Cisco Acs 5x User Guide
10-27
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 10  Managing Access Policies
Configuring Access Service Policies
Step 2  Select an identity group.
Step 3  Click Save Changes to save the policy.

To configure a rule-based policy, see these topics:
- Creating Policy Rules, page 10-37
- Duplicating a Rule, page 10-38
- Editing Policy Rules, page 10-38
- Deleting Policy Rules, page 10-39

Related Topics
- Viewing Identity Policies, page 10-21
- Configuring a Session Authorization Policy for Network Access, page 10-29
- Configuring Shell/Command Authorization Policies for Device Administration, page 10-34

Table 10-13 Rule-based Group Mapping Policy Page

Policy type
    Defines the type of policy to configure:
    - Simple—Specifies the results to apply to all requests.
    - Rule-based—Configure rules to apply different results depending on the request.
    Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Status
    Current status of the rule. The rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name
    Rule name.

Conditions
    Conditions that determine the scope of the policy. This column displays all current conditions in subcolumns.

Results
    Identity group that is used as a result of the evaluation of the rule.

Hit Count
    Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule
    ACS applies the Default rule when:
    - Enabled rules are not matched.
    - No other rules are defined.
    Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
    Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.
    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.
Configuring Group Mapping Policy Rule Properties

Use this page to create, duplicate, or edit a group mapping policy rule to define the mapping of attributes and groups that are retrieved from external databases to ACS identity groups.

Step 1  Select Access Policies > Access Services > service > Group Mapping, then do one of the following:
- Click Create.
- Check a rule check box, and click Duplicate.
- Click a rule name or check a rule check box, then click Edit.
Step 2  Complete the fields as described in Table 10-14.

Table 10-14 Group Mapping Rule Properties Page

General

Rule Name
    Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
    Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.
    The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.
    If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.

Results

Identity Group
    Identity group to which attributes and groups from requests are mapped.
    							10-29
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 10      Managing Access Policies
      Configuring Access Service Policies
Configuring a Session Authorization Policy for Network Access

When you create an access service for network access authorization, ACS creates a Session Authorization policy. You can then add and modify rules in this policy to determine the access permissions for the client session.

You can create a standalone authorization policy for an access service, which is a standard first-match rule table. You can also create an authorization policy with an exception policy. See Configuring Authorization Exception Policies, page 10-35. When a request matches an exception rule, the exception rule result is always applied.

The rules can contain any conditions and multiple results:
- Authorization profile—Defines the user-defined attributes and, optionally, the downloadable ACL that the Access-Accept message should return.
- Security Group Tag (SGT)—If you have installed Cisco Security Group Access, the authorization rules can define which SGT to apply to the request.

For information about how ACS processes rules with multiple authorization profiles, see Processing Rules with Multiple Authorization Profiles, page 3-17.

To configure an authorization policy, see these topics:
- Creating Policy Rules, page 10-37
- Duplicating a Rule, page 10-38
- Editing Policy Rules, page 10-38
- Deleting Policy Rules, page 10-39

For information about creating an authorization policy for:
- Host Lookup requests, see ACS and Cisco Security Group Access, page 4-23.
- Security Group Access support, see Creating an Endpoint Admission Control Policy, page 4-27.

Step 1  Select Access Policies > Access Services > service > Authorization.
Step 2  Complete the fields as described in Table 10-15.
Table 10-15 Network Access Authorization Policy Page

Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name
    Name of the rule.

Conditions

Identity Group
    Name of the internal identity group that the rule matches against.

NDG:name
    Network device group. The two predefined NDGs are Location and Device Type.

conditions
    Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Authorization Profile
    Displays the authorization profile that will be applied when the corresponding rule is matched.
    When you enable the Security Group Access feature, you can customize rule results; a rule can determine the access permission of an endpoint, the security group of that endpoint, or both. The columns that appear reflect the customization settings.

Hit Count
    The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule
    ACS applies the Default rule when:
    - Enabled rules are not matched.
    - No other rules are defined.
    Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
    Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.
    When you enable the Security Group Access feature, you can also choose the set of rule results: only session authorization profiles, only security groups, or both.
    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.
Configuring Network Access Authorization Rule Properties

Use this page to create, duplicate, and edit the rules that determine access permissions in a network access service.

Step 1  Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate.
Step 2  Complete the fields as described in Table 10-16.

Table 10-16 Network Access Authorization Rule Properties Page

General

Name
    Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
    Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.
    The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.
    If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.

Results

Authorization Profiles
    List of available and selected profiles. You can choose multiple authorization profiles to apply to a request. See Processing Rules with Multiple Authorization Profiles, page 3-17 for information about the importance of authorization profile order when resolving conflicts.

Security Group
    (Security Group Access only) The security group to apply.
    When you enable Security Group Access, you can customize the results options to display only session authorization profiles, only security groups, or both.
Configuring Device Administration Authorization Policies

A device administration authorization policy determines the authorizations and permissions for network administrators.

You create an authorization policy during access service creation. See Configuring General Access Service Properties, page 10-13 for details of the Access Service Create page.

Use this page to:
- View rules.
- Delete rules.
- Open pages that enable you to create, duplicate, edit, and customize rules.

Select Access Policies > Access Services > service > Authorization.

The Device Administration Authorization Policy page appears as described in Table 10-17.

Table 10-17 Device Administration Authorization Policy Page

Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name
    Name of the rule.

Conditions
    Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results
    Displays the shell profiles and command sets that will be applied when the corresponding rule is matched.
    You can customize rule results; a rule can apply shell profiles, or command sets, or both. The columns that appear reflect the customization settings.

Hit Count
    Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule
    ACS applies the Default rule when:
    - Enabled rules are not matched.
    - No other rules are defined.
    Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
    Opens the Customize page in which you choose the types of conditions and results to use in policy rules. The Conditions and Results columns reflect your customized settings.
    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.
Configuring Device Administration Authorization Rule Properties

Use this page to create, duplicate, and edit the rules that determine authorizations and permissions in a device administration access service.

Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate.

The Device Administration Authorization Rule Properties page appears as described in Table 10-18.

Table 10-18 Device Administration Authorization Rule Properties Page

General

Name
    Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
    Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.
    The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.
    If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.

Results

Shell Profiles
    Shell profile to apply for the rule.

Command Sets
    List of available and selected command sets. You can choose multiple command sets to apply.

Configuring Device Administration Authorization Exception Policies

You can create a device administration authorization exception policy for a defined authorization policy. Results from the exception rules always override authorization policy rules.

Use this page to:
- View exception rules.
- Delete exception rules.
- Open pages that create, duplicate, edit, and customize exception rules.

Select Access Policies > Access Services > service > Authorization, and click Device Administration Authorization Exception Policy.

The Device Administration Authorization Exception Policy page appears as described in Table 10-19.

Table 10-19 Device Administration Authorization Exception Policy Page

Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name
    Name of the rule.

Conditions

Identity Group
    Name of the internal identity group that the rule matches against.

NDG:name
    Network device group. The two predefined NDGs are Location and Device Type.

Condition
    Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results
    Displays the shell profile and command sets that will be applied when the corresponding rule is matched.
    You can customize rule results; a rule can determine the shell profile, the command sets, or both. The columns that appear reflect the customization settings.

Hit Count
    Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Customize button
    Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions and results as in the corresponding authorization policy.
    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.

Configuring Shell/Command Authorization Policies for Device Administration

When you create an access service and select a service policy structure for Device Administration, ACS automatically creates a shell/command authorization policy. You can then create and modify policy rules.

The web interface supports the creation of multiple command sets for device administration. With this capability, you can maintain a smaller number of basic command sets and then choose them in combination as rule results, rather than maintaining every combination in its own command set.

You can also create an authorization policy with an exception policy, which can override the standard policy results. See Configuring Authorization Exception Policies, page 10-35.

For information about how ACS processes rules with multiple command sets, see Processing Rules with Multiple Command Sets, page 3-11.
To configure rules, see:
- Creating Policy Rules, page 10-37
- Duplicating a Rule, page 10-38
- Editing Policy Rules, page 10-38
- Deleting Policy Rules, page 10-39
Configuring Authorization Exception Policies

An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to grant provisional access to visitors or to increase the level of access for specific users. Use exception policies to react efficiently to changing circumstances and events.

The results from the exception rules always override the standard authorization policy rules.

You create exception policies in a separate rule table from the main authorization policy table. You do not need to use the same policy conditions in the exception policy as you used in the corresponding standard authorization policy.
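The evaluation order this chapter describes (exception table first, then the standard first-match rule table, then the Default Rule, with Enabled, Disabled and Monitor rule statuses and per-rule hit counts) is easiest to reason about as a small model. The following Python is an added illustration written for this page, not ACS code, and it also covers the session authorization policy described earlier in Configuring a Session Authorization Policy for Network Access. Every rule name, identity group, NDG value and profile name in it is constructed, and it assumes that after a Monitor rule logs its hit, evaluation continues to the next rule; the guide only states that the hit is logged and the result is not applied.

```python
"""Model of the rule-table semantics described in this chapter.

Added illustration, not ACS code. It assumes:
  - an authorization policy is a first-match rule table with a Default Rule;
  - an exception policy is a separate first-match table checked first, and
    its result always overrides the standard policy;
  - Enabled rules apply their results, Disabled rules are skipped, and
    Monitor rules count and log the hit but do not apply results (the model
    then continues to the next rule; the guide does not state this).
All rule names, identity groups, NDG values and profile names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A request is reduced to the attributes that the rule conditions look at.
Request = Dict[str, str]


@dataclass
class Rule:
    name: str
    status: str                              # "Enabled", "Disabled" or "Monitor"
    condition: Callable[[Request], bool]     # the default ANY is lambda r: True
    results: List[str]                       # e.g. authorization profile names
    hit_count: int = 0                       # the Hit Count column


@dataclass
class AuthorizationPolicy:
    rules: List[Rule]
    default_results: List[str]               # results of the Default Rule
    exception_rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _first_match(self, table: str, rules: List[Rule],
                     request: Request) -> Optional[List[str]]:
        """Walk one rule table top to bottom; return the first applied result."""
        for rule in rules:
            if rule.status == "Disabled" or not rule.condition(request):
                continue
            rule.hit_count += 1
            if rule.status == "Monitor":
                # Hit is recorded and flagged as monitor only; result not applied.
                self.log.append(f"{table}/{rule.name}: hit (monitor only, result not applied)")
                continue
            self.log.append(f"{table}/{rule.name}: hit, applying {rule.results}")
            return rule.results
        return None

    def evaluate(self, request: Request) -> List[str]:
        """Exception table first, then the standard table, then the Default Rule."""
        result = self._first_match("exception", self.exception_rules, request)
        if result is not None:
            return result                    # exception result always overrides
        result = self._first_match("standard", self.rules, request)
        if result is not None:
            return result
        self.log.append("standard/Default Rule: applied")
        return self.default_results

    def reset_hit_counts(self) -> None:
        """What the Hit Count button's reset does for the whole page."""
        for rule in self.rules + self.exception_rules:
            rule.hit_count = 0


def build_sample_policy() -> AuthorizationPolicy:
    """Constructed sample: a new rule still in Monitor, one Enabled rule,
    one Disabled legacy rule, and a temporary exception for visitors."""
    return AuthorizationPolicy(
        rules=[
            Rule("Contractors-Limited", "Monitor",
                 lambda r: r.get("identity_group") == "Contractors", ["Limited-Access"]),
            Rule("Admins-at-HQ", "Enabled",
                 lambda r: r.get("identity_group") == "Network Admins"
                 and r.get("ndg_location") == "HQ", ["Full-Access"]),
            Rule("Legacy-Allow-All", "Disabled", lambda r: True, ["Legacy-Access"]),
        ],
        default_results=["Deny-Access"],
        exception_rules=[
            Rule("Visitor-Week", "Enabled",
                 lambda r: r.get("identity_group") == "Visitors", ["Guest-Provisional"]),
        ],
    )


def run_demo() -> Dict[str, List[str]]:
    """Evaluate three constructed requests and return the applied results by label."""
    policy = build_sample_policy()
    requests = {
        "admin_hq": {"identity_group": "Network Admins", "ndg_location": "HQ"},
        "contractor": {"identity_group": "Contractors", "ndg_location": "HQ"},
        "visitor": {"identity_group": "Visitors", "ndg_location": "Branch"},
    }
    return {label: policy.evaluate(req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, applied in run_demo().items():
        print(f"{label}: {applied}")
```

The contractor request is the instructive case: the Monitor rule matches and its hit count increments, but the session still falls through to the Default Rule, which is exactly what lets you watch a new rule's hit count before enabling it. The same model describes a rule-based group mapping policy if the result list holds an identity group instead of authorization profiles.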
To access the exception policy rules page:
Step 1  Select Access Policies > Service Selection Policy service > authorization policy, where service is the name of the access service, and authorization policy is the session authorization or shell/command set authorization policy.
Step 2  In the Rule-Based Policy page, click the Exception Policy link above the rules table.
The Exception Policy table appears with the fields described in Table 10-20.
    						
Table 10-20 Network Access Authorization Exception Policy Page

Status
    Rule statuses are:
    - Enabled—The rule is active.
    - Disabled—ACS does not apply the results of the rule.
    - Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name
    Name of the rule.

Conditions

Identity Group
    Name of the internal identity group that the rule matches against.

NDG:name
    Network device group. The two predefined NDGs are Location and Device Type.

Condition Name
    Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results
    Displays the authorization profile that will be applied when the corresponding rule is matched.
    When you enable the Security Group Access feature, you can customize rule results; a rule can determine the access permission of an endpoint, the security group of that endpoint, or both. The columns that appear reflect the customization settings.

Hit Count
    Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Customize button
    Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions as in the corresponding authorization policy.
    When you enable the Security Group Access feature, you can also choose the set of rule results: only session authorization profiles, only security groups, or both.
    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.

To configure rules, see:
- Creating Policy Rules, page 10-37
- Duplicating a Rule, page 10-38
- Editing Policy Rules, page 10-38
- Deleting Policy Rules, page 10-39

Related Topics
- Configuring a Session Authorization Policy for Network Access, page 10-29
- Configuring Shell/Command Authorization Policies for Device Administration, page 10-34