User Guide for Cisco Secure Access Control System 5.2
Managing System Administrators

Table Of Contents

Managing System Administrators

Understanding Administrator Roles and Accounts

Understanding Authentication

Configuring System Administrators and Accounts

Understanding Roles

Permissions

Predefined Roles

Changing Role Associations

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Viewing Predefined Roles

Viewing Role Properties

Configuring Authentication Settings for Administrators

Configuring Session Idle Timeout

Configuring Administrator Access Settings

Resetting the Administrator Password

Changing the Administrator Password

Changing Your Own Administrator Password

Resetting Another Administrator's Password


Managing System Administrators


System administrators are responsible for deploying, configuring, maintaining, and monitoring the ACS servers in your network. They can perform various operations in ACS through the ACS administrative interface. When you define an administrator in ACS, you assign a password and a role or set of roles that determine the access privilege the administrator has for the various operations.

When you create an administrator account, you initially assign a password, which the administrator can subsequently change through the ACS web interface. Irrespective of the roles that are assigned, the administrators can change their own passwords.

ACS provides the following configurable options to manage administrator passwords:

Password Complexity—Required length and character types for passwords.

Password History—Prevents repeated use of same passwords.

Password Lifetime—Forces the administrators to change passwords after a specified time period.

Account Inactivity—Disables the administrator account if it has not been in use for a specified time period.

Password Failures—Disables the administrator account after a specified number of consecutive failed login attempts.

In addition, ACS provides you configurable options that determine the IP addresses from which administrators can access the ACS administrative web interface and the session duration after which idle sessions are logged out from the system.

You can use the Monitoring & Report Viewer to monitor administrator access to the system. The Administrator Access report is used to monitor the administrators who are currently accessing or attempting to access the system.

You can view the Administrator Entitlement report to view the access privileges that the administrators have, the configuration changes that are done by administrators, and the administrator access details. In addition, you can use the Configuration Change and Operational Audit reports to view details of specific operations that each of the administrators perform.

The System Administrator section of the ACS web interface allows you to:

Create, edit, duplicate, or delete administrator accounts

Change the password of other administrators

View predefined roles

Associate roles to administrators

Configure authentication settings that include password complexity, account lifetime, and account inactivity

Configure administrator session setting

Configure administrator access setting

The first time you log in to ACS 5.2, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default). After you change the password, you can start configuring the system.

The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources. When you register a secondary instance to a primary instance, you can use any account created on the primary instance. The credentials that you create on the primary instance apply to the secondary instance.


Note After installation, the first time you log in to ACS, you must do so through the ACS web interface and install the licenses. You cannot log in to ACS through the CLI immediately after installation.


This section contains the following topics:

Understanding Administrator Roles and Accounts

Configuring System Administrators and Accounts

Understanding Roles

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Viewing Predefined Roles

Configuring Authentication Settings for Administrators

Configuring Session Idle Timeout

Configuring Administrator Access Settings

Resetting the Administrator Password

Changing the Administrator Password

Understanding Administrator Roles and Accounts

The first time you log in to ACS 5.2, you are prompted for the predefined administrator username (ACSAdmin) and required to change the predefined password (default).


Note You cannot rename, disable, or delete the ACSAdmin account.


After you change the password, you can start configuring the system. The predefined administrator has super administrator permissions—Create, Read, Update, Delete, and eXecute (CRUDX)—to all ACS resources.

If you do not need granular access control, the Super Admin role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

To create further granularity in your access control, follow these steps:

1. Define Administrators. See Configuring System Administrators and Accounts.

2. Associate roles to administrators. See Understanding Roles.

When these steps are completed, defined administrators can log in and start working in the system.

Understanding Authentication

An authentication request is the first operation for every management session. If authentication fails, the management session is terminated. But if authentication passes, the management session continues until the administrator logs out or the session times out.

ACS 5.2 authenticates every login operation by using user credentials (username and password). Then, by using the administrator and role definitions, ACS fetches the appropriate permissions and answers subsequent authorization requests.

The ACS user interface displays only the functions and options for which you have the necessary administrator privileges.


Note Allow a few seconds before logging back in so that changes in the system have time to propagate.


Related Topics

Understanding Administrator Roles and Accounts

Configuring System Administrators and Accounts

Configuring System Administrators and Accounts

This section contains the following topics:

Understanding Roles

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Viewing Role Properties

Understanding Roles

Roles consist of typical administrator tasks, each with an associated set of permissions. Each administrator can have more than one predefined role, and a role can apply to multiple administrators. As a result, you can configure multiple tasks for a single administrator and multiple administrators for a single task.

You use the Administrator Accounts page to assign roles. In general, a precise definition of roles is the recommended starting point. Refer to Creating, Duplicating, Editing, and Deleting Administrator Accounts for more information.


Note The ACS web interface displays only the functions for which you have privileges. For example, if your role is Network Device Admin, the System Administration drawer does not appear because you do not have permissions for the functions in that drawer.


Permissions

A permission is an access right that applies to a specific administrative task. Permissions consist of:

A Resource - The list of ACS components that an administrator can access, such as network resources, or policy elements.

Privileges - The privileges are Create, Read, Update, Delete, and eXecute (CRUDX). Some privileges cannot apply to a given resource. For example, the user resource cannot be executed.

A resource granted to an administrator without any privileges gives that administrator no access to the resource. In addition, privileges are discrete: granting Create, Update, and Delete on a resource does not implicitly grant Read, which must be granted separately.

If no permission is defined for an object, the administrator cannot access this object, not even for reading.


Note You cannot make permission changes.


Predefined Roles

Table 16-1 shows the predefined roles included in ACS:

Table 16-1 Predefined Role Descriptions  

Role
Privileges

ChangeAdminPassword

This role is intended for ACS administrators who manage other administrator accounts. This role entitles the administrator to change the password of other administrators.

ChangeUserPassword

This role is intended for ACS administrators who manage internal user accounts. This role entitles the administrator to change the password of internal users.

NetworkDeviceAdmin

This role is intended for ACS administrators who need to manage the ACS network device repository only, such as adding, updating, or deleting devices. This role has the following permissions:

Read and write permissions on network devices

Read and write permissions on NDGs and all object types in the Network Resources drawer

PolicyAdmin

This role is intended for the ACS policy administrator responsible for creating and managing ACS access services and access policy rules, and the policy elements referenced by the policy rules. This role has the following permissions:

Read and write permissions on all the elements used in policies, such as authorization profile, NDGs, IDGs, conditions, and so on

Read and write permissions on services policy

ReadOnlyAdmin

This role is intended for ACS administrators who need read-only access to all parts of the ACS user interface.

This role has read-only access to all resources

ReportAdmin

This role is intended for administrators who need access to the ACS Monitoring & Report Viewer to generate and view reports or monitoring data only.

This role has read-only access on logs.

SecurityAdmin

This role is required in order to create, update, or delete ACS administrator accounts, to assign administrative roles, and to change the ACS password policy. This role has the following permissions:

Read and write permissions on internal protocol users and administrator password policies

Read and write permissions on administrator account settings

Read and write permissions on administrator access settings

SuperAdmin

The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account.

This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.

SystemAdmin

This role is intended for administrators responsible for ACS system configuration and operations. This role has the following permissions:

Read and write permissions on all system administration activities except for account definition

Read and write permissions on ACS instances

UserAdmin

This role is intended for administrators who are responsible for adding, updating, or deleting entries in the internal ACS identity stores, which includes internal users and internal hosts. This role has the following permissions:

Read and write permissions on users and hosts

Read permission on IDGs



Note At first login, only the Super Admin is assigned to a specific administrator.


Related Topics

Administrator Accounts and Role Association

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Changing Role Associations

By design, all roles in ACS are predefined and cannot be changed. ACS allows you to only change role associations. Owing to the potential ramifications on the system's entire authorization status, the ACS Super Admin and SecurityAdmin roles alone have the privilege to change role associations.

Changes in role associations take effect only after the affected administrators log out and log in again. At the new login, ACS reads and applies the role association changes.


Note You must be careful in assigning the ACS Super Admin and SecurityAdmin roles because of the global ramifications of role association changes.


Administrator Accounts and Role Association

Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignment.


Note It is recommended that you create a unique administrator for each person. In this way, operations are clearly recorded in the audit log.


Administrators are authenticated against the internal database only.

You can edit and delete existing accounts. However, the web interface displays an error message if you attempt to delete or disable the last super administrator.

Only appropriate administrators can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there.

Related Topics

Understanding Roles

Creating, Duplicating, Editing, and Deleting Administrator Accounts

Creating, Duplicating, Editing, and Deleting Administrator Accounts

To create, duplicate, edit, or delete an administrator account:


Step 1 Choose System Administration > Administrators > Accounts.

The Administrators page appears with a list of configured administrators as described in Table 16-2:

Table 16-2 Accounts Page 

Option
Description

Status

The current status of this administrator:

Enabled—This administrator is active.

Disabled—This administrator is not active.

You cannot log in to ACS with a disabled admin account.

Name

The name of the administrator.

Role(s)

The roles assigned to the administrator.

Description

A description of this administrator.


Step 2 Do any of the following:

Click Create.

Check the check box next to the account that you want to duplicate and click Duplicate.

Click the account that you want to modify; or, check the check box for the Name and click Edit.

Check the check box next to the account for which you want to change the password and click Change Password. See Resetting Another Administrator's Password for more information.


Note On the Duplicate page, you must change at least the Admin Name.


Check one or more check boxes next to the accounts that you want to delete and click Delete.


Note Firefox does not display a warning message when you try to delete the last recovery admin account from the ACS web interface if you have checked the "Prevent this page from creating additional dialogs" check box.


Step 3 Complete the Administrator Accounts Properties page fields as described in Table 16-3:

Table 16-3 Administrator Accounts Properties Page  

Option
Description
General

Admin Name

The configured name of this administrator. If you are duplicating an account, be sure to enter a unique name.

Status

From the Status drop-down menu, select whether the account is enabled or disabled. This option is disabled if you check the Account never disabled check box.

Description

A description of this administrator.

Email Address

Administrator e-mail address. ACS View will direct alerts to this e-mail address.

Account never disabled

Check to ensure that your account is never disabled. Your account will not be disabled even when:

Your password expires

Your account becomes inactive

You exceed the specified number of login retries

Authentication Information

Password

Authentication password.

Confirm Password

Confirmation of the authentication password.

Change password on next login

Check to prompt the user for a new password at the next login.

Role Assignment

Available Roles

A list of all configured roles. Select the roles that you want to assign for this administrator and click >. Click >> to assign all the roles for this administrator.

Assigned Roles

The roles that apply to this administrator.


Step 4 Click Submit.

The new account is saved. The Administrators page appears, with the new account that you created or duplicated.


Related Topics

Understanding Roles

Administrator Accounts and Role Association

Viewing Predefined Roles

Configuring Authentication Settings for Administrators

Viewing Predefined Roles

See Table 16-1 for description of the predefined roles included in ACS.

To view predefined roles:

Choose System Administration > Administrators > Roles.

The Roles page appears with a list of predefined roles. Table 16-4 describes the Roles page fields.

Table 16-4 Roles Page 

Field
Description

Name

A list of all configured roles. See Predefined Roles for a list of predefined roles.

Description

The description of each role.


Viewing Role Properties

Use this page to view the properties of each role.

Choose System Administration > Administrators > Roles, and click a role or choose the role's radio button and click View.

The Roles Properties page appears as described in Table 16-5:

Table 16-5 Roles Properties Page 

Field
Description

Name

The name of the role. Roles are predefined and cannot be created, duplicated, or edited. See Table 16-1 for a list of predefined roles.

Description

The description of the role. See Predefined Roles for more information.

Permissions List

Resource

A list of available resources.

Privileges

The privileges that can be assigned to each resource. If a privilege does not apply, the privilege check box is dimmed (not available).

Row color is irrelevant to availability of a given privilege and is determined by the explicit text in the Privileges column.


Related Topics

Understanding Roles

Administrator Accounts and Role Association

Configuring Authentication Settings for Administrators

Configuring Authentication Settings for Administrators

Authentication settings are a set of rules that enhance security by forcing administrators to use strong passwords, regularly change their passwords, and so on. Any password policy changes that you make apply to all ACS system administrator accounts.

To configure a password policy:


Step 1 Choose System Administration > Administrators > Settings > Authentication.

The Password Policies page appears with the Password Complexity and Advanced tabs.

Step 2 In the Password Complexity tab, check each check box that you want to use to configure your administrator password.

Table 16-6 describes the fields in the Password Complexity tab.

Table 16-6 Password Complexity Tab 

Option
Description
Applies to all ACS system administrator accounts

Minimum length

The required minimum length; the valid options are 4 to 20.

Password may not contain the username or its characters in reversed order

Check to specify that the password cannot contain the username or reverse username. For example, if your username is john, your password cannot be john or nhoj.

Password may not contain 'cisco' or its characters in reversed order

Check to specify that the password cannot contain the word cisco or its characters in reverse order, that is, ocsic.

Password may not contain [user-specified string] or its characters in reversed order

Check to specify that the password cannot contain the string that you enter in the adjacent field or its characters in reverse order. For example, if you specify the string polly, your password cannot be polly or yllop.

Password may not contain repeated characters four or more times consecutively

Check to specify that the password cannot repeat characters four or more times consecutively. For example, you cannot have the string apppple as your password. The letter p appears four times consecutively.

Password must contain at least one character of each of the selected types

Lowercase alphabetic characters

Password must contain at least one lowercase alphabetic character.

Upper case alphabetic characters

Password must contain at least one uppercase alphabetic character.

Numeric characters

Password must contain at least one numeric character.

Non alphanumeric characters

Password must contain at least one nonalphanumeric character.
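The rules in Table 16-6 map one-to-one onto string checks. The following validator is an added example, not Cisco code and not part of this guide; it implements each Password Complexity option as described above. The field names, the case-insensitive matching of the forbidden words, and the order in which failures are reported are choices made here, not behaviour the guide specifies.

```python
"""Validator modelling the ACS 5.2 administrator Password Complexity tab.

Added example, not Cisco code. Each option in Table 16-6 maps to one check.
The class and function names are assumptions; the rules are the guide's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ComplexityPolicy:
    min_length: int = 4                  # valid range in ACS is 4 to 20
    forbid_username: bool = True         # username or its reverse
    forbid_cisco: bool = True            # 'cisco' or 'ocsic'
    forbid_string: Optional[str] = None  # admin-supplied string or its reverse
    forbid_repeats: bool = True          # same character four or more times in a row
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def __post_init__(self) -> None:
        if not 4 <= self.min_length <= 20:
            raise ValueError("minimum length must be between 4 and 20")


def _contains_or_reversed(password: str, word: str) -> bool:
    """True if `word` or its reverse appears in the password.
    Case-insensitive matching is an assumption made here."""
    if not word:
        return False
    p, w = password.lower(), word.lower()
    return w in p or w[::-1] in p


def check_password(password: str, username: str, policy: ComplexityPolicy) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.forbid_username and _contains_or_reversed(password, username):
        failures.append("contains the username or its reverse")
    if policy.forbid_cisco and _contains_or_reversed(password, "cisco"):
        failures.append("contains 'cisco' or its reverse")
    if policy.forbid_string and _contains_or_reversed(password, policy.forbid_string):
        failures.append(f"contains '{policy.forbid_string}' or its reverse")
    # (.)\1{3,} matches any character followed by three more copies of itself
    if policy.forbid_repeats and re.search(r"(.)\1{3,}", password):
        failures.append("repeats a character four or more times consecutively")
    if policy.require_lower and not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        failures.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no non-alphanumeric character")
    return failures


if __name__ == "__main__":
    # Constructed inputs: the guide's own examples (john/nhoj, apppple, polly/yllop)
    default = ComplexityPolicy()
    print(check_password("apppple", "john", default))
    print(check_password("Nhoj!2345", "john", default))
    print(check_password("Yllop#1Ab", "john", ComplexityPolicy(forbid_string="polly")))
```

The checks are deliberately independent, so one call reports every violated rule rather than stopping at the first; that matches what an administrator needs when choosing a replacement password.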


Step 3 In the Advanced tab, enter the values for the criteria that you want to configure for your administrator authentication process.

Table 16-7 describes the fields in the Advanced tab.

Table 16-7 Advanced Tab

Options
Description
Password History

Password must be different from the previous n versions

Specifies the number of previous passwords for this administrator to be compared against. This option prevents the administrators from setting a password that was recently used. Valid options are 1 to 99.

Password Lifetime: Administrators are required to periodically change password

Display reminder after n days

Displays a reminder after n days to change password; the valid options are 1 to 365. This option, when set, only displays a reminder. It does not prompt you for a new password.

Require a password change after n days

Specifies that the password must be changed after n days; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days.

Disable administrator account after n days if password is not changed

Specifies that the administrator account must be disabled after n days if the password is not changed; the valid options are 1 to 365.

ACS does not allow you to configure this option without configuring the Display reminder after n days option.

Account Inactivity
Inactive accounts are disabled

Require a password change after n days of inactivity

Specifies that the password must be changed after n days of inactivity; the valid options are 1 to 365. This option, when set, ensures that you change the password after n days.

ACS does not allow you to configure this option without configuring the Display reminder after n days option.

Disable administrator account after n days of inactivity

Specifies that the administrator account must be disabled after n days of inactivity; the valid options are 1 to 365.

ACS does not allow you to configure this option without configuring the Display reminder after n days option.

Incorrect Password Attempts

Disable account after n successive failed attempts

Specifies the maximum number of login retries after which the account is disabled; the valid options are 1 to 10.



Note ACS automatically deactivates or disables your account based on your last login, last password change, or number of login retries. The CLI and PI user accounts are blocked and they receive a notification that they can change the password through the web interface. If your account is disabled, contact another administrator to enable your account.


Step 4 Click Submit.

The password policy is saved with the defined criteria. These criteria apply only to future logins.


Related Topics

Understanding Roles

Administrator Accounts and Role Association

Viewing Predefined Roles

Configuring Session Idle Timeout

A GUI session, by default, is assigned a timeout period of 30 minutes. You can configure a timeout period for anywhere from 5 to 90 minutes.

To configure the timeout period:


Step 1 Choose System Administration > Administrators > Settings > Session.

The GUI Session page appears.

Step 2 Enter the Session Idle Timeout value in minutes. Valid values are 5 to 90 minutes.

Step 3 Click Submit.



Note The CLI client interface has a default session timeout value of 6 hours. You cannot configure the session timeout period in the CLI client interface.


Configuring Administrator Access Settings

ACS 5.2 allows you to restrict administrative access to ACS based on the IP address of the remote client. You can filter IP addresses in any one of the following ways:

Allow All IP Addresses to Connect

Allow Remote Administration from a Select List of IP Addresses

Reject Remote Administration from a Select List of IP Addresses

Allow All IP Addresses to Connect

You can choose the Allow all IP addresses to connect option to allow all connections; this is the default option.

Allow Remote Administration from a Select List of IP Addresses

To allow administrators to access ACS remotely:


Step 1 Choose System Administration > Administrators > Settings > Access.

The IP Addresses Filtering page appears.

Step 2 Click the Allow only listed IP addresses to connect radio button.

The IP Range(s) area appears.

Step 3 Click Create in the IP Range(s) area.

A new window appears. Enter the IP address of the machine from which you want to allow remote access to ACS. Enter a subnet mask for an entire IP address range.

Step 4 Click OK.

The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges for which you want to provide remote access.

Step 5 Click Submit.


Reject Remote Administration from a Select List of IP Addresses

To reject administrators from accessing ACS remotely:


Step 1 Choose System Administration > Administrators > Settings > Access.

The IP Addresses Filtering page appears.

Step 2 Click the Reject connections from listed IP addresses radio button.

The IP Range(s) area appears.

Step 3 Click Create in the IP Range(s) area.

A new window appears.

Step 4 Enter the IP address of the machine that you do not want to access ACS remotely. Enter a subnet mask for an entire IP address range.

Step 5 Click OK.

The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or ranges that you want to reject.

Step 6 Click Submit.



Note It is possible to reject connections from all IP addresses, which locks every administrator out of the web interface. You cannot reset this condition through the ACS web interface. However, you can use the following command in ACS configuration mode of the CLI:

access-setting accept-all

Refer to the CLI Reference Guide for Cisco Secure Access Control System 5.2 for more information.
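The filter has three modes, and each IP Range(s) entry is an address plus a subnet mask. The model below is an added example, not Cisco code and not part of this guide. It reproduces that evaluation with Python's ipaddress module and adds a pre-submit check, which is an assumption and not an ACS feature, that reports which administrator client addresses a new setting would shut out, including the reject-everything condition described in the note above. The function and constant names are choices made here.

```python
"""Model of the ACS 5.2 IP Addresses Filtering page
(System Administration > Administrators > Settings > Access).

Added example, not Cisco code. The three modes are the guide's; the
function names and the pre-submit lockout check are assumptions.
"""
import ipaddress
from typing import Iterable, List

ALLOW_ALL = "allow-all"          # Allow all IP addresses to connect (default)
ALLOW_LISTED = "allow-listed"    # Allow only listed IP addresses to connect
REJECT_LISTED = "reject-listed"  # Reject connections from listed IP addresses


def to_network(ip: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Convert one IP Range(s) entry (address plus subnet mask) into a network.
    A host mask yields a single address; strict=False lets a host address stand
    in for its subnet, e.g. 10.1.2.3 / 255.255.255.0 -> 10.1.2.0/24."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def is_admin_access_allowed(mode: str, ranges: Iterable[ipaddress.IPv4Network], client: str) -> bool:
    """Decide whether a client address may reach the administrative web interface."""
    addr = ipaddress.IPv4Address(client)
    listed = any(addr in net for net in ranges)
    if mode == ALLOW_ALL:
        return True
    if mode == ALLOW_LISTED:
        return listed
    if mode == REJECT_LISTED:
        return not listed
    raise ValueError(f"unknown mode {mode!r}")


def rejects_everything(ranges: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when a Reject list covers every IPv4 address: the lockout the guide
    warns about, recoverable only from the CLI."""
    collapsed = list(ipaddress.collapse_addresses(ranges))
    return collapsed == [ipaddress.IPv4Network("0.0.0.0/0")]


def lockout_risk(mode: str, ranges: List[ipaddress.IPv4Network], admin_clients: Iterable[str]) -> List[str]:
    """Pre-submit check (an assumption, not an ACS feature): return the administrator
    client addresses that the proposed setting would shut out. Empty means safe."""
    return [c for c in admin_clients if not is_admin_access_allowed(mode, ranges, c)]


if __name__ == "__main__":
    # Constructed entries: one subnet, one single host
    ranges = [to_network("10.1.2.3", "255.255.255.0"), to_network("192.0.2.10")]
    print(is_admin_access_allowed(ALLOW_LISTED, ranges, "10.1.2.200"))
    print(lockout_risk(ALLOW_LISTED, ranges, ["10.1.2.50", "172.16.0.9"]))
    print(rejects_everything([to_network("0.0.0.0", "128.0.0.0"), to_network("128.0.0.0", "128.0.0.0")]))
```

Run lockout_risk with the address you are connecting from before you click Submit; if your own address appears in the result, the next page load is the lockout the note describes and recovery needs the CLI.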


Resetting the Administrator Password

While configuring administrator access settings, it is possible to lock out every administrator account, leaving no administrator able to reach the ACS web interface from any IP address in your enterprise. If this happens, you must clear the IP address restriction from ACS configuration mode of the CLI, because the web interface is no longer reachable. Use the following command to return the access setting to accepting all IP addresses:

access-setting accept-all

This command resets the IP address filter, not any password. To reset the password of the predefined ACSAdmin account from the CLI, use the acs reset-password command (see Changing Your Own Administrator Password). For more information on these commands, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/command/reference/cli_app_a.html#wp1697683.


Note You cannot clear this lockout or reset the ACSAdmin password through the ACS web interface; both operations require the CLI.


Changing the Administrator Password

ACS 5.2 introduces a new role, ChangeAdminPassword, that entitles an administrator to change another administrator's password. If an administrator's account is disabled, any other administrator who is assigned the ChangeAdminPassword role can reset the disabled account through the ACS web interface. This section contains the following topics:

Changing Your Own Administrator Password

Resetting Another Administrator's Password

Changing Your Own Administrator Password


Note All administrators can change their own passwords. You do not need any special roles to perform this operation.


To change your password:


Step 1 Choose My Workspace > My Account.

The My Account page appears. See My Account Page for valid values.

Step 2 In the Password field, enter the current administrator password.

Step 3 In the New Password field, enter a new administrator password.

Step 4 In the Confirm Password field, re-enter the new administration password.

Step 5 Click Submit.

The administrator password is changed.


You can also use the acs reset-password command to reset your ACSAdmin account password. For more information on this command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/command/reference/cli_app_a.html#wp1208469.

Resetting Another Administrator's Password

To reset another administrator's password:


Step 1 Choose System Administration > Administrators > Accounts.

The Accounts page appears with a list of administrator accounts.

Step 2 Check the check box next to the administrator account for which you want to change the password and click Change Password.

The Authentication Information page appears, listing the date when the administrator's password was last changed.

Step 3 In the Password field, enter a new administrator password.

Step 4 In the Confirm Password field, re-enter the new administrator password.

Step 5 Check the Change password on next login check box for the other administrator to change password at first login.

Step 6 Click Submit.

The administrator password is reset.


Related Topics

Configuring Authentication Settings for Administrators

Understanding Roles

Administrator Accounts and Role Association

Viewing Predefined Roles