Cisco Acs 5x User Guide
    							10-37
    User Guide for Cisco Secure Access Control System 5.3
    OL-24201-01
    Chapter 10      Managing Access Policies
      Configuring Access Service Policies
    Creating Policy Rules
    When you create rules, remember that the order of the rules is important. ACS evaluates the rules in order as it processes the request of a client that tries to access the network; at the first rule whose conditions match, all further processing stops and the result associated with that rule is applied. No further rules are considered after a match is found, so a broad rule placed above a narrower one shadows it: the narrower rule can never match.
    The Default Rule provides a default policy in cases where no rules are matched or defined. You can edit the result of the Default Rule.
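The first-match behaviour described above, modelled in Python as an added example (this is not code from the Cisco guide; the rule names, attribute names and result names are invented): an ordered rule table is evaluated against a request, the Default Rule's result is returned when nothing matches, and a check reports rules that an earlier, broader rule shadows so that they can never fire.

```python
"""Ordered rule table with first-match semantics and a Default Rule.

Added example, not code from the Cisco ACS guide. Rule names, attribute
names and result names are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    conditions: dict      # attribute -> required value; a simple rule table
    result: str           # implies equals (=) between attribute and value
    enabled: bool = True


def rule_matches(rule, request):
    """True when the rule is enabled and every condition holds for the request."""
    return rule.enabled and all(
        request.get(attr) == value for attr, value in rule.conditions.items()
    )


def evaluate(rules, default_result, request):
    """Return (rule name, result) of the first matching rule.

    Processing stops at the first match; no later rule is considered.
    When no rule matches, the Default Rule's result applies.
    """
    for rule in rules:
        if rule_matches(rule, request):
            return rule.name, rule.result
    return "Default", default_result


def shadowed_rules(rules):
    """Report (shadowed rule, shadowing rule) pairs.

    A rule is shadowed when an earlier, enabled rule has a subset of its
    conditions: every request the later rule could match is caught first
    by the earlier one, so the later rule never fires. This is the usual
    symptom of a mis-ordered rule table.
    """
    report = []
    for index, later in enumerate(rules):
        if not later.enabled:
            continue
        for earlier in rules[:index]:
            if earlier.enabled and set(earlier.conditions.items()) <= set(later.conditions.items()):
                report.append((later.name, earlier.name))
                break
    return report


# Constructed sample rule table. The intent is to deny contractors on core
# routers, but the broad "Contractors-Readonly" rule sits above the narrower
# deny rule and therefore shadows it.
RULES = [
    Rule("Contractors-Readonly", {"IdentityGroup": "Contractors"}, "ReadOnly-Profile"),
    Rule("NetOps-Full", {"IdentityGroup": "NetOps", "NDG:DeviceType": "Core-Router"}, "Full-Access"),
    Rule("Contractors-Core", {"IdentityGroup": "Contractors", "NDG:DeviceType": "Core-Router"}, "Deny-Access"),
]
DEFAULT_RESULT = "Deny-Access"

# Same rules with the narrow deny rule moved above the broad one.
FIXED_RULES = [RULES[2], RULES[0], RULES[1]]

CONTRACTOR_ON_CORE = {"IdentityGroup": "Contractors", "NDG:DeviceType": "Core-Router"}


if __name__ == "__main__":
    print(evaluate(RULES, DEFAULT_RESULT, CONTRACTOR_ON_CORE))          # ('Contractors-Readonly', 'ReadOnly-Profile')
    print(shadowed_rules(RULES))                                         # [('Contractors-Core', 'Contractors-Readonly')]
    print(evaluate(FIXED_RULES, DEFAULT_RESULT, CONTRACTOR_ON_CORE))    # ('Contractors-Core', 'Deny-Access')
    print(evaluate(RULES, DEFAULT_RESULT, {"IdentityGroup": "Guest"}))  # ('Default', 'Deny-Access')
```

Running the shadow check after every rule-table change is the cheap way to catch the ordering mistake the guide warns about: in the sample table the deny for contractors on core routers is dead until it is moved above the read-only rule.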
    Before You Begin
    Configure the policy conditions and results. See Managing Policy Conditions, page 9-1.
    Select the types of conditions and results that the policy rules apply. See Customizing a Policy, 
    page 10-4.
    To create a new policy rule:
    Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy. If you:
    Previously created a rule-based policy, the Rule-Based Policy page appears, with a list of configured rules.
    Have not created a rule-based policy, the Simple Policy page appears. Click Rule-Based.
    Step 2 In the Rule-Based Policy page, click Create.
    The Rule page appears.
    Step 3 Define the rule.
    Step 4 Click OK.
    The Policy page appears with the new rule.
    Step 5 Click Save Changes to save the new rule.
    To configure a simple policy to use the same result for all requests that an access service processes, see:
    Viewing Identity Policies, page 10-21
    Configuring a Group Mapping Policy, page 10-26
    Configuring a Session Authorization Policy for Network Access, page 10-29
    Configuring Shell/Command Authorization Policies for Device Administration, page 10-34
    Related Topics
    Duplicating a Rule, page 10-38
    Editing Policy Rules, page 10-38
    Deleting Policy Rules, page 10-39
    Duplicating a Rule
    You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing 
    rule. The duplicate rule name is based on the original rule with parentheses to indicate duplication; for 
    example, Rule-1(1). 
    After duplication is complete, you access each rule (original and duplicated) separately.
    Note: You cannot duplicate the Default rule.
    To duplicate a rule:
    Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy.
    The Policy page appears with a list of configured rules.
    Step 2 Check the check box next to the rule that you want to duplicate. You cannot duplicate the Default Rule.
    Step 3 Click Duplicate.
    The Rule page appears.
    Step 4 Change the name of the rule and complete the other applicable field options.
    Step 5 Click OK.
    The Policy page appears with the new rule.
    Step 6 Click Save Changes to save the new rule.
    Step 7 Click Discard Changes instead, to cancel the duplicate rule.
    Related Topics
    Creating Policy Rules, page 10-37
    Editing Policy Rules, page 10-38
    Deleting Policy Rules, page 10-39
    Editing Policy Rules
    You can edit all values of policy rules; you can also edit the result in the Default rule.
    To edit a rule:
    Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy.
    The Policy page appears, with a list of configured rules.
    Step 2 Click the name of the rule that you want to modify; or, check the check box for the rule and click Edit.
    The Rule page appears.
    Step 3 Edit the appropriate values.
    Step 4 Click OK.
    The Policy page appears with the edited rule.
    Step 5 Click Save Changes to save the new configuration.
    Step 6 Click Discard Changes instead, to cancel the edited information.
    Related Topics
    Creating Policy Rules, page 10-37
    Duplicating a Rule, page 10-38
    Deleting Policy Rules, page 10-39
    Deleting Policy Rules
    Note: You cannot delete the Default rule.
    To delete a policy rule:
    Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy.
    The Policy page appears, with a list of configured rules.
    Step 2 Check one or more check boxes next to the rules that you want to delete.
    Step 3 Click Delete.
    The Policy page appears without the deleted rule(s).
    Step 4 Click Save Changes to save the new configuration.
    Step 5 Click Discard Changes instead, to cancel the deletion and keep the rules.
    Related Topics
    Creating Policy Rules, page 10-37
    Duplicating a Rule, page 10-38
    Editing Policy Rules, page 10-38
    Configuring Compound Conditions
    Use compound conditions to define a set of conditions based on any attributes allowed in simple policy 
    conditions. You define compound conditions in a policy rule page; you cannot define them as separate 
    condition objects.
    This section contains the following topics:
    Compound Condition Building Blocks, page 10-40
    Types of Compound Conditions, page 10-41
    Using the Compound Expression Builder, page 10-44
    Compound Condition Building Blocks
    Figure 10-1 shows the building blocks of a compound condition.
    Figure 10-1 Building Blocks of a Compound Condition
    
    Operands—Any attribute or condition type, such as Protocol/Request Attributes, Identity 
    Attributes, Identity Groups, Network Device Groups (NDGs), Date/Time, and Custom or Standard 
    Conditions.
    Relational Operators—Operators that specify the relation between an operand and a value; for 
    example, equals (=), or does not match. The operators that you can use in any condition vary 
    according to the type of operand. 
    Binary condition—A binary condition defines the relation between a specified operand and value; 
    for example, [username = “Smith”].
    Logical Operators—The logical operators operate on or between binary conditions. The supported 
    logical operators are AND and OR. 
    Precedence Control—You can alter the precedence of logical operators by using parentheses. 
    Nested parentheses provide administrator control of precedence. The natural precedence of logical 
    operators, that is, without parenthesis intervention, is NOT, AND, OR, where NOT has the highest 
    precedence and OR the lowest.
    Table 10-21 summarizes the supported dynamic attribute mapping while building Compound Conditions.
    Table 10-21 Supported Dynamic Attribute Mapping in Policy Compound Condition
    Operand1                Operand2                Example
    String attribute        String attribute        —
    Integer attribute       Integer attribute       —
    Enumeration attribute   Enumeration attribute   —
    Boolean attribute       Boolean attribute       —
    IP address attribute    IP address attribute    —
    Special cases:
    Hierarchical attribute  String attribute        NDG:Customer vs. Internal Users string attribute
    String attribute        Hierarchical attribute  —
    Note: Dynamic attribute mapping is not applicable to the ExternalGroups attribute of type String Enum or to the Time And Date attribute of type Date Time Period.
    For a hierarchical attribute, the value carries the attribute name as a prefix, so when you configure a string attribute to compare against a hierarchical attribute, the value of the string attribute has to start with the hierarchical attribute name.
    For example:
    When you define a new string attribute named UsrAttr to compare against the DeviceGroup attribute created under NDG, the value of UsrAttr has to be configured as follows:
    DeviceGroup:Value
    When you want to compare a string attribute with UserIdentityGroup, which is a hierarchy type attribute within each internal user, the string attribute has to be configured as follows:
    IdentityGroup:All Groups:"Identity Group Name"
    Related Topics
    Types of Compound Conditions, page 10-41
    Using the Compound Expression Builder, page 10-44
    Types of Compound Conditions
    You can create three types of compound conditions:
    Atomic Condition
    Consists of a single predicate and is the only entry in the list. Because all simple conditions in a rule table, except for NDGs, assume the equals (=) operation between the attribute and value, the atomic condition is used to choose an operator other than equals (=). See Figure 10-2 for an example.
    Figure 10-2 Compound Expression - Atomic Condition
    Single Nested Compound Condition
    Consists of a single logical operator applied to a set of two or more predicates; the operator is applied between each of the predicates. See Figure 10-3 for an example. The preview window displays parentheses [()] to indicate the precedence of logical operators.
    Figure 10-3 Single Nested Compound Expression
    Multiple Nested Compound Condition
    You can extend a single nested compound condition by replacing any predicate in it with another single nested compound condition. See Figure 10-4 for an example. The preview window displays parentheses [()] to indicate the precedence of logical operators.
    Figure 10-4 Multiple Nested Compound Expression
    Compound Expression with Dynamic value
    You can select dynamic value to select another dictionary attribute to compare against the dictionary 
    attribute selected as operand. See Figure 10-5 for an example.
    Figure 10-5 Compound Expression Builder with Dynamic Value
    Related Topics
    Compound Condition Building Blocks, page 10-40
    Using the Compound Expression Builder, page 10-44
    Using the Compound Expression Builder
    You construct compound conditions by using the expression builder in Rule Properties pages. The 
    expression builder contains two sections: a predicate builder to create primary conditions and controls 
    for managing the expression.
    In the first section, you define the primary conditions. Choose the dictionary and attribute to define the 
    operand, then choose the operator, and specify a value for the condition. Use the second section to 
    organize the order of conditions and the logical operators that operate on or between binary conditions. 
    Table 10-22 describes the fields in the compound expression builder.
    Table 10-22 Expression Builder Fields
    Field: Description
    Condition: Use this section to define the primary conditions.
    Dictionary: Specifies the dictionary from which to take the operand. The available options depend on the policy that you are defining. For example, when you define a service selection policy, the Identity dictionaries are not available.
    Attribute: Specifies the attribute that is the operand of the condition. The available attributes depend on the dictionary that you chose.
    Operator: The relational operators offered are determined dynamically by the attribute chosen in the preceding operand field.
    Value: The condition value. The type of this field depends on the type of condition or attribute. Select one of the following two options:
    Static: If selected, you enter or select the static value, depending on the attribute type.
    Dynamic: If selected, you select another dictionary attribute to compare against the dictionary attribute selected as the operand.
    Current Condition Set: Use this section to organize the order of conditions and the logical operators that operate on or between binary conditions.
    Condition list: Displays the list of defined binary conditions for the compound condition and their associated logical operators.
    Add: After you define a binary condition, click Add to add it to the Condition list.
    Edit: To edit a binary condition, select the condition in the Condition list and click Edit. The condition properties appear in the Condition fields. Modify the condition as required, then click Replace.
    Replace: Click to replace the selected condition with the condition currently defined in the Condition fields.
    And, Or: Specifies the logical operator on a selected condition, or between the selected condition and the one above it. Click the appropriate operator, and click Insert to add the operator as a separate line; click the operator and click Replace to replace the selected line.
    Delete: Click to delete the selected binary condition or operator from the condition list.
    Preview: Click to display the current expression in its parenthesized representation. The rule table displays the parenthesized representation after the compound expression is created.
    Related Topics
    Compound Condition Building Blocks, page 10-40
    Types of Compound Conditions, page 10-41
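The compound condition described in Compound Condition Building Blocks (page 10-40), Types of Compound Conditions (page 10-41) and the expression builder above, modelled as an added Python example. This is not the guide's own code: the attribute names, the regular-expression semantics chosen for the matches and does not match operators, and the request values are assumptions made for illustration. Binary conditions are the operands; AND, OR and NOT are the logical operators with the natural precedence NOT, AND, OR that the guide states; preview() renders the expression, adding parentheses where a child binds more loosely than its parent (the guide's builder shows parentheses for every nested group, this model shows only the ones that change meaning); a condition with dynamic=True compares against another request attribute, as with the builder's Dynamic value option; and evaluate() applies the expression to a request.

```python
"""Model of an ACS-style compound condition: binary conditions joined by
AND/OR/NOT, a precedence-aware preview and an evaluator.

Added example, not code from the Cisco ACS guide. Attribute names, the
regex semantics chosen for "matches" / "does not match", and the request
values are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Any, Tuple


@dataclass(frozen=True)
class Cond:
    """Binary condition [attribute operator value].

    With dynamic=True the value names another request attribute to compare
    against (the expression builder's Dynamic option) rather than a literal.
    """
    attribute: str
    operator: str
    value: str
    dynamic: bool = False


@dataclass(frozen=True)
class Not:
    operand: Any


@dataclass(frozen=True)
class And:
    operands: Tuple[Any, ...]


@dataclass(frozen=True)
class Or:
    operands: Tuple[Any, ...]


# Natural precedence without parentheses: NOT binds tightest, OR loosest.
PRECEDENCE = {Or: 0, And: 1, Not: 2, Cond: 3}

OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "matches": lambda a, b: re.fullmatch(b, a) is not None,
    "does not match": lambda a, b: re.fullmatch(b, a) is None,
}


def preview(node):
    """Render the expression, adding parentheses only where a child binds
    more loosely than its parent, i.e. where precedence alone would change
    the meaning."""
    if isinstance(node, Cond):
        rhs = node.value if node.dynamic else f'"{node.value}"'
        return f"[{node.attribute} {node.operator} {rhs}]"
    if isinstance(node, Not):
        return "NOT " + _wrap(node.operand, Not)
    joiner = " AND " if isinstance(node, And) else " OR "
    return joiner.join(_wrap(child, type(node)) for child in node.operands)


def _wrap(child, parent_type):
    text = preview(child)
    return f"({text})" if PRECEDENCE[type(child)] < PRECEDENCE[parent_type] else text


def evaluate(node, request):
    """Apply the expression to a request (a dict of attribute -> value)."""
    if isinstance(node, Cond):
        left = request.get(node.attribute)
        right = request.get(node.value) if node.dynamic else node.value
        if left is None or right is None:
            return False  # model choice: a missing attribute satisfies no condition
        return OPERATORS[node.operator](str(left), str(right))
    if isinstance(node, Not):
        return not evaluate(node.operand, request)
    if isinstance(node, And):
        return all(evaluate(child, request) for child in node.operands)
    return any(evaluate(child, request) for child in node.operands)


# Constructed conditions.
PROTO = Cond("Protocol", "=", "RADIUS")
LOCATION = Cond("NDG:Location", "does not match", "Branch-.*")
USER = Cond("UserName", "=", "Smith")
OWNER = Cond("Device-Owner", "=", "UserName", dynamic=True)   # dynamic value
CONTRACTOR = Cond("IdentityGroup", "=", "Contractors")

# Multiple nested condition: two single nested AND groups joined by OR.
EXPR1 = Or((And((PROTO, LOCATION)), And((USER, OWNER))))
# The OR must be parenthesized here, otherwise AND would bind first.
EXPR2 = And((PROTO, Or((USER, Not(CONTRACTOR)))))

REQUEST = {"Protocol": "RADIUS", "NDG:Location": "Branch-12", "UserName": "Smith",
           "Device-Owner": "Smith", "IdentityGroup": "Contractors"}

if __name__ == "__main__":
    print(preview(EXPR1))
    print(preview(EXPR2))
    print(evaluate(EXPR1, REQUEST), evaluate(EXPR2, REQUEST))   # True True
```

Note the model's treatment of a missing attribute: a bare condition on an absent attribute is false, so NOT of that condition is true. Whether a negated condition should match a request that lacks the attribute is exactly the kind of edge case to test against the real policy before relying on a does not match or NOT rule for a deny decision.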
    Security Group Access Control Pages
    This section contains the following topics:
    Egress Policy Matrix Page, page 10-45
    Editing a Cell in the Egress Policy Matrix, page 10-46
    Defining a Default Policy for Egress Policy Page, page 10-46
    NDAC Policy Page, page 10-47
    NDAC Policy Properties Page, page 10-48
    Network Device Access EAP-FAST Settings Page, page 10-50
    Egress Policy Matrix Page
    The Egress policy, also known as an SGACL policy, determines which SGACLs to apply at the Egress 
    points of the network, based on the source and destination SGTs. ACS presents the Egress policy as a 
    matrix; it displays all the security groups in the source and destination axes. Each cell in the matrix can 
    contain a set of ACLs to apply to the corresponding source and destination SGTs. 
    The network devices add the default policy to the specific policies that you defined for the cells. For 
    empty cells, only the default policy applies.
    Use the Egress policy matrix to view, define, and edit the sets of ACLs to apply to the corresponding 
    source and destination SGTs.
    To display this page, choose Access Policies > Security Group Access Control > Egress Policy.
    Table 10-23 Egress Policy Matrix Page
    Option: Description
    Destination Security Group: Column header displaying all destination security groups.
    Source Security Group: Row header displaying all source security groups.
    Cells: Contain the SGACLs to apply to the corresponding source and destination security group.
    Edit: Click a cell, then click Edit to open the Edit dialog box for that cell. See Editing a Cell in the Egress Policy Matrix, page 10-46.
    Default Policy: Click to open a dialog box to define the default Egress policy. See Defining a Default Policy for Egress Policy Page, page 10-46.
    Set Matrix View: To change the Egress policy matrix display, choose an option, then click Go:
    All: Clears all the rows and columns in the Egress policy matrix.
    Customize View: Launches a window where you can customize the source and destination security groups corresponding to the selected cell.
    Related Topic
    Creating an Egress Policy, page 4-27
    Editing a Cell in the Egress Policy Matrix
    Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply to the corresponding source and destination security group.
    To display this page, choose Access Policies > Security Group Access Control > Egress Policy, select a cell, then click Edit.
    Table 10-24 Edit Cell Page
    Option: Description
    Configure Security Groups: Display only. Displays the source and destination security group names for the selected cell.
    General: Description for the cell policy.
    ACLs: Move the SGACLs that you want to apply to the corresponding source and destination security group from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and Down (v) arrows.
    Related Topic
    Creating an Egress Policy, page 4-27
    Defining a Default Policy for Egress Policy Page
    Use this page to define the default Egress policy. The network devices add the default policy to the specific policies defined for the cells. For empty cells, only the default policy applies.
    To display this page, choose Access Policies > Security Group Access Control > Egress Policy, then click Default Policy.
    Table 10-25 Default Policy Page
    Option: Description
    ACLs: Move the SGACLs that you want to apply to the corresponding source and destination security group from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and Down (v) arrows. Select Permit All or Deny All as a final catch-all rule. Because the default policy is appended to every cell, including empty ones, a Deny All catch-all makes the matrix default-deny for any source and destination pair you have not explicitly permitted, while Permit All makes it default-allow.
    Related Topics
    Creating an Egress Policy, page 4-27
    Creating a Default Policy, page 4-28
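The egress policy matrix resolution described in this section, as an added Python example (not code from the Cisco guide). Security group names, SGACL names and the simplified ACE syntax ("permit tcp dst eq 443", "deny ip") are invented for the example; what the code follows from the guide is the composition order: the cell's SGACLs in the order set on the Edit Cell page, then the default policy, with the first matching ACE deciding, and only the default policy for an empty cell. It also includes the check a reviewer of such a matrix wants: that the default policy actually ends in a catch-all.

```python
"""Egress (SGACL) policy matrix: resolving and applying the effective SGACL
list for a source/destination security group pair.

Added example, not code from the Cisco ACS guide. Security group names,
SGACL names and the simplified ACE syntax are invented; the resolution
order (cell SGACLs in configured order, then the default policy, first
matching ACE wins, only the default policy for an empty cell) follows the
guide's description.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip = any protocol)
    dst_port: Optional[int] = None  # None = any destination port


def parse_sgacl(text):
    """Parse a line-oriented SGACL in the simplified syntax used here:
    '<permit|deny> <proto> [dst eq <port>]', one ACE per line."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        port = int(parts[4]) if parts[2:4] == ["dst", "eq"] else None
        aces.append(Ace(action, proto, port))
    return aces


# Constructed SGACLs.
SGACLS = {
    "Allow-Web": parse_sgacl("permit tcp dst eq 443\npermit tcp dst eq 80"),
    "Allow-SSH": parse_sgacl("permit tcp dst eq 22"),
    "Deny-Telnet": parse_sgacl("deny tcp dst eq 23"),
    "Permit-All": parse_sgacl("permit ip"),
    "Deny-All": parse_sgacl("deny ip"),
}

# Matrix cells: (source SGT, destination SGT) -> SGACL names in the order set
# with the Up/Down arrows on the Edit Cell page. Pairs with no entry are
# empty cells and receive only the default policy.
MATRIX = {
    ("Employees", "Web-Servers"): ["Allow-Web"],
    ("NetOps", "Web-Servers"): ["Deny-Telnet", "Allow-SSH", "Allow-Web"],
}
DEFAULT_POLICY = ["Deny-All"]   # appended to every cell; Deny All as the catch-all


def effective_sgacls(matrix, default_policy, src, dst):
    """Cell SGACLs first, then the default policy (only the default for an empty cell)."""
    return list(matrix.get((src, dst), [])) + list(default_policy)


def decide(matrix, default_policy, src, dst, proto, dst_port):
    """Return (action, SGACL name) of the first ACE that matches the flow."""
    for name in effective_sgacls(matrix, default_policy, src, dst):
        for ace in SGACLS[name]:
            if ace.proto in ("ip", proto) and ace.dst_port in (None, dst_port):
                return ace.action, name
    # Assumption for this model: nothing matched and no catch-all was configured.
    return "deny", "no-match"


def has_catch_all(default_policy):
    """True when the default policy ends in a Permit All or Deny All ACE,
    so every flow reaches an explicit decision."""
    if not default_policy:
        return False
    last = SGACLS[default_policy[-1]][-1]
    return last.proto == "ip" and last.dst_port is None


if __name__ == "__main__":
    print(decide(MATRIX, DEFAULT_POLICY, "Employees", "Web-Servers", "tcp", 443))  # ('permit', 'Allow-Web')
    print(decide(MATRIX, DEFAULT_POLICY, "NetOps", "Web-Servers", "tcp", 23))      # ('deny', 'Deny-Telnet')
    print(decide(MATRIX, DEFAULT_POLICY, "Guests", "Web-Servers", "tcp", 443))     # ('deny', 'Deny-All')
    print(has_catch_all(DEFAULT_POLICY))                                            # True
```

The "Guests" case is the one to keep in mind when reviewing a matrix: a pair with no cell gets nothing but the default policy, so with Deny All as the catch-all the empty cell is a deny, and with Permit All it silently becomes an allow.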
    						