10-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 10 Managing Access Policies

Configuring the Service Selection Policy

To configure a rule-based service selection policy, see these topics:

- Creating, Duplicating, and Editing Service Selection Rules, page 10-8
- Deleting Service Selection Rules, page 10-10

After you configure your service selection policy, you can continue to configure your access service policies. See Configuring Access Service Policies, page 10-21.

Table 10-2 Rule-based Service Selection Policy Page

Policy type: Defines the type of policy to configure:
- Select one result—Results apply to all requests.
- Rule-based result selection—Configuration rules apply different results depending on the request.

Status: Current status of the rule that drives service selection. The rule statuses are:
- Enabled—The rule is active.
- Disabled—ACS does not apply the results of the rule.
- Monitor Only—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name: Rule name.

Conditions: Conditions that determine the scope of the service. This column displays all current conditions in subcolumns. You cannot use identity-based conditions in a service selection rule.

Results: Service that runs as a result of the evaluation of the rule.

Hit Count: Number of times that the rule is matched. Click Hit Count to refresh and reset this column.

Default Rule: ACS applies the Default Rule when:
- Enabled rules are not matched.
- No other rules are defined.
Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button: Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.
Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button: Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.
Creating, Duplicating, and Editing Service Selection Rules

Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access service in cases where no rules are matched or defined.

When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS network, all further processing stops and the associated result of that match is applied. No further rules are considered after a match is found.

You can duplicate a service selection rule to create a new rule that is the same as, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parentheses to indicate duplication; for example, Rule-1(1). After duplication is complete, you access each rule (original and duplicated) separately. You cannot duplicate the Default Rule.

You can edit all values of user-defined service selection rules; in the Default Rule, you can edit only the specified access service.

Note: To configure a simple policy to apply the same access service to all requests, see Configuring a Simple Service Selection Policy, page 10-6.

Before You Begin

- Configure the conditions that you want to use in the service selection policy. See Managing Policy Conditions, page 9-1.
  Note: Identity-related attributes are not available as conditions in a service selection policy.
- Create the access services that you want to use in the service selection policy. See Creating, Duplicating, and Editing Access Services, page 10-12. You do not need to configure policies in the access service before configuring the service selection policy.
- Configure the types of conditions to use in the policy rules. See Customizing a Policy, page 10-4, for more information.

To create, duplicate, or edit a service selection policy rule:

Step 1  Select Access Policies > Service Selection Policy. If you:
- Previously created a rule-based policy, the Rule-Based Service Selection Policy page appears with a list of configured rules.
- Have not created a rule-based policy, the Simple Service Selection Policy page appears. Click Rule-Based.

Step 2  Do one of the following:
- Click Create.
- Check the check box next to the rule that you want to duplicate; then click Duplicate.
- Click the rule name that you want to modify; or, check the check box next to the name and click Edit.
The Rule page appears.

Step 3  Enter or modify values:
- User-defined rules—You can edit any value. Ensure that you include at least one condition. If you are duplicating a rule, you must change the rule name.
- The Default Rule—You can change only the access service.
See Table 10-3 for field descriptions.

Step 4  Click OK. The Service Selection Policy page appears with the rule that you configured.

Step 5  Click Save Changes.

Related Topics
- Configuring Access Services, page 10-11
- Deleting Service Selection Rules, page 10-10

Table 10-3 Service Selection Rule Properties Page

General

Name: Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status: Rule statuses are:
- Enabled—The rule is active.
- Disabled—ACS does not apply the results of the rule.
- Monitor Only—The rule is active but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions (one row per condition type): Conditions that you can configure for the rule. By default, the compound condition appears. Click Customize in the Policy page to change the conditions that appear. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.
Note: A service selection policy that contains a compound condition on the TACACS+ username does not work consistently. The policy works only when the first TACACS+ authentication request contains a username. If the first packet does not carry the username and ACS has to request it from the NAS, the TACACS+ username condition is not matched. The request therefore falls to the default deny-access result and never reaches the intended access service.

Results

Service: Name of the access service that runs as a result of the evaluation of the rule.
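The first-match evaluation, the three rule statuses and the hit counts described in Tables 10-2 and 10-3, as an added example that is not part of the original guide and is not ACS code: a small Python model of a rule-based service selection policy. The condition types (protocol, device_group), the rule and service names, and the treatment of Monitor Only rules (counted and logged, result not applied, evaluation continues) and Disabled rules (skipped without a hit) are assumptions.

```python
"""Model of ACS rule-based service selection (Tables 10-2 and 10-3). Added example,
not ACS code; condition types, rule names and service names are constructed."""
from dataclasses import dataclass, field

ANY = None  # every condition defaults to ANY, which matches any request


@dataclass
class Rule:
    name: str
    status: str            # "Enabled", "Disabled" or "Monitor Only"
    conditions: dict       # condition type -> required value (or ANY)
    service: str           # result: the access service to run
    hit_count: int = 0

    def matches(self, request: dict) -> bool:
        # A rule must carry at least one condition; ANY always matches.
        if not self.conditions:
            raise ValueError(f"{self.name}: rule needs at least one condition")
        return all(
            required is ANY or request.get(cond) == required
            for cond, required in self.conditions.items()
        )


@dataclass
class ServiceSelectionPolicy:
    rules: list                  # ordered; the first enabled match wins
    default_service: str         # Default Rule result (its only editable field)
    log: list = field(default_factory=list)

    def select(self, request: dict) -> str:
        for rule in self.rules:
            # Assumption: disabled rules are skipped without counting a hit.
            if rule.status == "Disabled" or not rule.matches(request):
                continue
            rule.hit_count += 1
            if rule.status == "Monitor Only":
                # Assumption: a monitor-only match is logged, its result is not
                # applied, and evaluation continues with the next rule.
                self.log.append(f"{rule.name}: matched (monitor only, result not applied)")
                continue
            self.log.append(f"{rule.name}: matched, running {rule.service}")
            return rule.service          # processing stops at the first match
        self.log.append(f"Default Rule: running {self.default_service}")
        return self.default_service

    def reset_hit_counts(self) -> None:
        # Equivalent of the Reset button on the Hit Count page.
        for rule in self.rules:
            rule.hit_count = 0


def build_sample_policy() -> ServiceSelectionPolicy:
    # Constructed rule set: TACACS+ goes to device administration, RADIUS to
    # network access, and a new wireless rule is still in Monitor Only.
    return ServiceSelectionPolicy(
        rules=[
            Rule("Rule-1", "Enabled", {"protocol": "TACACS+"}, "Default Device Admin"),
            Rule("Rule-2", "Monitor Only",
                 {"protocol": "RADIUS", "device_group": "Wireless"}, "Wireless Access"),
            Rule("Rule-3", "Disabled", {"protocol": "RADIUS"}, "Legacy Network Access"),
            Rule("Rule-4", "Enabled", {"protocol": "RADIUS", "device_group": ANY},
                 "Default Network Access"),
        ],
        default_service="DenyAccess",
    )
```

Running the wireless request through the sample policy shows why Monitor Only is useful: Rule-2 records a hit and a log line while the request is still served by Rule-4, so the new rule can be watched before it is enabled.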
Displaying Hit Counts

Use this page to reset and refresh the Hit Count display on the Rule-based Policy page. To display this page, click Hit Count on the Rule-based Policy page.

Table 10-4 Hit Count Page

Hit Counts Reset
- Last time hit counts were reset for this policy: Displays the date and time of the last hit count reset for this policy.
- Reset hit counts display for this policy: Click Reset to reset the hit counts display to zero (0) for all rules on the Policy page.

Hit Counts Collection
- Hit counts are collected every: Displays the interval between hit count collections.
- Last time hit counts were collected for this policy: Displays the date and time of the last hit count update for this policy.
- Refresh hit counts display for this policy: Click Refresh to refresh the hit count display in the Policy page with updated hit counts for all rules. The previous hit counts are deleted.

When a TACACS+ authentication request succeeds, the hit counts of the corresponding identity policy rule and authorization policy rule both increase by 1.

Deleting Service Selection Rules

Note: You cannot delete the Default service selection rule.

To delete a service selection rule:

Step 1  Select Access Policies > Service Selection Policy. The Service Selection Policy page appears, with a list of configured rules.

Step 2  Check one or more check boxes next to the rules that you want to delete.

Step 3  Click Delete. The Service Selection Rules page appears without the deleted rule(s).

Step 4  Click Save Changes to save the new configuration.
Configuring Access Services

Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administration, wireless network access, and so on. When you create an access service, you define the type of policies and policy structures that it contains; for example, policies for device administration or network access.

Note: You must create access services before you define service selection rules, although you do not need to define the policies in the services.

This section contains the following topics:
- Creating, Duplicating, and Editing Access Services, page 10-12
- Deleting an Access Service, page 10-20

After you create an access service, you can use it in the service selection policy. See Configuring the Service Selection Policy, page 10-5. You can customize and modify the policies in the access service. See Configuring Access Service Policies, page 10-21.

Related Topic
- Creating, Duplicating, and Editing Access Services, page 10-12

Editing Default Access Services

ACS 5.3 is preconfigured with two default access services, one for device administration and another for network access. You can edit these access services.

To edit a default access service:

Step 1  Choose one of the following:
- Access Policies > Access Services > Default Device Admin
- Access Policies > Access Services > Default Network Access
The Default Service Access Service Edit page appears.

Step 2  Edit the fields in the Default Service Access Service page. Table 10-5 describes the fields in the General tab.

Step 3  Edit the fields in the Allowed Protocols tab as described in Table 10-7.

Step 4  Click Submit to save the changes you have made to the default access service.

Table 10-5 Default Access Service - General Page

General

Name: Name of the access service.

Description: Description of the access service.

Service Type: (Display only) Type of service: device administration or network access.

Policy Structure

Identity: Check to include an identity policy in the access service, to define the identity store or stores that ACS uses for authentication and attribute retrieval.

Group Mapping: Check to include a group mapping policy in the access service, to map groups and attributes that are retrieved from external identity stores to the identity groups in ACS.

Authorization: Check to include an authorization policy in the access service, to apply:
- Authorization profiles for network access services.
- Shell profiles and command sets for device administration services.

Creating, Duplicating, and Editing Access Services

Access services contain the authentication and authorization policies for requests. When you create an access service, you define:

- Policy structure—The types of policies the service will contain. You can define these according to a service template, an existing service, or a use case. A service can contain:
  – An Identity policy—Defines which identity store to use for authentication.
  – A group mapping policy—Defines the identity group to which to map.
  – An Authorization policy—For network access, this policy defines which session authorization profile to apply; for device administration, it defines which shell profile or command set to apply.
- Allowed protocols—Specifies which authentication protocols are allowed for this access service, and provides additional information about how ACS uses them for authentication.

Use a service template to define an access service with policies that are customized to use specific condition types. See Configuring Access Services Templates, page 10-19 for information about the service templates.

Duplicate an access service to create a new access service with rules that are the same as, or very similar to, an existing access service. After duplication is complete, you access each service (original and duplicated) separately. To replicate a service policy structure without duplicating the source service’s rules, create a new access service based on an existing service.

To create, duplicate, or edit an access service:

Step 1  Select Access Policies > Access Services. The Access Services page appears with a list of configured services.
Step 2  Do one of the following:
- Click Create.
- Check the check box next to the access service that you want to duplicate; then click Duplicate.
- Click the access service name that you want to modify; or, check the check box next to the name and click Edit.
- Click the access service name in the left navigation tab.
The Access Service Properties General page appears.

If you are creating a new access service:
a. Define the name and policy structure of the access service.
b. Click Next to proceed to the Allowed Protocols page.
c. Click Finish to save the new access service.

If you are duplicating or editing an access service:
a. Modify fields in the Properties page tabs as required. You can add policies, but you cannot remove existing policies.
b. Click Submit to save changes.

For information about valid field options, see:
- Configuring General Access Service Properties, page 10-13
- Configuring Access Service Allowed Protocols, page 10-15
- Configuring Access Services Templates, page 10-19

The access service configuration is saved. The Access Services page appears with the new configuration.

Related Topics
- Deleting an Access Service, page 10-20
- Configuring Access Service Policies, page 10-21
- Configuring the Service Selection Policy, page 10-5

Configuring General Access Service Properties

Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.

Step 1  Select Access Policies > Access Services, then click Create, Duplicate, or Edit.

Step 2  Complete the fields as described in Table 10-6.

Step 3  Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols, page 10-15.

Table 10-6 Access Service Properties—General Page

General

Name: Name of the access service. If you are duplicating a service, you must enter a unique name as a minimum configuration; all other fields are optional.

Description: Description of the access service.

Access Service Policy Structure

Based on service template: Creates an access service containing policies based on a predefined template. This option is available only for service creation.

Based on existing service: Creates an access service containing policies based on an existing access service. The new access service does not include the existing service’s policy rules. This option is available only for service creation. To replicate a service, including its policy rules, duplicate an existing access service.

User selected service type: Provides you the option to select the access service type. The available options are Network Access, Device Administration, and External Proxy. The list of policies you can configure depends on your choice of access service type.

User Selected Service Type—Network Access and Device Administration

Policy Structure

Identity: Check to include an identity policy in the access service to define the identity store or stores that ACS uses for authentication and attribute retrieval.

Group Mapping: Check to include a group mapping policy in the access service to map groups and attributes that are retrieved from external identity stores to ACS identity groups.

Authorization: Check to include an authorization policy in the access service to apply:
- Authorization profiles for network access services.
- Shell profiles and command sets for device administration services.

User Selected Service Type—External Proxy

Select the set of external servers to be used for proxy. You can also determine the order in which these servers will be used.

Available External Proxy Servers: List of available external RADIUS and TACACS+ servers. Select the external servers to be used for proxy and move them to the Selected External Proxy Servers list.

Selected External Proxy Servers: List of selected external proxy servers.

Advanced Options

Accounting

Remote Accounting: Check to enable remote accounting.

Local Accounting: Check to enable local accounting.

Username Prefix\Suffix Stripping

Strip start of subject name up to the first occurrence of the separator: Check to strip the prefix from the username. For example, if the subject name is acme\smith and the separator is \, the username becomes smith. The default separator is \.

Strip end of subject name from the last occurrence of the separator: Check to strip the suffix from the username. For example, if the subject name is smith@acme.com and the separator is @, the username becomes smith. The default separator is @.
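The two stripping options above, as an added example that is not part of the original guide and is not ACS code: Python functions that apply the first-occurrence prefix strip and the last-occurrence suffix strip, plus a check that reports subject names which collapse to the same username once realm information is removed. The order in which the two strips are applied (prefix first), the handling of a subject that would become empty, and the sample subject names are assumptions.

```python
"""Username prefix/suffix stripping as described in Table 10-6 (Advanced Options).

Added example; not ACS code. The order (prefix first, then suffix) and the
behaviour when stripping would leave an empty name are assumptions.
"""


def strip_prefix(subject: str, separator: str = "\\") -> str:
    """Strip the start of the subject name up to the FIRST occurrence of the separator."""
    _, sep, rest = subject.partition(separator)
    return rest if sep else subject      # no separator present: name unchanged


def strip_suffix(subject: str, separator: str = "@") -> str:
    """Strip the end of the subject name from the LAST occurrence of the separator."""
    head, sep, _ = subject.rpartition(separator)
    return head if sep else subject


def effective_username(subject: str, strip_start: bool = True, prefix_sep: str = "\\",
                       strip_end: bool = True, suffix_sep: str = "@") -> str:
    """Apply the two stripping check boxes with their separators (defaults: \\ and @)."""
    name = subject
    if strip_start:
        name = strip_prefix(name, prefix_sep)
    if strip_end:
        name = strip_suffix(name, suffix_sep)
    # Assumption: a subject that consists only of separators is left as typed
    # rather than collapsing to an empty username.
    return name if name else subject


def collisions(subjects, **options) -> dict:
    """Group subject names that map to the same username after stripping.

    Stripping discards the realm, so acme\\smith and corp\\smith both become
    smith and are looked up as the same identity. Reporting the collisions lets
    the policy author confirm that is intended before enabling the options.
    """
    by_name: dict = {}
    for subject in subjects:
        by_name.setdefault(effective_username(subject, **options), []).append(subject)
    return {name: subs for name, subs in by_name.items() if len(subs) > 1}


# Constructed sample subject names (not taken from a real deployment)
SAMPLES = ["acme\\smith", "smith@acme.com", "acme\\smith@acme.com",
           "corp\\smith", "jones", "lee@mail@example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} -> {effective_username(s)}")
    print("collisions:", collisions(SAMPLES))
```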
Related Topics
- Configuring Access Service Allowed Protocols, page 10-15
- Configuring Access Services Templates, page 10-19

Configuring Access Service Allowed Protocols

The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.

Step 1  Select Access Policies > Access Services, then click:
- Create to create a new access service, then click Next to go to the Allowed Protocols screen.
- Duplicate to duplicate an access service, then click Next to go to the Allowed Protocols screen.
- Edit to edit an access service, then click Next to go to the Allowed Protocols screen.

Step 2  Complete the fields as shown in Table 10-7.

Table 10-7 Access Service Properties—Allowed Protocols Page

Process Host Lookup: Check to configure ACS to process the Host Lookup field (for example, when the RADIUS Service-Type equals 10) and use the System UserName attribute from the RADIUS Calling-Station-ID attribute. Uncheck for ACS to ignore the Host Lookup request and use the original value of the System UserName attribute for authentication and authorization. When unchecked, message processing is according to the protocol (for example, PAP).

Authentication Protocols

Allow PAP/ASCII: Enables PAP/ASCII. PAP uses clear-text passwords (that is, unencrypted passwords) and is the least secure authentication protocol. When you check Allow PAP/ASCII, you can check Detect PAP as Host Lookup to configure ACS to detect this type of request as a Host Lookup (instead of PAP) request in the network access service.

Allow CHAP: Enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Windows Active Directory.

Allow MS-CHAPv1: Enables MS-CHAPv1.

Allow MSCHAPv2: Enables MSCHAPv2.

Allow EAP-MD5: Enables EAP-based Message Digest 5 hashed authentication. When you check Allow EAP-MD5, you can check Detect EAP-MD5 as Host Lookup to configure ACS to detect this type of request as a Host Lookup (instead of EAP-MD5) request in the network access service.

Allow EAP-TLS: Enables the EAP-TLS authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between ACS and the end-user client. EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates. See Configuring Local Server Certificates, page 18-14 for more information.

Allow LEAP: Enables LEAP authentication.

Allow PEAP: Enables the PEAP authentication protocol and PEAP settings. The default inner method is MSCHAPv2. When you check Allow PEAP, you can configure the following PEAP inner methods:
- Allow EAP-TLS—Check to use EAP-TLS as the inner method.
- Allow EAP-MSCHAPv2—Check to use EAP-MSCHAPv2 as the inner method.
  – Allow Password Change—Check for ACS to support password changes.
  – Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1 to 3.
- Allow EAP-GTC—Check to use EAP-GTC as the inner method.
  – Allow Password Change—Check for ACS to support password changes.
  – Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1 to 3.