Cisco Acs 5x User Guide

    Chapter 9 Managing Policy Elements
    User Guide for Cisco Secure Access Control System 5.3, OL-24201-01
    A policy defines the authentication and authorization processing of clients that attempt to access the ACS 
    network. A client can be a user, a network device, or a user associated with a network device.
    Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are 
    organized in rule tables. See Chapter 3, “ACS 5.x Policy Model” for more information on policy design 
    and how it is implemented in ACS. 
    Before you configure your policy rules, you must create the policy elements, which are the conditions 
    and results to use in those policies. After you create the policy elements, you can use them in policy 
    rules. See Chapter 10, “Managing Access Policies” for more information on managing services, policies, 
    and policy rules.
    This chapter contains the following topics:
    Managing Policy Conditions, page 9-1
    Managing Authorizations and Permissions, page 9-17
    Creating, Duplicating, and Editing Downloadable ACLs, page 9-31
    Note: When the Cisco Security Group Access license is installed, you can also configure Security Groups and 
    Security Group Access Control Lists (SGACLs), which you can then use in Security Group Access 
    authorization policies. For information about configuring security groups for Security Group Access, see 
    Creating Security Groups, page 4-24. 
    Managing Policy Conditions
    You can configure the following items as conditions in a rule table:
    Request/Protocol Attributes—ACS retrieves these attributes from the authentication request that the 
    user issues. 
    Identity Attributes—These attributes are related to the identity of the user performing a request. 
    These attributes can be retrieved from the user definition in the internal identity store or from user 
    definitions that are stored in external repositories, such as LDAP and AD.
    Identity Groups—ACS maintains a single identity group hierarchy that is used for all types of users 
    and hosts. Each internal user or host definition can include an association to a single identity group 
    within the hierarchy.  
    You can map users and hosts to identity groups by using the group mapping policy. You can include 
    identity groups in conditions to configure common policy conditions for all users in the group. For 
    more information about creating identity groups, see Managing Identity Attributes, page 8-7.
    Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 
    device hierarchies. You can include hierarchy elements in policy conditions. For more information 
    about creating NDGs, see Network Device Groups, page 7-2.
    Date and Time Conditions—You can create named conditions that define specific time intervals 
    across specific days of the week. You can also associate expiry dates with date and time conditions.
    A date and time condition is a condition that takes the current date and time and effectively returns 
    either true or false to indicate whether or not the condition is met. There are two components within 
    the date and time condition:
    –Enable Duration—You have the option to limit the duration during which the condition is 
    enabled by specifying an optional start time, end time, or both. This component allows you to 
    create rules with limited time durations that effectively expire.
    If the condition is not enabled, then this component of the date and time condition returns false.
    –Time Intervals—On the ACS web interface, you see a grid of time that shows the days of the 
    week and the hours within each day. Each cell in the grid represents one hour. You can either 
    set or clear the cells.
    If the date and time when a request is processed falls at a time when the corresponding time 
    interval is set, then this component of the date and time condition returns true.
    Both components of the date and time condition are considered while processing a request. The date 
    and time condition is evaluated as true only if both components return a true value.
    Network Conditions—You can create filters of the following types to restrict access to the network:
    –End Station Filters—Based on end stations that initiate and terminate the connection. End 
    stations may be identified by IP address, MAC address, calling line identification (CLI), or 
    dialed number identification service (DNIS) fields obtained from the request.
    –Network Device Filters—Based on the AAA client that processes the request. A network device 
    can be identified by its IP address, by the device name that is defined in the network device 
    repository, or by the NDG.
    –Device Port Filters—Network device definition might be supplemented by the device port that 
    the end station is associated with.
    Each network device condition defines a list of objects that can then be included in policy 
    conditions, resulting in a set of definitions that are matched against those presented in the request. 
    The operator that you use in the condition can be either match, in which case the value presented 
    must match at least one entry within the network condition, or no matches, in which case it should 
    not match any entry in the set of objects that is present in the filter. 
    You can include Protocol and Identity attributes in a condition by defining them in custom conditions or 
    in compound conditions.
    You define compound conditions in the policy rule properties page and not as a separate named 
    condition. See Configuring Compound Conditions, page 10-40.
    Custom conditions and Date and Time conditions are called session conditions. 
    This section contains the following topics: 
    Creating, Duplicating, and Editing a Date and Time Condition, page 9-3
    Creating, Duplicating, and Editing a Custom Session Condition, page 9-5 
    Deleting a Session Condition, page 9-6
    Managing Network Conditions, page 9-6
    See Chapter 3, “ACS 5.x Policy Model” for information about additional conditions that you can use in 
    policy rules, although they are not configurable.
    Creating, Duplicating, and Editing a Date and Time Condition
    Create date and time conditions to specify time intervals and durations. For example, you can define 
    shifts over a specific holiday period. When ACS processes a rule with a date and time condition, the 
    condition is compared to the date and time information of the ACS instance that is processing the 
    request. Clients that are associated with this condition are subject to it for the duration of their session.
    The time on the ACS server is used when making policy decisions. Therefore, ensure that you configure 
    date and time conditions that correspond to the time zone in which your ACS server resides. Your time 
    zone may be different from that of the ACS server. 
    You can duplicate a session condition to create a new session condition that is the same, or similar to, 
    an existing session condition. After duplication is complete, you access each session condition (original 
    and duplicated) separately to edit or delete them.
    To create, duplicate, or edit a date and time condition:
    Step 1 Select Policy Elements > Session Conditions > Date and Time.
    The Date and Time Conditions page appears.
    Step 2 Do one of the following:
    Click Create.
    Check the check box next to the condition you want to duplicate and click Duplicate.
    Click the name that you want to modify; or, check the check box next to the condition that you want 
    to modify and click Edit.
    The Date and Time Properties page appears.
    Step 3 Enter valid configuration data in the required fields as described in Table 9-1:
    Table 9-1 Date and Time Properties Page
    Option Description
    General
    Name Enter a name for the date and time condition.
    Description Enter a description, such as specific days and times of the date and time condition. 
    Duration
    Start Click one of the following options: 
    Start Immediately—Specifies that the rules associated with this condition are valid, starting at the 
    current date.
    Start On—Specify a start date by clicking the calendar icon next to the associated field to choose a 
    specific start date, at which the condition becomes active (at the beginning of the day, indicated by 
    the time 00:00:00 on a 24-hour clock).
    You can specify time in the hh:mm format.
    End Click one of the following options: 
    No End Date—Specifies that the rules associated with this date and time condition are always active, 
    after the indicated start date.
    End By—Specify an end date by clicking the calendar icon next to the associated field to choose a 
    specific end date, at which the date and time condition becomes inactive (at the end of the day, 
    indicated by the time 23:59:59 on a 24-hour clock).
    You can specify time in the hh:mm format.
    Days and Time
    Days and Time section grid Each square in the Days and Time grid is equal to one hour. Select a grid 
    square to make the corresponding time active; rules associated with this condition are valid during this time. 
    A green (or darkened) grid square indicates an active hour.
    Ensure that you configure date and time conditions that correspond to the time zone in which your ACS 
    server resides. Your time zone may be different from that of the ACS server. 
    For example, you may receive an error message if you configure a date and time condition that is an hour 
    ahead of your current time, but that is already in the past with respect to the time zone of your ACS server.
    Select All Click to set all squares in the grid to the active state. Rules associated with this condition are 
    always valid.
    Clear All Click to set all squares in the grid to the inactive state. Rules associated with this condition are 
    always invalid.
    Undo All Click to remove your latest changes for the active and inactive day and time selections for the date 
    and time group.
    To add date and time conditions to a policy, you must first customize the rule table. See Customizing a 
    Policy, page 10-4.
    Step 4 Click Submit.
    The date and time condition is saved. The Date and Time Conditions page appears with the new date and 
    time condition that you created or duplicated. 
    Related Topics
    Creating, Duplicating, and Editing a Custom Session Condition, page 9-5
    Deleting a Session Condition, page 9-6
    Configuring Access Service Policies, page 10-21
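The two-component evaluation described under Date and Time Conditions (the enable duration and the hourly grid, both of which must return true) and the 00:00:00 start and 23:59:59 end boundaries from Table 9-1, worked through as an added Python example. This is not code from the guide or from ACS; it models a condition evaluated on the ACS server's clock, as the guide says ACS does. The server time zone (UTC+1), the condition name and the request timestamps are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone

# Assumed ACS server time zone for this example (constructed): UTC+1.
SERVER_TZ = timezone(timedelta(hours=1))


@dataclass
class DateTimeCondition:
    """Model of an ACS date and time condition (constructed for this example)."""
    name: str
    start_on: date | None = None   # None models "Start Immediately"
    end_by: date | None = None     # None models "No End Date"
    # Days and Time grid: grid[weekday][hour], weekday 0 = Monday, one cell per hour.
    grid: list[list[bool]] = field(
        default_factory=lambda: [[False] * 24 for _ in range(7)])

    def set_cells(self, weekdays, hours) -> None:
        """Mark grid squares active (the 'select a grid square' action)."""
        for d in weekdays:
            for h in hours:
                self.grid[d][h] = True

    def duration_enabled(self, now: datetime) -> bool:
        """Enable Duration component: active from 00:00:00 on start_on through
        23:59:59 on end_by; outside that window the component returns False."""
        if self.start_on is not None:
            start = datetime.combine(self.start_on, time(0, 0, 0), tzinfo=now.tzinfo)
            if now < start:
                return False
        if self.end_by is not None:
            end = datetime.combine(self.end_by, time(23, 59, 59), tzinfo=now.tzinfo)
            if now > end:
                return False
        return True

    def interval_active(self, now: datetime) -> bool:
        """Time Intervals component: is the grid cell for this weekday/hour set?"""
        return self.grid[now.weekday()][now.hour]

    def evaluate(self, now: datetime) -> bool:
        """The condition is true only when both components return true."""
        return self.duration_enabled(now) and self.interval_active(now)


def evaluate_request(cond: DateTimeCondition, request_time: datetime,
                     server_tz=SERVER_TZ) -> bool:
    """Evaluate against the ACS server's clock: the request timestamp is
    converted to the server's time zone before the grid is consulted."""
    return cond.evaluate(request_time.astimezone(server_tz))


def at(year, month, day, hour, minute, utc_offset_hours=1) -> datetime:
    """Build an aware request timestamp (constructed input; default offset = server's)."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def business_hours_condition() -> DateTimeCondition:
    """Constructed sample: Mon-Fri, 09:00-17:59, valid only during the week of 8 Jan 2024."""
    cond = DateTimeCondition("office-hours-wk2",
                             start_on=date(2024, 1, 8), end_by=date(2024, 1, 12))
    cond.set_cells(weekdays=range(0, 5), hours=range(9, 18))
    return cond


if __name__ == "__main__":
    cond = business_hours_condition()
    for ts in (at(2024, 1, 10, 10, 0),        # Wednesday 10:00 server time
               at(2024, 1, 10, 18, 0),        # Wednesday 18:00, cell not set
               at(2024, 1, 13, 10, 0),        # Saturday, past End By
               at(2024, 1, 10, 8, 30, 0)):    # 08:30 UTC = 09:30 on the server
        print(ts.isoformat(), "->", evaluate_request(cond, ts))
```

The last sample request is the time-zone point the guide makes: the same 08:30 UTC timestamp is outside the grid if evaluated in the administrator's UTC clock but inside it once converted to the server's UTC+1 clock, which is the one ACS uses.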
    Creating, Duplicating, and Editing a Custom Session Condition
    The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes 
    as a condition in a policy rule, you must first create a custom condition for the attribute. In this way, you 
    define a smaller subset of attributes to use in policy conditions, and present a smaller focused list from 
    which to choose condition types for rule tables. 
    You can also include protocol and identity attributes within compound conditions. See Configuring 
    Compound Conditions, page 10-40 for more information on compound conditions.
    To create a custom condition, you must select a specific protocol (RADIUS or TACACS+) or identity 
    attribute from one of the dictionaries, and name the custom condition. See Configuring Global System 
    Options, page 18-1 for more information on protocol and identity dictionaries.
    When you create a custom condition that includes identity or RADIUS attributes, you can also include 
    the definition of the attributes. You can thus easily view any existing custom conditions associated with 
    a particular attribute.
    To create, duplicate, or edit a custom session condition:
    Step 1 Select Policy Elements > Session Conditions > Custom.
    The Custom Conditions page appears.
    Step 2 Do one of the following:
    Click Create.
    Check the check box next to the condition you want to duplicate and click Duplicate.
    Click the name that you want to modify; or, check the check box next to the condition that you want 
    to modify and click Edit.
    The Custom Condition Properties page appears.
    Step 3 Enter valid configuration data in the required fields as shown in Table 9-2:
    To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, 
    page 10-4.
    Table 9-2 Policy Custom Condition Properties Page
    Option Description
    General
    Name Name of the custom condition.
    Description Description of the custom condition.
    Condition
    Dictionary Choose a specific protocol or identity dictionary from the drop-down list box. 
    Attribute Click Select to display the list of external identity store dictionaries based on the selection you made in the 
    Dictionary field. Select the attribute that you want to associate with the custom condition, then click OK. If 
    you are editing a custom condition that is in use in a policy, you cannot edit the attribute that it references. 
    Step 4 Click Submit.
    The new custom session condition is saved. The Custom Condition page appears with the new custom 
    session condition. Clients that are associated with this condition are subject to it for the duration of their 
    session.
    Related Topics
    Creating, Duplicating, and Editing a Date and Time Condition, page 9-3
    Deleting a Session Condition, page 9-6
    Configuring Access Service Policies, page 10-21
    Deleting a Session Condition
    To delete a session condition:
    Step 1 Select Policy Elements > Session Conditions > session condition, where session condition is Date and 
    Time or Custom.
    The Session Condition page appears.
    Step 2 Check one or more check boxes next to the session conditions that you want to delete and click Delete.
    The following message appears:
    Are you sure you want to delete the selected item/items?
    Step 3 Click OK.
    The Session Condition page appears without the deleted custom session conditions.
    Related Topics
    Creating, Duplicating, and Editing a Date and Time Condition, page 9-3
    Creating, Duplicating, and Editing a Custom Session Condition, page 9-5
    Managing Network Conditions
    Filters are reusable network conditions that you create for end stations, network devices, and network 
    device ports. Filters enable ACS 5.3 to do the following: 
    Decide whether or not to grant network access to users and devices. 
    Decide on the identity store, service, and so on to be used in policies.
    After you create a filter with a name, you can reuse this filter multiple times across various rules and 
    policies by referring to its name.
    Note: The filters in ACS 5.3 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either 
    the user or user group. In 5.3, the filters are independent conditions that you can reuse across various 
    rules and policies. 
    ACS offers three types of filters:
    End Station Filter—Filters end stations, such as a laptop or printer that initiates a connection based 
    on the end station’s IP address, MAC address, CLID number, or DNIS number.
    The end station identifier can be the IP address, MAC address, or any other string that uniquely 
    identifies the end station. It is a protocol-agnostic attribute of type string that contains a copy of the 
    end station identifier:
    –In a RADIUS request, this identifier is available in Attribute 31 (Calling-Station-Id).
    –In a TACACS request, ACS obtains this identifier from the remote address field of the start 
    request (of every phase). It takes the remote address value before the slash (/) separator, if it is 
    present; otherwise, it takes the entire remote address value.
    The end station IPv4 is an IPv4 version of the end station identifier. The end station MAC is a 
    normalized MAC address of the end station identifier.
    Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) 
    to the end station based on the network device’s IP address or name, or the network device group 
    that it belongs to.
    The device identifier can be the IP address or name of the device, or it can be based on the network 
    device group to which the device belongs.
    The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP 
    address obtained from the request:
    –In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address 
    from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP 
    address from Attribute 32, or it obtains the IP address from the packet that it receives.
    –In a TACACS request, the IP address is obtained from the packet that ACS receives.
    The device name is an attribute of type string that contains a copy of the device name derived from 
    the ACS repository.
    The device dictionary (the NDG dictionary) contains network device group attributes such as 
    Location, Device Type, or other dynamically created attributes that represent NDGs. These 
    attributes, in turn, contain the groups that the current device is related to.
    Device Port Filter—Filters the physical port of the device that the end station is connected to. 
    Filtering is based on the device’s IP address, name, NDG it belongs to, and port.
    The device port identifier is an attribute of type string:
    –In a RADIUS request, if Attribute 5 (NAS-Port) is present in the request, ACS obtains the value 
    from Attribute 5; otherwise, if Attribute 87 (NAS-Port-Id) is present in the request, ACS obtains the 
    value from Attribute 87.
    –In a TACACS request, ACS obtains this identifier from the port field of the start request (of 
    every phase).
    The device name is an attribute of type string that contains a copy of the device name derived from 
    the ACS repository.
    The device dictionary (the NDG dictionary) contains network device group attributes such as 
    Location, Device Type, or other dynamically created attributes that represent NDGs. These 
    attributes, in turn, contain the groups that the current device is related to.
    You can create, duplicate, and edit these filters. You can also do a bulk import of the contents within a 
    filter from a .csv file and export the filters from ACS to a .csv file. See Importing Network Conditions, 
    page 9-8 for more information on how to do a bulk import of network conditions. 
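The attribute precedence described for the three filter types above (end station identifier from RADIUS Attribute 31 or the TACACS+ remote address before the slash; device IP from Attribute 4, else Attribute 32, else the packet source; device port from Attribute 5, else Attribute 87, else the TACACS+ port field), carried through as an added Python example. It is not ACS code: the request dictionaries, the packet source addresses and the MAC normalization rules are constructed for illustration, and the NAS-Identifier value is returned as the device IP exactly as the guide describes, without further validation.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed request models for this example (not ACS data structures).
# RADIUS: "attributes" keyed by RADIUS attribute number.
# TACACS+: the start-request fields the guide refers to ("rem_addr", "port").


def end_station_identifier(req: dict) -> str | None:
    """End station identifier: RADIUS Attribute 31 (Calling-Station-Id); for
    TACACS+, the remote address truncated at the first '/' if one is present."""
    if req["protocol"] == "RADIUS":
        value = req["attributes"].get(31)
        return str(value) if value is not None else None
    rem = req.get("rem_addr")
    if not rem:
        return None
    return rem.split("/", 1)[0]


def end_station_ipv4(identifier: str | None) -> str | None:
    """The 'end station IPv4' view: the identifier if it parses as IPv4, else None."""
    try:
        return str(ipaddress.IPv4Address(identifier))
    except ValueError:
        return None


def end_station_mac(identifier: str | None) -> str | None:
    """The 'end station MAC' view: normalize the usual spellings
    (aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, AA:BB:...) to aa:bb:cc:dd:ee:ff.
    The separator set and output form are this example's choice."""
    if identifier is None or end_station_ipv4(identifier) is not None:
        return None  # a dotted IPv4 like 192.168.100.111 is not a MAC
    if not re.fullmatch(r"[0-9A-Fa-f.:-]+", identifier):
        return None
    digits = re.sub(r"[.:-]", "", identifier).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_ip(req: dict, packet_source: str) -> str:
    """Device IP: RADIUS Attribute 4 (NAS-IP-Address), else Attribute 32
    (NAS-Identifier) as the guide states, else the packet's source address.
    TACACS+ always uses the packet source."""
    if req["protocol"] == "RADIUS":
        attrs = req["attributes"]
        if 4 in attrs:
            return str(attrs[4])
        if 32 in attrs:
            return str(attrs[32])
    return packet_source


def device_port(req: dict) -> str | None:
    """Device port identifier: RADIUS Attribute 5 (NAS-Port), else Attribute 87
    (NAS-Port-Id); for TACACS+, the start-request port field."""
    if req["protocol"] == "RADIUS":
        attrs = req["attributes"]
        if 5 in attrs:
            return str(attrs[5])
        if 87 in attrs:
            return str(attrs[87])
        return None
    return req.get("port")


def filter_inputs(req: dict, packet_source: str) -> dict:
    """Every value the end station, device and device port filters can match on."""
    ident = end_station_identifier(req)
    return {
        "end_station_id": ident,
        "end_station_ipv4": end_station_ipv4(ident),
        "end_station_mac": end_station_mac(ident),
        "device_ip": device_ip(req, packet_source),
        "device_port": device_port(req),
    }


# Constructed sample requests.
RADIUS_REQ = {"protocol": "RADIUS",
              "attributes": {31: "00-11-22-AA-BB-CC", 87: "GigabitEthernet1/0/3"}}
TACACS_REQ = {"protocol": "TACACS+", "rem_addr": "10.1.2.3/vty1", "port": "tty1"}

if __name__ == "__main__":
    print(filter_inputs(RADIUS_REQ, "192.0.2.50"))
    print(filter_inputs(TACACS_REQ, "192.0.2.60"))
```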
    This section contains the following topics:
    Importing Network Conditions, page 9-8
    Exporting Network Conditions, page 9-9
    Creating, Duplicating, and Editing End Station Filters, page 9-9
    Creating, Duplicating, and Editing Device Filters, page 9-12
    Creating, Duplicating, and Editing Device Port Filters, page 9-14
    Importing Network Conditions
    You can use the bulk import function to import the contents from the following network conditions:
    End station filters
    Device filters
    Device port filters
    For bulk import, you must download the .csv file template from ACS, add the records that you want to 
    import to the .csv file, and save it to your hard drive. Use the Download Template function to ensure that 
    your .csv file adheres to the requirements. 
    The .csv templates for end station filters, device filters, and device port filters are specific to their type; 
    for example, you cannot use a downloaded template accessed from the End Station Filters page to import 
    device filters or device port filters. Within the .csv file, you must adhere to these requirements:
    Do not alter the contents of the first record (the first line, or row, of the .csv file).
    Use only one line for each record.
    Do not imbed new-line characters in any fields.
    For non-English languages, encode the .csv file in utf-8 encoding, or save it with a font that supports 
    Unicode.
    The import process does not add filters to the existing list of filters in ACS, but instead replaces the 
    existing list. When you import records from a .csv file, the existing filter configuration in ACS is 
    replaced with the filter configuration from the .csv file.
    Step 1 Click the Replace from File button on the End Station Filter, Device Filter, or Device Port Filter page 
    of the web interface.
    The Replace from File dialog box appears.
    Step 2 Click Download Template to download the .csv file template if you do not have it.
    Step 3 Click Browse to navigate to your .csv file.
    Step 4 Click Start Replace to start the bulk import process.
    The import progress is shown on the same page. You can monitor the bulk import progress. Data transfer 
    failures of any records within your .csv file are displayed.
    Step 5 Click Close to close the Import Progress window.
    You can submit only one .csv file to the system at one time. If an import is under way, an additional 
    import cannot succeed until the original import is complete. 
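A pre-flight check for the .csv requirements listed above (first record left as in the template, one line per record, no embedded new-line characters, UTF-8 encoding), as an added Python example rather than anything ACS itself provides. The column names in TEMPLATE_HEADER are a constructed stand-in, not the header of the real ACS template; use the header from the Download Template file in practice.

```python
from __future__ import annotations

import csv
import io

# Constructed stand-in for the first record of a downloaded template.
# The real ACS template header differs; take it from Download Template.
TEMPLATE_HEADER = ["Name", "Description", "IP Address"]


def validate_import_file(raw: bytes, template_header=TEMPLATE_HEADER) -> list[str]:
    """Return a list of problems that would break the bulk import; empty means OK."""
    errors: list[str] = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"file is not valid UTF-8: {exc}"]

    physical_lines = text.splitlines()
    if not physical_lines:
        return ["file is empty"]

    # The csv module reassembles quoted fields that span lines, so a record
    # that occupies more than one physical line shows up as fewer rows than lines.
    rows = list(csv.reader(io.StringIO(text)))
    if rows[0] != list(template_header):
        errors.append(f"first record must be the template header {template_header!r}, "
                      f"found {rows[0]!r}")
    if len(rows) != len(physical_lines):
        errors.append("every record must occupy exactly one line")

    for number, row in enumerate(rows[1:], start=2):
        if any("\n" in f or "\r" in f for f in row):
            errors.append(f"record {number}: embedded new-line character in a field")
        if len(row) != len(template_header):
            errors.append(f"record {number}: expected {len(template_header)} fields, "
                          f"found {len(row)}")
    return errors


def records_after_replace(existing: list[list[str]], raw: bytes) -> list[list[str]]:
    """Replace from File semantics: a valid file replaces the whole list rather
    than being merged into it; an invalid file leaves the existing list unchanged."""
    if validate_import_file(raw):
        return existing
    return list(csv.reader(io.StringIO(raw.decode("utf-8"))))[1:]


# Constructed sample files.
GOOD_FILE = b"Name,Description,IP Address\nlab-hosts,Lab subnet,10.0.0.0/8\n"
BAD_HEADER = b"name,desc,ip\nlab-hosts,Lab subnet,10.0.0.0/8\n"
MULTILINE = b'Name,Description,IP Address\n"lab\nhosts",Lab subnet,10.0.0.1\n'
NOT_UTF8 = b"Name,Description,IP Address\n\xfflab,Lab subnet,10.0.0.1\n"

if __name__ == "__main__":
    for label, data in (("good", GOOD_FILE), ("bad header", BAD_HEADER),
                        ("multiline", MULTILINE), ("not utf-8", NOT_UTF8)):
        print(label, "->", validate_import_file(data) or "ok")
```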
    Timesaver: Instead of downloading the template and creating an import file, you can use the export file of the 
    particular filter, update the information in that file, save it, and reuse it as your import file.
    Exporting Network Conditions
    ACS 5.3 offers you a bulk export function to export the filter configuration data in the form of a .csv file. 
    You can export the following filter configurations:
    End Station Filters
    Device Filters
    Device Port Filters
    From the create, edit, or duplicate page of any of the filters, click Export to File to save the filter 
    configuration as a .csv file on your local hard drive.
    Creating, Duplicating, and Editing End Station Filters
    Use the End Station Filters page to create, duplicate, and edit end station filters. To do this:
    Step 1 Choose Policy Elements > Session Conditions > Network Conditions > End Station Filters.
    The End Station Filters page appears with a list of end station filters that you have configured.
    Step 2 Click Create. You can also:
    Check the check box next to the end station filter that you want to duplicate, then click Duplicate.
    Check the check box next to the end station filter that you want to edit, then click Edit.
    Click Export to save a list of end station filters in a .csv file. For more information, see Exporting 
    Network Conditions, page 9-9.
    Click Replace from File to perform a bulk import of end station filters from a .csv import file. For 
    more information, see Importing Network Conditions, page 9-8.
    Step 3 Enter the values for the following fields:
    Name—Name of the end station filter.
    Description—A description of the end station filter.
    Step 4 Edit the fields in one or more of the following tabs:
    IP Address—See Defining IP Address-Based End Station Filters, page 9-10 for a description of the 
    fields in this tab.
    MAC Address—See Defining MAC Address-Based End Station Filters, page 9-11 for a description 
    of the fields in this tab.
    CLI/DNIS—See Defining CLI or DNIS-Based End Station Filters, page 9-11 for a description of 
    the fields in this tab.
    Note: To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs. 
    Step 5 Click Submit to save the changes.
    Related Topics
    Managing Network Conditions, page 9-6
    Importing Network Conditions, page 9-8
    Creating, Duplicating, and Editing Device Filters, page 9-12
    Creating, Duplicating, and Editing Device Port Filters, page 9-14
    Defining IP Address-Based End Station Filters
    You can create, duplicate, and edit the IP addresses of end stations that you want to permit or deny access 
    to. To do this:
    Step 1 From the IP Address tab, do one of the following:
    Click Create.
    Check the check box next to the IP-based end station filter that you want to duplicate, then click 
    Duplicate.
    Check the check box next to the IP-based end station filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2 Choose either of the following:
    Single IP Address—If you choose this option, you must enter a valid IPv4 address of the format 
    x.x.x.x, where x can be any number from 0 to 255.
    IP Range(s)—If you choose this option, you must enter a valid IPv4 address and subnet mask to filter 
    a range of IP addresses. By default, the subnet mask value is 32.
    Step 3 Click OK.
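The IP Address tab entries (a single x.x.x.x address, or an address plus subnet mask with the mask defaulting to 32) and the match / no matches operator described under Managing Policy Conditions, worked through as an added Python example that is not part of the guide or of ACS. The filter entries and end station addresses are constructed; the example also accepts a dotted-decimal mask, which is this example's generalization rather than something the guide states.

```python
from __future__ import annotations

import ipaddress


def parse_ip_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one IP Address tab entry. 'Single IP Address' is x.x.x.x with each
    x from 0 to 255; 'IP Range(s)' is an address plus a subnet mask (prefix
    length or dotted mask). With no mask given the default is 32, one host.
    Raises ValueError for anything that is not a valid IPv4 entry."""
    entry = entry.strip()
    if "/" not in entry:
        entry = f"{entry}/32"
    # strict=False accepts host bits in the address part, e.g. 10.1.2.3/8.
    return ipaddress.IPv4Network(entry, strict=False)


def is_valid_entry(entry: str) -> bool:
    """What the dialog's validation should accept, e.g. reject 256.1.1.1."""
    try:
        parse_ip_entry(entry)
        return True
    except ValueError:
        return False


class IpEndStationFilter:
    """Constructed model of an end station filter's IP Address tab: a named,
    reusable list of single addresses and ranges."""

    def __init__(self, name: str, entries: list[str]) -> None:
        self.name = name
        self.networks = [parse_ip_entry(e) for e in entries]

    def matches(self, end_station_ip: str) -> bool:
        """True if the end station IP falls in at least one entry."""
        addr = ipaddress.IPv4Address(end_station_ip)
        return any(addr in net for net in self.networks)


def evaluate_condition(operator: str, filt: IpEndStationFilter,
                       end_station_ip: str) -> bool:
    """Policy-rule operator semantics: 'match' requires at least one entry to
    match; 'no matches' requires that no entry matches."""
    hit = filt.matches(end_station_ip)
    if operator == "match":
        return hit
    if operator == "no matches":
        return not hit
    raise ValueError(f"unknown operator: {operator!r}")


# Constructed filter: one host (default /32), one prefix range, one dotted-mask range.
LAB_FILTER = IpEndStationFilter("lab-stations",
                                ["192.0.2.7", "10.0.0.0/8", "172.16.0.0/255.255.0.0"])

if __name__ == "__main__":
    for ip in ("192.0.2.7", "192.0.2.8", "10.200.1.1", "172.17.0.1"):
        print(ip, "match:", evaluate_condition("match", LAB_FILTER, ip),
              "no matches:", evaluate_condition("no matches", LAB_FILTER, ip))
```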
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing End Station Filters, page 9-9
    Defining MAC Address-Based End Station Filters, page 9-11
    Defining CLI or DNIS-Based End Station Filters, page 9-11 