    							8-9
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 8      Managing Users and Identity Stores
      Managing Internal Identity Stores
In ACS 5.3, you can configure identity attributes that are used within your policies, in this order:
1. Define an identity attribute (using the user dictionary).
2. Define custom conditions to be used in a policy.
3. Populate values for each user in the internal database.
4. Define rules based on this condition.
    As you become more familiar with ACS 5.3 and your identity attributes for users, the policies themselves 
    will become more robust and complex.
    You can use the user-defined attribute values to manage policies and authorization profiles. See Creating, 
    Duplicating, and Editing an Internal User Identity Attribute, page 18-10 for information on how to create 
    a user attribute.
    Host Attributes
You can configure additional attributes for internal hosts. You can do the following when you create an internal host:
- Create host attributes
- Assign default values to the host attributes
- Define whether the default values are required or optional
You can enter values for these host attributes and can use these values to manage policies and authorization profiles. See Creating, Duplicating, and Editing an Internal Host Identity Attribute, page 18-13 for information on how to create a host attribute.

Configuring Authentication Settings for Users
You can configure the authentication settings for user accounts in ACS to force users to use strong passwords. Any password policy changes that you make in the Authentication Settings page apply to all internal identity store user accounts. The User Authentication Settings page consists of the following tabs:
- Password Complexity
- Advanced
To configure a password policy:

Step 1 Choose System Administration > Users > Authentication Settings.
The User Authentication Settings page appears with the Password Complexity and Advanced tabs.

Step 2 In the Password Complexity tab, check each check box that you want to use to configure your user password.
Table 8-2 describes the fields in the Password Complexity tab.

Table 8-2 Password Complexity Tab

Applies to all ACS internal identity store user accounts
  Minimum length: Required minimum length; the valid options are 4 to 20.
  Password may not contain the username: Whether the password may contain the username or the reversed username.
  Password may not contain 'cisco': Check to specify that the password cannot contain the word cisco.
  Password may not contain: Check to specify that the password cannot contain the string that you enter.
  Password may not contain repeated characters four or more times consecutively: Check to specify that the password cannot repeat a character four or more times consecutively.
Password must contain at least one character of each of the selected types
  Lowercase alphabetic characters: Password must contain at least one lowercase alphabetic character.
  Upper case alphabetic characters: Password must contain at least one uppercase alphabetic character.
  Numeric characters: Password must contain at least one numeric character.
  Non alphanumeric characters: Password must contain at least one non-alphanumeric character.

Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your user authentication process. Table 8-3 describes the fields in the Advanced tab.

Table 8-3 Advanced Tab

Account Disable
Supports the account disablement policy for internal users.
  Never: Default option; accounts never expire. All internal users who were disabled because of this policy are enabled if you select this option.
  Disable account if Date exceeds: The internal user is disabled when the configured date is exceeded. For example, if the configured date is 28th Dec 2010, all internal users will be disabled at midnight on 28th Dec 2010. The configured date can be either the current system date or a future date; you are not allowed to enter a date that is earlier than the current system date. All internal users who were disabled because of the Date exceeds option are enabled according to the configuration changes made in the Date exceeds option.
  Disable account if Days exceed: The internal user is disabled when the configured number of days is exceeded. For example, if the configured number of days to disable the account of a user is 60 days, that user will be disabled 60 days after the time the account was enabled.
  Disable account if Failed Attempts Exceed: The internal user is disabled when the successive failed attempts count reaches the configured value. For example, if the configured value is 5, the internal user will be disabled when the successive failed attempts count reaches 5.
  Reset current failed attempts count on submit: If selected, the failed attempts count of all internal users is set to 0. All internal users who were disabled because of the Failed Attempts Exceed option are enabled.
Password History
  Password must be different from the previous n versions: Specifies the number of previous passwords for this user to be compared against. The number of previous passwords includes the default password as well. This option prevents users from setting a password that was recently used. Valid options are 1 to 99.
Password Lifetime
Users can be required to periodically change their password.
  Disable user account after n days if password is not changed: Specifies that the user account must be disabled after n days if the password is not changed; the valid options are 1 to 365. This option is applicable only for TACACS+ authentication.
  Display reminder after n days: Displays a reminder after n days to change the password; the valid options are 1 to 365. This option, when set, only displays a reminder. It does not prompt you for a new password. This option is applicable only for TACACS+ authentication.
TACACS Enable Password
Select whether a separate password should be defined in the user record to store the Enable Password.
  TACACS Enable Password: Check the check box to enable a separate password for TACACS+ authentication.

Step 4 Click Submit.
The user password is configured with the defined criteria. These criteria apply only to future logins.

Note: ACS supports any character as passwords and shared secrets that can be represented using UTF-8 encoding.

Note: If one of the users gets disabled, the Failed Attempt Count value needs to be reconfigured multiple times. In such a case, the administrators should note the current failed attempts count of such a user separately, or they should reset the count to 0 for all users.

Creating Internal Users
In ACS, you can create internal users that do not access external identity stores for security reasons.
You can use the bulk import feature to import hundreds of internal users at a time; see Performing Bulk Operations for Network Resources and Users, page 7-8 for more information. Alternatively, you can use the procedure described in this topic to create internal users one at a time.

Step 1 Select Users and Identity Stores > Internal Identity Store > Users.
The Internal Users page appears.

Step 2 Click Create. You can also:
- Check the check box next to the user that you want to duplicate, then click Duplicate.
- Click the username that you want to modify, or check the check box next to the name and click Edit.
- Check the check box next to the user whose password you want to change, then click Change Password.
  The Change Password page appears.

Step 3 Complete the fields as described in Table 8-4 to change the internal user password.

- Click File Operations to:
  – Add—Adds internal users from the import file to ACS.
  – Update—Overwrites the existing internal users in ACS with the list of users from the import file.
  – Delete—Removes the internal users listed in the import file from ACS.
- Click Export to export a list of internal users to your local hard disk.
For more information on the File Operations option, see Performing Bulk Operations for Network Resources and Users, page 7-8.
The User Properties page appears when you choose the Create, Duplicate, or Edit option. In the Edit view, you can see the information on the original creation and last modification of the user. You cannot edit this information.

Step 4 Complete the fields as described in Table 8-5.
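The Password Complexity rules (Table 8-2) and the Password History depth (Table 8-3) apply to every password entered on the Change Password and User Properties pages that follow. As an added example (not code from the guide or from ACS), this Python checker models those rules so an administrator can audit a bulk-import list before submitting it; case-insensitive substring matching and the sample policy and rows are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class PasswordPolicy:
    """Mirror of the Password Complexity check boxes (Table 8-2) plus the
    Password History depth from the Advanced tab (Table 8-3)."""
    minimum_length: int = 4                  # valid options are 4 to 20
    no_username: bool = True                 # username or reversed username
    no_cisco: bool = True                    # the word "cisco"
    forbidden_string: Optional[str] = None   # "Password may not contain <string>"
    no_repeats: bool = True                  # no character four or more times in a row
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_nonalnum: bool = True
    history_depth: int = 0                   # previous n versions, 1 to 99 (0 = off)


def check_password(password: str, username: str, policy: PasswordPolicy,
                   previous: Sequence[str] = ()) -> List[str]:
    """Return every rule the candidate password violates (empty list = accepted).
    Substring checks are case-insensitive here; that is an assumption, the guide
    does not say how ACS compares them."""
    problems: List[str] = []
    lowered = password.lower()
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than the minimum length of {policy.minimum_length}")
    if policy.no_username and username:
        user = username.lower()
        if user in lowered or user[::-1] in lowered:
            problems.append("contains the username or the reversed username")
    if policy.no_cisco and "cisco" in lowered:
        problems.append("contains the word cisco")
    if policy.forbidden_string and policy.forbidden_string.lower() in lowered:
        problems.append(f"contains the forbidden string {policy.forbidden_string!r}")
    # (.)\1{3}: any character immediately followed by three more copies of itself
    if policy.no_repeats and re.search(r"(.)\1{3}", password):
        problems.append("repeats a character four or more times consecutively")
    required = [
        (policy.require_lower, r"[a-z]", "lowercase alphabetic"),
        (policy.require_upper, r"[A-Z]", "uppercase alphabetic"),
        (policy.require_digit, r"[0-9]", "numeric"),
        (policy.require_nonalnum, r"[^A-Za-z0-9]", "non-alphanumeric"),
    ]
    for enabled, pattern, label in required:
        if enabled and not re.search(pattern, password):
            problems.append(f"has no {label} character")
    # Password History: only the most recent n passwords (oldest first in `previous`) count
    if policy.history_depth and password in list(previous)[-policy.history_depth:]:
        problems.append(f"matches one of the previous {policy.history_depth} passwords")
    return problems


def audit_import(rows: Sequence[Tuple[str, str]],
                 policy: PasswordPolicy) -> Dict[str, List[str]]:
    """Pre-check a bulk-import list of (username, password) pairs and report only
    the rows the policy would reject."""
    rejected: Dict[str, List[str]] = {}
    for user, pw in rows:
        probs = check_password(pw, user, policy)
        if probs:
            rejected[user] = probs
    return rejected


# Constructed sample: a policy an administrator might submit, and three import rows.
SAMPLE_POLICY = PasswordPolicy(minimum_length=8, forbidden_string="acs", history_depth=3)
SAMPLE_ROWS = [("alice", "Str0ng!pass"), ("bob", "cisco123"), ("carol", "aaaaB1!x")]

if __name__ == "__main__":
    for user, probs in audit_import(SAMPLE_ROWS, SAMPLE_POLICY).items():
        print(user, "->", "; ".join(probs))
```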
Table 8-4 Internal User - Change Password Page

Password Information
  Password: User’s current password, which must comply with the password policies defined under System Administration > Users > Authentication Settings.
  Confirm Password: User’s password, which must match the Password entry exactly.
  Change Password on Next Login: Check this box to start the process to change the user’s password at the next user login, after authentication with the old password.
Enable Password Information
  Enable Password: (Optional) The internal user’s TACACS+ enable password, from 4 to 32 characters. You can disable this option. See Authentication Information, page 8-5 for more information.
  Confirm Password: (Optional) The internal user’s TACACS+ enable password, which must match the Enable Password entry exactly.

Table 8-5 Users and Identity Stores > Internal Identity Store > User Properties Page

General
  Name: Username.
  Status: Use the drop-down list box to select the status for the user:
    Enabled—Authentication requests for this user are allowed.
    Disabled—Authentication requests for this user fail.
  Description: (Optional) Description of the user.
  Identity Group: Click Select to display the Identity Groups window. Choose an identity group and click OK to configure the user with a specific identity group.
Password Information
This section of the page appears only when you create an internal user. The password must contain at least 4 characters.
  Password Type: Displays all configured external identity store names, along with Internal Users, which is the default password type. You can choose any one identity store from the list. During user authentication, if an external identity store is configured for the user, the internal identity store forwards the authentication request to the configured external identity store. If an external identity store is selected, you cannot configure a password for the user; the password edit box is disabled. You cannot use identity sequences as external identity stores for the Password Type. You can change the Password Type using the Change Password button located in the Users and Identity Stores > Internal Identity Stores > Users page.
  Password: User’s password, which must comply with the password policies defined under System Administration > Users > Authentication Settings.
  Confirm Password: User’s password, which must match the Password entry exactly.
  Change Password on next login: Check this box to start the process to change the user’s password when the user logs in next time, after authentication with the old password.
Enable Password Information
This section of the page appears only when you create an internal user. The enable password must contain 4 to 32 characters.
  Enable Password: (Optional) Internal user’s TACACS+ enable password, from 4 to 32 characters. You can disable this option. See Authentication Information, page 8-5 for more information.
  Confirm Password: (Optional) Internal user’s TACACS+ enable password, which must match the Enable Password entry exactly.
User Information
If defined, this section displays additional identity attributes defined for user records.
Creation/Modification Information
This section of the page appears only after you have created or modified an internal user.
  Date Created: Display only. The date and time when the user’s account was created, in the format Day Mon dd hh:mm:ss UTC YYYY, where:
    Day = Day of the week.
    Mon = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec.
    dd = Two digits that represent the day of the month; a space precedes single-digit days (1 to 9).
    hh:mm:ss = Hour, minute, and second, respectively.
    YYYY = Four digits that represent the year.
  Date Modified: Display only. The date and time when the user’s account was last modified (updated), in the format Day Mon dd hh:mm:ss UTC YYYY, with the fields as described for Date Created.

Step 5 Click Submit.
The user configuration is saved. The Internal Users page appears with the new configuration.

Related Topics
Configuring Authentication Settings for Users, page 8-9
Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15
Deleting Users from Internal Identity Stores, page 8-14

Deleting Users from Internal Identity Stores
To delete a user from an internal identity store:

Step 1 Select Users and Identity Stores > Internal Identity Store > Users.
The Internal Users page appears.

Step 2 Check one or more check boxes next to the users you want to delete.

Step 3 Click Delete.
The following message appears:
Are you sure you want to delete the selected item/items?
    						
Step 4 Click OK.
The Internal Users page appears without the deleted users.

Related Topics
Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15
Creating Internal Users, page 8-11

    Viewing and Performing Bulk Operations for Internal Identity Store Users
To view and perform bulk operations on internal identity store users:

Step 1 Select Users and Identity Stores > Internal Identity Stores > Users.
The Internal Users page appears, with the following information for all configured users:
- Status—The status of the user
- User Name—The username of the user
- Identity Group—The identity group to which the user belongs
- Description—(Optional) A description of the user

Step 2 Do one of the following:
- Click Create. For more information on creating internal users, see Creating Internal Users, page 8-11.
- Check the check box next to an internal user whose information you want to edit and click Edit. For more information on the various fields in the edit internal user page, see Creating Internal Users, page 8-11.
- Check the check box next to an internal user whose information you want to duplicate and click Duplicate. For more information on the various fields in the duplicate internal user page, see Creating Internal Users, page 8-11.
- Click File Operations to perform any of the following bulk operations:
  – Add—Choose this option to add internal users from the import file to ACS.
  – Update—Choose this option to replace the list of internal users in ACS with the list of internal users in the import file.
  – Delete—Choose this option to delete the internal users listed in the import file from ACS.
See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detailed description of the bulk operations.

    Related Topics
    Creating Internal Users, page 8-11
    Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15
    Deleting Users from Internal Identity Stores, page 8-14 
    						
    Creating Hosts in Identity Stores
To create, duplicate, or edit a MAC address and assign identity groups to internal hosts:

Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.
The Internal Hosts page appears, listing any configured internal hosts.

Step 2 Click Create. You can also:
- Check the check box next to the MAC address you want to duplicate, then click Duplicate.
- Click the MAC address that you want to modify, or check the check box next to the MAC address and click Edit.
- Click File Operations to perform bulk operations. See Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18 for more information on the import process.
- Click Export to export a list of hosts to your local hard drive.
The Internal Hosts General page appears when you click the Create, Duplicate, or Edit options.

Step 3 Complete the fields in the Internal MAC Address Properties page as described in Table 8-6:

Table 8-6 Internal Hosts Properties Page

General
  MAC Address: ACS 5.3 supports wildcards while adding new hosts to the internal identity store. Enter a valid MAC address, using any of the following formats (full address / wildcard form):
    01-23-45-67-89-AB / 01-23-45-*
    01:23:45:67:89:AB / 01:23:45:*
    0123.4567.89AB / 0123.45*
    0123456789AB / 012345*
  ACS accepts a MAC address in any of the above formats, and converts and stores the MAC address as six hexadecimal digits separated by hyphens; for example, 01-23-45-67-89-AB.
  Status: Use the drop-down list box to enable or disable the MAC address.
  Description: (Optional) Enter a description of the MAC address.
  Identity Group: Enter an identity group with which to associate the MAC address, or click Select to display the Identity Groups window. Choose an identity group with which to associate the MAC address, then click OK.
MAC Host Information
Display only. Contains MAC host identity attribute information.
Creation/Modification Information
This section of the page appears only after you have created or modified a MAC address.
  Date Created: Display only. The date that the host account was created, in the format Day Mon dd hh:mm:ss UTC YYYY, where:
    Day = Day of the week.
    Mon = Three characters that represent the month of the year: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sept, Oct, Nov, Dec.
    dd = Two digits that represent the day of the month; a space precedes single-digit days (1 to 9).
    hh:mm:ss = Hour, minute, and second, respectively.
    YYYY = Four digits that represent the year.
  Date Modified: Display only. The date that the host account was last modified (updated), in the format Day Mon dd hh:mm:ss UTC YYYY, with the fields as described for Date Created.

Step 4 Click Submit to save changes.
The MAC address configuration is saved. The Internal MAC list page appears with the new configuration.

Note: Hosts with wildcards (supported formats) for MAC addresses are migrated from 4.x to 5.x.

Note: You can add a wildcard for a MAC address, which allows the entire range of Organization Unique Identifier (OUI) clients. For example, if you add Cisco's MAC address 00-00-0C-*, the entire range of Cisco devices will be added to the host.

Related Topics
Host Lookup, page 4-13
Deleting Internal Hosts, page 8-18
Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18
Policies and Identity Attributes, page 3-17
Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18
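As an added example (not code from the guide or from ACS), this Python normalizer accepts the four MAC address formats of Table 8-6, including the wildcard forms, converts them to the hyphenated form that ACS stores, and tests whether a client's address falls under a wildcard entry such as the guide's 00-00-0C-* OUI example. It assumes a wildcard prefix is a whole number of octets, as in the guide's examples; the client addresses in the sample are constructed.

```python
import re

# The four accepted input forms from Table 8-6, matched after upper-casing.
# A trailing "*" is the wildcard. The guide shows wildcards only after whole
# octets (01-23-45-*, 0123.45*), so that is required here (an assumption).
_FORMATS = (
    re.compile(r"^(?:[0-9A-F]{2}-)+(?:[0-9A-F]{2}|\*)$"),               # 01-23-45-67-89-AB / 01-23-45-*
    re.compile(r"^(?:[0-9A-F]{2}:)+(?:[0-9A-F]{2}|\*)$"),               # 01:23:45:67:89:AB / 01:23:45:*
    re.compile(r"^(?:[0-9A-F]{4}\.)*(?:[0-9A-F]{4}|[0-9A-F]{0,4}\*)$"),  # 0123.4567.89AB / 0123.45*
    re.compile(r"^[0-9A-F]+\*?$"),                                      # 0123456789AB / 012345*
)


def normalize_mac(entry: str) -> str:
    """Convert any accepted form to the stored form, e.g. 01-23-45-67-89-AB.
    Wildcard entries become a hyphenated prefix ending in -*, e.g. 00-00-0C-*."""
    text = entry.strip().upper()
    if not any(fmt.match(text) for fmt in _FORMATS):
        raise ValueError(f"unsupported MAC address format: {entry!r}")
    wildcard = text.endswith("*")
    digits = re.sub(r"[-:.*]", "", text)
    if wildcard:
        if len(digits) % 2 or not 2 <= len(digits) <= 10:
            raise ValueError(f"wildcard prefix must be 1 to 5 whole octets: {entry!r}")
    elif len(digits) != 12:
        raise ValueError(f"a full MAC address needs 12 hex digits: {entry!r}")
    octets = "-".join(digits[i:i + 2] for i in range(0, len(digits), 2))
    return octets + "-*" if wildcard else octets


def is_valid_entry(entry: str) -> bool:
    """True if the entry is accepted by the format rules above."""
    try:
        normalize_mac(entry)
    except ValueError:
        return False
    return True


def mac_matches(entry: str, client_mac: str) -> bool:
    """True if a client's (full) MAC address is covered by an internal-host entry,
    either exactly or through the entry's wildcard prefix (e.g. a whole OUI)."""
    canon_entry = normalize_mac(entry)
    canon_client = normalize_mac(client_mac)
    if canon_client.endswith("*"):
        raise ValueError("client MAC address must be a full address, not a wildcard")
    if canon_entry.endswith("-*"):
        return canon_client.startswith(canon_entry[:-1])  # keep the trailing hyphen
    return canon_client == canon_entry


if __name__ == "__main__":
    # Constructed sample: the guide's OUI example against two client addresses.
    for client in ("0000.0C12.3456", "00:00:0d:12:34:56"):
        print(client, "->", normalize_mac(client),
              "covered by 00-00-0C-*:", mac_matches("00-00-0C-*", client))
```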
    						
    							8-18
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 8      Managing Users and Identity Stores
      Managing Internal Identity Stores
    Deleting Internal Hosts
To delete a MAC address:

Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.
The Internal MAC List page appears, with any configured MAC addresses listed.

Step 2 Check one or more of the check boxes next to the internal hosts you want to delete.

Step 3 Click Delete.
The following message appears:
Are you sure you want to delete the selected item/items?

Step 4 Click OK.
The Internal MAC List page appears without the deleted MAC addresses.

Related Topics
Host Lookup, page 4-13
Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18
Creating Hosts in Identity Stores, page 8-16
Policies and Identity Attributes, page 3-17
Configuring an Identity Group for Host Lookup Network Access Requests, page 4-18

Viewing and Performing Bulk Operations for Internal Identity Store Hosts
To view and perform bulk operations for internal identity store hosts:

Step 1 Select Users and Identity Stores > Internal Identity Stores > Hosts.
The Internal Hosts page appears, with any configured internal hosts listed.

Step 2 Click File Operations to perform any of the following functions:
- Add—Choose this option to add internal hosts from an import file to ACS.
- Update—Choose this option to replace the list of internal hosts in ACS with the internal hosts in the import file.
- Delete—Choose this option to delete the internal hosts listed in the import file from ACS.
See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detailed description of the bulk operations.

    Related Topics
    Host Lookup, page 4-13
    Creating Hosts in Identity Stores, page 8-16
    Deleting Internal Hosts, page 8-18 
    						