managing Access Policies
Maximum User Sessions
Related Topics
Maximum Session User Settings, page 50
Maximum Session Group Settings, page 51
Purging User Sessions, page 53
Maximum User Session in Distributed Environment, page 54
Maximum User Session in Proxy Scenario, page 54
Purging User Sessions
You can use the Purge option only when users are listed as Logged-in but connection to the AAA client has been lost
and the users are no longer actually logged in.
Purging will not log off the user from the AAA client, however it will decrease the session count by one. While the count
is zero, any interim updates or STOP packet that arrives from the device will be discarded. Due to this purging, if a user
logged in with the same user name and password in another AAA client, this session will not be affected.
Note: A fake accounting stop is sent irrespective of the session count value.
To purge the User session:
1.Go to System Administration > Users > Purge User Sessions.
The Purge User Session page appears with a list of all AAA clients.
2.Select the AAA client for which you want to purge the user sessions.
3.Click Get Logged-in User List.
Table 110 Max User Session Global Settings Page
Option Description
RADIUS Session Key Assignment
Available Session Keys RADIUS sessions keys available for assignment.
Note: To use the RADIUS Acct-Session-Id (attribute #44) in the RADIUS session key, you
should configure the Acct-Session-Id to be sent in the access request:
Router(config)# radius-server attribute 44 include-in-access-req
Assigned Session Keys RADIUS session key assigned. The default session keys for RADIUS are:
UserName:NAS-Identifier:NAS-Port:Calling-Station-ID
TACACS+ Session Key Assignment
Available Session Keys TACACS+ sessions keys available for assignment.
Assigned Session Keys TACACS+ session key that have been assigned. The default session keys for TACACS+
are: User:NAS-Address:Port:Remote-Address
Max User Session Timeout Settings
Unlimited Session Timeout No timeout.
Max User Session Timeout Once the session timeout is reached, ACS sends a fake STOP packet to close the
respective session and updates the session count.
Note: The user is not forced to log out of the device.

Add page 310 to Favourites

image text

Enable zoom

							54
Managing Access Policies
 
Maximum User Sessions
A list of all the logged in users is displayed.
4.Click Purge All Sessions to purge all the user session logged in to the particular AAA client.
Related Topics
Maximum Session User Settings, page 50
Maximum Session Group Settings, page 51
Maximum Session Global Settings, page 52
Maximum User Session in Distributed Environment, page 54
Maximum User Session in Proxy Scenario, page 54
Maximum User Session in Distributed Environment
In distributed environment, all the user and identity group configurations are replicated to the secondaries except the 
session cache related information with respect to maximum user session maintained by runtime. Hence, each server has 
its own session established details in the runtime. Also, the maximum session count gets applied based on which ACS 
server the authentication/accounting request is received on.
Related Topics
Maximum Session User Settings, page 50
Maximum Session Group Settings, page 51
Maximum Session Global Settings, page 52
Purging User Sessions, page 53
Maximum User Session in Proxy Scenario, page 54
Maximum User Session in Proxy Scenario
Authentication and accounting requests should be sent to the same ACS server; else the Maximum Session feature will 
not work as desired.
Related Topics
Maximum User Sessions, page 50
Maximum Session User Settings, page 50
Maximum Session Group Settings, page 51
Maximum Session Global Settings, page 52
Purging User Sessions, page 53
Maximum User Session in Distributed Environment, page 54

All Cisco manuals Comments (0)

Related Manuals for Cisco Acs 57 User Guide

Cisco Acs 5x User Guide
650 pages | Cisco Control System