User Guide for Cisco Security Manager 3.0.1
Performing Administrative Tasks

Table Of Contents

Performing Administrative Tasks

Define These Settings First

Setting Up User Permissions

Security Manager Permissions

View Permissions

Modify Permissions

Assign Permissions

Approve Permissions

Understanding CiscoWorks Roles

CiscoWorks Common Services Default Roles

Assigning Roles to Users in CiscoWorks Common Services

Understanding Cisco Secure ACS Roles

Cisco Secure ACS Default Roles

Customizing Cisco Secure ACS Roles

Default Associations Between Permissions and Roles in Security Manager

Integrating Security Manager with Cisco Secure ACS

ACS Integration Requirements

Checklist for Initial Cisco Secure ACS Setup

Integration Procedures Performed in Cisco Secure ACS

Defining Users and User Groups in Cisco Secure ACS

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Creating an Administration Control User in Cisco Secure ACS

Integration Procedures Performed in CiscoWorks

Creating a Local User in CiscoWorks

Defining the System Identity User

Configuring the AAA Setup Mode in CiscoWorks

Restarting the Daemon Manager

Assigning Roles to User Groups in Cisco Secure ACS

Assigning Roles to User Groups Without NDGs

Associating NDGs and Roles with User Groups

Selecting a Workflow Mode

Working in Workflow Mode

Working in Non-Workflow Mode

Comparing the Two Workflow Modes

Enabling and Disabling Workflow Modes

Working with AutoLink

Defining Configuration Archive Settings

Customizing Your Desktop

Defining Deployment Settings

Defining Device Communication Settings

Defining Connection and Transport Protocol Settings in the UI

Defining SSH by Editing the DCS Properties File

Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices

Working with Device Groups

Defining Discovery Settings

Installing License Files

Getting Help with Licensing

Archiving Log Files

Defining Policy Management Settings

Defining Policy Object Settings

Working with Server Security

Taking Over Another User's Work

Defining TMS (Token Management System) Settings


Performing Administrative Tasks


The following topics describe application settings and preferences:

Define These Settings First

Setting Up User Permissions

Integrating Security Manager with Cisco Secure ACS

Selecting a Workflow Mode

Working with AutoLink

Defining Configuration Archive Settings

Customizing Your Desktop

Defining Deployment Settings

Defining Device Communication Settings

Working with Device Groups

Defining Discovery Settings

Installing License Files

Archiving Log Files

Defining Policy Management Settings

Defining Policy Object Settings

Working with Server Security

Taking Over Another User's Work

Defining TMS (Token Management System) Settings

Define These Settings First

Use Security Manager to define many application-wide settings that customize your working environment for your needs. This section highlights settings that we recommend you define first to help your organization get up and running with the application. All application settings are located in the Security Administration page. To access application settings, select Tools > Security Administration.

We recommend you perform these actions first:

Verify you have completed all relevant steps in the Getting Started Checklist, page 1-13.

Create individual user IDs—Gives each user a distinct login, so that several people can manage devices at the same time without disrupting one another's work, and so that changes and job approvals are attributable to a named account. Go to Tools > Security Administration > Application Security and click Local User Setup. See Working with Server Security.

Select your default deployment method (device or file)—Enables you to set configurations to deploy directly to the device in your network, or to a file in a directory of your choosing. Go to Tools > Security Administration > Deployment. See Defining Deployment Settings.

Decide whether to allow deployment to device to proceed if there are minor errors on the device—Go to Tools > Security Administration > Deployment. See Defining Deployment Settings.

Decide how Security Manager will respond when out-of-band changes are made to devices—You can determine whether to issue a warning, cancel deployment, or ignore any out-of-band configuration changes. Go to Tools > Security Administration > Deployment. See Defining Deployment Settings.

Setting Up User Permissions

Cisco Security Manager authenticates your username and password before you can log in. After they are authenticated, Security Manager establishes your role within the application. This role defines your permissions (also called privileges), which are the set of tasks or operations that you are authorized to perform. If you are not authorized for certain tasks or devices, the related menu items, TOC items, and buttons are hidden or disabled. In addition, a message tells you that you do not have permission to view the selected information or perform the selected operation.

Authentication and authorization for Security Manager are managed either by the CiscoWorks server or by Cisco Secure Access Control Server (ACS). By default, CiscoWorks manages both authentication and authorization, but you can switch to Cisco Secure ACS on the AAA Mode Setup page in CiscoWorks Common Services.

The following topics describe user permissions:

Security Manager Permissions

Understanding CiscoWorks Roles

Understanding Cisco Secure ACS Roles

Default Associations Between Permissions and Roles in Security Manager

For more information about ACS integration, see Integrating Security Manager with Cisco Secure ACS.

Security Manager Permissions

Security Manager classifies permissions into the following categories:

View—Allows you to view the current settings. For more information, see View Permissions.

Modify—Allows you to change the current settings. For more information, see Modify Permissions.

Assign—Allows you to assign policies to devices and VPN topologies. For more information, see Assign Permissions.

Approve—Allows you to approve policy changes and deployment jobs. For more information, see Approve Permissions.

Import—Allows you to import the configurations that are already deployed on devices into Security Manager.

Deploy—Allows you to deploy configuration changes to the devices in your network.

Control—Allows you to issue commands to devices, such as ping.

Submit—Allows you to submit your configuration changes for approval.


Tip To view the complete Security Manager permissions tree, log in to Cisco Secure ACS, then click Shared Profile Components on the navigation bar. For more information, see Customizing Cisco Secure ACS Roles.



Note When you select modify, approve, assign, import, control, or deploy permissions, you must also select the corresponding View permissions; otherwise, Security Manager will not function properly.

When you permit a policy that uses policy objects as part of its definition, you must also grant View permissions to these object types. For example, if you select the permission for modifying routing policies, you must also select the permissions for viewing network objects and interface roles, which are the object types required by routing policies.

The same holds true when permitting an object that uses other objects as part of its definition. For example, if you select the permission for modifying user groups, you must also select the permissions for viewing network objects, ACL objects, and AAA server groups.


Related Topics

Customizing Cisco Secure ACS Roles

Setting Up User Permissions

View Permissions

View (read-only) permissions in Security Manager are divided into the following categories:

View Policies Permissions

View Objects Permissions

Additional View Permissions

Related Topics

Customizing Cisco Secure ACS Roles

Security Manager Permissions

View Policies Permissions

Security Manager includes the following view permissions for policies:

View > Policies > Firewall. Allows you to view firewall policies, such as access rules and inspection rules.

View > Policies > Remote Access VPN. Allows you to view remote access VPN policies.

View > Policies > Site-to-Site VPN. Allows you to view site-to-site VPN policies.

View > Policies > Device Administration. Allows you to view device administration policies, such as device access policies and interface definitions.

View > Policies > Security. Allows you to view security policies on firewall devices, such as anti-spoofing, fragment, and timeout policies.

View > Policies > Routing. Allows you to view routing policies.

View > Policies > Multicast. Allows you to view multicast policies on firewall devices, such as multicast routing and IGMP policies.

View > Policies > Logging. Allows you to view logging policies, such as logging setup, server setup, and syslog server policies.

View > Policies > NAT. Allows you to view network address translation policies, including static rules and dynamic rules.

View > Policies > Service Policy Rules. Allows you to view service policy rule policies on firewall devices.

View > Policies > Bridging. Allows you to view bridging policies on firewall devices, such as the ARP table policy.

View > Policies > User Preferences. Allows you to view user preference policies on firewall devices, such as the deployment policy.

View > Policies > FlexConfig. Allows you to view FlexConfigs, which are additional CLI commands and instructions that can be deployed to devices.

View > Policies > Identity. Allows you to view identity policies on Cisco IOS routers, including 802.1x and Network Admission Control policies.

View > Policies > QoS. Allows you to view quality of service policies on Cisco IOS routers.

View > Policies > Interfaces. Allows you to view the interfaces that are defined on devices.

Related Topics

View Permissions

View Objects Permissions

Security Manager includes the following view permissions for objects:

View > Objects > AAA Server Groups. Allows you to view AAA server group objects.

View > Objects > AAA Servers. Allows you to view AAA server objects.

View > Objects > Access Control Lists. Allows you to view standard and extended ACL objects.

View > Objects > ASA User Groups. Allows you to view ASA user group objects.

View > Objects > Categories. Allows you to view category objects.

View > Objects > DN Rules. Allows you to view the DN rules used by DN policies.

View > Objects > Extended ACEs. Allows you to view extended access control entries in an ACL. To select this permission, you must first select the Access Control Lists permission.

View > Objects > FlexConfigs. Allows you to view FlexConfig objects.

View > Objects > FTP Maps. Allows you to view FTP map objects.

View > Objects > GTP Maps. Allows you to view GTP map objects.

View > Objects > HTTP Maps. Allows you to view HTTP map objects.

View > Objects > IKE Proposals. Allows you to view IKE proposal objects.

View > Objects > Interface Roles. Allows you to view interface role objects.

View > Objects > IPSec Transform Sets. Allows you to view IPSec transform set objects.

View > Objects > Networks/Hosts. Allows you to view network/host objects.

View > Objects > PKI Enrollments. Allows you to view PKI enrollment objects.

View > Objects > Port Lists. Allows you to view port list objects.

View > Objects > Services/Service Groups. Allows you to view service and service group objects.

View > Objects > Standard ACEs. Allows you to view standard access control entries in an ACL. To select this permission, you must first select the Access Control Lists permission.

View > Objects > TCP Maps. Allows you to view TCP map objects.

View > Objects > Text Objects. Allows you to view free-form text objects.

View > Objects > Time Ranges. Allows you to view time range objects.

View > Objects > Traffic Flows. Allows you to view traffic flow objects.

View > Objects > User Groups. Allows you to view user group objects.

Related Topics

View Permissions

Additional View Permissions

Security Manager includes the following additional view permissions:

View > Config Archive. Allows you to view the list of configurations contained in the configuration archive. You cannot view the device configuration or any CLI commands.

View > Devices. Allows you to view devices in Device view and all related information, including their device settings, properties, assignments, and so on.

View > CLI. Allows you to view the CLI commands configured on a device and preview the commands that are about to be deployed.

View > Admin. Allows you to view Security Manager administrative settings.

View > Topology. Allows you to view maps configured in Map view.

Related Topics

View Permissions

Modify Permissions

Modify (read-write) permissions in Security Manager are divided into the following categories:

Modify Policies Permissions

Modify Objects Permissions

Additional Modify Permissions

Related Topics

Customizing Cisco Secure ACS Roles

Security Manager Permissions

Modify Policies Permissions

Security Manager includes the following modify permissions for policies:

Modify > Policies > Firewall. Allows you to modify firewall policies, such as access rules and inspection rules.

Modify > Policies > Remote Access VPN. Allows you to modify remote access VPN policies.

Modify > Policies > Site-to-Site VPN. Allows you to modify site-to-site VPN policies.

Modify > Policies > Device Administration. Allows you to modify device administration policies, such as device access policies and interface definitions.

Modify > Policies > Security. Allows you to modify security policies on firewall devices, such as anti-spoofing, fragment, and timeout policies.

Modify > Policies > Routing. Allows you to modify routing policies.

Modify > Policies > Multicast. Allows you to modify multicast policies on firewall devices, such as multicast routing and IGMP policies.

Modify > Policies > Logging. Allows you to modify logging policies, such as logging setup, server setup, and syslog server policies.

Modify > Policies > NAT. Allows you to modify network address translation policies, including static rules and dynamic rules.

Modify > Policies > Service Policy Rules. Allows you to modify service policy rule policies on firewall devices.

Modify > Policies > Bridging. Allows you to modify bridging policies on firewall devices, such as the ARP table policy.

Modify > Policies > User Preferences. Allows you to modify user preference policies on firewall devices, such as the deployment policy.

Modify > Policies > FlexConfig. Allows you to modify FlexConfigs, which are additional CLI commands and instructions that can be deployed to devices.

Modify > Policies > Identity. Allows you to modify identity policies on Cisco IOS routers, including 802.1x and Network Admission Control policies.

Modify > Policies > QoS. Allows you to modify quality of service policies on Cisco IOS routers.

Modify > Policies > Interfaces. Allows you to modify the interfaces that are defined on devices.

Related Topics

Modify Permissions

Modify Objects Permissions

Security Manager includes the following modify permissions for objects:

Modify > Objects > AAA Server Groups. Allows you to modify AAA server group objects.

Modify > Objects > AAA Servers. Allows you to modify AAA server objects.

Modify > Objects > Access Control Lists. Allows you to modify standard and extended ACL objects.

Modify > Objects > ASA User Groups. Allows you to modify ASA user group objects.

Modify > Objects > Categories. Allows you to modify category objects.

Modify > Objects > DN Rules. Allows you to modify the DN rules used by DN policies.

Modify > Objects > Extended ACEs. Allows you to modify extended access control entries in an ACL. To select this permission, you must first select the Access Control Lists permission.

Modify > Objects > FlexConfigs. Allows you to modify FlexConfig objects.

Modify > Objects > FTP Maps. Allows you to modify FTP map objects.

Modify > Objects > GTP Maps. Allows you to modify GTP map objects.

Modify > Objects > HTTP Maps. Allows you to modify HTTP map objects.

Modify > Objects > IKE Proposals. Allows you to modify IKE proposal objects.

Modify > Objects > Interface Roles. Allows you to modify interface role objects.

Modify > Objects > IPSec Transform Sets. Allows you to modify IPSec transform set objects.

Modify > Objects > Networks/Hosts. Allows you to modify network/host objects.

Modify > Objects > PKI Enrollments. Allows you to modify PKI enrollment objects.

Modify > Objects > Port Lists. Allows you to modify port list objects.

Modify > Objects > Services/Service Groups. Allows you to modify service and service group objects.

Modify > Objects > Standard ACEs. Allows you to modify standard access control entries in an ACL. To select this permission, you must first select the Access Control Lists permission.

Modify > Objects > TCP Maps. Allows you to modify TCP map objects.

Modify > Objects > Text Objects. Allows you to modify free-form text objects.

Modify > Objects > Time Ranges. Allows you to modify time range objects.

Modify > Objects > Traffic Flows. Allows you to modify traffic flow objects.

Modify > Objects > User Groups. Allows you to modify user group objects.

Related Topics

Modify Permissions

Additional Modify Permissions

Security Manager includes the following additional modify permissions:

Modify > Config Archive. Allows you to modify the device configuration in the Configuration Archive. In addition, it allows you to add configurations to the archive, roll back to previously deployed configurations, and customize the Configuration Archive tool.

Modify > Devices. Allows you to add and delete devices, as well as modify device properties and attributes. To discover the policies on the device being added, you must also enable the Import permission. In addition, if you enable the Modify > Devices permission, make sure that you also enable the Assign > Policies > Interfaces permission.

Modify > Admin. Allows you to modify Security Manager administrative settings.

Modify > Topology. Allows you to modify maps in Map view.

Modify > Hierarchy. Allows you to modify device groups.

Related Topics

Modify Permissions

Assign Permissions

Security Manager provides the following policy assignment permissions:

Assign > Policies > Firewall. Allows you to assign firewall policies, such as access rules and inspection rules.

Assign > Policies > Remote Access VPN. Allows you to assign remote access VPN policies.

Assign > Policies > Site-to-Site VPN. Allows you to assign site-to-site VPN policies.

Assign > Policies > Device Administration. Allows you to assign device administration policies, such as device access policies and interface definitions.

Assign > Policies > Security. Allows you to assign security policies on firewall devices, such as anti-spoofing, fragment, and timeout policies.

Assign > Policies > Routing. Allows you to assign routing policies.

Assign > Policies > Multicast. Allows you to assign multicast policies on firewall devices, such as multicast routing and IGMP policies.

Assign > Policies > Logging. Allows you to assign logging policies, such as logging setup, server setup, and syslog server policies.

Assign > Policies > NAT. Allows you to assign network address translation policies, including static rules and dynamic rules.

Assign > Policies > Service Policy Rules. Allows you to assign service policy rule policies on firewall devices.

Assign > Policies > Bridging. Allows you to assign bridging policies on firewall devices, such as the ARP table policy.

Assign > Policies > User Preferences. Allows you to assign user preference policies on firewall devices, such as the deployment policy.

Assign > Policies > FlexConfig. Allows you to assign FlexConfigs, which are additional CLI commands and instructions that can be deployed to devices.

Assign > Policies > Identity. Allows you to assign identity policies on Cisco IOS routers, including 802.1x and Network Admission Control policies.

Assign > Policies > QoS. Allows you to assign quality of service policies on Cisco IOS routers.

Assign > Policies > Interfaces. This permission is required in order to configure device interfaces. It is also required for adding devices to Security Manager.

Related Topics

Customizing Cisco Secure ACS Roles

Security Manager Permissions

Approve Permissions

Security Manager provides the following approve permissions:

Approve > Policy. Allows you to approve the configuration changes contained in the policies that were configured in an activity in Workflow mode.

Approve > CLI. Allows you to approve the CLI command changes contained in a deployment job.

Related Topics

Customizing Cisco Secure ACS Roles

Security Manager Permissions

Understanding CiscoWorks Roles

When users are created in CiscoWorks Common Services, they are assigned one or more roles. The permissions associated with each role determine the operations that each user is authorized to perform in Security Manager.

The following topics describe CiscoWorks roles:

CiscoWorks Common Services Default Roles

Assigning Roles to Users in CiscoWorks Common Services

Related Topics

Understanding Cisco Secure ACS Roles

Setting Up User Permissions

CiscoWorks Common Services Default Roles

CiscoWorks Common Services contains the following default roles:

Help Desk—Help desk users can view (but not modify) devices, policies, objects, and topology maps.

Network Operator—In addition to view permissions, network operators can view CLI commands and Security Manager administrative settings. Network operators can also modify the configuration archive and issue commands (such as ping) to devices.

Approver—In addition to view permissions, approvers can approve or reject deployment jobs. They cannot perform deployment.

Network Administrator—Network administrators have complete view and modify permissions, except for modifying administrative settings. They can discover devices and the policies configured on these devices, assign policies to devices, and issue commands to devices. Network administrators cannot approve activities or deployment jobs; however, they can deploy jobs that were approved by others.


Note Cisco Secure ACS features a default role called Network Administrator that contains a different set of permissions. For more information, see Understanding Cisco Secure ACS Roles.


System Administrator—System administrators have complete access to all Security Manager permissions, including modification, policy assignment, activity and job approval, discovery, deployment, and issuing commands to devices.

See Default Associations Between Permissions and Roles in Security Manager for details about which Security Manager permissions are associated with each CiscoWorks role.

Although you cannot change the definition of CiscoWorks roles, you can define which roles are assigned to each user. For more information, see Assigning Roles to Users in CiscoWorks Common Services.

Related Topics

Understanding CiscoWorks Roles

Assigning Roles to Users in CiscoWorks Common Services

CiscoWorks Common Services enables you to define which roles are assigned to each user. By changing the roles assigned to a user, you change the types of operations this user is authorized to perform in Security Manager. For example, if you assign the Help Desk role, the user is limited to view operations and cannot modify any data. If you assign the Network Operator role instead, the user can also modify the configuration archive. You can assign multiple roles to each user; the user receives the union of their permissions.

Procedure


Step 1 In Common Services, select Server > Security, then select Single-Server Trust Management > Local User Setup from the TOC.

Step 2 Select the check box next to an existing user, then click Edit.

Step 3 On the User Information page, select the roles to assign to this user by clicking the check boxes.


Note For more information about each role, see CiscoWorks Common Services Default Roles.


Step 4 Click OK to save your changes.


Related Topics

Security Manager Permissions

Default Associations Between Permissions and Roles in Security Manager

Understanding CiscoWorks Roles

Understanding Cisco Secure ACS Roles

Cisco Secure ACS provides greater flexibility for managing Security Manager permissions than does CiscoWorks because it supports application-specific roles that you can configure. Each role is made up of a set of permissions that determine the level of authorization to Security Manager tasks. In Cisco Secure ACS, you assign a role to each user group (and optionally, to individual users as well), which enables each user in that group to perform the operations authorized by the permissions defined for that role.

In addition, you can assign these roles to Cisco Secure ACS device groups, allowing permissions to be differentiated on different sets of devices.


Note Cisco Secure ACS device groups are independent of Security Manager device groups.


The following topics describe Cisco Secure ACS roles:

Cisco Secure ACS Default Roles

Customizing Cisco Secure ACS Roles

Related Topics

Understanding CiscoWorks Roles

Cisco Secure ACS Default Roles

Cisco Secure ACS includes the same roles as CiscoWorks (see Understanding CiscoWorks Roles), plus the Security Approver and Security Administrator roles. Its Network Administrator role also differs from the CiscoWorks role of the same name:

Security Approver—Security approvers can view (but not modify) devices, policies, objects, maps, CLI commands, and administrative settings. In addition, security approvers can approve or reject the configuration changes contained in an activity. They cannot approve or reject the deployment job, nor can they perform deployment.

Security Administrator—In addition to having view permissions, security administrators can modify devices, device groups, policies, objects, and topology maps. They can also assign policies to devices and VPN topologies, and perform discovery to import new devices into the system.

Network Administrator—In addition to view permissions, network administrators can modify the configuration archive, perform deployment, and issue commands to devices.


Note The permissions contained in the Cisco Secure ACS network administrator role are different from those contained in the CiscoWorks network administrator role. For more information, see Understanding CiscoWorks Roles.


Unlike CiscoWorks, Cisco Secure ACS enables you to customize the permissions associated with each Security Manager role. For more information about modifying the default roles, see Customizing Cisco Secure ACS Roles.

See Default Associations Between Permissions and Roles in Security Manager for details about which Security Manager permissions are associated with each Cisco Secure ACS role.


Note Cisco Secure ACS 3.3 or later must be installed for Security Manager authorization.


Related Topics

Integrating Security Manager with Cisco Secure ACS

Default Associations Between Permissions and Roles in Security Manager

Setting Up User Permissions

Customizing Cisco Secure ACS Roles

Cisco Secure ACS enables you to modify the permissions associated with each Security Manager role. You can also customize Cisco Secure ACS by creating specialized user roles with permissions that are targeted to particular Security Manager tasks.

Procedure


Step 1 In Cisco Secure ACS, click Shared Profile Components on the navigation bar.

Step 2 Click Cisco Security Manager on the Shared Components page. The roles that are configured for Security Manager are displayed.

Step 3 Do one of the following:

To modify an existing role, click the role.

To create a role, click Add.

Step 4 (When creating a role) Enter a name for the role and, optionally, a description.

Step 5 Select and deselect the check boxes in the permissions tree to define the permissions for this role.

Selecting the check box for a branch of the tree selects all the permissions located in that branch. For example, selecting Assign selects all the assign permissions.

For a complete list of Security Manager permissions, see Security Manager Permissions.


Note When you select modify, approve, assign, import, control, or deploy permissions, you must also select the corresponding view permissions; otherwise, Security Manager will not function properly.


Step 6 Click Submit to save your changes.
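The View-dependency rules in the note above and in Security Manager Permissions (modify, assign, approve, import, control, or deploy a thing only together with viewing it; a policy or object that uses other object types also needs View on those types; ACE leaves need the Access Control Lists leaf; Modify > Devices needs Import and Assign > Policies > Interfaces) are easy to miss when a custom role is built one check box at a time. The following Python, added here as an example and not part of Cisco's software or of this guide, expands branch selections the way the ACS permissions tree does in Step 5 and lists the prerequisites a role is still missing. The permission names are transcribed from this page; the generic "Modify or Assign X requires View X" mapping is the editor's reading of "corresponding View permissions", and the roles checked at the bottom are constructed for illustration, not Cisco defaults.

```python
from __future__ import annotations

# Leaf permission names transcribed from the "Security Manager Permissions" topics.
POLICY_TYPES = [
    "Firewall", "Remote Access VPN", "Site-to-Site VPN", "Device Administration",
    "Security", "Routing", "Multicast", "Logging", "NAT", "Service Policy Rules",
    "Bridging", "User Preferences", "FlexConfig", "Identity", "QoS", "Interfaces"]
OBJECT_TYPES = [
    "AAA Server Groups", "AAA Servers", "Access Control Lists", "ASA User Groups",
    "Categories", "DN Rules", "Extended ACEs", "FlexConfigs", "FTP Maps", "GTP Maps",
    "HTTP Maps", "IKE Proposals", "Interface Roles", "IPSec Transform Sets",
    "Networks/Hosts", "PKI Enrollments", "Port Lists", "Services/Service Groups",
    "Standard ACEs", "TCP Maps", "Text Objects", "Time Ranges", "Traffic Flows",
    "User Groups"]
OTHER = {"View": ["Config Archive", "Devices", "CLI", "Admin", "Topology"],
         "Modify": ["Config Archive", "Devices", "Admin", "Topology", "Hierarchy"],
         "Approve": ["Policy", "CLI"]}
STANDALONE = ["Import", "Deploy", "Control", "Submit"]


def build_tree() -> frozenset[str]:
    leaves = {f"{c} > Policies > {p}" for c in ("View", "Modify", "Assign") for p in POLICY_TYPES}
    leaves |= {f"{c} > Objects > {o}" for c in ("View", "Modify") for o in OBJECT_TYPES}
    leaves |= {f"{c} > {i}" for c, items in OTHER.items() for i in items}
    return frozenset(leaves | set(STANDALONE))


PERMISSIONS = build_tree()

# Prerequisites stated explicitly on this page.
EXPLICIT_DEPS: dict[str, set[str]] = {
    "Modify > Policies > Routing": {"View > Objects > Networks/Hosts",
                                    "View > Objects > Interface Roles"},
    "Modify > Objects > User Groups": {"View > Objects > Networks/Hosts",
                                       "View > Objects > Access Control Lists",
                                       "View > Objects > AAA Server Groups"},
    "Modify > Devices": {"Import", "Assign > Policies > Interfaces"},
    "Approve > CLI": {"View > CLI"},
}
for _cat in ("View", "Modify"):  # ACE leaves require the Access Control Lists leaf first
    for _ace in ("Extended ACEs", "Standard ACEs"):
        EXPLICIT_DEPS.setdefault(f"{_cat} > Objects > {_ace}", set()).add(
            f"{_cat} > Objects > Access Control Lists")


def dependencies(perm: str) -> set[str]:
    """Explicit prerequisites plus the generic rule (editor's reading of the note):
    a Modify or Assign leaf requires the View leaf at the same path."""
    deps = set(EXPLICIT_DEPS.get(perm, ()))
    head, sep, rest = perm.partition(" > ")
    if sep and head in ("Modify", "Assign") and f"View > {rest}" in PERMISSIONS:
        deps.add(f"View > {rest}")
    return deps


def expand_branch(selected: set[str]) -> set[str]:
    """Selecting a branch ("Assign", "Modify > Objects") selects every leaf under it."""
    leaves: set[str] = set()
    for name in selected:
        under = {p for p in PERMISSIONS if p == name or p.startswith(name + " > ")}
        if not under:
            raise ValueError(f"unknown permission: {name}")
        leaves |= under
    return leaves


def required_closure(selected: set[str]) -> set[str]:
    """Transitive closure of the selection under the dependency rules."""
    closure, todo = set(selected), list(selected)
    while todo:
        for dep in dependencies(todo.pop()):
            if dep not in closure:
                closure.add(dep)
                todo.append(dep)
    return closure


def missing_permissions(selected: set[str]) -> set[str]:
    """Leaves the role must also include for Security Manager to function."""
    return required_closure(selected) - set(selected)


def check_role(name: str, selected: set[str]) -> list[str]:
    """Expand the role as the ACS tree would and report what is missing, sorted."""
    missing = sorted(missing_permissions(expand_branch(selected)))
    status = "OK" if not missing else f"missing {len(missing)} permission(s)"
    print(f"{name}: {status}")
    for m in missing:
        print("  +", m)
    return missing


if __name__ == "__main__":
    # Constructed roles, not Cisco defaults: a policy editor built without any View branch,
    # then the same role with the View branches the checker asks for.
    check_role("policy-editor", {"Modify > Policies", "Assign > Policies", "Submit"})
    check_role("policy-editor-fixed", {"View > Policies", "View > Objects",
                                       "Modify > Policies", "Assign > Policies", "Submit"})
```

Run the checker against a role before clicking Submit in ACS; a non-empty result is exactly the set of check boxes still to tick. Because ACS lets you select a whole branch, the cheapest fix is usually to add the View > Policies or View > Objects branch rather than individual leaves, which is what the second sample role does.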


Related Topics

Security Manager Permissions

Default Associations Between Permissions and Roles in Security Manager

Understanding Cisco Secure ACS Roles

Default Associations Between Permissions and Roles in Security Manager

Table 1-1 shows how Security Manager permissions are associated with CiscoWorks Common Services roles and the default roles in Cisco Secure ACS.

Table 1-1 Default Permission to Role Associations in Security Manager

Roles marked (ACS) exist only when Cisco Secure ACS provides authorization. Network Admin. (CW) is the CiscoWorks Common Services Network Administrator role; Network Admin. (ACS) is the Cisco Secure ACS role of the same name.

| Permission | System Admin. | Security Admin. (ACS) | Security Approver (ACS) | Network Admin. (CW) | Network Admin. (ACS) | Approver | Network Operator | Help Desk |
|---|---|---|---|---|---|---|---|---|
| View Permissions | | | | | | | | |
| View Device | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| View Policy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| View Objects | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| View Topology | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| View CLI | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| View Admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| View Config Archive | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Modify Permissions | | | | | | | | |
| Modify Device | Yes | Yes | No | Yes | No | No | No | No |
| Modify Hierarchy | Yes | Yes | No | Yes | No | No | No | No |
| Modify Policy | Yes | Yes | No | Yes | No | No | No | No |
| Modify Objects | Yes | Yes | No | Yes | No | No | No | No |
| Modify Topology | Yes | Yes | No | Yes | No | No | No | No |
| Modify Admin | Yes | No | No | No | No | No | No | No |
| Modify Config Archive | Yes | Yes | No | Yes | Yes | No | Yes | No |
| Additional Permissions | | | | | | | | |
| Assign Policy | Yes | Yes | No | Yes | No | No | No | No |
| Approve Policy | Yes | No | Yes | No | No | No | No | No |
| Approve CLI | Yes | No | No | No | No | Yes | No | No |
| Discover (Import) | Yes | Yes | No | Yes | No | No | No | No |
| Deploy | Yes | No | No | Yes | Yes | No | No | No |
| Control | Yes | No | No | Yes | Yes | No | Yes | No |
| Submit | Yes | Yes | No | Yes | No | No | No | No |

Related Topics

Security Manager Permissions

Setting Up User Permissions

Integrating Security Manager with Cisco Secure ACS

This section describes how to integrate your Cisco Secure ACS with Cisco Security Manager.

Cisco Secure ACS provides command authorization for users who are using management applications, such as Security Manager, to configure managed network devices. Support for command authorization is provided by unique command authorization set types (called roles in Security Manager) that contain a set of permissions. These permissions (also called privileges) determine the actions that users with particular roles can perform within Security Manager.

Cisco Secure ACS uses TACACS+ to communicate with management applications. For Security Manager to communicate with Cisco Secure ACS, you must configure the CiscoWorks server in Cisco Secure ACS as a AAA client that uses TACACS+. In addition, you must provide the CiscoWorks server with the administrator name and password that you use to log in to the Cisco Secure ACS. Fulfilling these requirements ensures the validity of communications between Security Manager and Cisco Secure ACS.


Note For an understanding of TACACS+ security advantages, see User Guide for Cisco Secure ACS.


When Security Manager first communicates with Cisco Secure ACS, it instructs ACS to create the default Security Manager roles, which then appear in the Shared Profile Components section of the Cisco Secure ACS HTML interface. It also registers a custom service to be authorized through TACACS+; this service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the HTML interface. You can then modify the permissions included in each Security Manager role and apply these roles to users and user groups.
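The exchange the preceding paragraphs describe is a TACACS+ authorization request from the management application (the AAA client) to the AAA server, and a reply carrying the attributes the server grants for the custom service. The following Python, added here as an example and not Cisco's code or part of this guide, implements that exchange end to end with the RFC 8907 packet header and body obfuscation so that the role of the shared key is visible. The service name "hypothetical-mgmt-app", the "hypothetical-role" attribute, the key, the user-to-role map, and the client port and address are all constructed for the example; the page does not give the service or attribute names Security Manager actually registers in ACS, and the real ones should be read from the TACACS+ (Cisco IOS) page mentioned above.

```python
from __future__ import annotations
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02        # TAC_PLUS_AUTHOR
STATUS_PASS_ADD = 0x01    # TAC_PLUS_AUTHOR_STATUS_PASS_ADD
STATUS_FAIL = 0x10        # TAC_PLUS_AUTHOR_STATUS_FAIL
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length
KEY = b"shared-tacacs-secret"       # constructed: the AAA-client key configured in ACS
SERVICE = "hypothetical-mgmt-app"   # assumption, not the service Security Manager registers
USER_ROLES = {"alice": "Network Operator"}   # constructed server-side mapping


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1); the body is XORed with the chain."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    header = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))  # flags 0: obfuscated
    return header + xor_body(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> tuple[int, int, int, bytes]:
    """Returns (type, seq_no, session_id, clear body). A wrong key yields garbage, not an error."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    if version != VERSION or len(packet) != HEADER.size + length:
        raise ValueError("malformed TACACS+ packet")
    return ptype, seq_no, session_id, xor_body(packet[HEADER.size:], session_id, key, seq_no)


def _take(body: bytes, off: int, lens: list[int]) -> tuple[list[bytes], int]:
    out = []
    for n in lens:
        out.append(body[off:off + n])
        off += n
    return out, off


def encode_author_request(user: str, port: str, rem_addr: str, args: list[str]) -> bytes:
    fields = [user.encode(), port.encode(), rem_addr.encode()]
    av = [a.encode() for a in args]
    # authen_method=TACACS+ (0x06), priv_lvl=1, authen_type=ASCII (0x01), authen_service=LOGIN (0x01)
    fixed = struct.pack("!8B", 0x06, 0x01, 0x01, 0x01, *(len(f) for f in fields), len(av))
    return fixed + bytes(len(a) for a in av) + b"".join(fields) + b"".join(av)


def decode_author_request(body: bytes) -> tuple[str, list[str]]:
    ulen, plen, rlen, argc = struct.unpack_from("!4B", body, 4)
    arglens = list(body[8:8 + argc])
    (user, _port, _rem), off = _take(body, 8 + argc, [ulen, plen, rlen])
    av, _ = _take(body, off, arglens)
    return user.decode(), [a.decode() for a in av]


def encode_author_reply(status: int, server_msg: str, args: list[str]) -> bytes:
    msg, av = server_msg.encode(), [a.encode() for a in args]
    fixed = struct.pack("!BBHH", status, len(av), len(msg), 0)   # data_len = 0
    return fixed + bytes(len(a) for a in av) + msg + b"".join(av)


def decode_author_reply(body: bytes) -> tuple[int, str, list[str]]:
    status, argc, mlen, dlen = struct.unpack_from("!BBHH", body)
    arglens = list(body[6:6 + argc])
    (msg, _data), off = _take(body, 6 + argc, [mlen, dlen])
    av, _ = _take(body, off, arglens)
    return status, msg.decode(), [a.decode() for a in av]


def server_handle(packet: bytes, key: bytes) -> bytes:
    """AAA-server side: look the user up for the service, answer PASS_ADD with a role or FAIL."""
    ptype, seq_no, session_id, body = parse_packet(packet, key)
    if ptype != TYPE_AUTHOR:
        raise ValueError("expected an authorization request")
    user, args = decode_author_request(body)
    role = USER_ROLES.get(user) if f"service={SERVICE}" in args else None
    reply = (encode_author_reply(STATUS_PASS_ADD, "", [f"hypothetical-role={role}"]) if role
             else encode_author_reply(STATUS_FAIL, "not authorized", []))
    return build_packet(TYPE_AUTHOR, seq_no + 1, session_id, key, reply)


def authorize(user: str, key: bytes = KEY, session_id: int = 0x1234ABCD) -> tuple[int, list[str]]:
    """Management-application side: one AUTHOR REQUEST / REPLY exchange on a session."""
    request = encode_author_request(user, "mgmt-console", "192.0.2.10", [f"service={SERVICE}"])
    reply_packet = server_handle(build_packet(TYPE_AUTHOR, 1, session_id, key, request), key)
    _, _, _, body = parse_packet(reply_packet, key)
    status, _msg, args = decode_author_reply(body)
    return status, args


if __name__ == "__main__":
    print(authorize("alice"))    # (1, ['hypothetical-role=Network Operator'])
    print(authorize("mallory"))  # (16, [])
```

Two practical points follow from the code. First, the key configured for the CiscoWorks server's AAA-client entry in ACS must match byte for byte on both sides; a mismatch does not produce an authentication error but a body that decodes to garbage, which is why a wrong key typically shows up as malformed-packet or unknown-user symptoms rather than a clear message. Second, RFC 8907 describes the MD5 pad as obfuscation, not encryption, so the key does not make the link confidential against a capable observer; keep the TACACS+ path between Security Manager and ACS on a restricted management network.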

Related Topics

ACS Integration Requirements

Checklist for Initial Cisco Secure ACS Setup

ACS Integration Requirements

To use Cisco Secure ACS, make sure that:

You defined roles that include the commands required to perform necessary functions in Security Manager.

The Network Access Restriction (NAR) includes the device group (or the devices) that you want to administer, if you apply a NAR to the profile.

Managed device names are spelled and capitalized identically in Cisco Secure ACS and in Security Manager.


Note Even when Cisco Secure ACS authentication is used, CiscoWorks Common Services software uses local authorization for CiscoWorks Common Services-specific utilities, such as Compact Database and Database Checkpoint. To use these utilities, you must be defined locally and be assigned the appropriate permissions.


Related Topics

Checklist for Initial Cisco Secure ACS Setup

Integrating Security Manager with Cisco Secure ACS

Checklist for Initial Cisco Secure ACS Setup

This checklist describes the steps required to integrate Security Manager with Cisco Secure ACS. Each step might contain several substeps; steps and substeps should be performed in order. The checklist contains references to specific procedures used to perform each step.

Integration Task

Step 1 

Plan your administrative authentication and authorization model.

You should decide on your administrative model before using Security Manager. This includes defining the administrative roles and accounts that you plan to use.

Tip When defining the roles and permissions of potential administrators, you should also consider whether or not to enable Workflow. This selection affects how you can restrict access.

For more information, see:

Understanding Cisco Secure ACS Roles

Selecting a Workflow Mode

User Guide for Cisco Secure ACS for Windows Server

Step 2 

Install Cisco Secure ACS, Cisco Security Manager, and CiscoWorks Common Services.

Install Cisco Secure ACS version 3.3 or later on a Windows 2000/2003 server. Install CiscoWorks Common Services and Cisco Security Manager on a different Windows 2000/Windows 2003 server.

For more information, see:

Installation Guide for Cisco Security Manager 3.0.1

Installation Guide for Cisco Secure ACS for Windows Server

Step 3 

Perform integration procedures in Cisco Secure ACS.

Define Security Manager users as ACS users and assign them to user groups based on their planned role, add all your managed devices (as well as the CiscoWorks/Security Manager server) as AAA clients, and create an administration control user.

For more information, see Integration Procedures Performed in Cisco Secure ACS.

Step 4 

Perform integration procedures in CiscoWorks Common Services.

Configure a local user that matches the administrator defined in Cisco Secure ACS, define that same user for the system identity setup, and configure ACS as the AAA setup mode.

For more information, see Integration Procedures Performed in CiscoWorks.

Step 5 

Assign Roles to User Groups in Cisco Secure ACS.

Assign roles to each user group configured in Cisco Secure ACS. The procedure you should use depends on whether you have configured network device groups (NDGs).

For more information, see Assigning Roles to User Groups in Cisco Secure ACS.

Related Topics

ACS Integration Requirements

Integrating Security Manager with Cisco Secure ACS

Integration Procedures Performed in Cisco Secure ACS

The following topics describe the procedures to perform in Cisco Secure ACS in order when integrating it with Cisco Security Manager:

Defining Users and User Groups in Cisco Secure ACS

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Creating an Administration Control User in Cisco Secure ACS

For more information about the procedures described in these sections, see User Guide for Cisco Secure ACS for Windows Server.

Related Topics

ACS Integration Requirements

Integration Procedures Performed in CiscoWorks

Integrating Security Manager with Cisco Secure ACS

Defining Users and User Groups in Cisco Secure ACS

All users of Security Manager must be defined in Cisco Secure ACS and assigned a role appropriate to their job function. The easiest way to do this is to divide the users into different groups based on each default role available in ACS, for example, assigning all the system administrators to one group, all the network operators to another group, and so on. For more information about the default roles in ACS, see Cisco Secure ACS Default Roles.

In addition, you must create an additional user that is assigned the system administrator role with full permissions. The credentials established for this user are later used on the System Identity Setup page in CiscoWorks. See Defining the System Identity User.

Please note that at this stage you are merely assigning users to different groups. The actual assignment of roles to these groups is performed later, after CiscoWorks, Security Manager, and any other applications have been registered to Cisco Secure ACS.

Before You Begin

Install CiscoWorks Common Services and Cisco Security Manager on one Windows 2000/2003 server. Install Cisco Secure ACS on a different Windows 2000/2003 server.

Procedure


Step 1 Log in to Cisco Secure ACS.

Step 2 Configure a user with full permissions:

a. Click User Setup on the navigation bar.

b. On the User Setup page, enter a name for the new user, then click Add/Edit.

c. Select an authentication method from the Password Authentication list under User Setup.

d. Enter and confirm the password for the new user.

e. Select Group 1 as the group to which the user should be assigned.

f. Click Submit to create the user account.


Note For more information about the options available when configuring users and user groups, see User Guide for Cisco Secure ACS.


Step 3 Repeat step 2 for each Security Manager user. We recommend dividing the users into groups based on the role each user will be assigned:

Group 1—System Administrators

Group 2—Security Administrators

Group 3—Security Approvers

Group 4—Network Administrators

Group 5—Approvers

Group 6—Network Operators

Group 7—Help Desk

For more information about the default permissions associated with each role, see Table 1-1. For more information about customizing user roles, see Customizing Cisco Secure ACS Roles.


Note At this stage, the groups themselves are collections of users without any role definitions. You will assign roles to each group after completing the integration process. See Assigning Roles to User Groups in Cisco Secure ACS.


Step 4 Create an additional user and assign this user to the system administrators group. The credentials established for this user are later used on the System Identity Setup page in CiscoWorks. See Defining the System Identity User.

Step 5 Continue with Adding Managed Devices as AAA Clients in Cisco Secure ACS.


Related Topics

Integration Procedures Performed in Cisco Secure ACS

Checklist for Initial Cisco Secure ACS Setup

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Before you can begin importing devices into Security Manager, you must first configure each device as a AAA client in your Cisco Secure ACS. In addition, you must configure the CiscoWorks/Security Manager server as a AAA client.

If Security Manager is managing security contexts configured on firewall devices (including security contexts configured on FWSMs for Catalyst 6500/7600 devices), each context must be added individually to Cisco Secure ACS.

The method for adding managed devices depends on whether you want to restrict users to managing a particular set of devices by creating network device groups (NDGs). Proceed as follows:

If you want users to have access to all devices, add the devices as described in Adding Devices as AAA Clients Without NDGs.

If you want users to have access only to certain NDGs, add the devices as described in Configuring Network Device Groups for Use in Security Manager.

Adding Devices as AAA Clients Without NDGs

This procedure describes how to add devices as AAA clients of a Cisco Secure ACS. For complete information about all available options, see User Guide for Cisco Secure ACS.


Note Remember to add the CiscoWorks/Security Manager server as a AAA client.


Procedure


Step 1 Click Network Configuration on the Cisco Secure ACS navigation bar.

Step 2 Click Add Entry beneath the AAA Clients table.

Step 3 Enter the AAA client hostname (up to 32 characters) on the Add AAA Client page. The hostname of the AAA client must match the display name you plan to use for the device in Security Manager.

For example, if you intend to append a domain name to the device name in Security Manager, the AAA client hostname in ACS must be <device_name>.<domain_name>.

When naming the CiscoWorks server, we recommend using the fully-qualified hostname. Be sure to spell the hostname correctly. (The hostname is not case sensitive.)

When naming a security context, append the context name (_<context_name>) to the device name. For FWSMs, the naming convention is as follows:

FWSM blade—<chassis_name>_FW_<slot_number>

Security context—<chassis_name>_FW_<slot_number>_<context_name>

Step 4 Enter the IP address of the network device in the AAA Client IP Address field.

Step 5 Enter the shared secret in the Key field.

Step 6 Select TACACS+ (Cisco IOS) from the Authenticate Using list.

Step 7 Click Submit to save your changes. The device you added is displayed in the AAA Clients table.

Step 8 Repeat steps 1 through 7 to add additional devices.

Step 9 When you have finished adding devices, click Submit + Restart.

Step 10 Continue with Creating an Administration Control User in Cisco Secure ACS.
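The naming rules in the procedure above are the usual source of ACS integration failures: a device whose AAA client hostname in ACS does not match its Security Manager display name is simply not authorized. The following pre-flight check is an added example, not code from Cisco or from the Security Manager product; the device names, domain and ACS entries are constructed sample data, and the way a domain suffix is combined with the FWSM blade convention is an assumption.

```python
"""Pre-flight check of Cisco Secure ACS AAA client names against the names
Security Manager will use (added example; not Cisco code).

Rules taken from the procedure: an AAA client hostname is at most 32
characters; a device with an appended domain is <device_name>.<domain_name>;
an FWSM blade is <chassis_name>_FW_<slot_number>; a security context is the
device name plus _<context_name>, and every context is its own AAA client.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACS_MAX_HOSTNAME = 32  # limit stated on the Add AAA Client page


@dataclass
class ManagedDevice:
    """A device as Security Manager displays it (constructed sample data)."""
    name: str
    domain: Optional[str] = None      # appended to the display name if set
    fwsm_slot: Optional[int] = None   # set for an FWSM blade in a chassis
    contexts: List[str] = field(default_factory=list)  # security contexts


def base_name(dev: ManagedDevice) -> str:
    """Display name of the device or FWSM blade itself.

    Assumption: a domain suffix (if any) is appended before the _FW_<slot>
    part; the guide does not show the two combined.
    """
    name = f"{dev.name}.{dev.domain}" if dev.domain else dev.name
    if dev.fwsm_slot is not None:
        name = f"{name}_FW_{dev.fwsm_slot}"
    return name


def expected_aaa_clients(dev: ManagedDevice) -> List[str]:
    """Every AAA client entry ACS needs for one managed device."""
    base = base_name(dev)
    return [base] + [f"{base}_{ctx}" for ctx in dev.contexts]


def check_aaa_clients(devices: List[ManagedDevice], server_name: str,
                      acs_clients: List[str]) -> Dict[str, List[str]]:
    """Compare the names Security Manager expects with what ACS has.

    'missing': no ACS entry at all (the user will not be authorized for it).
    'case_mismatch': present but capitalized differently; the requirements
        ask for identical spelling and capitalization on both sides.
    'too_long': exceeds the 32-character AAA client hostname limit.
    'unexpected': ACS entries that no managed device accounts for.
    The CiscoWorks/Security Manager server itself must also be a client.
    """
    expected = [server_name]
    for dev in devices:
        expected.extend(expected_aaa_clients(dev))

    acs_exact = set(acs_clients)
    acs_folded = {c.lower(): c for c in acs_clients}
    problems: Dict[str, List[str]] = {
        "missing": [], "case_mismatch": [], "too_long": [], "unexpected": []}

    for name in expected:
        if len(name) > ACS_MAX_HOSTNAME:
            problems["too_long"].append(name)
        if name in acs_exact:
            continue
        if name.lower() in acs_folded:
            problems["case_mismatch"].append(
                f"{name} (ACS has {acs_folded[name.lower()]})")
        else:
            problems["missing"].append(name)

    expected_folded = {n.lower() for n in expected}
    problems["unexpected"] = sorted(
        c for c in acs_clients if c.lower() not in expected_folded)
    return problems


# Constructed sample inventory: an ASA with a domain suffix, an FWSM blade
# in slot 3 with two security contexts, and a router whose name is too long.
SAMPLE_DEVICES = [
    ManagedDevice(name="asa-edge", domain="example.com"),
    ManagedDevice(name="cat6k-dc1", fwsm_slot=3, contexts=["admin", "dmz"]),
    ManagedDevice(name="ios-branch-router-with-a-very-long-name"),
]
SAMPLE_SERVER = "csm01.example.com"
# Constructed ACS AAA Clients table: one context capitalized differently,
# one context absent, one stale entry for a device no longer managed.
SAMPLE_ACS_CLIENTS = [
    "csm01.example.com",
    "asa-edge.example.com",
    "cat6k-dc1_FW_3",
    "cat6k-dc1_FW_3_Admin",
    "old-pix",
]

if __name__ == "__main__":
    report = check_aaa_clients(SAMPLE_DEVICES, SAMPLE_SERVER, SAMPLE_ACS_CLIENTS)
    for category, names in report.items():
        for n in names:
            print(f"{category:14s} {n}")
```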


Related Topics

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Integration Procedures Performed in Cisco Secure ACS

Checklist for Initial Cisco Secure ACS Setup

Configuring Network Device Groups for Use in Security Manager

Cisco Secure ACS enables you to configure network device groups (NDGs) that contain specific devices to be managed. For example, you can create NDGs for each geographic region or NDGs that match your organizational structure. When used with Security Manager, NDGs enable you to provide users with different levels of permissions, depending on the devices they need to manage. For example, by using NDGs you can assign User A system administrator permissions to the devices located in Europe and Help Desk permissions to the devices located in Asia. You can then assign the opposite permissions to User B.

NDGs are not assigned directly to users. Rather, NDGs are assigned to the roles that you define for each user group. Each NDG can be assigned to a single role only, but each role can include multiple NDGs. These definitions are saved as part of the configuration for the selected user group.

The following topics outline the basic steps for configuring NDGs:

Activating the NDG Feature

Creating NDGs

Associating NDGs and Roles with User Groups


Note For complete details about managing NDGs, see User Guide for Cisco Secure ACS.


Related Topics

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Integration Procedures Performed in Cisco Secure ACS

Checklist for Initial Cisco Secure ACS Setup

Activating the NDG Feature

You must activate the NDG feature before you can create NDGs and populate them with devices.

Procedure


Step 1 Click Interface Configuration on the Cisco Secure ACS navigation bar.

Step 2 Click Advanced Options.

Step 3 Scroll down, then select the Network Device Groups check box.

Step 4 Click Submit.

Step 5 Continue with Creating NDGs.


Related Topics

Creating NDGs

Associating NDGs and Roles with User Groups

Configuring Network Device Groups for Use in Security Manager

Creating NDGs

This procedure describes how to create NDGs and populate them with devices. Each device can belong to only one NDG.


Note Important: We recommend creating a special NDG that contains the CiscoWorks/Security Manager server.


Before You Begin

Activate the NDG feature. See Activating the NDG Feature.

Procedure


Step 1 Click Network Configuration on the navigation bar.

All devices are initially placed under Not Assigned, which holds all devices that were not placed in an NDG. Please note that Not Assigned is not an NDG.

Step 2 Create NDGs:

a. Click Add Entry.

b. Enter a name for the NDG on the New Network Device Group page. The maximum length is 24 characters. Spaces are permitted.

c. (Optional when using version 4.0 or later) Enter a key to be used by all the devices in the NDG. If you define a key for the NDG, it overrides any keys defined for the individual devices in the NDG.

d. Click Submit to save the NDG.

e. Repeat steps a through d to create more NDGs.

Step 3 Populate the NDGs with devices:

a. Click the name of the NDG in the Network Device Groups area.

b. Click Add Entry in the AAA Clients area.

c. Define the particulars of the device to add to the NDG, then click Submit. For more information, see Adding Devices as AAA Clients Without NDGs.

d. Repeat steps b and c to add the remaining devices to NDGs. The only device you should consider leaving in the Not Assigned category is the default AAA server.

e. After you configure the last device, click Submit + Restart.

Step 4 Continue with Creating an Administration Control User in Cisco Secure ACS.


Note You can associate roles with each NDG only after completing the integration procedures in Cisco Secure ACS and CiscoWorks Common Services. See Associating NDGs and Roles with User Groups.



Related Topics

Activating the NDG Feature

Associating NDGs and Roles with User Groups

Configuring Network Device Groups for Use in Security Manager

Creating an Administration Control User in Cisco Secure ACS

Use the Administration Control page in Cisco Secure ACS to define the administrator account that is used when defining the AAA setup mode in CiscoWorks Common Services. For more information, see Configuring the AAA Setup Mode in CiscoWorks.

Procedure


Step 1 Click Administration Control on the Cisco Secure ACS navigation bar.

Step 2 Click Add Administrator.

Step 3 On the Add Administrator page, enter a name and password for the administrator.

Step 4 Click Grant All in the Administrator Privileges area to provide full administrative permissions to this administrator.

Step 5 Click Submit to create the administrator.


Note For more information about the options available when configuring an administrator, see User Guide for Cisco Secure ACS.



Related Topics

Integration Procedures Performed in Cisco Secure ACS

Checklist for Initial Cisco Secure ACS Setup

Integration Procedures Performed in CiscoWorks

The following topics describe the procedures to perform in CiscoWorks Common Services when integrating it with Cisco Security Manager:

Creating a Local User in CiscoWorks

Defining the System Identity User

Configuring the AAA Setup Mode in CiscoWorks

Perform these procedures after completing the integration procedures performed in Cisco Secure ACS. Common Services performs the actual registration of CiscoWorks and any installed applications, such as Cisco Security Manager, Auto-Update Server, and IPS Manager, into Cisco Secure ACS.

Related Topics

ACS Integration Requirements

Integration Procedures Performed in Cisco Secure ACS

Integrating Security Manager with Cisco Secure ACS

Creating a Local User in CiscoWorks

Use the Local User Setup page in CiscoWorks Common Services to create a local user account that duplicates the administrator you previously created in Cisco Secure ACS. This local user account is later used for the system identity setup. For more information, see Defining the System Identity User.

Before You Begin

Create an administrator in Cisco Secure ACS. See Defining Users and User Groups in Cisco Secure ACS.

Procedure


Step 1 Log in to CiscoWorks using the default admin user account.

Step 2 Select Server > Security from Common Services, then select Local User Setup from the TOC.

Step 3 Click Add.

Step 4 Enter the same name and password that you entered when creating the administrator in Cisco Secure ACS. See step 4 in Defining Users and User Groups in Cisco Secure ACS.

Step 5 Select all the check boxes under Roles except Export Data.

Step 6 Click OK to create the user.


Related Topics

Integration Procedures Performed in CiscoWorks

Checklist for Initial Cisco Secure ACS Setup

Defining the System Identity User

Use the System Identity Setup page in CiscoWorks Common Services to create a trust user (called the System Identity user) that enables communication between servers that are part of the same domain and application processes that are located on the same server. Applications use the System Identity user to authenticate processes on local or remote CiscoWorks servers. This is especially useful when the applications must synchronize before any users have logged in.

In addition, the System Identity user is often used to perform a subtask when the primary task has already been authorized for the logged in user. For example, editing a device in Security Manager requires interapplication communication between Security Manager and the Common Services DCR. After the user has been authorized to perform the editing task, the System Identity user is used to invoke the DCR.

The System Identity user you configure here must be identical to the administrator with full permissions that you configured in ACS. Failure to do so could result in your being unable to view all the devices and policies configured in Security Manager.

Before You Begin

Create a local user with the same name and password as this administrator in CiscoWorks Common Services. See Creating a Local User in CiscoWorks.

Procedure


Step 1 Select Server > Security, then select Multi-Server Trust Management > System Identity Setup from the TOC.

Step 2 Enter the name of the administrator that you created for Cisco Secure ACS. See step 4 in Defining Users and User Groups in Cisco Secure ACS.

Step 3 Enter and verify the password for this user.

Step 4 Click Apply.


Related Topics

Integration Procedures Performed in CiscoWorks

Checklist for Initial Cisco Secure ACS Setup

Configuring the AAA Setup Mode in CiscoWorks

Use the AAA Setup Mode page in CiscoWorks Common Services to define your Cisco Secure ACS as the AAA server, including the required port and shared secret key. In addition, you can define up to two backup servers.

This procedure performs the actual registration of CiscoWorks, Security Manager, IPS Manager (and optionally, Auto-Update Server) into Cisco Secure ACS.

Procedure


Step 1 Select Server > Security, then select AAA Mode Setup from the TOC.

Step 2 Select the TACACS+ check box under Available Login Modules.

Step 3 Select ACS as the AAA type.

Step 4 Enter the IP addresses of up to three Cisco Secure ACS servers in the Server Details area. The secondary and tertiary servers act as backups in case the primary server fails.


Note If all the configured TACACS+ servers fail to respond, you must log in using the admin CiscoWorks Local account, then change the AAA mode back to Non-ACS/CiscoWorks Local. After the TACACS+ servers are restored to service, you must change the AAA mode back to ACS.


Step 5 In the Login area, enter the name of the administrator that you defined on the Administration Control page of Cisco Secure ACS. For more information, see Creating an Administration Control User in Cisco Secure ACS.

Step 6 Enter and verify the password for this administrator.

Step 7 Enter and verify the shared secret key that you entered when you added the Security Manager server as a AAA client of Cisco Secure ACS. See step 5 in Adding Devices as AAA Clients Without NDGs.

Step 8 Select the Register all installed applications with ACS check box to register Security Manager and any other installed applications with Cisco Secure ACS.

Step 9 Click Apply to save your settings. A progress bar displays the progress of the registration. A message is displayed when registration is complete.

Step 10 (If you are integrating Security Manager with ACS 3.3(x)) Restart the Cisco Security Manager Daemon Manager service. See Restarting the Daemon Manager.

Step 11 Log back in to Cisco Secure ACS to assign roles to each user group. See Assigning Roles to User Groups in Cisco Secure ACS.



Note Important: The AAA setup configured here is not retained if you uninstall CiscoWorks Common Services or Cisco Security Manager. In addition, this configuration cannot be backed up and restored after reinstallation. Therefore, if you upgrade to a new version of either application, you must reconfigure the AAA setup mode and reregister Security Manager with ACS. This process is not required for incremental updates. If you install additional applications, such as AUS, on top of CiscoWorks, you must reregister the new applications and Cisco Security Manager.


Related Topics

Integration Procedures Performed in CiscoWorks

Checklist for Initial Cisco Secure ACS Setup

Restarting the Daemon Manager

This procedure describes how to restart the Daemon Manager of the Security Manager server. You must do this in order for the AAA settings you configured to take effect. You can then log back in to CiscoWorks using the credentials defined in Cisco Secure ACS.


Note Important: You need to perform this procedure only when integrating Security Manager with Cisco Secure ACS 3.3(x). This procedure is not required when using ACS 4.0(x).


Procedure


Step 1 Log in to the machine on which the Security Manager server is installed.

Step 2 Select Start > Programs > Administrative Tools > Services to open the Services window.

Step 3 From the list of services displayed in the right pane, select Cisco Security Manager Daemon Manager.

Step 4 Click the Restart Service button on the toolbar.

Step 5 Continue with Assigning Roles to User Groups in Cisco Secure ACS.


Related Topics

Checklist for Initial Cisco Secure ACS Setup

Integrating Security Manager with Cisco Secure ACS

Assigning Roles to User Groups in Cisco Secure ACS

After you have registered CiscoWorks, Security Manager and other installed applications to Cisco Secure ACS, you can assign roles to each of the user groups that you previously configured in Cisco Secure ACS. These roles determine the actions that the users in each group are permitted to perform in Security Manager.

The procedure for assigning roles to user groups depends on whether NDGs are being used:

Assigning Roles to User Groups Without NDGs

Associating NDGs and Roles with User Groups

Related Topics

Checklist for Initial Cisco Secure ACS Setup

Integrating Security Manager with Cisco Secure ACS

Assigning Roles to User Groups Without NDGs

This procedure describes how to assign the default roles to user groups when NDGs have not been defined. For more information, see Cisco Secure ACS Default Roles.

Before You Begin

Create a user group for each default role. See Defining Users and User Groups in Cisco Secure ACS.

Complete the procedures described in Integration Procedures Performed in Cisco Secure ACS and Integration Procedures Performed in CiscoWorks.

Procedure


Step 1 Log in to Cisco Secure ACS.

Step 2 Click Group Setup on the navigation bar.

Step 3 Select the user group for system administrators from the list (see step 2 of Defining Users and User Groups in Cisco Secure ACS), then click Edit Settings.

Step 4 Assign the system administrator role to this group:

a. Scroll down to the CiscoWorks area under TACACS+ Settings.

b. Select the first Assign option, then select System Administrator from the list of CiscoWorks roles.

c. Scroll down to the Cisco Security Manager Shared Services area.

d. Select the first Assign option, then select System Administrator from the list of Cisco Secure ACS roles.

e. Click Submit to save the group settings.

Step 5 Repeat steps 3 and 4 for the remaining roles, assigning each role to the appropriate user group.


Note For more information about customizing the default roles in ACS, see Customizing Cisco Secure ACS Roles.



Related Topics

Understanding CiscoWorks Roles

Understanding Cisco Secure ACS Roles

Integrating Security Manager with Cisco Secure ACS

Associating NDGs and Roles with User Groups

When you associate NDGs with roles for use in Security Manager, you must create definitions in two places on the Group Setup page:

CiscoWorks area

Cisco Security Manager area

The definitions in each area should match as closely as possible. When associating custom roles or ACS roles that do not exist in CiscoWorks Common Services, try to define as close an equivalent as possible based on the permissions assigned to that role.

You must create associations for each user group that will be used with Security Manager. For example, if you have a user group containing support personnel for the Western region, you can select that user group, then associate the NDG containing the devices in that region with the Help Desk role.

Before You Begin

Activate the NDG feature and create NDGs. See Configuring Network Device Groups for Use in Security Manager.

Procedure


Step 1 Click Group Setup on the navigation bar.

Step 2 Select a user group from the Group list, then click Edit Settings.

Step 3 Map NDGs and roles for use in CiscoWorks:

a. On the Group Setup page, scroll down to the CiscoWorks area under TACACS+ Settings.

b. Select Assign a Ciscoworks on a per Network Device Group Basis.

c. Select an NDG from the Device Group list.

d. Select the role to which this NDG should be associated from the second list.

e. Click Add Association. The association appears in the Device Group box.

f. Repeat steps c through e to create additional associations.


Note To remove an association, select it from the Device Group, then click Remove Association.


Step 4 Scroll down to the Cisco Security Manager area and create associations that match as closely as possible the associations defined in step 3.


Note When selecting the Security Approver or Security Administrator roles in Cisco Secure ACS, we recommend selecting Network Administrator as the closest equivalent CiscoWorks role.


Step 5 Click Submit to save your settings.

Step 6 Repeat steps 2 through 5 to define NDGs for the remaining user groups.

Step 7 When you have finished associating NDGs and roles with each user group, click Submit + Restart.


Note For more information about customizing the default roles in ACS, see Customizing Cisco Secure ACS Roles.



Related Topics

Integrating Security Manager with Cisco Secure ACS

Checklist for Initial Cisco Secure ACS Setup

Selecting a Workflow Mode

Security Manager has two main modes of operation:

Workflow mode (with or without approvers).

Non Workflow mode (the default).

The workflow mode you choose depends on your organizational structure and the level of control you wish to have over changes to the network. The following topics help you understand the different workflow modes so that you can make an informed decision as to which mode you prefer:

Working in Workflow Mode

Working in Non-Workflow Mode

Comparing the Two Workflow Modes

Enabling and Disabling Workflow Modes

Working in Workflow Mode

Workflow mode is an advanced mode of operation that imposes a formal change-tracking and management system. Workflow mode is suitable for organizations in which there is division of responsibility among security and network operators for defining VPN or firewall policies and deploying these policies to devices. For example, a security operator might be responsible for defining security policies on devices, another security operator might be responsible for approving the policy definitions, and a network operator for deploying the resulting configurations to a device. This separation of responsibility helps maintain the integrity of deployed device configurations.

You can use Workflow mode with or without an approver. When using Workflow mode with an approver, device management and policy configuration changes performed by one user may be reviewed and approved by another user before being deployed to the relevant devices. When using Workflow mode without an approver, device and policy configuration changes can be created and approved by a single user, thus simplifying the change process.

In Workflow mode:

A user must create an activity before defining or changing policy configurations. An activity is essentially a proposal to make configuration changes. The changes made within the activity are only applied after the activity is approved by a user with the appropriate permissions. An activity can either be submitted to another user for review and approval (Workflow mode with an activity approver), or it can be approved by the current user (Workflow mode without an activity approver). For detailed information about the process of creating, submitting, and approving activities, see Chapter 1, "Managing Activities."

After the activity is approved, the configuration changes need to be deployed to the relevant devices. To do this, a user must create a deployment job. A deployment job defines the devices to which configurations will be deployed, and the deployment method to be used. A deployment job can either be submitted to another user for review and approval (Workflow mode with a job approver), or it can be approved by the current user (Workflow mode without a job approver). Deployment preferences can be configured with or without job approval. For more information, see Chapter 1, "Managing Deployment."

Working in Non-Workflow Mode

Some organizations have no division of responsibility between users when defining and administering their VPN and firewall policies. These organizations can work in non Workflow mode, which is the default mode of operation. When using non Workflow mode, there is no need to create activities and jobs. When you log in, Security Manager automatically creates an activity for you. This activity is transparent to the user and does not need to be managed in any way. In addition, when you save and deploy configuration changes, Security Manager automatically creates a job for you as well. Like activities, jobs are transparent and do not need to be managed.

When using non Workflow mode, multiple users with the same username and password cannot be logged into Security Manager at the same time. If another user logs in with the same username and password while you are working, your session will be terminated and you will have to log in again.

Comparing the Two Workflow Modes

Table 1-2 highlights the differences between the two workflow modes.

Table 1-2 Comparison Between Workflow Mode and Non Workflow Mode

What is the default mode for Security Manager?
Non Workflow mode: Default.
Workflow mode: Not default.

How do I know which mode is currently selected?
Non Workflow mode: In Tools > Security Manager Administration > Workflow, the Enable Workflow check box is not selected.
Workflow mode: In Tools > Security Manager Administration > Workflow, the Enable Workflow check box is selected.

Must I create activities to make configuration changes?
Non Workflow mode: No. Security Manager automatically creates an activity when you log in.
Workflow mode: Yes.

Must I create jobs to deploy configurations to devices?
Non Workflow mode: No.
Workflow mode: Yes.

How do I deploy my configuration changes to the devices?
Non Workflow mode: Do one of the following: click the Submit and Deploy Changes button on the Main toolbar; select File > Submit and Deploy; or select Tools > Deployment Manager and click Deploy.
Workflow mode: Select Tools > Deployment Manager and create a deployment job.

At what stage are the CLI commands for my configuration changes generated?
Non Workflow mode: When initiating deployment.
Workflow mode: When creating a deployment job.

How do I delete my current changes?
Non Workflow mode: Select File > Discard, or, if you have already started deploying to devices, abort the deployment by selecting Tools > Deployment Manager > Abort.
Workflow mode: Select Tools > Deployment Manager > Discard. If the job has already been deployed, you can abort the job by selecting Tools > Deployment Manager > Abort.

Can multiple users log into Security Manager at the same time?
Non Workflow mode: Yes, but only if each one has a different username and password. Your access to Security Manager is discontinued if another user with the same username logs in.
Workflow mode: Yes. Each user can open a different activity and make configuration changes.

What if another user is configuring the devices I want to configure?
Non Workflow mode: You will receive a message indicating that the devices are locked. See Activities and Locking, page 1-4.
Workflow mode: You will receive a message indicating that the devices are locked. See Activities and Locking, page 1-4.


Enabling and Disabling Workflow Modes

The default mode in Security Manager is non Workflow mode. If you have Administrator permissions, you can change the workflow mode in Tools > Security Manager Administration. Before doing so, be sure to understand the following notes:

When you change the workflow mode, the change will take effect for all Security Manager users working from the same server.

Before you can change to non Workflow mode, all activities in editable states (Edit, Edit Open, Submit, or Submit Open) must be approved or discarded, and all generated jobs must be deployed, failed, rejected, discarded, or aborted so that the locks on the devices can be released.

If you change to non Workflow mode and then restore an earlier version of the database, Security Manager automatically changes to Workflow mode if the restored database has any activities in an editable state (Edit, Edit Open, Submit, or Submit Open). Approve or delete the editable activities, and then turn workflow off again.

Both Workflow and non Workflow modes use activities. However, Security Manager hides and automatically manages activities when in non Workflow mode. Therefore, when changing from non Workflow mode to Workflow mode, the current hidden activity is then exposed and placed in the Edit_Open state.

This procedure will help you establish Workflow mode settings.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Workflow. The Workflow page appears in the right-hand pane. For a description of the fields on this page, see Table A-16 on page A-24.

Step 3 To disable Workflow mode, deselect the Enable Workflow check box, and then click Save.

Step 4 To enable Workflow mode, perform as many of the following steps as are needed:

Step 5 Select the Enable Workflow check box.

Step 6 To require that activities be approved before they are committed to the database, select the Require Activity Approval check box.

Step 7 To require that deployment jobs be approved before they are deployed to devices, select the Require Deployment Approval check box.

Step 8 Enter the email address of the activity approver.

Step 9 Enter the email address of the deployment job approver.

Step 10 To change the number of days for which activity logs are kept, enter a new value in the Keep Activity for field.


Note Clicking Purge Now immediately deletes activity logs older than the number of days you specify.


Step 11 To change the number of days for which deployment job logs are kept, enter a new value in the Keep Job for text box.


Note Clicking Purge Now immediately deletes deployment job logs older than the number of days you specify.


Step 12 Perform one of the following steps:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 13 Click Yes to the confirmation dialog box to confirm your choice. A message appears indicating that this action was successful.


Related Topics

Managing Activities, page 1-1

Managing Deployment, page 1-1

Working with AutoLink

The Security Manager Map view provides a graphical view of your VPN and Layer 3 network topology. Using device nodes to represent managed devices and map objects to represent unmanaged objects such as devices, clouds, and networks, you can create topology maps with which to study your network. AutoLink settings enable you to exclude any of five private or reserved networks from Map view. For example, you might exclude networks that are not relevant to the management tasks you perform with Security Manager, such as test networks, so that they do not appear on your topology map.

This procedure will help you define AutoLink settings.

Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click AutoLink. The AutoLink settings page appears. For a description of the fields on this page, see Table A-1 on page A-2.

Step 3 Deselect any check boxes adjacent to those network IP addresses you would like to omit from any topology maps you create.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.


Related Topics

Displaying Layer 3 Links on the Map, page 1-22

Displaying Your Network on the Map, page 1-16

Understanding Maps, page 1-1

Working With Maps, page 1-2

Defining Configuration Archive Settings

From the Configuration Archive page, you can purge the configuration file versions that Security Manager maintains for the devices it manages. You can also enter the TFTP server and directory that Cisco IOS devices use during configuration rollback. Because TFTP is neither authenticated nor encrypted, and archived configurations contain credentials and keys, restrict that server and directory to the management network and to the devices that need them.

This procedure will help you define Configuration Archive settings.

Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Configuration Archive. The Configuration Archive Purge dialog box is on the top half of the window and the TFTP for Configuration Version Rollback server settings are below. For a description of the fields on this page, see Table A-2 on page A-3.

Step 3 Do any or all of the following:

Enter the maximum number of configurations to be retained in Configuration Archive for each device after you click Purge Now.

To change the default TFTP server, enter the server name or IP address for TFTP file transfers.


To change the default directory for TFTP file transfers, enter the root directory for configuration file transfers on your TFTP server.


Tip To return to the values that were present when you first opened a settings page, click Reset at any time before you click Save. If you clicked Save in error and do not remember the previous values, click Restore Defaults to reestablish the Security Manager defaults.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.


Related Topics

Configuration Archive Window, page A-10

Using the Configuration Archive Tool, page 1-9

Customizing Your Desktop

Adjust your GUI timeout and 'Do Not Ask' settings from the Customize Desktop page.

This procedure will help you adjust your GUI timeout and 'Do Not Ask' settings.

Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Customize Desktop. For a description of the fields on this page, see Table A-3 on page A-4.

Step 3 Perform as many of the following steps as are needed:

If you enabled any Do Not Ask Me Again settings and want to restore the display of warning messages anywhere in the application, click Reset 'Do Not Ask' on Warnings.

Click the Enable Idle Timeout check box to enable Security Manager to log users out according to the specified number of minutes in the Idle Timeout text field.

Enter the number of minutes after which you want Security Manager to log users out.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.


Related Topics

Working With the Security Manager User Interface, page 1-1

Defining Deployment Settings

Use the Deployment settings page to define the following:

Number of days to archive debugging files.

Whether configuration changes are deployed to a file or to a device.

Whether to warn, cancel, or skip deployment when out-of-band changes are detected.

Whether reference configurations for deployments should be taken from an archive or a device.

How to optimize the deployment of firewall access lists. (Optimized to reduce deployment time or to minimize traffic disruption).

Whether to allow FWSM to compile access lists automatically instead of using Security Manager to control the ACL compilation.

Whether to enable advanced debugging.

Whether deployments will proceed with errors.

Whether to delete unreferenced object groups from devices.

Whether to delete unreferenced access lists from devices.

Whether changes to the device configuration for Cisco IOS, PIX, FWSM, and ASA devices are copied to the startup configuration for those device types.

Whether ACL remarks should be generated during deployment.

This procedure will help you define deployment settings.

Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Deployment.

The Deployment window appears. For a description of the fields on this page, see Table A-4 on page A-5.

Step 3 Do any of the following according to your deployment needs:

Enter the number of days to retain debugging files. After the time limit is reached, the files are purged. If you change the time limit from 10 days to 7 days, for example, you can click Purge Now to immediately purge files older than 7 days.

Select a default deployment method from the Default Deployment Method list. If you select File, you can use the Browse button to select a target directory to which to deploy the file.

Select the appropriate system response when out-of-band changes are detected.

When deploying to a file, choose whether to use the most recently archived configuration or the current device configuration against which to compare changes for generating the CLI needed to be deployed.

When deploying to a device, choose whether to use the most recently archived configuration or the current device configuration against which to compare changes for generating the CLI needed to be deployed.

Select Speed or Traffic from the Firewall Rule Optimization list.

To switch FWSM to automatic ACL compilation mode in which FWSM determines when to compile access lists, check Let FWSM decide when to compile access lists. Selecting this option might increase deployment speed but has potential negative impacts. Traffic might be disrupted and the system becomes incapable of reporting ACL compilation error messages. Deselect this option to use manual ACL commit for firewall rule deployment if, for example, you have a large number of ACLs. For more information, see Understanding Access Rules, page 1-6.


Caution You should not check this option unless you are otherwise experiencing deployment problems and are an advanced user.

To have Security Manager generate data files containing information about configuration generation, deployment, and discovery as these functions are performed, select Enable Advanced Debugging.

To allow deployment to devices (as opposed to a file) to continue even if there are minor device configuration errors, select Allow Download On Error.

To delete from devices during deployment any object groups that are not being used by other CLI commands, select Remove unreferenced ObjectGroups on device.

To delete from devices during deployment any access lists that are not being used by other CLI commands, select Remove unreferenced access-lists on device.

To ensure that any changes to device configurations (PIX, FWSM, ASA, or IOS devices) are copied to the startup configuration for that device, select Copy running config to startup config.

To have Security Manager generate ACL remarks during deployment, select Generate ACL remarks during deployment.

Step 4 Click Save.

Certain options will display a warning dialog box and ask if you want to continue. To continue, click Yes.


Note To return to values that were present when you first opened a settings page, click Reset at any time before you click Save. If you clicked Save in error and do not remember what was there before, you can click Restore Defaults to reestablish Security Manager defaults.
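The two reference-configuration choices and the out-of-band setting above interact in a way that is easiest to see on concrete input. The following is an added example, not Security Manager code: a line-level model of delta generation over constructed IOS-style configuration fragments, in which an operator has added an SNMP community on the console behind Security Manager's back. The delta generator, the plan_deployment function and the 'warn' and 'cancel' names are assumptions made for the example; the page's third out-of-band option, skip, is not modelled.

```python
"""Added example, not Security Manager code: what the out-of-band (OOB) and
reference-configuration settings on the Deployment page decide. The IOS-style
fragments are constructed, and the delta generator is a line-level
simplification that assumes order-independent lines (true for the logging,
NTP and SNMP lines used here, not for access lists)."""

# What Security Manager last deployed and archived for the device (constructed).
ARCHIVED = """
hostname edge-rtr
logging host 10.0.0.5
ntp server 10.0.0.7
"""

# The running configuration now on the device: an operator added an SNMP
# community on the console, outside Security Manager (constructed).
RUNNING = ARCHIVED + "snmp-server community public RO\n"

# What the current Security Manager policies call for: a second syslog
# destination was added to the policy (constructed).
DESIRED = """
hostname edge-rtr
logging host 10.0.0.5
logging host 10.0.0.6
ntp server 10.0.0.7
"""


def config_lines(text):
    """Non-empty, non-comment lines, stripped, in the order they appear."""
    lines = [line.strip() for line in text.splitlines()]
    return [line for line in lines if line and not line.startswith("!")]


def out_of_band_changes(archived, running):
    """Lines on the device that are not in the archive, and vice versa."""
    archived_lines = config_lines(archived)
    running_lines = config_lines(running)
    added = [line for line in running_lines if line not in archived_lines]
    removed = [line for line in archived_lines if line not in running_lines]
    return added, removed


def generate_delta(reference, desired):
    """CLI that turns `reference` into `desired`: negate lines that are no
    longer wanted, then add the ones that are missing."""
    ref, want = config_lines(reference), config_lines(desired)
    negations = [f"no {line}" for line in ref if line not in want]
    additions = [line for line in want if line not in ref]
    return negations + additions


def apply_delta(running, cli):
    """Simulate the device applying the generated CLI to its running config."""
    lines = config_lines(running)
    for command in cli:
        if command.startswith("no "):
            lines = [line for line in lines if line != command[3:]]
        else:
            lines.append(command)
    return lines


def plan_deployment(oob_setting, reference_setting, archived, running, desired):
    """oob_setting: 'warn' or 'cancel' (assumed names for the page's options;
    its third option, skip, is not modelled). reference_setting: 'archive'
    or 'device', the configuration the delta is computed against."""
    added, removed = out_of_band_changes(archived, running)
    oob_detected = bool(added or removed)
    plan = {"oob_added": added, "oob_removed": removed,
            "deploy": True, "warning": None}
    if oob_detected and oob_setting == "cancel":
        plan["deploy"] = False
        plan["warning"] = "deployment cancelled: out-of-band changes detected"
        return plan
    if oob_detected:
        plan["warning"] = f"out-of-band changes detected: {added + removed}"
    reference = archived if reference_setting == "archive" else running
    plan["cli"] = generate_delta(reference, desired)
    plan["result"] = apply_delta(running, plan["cli"])
    return plan


if __name__ == "__main__":
    for setting in ("archive", "device"):
        plan = plan_deployment("warn", setting, ARCHIVED, RUNNING, DESIRED)
        print(f"reference={setting}: cli={plan['cli']}")
        print("  hand-added SNMP community still on device:",
              "snmp-server community public RO" in plan["result"])
```

With the archive as reference, the hand-added snmp-server community line is in neither the archived nor the desired configuration, so the generated CLI never mentions it and it stays on the device; only the out-of-band warning reveals it. With the device as reference, the same line is negated and removed. Either outcome may be what you want, which is why the out-of-band setting should be chosen together with the reference setting.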



Related Topics

Managing Deployment, page 1-1

Defining Device Communication Settings

Use the Device Communication settings page to define these settings for all devices managed by Security Manager:

The number of seconds that Security Manager has to establish a connection with a device before timing out.

The number of seconds Security Manager can spend blocked waiting for incoming data.

The default transport protocol for contacting all Cisco IOS devices.

Whether Security Manager will apply changes to SSH keys made directly on the device.

To make changes for only a single device, see Editing Device Properties, page 1-78.

The following topics describe device communication settings:

Defining Connection and Transport Protocol Settings in the UI

Defining SSH by Editing the DCS Properties File

Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices

Defining Connection and Transport Protocol Settings in the UI

This procedure will help you define device communication settings.

Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Device Communication. The Device Communication settings window opens. For a description of the fields on this page, see Table A-5 on page A-9.

Step 3 Perform as many of the following steps as are needed:

Enter the number of seconds for Device Connection timeout. This is the amount of time Security Manager attempts to establish a connection with a device before timing out.

Enter a value for Retry Count. This is the number of times Security Manager should reattempt establishing a device connection after timing out.

Enter the number of seconds for Socket Read timeout. This is the amount of time Security Manager remains blocked waiting for incoming data. If no incoming data is received within this period, an error is displayed.

Select a default transport protocol for contacting all Cisco IOS devices from the list if needed.

Select one of the following certificate authentication methods for devices using SSL:

Retrieve while adding devices enables Security Manager to automatically obtain certificates from devices while you add one or more devices from the network or DCR. Security Manager calculates the device certificate thumbprints and stores the calculated thumbprint(s) in the certificate data store. For information and procedures see Adding Devices to the Security Manager Inventory, page 1-29.

Manually add certificates prevents Security Manager from automatically accepting certificates in the Adding Devices from the Network or Adding Devices from DCR wizards. You must add the device thumbprint manually before you add the devices. See Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices.

Do not use certificate authentication prevents automatic certificate validation for devices using SSL.


Caution This option leaves your system vulnerable to third-party interference with device validation: without certificate validation, Security Manager cannot tell a managed device from a man-in-the-middle that presents its own certificate, and the credentials sent over that session can be captured. We recommend that you use only the Retrieve while adding devices or Manually add certificates options.

To add the device certificate thumbprint immediately, see Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices.

To allow Security Manager to accept and store a device's new SSH host key when the key is changed directly on the device, check Overwrite SSH Keys. Leave it unchecked unless you expect a key change: a host key that changes without an administrator having regenerated it is also what a man-in-the-middle attack looks like, so an unexpected mismatch should be investigated rather than overwritten.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box states that changes were saved.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes in the confirmation dialog box to confirm your choice. A message states that this action was successful.


Defining SSH by Editing the DCS Properties File

Security Manager supports both SSH transport protocol versions, SSH1 and SSH2. With SSH2, the encryption algorithm (cipher) is negotiated between the device and Security Manager. With SSH1, the default cipher for managed devices is DES (Data Encryption Standard). Security Manager detects the protocol version in use on each device automatically and uses it when deploying to that device, and it stores device public keys in the known_hosts file in the ../CSCOpx/MDC/be/tmp/.ssh directory. Note that SSH1 and single DES are both considered insecure; where a device supports SSH2, use it.

You make the following global changes to devices by editing the DCS.properties file:

Change the encryption algorithm for devices using SSH1.

Choose whether Security Manager applies changes in the SSH keys for a device when these are updated directly on the device.

Edit a list of warning expressions generated during deployment for all devices.


Note You must restart the daemon manager for changes to take effect after you edit the DCS.properties file.


Related Topics

Managing Devices, page 1-1

Preparing the Devices for Security Manager to Manage, page 1-2

Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices

Security Manager enables you to authenticate a Firewall device, FWSM, ASA, or Cisco IOS router by validating the certificate installed on the device. Note that this is true only for devices that use SSL as their transport protocol.

This procedure will help you manually add device certificates.

Before You Begin

Make sure that the certificate thumbprint (hexadecimal string) is available.


Tip If the thumbprint is not readily available, you can copy it from the error message that is displayed when you add a live device, a device from the network, or a device from the DCR. That message shows whatever certificate was presented on that connection, so confirm the value against the device itself (for example, on its console) before you add it; otherwise you would be pinning an interposer's certificate.


Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Device Communication. The Device Communication settings window opens. For a description of the fields on this page, see Table A-5 on page A-9.

Step 3 Enter the hostname or IP address of the device.

Step 4 Enter the certificate thumbprint in its hexadecimal form.

Step 5 Do one of the following:

Click OK to initiate device contact, apply, and save changes. A confirmation dialog box states that changes were saved.


Note The OK button becomes active only when at least 32 characters of the thumbprint are entered, which is the length of an MD5 digest in hexadecimal.


Click Cancel to stop the operation and close the dialog box.

Step 6 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
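The three certificate options, the Overwrite SSH Keys check box and the manual thumbprint procedure above all reduce to two decisions: what to do when a host has no pinned identity yet, and what to do when the identity it presents differs from the pinned one. The following is an added example, not Security Manager code, that makes those decisions explicit for both the SSL thumbprint store and the SSH known_hosts store. The PinStore class, the policy names, the mapping of the page's options onto them, the first-contact behaviour assumed for known_hosts and the two stand-in certificates are all assumptions; the MD5 thumbprint length follows the page's 32-character note.

```python
"""Added example, not Security Manager code: the pin-and-verify decisions
that the Device Communication settings configure (the three SSL certificate
options and the Overwrite SSH Keys check box). The store layout, the policy
names and the two stand-in certificates are assumptions for the example."""
import hashlib
import hmac
import re

# Hex length of a thumbprint -> digest algorithm. 32 hex characters is an MD5
# digest, which is the page's "at least 32 characters" rule for the OK button.
ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_thumbprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase hex."""
    hexstr = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) not in ALGORITHMS:
        raise ValueError("thumbprint must be 32, 40 or 64 hexadecimal characters")
    return hexstr


def thumbprint(der, algorithm="md5"):
    """Thumbprint of a DER-encoded certificate: the digest of its bytes. MD5
    matches the page's 32-character rule; prefer SHA-256 where tooling allows."""
    return hashlib.new(algorithm, der).hexdigest()


class PinStore:
    """One pinned identity per host. on_unknown decides first contact
    ('pin' = trust on first use, 'reject' = must be added manually,
    'accept' = no checking); on_mismatch decides a changed identity
    ('reject', 'overwrite' or 'accept')."""

    def __init__(self, on_unknown="pin", on_mismatch="reject"):
        if on_unknown not in ("pin", "reject", "accept"):
            raise ValueError("unknown on_unknown policy")
        if on_mismatch not in ("reject", "overwrite", "accept"):
            raise ValueError("unknown on_mismatch policy")
        self.on_unknown, self.on_mismatch = on_unknown, on_mismatch
        self.pins = {}

    def add(self, host, identity):
        """Manual entry: the page's 'Manually add certificates' path."""
        self.pins[host] = identity

    def verify(self, host, presented):
        """Return (accepted, reason) for the identity a device just presented."""
        pinned = self.pins.get(host)
        if pinned is None:
            if self.on_unknown == "pin":
                self.pins[host] = presented
                return True, "first contact: identity pinned"
            if self.on_unknown == "accept":
                return True, "identity checking disabled"
            return False, "no pinned identity for host; add it manually"
        if hmac.compare_digest(pinned, presented):
            return True, "matches pinned identity"
        if self.on_mismatch == "overwrite":
            self.pins[host] = presented
            return True, "identity changed: pin overwritten"
        if self.on_mismatch == "accept":
            return True, "identity changed: ignored, checking disabled"
        return False, "identity changed: possible interception, refusing"


# The page's three SSL options, mapped to the assumed policy pairs.
SSL_MODES = {
    "Retrieve while adding devices": {"on_unknown": "pin", "on_mismatch": "reject"},
    "Manually add certificates": {"on_unknown": "reject", "on_mismatch": "reject"},
    "Do not use certificate authentication": {"on_unknown": "accept", "on_mismatch": "accept"},
}


def certificate_store(mode):
    return PinStore(**SSL_MODES[mode])


def ssh_host_key_store(overwrite_ssh_keys):
    """known_hosts behaviour: pin on first contact (assumed); a changed key is
    accepted only when Overwrite SSH Keys is checked."""
    return PinStore("pin", "overwrite" if overwrite_ssh_keys else "reject")


# Constructed stand-ins for two DER-encoded certificates (not real X.509 data).
CERT_A = b"constructed DER stand-in: certificate of fw1"
CERT_B = b"constructed DER stand-in: certificate presented by an interposer"


def add_then_reconnect(mode):
    """Add fw1 under `mode` (certificate A), then reconnect and receive a
    different certificate (B). Returns verify()'s result for that reconnect."""
    store = certificate_store(mode)
    if mode == "Manually add certificates":
        store.add("fw1", normalize_thumbprint(thumbprint(CERT_A)))
    store.verify("fw1", thumbprint(CERT_A))
    return store.verify("fw1", thumbprint(CERT_B))


if __name__ == "__main__":
    for mode in SSL_MODES:
        print(f"{mode}: {add_then_reconnect(mode)}")
```

The thumbprint to pin can be read on the device side, independent of the management connection, for example with `openssl x509 -in device.pem -noout -fingerprint -md5` against an exported certificate. The two reject paths, an unknown host under Manually add certificates and a changed certificate under either validating mode, are exactly the cases that the Do not use certificate authentication option silently accepts.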


Working with Device Groups

Grouping devices enables you to view a subset of devices that have similar group attributes.

You can create groups and assign devices to them when you add devices, or you can create the groups later, using the Device Groups page under the Tools menu. From the Device Groups page, you can create group types and groups, delete groups, and modify group names. To access this page, select Tools > Security Manager Administration > Device Groups. For procedure, see Working With Groups, page 1-85.

Related Topics

Understanding Device Grouping, page 1-83

Working With Groups, page 1-85

Grouping Devices, page 1-40

Edit Device Groups Page, page A-70

Defining Discovery Settings

From the Discovery page you can define how long to keep a record of discovery and device-import tasks; tasks older than the number of days you specify are deleted. You can also determine whether to substitute matching named objects that are already defined in Security Manager for inline values found in the CLI, and whether to roll back all policies if an error is encountered during policy discovery.

This procedure will help you define settings for policy and device discovery.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Discovery. The Discovery page appears in the right-hand pane. For a description of the fields on this page, see Table A-8 on page A-13.

Step 3 Perform as many of the following steps as are needed:

To change the number of days you keep discovery and device-import tasks, enter a new value in the Purge discovery tasks older than (days) text field.

To substitute any matching named policy objects already defined in Security Manager for inline values in the CLI such as IP addresses, check Reuse policy objects for inline values.

To roll back all discovered policies if even one error is encountered for a single policy, check On error, rollback discovery for entire device.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
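To make the two check boxes concrete, here is an added example, not Security Manager code, of discovering a short extended access list with named objects substituted for inline values and all-or-nothing rollback on error. The object names, the access-list lines, the rule representation and the choice to treat a non-contiguous wildcard mask as a discovery error are assumptions made for the example.

```python
"""Added example, not Security Manager code: what the two Discovery check
boxes mean for a discovered access list. 'Reuse policy objects for inline
values' replaces an inline address with the named object that has the same
value; 'On error, rollback discovery for entire device' discards every
discovered rule when any line fails. Objects, lines and the failing line
are constructed for the example."""
import ipaddress

# Named network objects already defined in Security Manager (constructed).
NETWORK_OBJECTS = {
    "WebServer": ipaddress.ip_network("10.1.1.10/32"),
    "Branch-LAN": ipaddress.ip_network("192.168.20.0/24"),
}

# Discovered from the device (constructed): the first line uses inline values
# that match both objects, the third uses a non-contiguous wildcard mask that
# has no policy-object equivalent and therefore fails discovery.
DISCOVERED_LINES = [
    "access-list 101 permit tcp 192.168.20.0 0.0.0.255 host 10.1.1.10 eq 443",
    "access-list 101 permit udp any host 10.1.1.10 eq 514",
    "access-list 101 deny ip 10.2.0.0 0.0.255.0 any",
    "access-list 101 deny ip any any",
]


def parse_address(tokens, i):
    """Parse an IOS address at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D wildcard'. Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Invert the wildcard into a netmask; ipaddress rejects a non-contiguous
    # mask with a ValueError, which discovery reports as an error.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}"), i + 2


def object_for(network, objects, reuse):
    """Name of the object whose value is exactly this network, else the value."""
    if reuse:
        for name, value in objects.items():
            if value == network:
                return name
    return str(network)


def parse_rule(line, objects, reuse):
    """One extended access-list entry -> rule dict (assumed representation)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list entry: {line}")
    rule = {"acl": tokens[1], "action": tokens[2], "protocol": tokens[3]}
    src, i = parse_address(tokens, 4)
    dst, i = parse_address(tokens, i)
    rule["source"] = object_for(src, objects, reuse)
    rule["destination"] = object_for(dst, objects, reuse)
    has_port = i < len(tokens) and tokens[i] == "eq"
    rule["port"] = tokens[i + 1] if has_port else None
    return rule


def discover(lines, objects, reuse_objects=True, rollback_on_error=True):
    """Returns (rules, errors). With rollback_on_error, one failing line
    empties the result so nothing half-discovered reaches the database."""
    rules, errors = [], []
    for line in lines:
        try:
            rules.append(parse_rule(line, objects, reuse_objects))
        except (ValueError, IndexError) as exc:
            errors.append(f"{line}: {exc}")
    if errors and rollback_on_error:
        return [], errors
    return rules, errors


if __name__ == "__main__":
    for rollback in (False, True):
        rules, errors = discover(DISCOVERED_LINES, NETWORK_OBJECTS,
                                 rollback_on_error=rollback)
        print(f"rollback={rollback}: {len(rules)} rules kept, errors={errors}")
```

Run with rollback_on_error=False, the third line is reported and the other three rules are kept; with the default, that one error empties the result, which is the behaviour the On error, rollback discovery for entire device check box requests.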

Related Topics

Frequently Asked Questions about Policy Discovery, page 1-10

Understanding the Policy Object Manager Window, page 1-5


Installing License Files

The terms of your Security Manager software license determine many things, including the features that are available to you and the number of devices that you can manage. For licensing purposes, the device count includes any physical device, security context, or Catalyst security services module that uses an IP address. Failover pairs count as one device.

When you upgrade from an earlier release, Security Manager does not prompt you for a license; instead, it retains your license and continues to enforce its terms. If you upgrade during a free evaluation, the remaining time in your evaluation period does not change.


Note For a complete list of Cisco part numbers for the Security Manager kits and licenses that you can purchase, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/prod_bulletin0900aecd803ffd79.html.


Two license types, Standard and Professional, are available, in addition to a free 90-day evaluation period, restricted to 50 devices.

Security Manager and IPS Manager share one base license file and share as many other, additional licenses as you might purchase. To obtain the base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package.

If you are a registered Cisco.com user, start here:
http://www.cisco.com/go/license

If you are not a registered Cisco.com user, start here:
http://tools.cisco.com/RPF/register/register.do

After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.

Common Services does not require a license file.

Auto Update Server does not require a license file.

Your license files for Resource Manager Essentials (RME.lic) and Performance Monitor (mcpULperm.lic) are in the \license_files folder on your Security Manager installation DVD.

Standard Edition

If you purchase the Standard Edition, your license supports:

One installation of Security Manager on one Windows-based server.

The configuration or management of 5 devices (in the Standard-5 option) or 25 devices (in the Standard-25 option), excluding Catalyst 6500 and 7600 Series devices and their associated service modules.

If you purchase either the Standard-5 or Standard-25 license, you cannot purchase an incremental device license. Your license is fixed at either 5 or 25 devices.

Professional Edition

If you purchase the Professional Edition, your license supports:

One installation of Security Manager on one Windows-based server.

The configuration and management of 50 devices of all kinds (including Catalyst 6500 and 7600 Series devices and their associated service modules), with an option to purchase additional device license increments — 50-, 100-, 500-, or 1,000-device licenses.

License limits are imposed when you exceed the allotted time (in the case of the evaluation license), or the number of devices that your license allows you to manage. The evaluation license provides the same privileges as the Professional Edition license. It is important that you register Security Manager as soon as you can within the first 90 days, and for the number of devices that you need, to ensure uninterrupted use of the product. Each time you start the application you are reminded of how many days remain on your evaluation license, and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you are prevented from logging in until you upgrade your license.


Note You must store your license files on a disk that is local to your Security Manager server. Security Manager does not see mapped drives if you use it to browse directories on your server. Windows imposes this limitation, which serves to improve Security Manager performance and security. For more information, log in to your Cisco.com account, then use Bug Toolkit to learn about CSCsb43414.


Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Licensing. For a description of the fields on this page, see Table A-9 on page A-14.

Step 3 Click Install License to begin product registration or install a new license. If you are installing a new license, see Step 7.

Step 4 Perform either of the following steps to complete product registration and obtain a new production license from Cisco.com:

Go to http://www.cisco.com/go/license if you are a registered user of Cisco.com (login required).

Go to http://tools.cisco.com/RPF/register/register.do if you are not a registered user of Cisco.com.

After registration, a Product Authorization Key (PAK) is sent to the e-mail address you provided during registration. In addition to the PAK and license for Security Manager, you might receive one additional PAK for each incremental device-count pack you purchased. Retain these with your Cisco Security Manager software records.

Step 5 Repeat Step 4 for each solution product you are licensing until all PAKs and licenses have been sent. You must transfer the license files onto the Security Manager server if they are not already there, using FTP or some other means. The license file must be on a local drive like C: or D:, not on a mapped drive like O:, or CSM cannot use it.

Step 6 Click Upgrade License again if the Upgrade License dialog box with the Browse button is no longer visible.

Step 7 Click Browse to navigate to the folder containing the license file.

Step 8 Select the file.

Step 9 Click OK.


Getting Help with Licensing

If you have trouble using the registration website, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):

Phone: +1 (800) 553-2447

E-Mail: licensing@cisco.com

http://www.cisco.com/tac

Archiving Log Files

When state changes occur in Security Manager, an event is generated and an audit entry is created in the audit log. You can display the aggregated results of the audit entries by defining the parameters in the audit report page. The System Administration Logs page enables you to determine how long to keep log files archived.

This procedure will help you define log file purge settings.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Logs. The Logs page appears in the right-hand pane. For a description of the fields on this page, see Table A-10 on page A-15.

Step 3 Perform as many of the following steps as are needed:

To change the number of days to keep the logs, enter a new value in the Keep Audit Log For text box.


Note Clicking Purge Now deletes logs older than the number of days you specify immediately.


To change the number of logs or entries that you keep, enter a new value in the Purge Audit Log after text box.


Note Logs are purged according to whichever maximum, days or entries, is reached the soonest.


To change the number of days you keep the operation logs, enter a new value in the Keep Operation Log For text box.

Adjust the Log Level according to the amount of data you wish to capture.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.


Related Topics

Audit Report Page, page A-6

Understanding Audit Reports, page 1-6

Defining Policy Management Settings

Customizing policy management settings makes it possible, for example, to use Security Manager to manage DHCP and NAT policies on Cisco IOS routers while leaving routing protocol policies, such as EIGRP and RIP, unmanaged. These settings, which can be modified only by a user with administrative permissions, apply globally in Security Manager.

Unmanaged policies are removed from both Device view and Policy view. Any unmanaged policies, local or shared, are removed from the Security Manager database.

You cannot unmanage a policy type if you have configured and assigned policies of that type in Security Manager. You must first remove the assignments and then unmanage the policy type. If the configurations defined by those policies have already been deployed, they remain in place on the devices, but the policies are no longer stored in the database or accessible from the Security Manager interface.


Tip You can make changes to unmanaged policies using FlexConfigs (see Working with FlexConfig Objects, page 1-69) or the CLI.


This procedure will help you define Cisco IOS router policy settings.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Policy Management. The Policy Management page appears in the right-hand pane. For a description of the fields on this page, see Table A-11 on page A-17.

Step 3 Expand NAT and Router Platform folders (Translation Rules, Device Admin, Routing, and Identity) to see a complete list of those policy types.

Step 4 Deselect check boxes belonging to any policy types you do not want to manage using Security Manager.




Step 5 Click Save to apply and save changes. You receive a warning message that unmanaged policies will be removed from Device view and Policy view.

If policies of the selected type are assigned to at least one device, an error is displayed when you try unmanaging that policy type. The error message displays the names of the policies that have been assigned, the devices to which they have been assigned, and the name of the user or activity responsible.


Note If you get this error message, cancel this operation and manually remove the assignments in Policy view or Device view, after which you can repeat this procedure from Step 1. If the activities of other users are involved, those users must remove the assignments in question. For detailed procedures, see Working with Activities, page 1-9.


Step 6 If needed, do one of the following:

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 7 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
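The following is an added example, not Cisco code, that models the rule the procedure above enforces: a policy type cannot be unmanaged while policies of that type are assigned, the error must name the policy, device and owner, and once unmanaged the policies leave the database while already deployed configurations stay on the devices. The class and field names, and the sample state, are assumptions made for the illustration.

```python
from collections import defaultdict


class UnmanageError(Exception):
    """Raised when the policy type still has assignments (the Step 5 error)."""


class PolicyStore:
    """Minimal model of the policy database: which policy types are managed,
    which policies exist, which devices they are assigned to, and what has
    already been deployed to each device. Names are assumptions."""

    def __init__(self, managed_types, policies, assignments, deployed):
        self.managed_types = set(managed_types)
        self.policies = dict(policies)            # policy name -> policy type
        self.assignments = list(assignments)      # dicts: policy, device, owner
        self.deployed = {d: set(p) for d, p in deployed.items()}  # device -> deployed policies

    def blocking_assignments(self, policy_type):
        """Assignments that block unmanaging policy_type, grouped by policy name.
        Each entry is (device, owner), where owner is the user or activity."""
        blockers = defaultdict(list)
        for a in self.assignments:
            if self.policies.get(a["policy"]) == policy_type:
                blockers[a["policy"]].append((a["device"], a["owner"]))
        return dict(blockers)

    def unassign(self, policy, device):
        """Remove one assignment, as an admin would in Device view or Policy view."""
        self.assignments = [a for a in self.assignments
                            if not (a["policy"] == policy and a["device"] == device)]

    def unmanage(self, policy_type):
        """Stop managing a policy type. Refuses while assignments exist; otherwise
        drops every policy of that type from the database and returns their names.
        Deployed configurations are deliberately left untouched."""
        blockers = self.blocking_assignments(policy_type)
        if blockers:
            detail = "; ".join(f"{name} -> {dev} (by {owner})"
                               for name, refs in blockers.items() for dev, owner in refs)
            raise UnmanageError(f"cannot unmanage {policy_type}, still assigned: {detail}")
        removed = sorted(n for n, t in self.policies.items() if t == policy_type)
        self.policies = {n: t for n, t in self.policies.items() if t != policy_type}
        self.managed_types.discard(policy_type)
        return removed


def sample_store():
    """Constructed sample state for the example (not real Security Manager data)."""
    return PolicyStore(
        managed_types={"DHCP", "NAT", "EIGRP", "RIP"},
        policies={"dhcp-branch": "DHCP", "nat-edge": "NAT", "eigrp-core": "EIGRP"},
        assignments=[
            {"policy": "dhcp-branch", "device": "rtr-branch1", "owner": "admin"},
            {"policy": "eigrp-core", "device": "rtr-core1", "owner": "activity-42"},
        ],
        deployed={"rtr-core1": {"eigrp-core"}, "rtr-branch1": {"dhcp-branch"}},
    )


if __name__ == "__main__":
    store = sample_store()
    try:
        store.unmanage("EIGRP")
    except UnmanageError as err:
        print(err)                      # names eigrp-core, rtr-core1 and activity-42
    store.unassign("eigrp-core", "rtr-core1")
    print(store.unmanage("EIGRP"))      # ['eigrp-core']; config stays on rtr-core1
```

The blocking check is deliberately computed from assignments rather than from the list of policies: an unassigned shared policy of the type does not block the operation and is simply dropped, which is what the warning in Step 5 describes.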


Related Topics

Advanced Policy Features, page 1-44

Managing Policies, page 1-1

Managing Routers, page 1-1

Managing Shared Policies in Policy View, page 1-35

Understanding Policies, page 1-1

Defining Policy Object Settings

Two types of settings can be defined from the Policy Object settings page. When you are about to create an object whose definition is identical to, or conflicts with, the definition of an existing object, you can have Security Manager warn you, prevent the operation, or ignore the event entirely. You can also define the default source port range used when creating port list objects from this page.

This procedure will help you define policy object settings.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Policy. The Policy page appears in the right-hand pane. For a description of the fields on this page, see Table A-12 on page A-19.

Step 3 Perform as many of the following steps as are needed:

To change the warning level for redundant object detection, use the pull-down menu to the right of the When Redundant Objects Detected field. (The default is Warn.)

To change Default Source Ports used in the creation of Port List Objects, use the pull-down menu to the right of the Default Source Ports field. (The default is Use All Ports.)


Note If you change the default source port, you must manually redeploy any deployed devices that might be affected. These changes might not be reflected in any open activities until you refresh the data.


Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
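The following is an added example, not Security Manager's own code, showing how the two settings on this page interact when objects are created: definitions are compared in canonical form (member order does not matter), a redundant definition is warned about, prevented or ignored according to the setting, and a port list created without explicit source ports receives the default source port range. The registry class, the representation of a port list as a set of (source range, destination range) pairs, the treatment of a same-name object with a different definition as a conflict, and the reading of "Use All Ports" as 1-65535 are all assumptions made for the illustration.

```python
import warnings

WARN, PREVENT, IGNORE = "Warn", "Prevent", "Ignore"   # the three settings on the page
ALL_PORTS = (1, 65535)                                  # assumed meaning of "Use All Ports"


class ObjectConflict(Exception):
    """Raised when an object cannot be created under the current setting."""


def port_list(dest_ports, source_ports=None, default_source=ALL_PORTS):
    """Build the members of a port list object. Each member is a
    (source range, destination range) pair; when no source ports are given
    the default source range applies, so an object created with an explicit
    1-65535 source range is identical to one created with the default."""
    src = tuple(source_ports) if source_ports else default_source
    return frozenset((src, tuple(p)) for p in dest_ports)


class ObjectRegistry:
    """Policy object store with redundant-object detection (assumed model)."""

    def __init__(self, on_redundant=WARN):
        if on_redundant not in (WARN, PREVENT, IGNORE):
            raise ValueError(f"unknown setting {on_redundant!r}")
        self.on_redundant = on_redundant
        self.objects = {}   # name -> frozenset of members (canonical form)

    def check(self, name, members):
        """Classify a proposed object without storing it. Returns one of
        ("ok", None), ("identical", name), ("conflict", name) or
        ("redundant", other_name)."""
        key = frozenset(members)
        if name in self.objects:
            return ("identical", name) if self.objects[name] == key else ("conflict", name)
        for other, existing in sorted(self.objects.items()):
            if existing == key:
                return ("redundant", other)
        return ("ok", None)

    def add(self, name, members):
        """Create the object, applying the redundant-object setting.
        Returns the list of notices raised (empty when nothing was flagged)."""
        status, other = self.check(name, members)
        notices = []
        if status == "conflict":
            raise ObjectConflict(f"{name!r} already exists with a different definition")
        if status == "identical":
            return notices                      # re-adding the same object is a no-op
        if status == "redundant" and self.on_redundant != IGNORE:
            msg = f"{name!r} has the same definition as existing object {other!r}"
            if self.on_redundant == PREVENT:
                raise ObjectConflict(msg)
            warnings.warn(msg)                  # Warn: flag it but allow the object
            notices.append(msg)
        self.objects[name] = frozenset(members)
        return notices


if __name__ == "__main__":
    reg = ObjectRegistry(on_redundant=WARN)
    reg.add("web", port_list([(80, 80), (443, 443)]))
    # Same destination ports in another order, source range spelled out explicitly:
    # canonical forms match, so this is reported as redundant with "web".
    print(reg.add("web-copy", port_list([(443, 443), (80, 80)], source_ports=(1, 65535))))
```

Canonicalising before comparison is what makes the check useful in practice: two operators who type the same ports in a different order, or one who leaves the source range at its default while another fills it in, produce objects that are functionally identical, and those are exactly the duplicates an administrator wants flagged before they multiply across shared policies.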


Related Topics

Managing Objects, page 1-1

Working with Server Security

Common Services provides the administrative functions that control a user's access to Security Manager. Security Manager exposes these functions through the Application Security page, whose buttons open the corresponding Common Services functions.

When you log in to Security Manager, your username and password are checked against the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you selected at installation as your AAA provider. After your credentials are authenticated, your access is determined by the role you have been assigned.

For more information on Security Manager roles and privileges, including descriptions of how Common Services roles translate to user functions in Security Manager, see Setting Up User Permissions.

This procedure will help you modify Common Services security settings in Security Manager.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Application Security. The Security page appears in the right-hand pane. For a description of the fields on this page, see Table A-13 on page A-20.

Step 3 Do one of the following:

Click AAA Setup to adjust AAA mode setup, including login modules.

Click Certificate Setup to create or change the details of the self-signed certificate setup.

Click Single Sign On to create or change the details of the single sign-on setup.

Click Local User Setup to add or delete users or change the details of user permissions.

Click System Identity Setup to create or change the details of the system identity setup.

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 5 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.


Related Topics

Default Associations Between Permissions and Roles in Security Manager

Understanding Cisco Secure ACS Roles

Understanding CiscoWorks Roles

Taking Over Another User's Work

A user with administrative privileges can take over the work of another user from the Take Over User Session page in non-Workflow mode. This feature is useful when a user is working on devices and policies, causing those devices and policies to be locked, and another user needs access to the same devices and policies.


Note You can take over another user session only if you have administrator privileges and are working in non-Workflow mode.


This procedure will help you take over the user session of another user.

Procedure


Step 1 Click Tools > Security Manager Administration.

Step 2 Click Take Over User Session. The Take Over User Session page appears in the right-hand pane. For a description of the fields on this page, see Table A-14 on page A-22.

Step 3 Highlight the user session you want to take over.

Step 4 Click Take over session at the lower right of the user session pane.

Step 5 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore Defaults to restore Security Manager defaults.

Step 6 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.


Related Topics

Activities and Multiple Users, page 1-5

Understanding Activities, page 1-2

Defining TMS (Token Management System) Settings

Security Manager uses FTP to deploy the configuration file to the TMS server, from which it can be downloaded and encrypted onto an eToken. Security Manager uses the server settings and passwords you provide to connect to the TMS server.


Note To use TMS with Cisco IOS routers, you must specify TMS as the transport protocol in the device properties. (This is set by going to Device properties > DCS settings > Transport protocols. See Editing Device Properties, page 1-78.) You must also configure the TMS server as an FTP server; otherwise, deployment fails. Because FTP carries both the login credentials and the configuration file in cleartext, keep the path between the Security Manager server and the TMS server on a trusted management network.


This procedure will help you configure TMS server settings.

Procedure


Step 1 Select Tools > Security Manager Administration.

Step 2 Click Token Management. The Token Management settings window opens. For a description of the fields on this page, see Table A-15 on page A-23.

The TMS server name, password information, directory where configuration files are to be copied, and public key file information fields all have default values displayed.

Step 3 Add or modify any of the following:

Server Name or IP Address

Username

Password and confirmation (two fields)

Directory on the TMS server onto which configuration files are to be copied

Public key full path location on the TMS server

Step 4 Do one of the following:

Click Save to apply and save changes. A confirmation dialog box indicates that changes were saved successfully.

Click Reset to restore all fields and check boxes to their previous values.

Click Restore to Factory Defaults to restore Security Manager defaults.

Step 5 Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.

Related Topics

Understanding Deployment, page 1-1

Understanding Device Properties, page 1-74