Cisco ACS 5.x User Guide
16-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 16 Managing System Administrators

Understanding Roles

Table 16-1 Predefined Role Descriptions (continued) (Role, Privileges)

SecurityAdmin
This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:
- Read and write permissions on internal protocol users and administrator password policies
- Read and write permissions on administrator account settings
- Read and write permissions on administrator access settings

SuperAdmin
The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is the most convenient, and it is the role assigned to the predefined ACSAdmin account. This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

SystemAdmin
This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:
- Read and write permissions on all system administration activities except for account definition
- Read and write permissions on ACS instances

UserAdmin
This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which include internal users and internal hosts. This role has the following permissions:
- Read and write permissions on users and hosts
- Read permission on identity groups (IDGs)

Note: At first login, only the Super Admin role is assigned, and only to one specific administrator (the predefined ACSAdmin account).

Related Topics
- Administrator Accounts and Role Association
- Creating, Duplicating, Editing, and Deleting Administrator Accounts

Changing Role Associations

By design, all roles in ACS are predefined and cannot be changed; ACS allows you only to change role associations. Because such changes affect the authorization status of the entire system, only the Super Admin and SecurityAdmin roles have the privilege to change role associations. Changes in role associations take effect only after the affected administrators log out and log in again; at the new login, ACS reads and applies the changed associations. Consequently, removing a role from an administrator who is currently logged in does not revoke that role for the remainder of the current session.

Note: Assign the Super Admin and SecurityAdmin roles with care, because role association changes have global ramifications.
Administrator Accounts and Role Association

Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignment.

Note: It is recommended that you create a unique administrator account for each person. In this way, operations are clearly attributed in the audit log.

Administrators are authenticated against the internal database only. You can edit and delete existing accounts. However, the web interface displays an error message if you attempt to delete or disable the last super administrator.

Only appropriately privileged administrators can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there.

Related Topics
- Understanding Roles
- Creating, Duplicating, Editing, and Deleting Administrator Accounts

Creating, Duplicating, Editing, and Deleting Administrator Accounts

To create, duplicate, edit, or delete an administrator account:

Step 1 Choose System Administration > Administrators > Accounts.
The Administrators page appears with a list of configured administrators as described in Table 16-2.

Table 16-2 Accounts Page (Option, Description)
- Status: Current status of this administrator. Enabled: this administrator is active. Disabled: this administrator is not active; you cannot log in to ACS with a disabled admin account.
- Name: Name of the administrator.
- Role(s): Roles assigned to the administrator.
- Description: Description of this administrator.
Step 2 Do any of the following:
- Click Create.
- Check the check box next to the account that you want to duplicate and click Duplicate.
- Click the account that you want to modify; or, check the check box for the Name and click Edit.
- Check the check box next to the account for which you want to change the password and click Change Password. See Resetting Another Administrator's Password, page 16-14, for more information.
- Check one or more check boxes next to the accounts that you want to delete and click Delete.

Note: On the Duplicate page, you must change at least the Admin Name.

Note: Firefox does not display a warning message when you try to delete the last recovery admin account from the ACS web interface if you have enabled the Prevent this page from creating additional dialogs check box.

Step 3 Complete the Administrator Accounts Properties page fields as described in Table 16-3.
Step 4 Click Submit.

Table 16-3 Administrator Accounts Properties Page (Option, Description)

General
- Admin Name: Configured name of this administrator. If you are duplicating an account, be sure to enter a unique name.
- Status: From the Status drop-down list, select whether the account is enabled or disabled. This option is disabled if you check the Account never disabled check box.
- Description: A description of this administrator.
- Email Address: Administrator e-mail address. ACS View directs alerts to this address.
- Account never disabled: Check to ensure that this account is never disabled. The account is not disabled even when its password expires, when the account becomes inactive, or when the specified number of login retries is exceeded. Because this exempts the account from every automatic lockout configured in the Advanced tab (Table 16-7), including the failed-attempt limit, reserve it for a tightly controlled recovery account.

Authentication Information
- Password: Authentication password.
- Confirm Password: Confirmation of the authentication password.
- Change password on next login: Check to prompt the administrator for a new password at the next login.

Role Assignment
- Available Roles: List of all configured roles. Select the roles that you want to assign to this administrator and click >. Click >> to assign all roles to this administrator.
- Assigned Roles: Roles that apply to this administrator.
The new account is saved. The Administrators page appears, with the new account that you created or duplicated.

Related Topics
- Understanding Roles, page 16-3
- Administrator Accounts and Role Association, page 16-6
- Viewing Predefined Roles, page 16-8
- Configuring Authentication Settings for Administrators, page 16-9

Viewing Predefined Roles

See Table 16-1 for a description of the predefined roles included in ACS.

To view predefined roles, choose System Administration > Administrators > Roles. The Roles page appears with a list of predefined roles. Table 16-4 describes the Roles page fields.

Table 16-4 Roles Page (Field, Description)
- Name: List of all configured roles. See Predefined Roles, page 16-4, for a list of predefined roles.
- Description: Description of each role.

Viewing Role Properties

Use this page to view the properties of each role. Choose System Administration > Administrators > Roles, and click a role or choose the role's radio button and click View. The Roles Properties page appears as described in Table 16-5.

Table 16-5 Roles Properties Page (Field, Description)
- Name: Name of the role. Roles are predefined and cannot be created, duplicated, or edited. See Table 16-4 for a list of predefined roles.
- Description: Description of the role. See Predefined Roles, page 16-4, for more information.
- Permissions List:
  - Resource: List of available resources.
  - Privileges: Privileges that can be assigned to each resource. If a privilege does not apply, the privilege check box is dimmed (not available). Row color is irrelevant to the availability of a given privilege, which is determined by the explicit text in the Privileges column.
Related Topics
- Understanding Roles, page 16-3
- Administrator Accounts and Role Association, page 16-6
- Configuring Authentication Settings for Administrators, page 16-9

Configuring Authentication Settings for Administrators

Authentication settings are a set of rules that enhance security by forcing administrators to use strong passwords, change their passwords regularly, and so on. Any password policy changes that you make apply to all ACS system administrator accounts.

To configure a password policy:

Step 1 Choose System Administration > Administrators > Settings > Authentication.
The Password Policies page appears with the Password Complexity and Advanced tabs.
Step 2 In the Password Complexity tab, check each check box that you want to use to configure your administrator password. Table 16-6 describes the fields in the Password Complexity tab.
Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your administrator authentication process. Table 16-7 describes the fields in the Advanced tab.

Table 16-6 Password Complexity Tab (Option, Description)
Applies to all ACS system administrator accounts.
- Minimum length: Required minimum length; the valid options are 4 to 20.
- Password may not contain the username or its characters in reversed order: Check to specify that the password cannot contain the username or the reversed username. For example, if your username is john, your password cannot contain john or nhoj.
- Password may not contain 'cisco' or its characters in reversed order: Check to specify that the password cannot contain the word cisco or its characters in reverse order, that is, ocsic.
- Password may not contain '' or its characters in reversed order: Check to specify that the password cannot contain the string that you enter in the field or its characters in reverse order. For example, if you specify the string polly, your password cannot contain polly or yllop.
- Password may not contain repeated characters four or more times consecutively: Check to specify that the password cannot repeat a character four or more times consecutively. For example, you cannot have the string apppple as your password; the letter p appears four times consecutively.
- Password must contain at least one character of each of the selected types:
  - Lowercase alphabetic characters: Password must contain at least one lowercase alphabetic character.
  - Uppercase alphabetic characters: Password must contain at least one uppercase alphabetic character.
  - Numeric characters: Password must contain at least one numeric character.
  - Non-alphanumeric characters: Password must contain at least one non-alphanumeric character.
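The rules in Table 16-6, written out as an added Python checker. This is example code, not Cisco's: ACS enforces the rules itself when a password is submitted, and its matching behaviour is not documented here, so treating the forbidden strings case-insensitively (the table's john/nhoj, cisco/ocsic and polly/yllop examples are all lowercase) is an assumption, as are the policy values, usernames and candidate passwords below, which are constructed.

```python
"""Checker for the ACS 5.3 administrator password-complexity rules (Table 16-6).
Added example, not Cisco code; the ACS web interface enforces these itself."""
from dataclasses import dataclass, field


@dataclass
class ComplexityPolicy:
    min_length: int = 4                                  # ACS accepts 4..20
    forbid_username: bool = True                         # username or its reverse
    forbid_cisco: bool = True                            # "cisco" or "ocsic"
    forbid_strings: list = field(default_factory=list)   # the '' field, any number of entries
    forbid_four_repeats: bool = True                     # no character 4+ times in a row
    need_lower: bool = True
    need_upper: bool = True
    need_digit: bool = True
    need_symbol: bool = True

    def __post_init__(self):
        if not 4 <= self.min_length <= 20:
            raise ValueError("ACS accepts a minimum length of 4 to 20")


def _contains_either_way(password: str, word: str) -> bool:
    """True if password contains word or its reverse. Case-insensitive
    comparison is an assumption (the table shows only lowercase examples)."""
    p, w = password.lower(), word.lower()
    return bool(w) and (w in p or w[::-1] in p)


def _has_run_of(password: str, n: int) -> bool:
    """True if any character appears n or more times consecutively (apppple)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


def check_password(password: str, username: str, policy: ComplexityPolicy) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.forbid_username and _contains_either_way(password, username):
        violations.append("contains the username or its reverse")
    if policy.forbid_cisco and _contains_either_way(password, "cisco"):
        violations.append("contains 'cisco' or its reverse")
    for s in policy.forbid_strings:
        if _contains_either_way(password, s):
            violations.append(f"contains {s!r} or its reverse")
    if policy.forbid_four_repeats and _has_run_of(password, 4):
        violations.append("repeats a character four or more times consecutively")
    if policy.need_lower and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if policy.need_upper and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if policy.need_digit and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if policy.need_symbol and not any(not c.isalnum() for c in password):
        violations.append("no non-alphanumeric character")
    return violations


if __name__ == "__main__":
    # Constructed sample policy and candidates (not from the ACS guide).
    policy = ComplexityPolicy(min_length=8, forbid_strings=["polly"])
    for pw in ("nhoj", "apppple1A!", "Ocsic-9x", "yLLop#42", "Gr8-Rel4y!"):
        print(f"{pw:12s} -> {check_password(pw, 'john', policy) or 'OK'}")
```

Running it shows the table's own examples being rejected for the stated reason and only the last candidate passing; the checker is useful for validating a proposed password offline before it is typed into the Administrator Accounts Properties page.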
Note: ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. CLI and PI (programmatic interface) user accounts are blocked, and they receive a notification that they can change the password through the web interface. If your account is disabled, contact another administrator to enable your account.

Step 4 Click Submit.
The administrator password policy is configured with the defined criteria. These criteria apply only to future logins.

Table 16-7 Advanced Tab (Option, Description)

Password History
- Password must be different from the previous n versions: Specifies the number of previous passwords for this administrator to be compared against. This option prevents administrators from setting a password that was recently used. Valid options are 1 to 99.

Password Lifetime: Administrators are required to periodically change password
- Display reminder after n days: Displays a reminder after n days to change the password; the valid options are 1 to 365. This option, when set, only displays a reminder. It does not prompt you for a new password.
- Require a password change after n days: Specifies that the password must be changed after n days; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days.
- Disable administrator account after n days if password is not changed: Specifies that the administrator account must be disabled after n days if the password is not changed; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option.

Account Inactivity: Inactive accounts are disabled
- Require a password change after n days of inactivity: Specifies that the password must be changed after n days of inactivity; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option.
- Disable administrator account after n days of inactivity: Specifies that the administrator account must be disabled after n days of inactivity; the valid options are 1 to 365. ACS does not allow you to configure this option without configuring the Display reminder after n days option.

Incorrect Password Attempts
- Disable account after n successive failed attempts: Specifies the maximum number of login retries after which the account is disabled; the valid options are 1 to 10.
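How the Advanced-tab settings in Table 16-7 combine for a single account, together with the Account never disabled exemption from Table 16-3, as an added Python model. This is example code, not Cisco's, and ACS's internal evaluation is not documented on this page: the constraints it encodes (the disable and inactivity options require the reminder option; the 1 to 365, 1 to 99 and 1 to 10 ranges; the three conditions that disable an account) are those the tables state, while the order in which conditions are evaluated and the whole-day, greater-or-equal comparison are assumptions. The policy values, dates and accounts are constructed.

```python
"""Model of the ACS 5.3 Advanced-tab rules (Table 16-7) and the
'Account never disabled' flag (Table 16-3). Added example, not Cisco code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AdvancedPolicy:
    history_depth: int = 5                        # previous n passwords, 1..99
    reminder_days: Optional[int] = None           # 1..365; prerequisite for the (*) options
    change_days: Optional[int] = None             # force a change after n days, 1..365
    disable_unchanged_days: Optional[int] = None  # (*) disable if not changed after n days
    inactive_change_days: Optional[int] = None    # (*) force a change after n idle days
    inactive_disable_days: Optional[int] = None   # (*) disable after n idle days
    max_failed_attempts: int = 3                  # disable after n failures, 1..10

    def __post_init__(self):
        starred = (self.disable_unchanged_days, self.inactive_change_days,
                   self.inactive_disable_days)
        if self.reminder_days is None and any(v is not None for v in starred):
            raise ValueError("configure 'Display reminder after n days' first")
        for v in (self.reminder_days, self.change_days, *starred):
            if v is not None and not 1 <= v <= 365:
                raise ValueError("day values must be between 1 and 365")
        if not 1 <= self.max_failed_attempts <= 10:
            raise ValueError("failed-attempt limit must be between 1 and 10")
        if not 1 <= self.history_depth <= 99:
            raise ValueError("password history depth must be between 1 and 99")


@dataclass
class AdminAccount:
    name: str
    last_password_change: datetime
    last_login: datetime
    failed_attempts: int = 0
    never_disabled: bool = False        # Table 16-3 'Account never disabled'
    password_history: tuple = ()        # previous passwords, most recent first


@dataclass
class AccountStatus:
    enabled: bool
    must_change_password: bool
    reminder: bool
    reasons: list


def evaluate(account: AdminAccount, policy: AdvancedPolicy, now: datetime) -> AccountStatus:
    """Apply the lifetime, inactivity and retry rules to one account.
    Evaluation order and whole-day (>=) comparisons are assumptions."""
    since_change = (now - account.last_password_change).days
    idle = (now - account.last_login).days
    reasons, disable, must_change = [], False, False
    reminder = policy.reminder_days is not None and since_change >= policy.reminder_days
    if policy.change_days is not None and since_change >= policy.change_days:
        must_change = True
        reasons.append("password lifetime exceeded")
    if policy.disable_unchanged_days is not None and since_change >= policy.disable_unchanged_days:
        disable = True
        reasons.append("password not changed within the disable period")
    if policy.inactive_change_days is not None and idle >= policy.inactive_change_days:
        must_change = True
        reasons.append("inactive: password change required")
    if policy.inactive_disable_days is not None and idle >= policy.inactive_disable_days:
        disable = True
        reasons.append("inactive beyond the disable period")
    if account.failed_attempts >= policy.max_failed_attempts:
        disable = True
        reasons.append("too many successive failed attempts")
    # 'Account never disabled' exempts the account from all three disable
    # triggers; the reasons are kept so a reviewer sees what the flag bypasses.
    if account.never_disabled:
        disable = False
    return AccountStatus(not disable, must_change, reminder, reasons)


def reuse_blocked(account: AdminAccount, new_password: str, policy: AdvancedPolicy) -> bool:
    """Password History rule: reject a password equal to any of the previous n."""
    return new_password in account.password_history[:policy.history_depth]


# Constructed sample data (not from the ACS guide).
NOW = datetime(2012, 6, 1)
SAMPLE_POLICY = AdvancedPolicy(reminder_days=60, change_days=90, disable_unchanged_days=120,
                               inactive_disable_days=45, max_failed_attempts=3)


def sample_accounts() -> dict:
    return {
        "fresh": AdminAccount("new-admin", NOW - timedelta(10), NOW - timedelta(1)),
        "stale": AdminAccount("ops-admin", NOW - timedelta(130), NOW - timedelta(2)),
        "recovery": AdminAccount("recovery", NOW - timedelta(130), NOW - timedelta(2), never_disabled=True),
        "idle": AdminAccount("auditor", NOW - timedelta(5), NOW - timedelta(50)),
        "locked": AdminAccount("helpdesk", NOW - timedelta(5), NOW, failed_attempts=3,
                               password_history=("Winter-2011!", "Autumn-2011!")),
    }


if __name__ == "__main__":
    for label, acct in sample_accounts().items():
        print(f"{label:9s} {evaluate(acct, SAMPLE_POLICY, NOW)}")
```

The "recovery" account in the sample shows why the Account never disabled flag deserves scrutiny: it still trips the same conditions as the stale account, but remains enabled.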
Related Topics
- Understanding Roles, page 16-3
- Administrator Accounts and Role Association, page 16-6
- Viewing Predefined Roles, page 16-8

Configuring Session Idle Timeout

A GUI session, by default, is assigned a timeout period of 30 minutes. You can configure a timeout period of anywhere from 5 to 90 minutes.

To configure the timeout period:

Step 1 Choose System Administration > Administrators > Settings > Session.
The GUI Session page appears.
Step 2 Enter the Session Idle Timeout value in minutes. Valid values are 5 to 90 minutes.
Step 3 Click Submit.

Note: The CLI client interface has a default session timeout value of 6 hours. You cannot configure the session timeout period in the CLI client interface.

Configuring Administrator Access Settings

ACS 5.3 allows you to restrict administrative access to ACS based on the IP address of the remote client. You can filter IP addresses in any one of the following ways:
- Allow All IP Addresses to Connect, page 16-11
- Allow Remote Administration from a Select List of IP Addresses, page 16-11
- Reject Remote Administration from a Select List of IP Addresses, page 16-12

Allow All IP Addresses to Connect

You can choose the Allow all IP addresses to connect option to allow all connections; this is the default option.

Allow Remote Administration from a Select List of IP Addresses

To allow administrators to access ACS remotely only from listed addresses:

Step 1 Choose System Administration > Administrators > Settings > Access.
The IP Addresses Filtering page appears.
Step 2 Click the Allow only listed IP addresses to connect radio button.
The IP Range(s) area appears.
Step 3 Click Create in the IP Range(s) area.
A new window appears. Enter the IP address of the machine from which you want to allow remote access to ACS. To cover an entire address range, also enter a subnet mask.
Step 4 Click OK.
The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges for which you want to provide remote access.
Step 5 Click Submit.

Reject Remote Administration from a Select List of IP Addresses

To reject administrator access to ACS from listed addresses:

Step 1 Choose System Administration > Administrators > Settings > Access.
The IP Addresses Filtering page appears.
Step 2 Click the Reject connections from listed IP addresses radio button.
The IP Range(s) area appears.
Step 3 Click Create in the IP Range(s) area.
A new window appears.
Step 4 Enter the IP address of the machine that you do not want to access ACS remotely. To cover an entire address range, also enter a subnet mask.
Step 5 Click OK.
The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges that you want to reject.
Step 6 Click Submit.

Note: It is possible to reject connections from all IP addresses. Because the filter then also blocks your own administrative session, you cannot reset this condition through the ACS web interface; you must use the following ACS Config CLI command, which restores the Allow all IP addresses to connect setting: access-setting accept-all. Refer to the CLI Reference Guide for Cisco Secure Access Control System 5.3 for more information. Before you submit a filter, confirm that the address you are connecting from, and the addresses of any other administrators, are covered by an allow entry or excluded from every reject entry.

Resetting the Administrator Password

While configuring administrator access settings, it is possible for all administrator accounts to be locked out, with none of the administrators able to access ACS from any IP address in your enterprise. If this happens, you must recover from the ACS Config CLI: access-setting accept-all resets the administrator access settings so that all IP addresses can connect again, and acs reset-password resets the password of the ACSAdmin account (see Changing Your Own Administrator Password, page 16-13). For more information on these commands, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893005.

Note: You cannot reset the administrator password through the ACS web interface.

Changing the Administrator Password

ACS 5.3 introduces a new role, Change Admin Password, that entitles an administrator to change another administrator's password. If an administrator's account is disabled, any other administrator who is assigned the Change Admin Password role can reset the disabled account through the ACS web interface.

This section contains the following topics:
- Changing Your Own Administrator Password, page 16-13
- Resetting Another Administrator's Password, page 16-14

Changing Your Own Administrator Password

Note: All administrators can change their own passwords. You do not need any special role to perform this operation.

To change your password:

Step 1 Choose My Workspace > My Account.
The My Account page appears. See My Account Page, page 5-2, for valid values.
Step 2 In the Password field, enter the current administrator password.
Step 3 In the New Password field, enter a new administrator password.
Step 4 In the Confirm Password field, re-enter the new administrator password.
Step 5 Click Submit.
The administrator password is changed.

You can also use the acs reset-password command to reset your ACSAdmin account password. For more information on this command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1887660.
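The IP address filtering described under Configuring Administrator Access Settings above, and the lock-out that its Note and the Resetting the Administrator Password section warn about, as an added Python model. This is example code, not Cisco's: the three mode names are the radio-button labels from the IP Addresses Filtering page, but the evaluation logic, the address-plus-subnet-mask handling and the pre-submit lock-out check are assumptions drawn from those labels rather than from the ACS implementation, and the ranges and client addresses are constructed.

```python
"""Model of the ACS 5.3 IP Addresses Filtering page (System Administration >
Administrators > Settings > Access). Added example, not Cisco code."""
import ipaddress

# The three radio-button labels from the page.
ALLOW_ALL = "Allow all IP addresses to connect"
ALLOW_LISTED = "Allow only listed IP addresses to connect"
REJECT_LISTED = "Reject connections from listed IP addresses"


def ip_range(address: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """One row of the IP Range(s) area: an address plus a subnet mask.
    The default host mask covers only the single machine entered."""
    return ipaddress.IPv4Network((address, mask), strict=False)


def client_allowed(mode: str, ranges, client: str) -> bool:
    """Would a GUI connection from `client` be accepted under this filter?
    (Assumed semantics of the three labels, not the ACS implementation.)"""
    ip = ipaddress.IPv4Address(client)
    listed = any(ip in r for r in ranges)
    if mode == ALLOW_ALL:
        return True
    if mode == ALLOW_LISTED:
        return listed
    if mode == REJECT_LISTED:
        return not listed
    raise ValueError(f"unknown filtering mode: {mode!r}")


def locked_out(mode: str, ranges, admin_clients) -> list:
    """Pre-submit check: which known administrator workstations would lose
    GUI access under this filter? If every one of them appears here, the
    only way back is the CLI (access-setting accept-all)."""
    return [c for c in admin_clients if not client_allowed(mode, ranges, c)]


def rejects_everything(mode: str, ranges) -> bool:
    """The Note's worst case: a reject list whose ranges cover all of IPv4."""
    if mode != REJECT_LISTED:
        return False
    merged = list(ipaddress.collapse_addresses(ranges))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]


# Constructed sample data: a management subnet plus one host, and the
# addresses the administrators are known to connect from.
MGMT_RANGES = [ip_range("10.1.0.0", "255.255.0.0"), ip_range("192.0.2.10")]
ADMIN_CLIENTS = ["10.1.44.7", "192.0.2.10", "172.16.0.9"]

if __name__ == "__main__":
    print("locked out under allow-list:", locked_out(ALLOW_LISTED, MGMT_RANGES, ADMIN_CLIENTS))
    print("locked out under reject-list:", locked_out(REJECT_LISTED, MGMT_RANGES, ADMIN_CLIENTS))
    everything = [ip_range("0.0.0.0", "128.0.0.0"), ip_range("128.0.0.0", "128.0.0.0")]
    print("reject list covers all IPv4:", rejects_everything(REJECT_LISTED, everything))
```

Run against the sample data, the allow-list leaves the 172.16.0.9 workstation outside, while the same two ranges used as a reject list lock out both management addresses; rejects_everything catches a reject list that adds up to the whole address space even when it is entered as several rows.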
Resetting Another Administrator's Password

To reset another administrator's password:

Step 1 Choose System Administration > Administrators > Accounts.
The Accounts page appears with a list of administrator accounts.
Step 2 Check the check box next to the administrator account for which you want to change the password and click Change Password.
The Authentication Information page appears, listing the date when the administrator's password was last changed.
Step 3 In the Password field, enter a new administrator password.
Step 4 In the Confirm Password field, re-enter the new administrator password.
Step 5 Check the Change password on next login check box so that the password you set is a one-time value that the other administrator must replace at the next login.
Step 6 Click Submit.
The administrator password is reset.

Related Topics
- Configuring Authentication Settings for Administrators, page 16-9
- Understanding Roles, page 16-3
- Administrator Accounts and Role Association, page 16-6
- Viewing Predefined Roles, page 16-8