Cisco ACS 5.7 User Guide

    Managing System Administrators
    Administrator Accounts and Role Association
Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignment.

Note: It is recommended that you create a unique administrator for each person. In this way, operations are clearly recorded in the audit log.

Administrators are authenticated against the internal and external databases.

You can edit and delete existing accounts. However, the web interface displays an error message if you attempt to delete or disable the last super administrator.

Only appropriate administrators can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there.

When you create a new administrator, you can choose the type of identity store as the password type. The new administrator is authenticated according to this password type, which can be internal administrator, AD, or LDAP. The default value for all existing administrators is AdminsIDStore. The password type defines the association between the administrator account and the identity store. During internal administrator authentication, if the administrator is present in the internal database, the value in the password type field is read and populated in the attribute list. If this attribute value is not equal to AdminsIDStore, the authentication is routed to either an LDAP or an AD identity store, based on the value configured in the password type field. ACS uses PAP authentication to authenticate administrators against AD and LDAP.
Recovery Administrator Account

ACS 5.7 requires the system administrator to keep at least one administrator account as a recovery account. If an account is configured as a recovery account, ACS bypasses the administrator identity policy and authorization policy to authenticate that particular administrator. The recovery administrator account is authenticated against the administrator internal identity store. If you access ACS using the recovery account, you are authenticated against the internal administrator users, and roles are assigned statically. You can have more than one recovery account. By default, the Super Admin account is set as a recovery account. When you create a new administrator account, ACS does not set that account as a recovery account; you must configure it as a recovery account in the account settings.

To configure an administrator account as a recovery account, you need to perform the following actions:
- Assign a static role to the administrator account.
- Assign the Super Admin role to the administrator account.
- Do not use the password type to set an external identity store for the administrator account.
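The account rules in this section (recovery-account requirements, where a login is authenticated given the password type, who may grant the Super Admin role) and the deletion rule given in step 2 of the procedure that follows can be checked mechanically before an account change is submitted. The following Python model is an added example, not code from the Cisco ACS guide or product; the account names, the "CORP-AD" store name and the function names are constructed for the illustration.

```python
"""Added example, not from the Cisco ACS guide: a model of the administrator-account
rules this section states, so a planned change to the set of accounts can be checked
before it is submitted: what a recovery account requires, when an account may be
deleted without losing the last recovery Super Admin, where ACS authenticates an
account given its password type, and who may grant the Super Admin role."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

SUPER_ADMIN = "Super Admin"
INTERNAL_STORE = "AdminsIDStore"  # default password type of every administrator


@dataclass
class Administrator:
    name: str
    roles: Set[str] = field(default_factory=set)  # statically assigned roles
    static_roles: bool = True    # False: roles come from the authorization policy
    password_type: str = INTERNAL_STORE  # or the name of an AD/LDAP identity store
    recovery: bool = False       # 'Recovery Account' check box


def recovery_problems(admin: Administrator) -> List[str]:
    """Why this account cannot serve as a recovery account; an empty list means it can."""
    problems = []
    if not admin.static_roles:
        problems.append("role must be assigned statically")
    if SUPER_ADMIN not in admin.roles:
        problems.append("the Super Admin role is required")
    if admin.password_type != INTERNAL_STORE:
        problems.append("password type must not be an external identity store")
    return problems


def recovery_super_admins(admins: List[Administrator]) -> List[str]:
    """Names of the accounts that are configured as recovery accounts and qualify."""
    return [a.name for a in admins if a.recovery and not recovery_problems(a)]


def can_delete(admins: List[Administrator], target: str) -> bool:
    """ACS deletes an account only if at least one other recovery account with the
    Super Admin role remains in the database."""
    return any(name != target for name in recovery_super_admins(admins))


def authentication_store(admin: Administrator) -> str:
    """Where the login is authenticated.  Recovery accounts bypass the identity policy
    and go to the internal administrator store; otherwise the password type decides,
    and AD or LDAP stores are reached with PAP."""
    if admin.recovery or admin.password_type == INTERNAL_STORE:
        return INTERNAL_STORE
    return f"{admin.password_type} via PAP"


def can_manage_super_admin_role(actor: Administrator) -> bool:
    """Only a Super Admin with a static role assignment may create, assign or remove
    the Super Admin role for other administrators."""
    return actor.static_roles and SUPER_ADMIN in actor.roles


def demo() -> Dict[str, object]:
    """Constructed sample accounts (names and the 'CORP-AD' store are made up)."""
    admins = [
        Administrator("acsadmin", {SUPER_ADMIN}, recovery=True),
        Administrator("alice", set(), static_roles=False),        # roles from policy
        Administrator("bob", {"User Admin"}, password_type="CORP-AD"),
        Administrator("carol", {SUPER_ADMIN}, password_type="CORP-AD", recovery=True),
    ]
    return {
        "recovery_accounts": recovery_super_admins(admins),       # ['acsadmin']
        "carol_problems": recovery_problems(admins[3]),
        "delete_acsadmin": can_delete(admins, "acsadmin"),        # False: last one left
        "delete_bob": can_delete(admins, "bob"),                  # True
        "bob_store": authentication_store(admins[2]),             # 'CORP-AD via PAP'
        "alice_can_grant_sa": can_manage_super_admin_role(admins[1]),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```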
Related Topics
- Understanding Roles, page 3
- Creating, Duplicating, Editing, and Deleting Administrator Accounts, page 7

Creating, Duplicating, Editing, and Deleting Administrator Accounts

To create, duplicate, edit, or delete an administrator account:

1. Choose System Administration > Administrators > Accounts.
   The Administrators page appears with a list of configured administrators, as described in Table 14 on page 8.
2. Do any of the following:
   - Click Create.
   - Check the check box for the account that you want to duplicate and click Duplicate.
     Note: On the Duplicate page, you must change at least the Admin Name.
   - Click the account that you want to modify; or, check the check box for its Name and click Edit.
   - Check the check box for the account whose password you want to change and click Change Password. See Resetting Another Administrator's Password, page 25 for more information.
   - Check one or more check boxes for the accounts that you want to delete and click Delete.
     ACS deletes the selected administrator account only if there is at least one recovery administrator account with the Super Admin role in the ACS database other than the selected administrator account.
     Note: Firefox does not display a warning message when you try to delete the last recovery admin account from the ACS web interface if you have enabled the "Prevent this page from creating additional dialogs" check box.
3. Complete the Administrator Accounts Properties page fields as described in Table 15 on page 8.
Table 14  Accounts Page

  Status: Current status of this administrator:
    Enabled—This administrator is active.
    Disabled—This administrator is not active. You cannot log into ACS with a disabled administrator account.
  Name: Name of the administrator.
  Role(s): Roles assigned to the administrator.
  Description: Description of this administrator.
Table 15  Administrator Accounts Properties Page

  General
  Administrator Name: Configured name of this administrator. If you are duplicating an account, be sure to enter a unique name.
  Status: From the Status drop-down menu, select whether the account is enabled or disabled. This option is disabled if you check the Account never disabled check box.
  Description: A description of this administrator.
  Email Address: Administrator e-mail address. ACS View sends alerts to this e-mail address. ACS uses this e-mail address to notify internal administrators about their password expiry n days before the password expires.
  Recovery Account: Check this option to configure the account as a recovery account. ACS bypasses the administrator identity policies and authorization policies to authenticate the administrator when you use this option. See Recovery Administrator Account, page 7 for more information.

Table 15  Administrator Accounts Properties Page (continued)

  Account never disabled: Check to ensure that your account is never disabled. Your account will not be disabled even when:
    - Your password expires
    - Your account becomes inactive
    - You exceed the specified number of login retries

  Authentication Information
  Password Type: Displays the configured external identity store names (only AD and LDAP) along with internal administrator, which is the default password type. You can choose any identity store from the list. During administrator authentication, if an external identity store is configured for the administrator, the internal identity store forwards the authentication request to the configured external identity store. If an external identity store is selected, you cannot configure a password for the administrator; the password edit box is disabled. You cannot use identity sequences as external identity stores for the password type. You can change the password type using the Change Password button on the System Administration > Administrators > Accounts page.
  Password: Authentication password.
  Confirm Password: Confirmation of the authentication password.
  Change password on next login: Check to prompt the user for a new password at the next login.
    Note: If you enable the Change password on next login option for an administrator account, that administrator cannot add ACS instances to a distributed deployment.

  Role Assignment
  Available Roles: List of all configured roles. Select the roles that you want to assign to this administrator and click >. Click >> to assign all the roles to this administrator.
  Assigned Roles: Roles that apply to this administrator.

4. Click Submit.
   The new account is saved. The Administrators page appears, with the new account that you created or duplicated.

Note: A SuperAdmin with static role assignment can create, assign, or remove SuperAdmin roles for other administrators, whereas a SuperAdmin with dynamic role assignment cannot.

Related Topics
- Understanding Roles, page 3
- Administrator Accounts and Role Association, page 7
- Viewing Predefined Roles, page 10
- Configuring Authentication Settings for Administrators, page 11
- Exporting Administrator Accounts, page 10

Exporting Administrator Accounts

ACS 5.7 allows you to export the administrator accounts to a .csv file using the Export option on the Administrator Accounts page. This option exports all administrator accounts that are created and listed on the Administrator Accounts page to a .csv file. You can save this file to a local drive for audit purposes. You can also encrypt the exported file using the encryption password option; you need this password to decrypt the exported file. However, you cannot import the exported administrator account details back into ACS. For dynamic administrator accounts, the roles column in the exported file is empty. If you have assigned multiple roles to an administrator, the roles are separated by semicolons. You can also export the administrator accounts from the ACS CLI, but you cannot export administrator accounts using the REST PI.

Note: To export the administrator accounts, you must have an administrator account with the Super Admin, System Admin, or User Admin role.

To export the administrator accounts from the ACS web interface:

1. Choose System Administration > Administrators > Accounts.
   The Administrators page appears with a list of configured administrators, as described in Table 14 on page 8.
2. Click Export.
   The Export properties dialog box appears.
3. Check the Password check box and enter the encryption password if you want to encrypt the exported file.
4. Click Start Export.
   The Export Progress dialog box appears and displays the progress of the export operation. This dialog box also displays the export log, which helps you identify errors during the export operation.

Note: To export the administrator accounts from the ACS CLI, run the export-data administrator command in ACS configuration mode.

Related Topics
- Understanding Roles, page 3
- Administrator Accounts and Role Association, page 7
- Viewing Predefined Roles, page 10
- Configuring Authentication Settings for Administrators, page 11
Viewing Predefined Roles

See Table 13 Predefined Role Descriptions, page 4 for a description of the predefined roles included in ACS.

To view predefined roles:

Choose System Administration > Administrators > Roles.
The Roles page appears with a list of predefined roles. Table 16 Roles Page, page 11 describes the Roles page fields.

Viewing Role Properties

Use this page to view the properties of each role.

Choose System Administration > Administrators > Roles, and click a role or choose the role's radio button and click View.

The Roles Properties page appears as described in Table 17 on page 11.

Table 16  Roles Page

  Name: List of all configured roles. See Predefined Roles, page 4 for a list of predefined roles.
  Description: Description of each role.

Table 17  Roles Properties Page

  Name: Name of the role. If you are duplicating a role, you must enter a unique name as a minimum configuration; all other fields are optional. Roles cannot be created or edited. See Table 16 Roles Page, page 11 for a list of predefined roles.
  Description: Description of the role. See Predefined Roles, page 4 for more information.

  Permissions List
  Resource: List of available resources.
  Privileges: Privileges that can be assigned to each resource. If a privilege does not apply, the privilege check box is dimmed (not available). Row color is irrelevant to the availability of a given privilege, which is determined by the explicit text in the Privileges column.

Related Topics
- Understanding Roles, page 3
- Administrator Accounts and Role Association, page 7
- Configuring Authentication Settings for Administrators, page 11

Configuring Authentication Settings for Administrators

Authentication settings are a set of rules that enhance security by forcing administrators to use strong passwords, change their passwords regularly, and so on. Any password policy changes that you make apply to all ACS system administrator accounts.

To configure a password policy:

1. Choose System Administration > Administrators > Settings > Authentication.
   The Password Policies page appears with the Password Complexity and Advanced tabs.
2. In the Password Complexity tab, check each check box that you want to use to configure your administrator password. Table 18 on page 12 describes the fields in the Password Complexity tab.

3. In the Advanced tab, enter the values for the criteria that you want to configure for your administrator authentication process. Table 19 on page 12 describes the fields in the Advanced tab.

Table 18  Password Complexity Tab

  Applies to all ACS system administrator accounts
  Minimum length: Required minimum length; the valid options are 4 to 127.
  Password may not contain the username or its characters in reversed order: Check to specify that the password cannot contain the username or the reversed username. For example, if your username is john, your password cannot be john or nhoj.
  Password may not contain ‘cisco’ or its characters in reversed order: Check to specify that the password cannot contain the word cisco or its characters in reverse order, that is, ocsic.
  Password may not contain ‘’ or its characters in reversed order: Check to specify that the password cannot contain the string that you enter or its characters in reverse order. For example, if you specify the string polly, your password cannot be polly or yllop.
  Password may not contain repeated characters four or more times consecutively: Check to specify that the password cannot repeat a character four or more times consecutively. For example, you cannot have the string apppple as your password, because the letter p appears four times consecutively.

  Password must contain at least one character of each of the selected types
  Lowercase alphabetic characters: Password must contain at least one lowercase alphabetic character.
  Upper case alphabetic characters: Password must contain at least one uppercase alphabetic character.
  Numeric characters: Password must contain at least one numeric character.
  Non alphanumeric characters: Password must contain at least one non-alphanumeric character.
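The Table 18 rules can be applied to a candidate password before it is submitted, which is useful when scripting the creation of administrator accounts. The following Python checker is an added example, not code from the Cisco ACS guide or product; the policy field and function names are invented here, and substring matches are treated case-insensitively, an assumption the table does not state.

```python
"""Added example, not from the Cisco ACS guide: a checker that applies the Password
Complexity tab rules of Table 18 to a candidate administrator password.  The policy
fields map one-to-one onto the check boxes; substring matching is done
case-insensitively, which is an assumption the table does not state."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ComplexityPolicy:
    minimum_length: int = 4                   # valid options are 4 to 127
    forbid_username: bool = True              # username or its reverse
    forbid_cisco: bool = True                 # 'cisco' or 'ocsic'
    forbid_strings: List[str] = field(default_factory=list)  # custom strings, e.g. 'polly'
    forbid_repeats: bool = True               # a character four or more times in a row
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True               # non-alphanumeric character

    def __post_init__(self):
        if not 4 <= self.minimum_length <= 127:
            raise ValueError("minimum length: the valid options are 4 to 127")


def contains_either_way(password: str, word: str) -> bool:
    """True if the password contains `word` or its characters in reversed order."""
    p, w = password.lower(), word.lower()
    return bool(w) and (w in p or w[::-1] in p)


def has_repeat_run(password: str, run: int = 4) -> bool:
    """True if any character occurs `run` or more times consecutively (apppple)."""
    count = 1
    for prev, cur in zip(password, password[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def check_password(password: str, username: str, policy: ComplexityPolicy) -> List[str]:
    """Return the rules the password violates; an empty list means it is acceptable."""
    violations = []
    if len(password) < policy.minimum_length:
        violations.append(f"shorter than minimum length {policy.minimum_length}")
    if policy.forbid_username and contains_either_way(password, username):
        violations.append("contains the username or its reverse")
    if policy.forbid_cisco and contains_either_way(password, "cisco"):
        violations.append("contains 'cisco' or its reverse")
    for word in policy.forbid_strings:
        if contains_either_way(password, word):
            violations.append(f"contains '{word}' or its reverse")
    if policy.forbid_repeats and has_repeat_run(password):
        violations.append("repeats a character four or more times consecutively")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("needs a lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("needs an uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("needs a digit")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        violations.append("needs a non-alphanumeric character")
    return violations


if __name__ == "__main__":
    # Constructed sample: username john and custom string polly, both taken from Table 18
    policy = ComplexityPolicy(minimum_length=8, forbid_strings=["polly"])
    for candidate in ("nhoj", "apppple1!", "Ocsic-Admin9", "Yllop-2024", "Gr4nite!Ridge"):
        print(f"{candidate}: {check_password(candidate, 'john', policy) or 'acceptable'}")
```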
Table 19  Advanced Tab

  Password History
  Password must be different from the previous n versions: Specifies the number of previous passwords for this administrator to be compared against. This option prevents administrators from setting a password that was recently used. Valid options are 1 to 99.

  Password Lifetime: Administrators are required to periodically change password
  Require a password change after n days: Specifies that the password must be changed after n days; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days.
  Disable administrator account after n days if password is not changed: Specifies that the administrator account is disabled after n days if the password is not changed; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option.
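The Advanced tab options described in Table 19 carry dependencies (three of them require Display reminder after n days, and the expiry e-mail requires the disable-after-n-days option) and define three conditions that disable an account unless Account never disabled is checked. The following Python model is an added example, not code from the Cisco ACS guide or product: the option keys and the sample accounts are constructed here, and "after n days" is read as "n or more days have elapsed", an assumption the table does not spell out.

```python
"""Added example, not from the Cisco ACS guide: a model of the Advanced tab rules in
Table 19.  validate_policy() applies the value ranges and the option dependencies;
account_state() derives whether ACS would disable an account from its last login,
last password change and failed-attempt count, honouring 'Account never disabled'."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Option -> (lower, upper) bound from Table 19.  A policy is a dict containing only
# the options that are actually configured.
RANGES = {
    "history_depth": (1, 99),              # previous n versions
    "change_after_days": (1, 365),
    "disable_if_unchanged_days": (1, 365),
    "email_before_days": (1, 365),         # default is 5 when enabled
    "reminder_after_days": (1, 365),
    "change_after_inactive_days": (1, 365),
    "disable_after_inactive_days": (1, 365),
    "max_failed_attempts": (1, 10),
}
# Options ACS refuses to configure without 'Display reminder after n days'.
NEED_REMINDER = ("disable_if_unchanged_days", "change_after_inactive_days",
                 "disable_after_inactive_days")

def validate_policy(policy: Dict[str, int]) -> List[str]:
    """Return the configuration errors ACS would reject; an empty list means valid."""
    errors = []
    for name, value in policy.items():
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            errors.append(f"{name}: valid options are {lo} to {hi}")
    for name in NEED_REMINDER:
        if name in policy and "reminder_after_days" not in policy:
            errors.append(f"{name} requires reminder_after_days")
    # The expiry e-mail cannot be configured without the disable-if-unchanged option.
    if "email_before_days" in policy and "disable_if_unchanged_days" not in policy:
        errors.append("email_before_days requires disable_if_unchanged_days")
    return errors

@dataclass
class AdminAccount:
    name: str
    last_password_change: date
    last_login: date
    failed_attempts: int = 0
    never_disabled: bool = False  # 'Account never disabled' check box (Table 15)

def reached(value: int, policy: Dict[str, int], option: str) -> bool:
    """True if the option is configured and the observed value has reached it."""
    return option in policy and value >= policy[option]

def account_state(acct: AdminAccount, policy: Dict[str, int], today: date) -> Tuple[str, List[str]]:
    """Return ('enabled' or 'disabled', reasons): the Advanced-tab conditions the
    account meets today, whether or not they end up disabling it."""
    reasons = []
    if reached((today - acct.last_password_change).days, policy, "disable_if_unchanged_days"):
        reasons.append("password not changed within the configured lifetime")
    if reached((today - acct.last_login).days, policy, "disable_after_inactive_days"):
        reasons.append("account inactive for the configured period")
    if reached(acct.failed_attempts, policy, "max_failed_attempts"):
        reasons.append("successive failed login attempts exceeded")
    # 'Account never disabled' exempts the account from all three conditions.
    if reasons and not acct.never_disabled:
        return "disabled", reasons
    return "enabled", reasons

def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample policy and accounts (not real ACS data)."""
    policy = {"change_after_days": 90, "disable_if_unchanged_days": 120,
              "email_before_days": 5, "reminder_after_days": 80,
              "disable_after_inactive_days": 60, "max_failed_attempts": 5}
    assert validate_policy(policy) == []
    today = date(2024, 6, 1)
    accounts = [
        AdminAccount("alice", date(2024, 1, 1), date(2024, 5, 30)),             # stale password
        AdminAccount("bob", date(2024, 5, 1), date(2024, 5, 31), failed_attempts=5),
        AdminAccount("carol", date(2024, 5, 1), date(2024, 5, 31)),             # healthy
        AdminAccount("recovery", date(2023, 1, 1), date(2023, 1, 1), never_disabled=True),
    ]
    return {a.name: account_state(a, policy, today) for a in accounts}

if __name__ == "__main__":
    for name, (state, reasons) in demo().items():
        print(f"{name}: {state} {reasons}")
```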
    						
Table 19  Advanced Tab (continued)

  Send Email for password expiry before n days: Specifies that an e-mail notification is sent once a day to the internal administrators, starting n days before their password expires, if the password has not been changed; the valid options are 1 to 365. The default value is 5 days. ACS does not allow you to configure this option without configuring the Disable administrator account after n days if password is not changed option.
  Display reminder after n days: Displays a reminder after n days to change the password; the valid options are 1 to 365. This option only displays a reminder; it does not prompt you for a new password.

  Account Inactivity: Inactive accounts are disabled
  Require a password change after n days of inactivity: Specifies that the password must be changed after n days of inactivity; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days. ACS does not allow you to configure this option without configuring the Display reminder after n days option.
  Disable administrator account after n days of inactivity: Specifies that the administrator account is disabled after n days of inactivity; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option.

  Incorrect Password Attempts
  Disable account after n successive failed attempts: Specifies the maximum number of login retries after which the account is disabled; the valid options are 1 to 10.

Note: ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. CLI and PI user accounts are blocked and receive a notification that they can change the password through the ACS web interface. If your account is disabled, contact another administrator to enable it.

4. Click Submit.
   The administrator password criteria are configured as defined. These criteria apply only to future logins.

Related Topics
- Understanding Roles, page 3
- Administrator Accounts and Role Association, page 7
- Viewing Predefined Roles, page 10

Configuring Session Idle Timeout

A GUI session is assigned a timeout period of 30 minutes by default. You can configure a timeout period of anywhere from 5 to 90 minutes. The session timeout option does not apply to the Active Directory and Distributed System Management pages. The AD page is refreshed automatically to verify the AD connectivity status, based on the refresh interval that is defined in the application. The Distributed System Management page is refreshed automatically at the configured interval; you can configure that refresh interval from the Distributed System Management page of the ACS web interface.
To configure the timeout period:

1. Choose System Administration > Administrators > Settings > Session.
   The GUI Session page appears.
2. Enter the Session Idle Timeout value in minutes. Valid values are 5 to 90 minutes.
3. Click Submit.

Note: The CLI client interface has a default session timeout value of 6 hours. You cannot configure the session timeout period in the CLI client interface.
Configuring Administrator Access Settings

ACS 5.7 allows you to restrict administrative access to ACS based on the IP address of the remote client. You can filter IP addresses in any one of the following ways:
- Allow All IP Addresses to Connect, page 14
- Allow Remote Administration from a Select List of IP Addresses, page 14
- Reject Remote Administration from a Select List of IP Addresses, page 15

Allow All IP Addresses to Connect

You can choose the Allow all IP addresses to connect option to allow all connections; this is the default option.

Allow Remote Administration from a Select List of IP Addresses

To allow administrators to access ACS remotely only from selected addresses:

1. Choose System Administration > Administrators > Settings > Access.
   The IP Addresses Filtering page appears.
2. Click the Allow only listed IP addresses to connect radio button.
   The IP Range(s) area appears.
3. Click Create in the IP Range(s) area.
   A new window appears. Enter the IPv4 or IPv6 address of the machine from which you want to allow remote access to ACS. Enter a subnet mask to cover an entire IP address range. ACS checks that the address you enter is in a format supported by IPv4 or IPv6.
4. Click OK.
   The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges from which you want to allow remote access.
5. Click Submit.

Reject Remote Administration from a Select List of IP Addresses

To reject remote access to ACS from selected addresses:

1. Choose System Administration > Administrators > Settings > Access.
   The IP Addresses Filtering page appears.
2. Click the Reject connections from listed IP addresses radio button.
   The IP Range(s) area appears.
3. Click Create in the IP Range(s) area.
   A new window appears.
4. Enter the IP address of the machine that you do not want to access ACS remotely. Enter a subnet mask to cover an entire IP address range.
5. Click OK.
   The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges that you want to reject.
6. Click Submit.

It is possible to reject connections from all IP addresses. You cannot reset this condition through the ACS web interface. However, you can use the following CLI command:

   access-setting accept-all

Refer to the CLI Reference Guide for Cisco Secure Access Control System 5.7 for more information.
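The three filtering modes above, the IPv4/IPv6 format check, and the lock-out caveat (a filter that rejects every address, recoverable only with access-setting accept-all) can be modelled with Python's ipaddress module. This is an added example, not code from the Cisco ACS guide or product; the class name, the mode constants and the sample addresses are constructed for the illustration.

```python
"""Added example, not from the Cisco ACS guide: a model of the three IP Addresses
Filtering modes (allow all, allow only listed, reject listed) built on Python's
ipaddress module.  It validates entries the way the guide says ACS does (IPv4 or
IPv6, optionally with a mask) and flags the lock-out case the guide warns about,
where the new filter would reject the administrator who is submitting it."""
import ipaddress
from typing import Dict, Iterable, List, Union

ALLOW_ALL = "allow_all"          # default setting
ALLOW_LISTED = "allow_listed"    # 'Allow only listed IP addresses to connect'
REJECT_LISTED = "reject_listed"  # 'Reject connections from listed IP addresses'

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_range(text: str) -> Network:
    """Accept a single IPv4/IPv6 address, or an address with a prefix length or a
    dotted subnet mask for a whole range; raise ValueError for anything else."""
    return ipaddress.ip_network(text.strip(), strict=False)


class AccessFilter:
    def __init__(self, mode: str, ranges: Iterable[str] = ()):
        if mode not in (ALLOW_ALL, ALLOW_LISTED, REJECT_LISTED):
            raise ValueError(f"unknown filtering mode {mode!r}")
        self.mode = mode
        self.ranges: List[Network] = [parse_range(r) for r in ranges]

    def is_listed(self, client: str) -> bool:
        """True if the client address falls inside any configured IP range."""
        addr = ipaddress.ip_address(client)
        return any(addr.version == net.version and addr in net for net in self.ranges)

    def permits(self, client: str) -> bool:
        """Would ACS accept a web-interface connection from this client address?"""
        if self.mode == ALLOW_ALL:
            return True
        if self.mode == ALLOW_LISTED:
            return self.is_listed(client)
        return not self.is_listed(client)

    def locks_out(self, admin_client: str) -> bool:
        """True if submitting this filter would cut off the administrator configuring
        it.  The guide notes that rejecting every address cannot be undone from the
        web interface, only with the CLI command 'access-setting accept-all'."""
        return not self.permits(admin_client)


def demo() -> Dict[str, bool]:
    """Constructed sample filters and client addresses (not real ACS data)."""
    allow = AccessFilter(ALLOW_LISTED, ["10.20.30.0/255.255.255.0", "2001:db8:1::/48"])
    reject = AccessFilter(REJECT_LISTED, ["192.0.2.44", "198.51.100.0/24"])
    reject_all = AccessFilter(REJECT_LISTED, ["0.0.0.0/0", "::/0"])
    return {
        "allow_v4_in_range": allow.permits("10.20.30.7"),        # True
        "allow_v4_outside": allow.permits("10.20.31.7"),         # False
        "allow_v6_in_range": allow.permits("2001:db8:1::beef"),  # True
        "reject_single_host": reject.permits("192.0.2.44"),      # False
        "reject_other_host": reject.permits("192.0.2.45"),       # True
        "lockout_by_allow_list": allow.locks_out("172.16.5.9"),  # True
        "lockout_by_reject_all": reject_all.locks_out("10.20.30.7"),  # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```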
Working with Administrative Access Control

ACS 5.7 introduces a new service type called the Administrative Access Control (AAC) service. The AAC service handles the authentication and authorization of ACS administrators.

The enhanced AAC web interface includes:
- Policy-based authentication and authorization
- Authentication against an external database, made possible by:
  - Password type on administrator accounts in the Internal Administrators ID store.
  - Configuring the identity policy (the authentication policy) against an external database.

This AAC service is created automatically at installation time. You cannot remove it or add a new AAC service. AAC is not available under the service selection policy and is selected automatically upon administrator login.

The AAC service identifies a set of policies for administrator login. The policies provided within the AAC service are:
- The Administrator identity policy determines the identity database that is used to authenticate the administrator and also retrieves attributes for the administrator that may be used in the subsequent authorization policy.

- The Administrator authorization policy determines the role of the administrator for the session in ACS. The assigned role determines the permissions of the administrator. Each role has a predefined list of permissions, which can be viewed on the Roles page.

The AAC service processes these two policies in sequence. You need to configure both the Administrator identity policy and the Administrator authorization policy. The defaults for the two policies are:
- Identity policy—The default is Internal Identity Store.
- Authorization policy—The default is Deny Access.

The AAC service supports only the PAP authentication type. Only the Super Admin is permitted to configure administrator access control.

While upgrading the ACS application to ACS 5.7, AAC undergoes the following changes:
- A single AAC service is created automatically during the upgrade.
- The identity policy in the AAC service is set to Administrators Internal Identity Store.
- All existing administrators are validated with a static role assignment.
- All administrators with the Super Admin role are automatically set as recovery accounts.

After upgrading the ACS application to 5.7, if the administrator accounts are not updated, the upgraded administrator accounts are authenticated against the administrator internal identity store and get their roles through static assignment. When a backup is restored as part of the upgrade, ACS 5.7 upgrades the schema files as well as the data.

Note: Administrator accounts created in external identity stores cannot access the CARS mode of the ACS CLI. However, they can access the acs-config mode of the ACS CLI.

This section contains the following topics:
- Administrator Identity Policy, page 16
- Administrator Authorization Policy, page 22

Administrator Identity Policy

The identity policy in administrative access control defines the identity source that ACS uses for authentication and attribute retrieval. Attributes and groups can be retrieved only from the external database. ACS can use the retrieved attributes only in subsequent authorization policies.

The AAC service supports two types of identity policies:
- Single result selection
- Rule-based result selection

The Super Admin can configure and modify this policy. You can configure a simple policy, which applies the same identity source for authentication of all requests, or you can configure a rule-based identity policy.

The supported identity methods for a simple policy are:
- Deny Access—Access to the user is denied and no authentication is performed.
- Identity Store—A single identity store. You can select any one of the following identity stores:
  - Internal Administrator ID store