Cisco Acs 5x User Guide

    Chapter 7 (page 7-1)
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Managing Network Resources
    The Network Resources drawer defines elements within the network that issue requests to ACS or those 
    that ACS interacts with as part of processing a request. This includes the network devices that issue the 
    requests and external servers, such as a RADIUS server that is used as a RADIUS proxy.
    This drawer allows you to configure:
    • Network Device Groups—Logically groups the network devices, which you can then use in policy 
    conditions.
    • Network Devices—Definition of all the network devices in the ACS device repository that access 
    the ACS network.
    • Default Network Device—A default network device definition that ACS can use for RADIUS or 
    TACACS+ requests when it does not find the device definition for a particular IP address.
    • External Servers—RADIUS servers that can be used as a RADIUS proxy.
    When ACS receives a request from a network device to access the network, it searches the network 
    device repository to find an entry with a matching IP address. ACS then compares the shared secret with 
    the secret retrieved from the network device definition.
    If they match, the network device groups associated with the network device are retrieved and can be 
    used in policy decisions. See ACS 5.x Policy Model for more information on policy decisions.
    The Network Resources drawer contains:
    • Network Device Groups, page 7-2
    • Network Devices and AAA Clients, page 7-5
    • Configuring a Default Network Device, page 7-17
    • Working with External Proxy Servers, page 7-19
    						
    Network Device Groups
    In ACS, you can define network device groups (NDGs), which are sets of devices. These NDGs provide 
    logical grouping of devices, for example, Device Location or Type, which you can use in policy 
    conditions. 
    When the ACS receives a request for a device, the network device groups associated with that device are 
    retrieved and compared against those in the policy table. With this method, you can group multiple 
    devices and assign them the same policies. For example, you can group all devices in a specific location 
    together and assign to them the same policy.
    You can define up to 12 network device groups.
    The Device Group Hierarchy is the hierarchical structure that contains the network device groups. Two 
    of these, Location and Device Type, are predefined; you cannot change their names or delete them. You 
    can add up to 10 additional hierarchies.
    An NDG relates to any node in the hierarchy and is the entity to which devices are associated. These 
    nodes can be any node within the hierarchy, not just leaf nodes.
    Note: You can have a maximum of six nodes in the NDG hierarchy, including the root node.
    Related Topics
    • Creating, Duplicating, and Editing Network Device Groups, page 7-2
    • Deleting Network Device Groups, page 7-3
    Creating, Duplicating, and Editing Network Device Groups
    To create, duplicate, or edit a network device group:
    Step 1 Choose Network Resources > Network Device Groups.
    The Network Device Groups page appears. If you have defined additional network device groups, they 
    appear in the left navigation pane, beneath the Network Device Groups option.
    Step 2 Do any of the following:
    • Click Create.
    • Check the check box next to the network device group that you want to duplicate, then click 
    Duplicate.
    • Click the network device group name that you want to modify, or check the check box next to the 
    name and click Edit.
    The Hierarchy - General page appears.
    Step 3 Modify the fields in the Hierarchy - General page as described in Table 7-1:
    Table 7-1 Device Groups - General Page Field Descriptions
    Field                   Description
    Name                    Enter a name for the network device group (NDG).
    Description             (Optional) Enter a description for the NDG.
    Root Node Name/Parent   Enter the name of the root node associated with the NDG. The NDG is structured as an 
                            inverted tree, and the root node is at the top of the tree. The root node name can be the 
                            same as the NDG name.
                            The NDG name is displayed when you click an NDG in the Network Resources drawer.
    Step 4 Click Submit.
    The network device group configuration is saved. The Network Device Groups page appears with the 
    new network device group configuration.
    Related Topics
    • Network Device Groups, page 7-2
    • Deleting Network Device Groups, page 7-3
    • Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy, page 7-4
    • Performing Bulk Operations for Network Resources and Users, page 7-8
    Deleting Network Device Groups
    To delete a network device group:
    Step 1 Choose Network Resources > Network Device Groups.
    The Network Device Groups page appears.
    Step 2 Check one or more check boxes next to the network device groups you want to delete, and click Delete.
    The following error message appears:
    You have requested to delete a network device group. If this group is referenced from a 
    Policy or a Policy Element then the delete will be prohibited. If this group is referenced 
    from a network device definition, the network device will be modified to reference the 
    root node name group.
    Step 3 Click OK.
    The Network Device Groups page appears without the deleted network device groups.
    						
    Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy
    You can arrange the network device group node hierarchy according to your needs by choosing parent 
    and child relationships for new, duplicated, or edited network device group nodes. You can also delete 
    network device group nodes from a hierarchy.
    To create, duplicate, or edit a network device group node within a hierarchy:
    Step 1 Choose Network Resources > Network Device Groups.
    The Network Device Groups page appears.
    Step 2 Click Location, Device Type, or another previously defined network device group in which you want to 
    create a new network device group, and add it to the hierarchy of that group.
    The Network Device Group hierarchy page appears.
    Step 3 Do one of the following:
    • Click Create. If you click Create when you have a group selected, the new group becomes a child 
    of the parent group you selected. You can move a parent and all its children around in the hierarchy 
    by clicking Select from the Create screen.
    • Check the check box next to the network device group name that you want to duplicate, then click 
    Duplicate.
    • Click the network device group name that you want to modify, or check the check box next to the 
    name and click Edit.
    The Device Group - General page appears.
    Step 4 Modify fields in the Device Groups - General page as shown in Table 7-2:
    Table 7-2 Device Groups - General Page Field Descriptions
    Field          Description
    Name           Enter a name for the NDG.
    Description    (Optional) Enter a description for the NDG.
    Parent         Enter the name of the parent associated with the NDG. The NDG is structured as an 
                   inverted tree, and the parent name is the name of the top of the tree. 
                   Click Select to open the Groups dialog box from which you can select the appropriate 
                   parent for the group. 
    Step 5 Click Submit.
    The new configuration for the network device group is saved. The Network Device Groups hierarchy 
    page appears with the new network device group configuration.
    Related Topics
    • Network Device Groups, page 7-2
    • Deleting Network Device Groups, page 7-3
    • Creating, Duplicating, and Editing Network Device Groups, page 7-2
    • Performing Bulk Operations for Network Resources and Users, page 7-8
    						
    Deleting Network Device Groups from a Hierarchy
    To delete a network device group from within a hierarchy:
    Step 1 Choose Network Resources > Network Device Groups.
    The Network Device Groups page appears.
    Step 2 Click Location, Device Type, or another previously defined network device group in which you want to 
    edit a network device group node.
    The Network Device Groups node hierarchy page appears.
    Step 3 Select the nodes that you want to delete and click Delete.
    The following message appears:
    You have requested to delete a network device group. If this group is referenced from a 
    Policy or a Policy Element then the delete will be prohibited. If this group is referenced 
    from a network device definition, the network device will be modified to reference the 
    root node name group.
    Step 4 Click OK.
    Note: The root node of a group cannot be deleted from the NDG hierarchy. If you try to do so, the following error 
    message appears: 
    Selected node can be removed only with a root group.
    The network device group node is removed from the configuration. The Network Device Groups 
    hierarchy page appears without the device group node that you deleted.
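    The hierarchy and deletion rules described above, modelled as an added Python example (not code from the manual or from ACS): NdgHierarchy and its method names are invented here, and applying the rules to a deleted node's descendants as well is this model's assumption, since the manual only describes the selected node.

```python
"""Model of the NDG hierarchy rules in this section: Location and Device Type
are predefined, up to 10 more hierarchies can be added, a new group can hang
off any node (not only a leaf), the root node cannot be deleted, and deleting
a group is refused when a policy references it while devices that reference
it are re-pointed to the root node. Added illustration, not ACS code; the
class and method names are invented for the example."""


class NdgHierarchy:
    PREDEFINED = ("Location", "Device Type")
    MAX_HIERARCHIES = 12            # 2 predefined + up to 10 additional

    def __init__(self):
        self.parent = {}            # node name -> parent name; a root maps to None
        for root in self.PREDEFINED:
            self.create_hierarchy(root)

    def roots(self):
        return [n for n, p in self.parent.items() if p is None]

    def create_hierarchy(self, name):
        if len(self.roots()) >= self.MAX_HIERARCHIES:
            raise ValueError("at most 12 network device group hierarchies")
        if name in self.parent:
            raise ValueError(f"{name!r} already exists")
        self.parent[name] = None

    def create_node(self, name, parent):
        """Create `name` under `parent`; `parent` may be any node, not only a leaf."""
        if parent not in self.parent:
            raise KeyError(f"unknown parent {parent!r}")
        if name in self.parent:
            raise ValueError(f"{name!r} already exists")
        self.parent[name] = parent

    def root_of(self, node):
        while self.parent[node] is not None:
            node = self.parent[node]
        return node

    def subtree(self, node):
        """The node and all of its descendants (the list grows while iterated)."""
        nodes = [node]
        for n in nodes:
            nodes.extend(c for c, p in self.parent.items() if p == n)
        return nodes

    def delete_node(self, node, policy_refs, devices):
        """Apply the deletion rules from the dialog quoted above.
        policy_refs: set of NDG names referenced from a Policy or Policy Element.
        devices: dict device name -> NDG name it is associated with (mutated in place).
        Returns the names of devices that were re-pointed to the root node.
        Assumption of this model: the rules apply to the node's whole subtree."""
        if node not in self.parent:
            raise KeyError(f"unknown node {node!r}")
        if self.parent[node] is None:
            raise PermissionError("Selected node can be removed only with a root group")
        doomed = self.subtree(node)
        if any(n in policy_refs for n in doomed):
            raise PermissionError("delete prohibited: group is referenced from a Policy or Policy Element")
        root = self.root_of(node)
        repointed = [name for name, ndg in devices.items() if ndg in doomed]
        for name in repointed:
            devices[name] = root
        for n in doomed:
            del self.parent[n]
        return repointed


def attempt(fn, *args):
    """Run fn(*args); return None on success or the exception's class name."""
    try:
        fn(*args)
        return None
    except Exception as exc:        # the model only reports which refusal applied
        return type(exc).__name__
```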
    Network Devices and AAA Clients
    You must define all devices in the ACS device repository that access the network. The network device 
    definition can be associated with a specific IP address or a subnet mask, where all IP addresses within 
    the subnet can access the network. 
    The device definition includes the association of the device to network device groups (NDGs). You also 
    configure whether the device uses TACACS+ or RADIUS, and if it is a Security Group Access device.
    Note: When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses 
    available through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 
    unique IP addresses.
    You can import devices with their configurations into the network devices repository.
    When ACS receives a request, it searches the network device repository for a device with a matching IP 
    address; then ACS compares the secret or password information against that which was retrieved from 
    the network device definition. If the information matches, the NDGs associated with the device are 
    retrieved and can be used in policy decisions. 
    						
    You must install the Security Group Access license to enable the Security Group Access options. The Security 
    Group Access options only appear if you have installed the Security Group Access license. For more 
    information on Security Group Access licenses, see Licensing Overview, page 18-34.
    Viewing and Performing Bulk Operations for Network Devices 
    You can view the network devices and AAA clients. These are the devices sending access requests to 
    ACS. The access requests are sent via TACACS+ or RADIUS.
    To view and import network devices:
    Step 1 Choose Network Resources > Network Devices and AAA Clients.
    The Network Device page appears, with any configured network devices listed. Table 7-3 provides a 
    description of the fields in the Network Device page:
    Table 7-3 Network Device Page Field Descriptions
    Option         Description
    Name           User-specified name of network devices in ACS. Click a name to edit the associated network device 
                   (see Displaying Network Device Properties, page 7-14). 
    IP Address     Display only. The IP address or subnet mask of each network device. The first three IP addresses appear 
                   in the field, each separated by a comma (,).
                   If this field contains a subnet mask, all IP addresses within the specified subnet mask are permitted to 
                   access the network and are associated with the network device definition.
                   When you use subnet masks, the number of unique IP addresses depends on the number of IP addresses 
                   available through the subnet mask. For example, a subnet mask of 255.255.255.0 means you have 256 
                   unique IP addresses.
                   You can see the excluded IP address next to the specified IP address, if any. 
    NDG: string    Network device group. The two predefined NDGs are Location and Device Type. If you have defined 
                   additional network device groups, they are listed here as well.
    Description    Display only. Descriptions of the network devices. 
    Step 2 Do any one of the following:
    • Click Create to create a new network device. See Creating, Duplicating, and Editing Network 
    Devices, page 7-10.
    • Check the check box next to the network device that you want to edit and click Edit. See Creating, 
    Duplicating, and Editing Network Devices, page 7-10.
    • Check the check box next to the network device that you want to duplicate and click Duplicate. See 
    Creating, Duplicating, and Editing Network Devices, page 7-10.
    • You can search for the network devices based on the following categories:
    – Name
    – IP Address
    – Description
    – NDG Location
    – Device Type
    You can specify a full IP address, an IP address with the wildcard “*”, or an IP address range, such as 
    [15-20], in the IP address search field. The wildcard “*” and the IP range [15-20] option can be 
    specified in all 4 octets of the IP address. Only the Equals option is listed in the search condition 
    when searching by IP address. 
    Note: When you search for an IP address or IP-Range address, the search result displays all records 
    that match the Search criteria, even if the Search IP Address (or) IP-Range address is in 
    Excluded IP Address (or) Range.
    • Click File Operations to perform any of the following functions:
    – Add—Choose this option to add a list of network devices from the import file in a single shot.
    – Update—Choose this option to replace the list of network devices in ACS with the network 
    devices in the import file.
    – Delete—Choose this option to delete from ACS the network devices listed in the import file.
    See Performing Bulk Operations for Network Resources and Users, page 7-8 for more information.
    For information on how to create the import files, refer to 
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/cli_imp_exp.html#wp1055255.
    Timesaver: To perform a bulk add, edit, or delete operation on any of the ACS objects, you can use the export file 
    of that object, retain the header row, and create the .csv import file. 
    However, to add an updated name or MAC address to the ACS objects, you must download and use the 
    particular update template. Also, for the NDGs, the export template contains only the NDG name, so in 
    order to update any other property, you must download and use the NDG update template.
    Related Topics:
    • Network Devices and AAA Clients, page 7-5
    • Performing Bulk Operations for Network Resources and Users, page 7-8
    • Creating, Duplicating, and Editing Network Device Groups Within a Hierarchy, page 7-4
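    An added Python model (not code from the manual or from ACS) of two things this chapter describes: the request matching under Network Devices and AAA Clients (source IP against each device's IP address or subnet, excluded addresses honoured, shared secret compared, NDGs released to policy) and the IP search syntax with “*” and [lo-hi] per octet, including the Note that excluded addresses still appear in search results. NetworkDevice, authenticate_request, search_devices and the sample repository are constructed for the example.

```python
"""How ACS locates a device definition for a request (source IP vs. each
device's IP address or subnet, minus excluded addresses, then shared-secret
check, then NDGs released to policy) and how the IP search with "*" and
"[lo-hi]" per octet behaves. Added illustration, not ACS code; data is constructed."""
import hmac
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class NetworkDevice:
    name: str
    networks: list                 # single addresses or subnets, e.g. "10.2.0.0/24"
    shared_secret: str
    ndgs: dict                     # hierarchy name -> NDG node, e.g. {"Location": "HQ"}
    excluded: list = field(default_factory=list)   # addresses carved out of `networks`

    def covers(self, ip):
        addr = ipaddress.ip_address(ip)
        hit = lambda nets: any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
        return hit(self.networks) and not hit(self.excluded)

def authenticate_request(repo, source_ip, presented_secret):
    """Return the matching device's NDGs for policy evaluation, or None when no
    definition covers the source IP or the shared secret does not match."""
    device = next((d for d in repo if d.covers(source_ip)), None)
    if device is None:
        return None                # would fall through to the Default Network Device
    # constant-time comparison so a mismatch does not leak how many bytes agreed
    if not hmac.compare_digest(device.shared_secret.encode(), presented_secret.encode()):
        return None
    return dict(device.ndgs)

_OCTET = re.compile(r"^(?:\*|\d{1,3}|\[(\d{1,3})-(\d{1,3})\])$")

def ip_matches(pattern, ip):
    """True when every octet of `ip` satisfies the pattern octet at the same
    position: an exact number, "*" (any value) or "[lo-hi]" (inclusive)."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"pattern must have 4 octets: {pattern!r}")
    for pat, octet in zip(parts, ip.split(".")):
        m = _OCTET.match(pat)
        if m is None:
            raise ValueError(f"bad octet pattern: {pat!r}")
        value = int(octet)
        if pat == "*":
            continue
        if m.group(1) is not None:
            if not int(m.group(1)) <= value <= int(m.group(2)):
                return False
        elif int(pat) != value:
            return False
    return True

def search_devices(repo, pattern):
    """Names of devices with at least one address matching `pattern`. Per the Note
    above, excluded addresses still show in results, so `excluded` is ignored here."""
    hits = []
    for device in repo:
        for net in device.networks:
            # constructed data uses IPv4 hosts and /24s, so enumerating is cheap
            if any(ip_matches(pattern, str(a)) for a in ipaddress.ip_network(net, strict=False)):
                hits.append(device.name)
                break
    return hits

REPO = [   # constructed sample repository, not data from the manual
    NetworkDevice("core-sw1", ["10.1.1.5"], "s3cret-A",
                  {"Location": "HQ", "Device Type": "Switch"}),
    NetworkDevice("branch-routers", ["10.2.0.0/24"], "s3cret-B",
                  {"Location": "Branch", "Device Type": "Router"}, excluded=["10.2.0.10"]),
]
```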
    Exporting Network Devices and AAA Clients
    Note: You must turn off the popup blockers in your browser to ensure that the export process completes 
    successfully.
    To export a list of network devices:
    Step 1 Choose Network Resources > Network Devices and AAA Clients.
    The Network Device page appears. 
    						
    Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking 
    for in the text box.
    Step 3 Click Go.
    A list of records that match your filter criterion appears. You can export this list to a .csv file.
    Step 4 Click Export to export the records to a .csv file.
    A system message box appears, prompting you for an encryption password to encrypt the .csv file during 
    file transfer.
    To encrypt the export .csv file, check the Password check box and enter the encryption password. You 
    can optionally choose to not encrypt the file during transfer.
    Step 5 Click Start Export to begin the export process.
    The Export Progress window appears, displaying the progress of the export process. If any errors are 
    encountered during this process, they are displayed in the Export Progress window. 
    You can terminate the export process at any time. All the records exported before you abort remain 
    exported. To resume, you have to start the export process all over again.
    Step 6 After the export process is complete, click Save File to save the export file to your local disk.
    The export file is a .csv file that is compressed as export.zip.
    Performing Bulk Operations for Network Resources and Users
    You can use the file operation function to perform bulk operations (add, update, and delete) for the 
    following on your database:
    • Internal users
    • Internal hosts
    • Network devices
    For bulk operations, you must download the .csv file template from ACS and add the records that you 
    want to add, update, or delete to the .csv file and save it to your local disk. Use the Download Template 
    function to ensure that your .csv file adheres to the requirements. 
    The .csv templates for users, internal hosts, and network devices are specific to their type; for example, 
    you cannot use a downloaded template accessed from the Users page to add internal hosts or network 
    devices. Within the .csv file, you must adhere to these requirements:
    • Do not alter the contents of the first record (the first line, or row, of the .csv file).
    • Use only one line for each record.
    • Do not embed new-line characters in any fields.
    • For non-English languages, encode the .csv file in UTF-8 encoding, or save it with a font that supports 
    Unicode.
    Before you begin the bulk operation, ensure that your browser’s popup blocker is disabled.
    Step 1 Click File Operations on the Users, Network Devices, or MAC Address page of the web interface.
    The Operation dialog box appears.
    Step 2 Click Next to download the .csv file template if you do not have it. 
    						
    Step 3 Click any one of the following operations if you have previously created a template-based .csv file on 
    your local disk:
    • Add—Adds the records in the .csv file to the records currently available in ACS.
    • Update—Overwrites the records in ACS with the records from the .csv file.
    • Delete—Removes the records in the .csv file from the list in ACS.
    Step 4 Click Next to move to the next page.
    Step 5 Click Browse to navigate to your .csv file.
    Step 6 Choose either of the following options that you want ACS to follow in case of an error during the import 
    process:
    • Continue processing remaining records; successful records will be imported.
    • Stop processing the remaining records; only the records that were successfully imported before the 
    error will be imported.
    Step 7 Check the Password check box and enter the password to decrypt the .csv file if it is encrypted in GPG 
    format.
    Step 8 Click Finish to start the bulk operation.
    The Import Progress window appears. Use this window to monitor the progress of the bulk operation. 
    Data transfer failures of any records within your .csv file are displayed.
    You can click the Abort button to stop importing data that is under way; however, the data that was 
    successfully transferred is not removed from your database. 
    When the operation completes, the Save Log button is enabled. 
    Step 9 Click Save Log to save the log file to your local disk.
    Step 10 Click OK to close the Import Progress window.
    You can submit only one .csv file to the system at one time. If an operation is under way, an additional 
    operation cannot succeed until the original operation is complete.
    Note: Internal users whose password type is NAC Profiler can also be imported when NAC Profiler is not 
    installed in ACS.
    For information on how to create the import files, refer to 
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/cli_imp_exp.html#wp1055255.
    Timesaver: To perform a bulk add, edit, or delete operation on any of the ACS objects, you can use the export file 
    of that object, retain the header row, and create the .csv import file. However, to add an updated name or 
    MAC address to the ACS objects, you must download and use the particular update template. Also, for 
    the NDGs, the export template contains only the NDG name, so in order to update any other property, 
    you must download and use the NDG update template. 
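    An added Python check (not code from the manual or from ACS) for the .csv rules listed in this section and for the two error-handling options offered in Step 6; TEMPLATE_HEADER and the sample files are constructed stand-ins, not the column layout of the real ACS template.

```python
"""Checks an import .csv against the rules this section states (first record
is the unchanged template header, one line per record, no embedded new-line
characters, UTF-8 encoding) and simulates the two error-handling choices
offered in Step 6. Added illustration, not ACS code; TEMPLATE_HEADER is a
constructed stand-in, not the column layout of the real ACS template."""
import csv
import io
import ipaddress

TEMPLATE_HEADER = ["Name", "IP Address", "Description", "Location", "Device Type"]


def parse_import_file(raw: bytes):
    """Return (records, problems). Any entry in `problems` is a file-level
    violation, so the file should be rejected before any record is imported."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [], [f"file is not UTF-8 encoded: {exc}"]
    # newline="" lets the csv module see the raw line endings, including "\r\n"
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows or rows[0] != TEMPLATE_HEADER:
        return [], ["first record does not match the template header row"]
    records, problems = [], []
    for n, row in enumerate(rows[1:], start=1):
        if any("\n" in f or "\r" in f for f in row):
            problems.append(f"record {n}: embedded new-line inside a quoted field")
        elif len(row) != len(TEMPLATE_HEADER):
            problems.append(f"record {n}: expected {len(TEMPLATE_HEADER)} fields, got {len(row)}")
        else:
            records.append(dict(zip(TEMPLATE_HEADER, row)))
    return records, problems


def validate_record(rec, existing):
    """Per-record checks used by the Add operation (constructed for the model)."""
    if not rec["Name"]:
        return "name is empty"
    if rec["Name"] in existing:
        return "a device with this name already exists"
    try:
        ipaddress.ip_network(rec["IP Address"], strict=False)
    except ValueError:
        return f"invalid IP address or subnet {rec['IP Address']!r}"
    return None


def run_add(records, existing, stop_on_error):
    """Simulate the Add operation. stop_on_error=False keeps going and imports
    every good record; stop_on_error=True stops at the first bad record and
    keeps only what was imported before it. Returns (imported names, errors)."""
    imported, errors = [], []
    for rec in records:
        err = validate_record(rec, existing)
        if err:
            errors.append(f"{rec['Name'] or '<unnamed>'}: {err}")
            if stop_on_error:
                break
            continue
        existing[rec["Name"]] = rec
        imported.append(rec["Name"])
    return imported, errors


# Constructed sample files (not taken from the manual).
GOOD_FILE = (b"Name,IP Address,Description,Location,Device Type\r\n"
             b"sw1,10.1.1.5,core switch,HQ,Switch\r\n"
             b"rt1,10.2.0.0/24,branch routers,Branch,Router\r\n")
MIXED_FILE = (b"Name,IP Address,Description,Location,Device Type\n"
              b"sw1,10.1.1.5,core switch,HQ,Switch\n"
              b"bad1,10.1.1.999,typo in address,HQ,Switch\n"
              b"rt1,10.2.0.0/24,branch routers,Branch,Router\n")
```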
    						
    Exporting Network Resources and Users
    To export a list of network resources or users:
    Step 1 Click Export on the Users, Network Devices, or MAC Address page of the web interface.
    The Network Device page appears.
    Step 2 Choose the filter condition and the Match if operator, and enter the filter criterion that you are looking 
    for in the text box.
    Step 3 Click Go.
    A list of records that match your filter criterion appears. You can export these to a .csv file.
    Step 4 Click Export to export the records to a .csv file.
    A system message box appears, prompting you for an encryption password to encrypt the .csv file during 
    file transfer.
    To encrypt the export .csv file, check the Password check box and enter the encryption password. You 
    can optionally choose to not encrypt the file during transfer.
    Step 5 Click Start Export to begin the export process.
    The Export Progress window appears, displaying the progress of the export process. If any errors are 
    encountered during this process, they are displayed in the Export Progress window. 
    You can terminate the export process at any time during this process. If you terminate the export process, 
    all the records exported up to that point are retained. If you want to resume, you have to start 
    the export process all over again.
    Step 6 After the export process is complete, click Save File to save the export file to your local disk.
    The export file is a .csv file that is compressed as export.zip.
    Creating, Duplicating, and Editing Network Devices
    You can use the bulk import feature to import a large number of network devices in a single operation; 
    see Performing Bulk Operations for Network Resources and Users, page 7-8 for more information. 
    Alternatively, you can use the procedure described in this topic to create network devices.
    To create, duplicate, or edit a network device:
    Step 1 Choose Network Resources > Network Devices and AAA Clients.
    The Network Devices page appears, with a list of your configured network devices, if any.
    Step 2 Do one of the following:
    • Click Create.
    • Check the check box next to the network device name that you want to duplicate, then click 
    Duplicate.
    • Click the network device name that you want to modify, or check the check box next to the name 
    and click Edit. 
    						