Cisco Acs 5x User Guide
10-47 User Guide for Cisco Secure Access Control System 5.3, OL-24201-01
Chapter 10 Managing Access Policies
Security Group Access Control Pages

NDAC Policy Page

The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a Security Group Access environment. The NDAC policy handles:
- Peer authorization requests from one device about its neighbor.
- Environment requests (a device is collecting information about itself).
The policy returns the same SGT for a specific device, regardless of the request type.

Note: You do not add an NDAC policy to an access service; it is implemented by default. However, for endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-31, for information about creating a session authorization policy.

Use this page to configure a simple policy that assigns the same security group to all devices, or configure a rule-based policy.

To display this page, choose Access Policies > Security Group Access Control > Network Device Access > Authentication Policy.

If you have already configured an NDAC policy, the corresponding Simple Policy page or Rule-based Policy page opens; otherwise, the Simple Policy page opens by default.

Simple Policy Page
Use this page to define a simple NDAC policy.

Rule-Based Policy Page
Use this page for a rule-based policy to:
- View rules.
- Delete rules.
- Open pages that create, duplicate, edit, and customize rules.

Table 10-26 Simple NDAC Policy Page (Option: Description)
  Policy type
    Defines the type of policy to configure:
    Simple—Specifies that the result applies to all requests.
    Rule-based—Configure rules to apply different results depending on the request.
    If you switch between policy types, you will lose your previously saved policy configuration.
  Security Group
    Select the security group to assign to devices. The default is Unknown.
Related Topics:
- Configuring an NDAC Policy, page 4-25
- NDAC Policy Properties Page, page 10-48

NDAC Policy Properties Page

Use this page to create, duplicate, and edit rules to determine the SGT for a device.

To display this page, choose Access Policies > Security Group Access Control > Network Device Access > Authentication Policy, then click Create, Edit, or Duplicate.

Table 10-27 Rule-Based NDAC Policy Page (Option: Description)
  Policy type
    Defines the type of policy to configure:
    Simple—Specifies the result to apply to all requests.
    Rule-based—Configure rules to apply different results depending on the request.
    If you switch between policy types, you will lose your previously saved policy configuration.
  Status
    Rule statuses are:
    Enabled—The rule is active.
    Disabled—ACS does not apply the results of the rule.
    Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.
  Name
    Name of the rule. The Default Rule is available for conditions for which:
    - Enabled rules are not matched.
    - Rules are not defined.
    Click a link to edit or duplicate a rule. You can edit the Default Rule but you cannot delete, disable, or duplicate it.
  Conditions
    Conditions that you can use to define policy rules. To change the display of rule conditions, click the Customize button. You must have previously defined the conditions that you want to use.
  Results
    Displays the security group assigned to the device when it matches the corresponding condition.
  Hit Count
    Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.
  Customize button
    Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions as in the corresponding authorization policy.
    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.
  Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.
Note: For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, page 10-31, for information about creating a session authorization policy.

Related Topics:
- Configuring an NDAC Policy, page 4-25
- NDAC Policy Page, page 10-47

Table 10-28 NDAC Policy Properties Page (Option: Description)
  General
  Name
    Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.
  Status
    Rule statuses are:
    Enabled—The rule is active.
    Disabled—ACS does not apply the results of the rule.
    Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.
  Conditions
  conditions
    Conditions that you can configure for the rule. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then enter the value.
    If compound expression conditions are available, when you check Compound Expression, an expression builder appears. For more information, see Configuring Compound Conditions, page 10-40.
    To change the list of conditions for the policy, click the Customize button in the NDAC Policy Page, page 10-47.
  Results
  Security Group
    Select the security group to assign to the device when it matches the corresponding conditions.
Network Device Access EAP-FAST Settings Page

Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses.

To display this page, choose Access Policies > Security Group Access Control > Network Device Access.

Table 10-29 Network Device Access EAP-FAST Settings Page (Option: Description)
  EAP-FAST Settings
  Tunnel PAC Time To Live
    Time to live (TTL), or duration, of a PAC before it expires and requires replacing.
  Proactive PAC Update When % of PAC TTL is Left
    Percentage of PAC TTL remaining when you should update the PAC.

Related Topics:
- Configuring an NDAC Policy, page 4-25
- Configuring EAP-FAST Settings for Security Group Access, page 4-26
- NDAC Policy Page, page 10-47

Maximum User Sessions

For optimal performance, you can limit the number of concurrent users accessing the network resources. ACS 5.3 imposes limits on the number of concurrent service sessions per user. The limits can be set in several different ways: at the user level or at the group level. Depending on the maximum user session configuration, the session count is applied to the user.

Note: To make maximum sessions work for user access, the administrator should configure RADIUS accounting.

Note: To make maximum sessions work for device management, the administrator should configure TACACS+ session authorization and accounting.

This section contains the following topics:
- Max Session User Settings, page 10-51
- Max Session Group Settings, page 10-51
- Max Session Global Setting, page 10-52
- Purging User Sessions, page 10-53
- Maximum User Session in Distributed Environment, page 10-54
- Maximum User Session in Proxy Scenario, page 10-55
Max Session User Settings

You can configure maximum user sessions to impose a maximum session value for each user.

To configure maximum user sessions:

Step 1 Choose Access Policies > Max User Session Policy > Max Session User Settings.
Step 2 Specify a Max User Session Value for the maximum number of concurrent sessions permitted.
Step 3 Check the Unlimited Sessions checkbox if you want the users to have unlimited sessions.
Step 4 Click Submit.

Note: If a maximum session value is configured at both the user level and the group level, the lower value takes precedence. For example, suppose user Bob is in the group America:US:West. The maximum session value for the group America:US:West is 5 sessions and the maximum user session value is 10. In this case, user Bob can have a maximum of 5 sessions only.

Related topics
- Maximum User Sessions, page 10-50
- Max Session Group Settings, page 10-51
- Max Session Global Setting, page 10-52
- Purging User Sessions, page 10-53
- Maximum User Session in Distributed Environment, page 10-54
- Maximum User Session in Proxy Scenario, page 10-55

Max Session Group Settings

You can configure maximum sessions for Identity Groups. You can choose any one identity group and configure the maximum sessions for that group.

To configure maximum sessions for a group:

Step 1 Choose Access Policies > Max User Session Policy > Max Session Group Settings. All the configured identity groups are listed.
Step 2 Select the checkbox next to the group for which you want to configure maximum sessions.
Step 3 Click Edit.
Step 4 Complete the fields as described in Table 10-30.
Step 5 Click Submit.
Unlimited is selected by default.

Group level sessions are applied based on the hierarchy. For example, the group hierarchy is America:US:West:CA and the maximum sessions are as follows:
- America: 100 max sessions
- US: 80 max sessions
- West: 75 max sessions
- CA: 50 max sessions

If the user belongs to America/US/West, ACS will check that the number of sessions does not exceed the limit specified for the groups America/US/West, America/US, and America. When you set the maximum session group setting of a user group to 100, it means that the total count of all the sessions established by all the members of that group cannot exceed 100. Once the session is allowed, the Number of Active Sessions Availed counter for each of the three nodes is increased by one. Child groups cannot have more sessions than the parent group.

Table 10-30 Max User Session Global Settings Page (Option: Description)
  General
  Name
    Name of the Identity Group.
  Description
    Description of the Identity Group.
  Max Session Group Settings
  Unlimited Session
    Check this checkbox if you want to provide unlimited sessions to the group.
  Max Session for Group
    Specify a value for the maximum number of concurrent sessions permitted for the group.

Related topics
- Maximum User Sessions, page 10-50
- Max Session User Settings, page 10-51
- Max Session Global Setting, page 10-52
- Purging User Sessions, page 10-53
- Maximum User Session in Distributed Environment, page 10-54
- Maximum User Session in Proxy Scenario, page 10-55

Max Session Global Setting

You can assign session keys for RADIUS and TACACS+ requests. A session key is provided with a set of attributes for RADIUS and TACACS+. You can customize the session key attributes according to your environment. If you do not assign any session key, ACS uses the default session key values.

The session key is a unique key that is used to track user sessions. The session key helps ACS to differentiate between a user re-authenticating to the same session and a user starting a new session. The session key attributes for a single session should be the same in the access request as well as in the accounting start packet; this helps ACS to identify the session properly. When ACS re-authenticates the same session again, the same key is retained.

To configure the global settings for maximum user sessions, choose System Administration > Users > Max User Session Global Settings.
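The following is an added illustrative model, not ACS code, of the rules described above: a session key assembled from the default RADIUS attributes identifies a session (so a re-authentication with the same key does not add to the count), the lower of the user-level and group-level values takes precedence, and a session is counted against every node on the group path. The user and group names, the `SessionTracker` class and the RADIUS attribute values are constructed for the example.

```python
"""Illustrative model (added example, not ACS code) of maximum-user-session
counting: session key from RADIUS attributes, least-value precedence between
user and group limits, and group limits enforced at every hierarchy level."""

# Default RADIUS session key attributes, as listed in Table 10-31.
DEFAULT_RADIUS_KEY = ("UserName", "NAS-Identifier", "NAS-Port", "Calling-Station-ID")

UNLIMITED = None  # stands for the "Unlimited Sessions" checkbox


def session_key(attrs, key_attrs=DEFAULT_RADIUS_KEY):
    """Build the session key from the configured attributes. The same attributes
    must be present in the access request and the accounting start packet,
    otherwise the two cannot be tied to one session."""
    return ":".join(str(attrs.get(name, "")) for name in key_attrs)


def group_path(group):
    """'America:US:West' -> ['America', 'America:US', 'America:US:West']."""
    parts = group.split(":")
    return [":".join(parts[:i]) for i in range(1, len(parts) + 1)]


class SessionTracker:
    """Session cache of a single ACS server (hypothetical class for this example)."""

    def __init__(self, user_limits, group_limits):
        self.user_limits = user_limits    # user name -> int or UNLIMITED
        self.group_limits = group_limits  # group path -> int or UNLIMITED
        self.active = {}                  # session key -> (user, group)

    def user_sessions(self, user):
        return sum(1 for u, _ in self.active.values() if u == user)

    def group_sessions(self, group):
        # Sessions of members of this group or of any child group count here.
        return sum(1 for _, g in self.active.values()
                   if g == group or g.startswith(group + ":"))

    def effective_limit(self, user, group):
        """Least of the user limit and every group limit on the path."""
        limits = [self.user_limits.get(user, UNLIMITED)]
        limits += [self.group_limits.get(g, UNLIMITED) for g in group_path(group)]
        bounded = [lim for lim in limits if lim is not UNLIMITED]
        return min(bounded) if bounded else UNLIMITED

    def access_request(self, user, group, attrs):
        """Return 'accept', 'reject' or 're-auth' for an access request."""
        key = session_key(attrs)
        if key in self.active:
            return "re-auth"  # same key: existing session, count unchanged
        user_limit = self.user_limits.get(user, UNLIMITED)
        if user_limit is not UNLIMITED and self.user_sessions(user) >= user_limit:
            return "reject"
        for g in group_path(group):
            limit = self.group_limits.get(g, UNLIMITED)
            if limit is not UNLIMITED and self.group_sessions(g) >= limit:
                return "reject"
        self.active[key] = (user, group)  # counter of every node on the path rises by one
        return "accept"

    def accounting_stop(self, attrs):
        """Close the session with the matching key; True if one was tracked."""
        return self.active.pop(session_key(attrs), None) is not None


def radius_attrs(user, port):
    # Constructed sample attributes; only the NAS-Port varies per session.
    return {"UserName": user, "NAS-Identifier": "switch-1",
            "NAS-Port": port, "Calling-Station-ID": "00-11-22-33-44-55"}


def bob_example():
    """The guide's example: group America:US:West allows 5, user Bob allows 10."""
    t = SessionTracker({"bob": 10},
                       {"America": 100, "America:US": 80, "America:US:West": 5})
    results = [t.access_request("bob", "America:US:West", radius_attrs("bob", p))
               for p in range(6)]
    return t.effective_limit("bob", "America:US:West"), results


def hierarchy_example():
    """Sessions under America:US:West:CA are counted at every ancestor node."""
    t = SessionTracker({}, {"America": 100, "America:US": 80,
                            "America:US:West": 75, "America:US:West:CA": 50})
    for p in range(2):
        t.access_request("alice", "America:US:West:CA", radius_attrs("alice", p))
    t.access_request("alice", "America:US:West:CA", radius_attrs("alice", 0))  # re-auth
    return [t.group_sessions(g) for g in group_path("America:US:West:CA")]


if __name__ == "__main__":
    print(bob_example())        # (5, ['accept', 'accept', 'accept', 'accept', 'accept', 'reject'])
    print(hierarchy_example())  # [2, 2, 2, 2]
```

The model makes the operational dependency visible: if the NAS omits one of the key attributes from either the access request or the accounting start, the two keys differ and a single session is counted twice, so an attribute mismatch shows up as users being rejected below their configured limit.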
Table 10-31 Max User Session Global Settings Page (Option: Description)
  RADIUS Session Key Assignment
  Available Session Keys
    RADIUS session keys available for assignment.
    Note: To use the RADIUS Acct-Session-Id (attribute #44) in the RADIUS session key, the admin should configure the Acct-Session-Id to be sent in the access request:
    Router(config)# radius-server attribute 44 include-in-access-req
  Assigned Session Keys
    RADIUS session keys assigned. The default session keys for RADIUS are: UserName:NAS-Identifier:NAS-Port:Calling-Station-ID
  TACACS+ Session Key Assignment
  Available Session Keys
    TACACS+ session keys available for assignment.
  Assigned Session Keys
    TACACS+ session keys assigned. The default session keys for TACACS+ are: User:NAS-Address:Port:Remote-Address
  Max User Session Timeout Settings
  Unlimited Session Timeout
    No timeout.
  Max User Session Timeout
    Once the session timeout is reached, ACS sends a fake STOP packet to close the respective session and update the session count.
    Note: The user is not forced to log out of the device.

Related topics
- Maximum User Sessions, page 10-50
- Max Session User Settings, page 10-51
- Max Session Group Settings, page 10-51
- Purging User Sessions, page 10-53
- Maximum User Session in Distributed Environment, page 10-54
- Maximum User Session in Proxy Scenario, page 10-55

Purging User Sessions

You can use the Purge option only when users are listed as Logged-in but the connection to the AAA client has been lost and the users are no longer actually logged in. Purging will not log off the user from the AAA client; however, it will decrease the session count by one. While the count is zero, any interim updates or STOP packets that arrive from the device will be discarded. If a user logged in with the same user name and password on another AAA client, that session will not be affected by the purge.

Note: A fake accounting stop is sent irrespective of the session count value.

To purge the user sessions:

Step 1 Go to System Administration > Users > Purge User Sessions. The Purge User Session page appears with a list of all AAA clients.
Step 2 Select the AAA client for which you want to purge the user sessions.
Step 3 Click Get Logged-in User List. A list of all the logged-in users is displayed.
Step 4 Click Purge All Sessions to purge all the user sessions logged in to the particular AAA client.

Related topics
- Maximum User Sessions, page 10-50
- Max Session User Settings, page 10-51
- Max Session Group Settings, page 10-51
- Max Session Global Setting, page 10-52
- Maximum User Session in Distributed Environment, page 10-54
- Maximum User Session in Proxy Scenario, page 10-55

Maximum User Session in Distributed Environment

In a distributed environment, all the user and identity group configurations are replicated to the secondaries, except the session cache information that the runtime maintains for maximum user sessions. Hence, each server has its own session details in the runtime. Also, the maximum session count is applied on whichever ACS server receives the authentication or accounting request.

Related topics
- Maximum User Sessions, page 10-50
- Max Session User Settings, page 10-51
- Max Session Group Settings, page 10-51
- Max Session Global Setting, page 10-52
- Purging User Sessions, page 10-53
- Maximum User Session in Proxy Scenario, page 10-55
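The following is an added illustrative model, not ACS code, of the purge and session timeout behaviour described in the Purging User Sessions section and in the Max User Session Timeout row of Table 10-31: purging a AAA client closes each of its sessions with a fake STOP and decrements the count without telling the device to log the user off, a real interim update or STOP that later arrives for a session that is no longer tracked is discarded, a session of the same user on another AAA client is untouched, and a session that reaches the timeout is closed with a fake STOP in the same way. The `SessionCache` class, the AAA client names and the session keys are constructed for the example; treating "count is zero" as "session key no longer tracked" is a simplification of this model.

```python
"""Illustrative model (added example, not ACS code) of purging user sessions
and of the Max User Session Timeout, as described in the guide."""

TIMEOUT_UNLIMITED = None  # the "Unlimited Session Timeout" option


class SessionCache:
    """Session cache of one ACS server (hypothetical class for this example)."""

    def __init__(self, session_timeout=TIMEOUT_UNLIMITED):
        self.session_timeout = session_timeout  # seconds, or TIMEOUT_UNLIMITED
        self.sessions = {}   # session key -> {"user", "client", "started"}
        self.counts = {}     # user -> sessions this server currently tracks
        self.events = []     # audit trail of what the model did

    def accounting_start(self, key, user, client, now):
        self.sessions[key] = {"user": user, "client": client, "started": now}
        self.counts[user] = self.counts.get(user, 0) + 1
        self.events.append(("start", key))

    def _close(self, key, reason):
        # Decrement the session count; a "fake-stop-*" reason means ACS closed the
        # session internally and the device was not told to log the user off.
        info = self.sessions.pop(key)
        user = info["user"]
        self.counts[user] = max(self.counts[user] - 1, 0)
        self.events.append((reason, key))

    def accounting_interim(self, key):
        if key not in self.sessions:   # nothing tracked: discard the update
            self.events.append(("discard-interim", key))
            return "discarded"
        self.events.append(("interim", key))
        return "updated"

    def accounting_stop(self, key):
        if key not in self.sessions:   # count already zero for this session
            self.events.append(("discard-stop", key))
            return "discarded"
        self._close(key, "stop")
        return "closed"

    def purge_client(self, client):
        """Purge All Sessions for one AAA client: a fake STOP is sent for every
        session of that client irrespective of the session count value."""
        keys = [k for k, s in self.sessions.items() if s["client"] == client]
        for k in keys:
            self._close(k, "fake-stop-purge")
        return len(keys)

    def expire(self, now):
        """Close every session whose Max User Session Timeout has been reached."""
        if self.session_timeout is TIMEOUT_UNLIMITED:
            return 0
        expired = [k for k, s in self.sessions.items()
                   if now - s["started"] >= self.session_timeout]
        for k in expired:
            self._close(k, "fake-stop-timeout")
        return len(expired)

    def active_count(self, user):
        return self.counts.get(user, 0)


def purge_scenario():
    """Bob has sessions on two AAA clients; the one on nas-a lost its connection."""
    cache = SessionCache(session_timeout=3600)
    cache.accounting_start("bob:nas-a:1:mac", "bob", "nas-a", now=0)
    cache.accounting_start("bob:nas-b:7:mac", "bob", "nas-b", now=100)
    purged = cache.purge_client("nas-a")
    after_purge = cache.active_count("bob")               # only the nas-b session remains
    late_stop = cache.accounting_stop("bob:nas-a:1:mac")  # arrives from the device after purge
    other_ok = cache.accounting_interim("bob:nas-b:7:mac")
    expired = cache.expire(now=3700)                      # nas-b started at 100, timeout 3600
    return purged, after_purge, late_stop, other_ok, expired, cache.active_count("bob")


if __name__ == "__main__":
    print(purge_scenario())  # (1, 1, 'discarded', 'updated', 1, 0)
```

Because the cache is per server, the same scenario run on a secondary that never saw the accounting start would discard every packet for that session, which is the practical reason the guide requires authentication and accounting for a session to reach the same ACS server.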
Maximum User Session in Proxy Scenario

Authentication and accounting requests should be sent to the same ACS server; otherwise the Maximum Session feature will not work as desired.

Related topics
- Maximum User Sessions, page 10-50
- Max Session User Settings, page 10-51
- Max Session Group Settings, page 10-51
- Max Session Global Setting, page 10-52
- Purging User Sessions, page 10-53
- Maximum User Session in Distributed Environment, page 10-54