Cisco ACS 5.x User Guide
9-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01
Chapter 9 Managing Policy Elements
Managing Authorizations and Permissions

Specifying RADIUS Attributes in Authorization Profiles

Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays the RADIUS attribute parameters that you choose in the Common Tasks tab.

Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:
- Create to create a new network access authorization definition, then click the RADIUS Attributes tab.
- Check the check box next to the authorization profile that you want to duplicate, click Duplicate, and then click the RADIUS Attributes tab.
- Check the check box next to the authorization profile that you want to edit, click Edit, and then click the RADIUS Attributes tab.

Step 2 Complete the required fields of the Authorization Profile: RADIUS Attributes page as shown in Table 9-6.

Step 3 To configure:
- Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19.
- Common tasks for an authorization profile; see Specifying Common Attributes in Authorization Profiles, page 9-19.

Table 9-6 Authorization Profile: RADIUS Attributes Page

Common Tasks Attributes
    Displays the names, values, and types for the attributes that you defined in the Common Tasks tab.

Manually Entered
    Use this section to define RADIUS attributes to include in the authorization profile. As you define each attribute, its name, value, and type appear in the table. To:
    - Add a RADIUS attribute, fill in the fields below the table and click Add.
    - Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS parameters appear in the fields below the table. Edit as required, then click Replace.

Dictionary Type
    Choose the dictionary that contains the RADIUS attribute you want to use.

RADIUS Attribute
    Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary.
    You must manually add VPN attributes to the authorization profile to authenticate VPN devices in your network. ACS can work with different Layer 2 and Layer 3 protocols, such as:
    - IPSec—Operates at Layer 3; no mandatory attributes need to be configured in the ACS authorization profile, but you can configure optional attributes.
    - L2TP—For L2TP tunneling, you must configure ACS with:
      – CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used.
      – CVPN3000/ASA/PIX7.x-L2TP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method.
    - PPTP—For PPTP tunneling, you must configure ACS with:
      – CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used.
      – CVPN3000/ASA/PIX7.x-PPTP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method.

Attribute Type
    Client vendor type of the attribute, from which ACS allows access requests. For a description of the attribute types, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.

Attribute Value
    Value of the attribute. Click Select for a list of attribute values. For a description of the attribute values, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.
    For tunneled protocols, ACS provides attribute values with specific tags to the device within the access response, according to RFC 2868. If you choose Tagged Enum or Tagged String as the RADIUS attribute type, the Tag field appears. For the tag value, enter a number that ACS will use to group attributes belonging to the same tunnel.
    For the Tagged Enum attribute type:
    - Choose an appropriate attribute value.
    - Enter an appropriate tag value (0–31).
    For the Tagged String attribute type:
    - Enter an appropriate string attribute value (up to 256 characters).
    - Enter an appropriate tag value (0–31).
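The following is an added example, not code from the user guide or from ACS: it encodes and decodes the RFC 2868 tagged tunnel attributes that the Tag field above refers to, and groups them by tag so you can see how one tag value ties the attributes of a single tunnel together. Attribute type codes come from RFC 2868; the sample tag and group-ID values are constructed.

```python
"""Tagged RADIUS tunnel attributes per RFC 2868, as ACS includes them in an
Access-Accept for L2TP/PPTP/IPsec profiles.  Type codes are from RFC 2868;
the sample values used in tests (tag 1, group ID "vpn_grp") are constructed."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TAGGED_INTEGER_ATTRS = {64, 65, 83}      # tag octet + 3-octet integer value
TAGGED_STRING_ATTRS = {66, 67, 81, 82}    # tag octet + string
MAX_TAG = 31                              # tags 0x01-0x1F; 0x00 means "no tag"


def _check_tag(tag):
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0-31 (RFC 2868)")


def encode_tagged_enum(attr_type, tag, value):
    """Tagged Enum: Type | Length | Tag | 3-octet big-endian value."""
    _check_tag(tag)
    if attr_type not in TAGGED_INTEGER_ATTRS or not 0 <= value < 1 << 24:
        raise ValueError("not a tagged-integer attribute or value out of range")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_string(attr_type, tag, value):
    """Tagged String: Type | Length | Tag | string.  The one-octet Length field
    caps the string at 252 bytes on the wire, whatever the GUI accepts."""
    _check_tag(tag)
    data = value.encode()
    if attr_type not in TAGGED_STRING_ATTRS or not 1 <= len(data) <= 252:
        raise ValueError("not a tagged-string attribute or string too long")
    return bytes([attr_type, 3 + len(data), tag]) + data


def decode_attributes(blob):
    """Walk a run of attributes and return (type, tag, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 3 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attr_type, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + length]
        if attr_type in TAGGED_INTEGER_ATTRS:
            if length != 6:
                raise ValueError("tagged integer must be 6 octets long")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type in TAGGED_STRING_ATTRS:
            # RFC 2868: a first octet above 0x1F is string data, not a tag
            if body[0] > MAX_TAG:
                out.append((attr_type, 0, body.decode()))
            else:
                out.append((attr_type, body[0], body[1:].decode()))
        else:
            out.append((attr_type, None, bytes(body)))   # untagged, left raw
        i += length
    return out


def group_by_tag(attrs):
    """Group tagged attributes by tag, i.e. per tunnel, as the NAS does."""
    groups = {}
    for attr_type, tag, value in attrs:
        if tag is not None:
            groups.setdefault(tag, []).append((attr_type, value))
    return groups
```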
Creating and Editing Security Groups

Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups.

When you create a security group, ACS generates a unique SGT. Network devices can query ACS for SGT information. The network device uses the SGT to tag, or paint, packets at ingress, so that the packets can be filtered at egress according to the egress policy. See Egress Policy Matrix Page, page 10-45, for information on configuring an egress policy.

Step 1 Select Policy Elements > Authorizations and Permissions > Network Access > Security Groups. The Security Groups page appears as described in Table 9-7.

Step 2 Click:
- Create to create a new security group.
- Duplicate to duplicate a security group.
- Edit to edit a security group.

Step 3 Enter the required information in the Name and Description fields, then click Submit.

Related Topic
- Creating Security Groups, page 4-24

Table 9-7 Security Groups Page

Name
    The name of the security group.

SGT (Dec / Hex)
    Representation of the security group tag in decimal and hexadecimal format.

Description
    The description of the security group.

Creating, Duplicating, and Editing a Shell Profile for Device Administration

You can configure Cisco IOS shell profile and command set authorization. Shell profiles and command sets are combined for authorization purposes. Shell profile authorization provides decisions for the following capabilities for the user requesting authorization, and is enforced for the duration of a user's session:
- Privilege level.
- General capabilities, such as device administration and network access.

Shell profile definitions are split into two components:
- Common tasks
- Custom attributes
The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft specification that are specifically relevant to the shell service. However, the values can be used in the authorization of requests from other services.

The Custom Attributes tab allows you to configure additional attributes. Each definition consists of the attribute name, an indication of whether the attribute is mandatory or optional, and the value for the attribute. Custom attributes can be defined for nonshell services.

For a description of the attributes that you specify in shell profiles, see Cisco IOS documentation for the specific release of Cisco IOS software that is running on your AAA clients.

After you create shell profiles and command sets, you can use them in authorization and permissions within rule tables.

You can duplicate a shell profile if you want to create a new shell profile that is the same as, or similar to, an existing shell profile. After duplication is complete, you access each shell profile (original and duplicated) separately to edit or delete them.

To create, duplicate, or edit a shell profile:

Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. The Shell Profiles page appears.

Step 2 Do one of the following:
- Click Create.
- Check the check box next to the shell profile that you want to duplicate and click Duplicate.
- Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.
The Shell Profile Properties page General tab appears.

Step 3 Enter valid configuration data in the required fields in each tab. As a minimum configuration, you must enter a unique name for the shell profile; all other fields are optional. See:
- Defining General Shell Profile Properties, page 9-25
- Defining Common Tasks, page 9-25
- Defining Custom Attributes, page 9-28

Step 4 Click Submit. The shell profile is saved. The Shell Profiles page appears with the shell profile that you created or duplicated.

Related Topics
- Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18
- Creating, Duplicating, and Editing Command Sets for Device Administration, page 9-28
- Deleting an Authorizations and Permissions Policy Element, page 9-32
- Configuring Shell/Command Authorization Policies for Device Administration, page 10-34
Defining General Shell Profile Properties

Use this page to define a shell profile's general properties.

Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then do one of the following:
- Click Create.
- Check the check box next to the shell profile that you want to duplicate and click Duplicate.
- Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.

Step 2 Complete the Shell Profile: General fields as described in Table 9-8.

Step 3 Click:
- Submit to save your changes and return to the Shell Profiles page.
- The Common Tasks tab to configure privilege levels for the shell profile; see Defining Common Tasks, page 9-25.
- The Custom Attributes tab to configure custom attributes for the shell profile; see Defining Custom Attributes, page 9-28.

Related Topics
- Defining Common Tasks, page 9-25
- Defining Custom Attributes, page 9-28

Table 9-8 Shell Profile: General Page

Name
    The name of the shell profile.

Description
    (Optional) The description of the shell profile.

Defining Common Tasks

Use this page to define a shell profile's privilege level and attributes. The attributes are defined by the TACACS+ protocol. For a description of the attributes, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.

Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then click:
- Create to create a new shell profile, then click Common Tasks.
- Duplicate to duplicate a shell profile, then click Common Tasks.
- Edit to edit a shell profile, then click Common Tasks.

Step 2 Complete the Shell Profile: Common Tasks page as described in Table 9-9.
Table 9-9 Shell Profile: Common Tasks

Privilege Level

Default Privilege
    (Optional) Enables the initial privilege level assignment that you allow for a client, through shell authorization. If disabled, the setting is not interpreted in authorization and permissions.
    The Default Privilege Level specifies the default (initial) privilege level for the shell profile.
    If you select Static as the Enable Default Privilege option, you can select the default privilege level; the valid options are 0 to 15.
    If you select Dynamic as the Enable Default Privilege option, you can select an attribute from the dynamic ACS dictionary as a substitute attribute.

Maximum Privilege
    (Optional) Enables the maximum privilege level assignment for which you allow a client after the initial shell authorization.
    The Maximum Privilege Level specifies the maximum privilege level for the shell profile. If you select the Enable Change of Privilege Level option, you can select the maximum privilege level; the valid options are 0 to 15.
    If you choose both default and maximum privilege level assignments, the default privilege level assignment must be equal to or lower than the maximum privilege level assignment.

Shell Attributes
    Select Not in Use for the options provided below if you do not want to enable them. If you select Dynamic, you can substitute the static value of a TACACS+ attribute with a value of another attribute from one of the listed dynamic dictionaries.

Access Control List
    (Optional) Choose Static to specify the name of the access control list to enable it. The name of the access control list can be up to 27 characters, and cannot contain the following: a hyphen (-), left bracket ([), right bracket (]), forward slash (/), back slash (\), apostrophe ('), left angle bracket (<), right angle bracket (>).
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Auto Command
    (Optional) Choose Static and specify the command to enable it.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

No Callback Verify
    (Optional) Choose Static to specify whether or not you want callback verification. Valid options are:
    - True—Specifies that callback verification is not needed.
    - False—Specifies that callback verification is needed.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

No Escape
    (Optional) Choose Static to specify whether or not you want escape prevention. Valid options are:
    - True—Specifies that escape prevention is enabled.
    - False—Specifies that escape prevention is not enabled.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

No Hang Up
    (Optional) Choose Static to specify whether or not you want any hangups. Valid options are:
    - True—Specifies that no hangups are allowed.
    - False—Specifies that hangups are allowed.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Timeout
    (Optional) Choose Static to enable and specify, in minutes, the duration of the allowed timeout in the value field. The valid range is from 0 to 999.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Idle Time
    (Optional) Choose Static to enable and specify, in minutes, the duration of the allowed idle time in the value field. The valid range is from 0 to 999.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Callback Line
    (Optional) Choose Static to enable and specify the callback phone line in the value field.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Callback Rotary
    (Optional) Choose Static to enable and specify the callback rotary phone line in the value field.
    Choose Dynamic to select an attribute from the dynamic ACS dictionary as a substitute attribute.

Step 3 Click:
- Submit to save your changes and return to the Shell Profiles page.
- The General tab to configure the name and description for the shell profile; see Defining General Shell Profile Properties, page 9-25.
- The Custom Attributes tab to configure custom attributes for the shell profile; see Defining Custom Attributes, page 9-28.

To substitute the static value of a TACACS+ attribute with a value of another attribute from one of the listed dynamic dictionaries, complete the following steps.

Step 1 Select System Administration > Configuration > Dictionaries > Identity > Internal Users to add attributes to the Internal Users dictionary.

Step 2 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles to create a shell profile.

Step 3 Select the Custom Attributes tab to create a new attribute, choose Dynamic as the Attribute Value, and correlate it to the attribute that you created in the Internal Users dictionary.

Step 4 Create a new rule in Access Policies > Access Services > Default Device Admin > Authorization and choose the shell profile that you created as the result. After authorization, the response carries the dynamic attribute value from the internal identity store.

Related Topics
- Defining Custom Attributes, page 9-28
- Configuring Shell/Command Authorization Policies for Device Administration, page 10-34
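The following is an added example, not code from the user guide or from ACS: it turns the static Common Tasks settings of Table 9-9 and the mandatory/optional custom attributes described under Custom Attributes into the TACACS+ shell authorization AV pairs a device would receive, enforcing the constraints the table states (privilege 0 to 15, default not above maximum, ACL name length and forbidden characters, 0 to 999 minutes). The TACACS+ attribute names (priv-lvl, acl, autocmd, ...) and the "=" (mandatory) versus "*" (optional) separators come from the TACACS+ specification, not from this page; the sample values are constructed.

```python
"""Translate an ACS shell profile (Common Tasks + Custom Attributes) into
TACACS+ shell authorization AV pairs, enforcing the Table 9-9 constraints.
Attribute names and the '=' / '*' separators follow the TACACS+ spec and are
an assumption of this example; they are not text from the user guide."""

ACL_MAX_LEN = 27                          # Table 9-9 limit
ACL_FORBIDDEN = set("-[]/\\'<>")          # characters Table 9-9 disallows

# Common Tasks option -> TACACS+ attribute name (TACACS+ spec names)
COMMON_TASK_ATTRS = {
    "Access Control List": "acl", "Auto Command": "autocmd",
    "No Callback Verify": "nocallback-verify", "No Escape": "noescape",
    "No Hang Up": "nohangup", "Timeout": "timeout", "Idle Time": "idletime",
    "Callback Line": "callback-line", "Callback Rotary": "callback-rotary",
}
FLAG_ATTRS = {"nocallback-verify", "noescape", "nohangup"}   # True / False
MINUTE_ATTRS = {"timeout", "idletime"}                      # 0-999 minutes


def validate_acl_name(name):
    """ACL names: 1-27 characters and none of the forbidden characters."""
    if not 1 <= len(name) <= ACL_MAX_LEN:
        raise ValueError("ACL name must be 1-%d characters" % ACL_MAX_LEN)
    bad = sorted(ACL_FORBIDDEN & set(name))
    if bad:
        raise ValueError("ACL name contains forbidden characters: " + "".join(bad))
    return name


def validate_privileges(default_priv, max_priv):
    """Both levels are 0-15 and, when both are set, default <= maximum."""
    for lvl in (default_priv, max_priv):
        if lvl is not None and not 0 <= lvl <= 15:
            raise ValueError("privilege level must be 0-15")
    if default_priv is not None and max_priv is not None and default_priv > max_priv:
        raise ValueError("default privilege must not exceed maximum privilege")


def privilege_change_allowed(max_priv, requested):
    """Maximum Privilege bounds the level a user may raise to after login."""
    return max_priv is not None and 0 <= requested <= max_priv


def shell_profile_av_pairs(default_priv=None, max_priv=None, tasks=None, custom=()):
    """Return the AV pairs for a shell session.
    tasks:  {Common Tasks option: static value}, e.g. {"Timeout": 30}
    custom: iterable of (name, value, mandatory) from the Custom Attributes tab."""
    validate_privileges(default_priv, max_priv)
    pairs = []
    if default_priv is not None:
        pairs.append("priv-lvl=%d" % default_priv)
    for option, value in (tasks or {}).items():
        attr = COMMON_TASK_ATTRS[option]        # KeyError: not a Common Tasks option
        if attr == "acl":
            value = validate_acl_name(value)
        elif attr in FLAG_ATTRS:
            value = "true" if value else "false"
        elif attr in MINUTE_ATTRS:
            if not 0 <= int(value) <= 999:
                raise ValueError("%s must be 0-999 minutes" % option)
        pairs.append("%s=%s" % (attr, value))
    for name, value, mandatory in custom:   # '=' mandatory, '*' optional
        pairs.append("%s%s%s" % (name, "=" if mandatory else "*", value))
    return pairs
```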
Defining Custom Attributes

Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab.

Step 1 Edit the fields in the Custom Attributes tab as described in Table 9-10.

Step 2 Click:
- Submit to save your changes and return to the Shell Profiles page.
- The General tab to configure the name and description for the shell profile; see Defining General Shell Profile Properties, page 9-25.
- The Common Tasks tab to configure the shell profile's privilege level and attributes; see Defining Common Tasks, page 9-25.

Related Topics
- Defining General Shell Profile Properties, page 9-25
- Defining Common Tasks, page 9-25

Table 9-10 Shell Profile: Custom Attributes Page

Common Tasks Attributes
    Displays the names, requirements, and values for the Common Tasks Attributes that you have defined in the Common Tasks tab.

Manually Entered
    Use this section to define custom attributes to include in the shell profile. As you define each attribute, its name, requirement, and value appear in the table. To:
    - Add a custom attribute, fill in the fields below the table and click Add.
    - Edit a custom attribute, select the appropriate row in the table and click Edit. The custom attribute parameters appear in the fields below the table. Edit as required, then click Replace.

Attribute
    Name of the custom attribute.

Requirement
    Choose whether this custom attribute is Mandatory or Optional.

Attribute Value
    Choose whether the custom attribute is Static or Dynamic.

Creating, Duplicating, and Editing Command Sets for Device Administration

Command sets provide decisions for allowed commands and arguments for device administration. You can specify command sets as results in a device configuration authorization policy. Shell profiles and command sets are combined for authorization purposes, and are enforced for the duration of a user's session.

You can duplicate a command set if you want to create a new command set that is the same as, or similar to, an existing command set. After duplication is complete, you access each command set (original and duplicated) separately to edit or delete them.
After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23.

Note: Command sets support TACACS+ protocol attributes only.

To create, duplicate, or edit a command set:

Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Command Sets. The Command Sets page appears.

Step 2 Do one of the following:
- Click Create. The Command Set Properties page appears.
- Check the check box next to the command set that you want to duplicate and click Duplicate. The Command Set Properties page appears.
- Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit. The Command Set Properties page appears.
- Click File Operations to perform any of the following functions:
  – Add—Choose this option to add command sets from the import file to ACS.
  – Update—Choose this option to replace the list of command sets in ACS with the list of command sets in the import file.
  – Delete—Choose this option to delete the command sets listed in the import file from ACS.
  See Performing Bulk Operations for Network Resources and Users, page 7-8, for a detailed description of the bulk operations.
- Click Export to export the command sets from ACS to your local hard disk. A dialog box appears, prompting you to enter an encryption password to securely export the command sets:
  a. Check the Password check box and enter the password to encrypt the file during the export process, then click Start Export.
  b. Click Start Export to export the command sets without any encryption.

Step 3 Enter valid configuration data in the required fields. As a minimum configuration, you must enter a unique name for the command set; all other fields are optional. You can define commands and arguments; you can also add commands and arguments from other command sets. See Table 9-11 for a description of the fields in the Command Set Properties page.

Step 4 Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated.

Table 9-11 Command Set Properties Page

Name
    Name of the command set.

Description
    (Optional) The description of the command set.

Permit any command that is not in the table below
    Check to allow all commands that are requested, unless they are explicitly denied in the Grant table. Uncheck to allow only commands that are explicitly allowed in the Grant table.

Command Set table
    Use this section to define commands to include in the authorization profile. As you define each command, its details appear in the table. To:
    - Add a command, fill in the fields below the table and click Add.
    - Edit a command, select the appropriate row in the table, and click Edit. The command parameters appear in the fields below the table. Edit as required, then click Replace.
    The order of commands in the Command Set table is important; policy rule table processing depends on which command and argument are matched first to make a decision on the policy result. Use the control buttons at the right of the Command Set table to order your commands.

Grant
    Choose the permission level of the associated command. Options are:
    - Permit—The associated command and arguments are automatically granted.
    - Deny—The associated command and arguments are automatically denied.
    - Deny Always—The associated command and arguments are always denied.

Command
    Enter the command name. This field is not case sensitive. You can use the asterisk (*) to represent zero (0) or more characters in the command name, and you can use the question mark (?) to represent a single character in a command name. Examples of valid command name entries: SHOW, sH*, sho?, Sh*?

Arguments
    Enter the argument associated with the command name. This field is not case sensitive. ACS 5.3 uses standard UNIX-type regular expressions.

Select Command/Arguments from Command Set
    To add a command from another command set:
    1. Choose the command set.
    2. Click Select to open a page that lists the available commands and arguments.
    3. Choose a command and click OK.
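The following is an added example, not code from the user guide or from ACS: a small evaluator for the command-set semantics Table 9-11 describes (ordered rows, first match wins, Permit / Deny / Deny Always, the "permit any command not in the table" switch, case-insensitive * and ? wildcards in the command name, and a UNIX-style regular expression over the arguments). It also combines several command sets attached to one policy rule. Two things are this example's assumptions rather than statements from the page: the argument regex is searched, not anchored, and when sets are combined a Deny Always in any set wins, otherwise any Permit wins. The sample command sets are constructed.

```python
"""Evaluate ACS-style command sets for device administration.
Added illustration, not ACS code.  Assumptions: the Arguments regex is
searched case-insensitively (not anchored), and across several command sets
on one rule a Deny Always anywhere wins, otherwise any Permit wins."""
import re

PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny Always"


def command_pattern(glob):
    """Command field: not case sensitive, '*' = zero or more chars, '?' = one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob]
    return re.compile("".join(parts), re.IGNORECASE)


class CommandSet:
    def __init__(self, name, rows, permit_unmatched=False):
        """rows: ordered (grant, command glob, argument regex) triples;
        permit_unmatched mirrors 'Permit any command that is not in the table'."""
        self.name = name
        self.permit_unmatched = permit_unmatched
        self.rows = [(grant, command_pattern(cmd), re.compile(args, re.IGNORECASE))
                     for grant, cmd, args in rows]

    def evaluate(self, command, arguments=""):
        """The first row whose command and arguments both match decides,
        which is why row order matters (Table 9-11)."""
        for grant, cmd_re, args_re in self.rows:
            if cmd_re.fullmatch(command) and args_re.search(arguments):
                return grant
        return PERMIT if self.permit_unmatched else DENY


def authorize(command_sets, command, arguments=""):
    """Combine every command set attached to the matched policy rule."""
    results = [cs.evaluate(command, arguments) for cs in command_sets]
    return DENY_ALWAYS not in results and PERMIT in results


# Constructed sample sets: a read-only set that never releases the running
# configuration, and a helpdesk set that happens to permit it.
READ_ONLY = CommandSet("ReadOnly", [
    (DENY_ALWAYS, "show", r"running-config"),
    (PERMIT, "sh*", r""),
    (PERMIT, "ping", r""),
])
HELPDESK = CommandSet("Helpdesk", [
    (PERMIT, "clear", r"^counters"),
    (PERMIT, "show", r"running-config"),
])
# 'Permit any command that is not in the table' checked, with one denied prefix
NO_CONFIG = CommandSet("NoConfig", [(DENY, "conf*", r"")], permit_unmatched=True)
```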