    							9-11
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 9      Managing Policy Elements
      Managing Policy Conditions
    Defining MAC Address-Based End Station Filters
    You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to 
    permit or deny access to. To do this:
    Step 1  From the MAC Address tab, do one of the following:
    Click Create.
    Check the check box next to the MAC address-based end station filter that you want to duplicate, 
    then click Duplicate.
    Check the check box next to the MAC address-based end station filter that you want to edit, then 
    click Edit.
    A dialog box appears.
    Step 2  Check the End Station MAC check box to enter the MAC address of the end station.
    You can optionally set this field to ANY to refer to any MAC address.
    Step 3  Check the Destination MAC check box to enter the MAC address of the destination machine.
    You can optionally set this field to ANY to refer to any MAC address.
    Note  You must enter the MAC address in one of the following formats: xxxxxxxxxxxx,
    xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, or xxxx.xxxx.xxxx, where x is any hexadecimal digit (0 to 9
    or A through F). You cannot use wildcard characters in a MAC address.
    Step 4  Click OK.
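The note above gives the four accepted MAC layouts and forbids wildcards, but nothing on the page shows how to check an address before you type it in or load it with Replace from File. The following Python example is added here; it is not ACS code and not from the manual. It validates a filter value against exactly those four formats, rejects wildcards and non-hex digits, and normalizes every accepted address to one canonical form so that two filters written in different styles compare equal. The function names, the batch-check helper and the sample rows are constructed for this example; folding lower-case hex to upper case (rather than rejecting it) is an assumption, since the manual lists only A through F.

```python
import re

# The four MAC formats the ACS filter dialog accepts (x = hex digit). Anything
# else, including '*' or '?', must be rejected: ACS allows no wildcards here.
_MAC_FORMATS = (
    re.compile(r"[0-9A-F]{12}"),                      # xxxxxxxxxxxx
    re.compile(r"(?:[0-9A-F]{2}-){5}[0-9A-F]{2}"),    # xx-xx-xx-xx-xx-xx
    re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"),    # xx:xx:xx:xx:xx:xx
    re.compile(r"(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}"),   # xxxx.xxxx.xxxx
)


def normalize_mac(value: str) -> str:
    """Validate one End Station MAC / Destination MAC field value.

    Returns the keyword "ANY" or the address in canonical xx:xx:xx:xx:xx:xx
    form (upper case). Raises ValueError for wildcards, non-hex digits, or any
    layout other than the four ACS formats. Assumption: lower-case hex digits
    are folded to upper case rather than rejected; the manual lists A-F only.
    """
    s = value.strip().upper()
    if s == "ANY":
        return "ANY"
    if "*" in s or "?" in s:
        raise ValueError(f"wildcards are not allowed in MAC filters: {value!r}")
    if not any(p.fullmatch(s) for p in _MAC_FORMATS):
        raise ValueError(f"not a MAC address in an accepted format: {value!r}")
    digits = re.sub(r"[-:.]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_filter_matches(filter_value: str, calling_station_id: str) -> bool:
    """True if a filter entry (an address or ANY) covers the MAC a NAS
    reported, regardless of the separator style either side used."""
    wanted = normalize_mac(filter_value)
    return wanted == "ANY" or wanted == normalize_mac(calling_station_id)


def check_filter_rows(rows):
    """Screen a batch of filter values, e.g. a .csv prepared for Replace from
    File, before loading it. Returns (accepted, rejected): accepted maps each
    input to its canonical form, rejected maps each bad input to the reason."""
    accepted, rejected = {}, {}
    for row in rows:
        try:
            accepted[row] = normalize_mac(row)
        except ValueError as exc:
            rejected[row] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample rows: the four valid layouts plus typical mistakes.
    sample = ["001A2B3C4D5E", "00-1a-2b-3c-4d-5e", "00:1A:2B:3C:4D:5E",
              "001A.2B3C.4D5E", "00-1A-2B-*", "00:1A:2B:3C:4D", "001A2B3C4D5G"]
    ok, bad = check_filter_rows(sample)
    for raw, canon in ok.items():
        print(f"accepted {raw:<20} -> {canon}")
    for raw, why in bad.items():
        print(f"rejected {raw:<20} -> {why}")
```

Because the comparison is done on the normalized form, a filter entered as 001a.2b3c.4d5e matches a Calling-Station-Id reported as 00-1A-2B-3C-4D-5E; the partial entry 00:1A:2B:3C:4D and the wildcard entry 00-1A-2B-* are both refused, which is what the ACS dialog would do.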
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing End Station Filters, page 9-9
    Defining IP Address-Based End Station Filters, page 9-10
    Defining CLI or DNIS-Based End Station Filters, page 9-11
    Defining CLI or DNIS-Based End Station Filters
    You can create, duplicate, and edit the CLI and DNIS number of the end stations or destinations that you 
    want to permit or deny access to. To do this:
    Step 1  From the CLI/DNIS tab, do one of the following:
    Click Create.
    Check the check box next to the CLI or DNIS-based end station filter that you want to duplicate, 
    then click Duplicate.
    Check the check box next to the CLI or DNIS-based end station filter that you want to edit, then 
    click Edit.
    A dialog box appears.
    Step 2  Check the CLI check box to enter the CLI number of the end station.
    You can optionally set this field to ANY to refer to any CLI number. 
    						
    Step 3  Check the DNIS check box to enter the DNIS number of the destination machine.
    You can optionally set this field to ANY to refer to any DNIS number.
    Note  You can use the ? and * wildcard characters to refer to any single character or to a series of one or
    more successive characters, respectively.
    Step 4  Click OK.
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing End Station Filters, page 9-9
    Defining IP Address-Based End Station Filters, page 9-10
    Defining MAC Address-Based End Station Filters, page 9-11
    Creating, Duplicating, and Editing Device Filters
    Use the Device Filters page to create, duplicate, and edit device filters. To do this:
    Step 1  Choose Policy Elements > Session Conditions > Network Conditions > Device Filters.
    The Device Filters page appears with a list of device filters that you have configured.
    Step 2  Click Create. You can also:
    Check the check box next to the device filter that you want to duplicate, then click Duplicate.
    Check the check box next to the device filter that you want to edit, then click Edit.
    Click Export to save a list of device filters in a .csv file. For more information, see Exporting 
    Network Conditions, page 9-9.
    Click Replace from File to perform a bulk import of device filters from a .csv import file. For more 
    information, see Importing Network Conditions, page 9-8.
    Step 3  Enter the values for the following fields:
    Name—Name of the device filter.
    Description—A description of the device filter.
    Step 4  Edit the fields in any or all of the following tabs:
    IP Address—See Defining IP Address-Based Device Filters, page 9-13 for a description of the fields 
    in this tab.
    Device Name—See Defining Name-Based Device Filters, page 9-13 for a description of the fields 
    in this tab.
    Network Device Group—See Defining NDG-Based Device Filters, page 9-14 for a description of 
    the fields in this tab.
    Note  To configure a filter, you must enter filter criteria in at least one of the three tabs.
    						
    Step 5  Click Submit to save the changes.
    Related Topics
    Managing Network Conditions, page 9-6
    Importing Network Conditions, page 9-8
    Creating, Duplicating, and Editing End Station Filters, page 9-9
    Creating, Duplicating, and Editing Device Port Filters, page 9-14
    Defining IP Address-Based Device Filters
    You can create, duplicate, and edit the IP addresses of network devices that you want to permit or deny 
    access to. To do this:
    Step 1  From the IP Address tab, do one of the following:
    Click Create.
    Check the check box next to the IP-based device filter that you want to duplicate, then click 
    Duplicate.
    Check the check box next to the IP-based device filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2  Choose either of the following:
    Single IP Address—If you choose this option, you must enter a valid IPv4 address of the format
    x.x.x.x, where x can be any number from 0 to 255.
    IP Range(s)—If you choose this option, you must enter a valid IPv4 address and subnet mask to filter
    a range of IP addresses. By default, the subnet mask value is 32, which covers only the single address that
    you entered.
    Step 3  Click OK.
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing Device Filters, page 9-12
    Defining Name-Based Device Filters, page 9-13
    Defining NDG-Based Device Filters, page 9-14
    Defining Name-Based Device Filters
    You can create, duplicate, and edit the name of the network device that you want to permit or deny access 
    to. To do this:
    Step 1  From the Device Name tab, do one of the following:
    Click Create.
    Check the check box next to the name-based device filter that you want to duplicate, then click 
    Duplicate. 
    						
    Check the check box next to the name-based device filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2  Click Select to choose the network device that you want to filter.
    Step 3  Click OK.
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing Device Filters, page 9-12
    Defining IP Address-Based Device Filters, page 9-13
    Defining NDG-Based Device Filters, page 9-14
    Defining NDG-Based Device Filters
    You can create, duplicate, and edit the name of the network device group type that you want to permit 
    or deny access to. To do this:
    Step 1  From the Network Device Group tab, do one of the following:
    a. Click Create.
    b. Check the check box next to the NDG-based device filter that you want to duplicate, then click
    Duplicate.
    c. Check the check box next to the NDG-based device filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2  Click Select to choose the network device group type that you want to filter.
    Step 3  Click Select to choose the network device group value that you want to filter.
    Step 4  Click OK.
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing Device Filters, page 9-12
    Defining IP Address-Based Device Filters, page 9-13
    Defining Name-Based Device Filters, page 9-13
    Creating, Duplicating, and Editing Device Port Filters
    Use the Device Port Filters page to create, duplicate, and edit device port filters. To do this:
    Step 1  Choose Policy Elements > Session Conditions > Network Conditions > Device Port Filters.
    The Device Port Filters page appears with a list of device port filters that you have configured.
    Step 2  Click Create. You can also:
    Check the check box next to the device port filter that you want to duplicate, then click Duplicate. 
    						
    Check the check box next to the device port filter that you want to edit, then click Edit.
    Click Export to save a list of device port filters in a .csv file. For more information, see Exporting 
    Network Conditions, page 9-9.
    Click Replace from File to perform a bulk import of device port filters from a .csv import file. For 
    more information, see Importing Network Conditions, page 9-8.
    Step 3  Enter the values for the following fields:
    Name—Name of the device port filter.
    Description—A description of the device port filter.
    Step 4  Edit the fields in any or all of the following tabs:
    IP Address—See Defining IP Address-Based Device Port Filters, page 9-15 for a description of the
    fields in this tab.
    Device Name—See Defining Name-Based Device Port Filters, page 9-16 for a description of the
    fields in this tab.
    Network Device Group—See Defining NDG-Based Device Port Filters, page 9-17 for a description
    of the fields in this tab.
    Note  To configure a filter, you must enter filter criteria in at least one of the three tabs.
    Step 5  Click Submit to save the changes.
    Related Topics
    Managing Network Conditions, page 9-6
    Importing Network Conditions, page 9-8
    Creating, Duplicating, and Editing End Station Filters, page 9-9
    Creating, Duplicating, and Editing Device Filters, page 9-12
    Defining IP Address-Based Device Port Filters
    You can create, duplicate, and edit the IP addresses of the network device ports that you want to permit 
    or deny access to. To do this:
    Step 1  From the IP Address tab, do one of the following:
    Click Create.
    Check the check box next to the IP-based device port filter that you want to duplicate, then click 
    Duplicate.
    Check the check box next to the IP-based device port filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2  Choose either of the following:
    Single IP Address—If you choose this option, you must enter a valid IPv4 address of the format
    x.x.x.x, where x can be any number from 0 to 255.
    IP Range(s)—If you choose this option, you must enter a valid IPv4 address and subnet mask to filter
    a range of IP addresses. By default, the subnet mask value is 32, which covers only the single address that
    you entered.
    						
    Step 3  Check the Port check box and enter the port number. This field is a string and can contain digits
    or other characters. You can use the following wildcard characters:
    ?—match exactly one character
    *—match any sequence of characters, including an empty one
    For example, the string "p*1*" matches any string that starts with the letter "p" and contains the
    digit "1" somewhere after it, such as port1, port15, and so on.
    Step 4  Click OK.
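The IP range rule above (address plus subnet mask, default 32) and the ? and * wildcard rules, which the manual also applies to CLI/DNIS filters on page 9-11, are easy to misjudge when you check a filter by hand: does 10.20.30.7 fall in the range you typed, and does "p*1*" really cover port1? The following Python example is added here and is not ACS code or part of the manual. It evaluates one IP address-based device port filter entry the way the text describes: it parses the IP Range(s) value with the ACS default mask, translates the two wildcards into a whole-string match, and applies both to a request's NAS address and NAS-Port-Id. The dictionary keys, sample addresses and interface names are constructed; accepting a dotted netmask as well as a prefix length, and treating the wildcard match as case-sensitive, are assumptions the manual does not settle.

```python
import ipaddress
import re


def parse_ip_range(spec: str) -> ipaddress.IPv4Network:
    """Parse the 'IP Range(s)' value of a device or device port filter.

    The address may carry a subnet mask as a prefix length ("10.1.2.0/24");
    with no mask the ACS default of 32 applies, so a bare address is a single
    host. A dotted mask ("/255.255.255.0") is also accepted, an assumption the
    manual neither confirms nor rules out. Host bits are cleared, so
    "10.1.2.17/24" means 10.1.2.0-10.1.2.255. Non-IPv4 input raises ValueError.
    """
    addr, sep, mask = spec.strip().partition("/")
    ipaddress.IPv4Address(addr)  # rejects 10.1.2.300, IPv6 and host names
    return ipaddress.IPv4Network(f"{addr}/{mask if sep else 32}", strict=False)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate the ACS wildcards used in Port and CLI/DNIS fields: '?' is
    exactly one character and '*' is any run of characters. The run may be
    empty: the manual's own example "p*1*" matching "port1" needs the trailing
    '*' to match nothing. Every other character is literal, so a '.' in a port
    name or a '/' in "Gi1/0/1" is not treated as a regex metacharacter."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def wildcard_match(pattern: str, value: str) -> bool:
    """Whole-string match. Assumes a case-sensitive comparison, which the
    manual does not specify either way."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def device_port_filter_matches(entry: dict, nas_ip: str, nas_port_id: str) -> bool:
    """Evaluate one IP address-based device port filter entry.

    `entry` stands in for the dialog fields: "ip" is a single address or a
    range as typed in the IP tab, and the optional "port" is the Port field
    with wildcards. A request matches when the NAS address falls in the range
    and, if a port pattern is set, NAS-Port-Id matches the pattern.
    """
    if ipaddress.IPv4Address(nas_ip) not in parse_ip_range(entry["ip"]):
        return False
    port_pattern = entry.get("port")
    return port_pattern is None or wildcard_match(port_pattern, nas_port_id)


if __name__ == "__main__":
    # Constructed filter: every access switch in 10.20.30.0/24, but only the
    # user-facing ports on stack member 1.
    entry = {"ip": "10.20.30.0/24", "port": "GigabitEthernet1/0/*"}
    for ip, port in [("10.20.30.7", "GigabitEthernet1/0/12"),
                     ("10.20.30.7", "GigabitEthernet2/0/12"),
                     ("10.20.31.7", "GigabitEthernet1/0/12")]:
        print(ip, port, device_port_filter_matches(entry, ip, port))
    # The same wildcard rules apply to CLI/DNIS filters, e.g. a DNIS prefix.
    print(wildcard_match("1800*", "18005550100"))
```

Writing the range as 10.20.30.7/24 instead of 10.20.30.0/24 gives the same network, because host bits are cleared; leaving the mask off gives 10.20.30.7/32 and matches that one switch only. The `re.escape` call is what keeps a literal dot or slash in the port name from widening the match.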
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing Device Port Filters, page 9-14
    Defining Name-Based Device Port Filters, page 9-16
    Defining NDG-Based Device Port Filters, page 9-17
    Defining Name-Based Device Port Filters
    You can create, duplicate, and edit the name of the network device and the port to which you want to 
    permit or deny access. To do this:
    Step 1  From the Device Name tab, do one of the following:
    Click Create.
    Check the check box next to the name-based device port filter that you want to duplicate, then click 
    Duplicate.
    Check the check box next to the name-based device port filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2  Click Select to choose the network device that you want to filter.
    Step 3  Check the Port check box and enter the port number.
    Step 4  Click OK.
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing Device Port Filters, page 9-14
    Defining IP Address-Based Device Port Filters, page 9-15
    Defining NDG-Based Device Port Filters, page 9-17 
    						
    Defining NDG-Based Device Port Filters
    You can create, duplicate, and edit the network device group type and the port to which you want to 
    permit or deny access. To do this:
    Step 1  From the Network Device Group tab, do one of the following:
    Click Create.
    Check the check box next to the NDG-based device port filter that you want to duplicate, then click 
    Duplicate.
    Check the check box next to the NDG-based device port filter that you want to edit, then click Edit.
    A dialog box appears.
    Step 2  Click Select to choose the network device group type that you want to filter.
    Step 3  Click Select to choose the network device group value that you want to filter.
    Step 4  Check the Port check box and enter the port number.
    Step 5  Click OK.
    Related Topics
    Managing Network Conditions, page 9-6
    Creating, Duplicating, and Editing Device Port Filters, page 9-14
    Defining IP Address-Based Device Port Filters, page 9-15
    Defining Name-Based Device Port Filters, page 9-16
    Managing Authorizations and Permissions
    You define authorizations and permissions to determine the results associated with a specific policy rule.
    You can define: 
    Authorization profiles for network access authorization (for RADIUS).
    Shell profiles for TACACS+ shell sessions and command sets for device administration. 
    Downloadable ACLs.
    Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco 
    Security Group Access, page 4-23, for information on configuring these policy elements.
    These topics describe how to manage authorizations and permissions:
    Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18
    Creating and Editing Security Groups, page 9-23
    Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23
    Creating, Duplicating, and Editing Command Sets for Device Administration, page 9-28
    Creating, Duplicating, and Editing Downloadable ACLs, page 9-31
    Deleting an Authorizations and Permissions Policy Element, page 9-32
    Configuring Security Group Access Control Lists, page 9-33 
    						
    Creating, Duplicating, and Editing Authorization Profiles for Network Access
    You create authorization profiles to define how different types of users are authorized to access the 
    network. For example, you can define that a user attempting to access the network over a VPN 
    connection is treated more strictly than a user attempting to access the network through a wired 
    connection.
    An authorization profile defines the set of attributes and values that the Access-Accept response returns. 
    You can specify:
    Common data, such as VLAN information, URL for redirect, and more. This information is 
    automatically converted to the raw RADIUS parameter information.
    RADIUS authorization parameters—You can select any RADIUS attribute and specify the 
    corresponding value to return. 
    You can duplicate an authorization profile to create a new authorization profile that is the same, or 
    similar to, an existing authorization profile. After duplication is complete, you access each authorization 
    profile (original and duplicated) separately to edit or delete them.
    After you create authorization profiles, you can use them as results in network access session 
    authorization policies. 
    To create, duplicate, or edit an authorization profile: 
    Step 1  Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profile.
    The Authorization Profiles page appears with the fields described in Table 9-3.
    Step 2  Do one of the following:
    Click Create.
    Check the check box next to the authorization profile that you want to duplicate and click Duplicate.
    Click the name that you want to modify; or, check the check box next to the name that you want to 
    modify and click Edit.
    The Authorization Profile Properties page appears.
    Step 3  Enter valid configuration data in the required fields in each tab. See:
    Specifying Authorization Profiles, page 9-19 
    Specifying Common Attributes in Authorization Profiles, page 9-19
    Specifying RADIUS Attributes in Authorization Profiles, page 9-21 
    Step 4  Click Submit.
    The authorization profile is saved. The Authorization Profiles page appears with the authorization profile 
    that you created or duplicated.
    Table 9-3 Authorization Profiles Page
    Name—List of existing network access authorization definitions.
    Description—Display only. The description of the network access authorization definition.
    						
    Specifying Authorization Profiles
    Use this tab to configure the name and description for a network access authorization profile.
    Step 1  Select Policy Elements > Authorization and Permissions > Network Access > Authorization
    Profiles, then click:
    Create to create a new network access authorization definition.
    Duplicate to duplicate a network access authorization definition.
    Edit to edit a network access authorization definition.
    Step 2  Complete the required fields of the Authorization Profile: General page as shown in Table 9-4.
    Step 3  Click one of the following:
    Submit to save your changes and return to the Authorization Profiles page.
    The Common Tasks tab to configure common tasks for the authorization profile; see Specifying 
    Common Attributes in Authorization Profiles, page 9-19.
    The RADIUS Attributes tab to configure RADIUS attributes for the authorization profile; see 
    Specifying RADIUS Attributes in Authorization Profiles, page 9-21.
    Specifying Common Attributes in Authorization Profiles
    Use this tab to specify common RADIUS attributes to include in a network access authorization profile. 
    ACS converts the specified values to the required RADIUS attribute-value pairs and displays them in the 
    RADIUS attributes tab.
    Step 1  Select Policy Elements > Authorization and Permissions > Network Access > Authorization
    Profiles, then click:
    Create to create a new network access authorization definition, then click the Common Tasks tab.
    Duplicate to duplicate a network access authorization definition, then click the Common Tasks tab.
    Edit to edit a network access authorization definition, then click the Common Tasks tab.
    Step 2  Complete the required fields of the Authorization Profile: Common Tasks page as shown in Table 9-5.
    Table 9-4 Authorization Profile: General Page
    Name—The name of the network access authorization definition.
    Description—The description of the network access authorization definition.
    						
    Table 9-5 Authorization Profile: Common Tasks Page
    ACLs
    Downloadable ACL Name—Includes a defined downloadable ACL. See Creating, Duplicating, and Editing
    Downloadable ACLs, page 9-31 for information about defining a downloadable ACL.
    Filter-ID ACL—Includes an ACL Filter ID.
    Proxy ACL—Includes a proxy ACL.
    Voice VLAN
    Permission to Join—Select Static. A value for this parameter is displayed.
    VLAN
    VLAN ID/Name—Includes a VLAN assignment.
    Reauthentication
    Reauthentication Timer—Select whether to use a session timeout value. If you select Static, you must
    enter a value in the Seconds field. The default value is 3600 seconds. If you select Dynamic, you must
    select the dynamic parameters.
    Maintain Connectivity during Reauthentication—Click Yes to ensure that connectivity is maintained
    while reauthentication is performed. By default, Yes is selected. This field is enabled only if you
    define the Reauthentication Timer.
    QoS
    Input Policy Map—Includes a QoS input policy map.
    Output Policy Map—Includes a QoS output policy map.
    802.1X-REV
    LinkSec Security Policy—If you select Static, you must select a value for the 802.1X-REV LinkSec
    security policy. Valid options are must-not-secure, should-secure, and must-secure.
    URL Redirect (when a URL for redirect is defined, an ACL must also be defined)
    URL for Redirect—Includes a URL redirect.
    URL Redirect ACL—Includes the name of the access control list (ACL) for URL redirection. When you
    define a URL redirect, you must also define an ACL for the URL redirection.
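The text says ACS converts the Common Tasks fields into raw RADIUS attribute-value pairs and shows them on the RADIUS Attributes tab, but it does not show what those pairs are or how they go on the wire. The following Python example is added here and is not ACS code or part of the manual. It takes a dictionary standing in for the Common Tasks tab of Table 9-5 and builds the attribute list an Access-Accept would carry, then encodes and decodes it as RADIUS type/length/value triples. The VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), Session-Timeout, Termination-Action and Filter-Id are the standard attributes from RFC 2865, RFC 2868 and RFC 3580 that 802.1X authenticators act on; the wire format follows those RFCs. Which tunnel tag ACS uses, the url-redirect and url-redirect-acl Cisco AV pair names, and mapping Maintain Connectivity to Termination-Action=RADIUS-Request are assumptions about what ACS emits, not facts from the page. The dictionary keys and the sample profile are constructed.

```python
import struct

# Attribute numbers and enumerated values from RFC 2865, RFC 2868 and RFC 3580.
FILTER_ID, VENDOR_SPECIFIC, SESSION_TIMEOUT, TERMINATION_ACTION = 11, 26, 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
TERMINATION_ACTION_RADIUS_REQUEST = 1
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
TUNNEL_TAG = b"\x01"   # assumption: tag 1 groups the three VLAN attributes


def cisco_avpair(text: str) -> bytes:
    """Value of a Vendor-Specific attribute carrying one Cisco AV pair:
    Vendor-Id 9 followed by a vendor type/length/string triple (RFC 2865 5.26).
    The vendor length counts its own two header bytes."""
    payload = text.encode()
    return struct.pack(">IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(payload) + 2) + payload


def common_tasks_to_avps(tasks: dict) -> list:
    """Map Common Tasks fields (keys stand in for Table 9-5 rows) to the
    (type, value) pairs of an Access-Accept. The attributes for VLAN and
    reauthentication are the standard ones 802.1X authenticators act on; the
    Cisco AV pair names for URL redirect and the use of Termination-Action
    for Maintain Connectivity are assumptions about ACS, not documented here."""
    avps = []
    if "vlan" in tasks:
        # RFC 2868 tunnel attributes: a tag byte, then a 3-byte integer or a string.
        avps.append((TUNNEL_TYPE, TUNNEL_TAG + struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]))
        avps.append((TUNNEL_MEDIUM_TYPE, TUNNEL_TAG + struct.pack(">I", TUNNEL_MEDIUM_IEEE_802)[1:]))
        avps.append((TUNNEL_PRIVATE_GROUP_ID, TUNNEL_TAG + str(tasks["vlan"]).encode()))
    if "filter_id_acl" in tasks:
        avps.append((FILTER_ID, tasks["filter_id_acl"].encode()))
    if "reauth_seconds" in tasks:
        avps.append((SESSION_TIMEOUT, struct.pack(">I", tasks["reauth_seconds"])))
        # Maintain Connectivity is only meaningful once a timer is set (Table 9-5).
        if tasks.get("maintain_connectivity", True):
            avps.append((TERMINATION_ACTION, struct.pack(">I", TERMINATION_ACTION_RADIUS_REQUEST)))
    if "url_redirect" in tasks:
        if "url_redirect_acl" not in tasks:   # Table 9-5 makes the ACL mandatory
            raise ValueError("URL for Redirect requires a URL Redirect ACL")
        avps.append((VENDOR_SPECIFIC, cisco_avpair(f"url-redirect={tasks['url_redirect']}")))
        avps.append((VENDOR_SPECIFIC, cisco_avpair(f"url-redirect-acl={tasks['url_redirect_acl']}")))
    return avps


def encode_avps(avps) -> bytes:
    """Serialize pairs as RADIUS type/length/value triples. Length covers the
    two header bytes, so a value is 1 to 253 bytes; longer values are rejected
    rather than silently truncated."""
    out = bytearray()
    for attr_type, value in avps:
        if not 1 <= len(value) <= 253:
            raise ValueError(f"attribute {attr_type}: value length {len(value)} out of range")
        out += struct.pack(">BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_avps(data: bytes) -> list:
    """Inverse of encode_avps, checking each length against the buffer so a
    malformed or truncated attribute list fails instead of being misread."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        avps.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return avps


if __name__ == "__main__":
    # Constructed profile: guest VLAN 120, hourly reauthentication, portal redirect.
    profile = {"vlan": 120, "reauth_seconds": 3600, "maintain_connectivity": True,
               "url_redirect": "https://guest.example.com/portal",
               "url_redirect_acl": "ACL-WEBAUTH-REDIRECT"}
    wire = encode_avps(common_tasks_to_avps(profile))
    for attr_type, value in decode_avps(wire):
        print(attr_type, value.hex())
```

The URL redirect branch refuses a profile with a URL but no ACL, which is the constraint Table 9-5 states; the 253-byte check in `encode_avps` matters for long redirect URLs, since a Cisco AV pair spends eight bytes of the 253 on the vendor header. The decoder validates every length field before slicing, so a truncated or corrupt attribute list raises rather than being read as shorter, different attributes.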
    						