User Guide for Cisco Secure Access Control System 5.2
Managing Access Policies

Managing Access Policies

Table Of Contents

Managing Access Policies

Policy Creation Flow

Network Definition and Policy Goals

Policy Elements in the Policy Creation Flow

Access Service Policy Creation

Service Selection Policy Creation

Customizing a Policy

Configuring the Service Selection Policy

Configuring a Simple Service Selection Policy

Service Selection Policy Page

Creating, Duplicating, and Editing Service Selection Rules

Displaying Hit Counts

Deleting Service Selection Rules

Configuring Access Services

Editing Default Access Services

Creating, Duplicating, and Editing Access Services

Configuring General Access Service Properties

Configuring Access Service Allowed Protocols

Configuring Access Services Templates

Deleting an Access Service

Configuring Access Service Policies

Viewing Identity Policies

Viewing Rules-Based Identity Policies

Configuring Identity Policy Rule Properties

Configuring a Group Mapping Policy

Configuring Group Mapping Policy Rule Properties

Configuring a Session Authorization Policy for Network Access

Configuring Network Access Authorization Rule Properties

Configuring Device Administration Authorization Policies

Configuring Device Administration Authorization Rule Properties

Configuring Device Administration Authorization Exception Policies

Configuring Shell/Command Authorization Policies for Device Administration

Configuring Authorization Exception Policies

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

Configuring Compound Conditions

Compound Condition Building Blocks

Types of Compound Conditions

Using the Compound Expression Builder

TrustSec Access Control Pages

Egress Policy Matrix Page

Editing a Cell in the Egress Policy Matrix

Defining a Default Policy for Egress Policy Page

NDAC Policy Page

NDAC Policy Properties Page

Network Device Access EAP-FAST Settings Page


Managing Access Policies


In ACS 5.2, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service selection policy contains rules that determine which access service processes an incoming request.

For a basic workflow for configuring policies and all their elements, see Flows for Configuring Services and Policies. In general, before you can configure policy rules, you must configure all the elements that you will need, such as identities, conditions, and authorizations and permissions.

For information about:

Managing identities, see Chapter 8 "Managing Users and Identity Stores."

Configuring conditions, see Managing Policy Elements.

Configuring authorizations and permissions, see Configuring System Operations.

This section contains the following topics:

Policy Creation Flow

Customizing a Policy

Configuring the Service Selection Policy

Configuring Access Services

Configuring Access Service Policies

Configuring Compound Conditions

TrustSec Access Control Pages

For information about creating Egress and NDAC policies for Cisco TrustSec, see Configuring an NDAC Policy.

Policy Creation Flow

Policy creation depends on your network configuration and the degree of refinement that you want to bring to individual policies. The endpoint of policy creation is the access service that runs as the result of the service selection policy. Each policy is rule driven.

In short, you must determine the:

Details of your network configuration.

Access services that implement your policies.

Rules that define the conditions under which an access service can run.

This section contains the following topics:

Network Definition and Policy Goals

Policy Elements in the Policy Creation Flow

Access Service Policy Creation

Service Selection Policy Creation

Network Definition and Policy Goals

The first step in creating a policy is to determine the devices and users for which the policy should apply. Then you can start to configure your policy elements.

For basic policy creation, you can rely on the order of the drawers in the left navigation pane of the web interface. The order of the drawers is helpful because some policy elements are dependent on other policy elements. If you use the policy drawers in order, you initially avoid having to go backward to define elements that your current drawer requires.

For example, you might want to create a simple device administration policy from these elements in your network configuration:

Devices—Routers and switches.

Users—Network engineers.

Device Groups—Group devices by location and separately by device type.

Identity groups—Group network engineers by location and separately by access level.

The results of the policy apply to the administrative staff at each site:

Full access to devices at their site.

Read-only access to all other devices.

Full access to everything for a supervisor.

The policy itself applies to network operations and the administrators who will have privileges within the device administration policy. The users (network engineers) are stored in the internal identity store.

The policy results are the authorizations and permissions applied in response to the access request. These authorizations and permissions are also configured as policy elements.

Policy Creation Flow—Next Steps

Policy Elements in the Policy Creation Flow

Access Service Policy Creation

Service Selection Policy Creation

Policy Elements in the Policy Creation Flow

The web interface provides these defaults for defining device groups and identity groups:

All Locations

All Device Types

All Groups

The locations, device types, and identity groups that you create are children of these defaults.

To create the building blocks for a basic device administration policy:


Step 1 Create network resources. In the Network Resources drawer, create:

a. Device groups for Locations, such as All Locations > East, West, HQ.

b. Device groups for device types, such as All Device Types > Router, Switch.

c. AAA clients (the switches and routers that send AAA requests, with an address and a protocol for each), such as EAST-ACCESS-SWITCH, HQ-CORE-SWITCH, or WEST-WAN-ROUTER.

Step 2 Create users and identity stores. In the Users and Identity Stores drawer, create:

a. Identity groups (Network Operations and Supervisor).

b. Specific users and association to identity groups (Names, Identity Group, Password, and more).

Step 3 Create authorizations and permissions for device administration. In the Policy Elements drawer, create:

a. Specific privileges (in Shell Profiles), such as full access or read only.

b. Command Sets that allow or deny access (in Command Sets).


For this policy, you now have the following building blocks:

Network Device Groups (NDGs), such as:

Locations—East, HQ, West.

Device Types—Router, Switch.

Identity groups, such as:

Network Operations Sites—East, HQ, West.

Access levels—Full Access.

Devices—Routers and switches that have been assigned to network device groups.

Users—Network engineers in the internal identity store that have been assigned to identity groups.

Shell Profiles—Privileges that can apply to each administrator, such as:

Full privileges.

Read only privileges.

Command Sets—Allow or deny authorization to each administrator.

Policy Creation Flow—Previous Step

Network Definition and Policy Goals

Policy Creation Flow—Next Steps

Access Service Policy Creation

Service Selection Policy Creation

Access Service Policy Creation

After you create the basic elements, you can create an access policy that includes identity groups and privileges. For example, you can create an access service for device administration, called NetOps, which contains authorization and authentication policies that use this data:

Users in the Supervisor identity group—Full privileges to all devices at all locations.

Users in the East, HQ, and West identity groups—Full privileges to devices in the corresponding East, HQ, and West device groups.

If no match—Deny access.

Policy Creation Flow—Previous Steps

Network Definition and Policy Goals

Policy Elements in the Policy Creation Flow

Policy Creation Flow—Next Step

Service Selection Policy Creation

Service Selection Policy Creation

ACS provides support for various access use cases; for example, device administration, wireless access, network access control, and so on. You can create access policies for each of these use cases. Your service selection policy determines which access policy applies to an incoming request.

For example, you can create a service selection rule to apply the NetOps access service to any access request that uses the TACACS+ protocol.

Policy Creation Flow—Previous Steps

Network Definition and Policy Goals

Policy Elements in the Policy Creation Flow

Access Service Policy Creation

Customizing a Policy

ACS policy rules contain conditions and results. Before you begin to define rules for a policy, you must configure which types of conditions the policy will contain. This step is called customizing your policy. The condition types that you choose appear on the Policy page. You can apply only those types of conditions that appear on the Policy page. For information about policy conditions, see Managing Policy Conditions.

By default, a Policy page displays a single condition column for compound expressions. For information on compound conditions, see Configuring Compound Conditions.

If you have implemented TrustSec functionality, you can also customize results for authorization policies.


Caution If you have already defined rules, be certain that a rule is not using any condition that you remove when customizing conditions. Removing a condition column removes all configured conditions that exist for that column.

To customize a policy:


Step 1 Open the Policy page that you want to customize. For:

The service selection policy, choose Access Policies > Service Selection Policy.

An access service policy, choose Access Policies > Access Services > service > policy, where service is the name of the access service, and policy is the name of the policy that you want to customize.

Step 2 In the Policy page, click Customize.

A list of conditions appears. This list includes identity attributes, system conditions, and custom conditions.


Note Identity-related attributes are not available as conditions in a service selection policy.


Step 3 Move conditions between the Available and Selected list boxes.

Step 4 Click OK.

The selected conditions now appear under the Conditions column.

Step 5 Click Save Changes.


Configuring a Policy—Next Steps

Configuring the Service Selection Policy

Configuring Access Service Policies

Configuring the Service Selection Policy

The service selection policy determines which access service processes incoming requests. You can configure a simple policy, which applies the same access service to all requests; or, you can configure a rule-based service selection policy.

In the rule-based policy, each service selection rule contains one or more conditions and a result, which is the access service to apply to an incoming request. You can create, duplicate, edit, and delete rules within the service selection policy, and you can enable and disable them.

This section contains the following topics:

Configuring a Simple Service Selection Policy

Creating, Duplicating, and Editing Service Selection Rules


Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.


Configuring a Simple Service Selection Policy

A simple service selection policy applies the same access service to all requests.

To configure a simple service selection policy:


Step 1 Select Access Policies > Service Selection Policy.

By default, the Simple Service Selection Policy page appears.

Step 2 Select an access service to apply; or, choose Deny Access.

Step 3 Click Save Changes to save the policy.


Service Selection Policy Page

Use this page to configure a simple or rule-based policy to determine which service to apply to incoming requests.

To display this page, choose Access Policies > Service Selection.

If you have already configured the service selection policy, the corresponding Simple Policy page (see Table 10-1) or Rule-based Policy page (see Table 10-2) opens; otherwise, the Simple Policy page opens by default.

Table 10-1 Simple Service Selection Policy Page 

Option
Description

Policy type

Defines the type of policy:

Select one result—The results apply to all requests.

Rule-based result selection—Configuration rules apply different results depending on the request.

Service Selection Policy

The access service to apply to all requests. The default is Deny Access.


Table 10-2 Rule-based Service Selection Policy Page  

Option
Description

Policy type

Defines the type of policy to configure:

Select one result—Results apply to all requests.

Rule-based result selection—Configuration rules apply different results depending on the request.

Status

The current status of the rule that drives service selection. The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor Only—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The rule name.

Conditions

The conditions that determine the scope of the service. This column displays all current conditions in subcolumns.

Note You cannot use identity-based conditions in a service selection rule.

Results

The service that runs as a result of the evaluation of the rule.

Hit Count

The number of times that the rule is matched. Click Hit Count to refresh and reset this column.

Default Rule

ACS applies the Default rule when:

Enabled rules are not matched.

No other rules are defined.

Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.


To configure a rule-based service selection policy, see these topics:

Creating, Duplicating, and Editing Service Selection Rules

Deleting Service Selection Rules

After you configure your service selection policy, you can continue to configure your access service policies. See Configuring Access Service Policies.

Creating, Duplicating, and Editing Service Selection Rules

Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access service in cases where no rules are matched or defined.

When you create rules, remember that the order of the rules is important. When ACS finds a match while processing a client's request, rule evaluation stops and the result associated with that rule is applied. No later rules are considered after a match is found.

You can duplicate a service selection rule to create a new rule that is the same as, or very similar to, an existing rule. The duplicate rule name is based on the original rule name with a number in parentheses to indicate duplication; for example, Rule-1(1). After duplication is complete, you access each rule (original and duplicated) separately. You cannot duplicate the Default rule.

You can edit all values of user-defined service selection rules; in the Default rule, you can edit only the specified access service.


Note To configure a simple policy to apply the same access service to all requests, see Configuring a Simple Service Selection Policy.


Before You Begin

Configure the conditions that you want to use in the service selection policy. See Managing Policy Conditions.


Note Identity-related attributes are not available as conditions in a service selection policy.


Create the access services that you want to use in the service selection policy. See Creating, Duplicating, and Editing Access Services. You do not need to configure policies in the access service before configuring the service selection policy.

Configure the types of conditions to use in the policy rules. See Customizing a Policy, for more information.

To create, duplicate, or edit a service selection policy rule:


Step 1 Select Access Policies > Service Selection Policy. If you:

Previously created a rule-based policy, the Rule-Based Service Selection Policy page appears with a list of configured rules.

Have not created a rule-based policy, the Simple Service Selection Policy page appears. Click Rule-Based.

Step 2 Do one of the following:

Click Create.

Check the check box next to the rule that you want to duplicate; then click Duplicate.

Click the rule name that you want to modify; or, check the check box next to the name and click Edit.

The Rule page appears.

Step 3 Enter or modify values:

User-defined rules—You can edit any value. Ensure that you include at least one condition. If you are duplicating a rule, you must change the rule name.

The Default Rule—You can change only the access service.

See Table 10-3 for field descriptions:

Table 10-3 Service Selection Rule Properties Page   

Option
Description
General

Name

The name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor Only—The rule is active but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

<condition(s)>

The conditions that you can configure for the rule.

By default, the compound condition appears. Click Customize in the Policy page to change the conditions that appear.

The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions.

Note A service selection policy that contains a compound condition on the TACACS+ username does not work consistently. The policy works only when the first TACACS+ authentication request contains a username. If the first packet does not contain the username, ACS requests it from the NAS, but the TACACS+ username condition is evaluated before the username is available and is not matched. The request therefore falls to the default rule, which denies access, instead of reaching the intended access service.

Results

Service

The name of the access service that runs as a result of the evaluation of the rule.


Step 4 Click OK.

The Service Selection Policy page appears with the rule that you configured.

Step 5 Click Save Changes.
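The following Python program is an added illustration, not code from this guide or from ACS itself. It models the first-match evaluation described for service selection rules (rules are evaluated in order, the first matching Enabled rule supplies the result, Disabled rules are skipped, a Monitor Only rule is counted and logged but its result is not applied, and the Default Rule applies when nothing else matches), the Hit Count reset, and the Table 10-3 note that a TACACS+ username condition cannot match a request that does not yet carry the username. The same engine is reused for the NetOps device-administration policy sketched in "Access Service Policy Creation". The attribute names (protocol, tacacs_username, identity_group, location) and the rule names are constructed for this example; the service and profile names (NetOps, Default Network Access, Full Access, Deny Access) are taken from the chapter. It is an assumption of this model that evaluation continues past a Monitor Only match, since that rule's result is not applied.

```python
"""Model of ACS 5.2 first-match rule evaluation (added illustration, not ACS code)."""
from dataclasses import dataclass, field

ANY = "ANY"  # the default value of every condition in a rule


@dataclass
class Rule:
    name: str
    conditions: dict          # attribute -> required value, or ANY
    result: str               # access service, shell profile, or "Deny Access"
    status: str = "Enabled"   # Enabled | Disabled | Monitor Only
    hit_count: int = 0

    def matches(self, request: dict) -> bool:
        # A condition set to ANY always matches. An attribute that is absent from
        # the request (for example a TACACS+ username not supplied in the first
        # packet) can never satisfy a condition that requires a specific value.
        return all(wanted == ANY or request.get(attr) == wanted
                   for attr, wanted in self.conditions.items())


@dataclass
class RuleBasedPolicy:
    rules: list               # ordered; position decides precedence
    default_rule: Rule        # only its result is editable; never disabled
    log: list = field(default_factory=list)

    def evaluate(self, request: dict) -> str:
        for rule in self.rules:
            if rule.status == "Disabled" or not rule.matches(request):
                continue
            rule.hit_count += 1
            if rule.status == "Monitor Only":
                # Assumption: a monitor-only match is logged and counted, and
                # evaluation continues because its result is not applied.
                self.log.append(f"MONITOR {rule.name} -> {rule.result} (not applied)")
                continue
            self.log.append(f"MATCH {rule.name} -> {rule.result}")
            return rule.result  # first match ends evaluation
        self.default_rule.hit_count += 1
        self.log.append(f"DEFAULT -> {self.default_rule.result}")
        return self.default_rule.result

    def reset_hit_counts(self) -> None:
        # Equivalent of Reset on the Hit Count page: every rule back to zero.
        for rule in self.rules + [self.default_rule]:
            rule.hit_count = 0


def service_selection_policy() -> RuleBasedPolicy:
    """Constructed service selection policy: TACACS+ requests from one user go to NetOps."""
    return RuleBasedPolicy(
        rules=[
            Rule("Watch-RADIUS", {"protocol": "RADIUS"}, "Default Network Access",
                 status="Monitor Only"),
            Rule("NetOps-by-user", {"protocol": "TACACS+", "tacacs_username": "smith"},
                 "NetOps"),
            Rule("Legacy", {"protocol": "RADIUS"}, "Default Network Access",
                 status="Disabled"),
            Rule("RADIUS-Any", {"protocol": "RADIUS", "tacacs_username": ANY},
                 "Default Network Access"),
        ],
        default_rule=Rule("Default", {}, "Deny Access"),
    )


def netops_authorization_policy() -> RuleBasedPolicy:
    """Constructed NetOps authorization policy: supervisors everywhere, site admins at their site."""
    rules = [Rule("Supervisor", {"identity_group": "Supervisor"}, "Full Access")]
    for site in ("East", "HQ", "West"):
        rules.append(Rule(f"{site}-Admins",
                          {"identity_group": site, "location": site}, "Full Access"))
    return RuleBasedPolicy(rules=rules, default_rule=Rule("Default", {}, "Deny Access"))


if __name__ == "__main__":
    ssp = service_selection_policy()
    print(ssp.evaluate({"protocol": "TACACS+", "tacacs_username": "smith"}))  # NetOps
    print(ssp.evaluate({"protocol": "TACACS+"}))             # Deny Access (no username yet)
    print(ssp.evaluate({"protocol": "RADIUS"}))              # Default Network Access
    print(*ssp.log, sep="\n")
    authz = netops_authorization_policy()
    print(authz.evaluate({"identity_group": "East", "location": "West"}))  # Deny Access
```

The second service selection request shows the failure mode from the Table 10-3 note: the request arrives without a username, the NetOps-by-user rule does not match, and the request lands on the Default Rule. The Watch-RADIUS rule shows why Monitor Only is useful for a new rule: its hit count and log entry tell you it would have matched, while the existing RADIUS-Any rule still decides the result.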


Related Topics

Configuring Access Services

Deleting Service Selection Rules

Displaying Hit Counts

Use this page to reset and refresh the Hit Count display on the Rule-based Policy page.

To display this page, click Hit Count on the Rule-based Policy page.

Table 10-4 Hit Count Page   

Option
Description
Hit Counts Reset

Last time hit counts were reset for this policy

Displays the date and time of the last hit count reset for this policy.

Reset hit counts display for this policy

Click Reset to reset the hit counts display to zero (0) for all rules on the Policy page.

Hit Counts Collection

Hit counts are collected every:

Displays the interval between hit count collections.

Last time hit counts were collected for this policy:

Displays the date and time of the last hit count update for this policy.

Refresh hit counts display for this policy

Click Refresh to refresh the hit count display in the Policy page with updated hit counts for all rules. The previous hit counts are deleted.

When a TACACS+ authentication request succeeds, the hit counts of the corresponding identity policy rule and authorization policy rule both increase by 1.


Deleting Service Selection Rules


Note You cannot delete the Default service selection rule.


To delete a service selection rule:


Step 1 Select Access Policies > Service Selection Policy.

The Service Selection Policy page appears, with a list of configured rules.

Step 2 Check one or more check boxes next to the rules that you want to delete.

Step 3 Click Delete.

The Service Selection Rules page appears without the deleted rule(s).

Step 4 Click Save Changes to save the new configuration.


Configuring Access Services

Access services contain the authentication and authorization policies for requests. You can create separate access services for different use cases; for example, device administration, wireless network access, and so on.

When you create an access service, you define the type of policies and policy structures that it contains; for example, policies for device administration or network access.


Note You must create access services before you define service selection rules, although you do not need to define the policies in the services.


This section contains the following topics:

Creating, Duplicating, and Editing Access Services

Deleting an Access Service

After you create an access service, you can use it in the service selection policy. See Configuring the Service Selection Policy.

You can customize and modify the policies in the access service. See Configuring Access Service Policies.

Related Topic

Creating, Duplicating, and Editing Access Services

Editing Default Access Services

ACS 5.2 is preconfigured with two default access services, one for device administration and another for network access. You can edit these access services.

To edit the default access service:


Step 1 Choose one of the following:

Access Policies > Access Services > Default Device Admin

Access Policies > Access Services > Default Network Access

The Default Service Access Service Edit page appears.

Step 2 Edit the fields in the Default Service Access Service page.

Table 10-5 describes the fields in the General tab.

Table 10-5 Default Access Service - General Page 

Option
Description
General

Name

Name of the access service.

Description

Description of the access service.

Service Type

(Display only) Type of service: device administration or network access.

Policy Structure

Identity

Check to include an identity policy in the access service, to define the identity store or stores that ACS uses for authentication and attribute retrieval.

Group Mapping

Check to include a group mapping policy in the access service, to map groups and attributes that are retrieved from external identity stores to the identity groups in ACS.

Authorization

Check to include an authorization policy in the access service, to apply:

Authorization profiles for network access services.

Shell profiles and command sets for device administration services.


Step 3 Edit the fields in the Allowed Protocols tab as described in Table 10-7.

Step 4 Click Submit to save the changes you have made to the default access service.


Creating, Duplicating, and Editing Access Services

Access services contain the authentication and authorization policies for requests.

When you create an access service, you define:

Policy structure—The types of policies the service will contain. You can define these according to a service template, an existing service, or a use case.

A service can contain:

An Identity policy—Defines which identity store to use for authentication.

A group mapping policy—Defines the identity group to which to map.

An Authorization policy—For network access, this policy defines which session authorization profile to apply; for device administration, it defines which shell profile or command set to apply.

Allowed protocols—Specifies which authentication protocols are allowed for this access service, and provides additional information about how ACS uses them for authentication.

Use a service template to define an access service with policies that are customized to use specific condition types. See Configuring Access Services Templates for information about the service templates.

Duplicate an access service to create a new access service with rules that are the same, or very similar to, an existing access service. After duplication is complete, you access each service (original and duplicated) separately.

To replicate a service policy structure without duplicating the source service's rules, create a new access service based on an existing service.

To create, duplicate, or edit an access service:


Step 1 Select Access Policies > Access Services.

The Access Services page appears with a list of configured services.

Step 2 Do one of the following:

Click Create.

Check the check box next to the access service that you want to duplicate; then click Duplicate.

Click the access service name that you want to modify; or, check the check box next to the name and click Edit.

Click the access service name in the left navigation tab.

The Access Service Properties General page appears.

If you are creating a new access service:

a. Define the name and policy structure of the access service.

b. Click Next to proceed to the Allowed Protocols page.

c. Click Finish to save the new access service.

If you are duplicating or editing an access service:

a. Modify fields in the Properties page tabs as required. You can add policies, but you cannot remove existing policies.

b. Click Submit to save changes.

For information about valid field options, see:

Configuring General Access Service Properties

Configuring Access Service Allowed Protocols

Configuring Access Services Templates

The access service configuration is saved. The Access Services page appears with the new configuration.


Related Topics

Deleting an Access Service

Configuring Access Service Policies

Configuring the Service Selection Policy

Configuring General Access Service Properties

Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.


Step 1 Select Access Policies > Access Services, then click Create, Duplicate, or Edit.

Step 2 Complete the fields as described in Table 10-6:

Table 10-6 Access Service Properties—General Page  

Option
Description
General

Name

The name of the access service. If you are duplicating a service, you must enter a unique name as a minimum configuration; all other fields are optional.

Description

The description of the access service.

Access Service Policy Structure

Based on service template

Creates an access service containing policies based on a predefined template. This option is available only for service creation.

Based on existing service

Creates an access service containing policies based on an existing access service. The new access service does not include the existing service's policy rules. This option is available only for service creation. To replicate a service, including its policy rules, duplicate an existing access service.

User selected service type

Provides you the option to select the access service type. The available options are Network Access, Device Administration, and RADIUS Proxy. The list of policies you can configure depends on your choice of access service type.

User Selected Service Type—Network Access and Device Administration
Policy Structure

Identity

Check to include an identity policy in the access service to define the identity store or stores that ACS uses for authentication and attribute retrieval.

Group Mapping

Check to include a group mapping policy in the access service to map groups and attributes that are retrieved from external identity stores to ACS identity groups.

Authorization

Check to include an authorization policy in the access service to apply:

Authorization profiles for network access services.

Shell profiles and command sets for device administration services.

User Selected Service Type—RADIUS Proxy
Select the set of External RADIUS servers to be used for proxy. You can also determine the order in which these servers will be used.

Available External RADIUS Servers

The list of available external RADIUS servers. Select the external RADIUS servers to be used for proxy and move them to the Selected External RADIUS Servers list.

Selected External RADIUS Servers

The list of selected external RADIUS servers.

Advanced Options
Accounting

Remote Accounting

Check to enable remote accounting.

Local Accounting

Check to enable local accounting.

Username Prefix\Suffix Stripping

Strip start of subject name up to the last occurrence of the separator

Check to remove the prefix from the subject name, up to and including the last occurrence of the separator. For example, if the subject name is acme\smith and the separator is \, the username becomes smith.

Strip end of subject name from the first occurrence of the separator

Check to remove the suffix from the subject name, from the first occurrence of the separator onward. For example, if the subject name is smith@acme.com and the separator is @, the username becomes smith.


Step 3 Click Next to configure the allowed protocols. See Configuring Access Service Allowed Protocols.


Related Topic

Configuring Access Service Allowed Protocols

Configuring Access Services Templates

Configuring Access Service Allowed Protocols

The allowed protocols are the second part of access service creation. Access service definitions contain general and allowed protocol information. When you duplicate and edit services, the Access Service properties page contains tabs.


Step 1 Select Access Policies > Access Services, then click:

Create to create a new access service, then click the Allowed Protocols tab.

Duplicate to duplicate an access service, then click the Allowed Protocols tab.

Edit to edit an access service, then click the Allowed Protocols tab.

Step 2 Complete the fields as shown in Table 10-7:

Table 10-7 Access Service Properties—Allowed Protocols Page 

Option
Description

Process Host Lookup

Check to configure ACS to process the Host Lookup field (for example, when the RADIUS Service-Type equals 10) and use the System UserName attribute from the RADIUS Calling-Station-ID attribute.

Uncheck for ACS to ignore the Host Lookup request and use the original value of the system UserName attribute for authentication and authorization. When unchecked, message processing is according to the protocol (for example, PAP).

Authentication Protocols

Allow PAP/ASCII

Enables PAP/ASCII. PAP uses clear-text passwords (that is, unencrypted passwords) and is the least secure authentication protocol.

When you check Allow PAP/ASCII, you can check Detect PAP as Host Lookup to configure ACS to detect this type of request as a Host Lookup (instead of PAP) request in the network access service.

Allow CHAP

Enables CHAP authentication. CHAP uses a challenge-response mechanism with password encryption. CHAP does not work with Windows Active Directory.

Allow MS-CHAPv1

Enables MS-CHAPv1.

Allow MSCHAPv2

Enables MSCHAPv2.

Allow EAP-MD5

Enables EAP-based Message Digest 5 hashed authentication.

When you check Allow EAP-MD5, you can check Detect EAP-MD5 as Host Lookup to configure ACS to detect this type of request as a Host Lookup (instead of EAP-MD5) request in the network access service.

Allow EAP-TLS

Enables the EAP-TLS Authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies user identity as presented in the EAP Identity response from the end-user client. User identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between ACS and the end-user client.

EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates. See Configuring Local Server Certificates for more information.

Allow LEAP

Enables LEAP authentication.

Allow PEAP

Enables the PEAP authentication protocol and PEAP settings. The default inner method is MSCHAPv2.

When you check Allow PEAP, you can configure the following PEAP inner methods:

Allow EAP-MSCHAPv2—Check to use EAP-MSCHAPv2 as the inner method.

Allow Password Change—Check for ACS to support password changes.

Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1 to 3.

Allow EAP-GTC—Check to use EAP-GTC as the inner method.

Allow Password Change—Check for ACS to support password changes.

Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1 to 3.

Allow EAP-FAST

Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.

When you check Allow EAP-FAST, you can configure EAP-FAST inner methods:

Allow EAP-MSCHAPv2

Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.

Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.

Allow EAP-GTC

Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.

Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.

Allow TLS-Renegotiation—Check for ACS to support TLS-Renegotiation. This option allows an anonymous TLS handshake between the end-user client and ACS. EAP-MS-CHAP will be used as the only inner method in phase zero.

Use PACs—Choose to configure ACS to provision authorization PACs for EAP-FAST clients. Additional PAC Options appear.

Don't use PACs—Choose to configure ACS to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and ACS responds with a Success-TLV without a PAC.

When you choose this option, you can configure ACS to perform machine authentication.

PAC Options

Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one (1) day.

Proactive PAC Update When: <n%> of PAC TTL is Left—The Update value ensures that the client has a valid PAC. ACS initiates update after the first successful authentication but before the expiration time that is set by the TTL. The Update value is a percentage of the remaining time in the TTL. (Default: 10%)

Allow Anonymous In-band PAC Provisioning—Check for ACS to establish a secure anonymous TLS handshake with the client and provision it with a so-called PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2.

Note To enable Anonymous PAC Provisioning, you must choose both the inner methods, EAP-MSCHAPv2 and EAP-GTC.

Allow Authenticated In-band PAC Provisioning—ACS uses Secure Socket Layer (SSL) server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on ACS.

When you check this option, you can configure ACS to return an Access-Accept message to the client after successful authenticated PAC provisioning.

Allow Machine Authentication—Check for ACS to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials).

The machine PAC can be provisioned to the client by request (in-band) or by administrator (out-of-band). When ACS receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the ACS external identity store. After these details are correctly verified, no further authentication is performed.

Note ACS 5.2 only supports Active Directory as an external identity store for machine authentication.

When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When ACS receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).

Enable Stateless Session Resume—Check for ACS to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).

Uncheck this option:

If you do not want ACS to provision authorization PACs for EAP-FAST clients.

To always perform phase two of EAP-FAST.

When you check this option, you can enter the authorization period of the user authorization PAC. After this period the PAC expires. When ACS receives an expired authorization PAC, it performs phase two EAP-FAST authentication.

Preferred EAP protocol

Select the preferred EAP protocol from the following options available:

EAP-FAST

PEAP

LEAP

EAP-TLS

EAP-MD5

This option lets ACS work with older supplicants (end devices) that cannot send a No-Acknowledgement when a particular protocol is not implemented. Use it to place a particular protocol first in the list of protocols negotiated with the device so that the negotiation succeeds.


Step 3 Click Finish to save your changes to the access service.

To enable an access service, you must add it to the service selection policy.
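The PAC Options above describe three timers and two expiry behaviours: the Tunnel PAC TTL (default one day), the proactive update that ACS starts after a successful authentication once less than n% of the TTL remains (default 10%), automatic reprovisioning of an expired machine PAC, and phase-two authentication when an authorization PAC has expired. The following is an added Python model of that bookkeeping; it is not ACS code, and the PAC fields, PacKind names and timestamps are constructed for the walkthrough.

```python
"""EAP-FAST PAC lifetime bookkeeping as described under PAC Options:
Tunnel PAC Time To Live (default 1 day), proactive PAC update when n% of
the TTL is left (default 10%), and what ACS does with an expired machine
or authorization PAC. Added illustration, not ACS code; PAC fields and
timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class PacKind(Enum):
    TUNNEL = "tunnel"
    MACHINE = "machine"
    AUTHORIZATION = "authorization"


@dataclass
class Pac:
    kind: PacKind
    issued_at: datetime
    ttl: timedelta = timedelta(days=1)      # default Tunnel PAC TTL from the page

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl


def pac_state(pac: Pac, now: datetime, update_pct: int = 10) -> str:
    """Classify a presented PAC as 'expired', 'update-due' or 'valid'.

    'update-due' means at most update_pct % of the TTL remains, so ACS
    refreshes the PAC after the next successful authentication."""
    if now >= pac.expires_at:
        return "expired"
    remaining = pac.expires_at - now
    if remaining <= pac.ttl * (update_pct / 100):
        return "update-due"
    return "valid"


def pac_action(pac: Pac, now: datetime, update_pct: int = 10) -> str:
    """Map the PAC state to the behaviour the page describes per PAC kind."""
    state = pac_state(pac, now, update_pct)
    if state == "expired":
        if pac.kind is PacKind.MACHINE:
            # Expired machine PAC: ACS reprovisions without waiting for a request
            return "reprovision machine PAC"
        if pac.kind is PacKind.AUTHORIZATION:
            # Expired authorization PAC: ACS performs phase two EAP-FAST
            return "perform phase two"
        return "tunnel PAC expired"         # the page gives no further detail here
    if state == "update-due":
        return "accept; proactive update after successful authentication"
    return "accept"


def walkthrough() -> dict:
    """Constructed timeline: Tunnel PAC issued 2024-01-01 00:00, default 1-day TTL.
    10% of 1440 minutes is 144 minutes, so the update window opens at 21:36."""
    issued = datetime(2024, 1, 1, 0, 0)
    tunnel = Pac(PacKind.TUNNEL, issued)
    return {
        "noon": pac_action(tunnel, datetime(2024, 1, 1, 12, 0)),
        "21:30 (150 min left)": pac_action(tunnel, datetime(2024, 1, 1, 21, 30)),
        "21:40 (140 min left)": pac_action(tunnel, datetime(2024, 1, 1, 21, 40)),
        "next day": pac_action(tunnel, datetime(2024, 1, 2, 0, 0)),
        "expired machine PAC": pac_action(Pac(PacKind.MACHINE, issued), datetime(2024, 1, 3)),
        "expired authorization PAC": pac_action(Pac(PacKind.AUTHORIZATION, issued), datetime(2024, 1, 3)),
    }


if __name__ == "__main__":
    for label, action in walkthrough().items():
        print(f"{label}: {action}")
```

The proactive-update threshold is deliberately computed from the configured TTL rather than from the PAC's remaining life alone, which is why a PAC presented at 21:30 is still plain "accept" while one presented at 21:40 triggers an update; shortening the TTL or raising the percentage moves that boundary.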


Configuring Access Services Templates

Use a service template to define an access service with policies that are customized to use specific condition types.


Step 1 On the General page (see Configuring General Access Service Properties), choose Based on service template and click Select.

Step 2 Complete the fields as described in Table 10-8:

Table 10-8 Access Services Templates

(Columns: Template Name, Access Service Type, Protocols, Policies, Conditions, Results)

Device Admin - Simple
  Access Service Type: Device Administration
  Protocols: PAP/ASCII
  Identity policy: Conditions: None - Simple; Results: Internal users
  Authorization policy: Conditions: Identity group, NDG:Location, NDG:Device Type, Time and Date; Results: Shell profile

Device Admin - Command Auth
  Access Service Type: Device Administration
  Protocols: PAP/ASCII
  Identity policy: Conditions: None - Simple; Results: Internal users
  Authorization policy: Conditions: Identity group, NDG:Location, NDG: Time and Date; Results: Command sets

Network Access - Simple
  Access Service Type: Network Access
  Protocols: PEAP, EAP-FAST
  Identity policy: Conditions: None - Simple; Results: Internal users
  Authorization policy: Conditions: NDG:Location, Time and date; Results: Authorization profiles

Network Access - MAC Authentication Bypass
  Access Service Type: Network Access
  Protocols: Process Host Lookup, PAP/ASCII (detect PAP as host lookup) and EAP-MD5 (detect EAP-MD5 as host lookup)
  Identity policy: Conditions: None - Simple; Results: Internal users
  Authorization policy: Conditions: Use case; Results: Authorization profiles



Deleting an Access Service

To delete an access service:


Step 1 Select Access Policies > Access Services.

The Access Services page appears with a list of configured services.

Step 2 Check one or more check boxes next to the access services that you want to delete.

Step 3 Click Delete; then click OK in the confirmation message.

The Access Policies page appears without the deleted access service(s).


Related Topic

Creating, Duplicating, and Editing Access Services

Configuring Access Service Policies

You configure access service policies after you create the access service:

Viewing Identity Policies

Configuring Identity Policy Rule Properties

Configuring a Group Mapping Policy

Configuring a Session Authorization Policy for Network Access

Configuring Shell/Command Authorization Policies for Device Administration

You can configure simple policies that apply the same result to all incoming requests, or you can create rule-based policies.


Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.


Before you begin to configure policy rules, you must:

Configure the policy conditions and results. See Managing Policy Conditions.

Select the types of conditions and results that the policy rules apply. See Customizing a Policy.

For information about configuring policy rules, see:

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

Viewing Identity Policies

The identity policy in an access service defines the identity source that ACS uses for authentication and attribute retrieval. ACS can use the retrieved attributes in subsequent policies.

The identity source for:

Password-based authentication can be a single identity store, or an identity store sequence.

Certificate-based authentication can be a certificate authentication profile, or an identity store sequence.

An identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences.

If you created an access service that includes an identity policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity source for authentication of all requests; or, you can configure a rule-based identity policy.

In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the identity policy; and you can enable and disable them.


Caution If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple identity policy:


Step 1 Select Access Policies > Access Services > service > Identity, where service is the name of the access service.

By default, the Simple Identity Policy page appears with the fields described in Table 10-9:

Table 10-9 Simple Identity Policy Page  

Option
Description

Policy type

Defines the type of policy to configure:

Simple—Specifies the result to apply to all requests.

Rule-based—Configure rules to apply different results, depending on the request.

Note If you switch between policy types, you will lose your previously saved policy configuration.

Identity Source

The identity source to apply to all requests. The default is Deny Access. For:

Password-based authentication, choose a single identity store, or an identity store sequence.

Certificate-based authentication, choose a certificate authentication profile, or an identity store sequence.

The identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences.

Advanced options

Specifies whether to reject or drop the request, or continue with authentication for these options:

If authentication failed—Default is reject.

If user not found—Default is reject.

If process failed—Default is drop.

Owing to restrictions on the underlying protocol, ACS cannot always continue processing when the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS, or Host Lookup.

For all other authentication protocols, the request will be dropped even if you choose the Continue option.


Step 2 Select an identity source for authentication; or, choose Deny Access.

You can configure additional advanced options. See Configuring Identity Policy Rule Properties.

Step 3 Click Save Changes to save the policy.


Viewing Rules-Based Identity Policies

Select Access Policies > Access Services > service > Identity, where service is the name of the access service.

By default, the Simple Identity Policy page appears with the fields described in Table 10-9. If configured, the Rules-Based Identity Policy page appears with the fields described in Table 10-10:

Table 10-10 Rule-based Identity Policy Page  

Option
Description

Policy type

Defines the type of policy to configure:

Simple—Specifies the results to apply to all requests.

Rule-based—Configure rules to apply different results depending on the request.


Caution If you switch between policy types, you will lose your previously saved policy configuration.

Status

The current status of the rule. The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Name

The rule name.

Conditions

The conditions that determine the scope of the policy. This column displays all current conditions in subcolumns.

Results

The identity source that is used for authentication as a result of the evaluation of the rule.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule

ACS applies the Default rule when:

Enabled rules are not matched.

No other rules are defined.

Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.


To configure a rule-based policy, see these topics:

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

For information about configuring an identity policy for Host Lookup requests, see Configuring an Authorization Policy for Host Lookup Requests.

Related Topics

Configuring a Group Mapping Policy

Configuring a Session Authorization Policy for Network Access

Configuring Shell/Command Authorization Policies for Device Administration

Configuring Identity Policy Rule Properties

You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the client and retrieve attributes for the client.

To display this page:


Step 1 Choose Access Policies > Access Services > service > Identity, then do one of the following:

Click Create.

Check a rule check box, and click Duplicate.

Click a rule name or check a rule check box, then click Edit.

Step 2 Complete the fields as shown in the Identity Rule Properties page described in Table 10-11:

Table 10-11 Identity Rule Properties Page   

Option
Description
General

Rule Name

The name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

<condition(s)>

The conditions that you can configure for the rule. By default the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.

The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions.

Results

Identity Source

The identity source to apply to requests. The default is Deny Access. For:

Password-based authentication, choose a single identity store, or an identity store sequence.

Certificate-based authentication, choose a certificate authentication profile, or an identity store sequence.

The identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional sequence to retrieve additional attributes. See Configuring Identity Store Sequences.

Advanced options

Specifies whether to reject or drop the request, or continue with authentication for these options:

If authentication failed—Default is reject.

If user not found—Default is reject.

If process failed—Default is drop.

Due to restrictions on the underlying protocol, ACS cannot always continue processing when the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS or Host Lookup.

For all other authentication protocols, the request is dropped even if you choose the Continue option.
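Tables 10-10 and 10-11 describe the identity policy as a first-match rule table with three rule statuses, a Default Rule that cannot be deleted, per-rule hit counts, and advanced options that decide whether a request is rejected, dropped or continued when the identity store fails to authenticate it. The following added Python model puts those pieces together; it is not ACS code. Rule names, identity source names and request attributes are constructed, and the assumption that a matching Monitor rule still lets evaluation proceed to the next rule is the model's, not the page's.

```python
"""Rule-based identity policy evaluation as Tables 10-10 and 10-11 describe:
first-match rule table, rule statuses (Enabled / Disabled / Monitor), the
Default Rule, hit counts, and the advanced options (reject / drop / continue).
Added illustration, not ACS code; rule names, identity sources and request
attributes are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, str]

# Protocols for which ACS can honor the Continue option (from Table 10-11)
CONTINUE_CAPABLE = {"PAP/ASCII", "EAP-TLS", "Host Lookup"}


@dataclass
class IdentityRule:
    name: str
    status: str                           # "Enabled", "Disabled" or "Monitor"
    condition: Callable[[Request], bool]  # stands in for the rule's Conditions columns
    identity_source: str                  # result: store, store sequence, or "Deny Access"
    hit_count: int = 0


@dataclass
class IdentityPolicy:
    rules: List[IdentityRule]
    default_source: str = "Deny Access"   # result of the Default Rule
    log: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        """Return the identity source for a request; the first applied match wins."""
        for rule in self.rules:
            if rule.status == "Disabled" or not rule.condition(req):
                continue
            rule.hit_count += 1           # a match counts toward Hit Count
            if rule.status == "Monitor":
                # Active for logging only: the result is not applied. Evaluation
                # continues with the next rule (assumption of this model).
                self.log.append(f"{rule.name}: monitor only, would use {rule.identity_source}")
                continue
            self.log.append(f"{rule.name}: matched, using {rule.identity_source}")
            return rule.identity_source
        self.log.append(f"Default Rule: using {self.default_source}")
        return self.default_source


@dataclass
class AdvancedOptions:
    """Defaults as listed in Table 10-11."""
    if_auth_failed: str = "reject"
    if_user_not_found: str = "reject"
    if_process_failed: str = "drop"


def outcome(event: str, protocol: str, opts: AdvancedOptions) -> str:
    """Map an identity-store event to reject / drop / continue.

    Continue is only possible for PAP/ASCII, EAP-TLS and Host Lookup; for any
    other protocol the request is dropped even when Continue is configured."""
    action = {
        "auth_failed": opts.if_auth_failed,
        "user_not_found": opts.if_user_not_found,
        "process_failed": opts.if_process_failed,
    }[event]
    if action == "continue" and protocol not in CONTINUE_CAPABLE:
        return "drop"
    return action


def sample_policy() -> IdentityPolicy:
    """Constructed three-rule policy: a disabled catch-all, a monitor-only
    certificate rule, and an enabled rule keyed on the NDG:Location condition."""
    return IdentityPolicy(
        rules=[
            IdentityRule("Rule-1", "Disabled", lambda r: True, "Internal Users"),
            IdentityRule("Rule-2", "Monitor", lambda r: r.get("protocol") == "EAP-TLS", "CertProfile"),
            IdentityRule("Rule-3", "Enabled", lambda r: r.get("ndg_location") == "Branch", "AD-Sequence"),
        ],
        default_source="Internal Users",
    )


if __name__ == "__main__":
    policy = sample_policy()
    print(policy.evaluate({"protocol": "EAP-TLS", "ndg_location": "Branch"}))  # AD-Sequence
    print(policy.evaluate({"protocol": "PEAP", "ndg_location": "HQ"}))          # Internal Users
    print([(r.name, r.hit_count) for r in policy.rules])                        # Rule-2 and Rule-3 hit once
    opts = AdvancedOptions(if_user_not_found="continue")
    print(outcome("user_not_found", "PAP/ASCII", opts))  # continue
    print(outcome("user_not_found", "PEAP", opts))       # drop
    print("\n".join(policy.log))
```

The log shows why Monitor is useful for staging a new rule: Rule-2 records a hit and the result it would have applied, while the request is still authenticated by the rule that actually matched. The second pair of calls shows the protocol caveat from the table: the same Continue setting yields "continue" for PAP/ASCII but "drop" for PEAP.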



Configuring a Group Mapping Policy

Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group, which can then be used in authorization policy rules.

If you created an access service that includes a group mapping policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity group to all requests; or, you can configure a rule-based policy.

In the rule-based policy, each rule contains one or more conditions and a result. The conditions can be based only on attributes or groups retrieved from external attribute stores, and the result is an identity group within the identity group hierarchy. You can create, duplicate, edit, and delete rules within the policy; and you can enable and disable them.


Caution If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple group mapping policy:


Step 1 Select Access Policies > Access Services > service > Group Mapping, where service is the name of the access service.

By default, the Simple Group Mapping Policy page appears. See Table 10-12 for field descriptions.

See Table 10-13 for Rule-Based Group Mapping Policy page field descriptions.

Table 10-12 Simple Group Mapping Policy Page 

Option
Description

Policy type

Defines the type of policy to configure:

Simple—Specifies the results to apply to all requests.

Rule-based—Configure rules to apply different results depending on the request.


Caution If you switch between policy types, you will lose your previously saved policy configuration.

Identity Group

The identity group to which attributes and groups from all requests are mapped.


Table 10-13 Rule-based Group Mapping Policy Page 

Option
Description

Policy type

Defines the type of policy to configure:

Simple—Specifies the results to apply to all requests.

Rule-based—Configure rules to apply different results depending on the request.


Caution If you switch between policy types, you will lose your previously saved policy configuration.

Status

The current status of the rule. The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The rule name.

Conditions

The conditions that determine the scope of the policy. This column displays all current conditions in subcolumns.

Results

The identity group that is used as a result of the evaluation of the rule.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule

ACS applies the Default rule when:

Enabled rules are not matched.

No other rules are defined.

Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.


Step 2 Select an identity group.

Step 3 Click Save Changes to save the policy.


To configure a rule-based policy, see these topics:

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

Related Topics

Viewing Identity Policies

Configuring a Session Authorization Policy for Network Access

Configuring Shell/Command Authorization Policies for Device Administration

Configuring Group Mapping Policy Rule Properties

Use this page to create, duplicate, or edit a group mapping policy rule to define the mapping of attributes and groups that are retrieved from external databases to ACS identity groups.


Step 1 Select Access Policies > Access Services > service > Group Mapping, then do one of the following:

Click Create.

Check a rule check box, and click Duplicate.

Click a rule name or check a rule check box, then click Edit.

Step 2 Complete the fields as described in Table 10-14:

Table 10-14 Group Mapping Rule Properties Page 

Option
Description
General

Rule Name

The name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

<condition(s)>

The conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.

The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions.

Results

Identity Group

The identity group to which attributes and groups from requests are mapped.



Configuring a Session Authorization Policy for Network Access

When you create an access service for network access authorization, it creates a Session Authorization policy. You can then add and modify rules to this policy to determine the access permissions for the client session.

You can create a standalone authorization policy for an access service, which is a standard first-match rule table. You can also create an authorization policy with an exception policy. See Configuring Authorization Exception Policies. When a request matches an exception rule, the policy exception rule result is always applied.

The rules can contain any conditions and multiple results:

Authorization profile—Defines the user-defined attributes and, optionally, the downloadable ACL that the Access-Accept message should return.

Security Group Tag (SGT)—If you have installed Cisco TrustSec, the authorization rules can define which SGT to apply to the request.

For information about how ACS processes rules with multiple authorization profiles, see Processing Rules with Multiple Authorization Profiles.
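The two paragraphs above define the precedence that matters for session authorization: an exception policy whose matching rule is always applied, then the standard first-match table, then the Default Rule, with each rule able to return an authorization profile list and, on TrustSec deployments, a security group. The following added Python sketch of that decision is not ACS code; the request attributes, rule names, profile names and SGT names are constructed, and rule statuses are left out to keep the precedence visible.

```python
"""Session authorization as a first-match rule table with an optional
exception policy, as described above. Added illustration, not ACS code;
request attributes, rule names, profile names and SGT names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Request = Dict[str, str]


@dataclass
class AuthzResult:
    profiles: List[str] = field(default_factory=list)  # authorization profiles (attributes, optional dACL)
    sgt: Optional[str] = None                           # Security Group Tag (TrustSec only)


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Request], bool]
    result: AuthzResult


def first_match(rules: Sequence[AuthzRule], req: Request) -> Optional[AuthzRule]:
    """Standard first-match table: the first rule whose conditions hold wins."""
    for rule in rules:
        if rule.condition(req):
            return rule
    return None


def authorize(req: Request, rules: Sequence[AuthzRule], default: AuthzResult,
              exception_rules: Sequence[AuthzRule] = ()) -> Tuple[str, AuthzResult]:
    """An exception rule result is always applied when one matches; otherwise
    the standard table is searched; otherwise the Default Rule result is used."""
    rule = first_match(exception_rules, req) or first_match(rules, req)
    if rule is None:
        return "Default Rule", default
    return rule.name, rule.result


def sample_tables():
    """Constructed standard rules, one exception rule, and a Default Rule result."""
    rules = [
        AuthzRule("Employees", lambda r: r.get("identity_group") == "Employees",
                  AuthzResult(["Employee-Profile"], sgt="Employees")),
        AuthzRule("Contractors", lambda r: r.get("identity_group") == "Contractors",
                  AuthzResult(["Contractor-Profile", "Web-Only-DACL"])),
    ]
    exceptions = [
        # Anything from the Lab NDG is restricted regardless of identity group
        AuthzRule("Lab-Exception", lambda r: r.get("ndg_location") == "Lab",
                  AuthzResult(["Lab-Profile"], sgt="Lab")),
    ]
    default = AuthzResult(["Deny-Access-Profile"])   # constructed name for the Default Rule result
    return rules, exceptions, default


if __name__ == "__main__":
    rules, exceptions, default = sample_tables()
    for req in ({"identity_group": "Employees", "ndg_location": "HQ"},
                {"identity_group": "Employees", "ndg_location": "Lab"},
                {"identity_group": "Guests", "ndg_location": "HQ"}):
        print(req, "->", authorize(req, rules, default, exceptions))
```

The second request shows the point the text makes about exception policies: the employee would otherwise receive Employee-Profile, but the Lab exception rule matches first and its result is applied unconditionally. Ordering within the standard table is the only other tie-breaker, which is why the page refers you elsewhere for how multiple authorization profiles on one rule are merged.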

To configure an authorization policy, see these topics:

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

For information about creating an authorization policy for:

Host Lookup requests, see ACS and Cisco TrustSec.

TrustSec support, see Creating an Endpoint Admission Control Policy.


Step 1 Select Access Policies > Access Services > service > Authorization.

Step 2 Complete the fields as described in Table 10-15:

Table 10-15 Network Access Authorization Policy Page 

Option
Description

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The name of the rule.

Conditions

Identity Group

The internal identity group that the rule matches against.

NDG:name

Network device group. The two predefined NDGs are Location and Device Type.

Condition Name

The conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Shell Profile

Displays the authorization profile that will be applied when the corresponding rule is matched.

When you enable the TrustSec feature, you can customize rule results; a rule can determine the access permission of an endpoint, the security group of that endpoint, or both. The columns that appear reflect the customization settings.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule

ACS applies the Default rule when:

Enabled rules are not matched.

No other rules are defined.

Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add.

When you enable the TrustSec feature, you can also choose the set of rule results: only session authorization profiles, only security groups, or both.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.



Configuring Network Access Authorization Rule Properties

Use this page to create, duplicate, and edit the rules to determine access permissions in a network access service.


Step 1 Select Access Policies > Access Services > <service> > Authorization, and click Create, Edit, or Duplicate.

Step 2 Complete the fields as described in Table 10-16:

Table 10-16 Network Access Authorization Rule Properties Page  

Option
Description
General

Name

The name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

<condition(s)>

The conditions that you can configure for the rule. By default the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.

The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions.

Results

Authorization Profiles

A list of available and selected profiles. You can choose multiple authorization profiles to apply to a request. See Processing Rules with Multiple Authorization Profiles for information about the importance of authorization profile order when resolving conflicts.

Security Group

(TrustSec only) The security group to apply.

When you enable TrustSec, you can customize the results options to display only session authorization profiles, only security groups, or both.




Tip Do not configure more than 300 authorization rules on your ACS server. Beyond this, performance of the ACS server deteriorates.


Configuring Device Administration Authorization Policies

A device administration authorization policy determines the authorizations and permissions for network administrators.

You create an authorization policy during access service creation. See Configuring General Access Service Properties for details of the Access Service Create page.

Use this page to:

View rules.

Delete rules.

Open pages that enable you to create, duplicate, edit, and customize rules.

Select Access Policies > Access Services > service > Authorization.

The Device Administration Authorization Policy page appears as described in Table 10-17.

Table 10-17 Device Administration Authorization Policy Page 

Option
Description

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The name of the rule.

Conditions

The conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Displays the shell profiles and command sets that will be applied when the corresponding rule is matched.

You can customize rule results; a rule can apply shell profiles, or command sets, or both. The columns that appear reflect the customization settings.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Default Rule

ACS applies the Default rule when:

Enabled rules are not matched.

No other rules are defined.

Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button

Opens the Customize page in which you choose the types of conditions and results to use in policy rules. The Conditions and Results columns reflect your customized settings.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.


Configuring Device Administration Authorization Rule Properties

Use this page to create, duplicate, and edit the rules to determine authorizations and permissions in a device administration access service.

Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate.

The Device Administration Authorization Rule Properties page appears as described in Table 10-18.

Table 10-18 Device Administration Authorization Rule Properties Page   

Option
Description
General

Name

The name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

<condition(s)>

The conditions that you can configure for the rule. By default the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page.

The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions.

Results

Shell Profiles

The shell profile to apply for the rule.

Command Sets

A list of available and selected command sets. You can choose multiple command sets to apply.


Configuring Device Administration Authorization Exception Policies

You can create a device administration authorization exception policy for a defined authorization policy. Results from the exception rules always override authorization policy rules.

Use this page to:

View exception rules.

Delete exception rules.

Open pages that create, duplicate, edit, and customize exception rules.

Select Access Policies > Access Services > service > Authorization, and click Device Administration Authorization Exception Policy.

The Device Administration Authorization Exception Policy page appears as described in Table 10-19.

Table 10-19 Device Administration Authorization Exception Policy Page 

Option
Description

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The name of the rule.

Conditions

Identity Group

The internal identity group against which the rule matches.

NDG:<name>

Network device group. The two predefined NDGs are Location and Device Type.

Condition Name

The conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Displays the shell profile and command sets that will be applied when the corresponding rule is matched.

You can customize rule results; a rule can determine the shell profile, the command sets, or both. The columns that appear reflect the customization settings.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions and results as in the corresponding authorization policy.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.


Configuring Shell/Command Authorization Policies for Device Administration

When you create an access service and select a service policy structure for Device Administration, ACS automatically creates a shell/command authorization policy. You can then create and modify policy rules.

The web interface supports the creation of multiple command sets for device administration. With this capability, you can maintain a smaller number of basic command sets. You can then choose the command sets in combination as rule results, rather than maintaining all the combinations themselves in individual command sets.

You can also create an authorization policy with an exception policy, which can override the standard policy results. See Configuring Authorization Exception Policies.

For information about how ACS processes rules with multiple command sets, see Processing Rules with Multiple Command Sets.
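The following Python is an added example, not code from this guide or from ACS, that models how a rule whose result selects several small command sets authorizes one command line. The row fields (Grant with Permit, Deny or Deny Always; Command; Arguments as a regular expression) and the per-set option to permit any command not in the table are assumed names for this example. The combination order coded here, a Deny Always match in any selected set wins, otherwise any set whose first matching row is Permit allows the command, otherwise the command is denied, is also an assumption made for the example; the authoritative order is in Processing Rules with Multiple Command Sets. The sample command sets are constructed.

```python
import re
from dataclasses import dataclass, field

PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny Always"


@dataclass
class Entry:
    """One row of a command set (field names assumed for this example)."""
    grant: str            # PERMIT, DENY or DENY_ALWAYS
    command: str          # command keyword, compared exactly
    arguments: str = ""   # regex over the rest of the line; "" matches any arguments

    def matches(self, command: str, args: str) -> bool:
        return command == self.command and re.fullmatch(self.arguments or ".*", args) is not None


@dataclass
class CommandSet:
    name: str
    entries: list = field(default_factory=list)
    permit_unmatched: bool = False   # "permit any command not in the table" option (assumed)

    def verdict(self, command: str, args: str) -> str:
        """Per-set verdict: DENY_ALWAYS if any Deny Always row matches, otherwise the
        grant of the first matching row, otherwise the set's unmatched default."""
        matched = [e for e in self.entries if e.matches(command, args)]
        if any(e.grant == DENY_ALWAYS for e in matched):
            return DENY_ALWAYS
        if matched:
            return matched[0].grant
        return PERMIT if self.permit_unmatched else DENY


def authorize(selected: list, line: str) -> bool:
    """Combine the verdicts of every command set chosen as the rule result
    (the combination order is an assumption of this example, see the lead-in)."""
    command, _, args = line.strip().partition(" ")
    verdicts = [cs.verdict(command, args) for cs in selected]
    if DENY_ALWAYS in verdicts:      # a Deny Always match in any set cannot be overridden
        return False
    return PERMIT in verdicts        # otherwise one permitting set is enough


# Constructed sample command sets: small building blocks that rules combine,
# instead of one large set per administrator role.
READ_ONLY = CommandSet("ReadOnly", [
    Entry(PERMIT, "show"),
    Entry(PERMIT, "exit"),
])
INTERFACE_ADMIN = CommandSet("InterfaceAdmin", [
    Entry(PERMIT, "configure", "terminal"),
    Entry(PERMIT, "interface", r"GigabitEthernet\S+"),
    Entry(PERMIT, "shutdown"),
    Entry(PERMIT, "no", "shutdown"),
    Entry(PERMIT, "description", ".*"),
], permit_unmatched=True)   # deliberately permissive, to show the Deny Always override
NO_RELOAD = CommandSet("NoReload", [
    Entry(DENY_ALWAYS, "reload"),
    Entry(DENY_ALWAYS, "write", "erase"),
])


if __name__ == "__main__":
    helpdesk = [READ_ONLY]
    netops = [READ_ONLY, INTERFACE_ADMIN, NO_RELOAD]
    for line in ("show running-config", "configure terminal", "reload", "write erase"):
        print(f"{line:22} helpdesk={authorize(helpdesk, line)}  netops={authorize(netops, line)}")
```

The point of the NoReload set is that a guard-rail set can be added to any rule result without editing the sets that grant access: InterfaceAdmin alone permits reload through its permit-unmatched option, but InterfaceAdmin plus NoReload denies it.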

To configure rules, see:

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

Configuring Authorization Exception Policies

An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to grant provisional access to visitors or increase the level of access to specific users. Use exception policies to react efficiently to changing circumstances and events.

The results from the exception rules always override the standard authorization policy rules.

You create exception policies in a separate rule table from the main authorization policy table. You do not need to use the same policy conditions in the exception policy as you used in the corresponding standard authorization policy.

To access the exception policy rules page:


Step 1 Select Access Policies > Service Selection Policy > service > authorization policy, where service is the name of the access service, and authorization policy is the session authorization or shell/command set authorization policy.

Step 2 In the Rule-Based Policy page, click the Exception Policy link above the rules table.

The Exception Policy table appears with the fields described in Table 10-20:

Table 10-20 Network Access Authorization Exception Policy Page 

Option
Description

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The name of the rule.

Conditions

Identity Group

The internal identity group against which the rule matches.

NDG:<name>

Network device group. The two predefined NDGs are Location and Device Type.

Condition Name

The conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Displays the authorization profile that will be applied when the corresponding rule is matched.

When you enable the TrustSec feature, you can customize rule results; a rule can determine the access permission of an endpoint, the security group of that endpoint, or both. The columns that appear reflect the customization settings.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions as in the corresponding authorization policy.

When you enable the TrustSec feature, you can also choose the set of rule results; only session authorization profiles, only security groups, or both.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.



To configure rules, see:

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

Related Topics

Configuring a Session Authorization Policy for Network Access

Configuring Shell/Command Authorization Policies for Device Administration

Creating Policy Rules

When you create rules, remember that the order of the rules is important. ACS evaluates the rules in a policy from the top down. When a request matches a rule, processing stops and ACS applies the result of that rule; no further rules are considered. A broad rule placed above a more specific one therefore shadows it.

The Default Rule provides a default policy in cases where no rules are matched or defined. You can edit the result of a default rule.
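The following Python is an added example, not code from this guide or from ACS, of a first-match rule table as described above and in Configuring Authorization Exception Policies: rules are evaluated top down, a Disabled rule is skipped, a Monitor rule is counted and logged but its result is not applied, the Default Rule supplies the result when nothing matches, and a matching exception rule overrides the standard table. That evaluation continues past a Monitor rule is the modelled behaviour, an assumption of this example. The attribute names, groups, profiles and rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

ENABLED, DISABLED, MONITOR = "Enabled", "Disabled", "Monitor"


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # the rule's (possibly compound) condition
    result: str                         # e.g. a shell profile or authorization profile name
    status: str = ENABLED
    hit_count: int = 0


@dataclass
class RuleTable:
    rules: list
    default_result: Optional[str] = None   # None: no Default Rule (an exception policy table)
    log: list = field(default_factory=list)

    def evaluate(self, request: dict) -> Optional[str]:
        """Evaluate top down; the first Enabled match ends processing.

        Disabled rules are skipped.  A Monitor rule is evaluated and logged, but its
        result is not applied and evaluation continues (assumption of this example).
        Returns the Default Rule result when nothing matches, or None if there is none.
        """
        for rule in self.rules:
            if rule.status == DISABLED or not rule.condition(request):
                continue
            rule.hit_count += 1
            if rule.status == MONITOR:
                self.log.append(f"monitor-only: {rule.name} would return {rule.result}")
                continue
            self.log.append(f"matched: {rule.name} -> {rule.result}")
            return rule.result
        if self.default_result is not None:
            self.log.append(f"default rule -> {self.default_result}")
        return self.default_result


@dataclass
class AuthorizationPolicy:
    standard: RuleTable
    exception: Optional[RuleTable] = None

    def evaluate(self, request: dict) -> str:
        """Exception rules always override the standard policy rules."""
        if self.exception is not None:
            result = self.exception.evaluate(request)
            if result is not None:
                return result
        return self.standard.evaluate(request)


def build_policy(lab_rule_first: bool) -> AuthorizationPolicy:
    """Constructed sample policy; group, NDG and profile names are invented."""
    contractors = Rule("Contractors-Deny", lambda r: r["identity_group"] == "Contractors", "DenyAccess")
    lab = Rule("Lab-Devices", lambda r: r["ndg_location"] == "Lab", "Profile-Lab")
    netops = Rule("NetOps-Full", lambda r: r["identity_group"] == "NetOps", "Profile-Full")
    trial = Rule("NewRule-Trial", lambda r: r["identity_group"] == "NetOps", "Profile-Trial",
                 status=MONITOR)   # watch a new rule without applying it
    order = [lab, contractors] if lab_rule_first else [contractors, lab]
    standard = RuleTable(rules=[trial] + order + [netops], default_result="DenyAccess")
    exception = RuleTable(rules=[
        Rule("Visitor-ReadOnly",
             lambda r: r["identity_group"] == "Visitors" and r["ndg_location"] == "Lab",
             "Profile-ReadOnly"),
    ])
    return AuthorizationPolicy(standard, exception)


if __name__ == "__main__":
    contractor_in_lab = {"identity_group": "Contractors", "ndg_location": "Lab"}
    for first in (True, False):
        print(f"Lab rule first={first}: {build_policy(first).evaluate(contractor_in_lab)}")
    policy = build_policy(lab_rule_first=False)
    print(policy.evaluate({"identity_group": "NetOps", "ndg_location": "HQ"}), policy.standard.log)
```

The same contractor request is granted Profile-Lab or DenyAccess depending only on which of two Enabled rules sits higher in the table, which is the ordering point made above; the Monitor rule shows up in the log and in its hit count without changing the result.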

Before You Begin

Configure the policy conditions and results. See Managing Policy Conditions.

Select the types of conditions and results that the policy rules apply. See Customizing a Policy.

To create a new policy rule:


Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy. If you:

Previously created a rule-based policy, the Rule-Based Policy page appears, with a list of configured rules.

Have not created a rule-based policy, the Simple Policy page appears. Click Rule-Based.

Step 2 In the Rule-Based Policy page, click Create.

The Rule page appears.

Step 3 Define the rule.

Step 4 Click OK.

The Policy page appears with the new rule.

Step 5 Click Save Changes to save the new rule.


To configure a simple policy to use the same result for all requests that an access service processes, see:

Viewing Identity Policies

Configuring a Group Mapping Policy

Configuring a Session Authorization Policy for Network Access

Configuring Shell/Command Authorization Policies for Device Administration

Related Topics

Duplicating a Rule

Editing Policy Rules

Deleting Policy Rules

Duplicating a Rule

You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parentheses to indicate duplication; for example, Rule-1(1).

After duplication is complete, you access each rule (original and duplicated) separately.


Note You cannot duplicate the Default rule.


To duplicate a rule:


Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy.

The Policy page appears with a list of configured rules.

Step 2 Check the check box next to the rule that you want to duplicate. You cannot duplicate the Default Rule.

Step 3 Click Duplicate.

The Rule page appears.

Step 4 Change the name of the rule and complete the other applicable field options.

Step 5 Click OK.

The Policy page appears with the new rule.

Step 6 Click Save Changes to save the new rule.


Related Topics

Creating Policy Rules

Editing Policy Rules

Deleting Policy Rules

Editing Policy Rules

You can edit all values of policy rules; you can also edit the result in the Default rule.

To edit a rule:


Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy.

The Policy page appears, with a list of configured rules.

Step 2 Click the name of the rule that you want to modify; or, check the check box next to the rule and click Edit.

The Rule page appears.

Step 3 Edit the appropriate values.

Step 4 Click OK.

The Policy page appears with the edited rule.

Step 5 Click Save Changes to save the new configuration.


Related Topics

Creating Policy Rules

Duplicating a Rule

Deleting Policy Rules

Deleting Policy Rules


Note You cannot delete the Default rule.


To delete a policy rule:


Step 1 Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy.

The Policy page appears, with a list of configured rules.

Step 2 Check one or more check boxes next to the rules that you want to delete.

Step 3 Click Delete.

The Policy page appears without the deleted rule(s).

Step 4 Click Save Changes to save the new configuration.


Related Topics

Creating Policy Rules

Duplicating a Rule

Editing Policy Rules

Configuring Compound Conditions

Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page; you cannot define them as separate condition objects.

This section contains the following topics:

Compound Condition Building Blocks

Types of Compound Conditions

Using the Compound Expression Builder

Compound Condition Building Blocks

Figure 10-1 shows the building blocks of a compound condition.

Figure 10-1 Building Blocks of a Compound Condition

Operands—Any attribute or condition type, such as Protocol/Request Attributes, Identity Attributes, Identity Groups, Network Device Groups (NDGs), Date/Time, and Custom or Standard Conditions.

Relational Operators—Operators that specify the relation between an operand and a value; for example, equals (=), or does not match. The operators that you can use in any condition vary according to the type of operand.

Binary condition—A binary condition defines the relation between a specified operand and value; for example, [username = "Smith"].

Logical Operators—The logical operators operate on or between binary conditions. The supported logical operators are AND and OR.

Precedence Control—You can alter the precedence of logical operators by using parentheses. Nested parentheses provide administrator control of precedence. The natural precedence of logical operators, that is, without parenthesis intervention, is NOT, AND, OR, where NOT has the highest precedence and OR the lowest.

Related Topics

Types of Compound Conditions

Using the Compound Expression Builder

Types of Compound Conditions

You can create three types of compound conditions:

Atomic Condition

Consists of a single predicate and is the only entry in the list. Because all simple conditions in a rule table, except for NDGs, assume the equals (=) operation between the attribute and value, the atomic condition is used to choose an operator other than equals (=). See Figure 10-2 for an example.

Figure 10-2 Compound Expression - Atomic Condition

Single Nested Compound Condition

Consists of a single operator followed by a set of two or more predicates. The operator is applied between each of the predicates. See Figure 10-3 for an example. The preview window displays parentheses [()] to indicate precedence of logical operators.

Figure 10-3 Single Nested Compound Expression

Multiple Nested Compound Condition

You can extend a single nested compound condition by replacing any predicate in the condition with another single nested compound condition. See Figure 10-4 for an example. The preview window displays parentheses [()] to indicate precedence of logical operators.

Figure 10-4 Multiple Nested Compound Expression

Related Topics

Compound Condition Building Blocks

Using the Compound Expression Builder

Using the Compound Expression Builder

You construct compound conditions by using the expression builder in Rule Properties pages. The expression builder contains two sections: a predicate builder to create primary conditions and controls for managing the expression.

In the first section, you define the primary conditions; choose the dictionary and attribute to define the operand, then choose the operator, and specify a value for the condition. Use the second section to organize the order of conditions and the logical operators that operate on or between binary conditions.

Table 10-21 describes the fields in the compound expression builder.

Table 10-21 Expression Builder Fields   

Field
Description
Condition

Use this section to define the primary conditions.

Dictionary

Specifies the dictionary from which to take the operand. These available options depend on the policy that you are defining. For example, when you define a service selection policy, the Identity dictionaries are not available.

Attribute

Specifies the attribute that is the operand of the condition. The available attributes depend on the dictionary that you chose.

Operator

The available relational operators depend on the attribute that you chose as the operand.

Value

The condition value. The type of this field depends on the type of condition or attribute.

Current Condition Set

Use this section to organize the order of conditions and the logical operators that operate on or between binary conditions.

Condition list

Displays a list of defined binary conditions for the compound conditions and their associated logical operators.

Add

After you define a binary condition, click Add to add it to the Condition list.

Edit

To edit a binary condition, select the condition in the Condition list and click Edit. The condition properties appear in the Condition fields. Modify the condition as required, then click Replace.

Replace

Click to replace the selected condition with the condition currently defined in the Condition fields.

And

Or

Specifies the logical operator on a selected condition, or between the selected condition and the one above it. Click the appropriate operator, and click Insert to add the operator as a separate line; click the operator and click Replace, to replace the selected line.

Delete

Click to delete the selected binary condition or operator from the condition list.

Preview

Click to display the current expression in its fully parenthesized form. The rule table displays this parenthesized form after the compound expression is created.
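The following Python is an added example, not code from this guide or from ACS, that models the compound condition building blocks, the three condition types, and what the expression builder's Preview shows. A Predicate is a binary condition (dictionary:attribute, relational operator, value); a Compound applies one logical operator across two or more operands and nests to form a multiple nested condition; preview() renders the fully parenthesized form; and from_condition_list() turns the builder's flat Condition list (predicates separated by And/Or lines) into a tree using the natural precedence, AND before OR. The dictionaries, attributes, values and the set of relational operators are invented for the example; a predicate whose attribute is absent from the request is treated as not matching, which is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Union

# Relational operators for this example (the real set depends on the operand type).
RELATIONAL = {
    "=":           lambda a, v: a == v,
    "!=":          lambda a, v: a != v,
    "matches":     lambda a, v: re.fullmatch(v, str(a)) is not None,
    "not matches": lambda a, v: re.fullmatch(v, str(a)) is None,
    "<":           lambda a, v: a < v,
    ">=":          lambda a, v: a >= v,
}


@dataclass
class Predicate:
    """A binary condition: operand (dictionary:attribute), relational operator, value."""
    dictionary: str
    attribute: str
    operator: str
    value: object

    def evaluate(self, request: dict) -> bool:
        attr = request.get(f"{self.dictionary}:{self.attribute}")
        if attr is None:      # attribute not present in the request: no match (assumption)
            return False
        return RELATIONAL[self.operator](attr, self.value)

    def preview(self) -> str:
        return f'({self.dictionary}:{self.attribute} {self.operator} "{self.value}")'


@dataclass
class Compound:
    """One logical operator applied between two or more operands; operands may nest."""
    operator: str    # "AND" or "OR"
    operands: list   # Predicate or Compound instances

    def __post_init__(self):
        if self.operator not in ("AND", "OR") or len(self.operands) < 2:
            raise ValueError("a nested compound needs AND/OR and at least two operands")

    def evaluate(self, request: dict) -> bool:
        results = (o.evaluate(request) for o in self.operands)
        return all(results) if self.operator == "AND" else any(results)

    def preview(self) -> str:
        return "(" + f" {self.operator} ".join(o.preview() for o in self.operands) + ")"


def from_condition_list(items: list) -> Union[Predicate, Compound]:
    """Build a tree from the builder's flat list [pred, "AND", pred, "OR", pred, ...]
    with the natural precedence (AND binds tighter than OR), so that
    a AND b OR c becomes ((a AND b) OR c), which is what Preview displays."""
    preds, ops = items[0::2], items[1::2]
    if any(op not in ("AND", "OR") for op in ops) or len(preds) != len(ops) + 1:
        raise ValueError("expected predicates alternating with AND/OR lines")
    groups, current = [], [preds[0]]
    for op, pred in zip(ops, preds[1:]):
        if op == "AND":
            current.append(pred)
        else:
            groups.append(current)
            current = [pred]
    groups.append(current)
    terms = [g[0] if len(g) == 1 else Compound("AND", g) for g in groups]
    return terms[0] if len(terms) == 1 else Compound("OR", terms)


# Constructed samples (names invented): an atomic condition, a single nested one,
# a multiple nested one, and a flat builder list.
NOT_SERVICE_ACCOUNT = Predicate("Identity", "username", "not matches", r"svc-.*")   # atomic
LAB_OR_DC = Compound("OR", [Predicate("NDG", "Location", "=", "Lab"),
                            Predicate("NDG", "Location", "=", "DataCenter")])      # single nested
ADMIN_IN_LAB_OR_DC = Compound("AND", [Predicate("Identity", "group", "=", "NetAdmins"),
                                      NOT_SERVICE_ACCOUNT, LAB_OR_DC])              # multiple nested
FLAT = [Predicate("Identity", "group", "=", "NetAdmins"), "AND",
        Predicate("NDG", "Location", "=", "Lab"), "OR",
        Predicate("Identity", "group", "=", "Auditors")]

if __name__ == "__main__":
    print(ADMIN_IN_LAB_OR_DC.preview())
    print(from_condition_list(FLAT).preview())
    print(ADMIN_IN_LAB_OR_DC.evaluate({"Identity:group": "NetAdmins",
                                       "Identity:username": "alice", "NDG:Location": "Lab"}))
```

The flat list is the case to check: read left to right it looks like "NetAdmins in the Lab, or Auditors", and with AND binding tighter that is exactly what it means; reading it as "NetAdmins, and either in the Lab or an Auditor" would be wrong, and the parenthesized Preview is how you tell the two apart before saving the rule.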


Related Topics

Compound Condition Building Blocks

Types of Compound Conditions

TrustSec Access Control Pages

This section contains the following topics:

Egress Policy Matrix Page

Editing a Cell in the Egress Policy Matrix

Defining a Default Policy for Egress Policy Page

NDAC Policy Page

NDAC Policy Properties Page

Network Device Access EAP-FAST Settings Page

Egress Policy Matrix Page

The Egress policy, also known as an SGACL policy, determines which SGACLs to apply at the Egress points of the network, based on the source and destination SGTs. ACS presents the Egress policy as a matrix; it displays all the security groups in the source and destination axes. Each cell in the matrix can contain a set of ACLs to apply to the corresponding source and destination SGTs.

The network devices add the default policy to the specific policies that you defined for the cells. For empty cells, only the default policy applies.

Use the Egress policy matrix to view, define, and edit the sets of ACLs to apply to the corresponding source and destination SGTs.

To display this page, choose Access Policies > TrustSec Access Control > Egress Policy.

Table 10-22 Egress Policy Matrix Page 

Option
Description

Destination Security Group

Column header displaying all destination security groups.

Source Security Group

Row header displaying all source security groups.

Cells

Contain the SGACLs to apply to the corresponding source and destination security group.

Edit

Click a cell, then click Edit to open the Edit dialog box for that cell. See Editing a Cell in the Egress Policy Matrix.

Default Policy

Click to open a dialog box to define the default Egress policy. See Defining a Default Policy for Egress Policy Page.

Set Matrix View

To change the Egress policy matrix display, choose an option, then click Go:

All—Clears all the rows and columns in the Egress policy matrix.

Customize View—Launches a window where you can customize source and destination security groups corresponding to the selected cell.


Related Topic

Creating an Egress Policy

Editing a Cell in the Egress Policy Matrix

Use this page to configure the policy for the selected cell. You can configure the SGACLs to apply to the corresponding source and destination security group.

To display this page, choose Access Policies > TrustSec Access Control > Egress Policy, select a cell, then click Edit.

Table 10-23 Edit Cell Page 

Option
Description

Configure Security Groups

Display only. Displays the source and destination security group name for the selected cell.

General

A description for the cell policy.

ACLs

Move the SGACLs that you want to apply to the corresponding source and destination security group from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and Down (v) arrows.


Related Topic

Creating an Egress Policy

Defining a Default Policy for Egress Policy Page

Use this page to define the default Egress policy. The network devices add the default policy to the specific policies defined for the cells. For empty cells, only the default policy applies.

To display this page, choose Access Policies > TrustSec Access Control > Egress Policy, then click Default Policy.

Table 10-24 Default Policy Page 

Option
Description

ACLs

Move the SGACLs that you want to apply to the corresponding source and destination security group from the Available list to the Selected list. To specify the order of the list of SGACLs, use the Up (^) and Down (v) arrows.

Select Permit All or Deny All as a final catch-all rule.
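The following Python is an added example, not code from this guide or from ACS, of how the egress policy matrix, the default policy and the catch-all rule described above combine on the enforcing device: the cell's ordered SGACLs are consulted first, then the default policy SGACLs, and the catch-all decides anything still unmatched, so an empty cell gets only the default policy. The SGACL entry format used here (action, protocol, optional destination port; no addresses, since the SGT pair already selects the SGACL) is a simplification assumed for the example, and the security group and SGACL names are invented.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """A simplified SGACL entry (assumed format for this example)."""
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "icmp", or "ip" for any protocol
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass
class Sgacl:
    name: str
    aces: list


@dataclass
class EgressPolicy:
    cells: dict = field(default_factory=dict)         # (src SGT, dst SGT) -> ordered [Sgacl, ...]
    default_acls: list = field(default_factory=list)  # Default Policy SGACLs, added to every cell
    catch_all: str = "deny"                           # final rule: "permit" (Permit All) or "deny" (Deny All)

    def effective_acls(self, src: str, dst: str) -> list:
        """What the device enforces for a pair: the cell's SGACLs, then the default policy.
        An empty cell therefore gets only the default policy."""
        return self.cells.get((src, dst), []) + self.default_acls

    def decide(self, src: str, dst: str, protocol: str, dst_port: Optional[int] = None):
        """First matching entry wins; returns (action, name of the SGACL that decided)."""
        for acl in self.effective_acls(src, dst):
            for ace in acl.aces:
                if ace.matches(protocol, dst_port):
                    return ace.action, acl.name
        return self.catch_all, "catch-all"


# Constructed sample matrix (security group and SGACL names invented for the example).
WEB_ONLY = Sgacl("Web-Only", [Ace("permit", "tcp", 443), Ace("permit", "tcp", 80)])
BLOCK_SMB = Sgacl("Block-SMB", [Ace("deny", "tcp", 445)])
PERMIT_IP = Sgacl("Permit-IP", [Ace("permit", "ip")])
DEFAULT_ICMP = Sgacl("Default-ICMP", [Ace("permit", "icmp")])

POLICY = EgressPolicy(
    cells={
        ("Employees", "Servers"): [WEB_ONLY],
        ("Employees", "Guests"): [BLOCK_SMB, PERMIT_IP],   # order matters: swapped, SMB is allowed
    },
    default_acls=[DEFAULT_ICMP],
    catch_all="deny",
)

if __name__ == "__main__":
    for src, dst, proto, port in (("Employees", "Servers", "tcp", 443),
                                  ("Employees", "Servers", "tcp", 22),
                                  ("Guests", "Servers", "icmp", None),
                                  ("Employees", "Guests", "tcp", 445)):
        print(src, "->", dst, proto, port, POLICY.decide(src, dst, proto, port))
```

Two things to check in your own matrix follow from this: the Up and Down arrows in the cell editor change the outcome whenever a deny SGACL and a broad permit SGACL share a cell, and a Permit All catch-all silently opens every pair that no cell or default SGACL addresses, so Deny All is the safer final rule when the matrix is still being filled in.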


Related Topics

Creating an Egress Policy

Creating a Default Policy

NDAC Policy Page

The Network Device Admission Control (NDAC) policy determines the SGT for network devices in a TrustSec environment. The NDAC policy handles:

Peer authorization requests from one device about its neighbor.

Environment requests (a device is collecting information about itself).

The policy returns the same SGT for a specific device, regardless of the request type.


Note You do not add an NDAC policy to an access service; it is implemented by default. However, for endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties, for information about creating a session authorization policy.


Use this page to configure a simple policy that assigns the same security group to all devices, or configure a rule-based policy.

To display this page, choose Access Policies > TrustSec Access Control > Network Device Access > Authentication Policy.

If you have already configured an NDAC policy, the corresponding Simple Policy page or Rule-based Policy page opens; otherwise, the Simple Policy page opens by default.

Simple Policy Page

Use this page to define a simple NDAC policy.

Table 10-25 Simple NDAC Policy Page  

Option
Description

Policy type

Defines the type of policy to configure:

Simple—Specifies that the result applies to all requests.

Rule-based—Configure rules to apply different results depending on the request.

If you switch between policy types, you will lose your previously saved policy configuration.

Security Group

Select the security group to assign to devices. The default is Unknown.


Rule-Based Policy Page

Use this page for a rule-based policy to:

View rules.

Delete rules.

Open pages that create, duplicate, edit, and customize rules.

Table 10-26 Rule-Based NDAC Policy Page  

Option
Description

Policy type

Defines the type of policy to configure:

Simple—Specifies the result to apply to all requests.

Rule-based—Configure rules to apply different results depending on the request.

If you switch between policy types, you will lose your previously saved policy configuration.

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name

The name of the rule. The Default Rule is available for conditions for which:

Enabled rules are not matched.

Rules are not defined.

Click a link to edit or duplicate a rule.

You can edit the Default Rule but you cannot delete, disable, or duplicate it.

Conditions

The conditions that you can use to define policy rules. To change the display of rule conditions, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Displays the security group assigned to the device when it matches the corresponding condition.

Hit Count

The number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions as in the corresponding authorization policy.


Caution If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts.


Related Topics:

Configuring an NDAC Policy

NDAC Policy Properties Page

NDAC Policy Properties Page

Use this page to create, duplicate, and edit rules to determine the SGT for a device.

To display this page, choose Access Policies > TrustSec Access Control > Network Device Access > Authentication Policy, then click Create, Edit, or Duplicate.


Note For endpoint admission control, you must define an access service and session authorization policy. See Configuring Network Access Authorization Rule Properties for information about creating a session authorization policy.


Table 10-27 NDAC Policy Properties Page  

Option
Description
General

Name

The name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status

The rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Conditions

<condition(s)>

The conditions that you can configure for the rule. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then enter the value.

If compound expression conditions are available, when you check Compound Expression, an expression builder appears. For more information, see Configuring Compound Conditions.

To change the list of conditions for the policy, click the Customize button in the NDAC Policy Page.

Results

Security Group

Select the security group to assign to the device when it matches the corresponding conditions.


Related Topics:

Configuring an NDAC Policy

NDAC Policy Page

Network Device Access EAP-FAST Settings Page

Use this page to configure parameters for the EAP-FAST protocol that the NDAC policy uses.

To display this page, choose Access Policies > TrustSec Access Control > Network Device Access.

Table 10-28 Network Device Access EAP-FAST Settings Page 

Option
Description
EAP-FAST Settings

Tunnel PAC Time To Live

The time to live (TTL), or duration, of a PAC before it expires and requires replacing.

Proactive PAC Update When % of PAC TTL is Left

The percentage of PAC TTL remaining when you should update the PAC.


Related Topics:

Configuring an NDAC Policy

Configuring EAP-FAST Settings for TrustSec

NDAC Policy Page