User Guide for the Cisco Secure Access Control System 5.0
Managing Policy Elements

Table Of Contents

Managing Policy Elements

Managing Policy Conditions

Creating, Duplicating, and Editing a Date and Time Condition

Creating, Duplicating, and Editing a Custom Session Condition

Deleting a Session Condition

Managing Authorizations and Permissions

Creating, Duplicating, and Editing Authorization Profiles for Network Access

Specifying Authorization Profiles

Specifying Common Attributes in Authorization Profiles

Specifying RADIUS Attributes in Authorization Profiles

Creating and Editing Security Groups

Creating, Duplicating, and Editing a Shell Profile for Device Administration

Defining General Shell Profile Properties

Defining Shell Profile Privilege Level

Defining Shell Attributes

Creating, Duplicating, and Editing Command Sets for Device Administration

Creating, Duplicating, and Editing Downloadable ACLs

Deleting an Authorizations and Permissions Policy Element

Configuring Security Group Access Control Lists


Managing Policy Elements


A policy defines the authentication and authorization processing of clients that attempt to access the ACS network. A client can be a user, a network device, or a user associated with a network device.

Policies are sets of rules. Rules contain policy elements, which are sets of conditions and results that are organized in rule tables. See Chapter 3, "ACS 5.0 Policy Model" for more information on policy design and how it is implemented in ACS.

Before you configure your policy rules, you must create the policy elements, which are the conditions and results to use in those policies. After you create the policy elements, you can use them in policy rules. See Chapter 9, "Managing Access Policies" for more information on managing services, policies, and policy rules.

This chapter contains the following topics:

Managing Policy Conditions

Managing Authorizations and Permissions

Creating, Duplicating, and Editing Downloadable ACLs


Note When Cisco TrustSec is installed, you can also configure security groups, which you can then use in TrustSec authorization policies. For information about configuring security groups for TrustSec, see Creating Security Groups, page 4-26.


Managing Policy Conditions

You can configure the following items as conditions in a rule table:

Request/Protocol Attributes—ACS retrieves these attributes from the authentication request that the user issues.

Identity Attributes—These attributes are related to the identity of the user performing a request. These attributes can be retrieved from the user definition in the internal identity store or from user definitions that are stored in external repositories, such as LDAP and AD.

Identity Groups—ACS maintains a single identity group hierarchy that is used for all types of users and hosts. Each internal user or host definition can include an association to a single identity group within the hierarchy. You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more information about creating identity groups, see Creating Identity Groups, page 7-2.

Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 device hierarchies. You can include hierarchy elements in policy conditions. For more information about creating NDGs, see Network Device Groups, page 6-1.

Date and Time Conditions—You can create named conditions that define specific time intervals across specific days of the week. You can also associate expiry dates with date and time conditions.

You can include Protocol and Identity attributes in a condition by defining them in custom conditions or in compound conditions.

You define compound conditions in the policy rule properties page and not as a separate named condition. See Configuring Compound Conditions, page 9-45.

Custom conditions and Date and Time conditions are called session conditions.

This section contains the following topics:

Creating, Duplicating, and Editing a Date and Time Condition

Creating, Duplicating, and Editing a Custom Session Condition

Deleting a Session Condition

See Chapter 3, "ACS 5.0 Policy Model" for information about additional conditions that you can use in policy rules, although they are not configurable.

Creating, Duplicating, and Editing a Date and Time Condition

Create date and time conditions to specify time intervals and durations. For example, you can define shifts over a specific holiday period. When ACS processes a rule with a date and time condition, the condition is compared to the date and time information of the ACS instance that is processing the request. Clients that are associated with this condition are subject to it for the duration of their session.


Note The time on the ACS server is used when making policy decisions. Therefore, ensure that you configure date and time conditions that correspond to the time zone in which your ACS server resides. Your time zone may be different from that of the ACS server.


You can duplicate a session condition to create a new session condition that is the same, or similar to, an existing session condition. After duplication is complete, you access each session condition (original and duplicated) separately to edit or delete them.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a date and time condition:


Step 1 Select Policy Elements > Session Conditions > Date and Time.

The Date and Time Conditions page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the condition you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the condition that you want to modify and click Edit.

The Date and Time Properties page appears.

Step 3 Enter valid configuration data in the required fields as described in Table 8-1:

Table 8-1 Date and Time Properties Page 

Option
Description
General

Name

Enter a name for the date and time condition.

Description

Enter a description, such as specific days and times of the date and time condition.

Duration

Start

Click one of the following options:

Start Immediately—Specifies that the rules associated with this condition are valid, starting at the current date.

Start On—Specify a start date by clicking the calendar icon next to the associated field to choose a specific start date, at which the condition becomes active (at the beginning of the day, indicated by the time 00:00:00 on a 24-hour clock).

End

Click one of the following options:

No End Date—Specifies that the rules associated with this date and time condition are always active, after the indicated start date.

End By—Specify an end date by clicking the calendar icon next to the associated field to choose a specific end date, at which the date and time condition becomes inactive (at the end of the day, indicated by the time 23:59:59 on a 24-hour clock).

Days and Time

Days and Time section grid

Each square in the Days and Time grid is equal to one hour. Select a grid square to make the corresponding time active; rules associated with this condition are valid during this time.

A green (or darkened) grid square indicates an active hour.

Note Ensure that you configure date and time conditions that correspond to the time zone in which your ACS server resides. Your time zone may be different from that of the ACS server. For example, you may receive an error message if you configure a date and time condition that is an hour ahead of your current time, but that is already in the past with respect to the time zone of your ACS server.

Set All

Click to set all squares in the grid to the active state. Rules associated with this condition are always valid.

Clear All

Click to set all squares in the grid to the inactive state. Rules associated with this condition are always invalid.

Undo All

Click to remove your latest changes for the active and inactive day and time selections for the date and time group.



Note To add date and time conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 9-4.


Step 4 Click Submit.

The date and time condition is saved. The Date and Time Conditions page appears with the new date and time condition that you created or duplicated.
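The following model, added here as an illustration and not code from Cisco ACS, shows how the settings in Table 8-1 (Start On, End By, and the Days and Time grid) combine into a single evaluation, and why the time-zone Note matters: the decision is taken on the ACS server's clock, so the same request lands on a different grid square depending on which zone the condition was drawn up in. The zones, dates, and the OfficeHours condition are constructed sample values.

```python
"""Model of an ACS date and time condition, evaluated on the server's clock."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Iterable, Optional, Set, Tuple

WEEKDAYS = range(7)   # 0 = Monday ... 6 = Sunday, as datetime.weekday() numbers
HOURS = range(24)


@dataclass
class DateTimeCondition:
    name: str
    start_on: Optional[date] = None      # None models "Start Immediately"
    end_by: Optional[date] = None        # None models "No End Date"
    # The Days and Time grid: one (weekday, hour) entry per active (green) square
    active_hours: Set[Tuple[int, int]] = field(default_factory=set)

    def set_all(self) -> None:
        """Set All: every square active, so associated rules are always valid."""
        self.active_hours = {(d, h) for d in WEEKDAYS for h in HOURS}

    def clear_all(self) -> None:
        """Clear All: no square active, so associated rules are never valid."""
        self.active_hours = set()

    def set_hours(self, weekdays: Iterable[int], first_hour: int, last_hour: int) -> None:
        """Mark squares first_hour..last_hour (inclusive) on the given weekdays."""
        for d in weekdays:
            for h in range(first_hour, last_hour + 1):
                if d not in WEEKDAYS or h not in HOURS:
                    raise ValueError(f"square ({d}, {h}) is outside the grid")
                self.active_hours.add((d, h))

    def is_active(self, server_now: datetime) -> bool:
        """True when the condition matches the ACS server's local date and time.

        Start On counts from 00:00:00 of the start day and End By through
        23:59:59 of the end day, so the date part alone decides both limits.
        """
        if server_now.tzinfo is None:
            raise ValueError("pass a timezone-aware datetime in the server's zone")
        today = server_now.date()
        if self.start_on is not None and today < self.start_on:
            return False
        if self.end_by is not None and today > self.end_by:
            return False
        return (server_now.weekday(), server_now.hour) in self.active_hours


def evaluate(condition: DateTimeCondition, request_time: datetime,
             server_tz: timezone) -> bool:
    """Convert the request time into the server's zone before testing.

    This is the step the Note describes: ACS uses its own clock, so a condition
    drawn up in another zone matches different wall-clock hours than its author expected.
    """
    return condition.is_active(request_time.astimezone(server_tz))


# Constructed sample: office hours Mon-Fri 09:00-16:59 during one week.
# Fixed-offset zones chosen for illustration; the server runs at UTC.
SERVER_TZ = timezone.utc
ADMIN_TZ = timezone(timedelta(hours=2))

office_hours = DateTimeCondition(
    name="OfficeHours",
    start_on=date(2024, 1, 8),   # a Monday
    end_by=date(2024, 1, 12),    # the Friday of the same week
)
office_hours.set_hours(range(0, 5), 9, 16)


def admin_sees_active(day: int, hour: int, minute: int = 0) -> bool:
    """What the administrator expects, reading the grid in their own zone."""
    local = datetime(2024, 1, day, hour, minute, tzinfo=ADMIN_TZ)
    return office_hours.is_active(local)


def acs_decides_active(day: int, hour: int, minute: int = 0) -> bool:
    """What ACS decides for the same wall-clock moment in the admin's zone."""
    local = datetime(2024, 1, day, hour, minute, tzinfo=ADMIN_TZ)
    return evaluate(office_hours, local, SERVER_TZ)


if __name__ == "__main__":
    # 09:30 Monday for the admin is 07:30 on the server: not yet active.
    print(admin_sees_active(8, 9, 30), acs_decides_active(8, 9, 30))
    # 17:30 Friday for the admin is 15:30 on the server: still active.
    print(admin_sees_active(12, 17, 30), acs_decides_active(12, 17, 30))
    # Monday of the following week is past End By, whatever the hour.
    print(acs_decides_active(15, 12))
```

The two mismatching calls in the usage block are the practical consequence of the Note: a two-hour offset between administrator and server shifts the effective window both at its start and at its end, which is why the guide tells you to enter the grid in the server's zone.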


Related Topics

Creating, Duplicating, and Editing a Custom Session Condition

Deleting a Session Condition

Configuring Access Service Policies, page 9-20

Creating, Duplicating, and Editing a Custom Session Condition

The protocol and identity dictionaries contain a large number of attributes. To use any of these attributes as a condition in a policy rule, you must first create a custom condition for the attribute. In this way, you define a smaller subset of attributes to use in policy conditions, and present a smaller focused list from which to choose condition types for rule tables.


Note You can also include protocol and identity attributes within compound conditions. See Configuring Compound Conditions, page 9-45 for more information on compound conditions.


To create a custom condition, you must select a specific protocol (RADIUS or TACACS+) or identity attribute from one of the dictionaries, and name the custom condition. See Configuring Global System Options, page 16-1 for more information on protocol and identity dictionaries.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a custom session condition:


Step 1 Select Policy Elements > Session Conditions > Custom.

The Custom Conditions page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the condition you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the condition that you want to modify and click Edit.

The Custom Condition Properties page appears.

Step 3 Enter valid configuration data in the required fields as shown in Table 8-2:

Table 8-2 Policy Custom Condition Properties Page 

Option
Description
General

Name

Name of the custom condition.

Description

Description of the custom condition.

Condition

Dictionary

Choose a specific protocol or identity dictionary from the drop-down list box.

Attribute

Click Select to display the list of external identity store dictionaries based on the selection you made in the Dictionary field. Select the attribute that you want to associate with the custom condition, then click OK. If you are editing a custom condition that is in use in a policy, you cannot edit the attribute that it references.



Note To add custom conditions to a policy, you must first customize the rule table. See Customizing a Policy, page 9-4.


Step 4 Click Submit.

The new custom session condition is saved. The Custom Condition page appears with the new custom session condition. Clients that are associated with this condition are subject to it for the duration of their session.


Related Topics

Creating, Duplicating, and Editing a Date and Time Condition

Deleting a Session Condition

Configuring Access Service Policies, page 9-20

Deleting a Session Condition


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To delete a session condition:


Step 1 Select Policy Elements > Session Conditions > <session condition>, where <session condition> is Date and Time or Custom.

The Session Condition page appears.

Step 2 Check one or more check boxes next to the session conditions that you want to delete and click Delete.

The following message appears:

Are you sure you want to delete the selected item/items?

Step 3 Click OK.

The Session Condition page appears without the deleted session conditions.


Related Topics

Creating, Duplicating, and Editing a Date and Time Condition

Creating, Duplicating, and Editing a Custom Session Condition

Managing Authorizations and Permissions

You define authorizations and permissions to determine the results associated with a specific policy rule.

You can define:

Authorization profiles for network access authorization (for RADIUS).

Shell profiles for TACACS+ shell sessions and command sets for device administration.

Downloadable ACLs.

Security groups and security group ACLs for Cisco TrustSec. See ACS and Cisco TrustSec, page 4-25, for information on configuring these policy elements.

These topics describe how to manage authorizations and permissions:

Creating, Duplicating, and Editing Authorization Profiles for Network Access

Creating and Editing Security Groups

Creating, Duplicating, and Editing a Shell Profile for Device Administration

Creating, Duplicating, and Editing Command Sets for Device Administration

Creating, Duplicating, and Editing Downloadable ACLs

Deleting an Authorizations and Permissions Policy Element

Configuring Security Group Access Control Lists

Creating, Duplicating, and Editing Authorization Profiles for Network Access

You create authorization profiles to define how different types of users are authorized to access the network. For example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than a user attempting to access the network through a wired connection.

An authorization profile defines the set of attributes and values that the access-accept response returns. You can specify:

Common data, such as VLAN information, URL for redirect, and more. This information is automatically converted to the raw RADIUS parameter information.

RADIUS authorization parameters—You can select any RADIUS attribute and specify the corresponding value to return.

You can duplicate an authorization profile to create a new authorization profile that is the same, or similar to, an existing authorization profile. After duplication is complete, you access each authorization profile (original and duplicated) separately to edit or delete them.

After you create authorization profiles, you can use them as results in network access session authorization policies.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit an authorization profile:


Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profile.

The Authorization Profiles page appears with the fields described in Table 8-3:

Table 8-3 Authorization Profiles Page 

Option
Description

Name

A list of existing network access authorization definitions.

Description

Display only. The description of the network access authorization definition.


Step 2 Do one of the following:

Click Create.

Check the check box next to the authorization profile that you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.

The Authorization Profile Properties page appears.

Step 3 Enter valid configuration data in the required fields in each tab. See:

Specifying Authorization Profiles

Specifying Common Attributes in Authorization Profiles

Specifying RADIUS Attributes in Authorization Profiles

Step 4 Click Submit.

The authorization profile is saved. The Authorization Profiles page appears with the authorization profile that you created or duplicated.


Specifying Authorization Profiles

Use this tab to configure the name and description for a network access authorization profile.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:

Create to create a new network access authorization definition.

Duplicate to duplicate a network access authorization definition.

Edit to edit a network access authorization definition.

Step 2 Complete the required fields of the Authorization Profile: General page as shown in Table 8-4:

Table 8-4 Authorization Profile: General Page

Option
Description

Name

The name of the network access authorization definition.

Description

The description of the network access authorization definition.


Step 3 Click:

Submit to save your changes and return to the Authorization Profiles page.

The Common Tasks tab to configure common tasks for the authorization profile, see Specifying Common Attributes in Authorization Profiles.

The RADIUS Attributes tab to configure RADIUS attributes for the authorization profile, see Specifying RADIUS Attributes in Authorization Profiles.


Specifying Common Attributes in Authorization Profiles

Use this tab to specify common RADIUS attributes to include in a network access authorization profile. ACS converts the specified values to the required RADIUS attribute-value pairs and displays them in the RADIUS attributes tab.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:

Create to create a new network access authorization definition, then click the Common Tasks tab.

Duplicate to duplicate a network access authorization definition, then click the Common Tasks tab.

Edit to edit a network access authorization definition, then click the Common Tasks tab.

Step 2 Complete the required fields of the Authorization Profile: Common Tasks page as shown in Table 8-5:

Table 8-5 Authorization Profile: Common Tasks Page 

Option
Description

Parameter options

To include a parameter in the profile, do one of the following:

Select Static, then enter or choose a value for the parameter.

Select Dynamic, then choose the dictionary and attribute from which to retrieve the value of the parameter. The selection list of identity attributes contains attributes of the same type as the RADIUS attribute for which the value will be substituted: string, integer or IP address.

VLAN ID/Name

Includes a VLAN assignment.

URL for Redirect

Includes a URL redirect.

URL Redirect ACL

Includes the name of the access control list (ACL) for URL redirection. This field is displayed only if you select URL for Redirect.

ACLs

Downloadable ACL Name

Includes a defined downloadable ACL. See Configuring Security Group Access Control Lists for information about defining a downloadable ACL.

IOS ACL Filter ID

Includes an IOS ACL Filter ID.

Proxy ACL

Includes a proxy ACL.

QoS

Input Policy Map

Includes a QoS input policy map.

Output Policy Map

Includes a QoS output policy map.

Voice VLAN

Permission to Join

Select Static. A value for this parameter is displayed.

Reauthentication

Reauthentication Timer

Select whether to use a session timeout value.

If you select Static, you must enter a value in the Seconds field.

If you select Dynamic, you must select the dynamic parameters.

Maintain Connectivity during Reauthentication

Click Yes to ensure connectivity is maintained while reauthentication is performed. By default, Yes is selected.



Specifying RADIUS Attributes in Authorization Profiles

Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays the RADIUS attribute parameters that you choose in the Common Tasks tab.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click:

Create to create a new network access authorization definition, then click the RADIUS Attributes tab.

Duplicate to duplicate a network access authorization definition, then click the RADIUS Attributes tab.

Edit to edit a network access authorization definition, then click the RADIUS Attributes tab.

Step 2 Complete the required fields of the Authorization Profile: RADIUS Attributes page as shown in Table 8-6:

Table 8-6 Authorization Profile: RADIUS Attributes Page 

Option
Description
Common Tasks Attributes

Displays the names, values, and types for the attributes that you defined in the Common Tasks tab.

Manually Entered

Use this section to define RADIUS attributes to include in the authorization profile. As you define each attribute, its name, value, and type appear in the table. To:

Add a RADIUS attribute, fill in the fields below the table and click Add.

Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS parameters appear in the fields below the table. Modify as required, then click Replace.

Dictionary Type

Choose the dictionary that contains the RADIUS attribute you want to use.

RADIUS Attribute

The name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary.

Attribute Type

The client vendor type of the attribute, from which ACS allows access requests. For a description of the attribute types, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.

Attribute Value

The value of the attribute. Click Select for a list of attribute values. For a description of the attribute values, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.

For tunneled protocols, ACS returns attribute values with specific tags to the device in the access response, as defined in RFC 2868.

If you choose Tagged Enum or Tagged String as the RADIUS Attribute type, the Tag field appears. For the tag value, enter a number that ACS will use to group attributes belonging to the same tunnel.

For the Tagged Enum attribute type:

Choose an appropriate attribute value.

Enter an appropriate tag value (0-31).

For the Tagged String attribute type:

Enter an appropriate string attribute value (up to 256 characters).

Enter an appropriate tag value (0-31).


Step 3 To configure:

Basic information of an authorization profile, see Specifying Authorization Profiles.

Common tasks for an authorization profile, see Specifying Common Attributes in Authorization Profiles.
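The example below is added here to show, in bytes, what the Common Tasks tab's conversion to "raw RADIUS parameter information" and the tagged attributes of Table 8-6 look like on the wire. It is not Cisco ACS code: the VLAN mapping (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) follows RFC 3580, the reauthentication mapping (Session-Timeout, Termination-Action) follows RFC 2865, and the tag octet layout follows RFC 2868. Which attributes ACS itself emits for each common task is an assumption of this illustration; the VLAN number and timeout are constructed sample values.

```python
"""Encode and decode the RADIUS AVPs an authorization profile returns in Access-Accept."""
import struct
from typing import List, Optional, Tuple, Union

# Attribute numbers from RFC 2865 and RFC 2868
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
INTEGER_ATTRS = {SESSION_TIMEOUT, TERMINATION_ACTION}
TAGGED_ENUMS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRINGS = {TUNNEL_PRIVATE_GROUP_ID}

TUNNEL_TYPE_VLAN = 13            # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580
TERMINATION_RADIUS_REQUEST = 1   # RFC 2865: NAS re-authenticates instead of dropping


def check_tag(tag: int) -> int:
    """The Tag field accepts 0-31; RFC 2868 uses only the low five bits of the octet."""
    if not 0 <= tag <= 31:
        raise ValueError(f"tag {tag} outside 0-31")
    return tag


def avp(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet covering the whole AVP), Value (1-253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1-253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_enum(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag octet followed by a 3-octet value."""
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer value must fit in 24 bits")
    return avp(attr_type, bytes([check_tag(tag)]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: tag octet followed by the string octets."""
    return avp(attr_type, bytes([check_tag(tag)]) + text.encode("utf-8"))


def integer(attr_type: int, value: int) -> bytes:
    """Plain 32-bit integer attribute (RFC 2865)."""
    return avp(attr_type, struct.pack(">I", value))


def vlan_assignment(vlan: Union[int, str], tag: int = 1) -> List[bytes]:
    """The three tagged attributes that carry a VLAN ID/Name common task (RFC 3580)."""
    return [
        tagged_enum(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_enum(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)),
    ]


def reauthentication(seconds: int, maintain_connectivity: bool = True) -> List[bytes]:
    """Reauthentication Timer plus the Maintain Connectivity choice (assumed mapping)."""
    attrs = [integer(SESSION_TIMEOUT, seconds)]
    if maintain_connectivity:
        attrs.append(integer(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST))
    return attrs


Decoded = Tuple[int, Optional[int], Union[int, str, bytes]]


def decode(blob: bytes) -> List[Decoded]:
    """Walk a byte string of AVPs and return (type, tag or None, value) triples."""
    out: List[Decoded] = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated AVP header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 3 or pos + length > len(blob):
            raise ValueError("bad AVP length")
        value = blob[pos + 2:pos + length]
        pos += length
        if attr_type in TAGGED_ENUMS:
            out.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type in TAGGED_STRINGS:
            out.append((attr_type, value[0], value[1:].decode("utf-8")))
        elif attr_type in INTEGER_ATTRS and len(value) == 4:
            out.append((attr_type, None, struct.unpack(">I", value)[0]))
        else:
            out.append((attr_type, None, value))
    return out


if __name__ == "__main__":
    # Constructed profile: VLAN 100 with a one-hour reauthentication timer
    for a in vlan_assignment(100) + reauthentication(3600):
        print(a.hex())
    print(decode(b"".join(vlan_assignment(100) + reauthentication(3600))))
```

Note that all three VLAN attributes carry the same tag; that is what "group attributes belonging to the same tunnel" means in Table 8-6, and a device will ignore a Tunnel-Private-Group-ID whose tag does not match the Tunnel-Type it accompanies.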


Creating and Editing Security Groups

Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups.

When you create a security group, ACS generates a unique SGT. Network devices can query ACS for SGT information. The network device uses the SGT to tag, or paint, packets at ingress, so that the packets can be filtered at egress according to the egress policy. See Egress Policy Matrix Page, page 9-50, for information on configuring an egress policy.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorizations and Permissions > Network Access > Security Groups.

The Security Groups page appears as described in Table 8-7:

Table 8-7 Security Groups Page 

Option
Description

Name

The name of the security group.

SGT (Dec / Hex)

Representation of the security group tag in decimal and hexadecimal format.

Description

The description of the security group.


Step 2 Click:

Create to create a new security group.

Duplicate to duplicate a security group.

Edit to edit a security group.

Step 3 Enter the required information in the Name and Description fields, then click Submit.


Related Topic

Creating Security Groups, page 4-26

Creating, Duplicating, and Editing a Shell Profile for Device Administration

You can configure Cisco IOS shell profile and command set authorization. Shell profiles and command sets are combined for authorization purposes. Shell profile authorization provides decisions for the following capabilities for the user requesting authorization and is enforced for the duration of a user's session:

Privilege level.

General capabilities, such as device administration and network access.

For a description of the attributes that you specify in shell profiles, see Cisco IOS documentation for the specific release of Cisco IOS software that is running on your AAA clients.

After you create shell profiles and command sets, you can use them in authorization and permissions within rule tables.

You can duplicate a shell profile if you want to create a new shell profile that is the same, or similar to, an existing shell profile.

After duplication is complete, you access each shell profile (original and duplicated) separately to edit or delete them.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a shell profile:


Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.

The Shell Profiles page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the shell profile that you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.

The Shell Profile Properties page General tab appears.

Step 3 Enter valid configuration data in the required fields in each tab. As a minimum configuration, you must enter a unique name for the shell profile; all other fields are optional. See:

Defining General Shell Profile Properties

Defining Shell Profile Privilege Level

Defining Shell Attributes

Step 4 Click Submit.

The shell profile is saved. The Shell Profiles page appears with the shell profile that you created or duplicated.


Related Topics

Creating, Duplicating, and Editing Authorization Profiles for Network Access

Creating, Duplicating, and Editing Command Sets for Device Administration

Deleting an Authorizations and Permissions Policy Element

Configuring Shell/Command Authorization Policies for Device Administration, page 9-39

Defining General Shell Profile Properties

Use this page to define a shell profile's general properties.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then do one of the following:

Click Create.

Check the check box next to the shell profile that you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.

Step 2 Complete the Shell Profile: General fields as described in Table 8-8:

Table 8-8 Shell Profile: General Page 

Option
Description

Name

The name of the shell profile.

Description

(Optional) The description of the shell profile.


Step 3 Click:

Submit to save your changes and return to the Shell Profiles page.

The Privilege Level tab to configure privilege levels for the shell profile, see Defining Shell Profile Privilege Level.

The Shell Attributes tab to configure shell attributes for the shell profile, see Defining Shell Attributes.


Related Topics

Defining Shell Profile Privilege Level

Defining Shell Attributes

Defining Shell Profile Privilege Level

Use this page to define a shell profile's privilege level.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then click:

Create to create a new shell profile, then click Privilege Level.

Duplicate to duplicate a shell profile, then click Privilege Level.

Edit to edit a shell profile, then click Privilege Level.

Step 2 Complete the Shell Profile: Privilege Level page as described in Table 8-9:

Table 8-9 Shell Profile: Privilege Level Page 

Option
Description
Enable Default Privilege

Enable Default Privilege

(Optional) Enables the initial privilege level assignment that you allow for a client, through shell authorization. If disabled, the setting is not interpreted in authorization and permissions.

The Default Privilege Level specifies the default (initial) privilege level for the shell profile. If you select this option, you must select a privilege level; the valid options are 0 to 15.

Maximum Privilege Level

Enable Change of Privilege Level

(Optional) Enables the maximum privilege level assignment for which you allow a client after the initial shell authorization.

The Maximum Privilege Level specifies the maximum privilege level for the shell profile. If you select this option, you must select a maximum privilege level; the valid options are 0 to 15.

Note If you choose both default and privilege level assignments, the default privilege level assignment must be equal to or lower than the maximum privilege level assignment.


Step 3 Click:

Submit to save your changes and return to the Shell Profiles page.

The General tab to configure the name and description for the shell profile, see Defining General Shell Profile Properties.

The Shell Attributes tab to configure the TACACS+ or RADIUS shell attributes for the shell profile, see Defining Shell Attributes.


Related Topics

Defining Shell Attributes

Configuring Shell/Command Authorization Policies for Device Administration, page 9-39

Defining Shell Attributes

Use this page to define shell attributes. The attributes are defined by:

TACACS+ protocol

RADIUS protocol, tunneled using the Cisco AV pair vendor-specific attribute (VSA)

For a description of the attributes, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then click:

Create to create a new shell profile, then click Shell Attributes.

Duplicate to duplicate a shell profile, then click Shell Attributes.

Edit to edit a shell profile, then click Shell Attributes.

Step 2 Complete the Shell Profile: Shell Attributes page as described in Table 8-10:

Table 8-10 Shell Profile: Shell Attributes 

Option
Description

Access Control List

(Optional) Check the check box and specify the access control list to enable. The name of the access control list can be up to 27 characters, and cannot contain a hyphen (-), left bracket ([), right bracket (]), forward slash (/), back slash (\), apostrophe (`), left angle bracket (<), or right angle bracket (>).

Auto Command

(Optional) Check the check box and specify the command to enable.

No Callback Verify

(Optional) Check the check box and specify if you want callback verification. Valid options are:

true—Specifies that callback verification is not needed.

false—Specifies that callback verification is needed.

No Escape

(Optional) Check the check box and specify if you want escape prevention. Valid options are:

true—Specifies that escape prevention is enabled.

false—Specifies that escape prevention is not enabled.

No Hang Up

(Optional) Check the check box and specify if you want no hangup. Valid options are:

true—Specifies no hangups are allowed.

false—Specifies that hangups are allowed.

Timeout

(Optional) Check the check box to enable and specify, in minutes, the duration of the allowed timeout in the field. The valid range is from 0 to 999.

Idle Time

(Optional) Check the check box to enable and specify, in minutes, the duration of the allowed idle time in the field. The valid range is from 0 to 999.

Callback Line

(Optional) Check the check box to enable and specify the callback phone line in the field.

Callback Rotary

(Optional) Check the check box to enable and specify the callback rotary phone line in the field.


Step 3 Click:

Submit to save your changes and return to the Shell Profiles page.

The General tab to configure the name and description for the shell profile, see Defining General Shell Profile Properties.

The Privilege Level tab to configure privilege levels for the shell profile, see Defining Shell Profile Privilege Level.


Creating, Duplicating, and Editing Command Sets for Device Administration

Command sets provide decisions for allowed commands and arguments for device administration. You can specify command sets as results in a device configuration authorization policy. Shell profiles and command sets are combined for authorization purposes, and are enforced for the duration of a user's session.

You can duplicate a command set if you want to create a new command set that is the same, or similar to, an existing command set. After duplication is complete, you access each command set (original and duplicated) separately to edit or delete them.

After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile for Device Administration.


Note Command sets support TACACS+ protocol attributes only.



Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate, or edit a new command set:


Step 1 Select Policy Elements > Authorization and Permissions > Device Administration > Command Sets.

The Command Sets page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the command set that you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.

The Command Set Properties page appears.

Step 3 Enter valid configuration data in the required fields. As a minimum configuration, you must enter a unique name for the command set; all other fields are optional. You can define commands and arguments; you can also add commands and arguments from other command sets.

See Table 8-11 for a description of the fields in the Command Set Properties page.

Table 8-11 Command Set Properties Page 

Field
Description

Name

The name of the command set.

Description

(Optional) The description of the command set.

Permit any command that is not in the table below

Check to allow all commands that are requested, unless they are explicitly denied in the Grant table. Uncheck to allow only commands that are explicitly allowed in the Grant table.

Command Set table

Use this section to define commands to include in the authorization profile. As you define each command, its details appear in the table. To:

Add a command, fill in the fields below the table and click Add.

Edit a command, select the appropriate row in the table, and click Edit. The command parameters appear in the fields below the table. Modify as required, then click Replace.

The order of commands in the Command Set table is important; policy rule table processing depends on which command and argument are matched first to make a decision on policy result choice. Use the control buttons at the right of the Command Set table to order your commands.

Grant

Choose the permission level of the associated command. Options are:

Permit—The associated command and arguments are automatically granted.

Deny—The associated command and arguments are automatically denied.

Deny Always—The associated command and arguments are always denied.

Command

Enter the command name. This field is not case sensitive. You can use the asterisk (*) to represent zero (0) or more characters in the command name, and you can use the question mark (?) to represent a single character in a command name.

Examples of valid command name entries:

SHOW

sH*

sho?

Sh*?

Arguments (field)

Enter the argument associated with the command name. This field is not case sensitive.

Select Command/Arguments from Command Set

To add a command from another command set:

1. Choose the command set.

2. Click Select to open a page that lists the available commands and arguments.

3. Choose a command and click OK.


Step 4 Click Submit.

The command set is saved. The Command Sets page appears with the command set that you created or duplicated.
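The ordering and wildcard rules of the Command Set table in Table 8-11 are easy to get wrong, so here is a small model of them as an added example (not ACS code). It assumes that an empty Arguments field matches any arguments, and that when several command sets are attached to one rule a Deny Always match in any set wins, then any Permit; both are assumptions, not behaviour the page states.

```python
import re
from dataclasses import dataclass

# Constructed model of the ACS Command Set table (Table 8-11): an ordered list
# of Grant/Command/Arguments rows plus the "Permit any command that is not in
# the table below" check box. Not ACS code; argument matching is an assumption.

def command_pattern(pattern: str) -> re.Pattern:
    """'*' matches zero or more characters, '?' exactly one; not case sensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)

@dataclass
class Row:
    grant: str            # "Permit", "Deny" or "Deny Always"
    command: str          # command name, may contain * and ?
    arguments: str = ""   # assumption: an empty field matches any arguments

@dataclass
class CommandSet:
    name: str
    rows: list
    permit_unmatched: bool = False  # "Permit any command that is not in the table below"

    def evaluate(self, command: str, arguments: str = "") -> str:
        # The first matching row wins, so row order is part of the policy.
        for row in self.rows:
            if command_pattern(row.command).match(command) and (
                row.arguments == "" or row.arguments.lower() == arguments.strip().lower()
            ):
                return row.grant
        return "Permit" if self.permit_unmatched else "Deny"

def authorize(command_sets, command: str, arguments: str = "") -> str:
    """Combine the command sets attached to one rule (assumption: a Deny Always
    match in any set wins, then any Permit, otherwise the command is denied)."""
    results = [cs.evaluate(command, arguments) for cs in command_sets]
    if "Deny Always" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"

# Constructed sample sets: a read-only operator set and a configuration set.
READ_ONLY = CommandSet("ReadOnly", [
    Row("Deny Always", "sh*", "running-config"),  # must precede the broad permit
    Row("Permit", "sho?"),
    Row("Deny", "conf*"),
])
CONFIG = CommandSet("Config", [Row("Permit", "conf*"), Row("Permit", "sh*")])
```

Swapping the first two rows of READ_ONLY would let "show running-config" through, which is why the table's ordering controls matter.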


Related Topics

Creating, Duplicating, and Editing Authorization Profiles for Network Access

Creating, Duplicating, and Editing a Shell Profile for Device Administration

Deleting an Authorizations and Permissions Policy Element

Creating, Duplicating, and Editing Downloadable ACLs

You can define downloadable ACLs for the access-accept message to return. Use ACLs to prevent unwanted traffic from entering the network. ACLs can filter on source and destination IP addresses, transport protocols, and more; ACS delivers them to the network device by using the RADIUS protocol.

After you create downloadable ACLs as named permission objects, you can add them to authorization profiles, which you can then specify as the result of an authorization policy.

You can duplicate a downloadable ACL if you want to create a new downloadable ACL that is the same, or similar to, an existing downloadable ACL.

After duplication is complete, you access each downloadable ACL (original and duplicated) separately to edit or delete them.


Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.


To create, duplicate or edit a downloadable ACL:


Step 1 Select Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs.

The Downloadable ACLs page appears.

Step 2 Do one of the following:

Click Create.

Check the check box next to the downloadable ACL that you want to duplicate and click Duplicate.

Click the name that you want to modify; or, check the check box next to the name that you want to modify and click Edit.

The Downloadable ACL Properties page appears.

Step 3 Enter valid configuration data in the required fields as shown in Table 8-12, and define one or more ACLs by using standard ACL syntax.

Table 8-12 Downloadable ACL Properties Page 

Option
Description

Name

The name of the DACL.

Description

The description of the DACL.

Downloadable ACL Content

Define the ACL content.

Use standard ACL command syntax and semantics. The ACL definitions comprise one or more ACL commands; each ACL command must occupy a separate line.

For detailed ACL definition information, see the command reference section of your device configuration guide.


Step 4 Click Submit.

The downloadable ACL is saved. The Downloadable ACLs page appears with the downloadable ACL that you created or duplicated.


Related Topics

Creating, Duplicating, and Editing Authorization Profiles for Network Access

Configuring a Session Authorization Policy for Network Access, page 9-32

Deleting an Authorizations and Permissions Policy Element

Deleting an Authorizations and Permissions Policy Element

To delete an authorizations and permissions policy element:


Step 1 Select Policy Elements > Authorization and Permissions; then, navigate to the required option.

The corresponding page appears.

Step 2 Check one or more check boxes next to the items that you want to delete and click Delete.

The following message appears:

Are you sure you want to delete the selected item/items?

Step 3 Click OK.

The page appears without the deleted object.


Configuring Security Group Access Control Lists

Security group access control lists (SGACLs) are applied at egress, based on the source and destination SGTs. Use this page to view, create, duplicate and edit SGACLs. When you modify the name or content of an SGACL, ACS updates its generation ID. When the generation ID of an SGACL changes, the relevant TrustSec network devices reload the content of the SGACL.


Note SGACLs are also called role-based ACLs (RBACLs).



Note Every ACS administrator account is assigned one or more administrative roles. Depending upon the roles assigned to your account, you may or may not be able to perform the operations or see the options described in the following procedure. See Configuring System Administrators and Accounts, page 14-2 to configure the appropriate administrator privileges.



Step 1 Select Policy Elements > Authorization and Permissions > Named Permission Objects > Security Group ACLs.

The Security Group Access Control Lists page appears with the fields described in Table 8-13:

Table 8-13 Security Group Access Control Lists Page 

Option
Description

Name

The name of the SGACL.

Description

The description of the SGACL.


Step 2 Click one of the following options:

Create to create a new SGACL.

Duplicate to duplicate an SGACL.

Edit to edit an SGACL.

Step 3 Complete the fields in the Security Group Access Control Lists Properties page as described in Table 8-14:

Table 8-14 Security Group Access Control List Properties Page 

Option
Description
General

Name

The name of the SGACL. You cannot use spaces, hyphens (-), question marks (?), or exclamation marks (!) in the name. After you create an SGACL, its generation ID appears.

Generation ID

Display only. ACS updates the generation ID of the SGACL if you change the:

Name of the SGACL.

Content of the SGACL (the ACEs).

Changing the SGACL description does not affect the generation ID.

Description

The description of the SGACL.

Security Group ACL Content

Enter the ACL content. Ensure that the ACL definition is syntactically and semantically valid.


Step 4 Click Submit.