Cisco Acs 5x User Guide

    							9-31
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 9      Managing Policy Elements
      Managing Authorizations and Permissions
    Related Topics
    Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18
    Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23
    Deleting an Authorizations and Permissions Policy Element, page 9-32
    Creating, Duplicating, and Editing Downloadable ACLs
You can define downloadable ACLs (DACLs) for ACS to return in the RADIUS Access-Accept message. The network device that receives the Access-Accept applies the ACL to the authenticated session, so you can use DACLs to keep unwanted traffic out of the network: an ACL can filter on source and destination IP address, transport protocol, port, and more. Because the ACL is defined once on ACS and delivered over RADIUS, you do not have to configure it on each device.
    After you create downloadable ACLs as named permission objects, you can add them to authorization 
    profiles, which you can then specify as the result of an authorization policy. 
    You can duplicate a downloadable ACL if you want to create a new downloadable ACL that is the same, 
    or similar to, an existing downloadable ACL.
    After duplication is complete, you access each downloadable ACL (original and duplicated) separately 
    to edit or delete them.
    To create, duplicate or edit a downloadable ACL:
Step 1 Select Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs.
    The Downloadable ACLs page appears.
Step 2 Do one of the following:
    Click Create.
    The Downloadable ACL Properties page appears.
    Check the check box next to the downloadable ACL that you want to duplicate and click Duplicate. 
    The Downloadable ACL Properties page appears.
    Click the name that you want to modify; or, check the check box next to the name that you want to 
    modify and click Edit. 
    The Downloadable ACL Properties page appears.
    Click File Operations to perform any of the following functions:
    –Add—Choose this option to add ACLs from the import file to ACS.
    –Update—Choose this option to replace the list of ACLs in ACS with the list of ACLs in the 
    import file.
    –Delete—Choose this option to delete the ACLs listed in the import file from ACS.
    See Performing Bulk Operations for Network Resources and Users, page 7-8 for a detailed 
    description of the bulk operations.
    Click Export to export the DACLs from ACS to your local hard disk.
    A dialog box appears, prompting you to enter an encryption password to securely export the DACLs:
    –Check the Password check box and enter the password to encrypt the file during the export 
    process, then click Start Export. 
    						
    –Click Start Export to export the DACLs without any encryption.
Step 3 Enter valid configuration data in the required fields as shown in Table 9-12, and define one or more ACLs by using standard ACL syntax.
Step 4 Click Submit.
    The downloadable ACL is saved. The Downloadable ACLs page appears with the downloadable ACL 
    that you created or duplicated.
    Related Topics
    Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18
    Configuring a Session Authorization Policy for Network Access, page 10-29
    Deleting an Authorizations and Permissions Policy Element, page 9-32
    Deleting an Authorizations and Permissions Policy Element
To delete an authorizations and permissions policy element:
Step 1 Select Policy Elements > Authorization and Permissions; then, navigate to the required option.
The corresponding page appears.
Step 2 Check one or more check boxes next to the items that you want to delete and click Delete.
The following message appears:
Are you sure you want to delete the selected item/items?
Step 3 Click OK.
The page appears without the deleted object.
Table 9-12 Downloadable ACL Properties Page
Option                    Description
Name                      Name of the DACL.
Description               Description of the DACL.
Downloadable ACL Content  Define the ACL content. Use standard ACL command syntax and semantics. The ACL
                          definitions comprise one or more ACL commands; each ACL command must occupy a
                          separate line. For detailed ACL definition information, see the command reference
                          section of your device configuration guide.
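The guide says only that DACL content is standard ACL syntax, one command per line. The linter below is an added example, not part of the Cisco guide or of ACS: it checks a DACL before you paste it into the Downloadable ACL Content field, because a line the network device cannot parse typically makes the device reject the whole authorization, and it renders the ACEs in the form a RADIUS client receives them, as Cisco-AV-Pair values `ip:inacl#<n>=<ace>`. The sample DACL is constructed. The accepted grammar (permit/deny; ip, tcp, udp, icmp; any, host or address-plus-wildcard; port operators; log and established) is a subset chosen for the example, and the "use source any" warning reflects the common Cisco switch behaviour of substituting the authenticated host's address for the source, which you should confirm against your own platform's documentation.

```python
"""Lint a downloadable ACL (DACL) and render it as RADIUS Cisco-AV-Pair values.
Added example (not Cisco's code). Grammar and the 'source any' convention are
this example's assumptions; see the lead-in."""

ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}   # operator -> port count
TRAILERS = {"log", "established"}


def _is_ipv4(tok):
    parts = tok.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "any":
        return "any", i + 1
    if i + 1 < len(tokens) and tokens[i] == "host" and _is_ipv4(tokens[i + 1]):
        return f"host {tokens[i + 1]}", i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i]) and _is_ipv4(tokens[i + 1]):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return None, i


def _take_ports(tokens, i):
    """Consume an optional port operator such as 'eq 22' or 'range 1024 65535'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        ports = tokens[i + 1:i + 1 + n]
        if len(ports) != n or not all(p.isdigit() and int(p) <= 65535 for p in ports):
            raise ValueError(f"bad port operator at {' '.join(tokens[i:])!r}")
        return i + 1 + n
    return i


def parse_ace(line):
    """Parse one extended-ACL ACE into its parts, or raise ValueError."""
    t = line.split()
    if len(t) < 4 or t[0] not in ACTIONS:
        raise ValueError("an ACE starts with permit/deny followed by protocol, source, destination")
    action, proto = t[0], t[1]
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    src, i = _take_addr(t, 2)
    if src is None:
        raise ValueError("missing or malformed source address")
    if proto in ("tcp", "udp"):
        i = _take_ports(t, i)             # optional source port
    dst, i = _take_addr(t, i)
    if dst is None:
        raise ValueError("missing or malformed destination address")
    if proto in ("tcp", "udp"):
        i = _take_ports(t, i)             # optional destination port
    if any(tok not in TRAILERS for tok in t[i:]):
        raise ValueError(f"unexpected trailing tokens {t[i:]}")
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def lint_dacl(content):
    """Return (aces, warnings). Syntax errors raise ValueError with the line number."""
    aces, warnings, catch_all_seen = [], [], False
    for n, raw in enumerate(content.splitlines(), 1):
        line = " ".join(raw.split())
        if not line or line.startswith("!"):            # IOS-style comment
            continue
        if line.split()[0] in ("ip", "access-list", "remark"):
            warnings.append(f"line {n}: DACL content is bare ACEs; drop the {line.split()[0]!r} wrapper line")
            continue
        try:
            ace = parse_ace(line)
        except ValueError as exc:
            raise ValueError(f"line {n}: {exc}") from None
        if catch_all_seen:                               # first match wins; nothing below is reachable
            warnings.append(f"line {n}: unreachable; an earlier 'ip any any' ACE already matches everything")
        if ace["src"] != "any":                          # assumption: the switch rewrites the source
            warnings.append(f"line {n}: source {ace['src']!r} is replaced by the client address; use 'any'")
        if ace["proto"] == "ip" and ace["src"] == "any" and ace["dst"] == "any":
            catch_all_seen = True
        aces.append(line)
    return aces, warnings


def to_av_pairs(aces):
    """Render ACEs as the Cisco-AV-Pair values a RADIUS client receives, numbered from 1."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, 1)]


# Constructed sample: a contractor VLAN may reach two jump hosts only.
SAMPLE_DACL = """\
! constructed sample: contractor VLAN may reach two jump hosts only
permit tcp any host 10.0.5.10 eq 22
permit tcp any host 10.0.5.20 eq 443
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
permit udp any any eq 53
"""

if __name__ == "__main__":
    aces, warnings = lint_dacl(SAMPLE_DACL)
    print("\n".join(to_av_pairs(aces)))
    print("\n".join(warnings))
```

The warnings are what a reviewer of the Downloadable ACL Content field wants to see before Submit: the `permit ip any any` on line 5 silently makes the DNS line after it dead, and a non-`any` source is a sign the author copied an interface ACL rather than writing a per-session one.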
    						
    Configuring Security Group Access Control Lists
    Security group access control lists (SGACLs) are applied at Egress, based on the source and destination 
    SGTs. Use this page to view, create, duplicate and edit SGACLs. When you modify the name or content 
    of an SGACL, ACS updates its generation ID. When the generation ID of an SGACL changes, the 
    relevant Security Group Access network devices reload the content of the SGACL.
    SGACLs are also called role-based ACLs (RBACLs).
Step 1 Select Policy Elements > Authorization and Permissions > Named Permission Objects > Security Group ACLs.
The Security Group Access Control Lists page appears with the fields described in Table 9-13.
Step 2 Click one of the following options:
Create to create a new SGACL.
Duplicate to duplicate an SGACL.
Edit to edit an SGACL.
Step 3 Complete the fields in the Security Group Access Control Lists Properties page as described in Table 9-14.
Step 4 Click Submit.
Table 9-13 Security Group Access Control Lists Page
Option        Description
Name          The name of the SGACL.
Description   The description of the SGACL.
Table 9-14 Security Group Access Control List Properties Page
Option                      Description
General
Name                        Name of the SGACL. You cannot use spaces, hyphens (-), question marks (?), or
                            exclamation marks (!) in the name. After you create an SGACL, its generation ID
                            appears.
Generation ID               Display only. ACS updates the generation ID of the SGACL if you change the
                            name of the SGACL or the content of the SGACL (the ACEs). Changing the SGACL
                            description does not affect the generation ID.
Description                 Description of the SGACL.
Security Group ACL Content  Enter the ACL content. Ensure that the ACL definition is syntactically and
                            semantically valid.
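The following is an added example, not Cisco's code, modelling what Table 9-14 says about the generation ID together with a syntax check for SGACL content. The generation ID here is derived from name and content only, so a description edit leaves it unchanged and a Security Group Access device that already holds that generation ID does not reload the ACL; deriving it with a hash is this example's assumption about form, since the guide states only when the ID changes. The ACE grammar is the TrustSec SGACL form (permit or deny, a protocol, optional src/dst port operators, optional log) with no IP addresses, because the SGACL is applied at egress between the source and destination SGTs; the sample content and the names are constructed.

```python
"""Generation-ID behaviour of an SGACL and a lint for its ACEs.
Added example (not Cisco's code); hashing and grammar are assumptions, see lead-in."""
import hashlib
import re

# Table 9-14: an SGACL name may not contain spaces, hyphens, question marks or exclamation marks.
NAME_FORBIDDEN = re.compile(r"[\s\-?!]")

# Assumed TrustSec SGACL ACE grammar: protocol, optional port operators, optional log.
# No addresses: source and destination are the SGTs the SGACL is bound to.
_PORT_OP = r"(?:(?:eq|gt|lt|neq)\s+\d{1,5}|range\s+\d{1,5}\s+\d{1,5})"
ACE = re.compile(
    rf"^(?:permit|deny)\s+(?:ip|tcp|udp|icmp)"
    rf"(?:\s+src\s+{_PORT_OP})?(?:\s+dst\s+{_PORT_OP})?(?:\s+log)?$"
)
_LOOKS_LIKE_IP_ACL = re.compile(r"\d+\.\d+\.\d+\.\d+|\bany\b|\bhost\b")


def lint_sgacl(content):
    """Return the normalised ACE list, or raise ValueError naming the first bad line."""
    aces = []
    for n, raw in enumerate(content.splitlines(), 1):
        line = " ".join(raw.split())          # collapse whitespace, skip blank lines
        if not line:
            continue
        if not ACE.match(line):
            hint = " (SGACL ACEs carry no addresses)" if _LOOKS_LIKE_IP_ACL.search(line) else ""
            raise ValueError(f"line {n}: invalid SGACL ACE {line!r}{hint}")
        aces.append(line)
    return aces


class Sgacl:
    """An SGACL as ACS stores it: name, content, description and a generation ID."""

    def __init__(self, name, content, description=""):
        self.description = description
        self.rename(name)
        self.set_content(content)

    def rename(self, name):
        if NAME_FORBIDDEN.search(name):
            raise ValueError(f"SGACL name {name!r} may not contain spaces, '-', '?' or '!'")
        self.name = name

    def set_content(self, content):
        self.content = "\n".join(lint_sgacl(content))

    @property
    def generation_id(self):
        """Derived from name and content only, so a description edit leaves it unchanged.
        (Using a hash is this example's choice; the guide only says when the ID changes.)"""
        return hashlib.sha256(f"{self.name}\n{self.content}".encode()).hexdigest()[:8]


class TrustSecDevice:
    """A Security Group Access device that caches SGACL content and reloads it
    only when the generation ID it holds differs from the one ACS reports."""

    def __init__(self):
        self.cache = {}   # SGACL name -> (generation_id, content)

    def sync(self, sgacl):
        """Return True if the content was (re)loaded, False if the cached copy was current."""
        held = self.cache.get(sgacl.name)
        if held is not None and held[0] == sgacl.generation_id:
            return False
        self.cache[sgacl.name] = (sgacl.generation_id, sgacl.content)
        return True


# Constructed sample: contractors may reach HTTPS and SSH on the destination group.
SAMPLE_SGACL = """\
permit tcp dst eq 443
permit tcp dst eq 22 log
permit icmp
deny ip
"""

if __name__ == "__main__":
    acl = Sgacl("Contractor_to_Servers", SAMPLE_SGACL, "initial text")
    switch = TrustSecDevice()
    print("first sync reloads:", switch.sync(acl), acl.generation_id)
    acl.description = "edited description"
    print("after description edit:", switch.sync(acl))
    acl.set_content("permit tcp dst eq 443\ndeny ip")
    print("after content edit:", switch.sync(acl), acl.generation_id)
```

The practical consequence of the rule in Table 9-14 is visible in `sync`: if an operator edits only the description, no device on the network re-downloads anything, so a content change that was meant to tighten access must actually touch the ACEs (or the name) to propagate.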
    						
    						
Chapter 10
Managing Access Policies
    In ACS 5.3, policy drives all activities. Policies consist mainly of rules that determine the action of the 
    policy. You create access services to define authentication and authorization policies for requests. A 
    global service selection policy contains rules that determine which access service processes an incoming 
    request. 
    For a basic workflow for configuring policies and all their elements, see Flows for Configuring Services 
    and Policies, page 3-19. In general, before you can configure policy rules, you must configure all the 
    elements that you will need, such as identities, conditions, and authorizations and permissions. 
    For information about:
    Managing identities, see Chapter 8, “Managing Users and Identity Stores.”
    Configuring conditions, see Managing Policy Elements, page 9-1.
Configuring authorizations and permissions, see Managing Authorizations and Permissions in Chapter 9, “Managing Policy Elements.”
    This section contains the following topics:
    Policy Creation Flow, page 10-1
    Customizing a Policy, page 10-4
    Configuring the Service Selection Policy, page 10-5
    Configuring Access Services, page 10-11
    Configuring Access Service Policies, page 10-21
    Configuring Compound Conditions, page 10-40
    Security Group Access Control Pages, page 10-45
    Maximum User Sessions, page 10-50
    For information about creating Egress and NDAC policies for Cisco Security Group Access, see 
    Configuring an NDAC Policy, page 4-25.
    Policy Creation Flow
    Policy creation depends on your network configuration and the degree of refinement that you want to 
    bring to individual policies. The endpoint of policy creation is the access service that runs as the result 
    of the service selection policy. Each policy is rule driven. 
    						
    In short, you must determine the:
    Details of your network configuration.
    Access services that implement your policies.
    Rules that define the conditions under which an access service can run.
    This section contains the following topics:
    Network Definition and Policy Goals, page 10-2
    Policy Elements in the Policy Creation Flow, page 10-3
    Access Service Policy Creation, page 10-4
    Service Selection Policy Creation, page 10-4
    Network Definition and Policy Goals
    The first step in creating a policy is to determine the devices and users for which the policy should apply. 
    Then you can start to configure your policy elements.
    For basic policy creation, you can rely on the order of the drawers in the left navigation pane of the web 
    interface. The order of the drawers is helpful because some policy elements are dependent on other 
    policy elements. If you use the policy drawers in order, you initially avoid having to go backward to 
    define elements that your current drawer requires.
    For example, you might want to create a simple device administration policy from these elements in your 
    network configuration:
    Devices—Routers and switches.
    Users—Network engineers.
    Device Groups—Group devices by location and separately by device type.
    Identity groups—Group network engineers by location and separately by access level.
    The results of the policy apply to the administrative staff at each site:
    Full access to devices at their site.
    Read-only access to all other devices.
    Full access to everything for a supervisor.
    The policy itself applies to network operations and the administrators who will have privileges within 
    the device administration policy. The users (network engineers) are stored in the internal identity store.
    The policy results are the authorizations and permissions applied in response to the access request. These 
    authorizations and permissions are also configured as policy elements.
    Policy Creation Flow—Next Steps
    Policy Elements in the Policy Creation Flow, page 10-3
    Access Service Policy Creation, page 10-4
    Service Selection Policy Creation, page 10-4 
    						
    Policy Elements in the Policy Creation Flow
    The web interface provides these defaults for defining device groups and identity groups:
    All Locations
    All Device Types 
    All Groups
    The locations, device types, and identity groups that you create are children of these defaults. 
    To create the building blocks for a basic device administration policy:
Step 1 Create network resources. In the Network Resources drawer, create:
a. Device groups for Locations, such as All Locations > East, West, HQ.
b. Device groups for device types, such as All Device Types > Router, Switch.
c. AAA clients (clients for AAA switches and routers, address for each, and protocol for each), such as EAST-ACCESS-SWITCH, HQ-CORE-SWITCH, or WEST-WAN-ROUTER.
Step 2 Create users and identity stores. In the Users and Identity Stores drawer, create:
a. Identity groups (Network Operations and Supervisor).
b. Specific users and association to identity groups (Names, Identity Group, Password, and more).
Step 3 Create authorizations and permissions for device administration. In the Policy Elements drawer, create:
a. Specific privileges (in Shell Profiles), such as full access or read only.
b. Command Sets that allow or deny access (in Command Sets).
    For this policy, you now have the following building blocks:
    Network Device Groups (NDGs), such as:
    –Locations—East, HQ, West.
    –Device Types—Router, Switch.
    Identity groups, such as:
    –Network Operations Sites—East, HQ, West.
    –Access levels—Full Access.
    Devices—Routers and switches that have been assigned to network device groups.
    Users—Network engineers in the internal identity store that have been assigned to identity groups.
    Shell Profiles—Privileges that can apply to each administrator, such as:
    –Full privileges.
    –Read only privileges.
    Command Sets—Allow or deny authorization to each administrator.
    Policy Creation Flow—Previous Step
    Network Definition and Policy Goals, page 10-2 
    						
    Policy Creation Flow—Next Steps
    Access Service Policy Creation, page 10-4
    Service Selection Policy Creation, page 10-4
    Access Service Policy Creation
    After you create the basic elements, you can create an access policy that includes identity groups and 
    privileges. For example, you can create an access service for device administration, called NetOps, 
    which contains authorization and authentication policies that use this data:
    Users in the Supervisor identity group—Full privileges to all devices at all locations.
Users in the East, HQ, and West identity groups—Full privileges to devices in the corresponding East, HQ, and West device groups.
    If no match—Deny access.
    Policy Creation Flow—Previous Steps
    Network Definition and Policy Goals, page 10-2
    Policy Elements in the Policy Creation Flow, page 10-3
    Policy Creation Flow—Next Step
    Service Selection Policy Creation, page 10-4
    Service Selection Policy Creation
    ACS provides support for various access use cases; for example, device administration, wireless access, 
    network access control, and so on. You can create access policies for each of these use cases. Your 
    service selection policy determines which access policy applies to an incoming request. 
For example, you can create a service selection rule to apply the NetOps access service to any access request that uses the TACACS+ protocol.
    Policy Creation Flow—Previous Steps
    Network Definition and Policy Goals, page 10-2
    Policy Elements in the Policy Creation Flow, page 10-3
    Access Service Policy Creation, page 10-4
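The policy creation flow above describes the NetOps policy in prose. The model below is an added example, not ACS code or material from the guide: it evaluates a request the way ACS rule tables do, with the service selection policy choosing an access service and that service's authorization policy then walked top to bottom, the first matching enabled rule winning and the default rule supplying Deny Access. Identity group and network device group conditions in ACS are hierarchical, so a condition on a parent group also matches its child groups, which is how one rule can cover every site. The attribute names, group paths, rule names, shell profile names and the read-only fallback for other sites (taken from Network Definition and Policy Goals) are this example's own choices.

```python
"""First-match evaluation of the NetOps device-administration policy.
Added example (not ACS code); names and structure are assumptions, see lead-in."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Request attributes that rule conditions can test (names are this example's own)."""
    protocol: str          # "TACACS+" or "RADIUS"
    identity_group: str    # hierarchical path, e.g. "All Groups:NetOps:East"
    location: str          # network device group, e.g. "All Locations:East"


@dataclass
class Rule:
    name: str
    conditions: dict       # attribute -> group path or literal; {} matches every request
    result: str            # an access service name, or a shell profile name
    enabled: bool = True


def in_group(value, wanted):
    """ACS group conditions match the named node and all of its descendants:
    'All Groups:NetOps:East' is in 'All Groups:NetOps'. The ':' guard stops
    'All Groups:NetOpsExternal' from matching. Plain attributes such as the
    protocol fall through to equality."""
    return value == wanted or value.startswith(wanted + ":")


def first_match(rules, request, default):
    """Walk the rule table top to bottom; disabled rules are skipped; the
    default rule supplies the result when no rule matches."""
    for rule in rules:
        if rule.enabled and all(
            in_group(getattr(request, attr), wanted)
            for attr, wanted in rule.conditions.items()
        ):
            return rule.name, rule.result
    return "Default", default


SITES = ("East", "HQ", "West")

# Service selection: device-administration (TACACS+) requests go to NetOps,
# everything else falls to the default result, Deny Access.
SERVICE_SELECTION = [
    Rule("DeviceAdmin-TACACS", {"protocol": "TACACS+"}, "NetOps"),
]

# NetOps authorization policy, ordered from most to least privileged.
NETOPS_AUTHORIZATION = (
    [Rule("Supervisor", {"identity_group": "All Groups:Supervisor"}, "Full-Access")]
    + [
        Rule(f"{site}-Site",
             {"identity_group": f"All Groups:NetOps:{site}",
              "location": f"All Locations:{site}"},
             "Full-Access")
        for site in SITES
    ]
    + [Rule("NetOps-OtherSites", {"identity_group": "All Groups:NetOps"}, "Read-Only")]
)

ACCESS_SERVICES = {"NetOps": NETOPS_AUTHORIZATION}


def evaluate(request):
    """Return (access service, matched authorization rule, shell profile)."""
    _, service = first_match(SERVICE_SELECTION, request, "Deny Access")
    if service not in ACCESS_SERVICES:
        return service, None, "Deny Access"
    rule, profile = first_match(ACCESS_SERVICES[service], request, "Deny Access")
    return service, rule, profile


if __name__ == "__main__":
    for req in (
        Request("TACACS+", "All Groups:NetOps:East", "All Locations:East"),
        Request("TACACS+", "All Groups:NetOps:East", "All Locations:HQ"),
        Request("TACACS+", "All Groups:Supervisor", "All Locations:West"),
        Request("TACACS+", "All Groups:Contractors", "All Locations:East"),
        Request("RADIUS", "All Groups:NetOps:East", "All Locations:East"),
    ):
        print(req.protocol, req.identity_group, req.location, "->", evaluate(req))
```

Rule order is the security-relevant detail: the site rules must sit above the read-only catch-all, and the catch-all must sit above the default, or an East engineer on an HQ switch would get Full-Access or nothing rather than Read-Only. The same walk applies to the Caution under Customizing a Policy: removing a condition column drops that condition from every rule, which widens the rule's match rather than disabling it.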
    Customizing a Policy
    ACS policy rules contain conditions and results. Before you begin to define rules for a policy, you must 
    configure which types of conditions that policy will contain. This step is called customizing your policy. 
    The condition types that you choose appear on the Policy page. You can apply only those types of 
    conditions that appear on the Policy page. For information about policy conditions, see Managing Policy 
    Conditions, page 9-1.
    By default, a Policy page displays a single condition column for compound expressions. For information 
    on compound conditions, see Configuring Compound Conditions, page 10-40. 
    						
    If you have implemented Security Group Access functionality, you can also customize results for 
    authorization policies.
Caution: If you have already defined rules, be certain that a rule is not using any condition that you remove when customizing conditions. Removing a condition column removes all configured conditions that exist for that column.
    To customize a policy:
Step 1 Open the Policy page that you want to customize. For:
The service selection policy, choose Access Policies > Service Selection Policy.
An access service policy, choose Access Policies > Access Services > service > policy, where service is the name of the access service, and policy is the name of the policy that you want to customize.
Step 2 In the Policy page, click Customize.
A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions.
Note: Identity-related attributes are not available as conditions in a service selection policy.
Step 3 Move conditions between the Available and Selected list boxes.
Step 4 Click OK.
The selected conditions now appear under the Conditions column.
Step 5 Click Save Changes.
    Configuring a Policy—Next Steps
    Configuring the Service Selection Policy, page 10-5
    Configuring Access Service Policies, page 10-21
    Configuring the Service Selection Policy
    The service selection policy determines which access service processes incoming requests. You can 
    configure a simple policy, which applies the same access service to all requests; or, you can configure a 
    rule-based service selection policy. 
    In the rule-based policy, each service selection rule contains one or more conditions and a result, which 
    is the access service to apply to an incoming request. You can create, duplicate, edit, and delete rules 
    within the service selection policy, and you can enable and disable them.
    This section contains the following topics:
    Configuring a Simple Service Selection Policy, page 10-6
    Creating, Duplicating, and Editing Service Selection Rules, page 10-8 
    						
Note: If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.
    Configuring a Simple Service Selection Policy
    A simple service selection policy applies the same access service to all requests.
    To configure a simple service selection policy:
Step 1 Select Access Policies > Service Selection Policy.
By default, the Simple Service Selection Policy page appears.
Step 2 Select an access service to apply; or, choose Deny Access.
Step 3 Click Save Changes to save the policy.
    Service Selection Policy Page
    Use this page to configure a simple or rule-based policy to determine which service to apply to incoming 
    requests.
    To display this page, choose Access Policies > Service Selection.
If you have already configured the service selection policy, the corresponding Simple Policy page (see Table 10-1) or Rule-based Policy page (see Table 10-2) opens; otherwise, the Simple Policy page opens by default.
Table 10-1 Simple Service Selection Policy Page
Option                    Description
Policy type               Defines the type of policy:
                          Select one result: the result applies to all requests.
                          Rule-based result selection: configured rules apply different results depending
                          on the request.
Service Selection Policy  Access service to apply to all requests. The default is Deny Access.
    						