Table Of Contents
Performing Administrative Tasks
Define These Settings First
Setting Up User Permissions
Security Manager Permissions
View Permissions
Modify Permissions
Assign Permissions
Approve Permissions
Understanding CiscoWorks Roles
CiscoWorks Common Services Default Roles
Assigning Roles to Users in CiscoWorks Common Services
Understanding Cisco Secure ACS Roles
Cisco Secure ACS Default Roles
Customizing Cisco Secure ACS Roles
Default Associations Between Permissions and Roles in Security Manager
Integrating Security Manager with Cisco Secure ACS
ACS Integration Requirements
Checklist for Initial Cisco Secure ACS Setup
Integration Procedures Performed in Cisco Secure ACS
Defining Users and User Groups in Cisco Secure ACS
Adding Managed Devices as AAA Clients in Cisco Secure ACS
Creating an Administration Control User in Cisco Secure ACS
Integration Procedures Performed in CiscoWorks
Creating a Local User in CiscoWorks
Defining the System Identity User
Configuring the AAA Setup Mode in CiscoWorks
Restarting the Daemon Manager
Assigning Roles to User Groups in Cisco Secure ACS
Assigning Roles to User Groups Without NDGs
Associating NDGs and Roles with User Groups
Selecting a Workflow Mode
Working in Workflow Mode
Working in Non-Workflow Mode
Comparing the Two Workflow Modes
Enabling and Disabling Workflow Modes
Working with AutoLink
Defining Configuration Archive Settings
Customizing Your Desktop
Defining Deployment Settings
Defining Device Communication Settings
About Security Manager and Device Authentication
Defining Connection and Transport Protocol Settings in the UI
Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices
Defining SSH by Editing the DCS Properties File
Working with Device Groups
Defining Discovery Settings
Administering IPS Update Settings
Establishing the IPS Update Server
Administering IPS Updates
Automating IPS Updates
Administering Licenses
Installing Security Manager License Files
Updating IPS License Files
Redeploying IPS License Files
Automating IPS License File Updates
Getting Help with Licensing
Archiving Log Files
Defining Policy Management Settings
Defining Policy Object Settings
Working with Server Security
Working with Status Providers
Taking Over Another User's Work
Defining TMS (Token Management System) Settings
Configuring VPN Policy Defaults
Performing Administrative Tasks
The following topics describe application settings and preferences:
• Define These Settings First
• Setting Up User Permissions
• Integrating Security Manager with Cisco Secure ACS
• Selecting a Workflow Mode
• Working with AutoLink
• Defining Configuration Archive Settings
• Customizing Your Desktop
• Defining Deployment Settings
• Defining Device Communication Settings
• Working with Device Groups
• Working With Device OS Management, page 20-6
• Defining Discovery Settings
• Administering IPS Update Settings
• Administering Licenses
• Archiving Log Files
• Defining Policy Management Settings
• Defining Policy Object Settings
• Working with Server Security
• Working with Status Providers
• Taking Over Another User's Work
• Defining TMS (Token Management System) Settings
• Configuring VPN Policy Defaults
Define These Settings First
Use Security Manager to define many application-wide settings that customize your working environment for your needs. This section highlights the settings we recommend you define first to help your organization get up and running with the application. All application settings are located on the Security Manager Administration page. To access application settings, select Tools > Security Manager Administration.
We recommend you perform these actions first:
• Verify you have completed all relevant steps in the Getting Started Checklist, page 1-15.
• Create individual user IDs—Enables each user to log in with a distinct user ID. Distinct IDs let several people manage devices at the same time without disrupting each other's work, and make each user's actions attributable. Go to Tools > Security Manager Administration > Application Security and click Local User Setup. See Working with Server Security.
• Select your default deployment method (device or file)—Determines whether configurations are deployed directly to the devices in your network or written to a file in a directory of your choosing. Go to Tools > Security Manager Administration > Deployment. See Defining Deployment Settings.
• Decide whether to allow deployment to a device to proceed if there are minor errors on the device—Go to Tools > Security Manager Administration > Deployment. See Defining Deployment Settings.
• Decide how Security Manager will respond when out-of-band changes are made to devices—You can choose to issue a warning, cancel deployment, or ignore any out-of-band configuration changes. Go to Tools > Security Manager Administration > Deployment. See Defining Deployment Settings.
Setting Up User Permissions
Cisco Security Manager authenticates your username and password before you can log in. After they are authenticated, Security Manager establishes your role within the application. This role defines your permissions (also called privileges), which are the set of tasks or operations that you are authorized to perform. If you are not authorized for certain tasks or devices, the related menu items, TOC items, and buttons are hidden or disabled. In addition, a message tells you that you do not have permission to view the selected information or perform the selected operation.
Authentication and authorization for Security Manager is managed either by the CiscoWorks server or the Cisco Secure Access Control Server (ACS). By default, CiscoWorks manages authentication and authorization, but you can change to Cisco Secure ACS by using the AAA Mode Setup page in CiscoWorks Common Services.
The major advantages of using Cisco Secure ACS are the ability to create highly granular user roles with specialized permissions sets (for example, allowing the user to configure certain policy types but not others) and the ability to restrict users to certain devices by configuring network device groups (NDGs).
The following topics describe user permissions:
• Security Manager Permissions
• Understanding CiscoWorks Roles
• Understanding Cisco Secure ACS Roles
• Default Associations Between Permissions and Roles in Security Manager
For more information about ACS integration, see Integrating Security Manager with Cisco Secure ACS.
Related Topics
• Understanding Locking, page 6-55
Security Manager Permissions
Security Manager classifies permissions into the following categories:
• View—Allows you to view the current settings. For more information, see View Permissions.
• Modify—Allows you to change the current settings. For more information, see Modify Permissions.
• Assign—Allows you to assign policies to devices and VPN topologies. For more information, see Assign Permissions.
• Approve—Allows you to approve policy changes and deployment jobs. For more information, see Approve Permissions.
• Import—Allows you to import the configurations that are already deployed on devices into Security Manager.
• Deploy—Allows you to deploy configuration changes to the devices in your network and perform rollback to return to a previously deployed configuration.
• Control—Allows you to issue commands to devices, such as ping.
• Submit—Allows you to submit your configuration changes for approval.
Tip
To view the complete Security Manager permissions tree, log in to Cisco Secure ACS, then click Share Profile Components on the navigation bar. For more information, see Customizing Cisco Secure ACS Roles.
Note
• When you select modify, assign, approve, import, control, or deploy permissions, you must also select the corresponding view permissions; otherwise, Security Manager will not function properly.
• When you select modify policy permissions, you must also select the corresponding assign and view policy permissions.
• When you permit a policy that uses policy objects as part of its definition, you must also grant view permissions to those object types. For example, if you select the permission for modifying routing policies, you must also select the permissions for viewing network objects and interface roles, which are the object types required by routing policies.
• The same holds true when permitting an object that uses other objects as part of its definition. For example, if you select the permission for modifying user groups, you must also select the permissions for viewing network objects, ACL objects, and AAA server groups.
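The dependency rules in the note above are easy to violate when you build a custom role in Cisco Secure ACS, and a role that breaks them fails in ways that look like application bugs. The following Python script is an added example, not part of this guide or of Security Manager; it encodes the rules stated above and reports which permissions a proposed role is missing. The two entries in OBJECT_DEPENDENCIES are the examples the guide gives (routing policies and user group objects); the rest of that table is an assumption and must be completed from the full permission tree shown under Shared Profile Components in Cisco Secure ACS. Permission names follow the "Action > Group > Item" form used in this section.

```python
"""Check a proposed Security Manager role for missing implied permissions.

Added example; not Cisco code. Encodes the rules stated in the guide:
  * modify/assign/approve/import/control/deploy imply the matching view permission
  * a modify policy permission also implies the matching assign policy permission
  * a permission on a policy or object implies view permissions on the object
    types that policy or object references (OBJECT_DEPENDENCIES)
"""
from __future__ import annotations

# Actions that must be accompanied by the matching View permission.
ACTIONS_REQUIRING_VIEW = {"Modify", "Assign", "Approve", "Import", "Control", "Deploy"}

# Object types referenced by a policy or object type.
# ASSUMPTION: only the two examples given in the guide are listed here; a real
# check must be completed from the full permission tree in Cisco Secure ACS.
OBJECT_DEPENDENCIES: dict[str, set[str]] = {
    "Policies > Routing": {
        "Objects > Networks/Hosts",
        "Objects > Interface Roles",
    },
    "Objects > User Groups": {
        "Objects > Networks/Hosts",
        "Objects > Access Control Lists - Standard/Extended",
        "Objects > AAA Server Groups",
    },
}


def split_permission(perm: str) -> tuple[str, str]:
    """'Modify > Policies > Routing' -> ('Modify', 'Policies > Routing')."""
    action, sep, target = perm.partition(" > ")
    if not sep or not target:
        raise ValueError(f"malformed permission: {perm!r}")
    return action, target


def implied_by(perm: str) -> set[str]:
    """Permissions that must accompany perm (one rule step, not transitive)."""
    action, target = split_permission(perm)
    implied: set[str] = set()
    if action in ACTIONS_REQUIRING_VIEW:
        implied.add(f"View > {target}")
    if action == "Modify" and target.startswith("Policies > "):
        implied.add(f"Assign > {target}")
    # Any permission on a policy or object requires View on what it references.
    for dep in OBJECT_DEPENDENCIES.get(target, ()):
        implied.add(f"View > {dep}")
    return implied


def closure(granted: set[str]) -> set[str]:
    """Transitive closure of the granted set under the dependency rules."""
    result = set(granted)
    work = list(granted)
    while work:
        for dep in implied_by(work.pop()):
            if dep not in result:
                result.add(dep)
                work.append(dep)
    return result


def missing_permissions(granted: set[str]) -> set[str]:
    """Permissions the rules require that the role does not grant."""
    return closure(granted) - set(granted)


if __name__ == "__main__":
    # Constructed sample: a "routing editor" role drafted with too few permissions.
    draft_role = {"Modify > Policies > Routing", "View > Devices"}
    for perm in sorted(missing_permissions(draft_role)):
        print("missing:", perm)
```

Run the check against each custom role before assigning it to a user group; the output is the exact list of permissions to add in the ACS role definition, and an empty result means the role is closed under the stated rules. Because the closure is transitive, a role that grants only Modify on a policy is reported as needing Assign and View on that policy plus View on every object type the policy references.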
Related Topics
• Customizing Cisco Secure ACS Roles
• Default Associations Between Permissions and Roles in Security Manager
• Setting Up User Permissions
View Permissions
View (read-only) permissions in Security Manager are divided into the following categories:
• View Policies Permissions
• View Objects Permissions
• Additional View Permissions
Related Topics
• Customizing Cisco Secure ACS Roles
• Default Associations Between Permissions and Roles in Security Manager
• Security Manager Permissions
View Policies Permissions
Security Manager includes the following view permissions for policies:
• View > Policies > Firewall. Allows you to view firewall service policies (located in the Policy selector under Firewall) on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of firewall service policies include access rules, AAA rules, and inspection rules.
• View > Policies > Intrusion Prevention System. Allows you to view IPS policies (located in the Policy selector under IPS), including policies for IPS running on IOS routers.
• View > Policies > Image. Allows you to select a signature update package in the Apply IPS Updates wizard (located under Tools > Apply IPS Update), but does not allow you to assign the package to specific devices, unless you also have the Modify > Policies > Image permission.
• View > Policies > NAT. Allows you to view network address translation policies on PIX/ASA/FWSM devices and IOS routers. Examples of NAT policies include static rules and dynamic rules.
• View > Policies > Site-to-Site VPN. Allows you to view site-to-site VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of site-to-site VPN policies include IKE proposals, IPsec proposals, and preshared keys.
• View > Policies > Remote Access VPN. Allows you to view remote access VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of remote access VPN policies include IKE proposals, IPsec proposals, and PKI policies.
• View > Policies > SSL VPN. Allows you to view SSL VPN policies on PIX/ASA/FWSM devices and IOS routers, such as the SSL VPN wizard.
• View > Policies > Interfaces. Allows you to view interface policies (located in the Policy selector under Interfaces) on PIX/ASA/FWSM devices, IOS routers, IPS sensors, and Catalyst 6500/7600 devices:
– On PIX/ASA/FWSM devices, this permission covers hardware ports and interface settings.
– On IOS routers, this permission covers basic and advanced interface settings, as well as other interface-related policies, such as DSL, PVC, PPP, and dialer policies.
– On IPS sensors, this permission covers physical interfaces and summary maps.
– On Catalyst 6500/7600 devices, this permission covers interfaces and VLAN settings.
• View > Policies > Bridging. Allows you to view ARP table policies (located in the Policy selector under Platform > Bridging) on PIX/ASA/FWSM devices.
• View > Policies > Device Administration. Allows you to view device administration policies (located in the Policy selector under Platform > Device Admin) on PIX/ASA/FWSM devices, IOS routers, IPS sensors, and Catalyst 6500/7600 devices:
– On PIX/ASA/FWSM devices, examples include device access policies, server access policies, and failover policies.
– On IOS routers, examples include device access (including line access) policies, server access policies, AAA, and Secure Device Provisioning.
– On IPS sensors, this permission covers device access policies and server access policies.
– On Catalyst 6500/7600 devices, this permission covers IDSM settings and VLAN access lists.
• View > Policies > Identity. Allows you to view identity policies (located in the Policy selector under Platform > Identity) on Cisco IOS routers, including 802.1X and Network Admission Control (NAC) policies.
• View > Policies > Logging. Allows you to view logging policies (located in the Policy selector under Platform > Logging) on PIX/ASA/FWSM devices, IOS routers, and IPS sensors. Examples of logging policies include logging setup, server setup, and syslog server policies.
• View > Policies > Multicast. Allows you to view multicast policies (located in the Policy selector under Platform > Multicast) on PIX/ASA/FWSM devices. Examples of multicast policies include multicast routing and IGMP policies.
• View > Policies > QoS. Allows you to view QoS policies (located in the Policy selector under Platform > Quality of Service) on Cisco IOS routers.
• View > Policies > Routing. Allows you to view routing policies (located in the Policy selector under Platform > Routing) on PIX/ASA/FWSM devices and IOS routers. Examples of routing policies include OSPF, RIP, and static routing policies.
• View > Policies > Security. Allows you to view security policies (located in the Policy selector under Platform > Security) on PIX/ASA/FWSM devices and IPS sensors:
– On PIX/ASA/FWSM devices, security policies include anti-spoofing, fragment, and timeout settings.
– On IPS sensors, security policies include blocking settings.
• View > Policies > Service Policy Rules. Allows you to view service policy rule policies (located in the Policy selector under Platform > Service Policy Rules) on PIX 7.x/ASA devices. Examples include priority queues and IPS, QoS, and connection rules.
• View > Policies > User Preferences. Allows you to view the Deployment policy (located in the Policy selector under Platform > User Preferences) on PIX/ASA/FWSM devices. This policy contains an option for clearing all NAT translations on deployment.
• View > Policies > Virtual Device. Allows you to view virtual sensor policies on IPS devices. This policy is used to create virtual sensors.
• View > Policies > FlexConfig. Allows you to view FlexConfigs, which are additional CLI commands and instructions that can be deployed to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices.
Note
Policy permissions are affected when authentication is performed by a Cisco Secure ACS on which network device groups (NDGs) are defined. See NDGs and User Permissions.
Related Topics
• View Permissions
View Objects Permissions
Security Manager includes the following view permissions for objects:
• View > Objects > AAA Server Groups. Allows you to view AAA server group objects. These objects are used in policies that require AAA services (authentication, authorization, and accounting).
• View > Objects > AAA Servers. Allows you to view AAA server objects. These objects represent individual AAA servers that are defined as part of a AAA server group.
• View > Objects > Access Control Lists - Standard/Extended. Allows you to view standard and extended ACL objects. Extended ACL objects are used for a variety of policies, such as NAT and NAC, and for establishing VPN access. Standard ACL objects are used for such policies as OSPF and SNMP, as well as for establishing VPN access.
• View > Objects > Access Control Lists - Web. Allows you to view web ACL objects. Web ACL objects are used to perform content filtering in SSL VPN policies.
• View > Objects > ASA User Groups. Allows you to view ASA user group objects. These objects are configured on ASA security appliances in Easy VPN, remote access VPN, and SSL VPN configurations.
• View > Objects > Categories. Allows you to view category objects. These objects help you easily identify rules and objects in rules tables through the use of color.
• View > Objects > Credentials. Allows you to view credential objects. These objects are used in Easy VPN configuration during IKE Extended Authentication (Xauth).
• View > Objects > FlexConfigs. Allows you to view FlexConfig objects. These objects, which contain configuration commands with additional scripting language instructions, can be used to configure commands that are not supported by the Security Manager user interface.
• View > Objects > IKE Proposals. Allows you to view IKE proposal objects. These objects contain the parameters required for IKE proposals in remote access VPN policies.
• View > Objects > Inspect - Class Maps - DNS. Allows you to view DNS class map objects. These objects match DNS traffic with specific criteria so that actions can be performed on that traffic.
• View > Objects > Inspect - Class Maps - FTP. Allows you to view FTP class map objects. These objects match FTP traffic with specific criteria so that actions can be performed on that traffic.
• View > Objects > Inspect - Class Maps - HTTP. Allows you to view HTTP class map objects. These objects match HTTP traffic with specific criteria so that actions can be performed on that traffic.
• View > Objects > Inspect - Class Maps - IM. Allows you to view IM class map objects. These objects match IM traffic with specific criteria so that actions can be performed on that traffic.
• View > Objects > Inspect - Class Maps - SIP. Allows you to view SIP class map objects. These objects match SIP traffic with specific criteria so that actions can be performed on that traffic.
• View > Objects > Inspect - Policy Maps - DNS. Allows you to view DNS policy map objects. These objects are used to create inspection maps for DNS traffic.
• View > Objects > Inspect - Policy Maps - FTP. Allows you to view FTP policy map objects. These objects are used to create inspection maps for FTP traffic.
• View > Objects > Inspect - Policy Maps - GTP. Allows you to view GTP policy map objects. These objects are used to create inspection maps for GTP traffic.
• View > Objects > Inspect - Policy Maps - HTTP (ASA7.1.x/PIX7.1.x/IOS). Allows you to view HTTP policy map objects created for ASA/PIX 7.1.x devices and IOS routers. These objects are used to create inspection maps for HTTP traffic.
• View > Objects > Inspect - Policy Maps - HTTP (ASA7.2/PIX7.2). Allows you to view HTTP policy map objects created for ASA 7.2/PIX 7.2 devices. These objects are used to create inspection maps for HTTP traffic.
• View > Objects > Inspect - Policy Maps - IM (ASA7.2/PIX7.2). Allows you to view IM policy map objects created for ASA 7.2/PIX 7.2 devices. These objects are used to create inspection maps for IM traffic.
• View > Objects > Inspect - Policy Maps - IM (IOS). Allows you to view IM policy map objects created for IOS devices. These objects are used to create inspection maps for IM traffic.
• View > Objects > Inspect - Policy Maps - SIP. Allows you to view SIP policy map objects. These objects are used to create inspection maps for SIP traffic.
• View > Objects > Inspect - Regular Expressions. Allows you to view regular expression objects. These objects represent individual regular expressions that are defined as part of a regular expression group.
• View > Objects > Inspect - Regular Expressions Groups. Allows you to view regular expression group objects. These objects are used by certain class maps and inspect maps to match text inside a packet.
• View > Objects > Inspect - TCP Maps. Allows you to view TCP map objects. These objects customize inspection on TCP flow in both directions.
• View > Objects > Interface Roles. Allows you to view interface role objects. These objects define naming patterns that can represent multiple interfaces on different types of devices. Interface roles enable you to apply policies to specific interfaces on multiple devices without having to manually define the name of each interface.
• View > Objects > IPsec Transform Sets. Allows you to view IPsec transform set objects. These objects comprise a combination of security protocols, algorithms and other settings that specify exactly how the data in the IPsec tunnel will be encrypted and authenticated.
• View > Objects > LDAP Attribute Maps. Allows you to view LDAP attribute map objects. These objects are used to map custom (user-defined) attribute names to Cisco LDAP attribute names.
• View > Objects > Networks/Hosts. Allows you to view network/host objects. These objects are logical collections of IP addresses that represent networks, hosts, or both. Network/host objects enable you to define policies without specifying each network or host individually.
• View > Objects > PKI Enrollments. Allows you to view PKI enrollment objects. These objects define the Certification Authority (CA) servers that operate within a public key infrastructure.
• View > Objects > Port Forwarding Lists. Allows you to view port forwarding list objects. These objects define the mappings of port numbers on a remote client to the application's IP address and port behind an SSL VPN gateway.
• View > Objects > Secure Desktop Configurations. Allows you to view secure desktop configuration objects. These objects are reusable, named components that can be referenced by SSL VPN policies to provide a reliable means of eliminating all traces of sensitive data that is shared for the duration of an SSL VPN session.
• View > Objects > Services - Port Lists. Allows you to view port list objects. These objects, which contain one or more ranges of port numbers, are used to streamline the process of creating service objects.
• View > Objects > Services/Service Groups. Allows you to view service and service group objects. These objects are defined mappings of protocol and port definitions that describe network services used by policies, such as Kerberos, SSH, and POP3.
• View > Objects > Single Sign On Servers. Allows you to view single sign on server objects. Single Sign-On (SSO) lets SSL VPN users enter a username and password once and be able to access multiple protected services and web servers.
• View > Objects > SLA Monitors. Allows you to view SLA monitor objects. These objects are used by PIX/ASA security appliances running version 7.2 or later to perform route tracking. This feature provides a method to track the availability of a primary route and install a backup route if the primary route fails.
• View > Objects > SSL VPN Customizations. Allows you to view SSL VPN customization objects. These objects define how to change the appearance of SSL VPN pages that are displayed to users, such as Login/Logout and Home pages.
• View > Objects > SSL VPN Gateways. Allows you to view SSL VPN gateway objects. These objects define parameters that enable the gateway to be used as a proxy for connections to the protected resources in your SSL VPN.
• View > Objects > Style Objects. Allows you to view style objects. These objects let you configure style elements, such as font characteristics and colors, to customize the appearance of the SSL VPN page that appears to SSL VPN users when they connect to the security appliance.
• View > Objects > Text Objects. Allows you to view free-form text objects. These objects comprise a name and value pair, where the value can be a single string, a list of strings, or a table of strings.
• View > Objects > Time Ranges. Allows you to view time range objects. These objects are used when creating time-based ACLs and inspection rules. They are also used when defining ASA user groups to restrict VPN access to specific times during the week.
• View > Objects > Traffic Flows. Allows you to view traffic flow objects. These objects define specific traffic flows for use by PIX 7.x/ASA 7.x devices.
• View > Objects > URL Lists. Allows you to view URL list objects. These objects define the URLs that are displayed on the portal page after a successful login. This enables users to access the resources available on SSL VPN websites when operating in Clientless access mode.
• View > Objects > User Groups. Allows you to view user group objects. These objects define groups of remote clients that are used in Easy VPN topologies, remote access VPNs, and SSL VPNs.
• View > Objects > WINS Server Lists. Allows you to view WINS server list objects. These objects represent WINS servers, which are used by SSL VPN to access or share files on remote systems.
• View > Objects > Internal - DN Rules. Allows you to view the DN rules used by DN policies. This is an internal object used by Security Manager that does not appear in the Policy Object Manager.
• View > Objects > Internal - Client Updates. This is an internal object required by user group objects that does not appear in the Policy Object Manager.
• View > Objects > Internal - Standard ACEs. This is an internal object for standard access control entries, which are used by ACL objects.
• View > Objects > Internal - Extended ACEs. This is an internal object for extended access control entries, which are used by ACL objects.
Related Topics
• View Permissions
Additional View Permissions
Security Manager includes the following additional view permissions:
• View > Admin. Allows you to view Security Manager administrative settings.
• View > CLI. Allows you to view the CLI commands configured on a device and preview the commands that are about to be deployed.
• View > Config Archive. Allows you to view the list of configurations contained in the configuration archive. This permission alone does not let you view the archived device configurations or any of their CLI commands.
• View > Devices. Allows you to view devices in Device view and all related information, including their device settings, properties, assignments, and so on.
Note
You can limit device permissions to particular sets of devices by configuring network device groups (NDGs) on a Cisco Secure ACS. See Configuring Network Device Groups for Use in Security Manager.
• View > Device Managers. Allows you to launch read-only versions of the device managers for individual devices, such as the Cisco Router and Security Device Manager (SDM) for Cisco IOS routers.
• View > Topology. Allows you to view maps configured in Map view.
Related Topics
• View Permissions
Modify Permissions
Modify (read-write) permissions in Security Manager are divided into the following categories:
• Modify Policies Permissions
• Modify Objects Permissions
• Additional Modify Permissions
Related Topics
• Customizing Cisco Secure ACS Roles
• Default Associations Between Permissions and Roles in Security Manager
• Security Manager Permissions
Modify Policies Permissions
Note
When you specify modify policy permissions, make sure that you have selected the corresponding assign and view policy permissions as well.
Security Manager includes the following modify permissions for policies:
• Modify > Policies > Firewall. Allows you to modify firewall service policies (located in the Policy selector under Firewall) on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of firewall service policies include access rules, AAA rules, and inspection rules.
• Modify > Policies > Intrusion Prevention System. Allows you to modify IPS policies (located in the Policy selector under IPS), including policies for IPS running on IOS routers. This permission also allows you to tune signatures in the Signature Update wizard (located under Tools > Apply IPS Update).
• Modify > Policies > Image. Allows you to assign a signature update package to devices in the Apply IPS Updates wizard (located under Tools > Apply IPS Update). This permission also allows you to assign auto update settings to specific devices (located under Tools > Security Manager Administration > IPS Updates).
• Modify > Policies > NAT. Allows you to modify network address translation policies on PIX/ASA/FWSM devices and IOS routers. Examples of NAT policies include static rules and dynamic rules.
• Modify > Policies > Site-to-Site VPN. Allows you to modify site-to-site VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of site-to-site VPN policies include IKE proposals, IPsec proposals, and preshared keys.
• Modify > Policies > Remote Access VPN. Allows you to modify remote access VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of remote access VPN policies include IKE proposals, IPsec proposals, and PKI policies.
• Modify > Policies > SSL VPN. Allows you to modify SSL VPN policies on PIX/ASA/FWSM devices and IOS routers, such as the SSL VPN wizard.
• Modify > Policies > Interfaces. Allows you to modify interface policies (located in the Policy selector under Interfaces) on PIX/ASA/FWSM devices, IOS routers, IPS sensors, and Catalyst 6500/7600 devices:
– On PIX/ASA/FWSM devices, this permission covers hardware ports and interface settings.
– On IOS routers, this permission covers basic and advanced interface settings, as well as other interface-related policies, such as DSL, PVC, PPP, and dialer policies.
– On IPS sensors, this permission covers physical interfaces and summary maps.
– On Catalyst 6500/7600 devices, this permission covers interfaces and VLAN settings.
• Modify > Policies > Bridging. Allows you to modify ARP table policies (located in the Policy selector under Platform > Bridging) on PIX/ASA/FWSM devices.
• Modify > Policies > Device Administration. Allows you to modify device administration policies (located in the Policy selector under Platform > Device Admin) on PIX/ASA/FWSM devices, IOS routers, IPS sensors, and Catalyst 6500/7600 devices:
– On PIX/ASA/FWSM devices, examples include device access policies, server access policies, and failover policies.
– On IOS routers, examples include device access (including line access) policies, server access policies, AAA, and Secure Device Provisioning.
– On IPS sensors, this permission covers device access policies and server access policies.
– On Catalyst 6500/7600 devices, this permission covers IDSM settings and VLAN access lists.
• Modify > Policies > Identity. Allows you to modify identity policies (located in the Policy selector under Platform > Identity) on Cisco IOS routers, including 802.1X and Network Admission Control (NAC) policies.
• Modify > Policies > Logging. Allows you to modify logging policies (located in the Policy selector under Platform > Logging) on PIX/ASA/FWSM devices, IOS routers, and IPS sensors. Examples of logging policies include logging setup, server setup, and syslog server policies.
• Modify > Policies > Multicast. Allows you to modify multicast policies (located in the Policy selector under Platform > Multicast) on PIX/ASA/FWSM devices. Examples of multicast policies include multicast routing and IGMP policies.
• Modify > Policies > QoS. Allows you to modify QoS policies (located in the Policy selector under Platform > Quality of Service) on Cisco IOS routers.
• Modify > Policies > Routing. Allows you to modify routing policies (located in the Policy selector under Platform > Routing) on PIX/ASA/FWSM devices and IOS routers. Examples of routing policies include OSPF, RIP, and static routing policies.
• Modify > Policies > Security. Allows you to modify security policies (located in the Policy selector under Platform > Security) on PIX/ASA/FWSM devices and IPS sensors:
– On PIX/ASA/FWSM devices, security policies include anti-spoofing, fragment, and timeout settings.
– On IPS sensors, security policies include blocking settings.
• Modify > Policies > Service Policy Rules. Allows you to modify service policy rule policies (located in the Policy selector under Platform > Service Policy Rules) on PIX 7.x/ASA devices. Examples include priority queues and IPS, QoS, and connection rules.
• Modify > Policies > User Preferences. Allows you to modify the Deployment policy (located in the Policy selector under Platform > User Preferences) on PIX/ASA/FWSM devices. This policy contains an option for clearing all NAT translations on deployment.
• Modify > Policies > Virtual Device. Allows you to modify virtual sensor policies on IPS devices. Use this policy to create virtual sensors.
• Modify > Policies > FlexConfig. Allows you to modify FlexConfigs, which are additional CLI commands and instructions that can be deployed to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices.
Note
Policy permissions are affected when authentication is performed by a Cisco Secure ACS on which network device groups (NDGs) are defined. See NDGs and User Permissions.
Related Topics
•
Modify Permissions
Modify Objects Permissions
Security Manager includes the following modify permissions for objects:
•
Modify > Objects > AAA Server Groups. Allows you to modify AAA server group objects. These objects are used in policies that require AAA services (authentication, authorization, and accounting).
•
Modify > Objects > AAA Servers. Allows you to modify AAA server objects. These objects represent individual AAA servers that are defined as part of a AAA server group.
•
Modify > Objects > Access Control Lists - Standard/Extended. Allows you to modify standard and extended ACL objects. Extended ACL objects are used for a variety of policies, such as NAT and NAC, and for establishing VPN access. Standard ACL objects are used for such policies as OSPF and SNMP, as well as for establishing VPN access.
•
Modify > Objects > Access Control Lists - Web. Allows you to modify web ACL objects. Web ACL objects are used to perform content filtering in SSL VPN policies.
•
Modify > Objects > ASA User Groups. Allows you to modify ASA user group objects. These objects are configured on ASA security appliances in Easy VPN, remote access VPN, and SSL VPN configurations.
•
Modify > Objects > Categories. Allows you to modify category objects. These objects help you easily identify rules and objects in rules tables through the use of color.
•
Modify > Objects > Credentials. Allows you to modify credential objects. These objects are used in Easy VPN configuration during IKE Extended Authentication (Xauth).
•
Modify > Objects > FlexConfigs. Allows you to modify FlexConfig objects. These objects, which contain configuration commands with additional scripting language instructions, can be used to configure commands that are not supported by the Security Manager user interface.
•
Modify > Objects > IKE Proposals. Allows you to modify IKE proposal objects. These objects contain the parameters required for IKE proposals in remote access VPN policies.
•
Modify > Objects > Inspect - Class Maps - DNS. Allows you to modify DNS class map objects. These objects match DNS traffic with specific criteria so that actions can be performed on that traffic.
•
Modify > Objects > Inspect - Class Maps - FTP. Allows you to modify FTP class map objects. These objects match FTP traffic with specific criteria so that actions can be performed on that traffic.
•
Modify > Objects > Inspect - Class Maps - HTTP. Allows you to modify HTTP class map objects. These objects match HTTP traffic with specific criteria so that actions can be performed on that traffic.
•
Modify > Objects > Inspect - Class Maps - IM. Allows you to modify IM class map objects. These objects match IM traffic with specific criteria so that actions can be performed on that traffic.
•
Modify > Objects > Inspect - Class Maps - SIP. Allows you to modify SIP class map objects. These objects match SIP traffic with specific criteria so that actions can be performed on that traffic.
•
Modify > Objects > Inspect - Policy Maps - DNS. Allows you to modify DNS policy map objects. These objects are used to create inspection maps for DNS traffic.
•
Modify > Objects > Inspect - Policy Maps - FTP. Allows you to modify FTP policy map objects. These objects are used to create inspection maps for FTP traffic.
•
Modify > Objects > Inspect - Policy Maps - GTP. Allows you to modify GTP policy map objects. These objects are used to create inspection maps for GTP traffic.
•
Modify > Objects > Inspect - Policy Maps - HTTP (ASA7.1.x/PIX7.1.x/IOS). Allows you to modify HTTP policy map objects created for ASA/PIX 7.x devices and IOS routers. These objects are used to create inspection maps for HTTP traffic.
•
Modify > Objects > Inspect - Policy Maps - HTTP (ASA7.2/PIX7.2). Allows you to modify HTTP policy map objects created for ASA 7.2/PIX 7.2 devices. These objects are used to create inspection maps for HTTP traffic.
•
Modify > Objects > Inspect - Policy Maps - IM (ASA7.2/PIX7.2). Allows you to modify IM policy map objects created for ASA 7.2/PIX 7.2 devices. These objects are used to create inspection maps for IM traffic.
•
Modify > Objects > Inspect - Policy Maps - IM (IOS). Allows you to modify IM policy map objects created for IOS devices. These objects are used to create inspection maps for IM traffic.
•
Modify > Objects > Inspect - Policy Maps - SIP. Allows you to modify SIP policy map objects. These objects are used to create inspection maps for SIP traffic.
•
Modify > Objects > Inspect - Regular Expressions. Allows you to modify regular expression objects. These objects represent individual regular expressions that are defined as part of a regular expression group.
•
Modify > Objects > Inspect - Regular Expressions Groups. Allows you to modify regular expression group objects. These objects are used by certain class maps and inspect maps to match text inside a packet.
•
Modify > Objects > Inspect - TCP Maps. Allows you to modify TCP map objects. These objects customize inspection on TCP flow in both directions.
•
Modify > Objects > Interface Roles. Allows you to modify interface role objects. These objects define naming patterns that can represent multiple interfaces on different types of devices. Interface roles enable you to apply policies to specific interfaces on multiple devices without having to manually define the name of each interface.
•
Modify > Objects > IPsec Transform Sets. Allows you to modify IPsec transform set objects. These objects comprise a combination of security protocols, algorithms and other settings that specify exactly how the data in the IPsec tunnel will be encrypted and authenticated.
•
Modify > Objects > LDAP Attribute Maps. Allows you to modify LDAP attribute map objects. These objects are used to map custom (user-defined) attribute names to Cisco LDAP attribute names.
•
Modify > Objects > Networks/Hosts. Allows you to modify network/host objects. These objects are logical collections of IP addresses that represent networks, hosts, or both. Network/host objects enable you to define policies without specifying each network or host individually.
•
Modify > Objects > PKI Enrollments. Allows you to modify PKI enrollment objects. These objects define the Certification Authority (CA) servers that operate within a public key infrastructure.
•
Modify > Objects > Port Forwarding Lists. Allows you to modify port forwarding list objects. These objects define the mappings of port numbers on a remote client to the application's IP address and port behind an SSL VPN gateway.
•
Modify > Objects > Secure Desktop Configurations. Allows you to modify secure desktop configuration objects. These objects are reusable, named components that can be referenced by SSL VPN policies to provide a reliable means of eliminating all traces of sensitive data that is shared for the duration of an SSL VPN session.
•
Modify > Objects > Services - Port Lists. Allows you to modify port list objects. These objects, which contain one or more ranges of port numbers, are used to streamline the process of creating service objects.
•
Modify > Objects > Services/Service Groups. Allows you to modify service and service group objects. These objects are defined mappings of protocol and port definitions that describe network services used by policies, such as Kerberos, SSH, and POP3.
•
Modify > Objects > Single Sign On Servers. Allows you to modify single sign on server objects. Single Sign-On (SSO) lets SSL VPN users enter a username and password once and be able to access multiple protected services and web servers.
•
Modify > Objects > SLA Monitors. Allows you to modify SLA monitor objects. These objects are used by PIX/ASA security appliances running version 7.2 or later to perform route tracking. This feature provides a method to track the availability of a primary route and install a backup route if the primary route fails.
•
Modify > Objects > SSL VPN Customizations. Allows you to modify SSL VPN customization objects. These objects define how to change the appearance of SSL VPN pages that are displayed to users, such as Login/Logout and Home pages.
•
Modify > Objects > SSL VPN Gateways. Allows you to modify SSL VPN gateway objects. These objects define parameters that enable the gateway to be used as a proxy for connections to the protected resources in your SSL VPN.
•
Modify > Objects > Style Objects. Allows you to modify style objects. These objects let you configure style elements, such as font characteristics and colors, to customize the appearance of the SSL VPN page that appears to SSL VPN users when they connect to the security appliance.
•
Modify > Objects > Text Objects. Allows you to modify free-form text objects. These objects comprise a name and value pair, where the value can be a single string, a list of strings, or a table of strings.
•
Modify > Objects > Time Ranges. Allows you to modify time range objects. These objects are used when creating time-based ACLs and inspection rules. They are also used when defining ASA user groups to restrict VPN access to specific times during the week.
•
Modify > Objects > Traffic Flows. Allows you to modify traffic flow objects. These objects define specific traffic flows for use by PIX 7.x/ASA 7.x devices.
•
Modify > Objects > URL Lists. Allows you to modify URL list objects. These objects define the URLs that are displayed on the portal page after a successful login. This enables users to access the resources available on SSL VPN websites when operating in Clientless access mode.
•
Modify > Objects > User Groups. Allows you to modify user group objects. These objects define groups of remote clients that are used in Easy VPN topologies, remote access VPNs, and SSL VPNs.
•
Modify > Objects > WINS Server Lists. Allows you to modify WINS server list objects. These objects represent WINS servers, which are used by SSL VPN to access or share files on remote systems.
•
Modify > Objects > Internal - DN Rules. Allows you to modify the DN rules used by DN policies. This is an internal object used by Security Manager that does not appear in the Policy Object Manager.
•
Modify > Objects > Internal - Client Updates. This is an internal object required by user group objects that does not appear in the Policy Object Manager.
•
Modify > Objects > Internal - Standard ACE. This is an internal object for standard access control entries, which are used by ACL objects.
•
Modify > Objects > Internal - Extended ACE. This is an internal object for extended access control entries, which are used by ACL objects.
Note
Users can modify an object even if they do not have modify permissions for all the devices that are using the object. See NDGs and User Permissions.
Related Topics
•
Modify Permissions
Additional Modify Permissions
Security Manager includes the following additional modify permissions:
•
Modify > Admin. Allows you to modify Security Manager administrative settings.
•
Modify > Config Archive. Allows you to modify the device configuration in the Configuration Archive. In addition, it allows you to add configurations to the archive and customize the Configuration Archive tool.
•
Modify > Devices. Allows you to add and delete devices, as well as modify device properties and attributes. To discover the policies on the device being added, you must also enable the Import permission. In addition, if you enable the Modify > Devices permission, make sure that you also enable the Assign > Policies > Interfaces permission.
Note
You can limit device permissions to particular sets of devices by configuring network device groups (NDGs) on a Cisco Secure ACS. See Configuring Network Device Groups for Use in Security Manager.
•
Modify > Hierarchy. Allows you to modify device groups.
•
Modify > Topology. Allows you to modify maps in Map view.
Related Topics
•
Modify Permissions
Assign Permissions
Security Manager includes the following policy assignment permissions:
•
Assign > Policies > Firewall. Allows you to assign firewall service policies (located in the Policy selector under Firewall) to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of firewall service policies include access rules, AAA rules, and inspection rules.
•
Assign > Policies > Intrusion Prevention System. Allows you to assign IPS policies (located in the Policy selector under IPS), including policies for IPS running on IOS routers.
•
Assign > Policies > Image. This permission is currently not used by Security Manager.
•
Assign > Policies > NAT. Allows you to assign network address translation policies to PIX/ASA/FWSM devices and IOS routers. Examples of NAT policies include static rules and dynamic rules.
•
Assign > Policies > Site-to-Site VPN. Allows you to assign site-to-site VPN policies to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of site-to-site VPN policies include IKE proposals, IPsec proposals, and preshared keys.
•
Assign > Policies > Remote Access VPN. Allows you to assign remote access VPN policies to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices. Examples of remote access VPN policies include IKE proposals, IPsec proposals, and PKI policies.
•
Assign > Policies > SSL VPN. Allows you to assign SSL VPN policies to PIX/ASA/FWSM devices and IOS routers, such as the SSL VPN wizard.
•
Assign > Policies > Interfaces. Allows you to assign interface policies (located in the Policy selector under Interfaces) to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices:
–
On PIX/ASA/FWSM devices, this permission covers hardware ports and interface settings.
–
On IOS routers, this permission covers basic and advanced interface settings, as well as other interface-related policies, such as DSL, PVC, PPP, and dialer policies.
–
On Catalyst 6500/7600 devices, this permission covers interfaces and VLAN settings.
•
Assign > Policies > Bridging. Allows you to assign ARP table policies (located in the Policy selector under Platform > Bridging) to PIX/ASA/FWSM devices.
•
Assign > Policies > Device Administration. Allows you to assign device administration policies (located in the Policy selector under Platform > Device Admin) to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices:
–
On PIX/ASA/FWSM devices, examples include device access policies, server access policies, and failover policies.
–
On IOS routers, examples include device access (including line access) policies, server access policies, AAA, and Secure Device Provisioning.
–
On IPS sensors, this permission covers device access policies and server access policies.
–
On Catalyst 6500/7600 devices, this permission covers IDSM settings and VLAN access lists.
•
Assign > Policies > Identity. Allows you to assign identity policies (located in the Policy selector under Platform > Identity) to Cisco IOS routers, including 802.1x and Network Admission Control (NAC) policies.
•
Assign > Policies > Logging. Allows you to assign logging policies (located in the Policy selector under Platform > Logging) to PIX/ASA/FWSM devices and IOS routers. Examples of logging policies include logging setup, server setup, and syslog server policies.
•
Assign > Policies > Multicast. Allows you to assign multicast policies (located in the Policy selector under Platform > Multicast) to PIX/ASA/FWSM devices. Examples of multicast policies include multicast routing and IGMP policies.
•
Assign > Policies > QoS. Allows you to assign QoS policies (located in the Policy selector under Platform > Quality of Service) to Cisco IOS routers.
•
Assign > Policies > Routing. Allows you to assign routing policies (located in the Policy selector under Platform > Routing) to PIX/ASA/FWSM devices and IOS routers. Examples of routing policies include OSPF, RIP, and static routing policies.
•
Assign > Policies > Security. Allows you to assign security policies (located in the Policy selector under Platform > Security) to PIX/ASA/FWSM devices. Security policies include anti-spoofing, fragment, and timeout settings.
•
Assign > Policies > Service Policy Rules. Allows you to assign service policy rule policies (located in the Policy selector under Platform > Service Policy Rules) to PIX 7.x/ASA devices. Examples include priority queues and IPS, QoS, and connection rules.
•
Assign > Policies > User Preferences. Allows you to assign the Deployment policy (located in the Policy selector under Platform > User Preferences) to PIX/ASA/FWSM devices. This policy contains an option for clearing all NAT translations on deployment.
•
Assign > Policies > Virtual Device. Allows you to assign virtual sensor policies to IPS devices. Use this policy to create virtual sensors.
•
Assign > Policies > FlexConfig. Allows you to assign FlexConfigs, which are additional CLI commands and instructions that can be deployed to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices.
Note
•
When you specify assign permissions, make sure that you have selected the corresponding view permissions as well.
•
Policy permissions are affected when authentication is performed by a Cisco Secure ACS on which network device groups (NDGs) are defined. See NDGs and User Permissions.
Related Topics
•
Customizing Cisco Secure ACS Roles
•
Default Associations Between Permissions and Roles in Security Manager
•
Security Manager Permissions
Approve Permissions
Security Manager provides the following approve permissions:
•
Approve > CLI. Allows you to approve the CLI command changes contained in a deployment job.
•
Approve > Policy. Allows you to approve the configuration changes contained in the policies that were configured in a workflow activity.
Related Topics
•
Customizing Cisco Secure ACS Roles
•
Default Associations Between Permissions and Roles in Security Manager
•
Security Manager Permissions
Understanding CiscoWorks Roles
When users are created in CiscoWorks Common Services, they are assigned one or more roles. The permissions associated with each role determine the operations that each user is authorized to perform in Security Manager.
The following topics describe CiscoWorks roles:
•
CiscoWorks Common Services Default Roles
•
Assigning Roles to Users in CiscoWorks Common Services
Related Topics
•
Understanding Cisco Secure ACS Roles
•
Setting Up User Permissions
CiscoWorks Common Services Default Roles
CiscoWorks Common Services contains the following default roles:
•
Help Desk—Help desk users can view (but not modify) devices, policies, objects, and topology maps.
•
Network Operator—In addition to view permissions, network operators can view CLI commands and Security Manager administrative settings. Network operators can also modify the configuration archive and issue commands (such as ping) to devices.
•
Approver—In addition to view permissions, approvers can approve or reject deployment jobs. They cannot perform deployment.
•
Network Administrator—Network administrators have complete view and modify permissions, except for modifying administrative settings. They can discover devices and the policies configured on these devices, assign policies to devices, and issue commands to devices. Network administrators cannot approve activities or deployment jobs; however, they can deploy jobs that were approved by others.
Note
Cisco Secure ACS features a default role called Network Administrator that contains a different set of permissions. For more information, see Understanding Cisco Secure ACS Roles.
•
System Administrator—System administrators have complete access to all Security Manager permissions, including modification, policy assignment, activity and job approval, discovery, deployment, and issuing commands to devices.
See Table 2-1 for details about which Security Manager permissions are associated with each CiscoWorks role.
Note
Additional roles, such as export data, might be displayed in Common Services if additional applications are installed on the server. The export data role is for third-party developers and is not used by Security Manager.
Tip
•
Although you cannot change the definition of CiscoWorks roles, you can define which roles are assigned to each user. For more information, see Assigning Roles to Users in CiscoWorks Common Services.
•
You can generate a permissions table in CiscoWorks by selecting Server > Reports > Permission Report, then clicking Generate Report.
Related Topics
•
Understanding CiscoWorks Roles
Assigning Roles to Users in CiscoWorks Common Services
CiscoWorks Common Services enables you to define which roles are assigned to each user. By changing the role definition for a user, you change the types of operations this user is authorized to perform in Security Manager. For example, if you assign the Help Desk role, the user is limited to view operations and cannot modify any data. However, if you assign the Network Operator role, the user is also able to modify the configuration archive. You can assign multiple roles to each user.
Note
You must restart Security Manager after making changes to user permissions.
Procedure
Step 1
In Common Services, select Server > Security, then select Single-Server Trust Management > Local User Setup from the TOC.
Tip
To reach the Local User Setup page from within Security Manager, select Tools > Security Manager Administration > Server Security, then click Local User Setup.
Step 2
Select the check box next to an existing user, then click Edit.
Step 3
On the User Information page, select the roles to assign to this user by clicking the check boxes.
Note
For more information about each role, see CiscoWorks Common Services Default Roles.
Step 4
Click OK to save your changes.
Step 5
Restart Security Manager.
Related Topics
•
Security Manager Permissions
•
Default Associations Between Permissions and Roles in Security Manager
•
Understanding CiscoWorks Roles
Understanding Cisco Secure ACS Roles
Cisco Secure ACS provides greater flexibility for managing Security Manager permissions than does CiscoWorks because it supports application-specific roles that you can configure. Each role is made up of a set of permissions that determine the level of authorization to Security Manager tasks. In Cisco Secure ACS, you assign a role to each user group (and optionally, to individual users as well), which enables each user in that group to perform the operations authorized by the permissions defined for that role.
In addition, you can assign these roles to Cisco Secure ACS device groups, allowing permissions to be differentiated on different sets of devices.
Note
Cisco Secure ACS device groups are independent of Security Manager device groups.
The following topics describe Cisco Secure ACS roles:
•
Cisco Secure ACS Default Roles
•
Customizing Cisco Secure ACS Roles
Related Topics
•
Understanding CiscoWorks Roles
Cisco Secure ACS Default Roles
Cisco Secure ACS includes the same roles as CiscoWorks (see Understanding CiscoWorks Roles), plus these additional roles:
•
Security Approver—Security approvers can view (but not modify) devices, policies, objects, maps, CLI commands, and administrative settings. In addition, security approvers can approve or reject the configuration changes contained in an activity. They cannot approve or reject the deployment job, nor can they perform deployment.
•
Security Administrator—In addition to having view permissions, security administrators can modify devices, device groups, policies, objects, and topology maps. They can also assign policies to devices and VPN topologies, and perform discovery to import new devices into the system.
•
Network Administrator—In addition to view permissions, network administrators can modify the configuration archive, perform deployment, and issue commands to devices.
Note
The permissions contained in the Cisco Secure ACS network administrator role are different from those contained in the CiscoWorks network administrator role. For more information, see Understanding CiscoWorks Roles.
Unlike CiscoWorks, Cisco Secure ACS enables you to customize the permissions associated with each Security Manager role. For more information about modifying the default roles, see Customizing Cisco Secure ACS Roles.
See Table 2-1 for details about which Security Manager permissions are associated with each Cisco Secure ACS role.
Note
Cisco Secure ACS 3.3 or later must be installed for Security Manager authorization.
Related Topics
•
Integrating Security Manager with Cisco Secure ACS
•
Default Associations Between Permissions and Roles in Security Manager
•
Setting Up User Permissions
Customizing Cisco Secure ACS Roles
Cisco Secure ACS enables you to modify the permissions associated with each Security Manager role. You can also customize Cisco Secure ACS by creating specialized user roles with permissions that are targeted to particular Security Manager tasks.
Note
You must restart Security Manager after making changes to user permissions.
Procedure
Step 1
In Cisco Secure ACS, click Shared Profile Components on the navigation bar.
Step 2
Click Cisco Security Manager on the Shared Components page. The roles that are configured for Security Manager are displayed.
Step 3
Do one of the following:
•
To create a role, click Add. Go to Step 4.
•
To modify an existing role, click the role. Go to Step 5.
Step 4
Enter a name for the role and, optionally, a description.
Step 5
Select and deselect the check boxes in the permissions tree to define the permissions for this role.
Selecting the check box for a branch of the tree selects all permissions in that branch. For example, selecting Assign selects all the assign permissions.
For a complete list of Security Manager permissions, see Security Manager Permissions.
Note
When you select modify, approve, assign, import, control or deploy permissions, you must also select the corresponding view permissions; otherwise, Security Manager will not function properly.
Step 6
Click Submit to save your changes.
Step 7
Restart Security Manager.
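The rules this chapter gives for building a role (every modify, approve, assign, import, control or deploy permission needs its corresponding view permission; Modify > Devices also needs Import and Assign > Policies > Interfaces; checking a branch selects everything in it) can be applied to a role definition before it is submitted. The following checker is an added example, not code from Cisco Security Manager, Cisco Secure ACS or this guide; its permission catalog is a subset of the chapter's list, and the View counterparts it pairs with the Approve, Import, Control and Deploy permissions are an assumption, since the chapter does not name them.

```python
"""Consistency check for a Security Manager role defined in Cisco Secure ACS.

Added example; not code from Cisco Security Manager, Cisco Secure ACS or the
chapter. It encodes the rules the chapter states for building a role:
  * a modify, approve, assign, import, control or deploy permission needs
    the corresponding view permission, or Security Manager will not
    function properly;
  * Modify > Devices also needs Import (to discover the policies on an
    added device) and Assign > Policies > Interfaces;
  * selecting a branch of the permissions tree selects everything in it.
Permission names are written as they appear in the tree. The catalog is a
subset of the chapter's list, and the View counterparts assumed for the
Approve, Import, Control and Deploy permissions are this example's own.
"""
from __future__ import annotations

from collections.abc import Iterable

# Policy areas that appear under View/Modify/Assign > Policies in the chapter.
POLICY_AREAS = (
    "Firewall", "Intrusion Prevention System", "Image", "NAT",
    "Site-to-Site VPN", "Remote Access VPN", "SSL VPN", "Interfaces",
    "Bridging", "Device Administration", "Identity", "Logging", "Multicast",
    "QoS", "Routing", "Security", "Service Policy Rules", "User Preferences",
    "Virtual Device", "FlexConfig",
)
# The chapter's additional modify permissions; their View counterparts are
# assumed to mirror them.
EXTRA_AREAS = ("Admin", "Config Archive", "Devices", "Hierarchy", "Topology")

CATALOG: frozenset[str] = frozenset(
    [f"{act} > Policies > {area}"
     for act in ("View", "Modify", "Assign") for area in POLICY_AREAS]
    + [f"{act} > {area}" for act in ("View", "Modify") for area in EXTRA_AREAS]
    + ["Approve > CLI", "Approve > Policy", "Import", "Control", "Deploy"]
)

# Assumption: these device-level permissions are paired with View > Devices.
# The chapter requires a view permission for them but does not name it.
ASSUMED_VIEW_FOR = {
    "Approve > CLI": "View > Devices",
    "Approve > Policy": "View > Devices",
    "Import": "View > Devices",
    "Control": "View > Devices",
    "Deploy": "View > Devices",
}


def expand(selection: Iterable[str]) -> set[str]:
    """Turn a list of checked tree nodes into individual permissions.

    A node that is not itself a permission ("Assign", "Modify > Policies")
    is a branch, and checking it selects every permission in that branch.
    """
    chosen: set[str] = set()
    for node in selection:
        if node in CATALOG:
            chosen.add(node)
            continue
        branch = {p for p in CATALOG if p.startswith(node + " > ")}
        if not branch:
            raise ValueError(f"unknown permission or branch: {node!r}")
        chosen |= branch
    return chosen


def view_counterpart(perm: str) -> str:
    """Return the view permission that a non-view permission depends on."""
    action, _, rest = perm.partition(" > ")
    if action in ("Modify", "Assign"):
        return f"View > {rest}"
    return ASSUMED_VIEW_FOR[perm]


def check_role(selection: Iterable[str]) -> list[str]:
    """Return the chapter's rules that this role definition violates."""
    perms = expand(selection)
    problems: list[str] = []
    for perm in sorted(perms):
        if perm.startswith("View"):
            continue
        needed = view_counterpart(perm)
        if needed not in perms:
            problems.append(f"{perm} requires {needed}")
    if "Modify > Devices" in perms:
        for needed in ("Import", "Assign > Policies > Interfaces"):
            if needed not in perms:
                problems.append(f"Modify > Devices requires {needed}")
    return problems


# Constructed role definitions, as they might be checked in the ACS tree.
BROKEN_ROLE = ["Modify > Policies > Firewall", "Modify > Devices", "View > Devices"]
FIXED_ROLE = ["View", "Modify > Policies > Firewall", "Modify > Devices",
              "Import", "Assign > Policies > Interfaces"]
APPROVER_ROLE = ["View", "Approve > Policy"]

if __name__ == "__main__":
    for name, role in (("broken", BROKEN_ROLE), ("fixed", FIXED_ROLE),
                       ("approver", APPROVER_ROLE)):
        print(name, check_role(role) or "OK")
```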
Related Topics
•
Security Manager Permissions
•
Default Associations Between Permissions and Roles in Security Manager
•
Understanding Cisco Secure ACS Roles
Default Associations Between Permissions and Roles in Security Manager
Table 2-1 shows how Security Manager permissions are associated with CiscoWorks Common Services roles and the default roles in Cisco Secure ACS.
Related Topics
•
Security Manager Permissions
•
Setting Up User Permissions
Integrating Security Manager with Cisco Secure ACS
This section describes how to integrate your Cisco Secure ACS with Cisco Security Manager.
Cisco Secure ACS provides command authorization for users who are using management applications, such as Security Manager, to configure managed network devices. Support for command authorization is provided by unique command authorization set types (called roles in Security Manager) that contain a set of permissions. These permissions (also called privileges) determine the actions that users with particular roles can perform within Security Manager.
Cisco Secure ACS uses TACACS+ to communicate with management applications. For Security Manager to communicate with Cisco Secure ACS, you must configure the CiscoWorks server in Cisco Secure ACS as a AAA client that uses TACACS+. In addition, you must provide the CiscoWorks server with the administrator name and password that you use to log in to the Cisco Secure ACS. Fulfilling these requirements ensures the validity of communications between Security Manager and Cisco Secure ACS.
Note
For an understanding of TACACS+ security advantages, see User Guide for Cisco Secure ACS.
When Security Manager initially communicates with Cisco Secure ACS, it directs Cisco Secure ACS to create the default roles, which appear in the Shared Profile Components section of the Cisco Secure ACS HTML interface. It also registers a custom service to be authorized by TACACS+. This custom service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the HTML interface. You can then modify the permissions included in each Security Manager role and apply these roles to users and user groups.
Related Topics
•
ACS Integration Requirements
•
Checklist for Initial Cisco Secure ACS Setup
ACS Integration Requirements
To use Cisco Secure ACS, make sure that:
•
You defined roles that include the commands required to perform necessary functions in Security Manager.
•
The Network Access Restriction (NAR) includes the device group (or the devices) that you want to administer, if you apply a NAR to the profile.
•
Managed device names are spelled and capitalized identically in Cisco Secure ACS and in Security Manager.
Tip
We highly recommend that you create a fault-tolerant infrastructure that utilizes multiple Cisco Secure ACS servers. Having multiple servers helps to ensure your ability to continue work in Security Manager even if connectivity is lost to one of the ACS servers.
Note
•
You can integrate only one version of Security Manager with a Cisco Secure ACS. Therefore, if your organization is using two different versions of Security Manager at the same time, you must perform integration with two different Cisco Secure ACS servers. You can, however, upgrade to a new version of Security Manager without having to use a different ACS.
•
Even when Cisco Secure ACS authentication is used, CiscoWorks Common Services software uses local authorization for CiscoWorks Common Services-specific utilities, such as Compact Database and Database Checkpoint. To use these utilities, you must be defined locally and be assigned the appropriate permissions.
Related Topics
•
Checklist for Initial Cisco Secure ACS Setup
•
Integrating Security Manager with Cisco Secure ACS
Checklist for Initial Cisco Secure ACS Setup
This checklist describes the steps required to integrate Security Manager with Cisco Secure ACS. Each step might contain several substeps; steps and substeps should be performed in order. The checklist contains references to specific procedures used to perform each step.
Step 1
Plan your administrative authentication and authorization model.
You should decide on your administrative model before using Security Manager. This includes defining the administrative roles and accounts that you plan to use.
Tip
When defining the roles and permissions of potential administrators, you should also consider whether or not to enable Workflow. This selection affects how you can restrict access.
For more information, see:
•
Understanding Cisco Secure ACS Roles
•
Selecting a Workflow Mode
•
User Guide for Cisco Secure ACS for Windows Server
Step 2
Install Cisco Secure ACS, Cisco Security Manager, and CiscoWorks Common Services.
Install Cisco Secure ACS version 3.3 or later on a Windows 2000/2003 server. Install CiscoWorks Common Services and Cisco Security Manager on a different Windows 2000/Windows 2003 server.
For more information, see:
•
Installation Guide for Cisco Security Manager 3.0.1
•
Installation Guide for Cisco Secure ACS for Windows Server
Step 3
Perform integration procedures in Cisco Secure ACS.
Define Security Manager users as ACS users and assign them to user groups based on their planned role, add all your managed devices (as well as the CiscoWorks/Security Manager server) as AAA clients, and create an administration control user.
For more information, see Integration Procedures Performed in Cisco Secure ACS.
Step 4
Perform integration procedures in CiscoWorks Common Services.
Configure a local user that matches the administrator defined in Cisco Secure ACS, define that same user for the system identity setup, and configure ACS as the AAA setup mode.
For more information, see Integration Procedures Performed in CiscoWorks.
Step 5
Restart the Daemon Manager.
You must restart the Security Manager server Daemon Manager for the AAA settings you configured to take effect.
For more information, see Restarting the Daemon Manager.
Step 6
Assign roles to user groups in Cisco Secure ACS.
Assign roles to each user group configured in Cisco Secure ACS. The procedure you should use depends on whether you have configured network device groups (NDGs).
For more information, see Assigning Roles to User Groups in Cisco Secure ACS.
Related Topics
• ACS Integration Requirements
• Integrating Security Manager with Cisco Secure ACS
Integration Procedures Performed in Cisco Secure ACS
The following topics describe the procedures to perform in Cisco Secure ACS in order when integrating it with Cisco Security Manager:
• Defining Users and User Groups in Cisco Secure ACS
• Adding Managed Devices as AAA Clients in Cisco Secure ACS
• Creating an Administration Control User in Cisco Secure ACS
For more information about the procedures described in these sections, see User Guide for Cisco Secure ACS for Windows Server.
Related Topics
• ACS Integration Requirements
• Integration Procedures Performed in CiscoWorks
• Integrating Security Manager with Cisco Secure ACS
Defining Users and User Groups in Cisco Secure ACS
All users of Security Manager must be defined in Cisco Secure ACS and assigned a role appropriate to their job function. The easiest way to do this is to divide the users into different groups based on each default role available in ACS, for example, assigning all the system administrators to one group, all the network operators to another group, and so on. For more information about the default roles in ACS, see Cisco Secure ACS Default Roles.
In addition, you must create an additional user that is assigned the system administrator role with full permissions. The credentials established for this user are later used on the System Identity Setup page in CiscoWorks. See Defining the System Identity User.
Please note that at this stage you are merely assigning users to different groups. The actual assignment of roles to these groups is performed later, after CiscoWorks, Security Manager, and any other applications have been registered to Cisco Secure ACS.
Before You Begin
• Install CiscoWorks Common Services and Cisco Security Manager on one Windows 2000/2003 server. Install Cisco Secure ACS on a different Windows 2000/2003 server.
Procedure
Step 1
Log in to Cisco Secure ACS.
Step 2
Configure a user with full permissions:
a. Click User Setup on the navigation bar.
b. On the User Setup page, enter a name for the new user, then click Add/Edit.
c. Select an authentication method from the Password Authentication list under User Setup.
d. Enter and confirm the password for the new user.
e. Select Group 1 as the group to which the user should be assigned.
f. Click Submit to create the user account.
Note
For more information about the options available when configuring users and user groups, see User Guide for Cisco Secure ACS.
Step 3
Repeat step 2 for each Security Manager user. We recommend dividing the users into groups based on the role each user will be assigned:
• Group 1—System Administrators
• Group 2—Security Administrators
• Group 3—Security Approvers
• Group 4—Network Administrators
• Group 5—Approvers
• Group 6—Network Operators
• Group 7—Help Desk
For more information about the default permissions associated with each role, see Table 2-1. For more information about customizing user roles, see Customizing Cisco Secure ACS Roles.
Note
At this stage, the groups themselves are collections of users without any role definitions. You will assign roles to each group after completing the integration process. See Assigning Roles to User Groups in Cisco Secure ACS.
Step 4
Create an additional user and assign this user to the system administrators group. The credentials established for this user are later used on the System Identity Setup page in CiscoWorks. See Defining the System Identity User.
Step 5
Continue with Adding Managed Devices as AAA Clients in Cisco Secure ACS.
Related Topics
• Integration Procedures Performed in Cisco Secure ACS
• Checklist for Initial Cisco Secure ACS Setup
Adding Managed Devices as AAA Clients in Cisco Secure ACS
Before you can begin importing devices into Security Manager, you must first configure each device as a AAA client in your Cisco Secure ACS. In addition, you must configure the CiscoWorks/Security Manager server as a AAA client.
If Security Manager is managing security contexts configured on firewall devices, including security contexts configured on FWSMs for Catalyst 6500/7600 devices, each context must be added individually to Cisco Secure ACS.
The method for adding managed devices depends on whether you want to restrict users to managing a particular set of devices by creating network device groups (NDGs). Proceed as follows:
• If you want users to have access to all devices, add the devices as described in Adding Devices as AAA Clients Without NDGs.
• If you want users to have access only to certain NDGs, add the devices as described in Configuring Network Device Groups for Use in Security Manager.
Adding Devices as AAA Clients Without NDGs
This procedure describes how to add devices as AAA clients of a Cisco Secure ACS. For complete information about all available options, see User Guide for Cisco Secure ACS.
Note
Remember to add the CiscoWorks/Security Manager server as a AAA client.
Procedure
Step 1
Click Network Configuration on the Cisco Secure ACS navigation bar.
Step 2
Click Add Entry beneath the AAA Clients table.
Step 3
Enter the AAA client hostname (up to 32 characters) on the Add AAA Client page. The hostname of the AAA client must match the display name you plan to use for the device in Security Manager.
For example, if you intend to append a domain name to the device name in Security Manager, the AAA client hostname in ACS must be <device_name>.<domain_name>.
When naming the CiscoWorks server, we recommend using the fully-qualified hostname. Be sure to spell the hostname correctly (it is not case-sensitive).
Additional naming conventions include:
• PIX/ASA 7.0 security context: <parent_display_name>_<context_name>
• FWSM blade: <chassis_name>_FW_<slot_number>
• FWSM security context: <chassis_name>_FW_<slot_number>_<context_name>
• IPS sensor: <IPSParentName>_<virtualSensorName>
Step 4
Enter the IP address of the network device in the AAA Client IP Address field. If the device does not have an IP address (for example, a virtual sensor or a virtual context), enter the word dynamic instead of an address.
Note
If you are adding a multihomed device (a device with multiple NICs), enter the IP address of each NIC. Press Enter between each address. In addition, you must modify the gatekeeper.cfg file on the Security Manager server. For more information, see the chapter on post-installation server tasks in the Installation Guide for Cisco Security Manager.
Step 5
Enter the shared secret in the Key field.
Step 6
Select TACACS+ (Cisco IOS) from the Authenticate Using list.
Step 7
Click Submit to save your changes. The device you added is displayed in the AAA Clients table.
Step 8
Repeat Steps 1 through 7 to add additional devices.
Step 9
To save the devices you have added, click Submit + Restart.
Step 10
Continue with Creating an Administration Control User in Cisco Secure ACS.
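The naming conventions in Step 3, the 32-character hostname limit, the "dynamic" address for virtual contexts and sensors (Step 4) and the TACACS+ (Cisco IOS) setting (Step 6) are easy to get wrong across dozens of AAA clients, and a mismatch only surfaces later as a device that cannot be imported. The following is an added Python example written for this page (not a Cisco tool) that reconciles a Security Manager inventory against the ACS AAA client table. Both inventories, the device names and the addresses are constructed; a real check would read exports from the two systems.

```python
"""Reconcile a Security Manager device inventory with the ACS AAA client list.

Added illustration for this page, not a Cisco tool. Both inventories are
constructed below; a real check would read exports from the two systems.
Applies the naming conventions, the 32-character limit, the "dynamic"
address for virtual contexts/sensors and the TACACS+ (Cisco IOS) setting."""

MAX_AAA_CLIENT_NAME = 32          # hostname limit stated in Step 3
REQUIRED_AUTH = "TACACS+ (Cisco IOS)"


def expected_aaa_name(dev: dict) -> str:
    """Build the AAA client hostname Security Manager expects for a device."""
    kind = dev["kind"]
    if kind == "device":            # optionally <device_name>.<domain_name>
        return f'{dev["name"]}.{dev["domain"]}' if dev.get("domain") else dev["name"]
    if kind == "asa_context":       # <parent_display_name>_<context_name>
        return f'{dev["parent"]}_{dev["context"]}'
    if kind == "fwsm_blade":        # <chassis_name>_FW_<slot_number>
        return f'{dev["chassis"]}_FW_{dev["slot"]}'
    if kind == "fwsm_context":      # <chassis_name>_FW_<slot_number>_<context_name>
        return f'{dev["chassis"]}_FW_{dev["slot"]}_{dev["context"]}'
    if kind == "ips_virtual_sensor":  # <IPSParentName>_<virtualSensorName>
        return f'{dev["parent"]}_{dev["sensor"]}'
    raise ValueError(f"unknown device kind {kind!r}")


def expected_aaa_ip(dev: dict) -> str:
    """Virtual contexts and virtual sensors have no address of their own."""
    return dev["ip"] if dev.get("ip") else "dynamic"


def reconcile(inventory: list, acs_clients: list) -> list:
    """Return (expected_name, problem) pairs for entries that are over length,
    missing from ACS, or carry the wrong address or authentication setting.
    Hostnames are compared case-insensitively, as the procedure notes."""
    by_name = {c["hostname"].lower(): c for c in acs_clients}
    problems = []
    for dev in inventory:
        name = expected_aaa_name(dev)
        if len(name) > MAX_AAA_CLIENT_NAME:
            problems.append((name, f"longer than {MAX_AAA_CLIENT_NAME} characters"))
        client = by_name.get(name.lower())
        if client is None:
            problems.append((name, "not defined as an AAA client"))
            continue
        want_ip = expected_aaa_ip(dev)
        if client["ip"] != want_ip:
            problems.append((name, f'address is {client["ip"]}, expected {want_ip}'))
        if client.get("auth") != REQUIRED_AUTH:
            problems.append((name, f"not set to authenticate using {REQUIRED_AUTH}"))
    return problems


# Constructed Security Manager inventory (display names as planned in CSM).
INVENTORY = [
    {"kind": "device", "name": "csm-server", "domain": "example.com", "ip": "10.0.0.5"},
    {"kind": "device", "name": "asa-edge", "ip": "10.0.1.1"},
    {"kind": "asa_context", "parent": "asa-edge", "context": "dmz"},
    {"kind": "fwsm_blade", "chassis": "cat6k-core", "slot": 3, "ip": "10.0.2.3"},
    {"kind": "fwsm_context", "chassis": "cat6k-core", "slot": 3, "context": "finance"},
    {"kind": "ips_virtual_sensor", "parent": "ips-dc", "sensor": "vs0"},
]

# Constructed ACS AAA client table: the server name differs only in case (fine),
# the dmz context was given a real address instead of "dynamic" (wrong), and
# the finance context was never added (each context must be added individually).
ACS_CLIENTS = [
    {"hostname": "CSM-SERVER.example.com", "ip": "10.0.0.5", "auth": REQUIRED_AUTH},
    {"hostname": "asa-edge", "ip": "10.0.1.1", "auth": REQUIRED_AUTH},
    {"hostname": "asa-edge_dmz", "ip": "10.0.1.1", "auth": REQUIRED_AUTH},
    {"hostname": "cat6k-core_FW_3", "ip": "10.0.2.3", "auth": REQUIRED_AUTH},
    {"hostname": "ips-dc_vs0", "ip": "dynamic", "auth": REQUIRED_AUTH},
]

if __name__ == "__main__":
    for name, problem in reconcile(INVENTORY, ACS_CLIENTS):
        print(f"{name}: {problem}")
```

Run against the constructed data, the check reports the mis-addressed dmz context and the missing finance context and accepts the case-only difference in the server name; the CiscoWorks/Security Manager server is deliberately part of the inventory because it must be an AAA client too.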
Related Topics
• Adding Managed Devices as AAA Clients in Cisco Secure ACS
• Integration Procedures Performed in Cisco Secure ACS
• Checklist for Initial Cisco Secure ACS Setup
Configuring Network Device Groups for Use in Security Manager
Cisco Secure ACS enables you to configure network device groups (NDGs) that contain specific devices to be managed. For example, you can create NDGs for each geographic region or NDGs that match your organizational structure. When used with Security Manager, NDGs enable you to provide users with different levels of permissions, depending on the devices they need to manage. For example, by using NDGs you can assign User A system administrator permissions to the devices located in Europe and Help Desk permissions to the devices located in Asia. You can then assign the opposite permissions to User B.
NDGs are not assigned directly to users. Rather, NDGs are assigned to the roles that you define for each user group. Each NDG can be assigned to a single role only, but each role can include multiple NDGs. These definitions are saved as part of the configuration for the selected user group.
The following topics outline the basic steps for configuring NDGs:
• Activating the NDG Feature
• Creating NDGs
• Associating NDGs and Roles with User Groups
Note
• Each device can be a member of only one NDG.
• NDGs are not related to the device groups that you can configure in Security Manager. See Understanding Device Grouping, page 5-57.
• For complete details about managing NDGs, see User Guide for Cisco Secure ACS.
Related Topics
• NDGs and User Permissions
• Adding Managed Devices as AAA Clients in Cisco Secure ACS
• Integration Procedures Performed in Cisco Secure ACS
• Checklist for Initial Cisco Secure ACS Setup
NDGs and User Permissions
Because NDGs limit users to particular sets of devices, they affect policy permissions, as follows:
• To view a policy, you must have permissions for at least one device to which the policy is assigned.
• To modify a policy, you must have permissions for all of the devices to which the policy is assigned.
• To view, modify, or assign a VPN policy, you must have permissions for all of the devices in the VPN topology.
• To assign a policy to a device, you need permissions only for that device, regardless of whether you have permissions for any other devices to which the policy is assigned. (VPN policies are an exception, as noted above.) However, if a user assigns a policy to a device for which you do not have permissions, you will not be able to modify that policy. See Modify Policies Permissions.
Note
To modify an object, a user does not need modify permissions for all the devices that are using the object. However, a user must have modify permissions for a particular device in order to modify a device-level object override defined on that device.
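The view, modify and assign rules above, together with the object-override note, interact in ways that are easy to misjudge when a shared policy spans several NDGs. The following is an added Python example written for this page (not Security Manager code) that models those rules. A user's NDG roles are reduced to two constructed sets, the devices the user may view and the devices the user may modify; the sample user holds System Administrator rights on a Europe NDG and Help Desk rights on an Asia NDG, with Help Desk modelled here as view-only, and the example assumes that assigning a policy to a device needs modify permission on that device.

```python
"""Model of the NDG policy-permission rules in this section.

Added illustration for this page, not Security Manager code. A user's NDG
roles are reduced to two constructed sets: devices they may view and devices
they may modify. Assumption: assigning a policy to a device requires modify
permission on that device."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserDevicePerms:
    view: frozenset    # devices the user's NDG roles allow them to view
    modify: frozenset  # devices the user's NDG roles allow them to modify


@dataclass(frozen=True)
class Policy:
    name: str
    devices: frozenset                     # devices the policy is assigned to
    vpn_topology: frozenset = frozenset()  # non-empty only for VPN policies

    @property
    def is_vpn(self) -> bool:
        return bool(self.vpn_topology)


def can_view(user: UserDevicePerms, policy: Policy) -> bool:
    """View: a VPN policy needs every topology device; otherwise one assigned device suffices."""
    if policy.is_vpn:
        return policy.vpn_topology <= user.view
    return bool(policy.devices & user.view)


def can_modify(user: UserDevicePerms, policy: Policy) -> bool:
    """Modify: permission on all assigned devices (all topology devices for VPN)."""
    target = policy.vpn_topology if policy.is_vpn else policy.devices
    return target <= user.modify


def can_assign(user: UserDevicePerms, policy: Policy, device: str) -> bool:
    """Assign: only the target device matters for a shared policy, even when the
    policy is also assigned to devices outside the user's NDGs; VPN needs all."""
    if policy.is_vpn:
        return policy.vpn_topology <= user.modify
    return device in user.modify


def can_modify_override(user: UserDevicePerms, device: str) -> bool:
    """A device-level object override needs modify permission on that device
    (editing the shared object itself does not need every device using it)."""
    return device in user.modify


# Constructed sample: user A has System Administrator rights on the Europe NDG
# (fw-paris, fw-berlin) and Help Desk rights, modelled as view-only, on the
# Asia NDG (fw-tokyo).
USER_A = UserDevicePerms(
    view=frozenset({"fw-paris", "fw-berlin", "fw-tokyo"}),
    modify=frozenset({"fw-paris", "fw-berlin"}),
)
SHARED_ACL = Policy("acl-shared", frozenset({"fw-paris", "fw-tokyo"}))
EUROPE_ACL = Policy("acl-europe", frozenset({"fw-paris", "fw-berlin"}))
SITE_VPN = Policy("s2s-vpn", frozenset(),
                  frozenset({"fw-paris", "fw-berlin", "fw-tokyo"}))


def summary(user: UserDevicePerms = USER_A) -> dict:
    """Evaluate each rule for the sample user."""
    return {
        "view shared ACL": can_view(user, SHARED_ACL),        # fw-paris is viewable
        "modify shared ACL": can_modify(user, SHARED_ACL),    # fw-tokyo is view-only
        "modify Europe ACL": can_modify(user, EUROPE_ACL),    # both devices modifiable
        "assign shared ACL to fw-berlin": can_assign(user, SHARED_ACL, "fw-berlin"),
        "assign shared ACL to fw-tokyo": can_assign(user, SHARED_ACL, "fw-tokyo"),
        "view site VPN": can_view(user, SITE_VPN),            # whole topology viewable
        "modify site VPN": can_modify(user, SITE_VPN),        # fw-tokyo not modifiable
        "override on fw-tokyo": can_modify_override(user, "fw-tokyo"),
    }


if __name__ == "__main__":
    for rule, allowed in summary().items():
        print(f"{rule:32} {'allowed' if allowed else 'denied'}")
```

The instructive cases are the shared ACL and the VPN: user A can view and even assign the shared ACL to a Europe device, but cannot modify it because it is also assigned to fw-tokyo, and the site-to-site VPN is viewable yet not modifiable because one topology member lies in the view-only NDG.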
Related Topics
• Configuring Network Device Groups for Use in Security Manager
• View Policies Permissions
• Modify Policies Permissions
• Setting Up User Permissions
Activating the NDG Feature
You must activate the NDG feature before you can create NDGs and populate them with devices.
Procedure
Step 1
Click Interface Configuration on the Cisco Secure ACS navigation bar.
Step 2
Click Advanced Options.
Step 3
Scroll down, then select the Network Device Groups check box.
Step 4
Click Submit.
Step 5
Continue with Creating NDGs.
Related Topics
• Creating NDGs
• Associating NDGs and Roles with User Groups
• NDGs and User Permissions
• Configuring Network Device Groups for Use in Security Manager
Creating NDGs
This procedure describes how to create NDGs and populate them with devices. Each device can belong to only one NDG.
Note
We highly recommend creating a special NDG that contains the CiscoWorks/Security Manager server.
Before You Begin
• Activate the NDG feature. See Activating the NDG Feature.
Procedure
Step 1
Click Network Configuration on the navigation bar.
All devices are initially placed under Not Assigned, which holds all devices that were not placed in an NDG. Please note that Not Assigned is not an NDG.
Step 2
Create NDGs:
a. Click Add Entry.
b. Enter a name for the NDG on the New Network Device Group page. The maximum length is 24 characters. Spaces are permitted.
c. (Optional when using version 4.0 or later) Enter a key to be used by all devices in the NDG. If you define a key for the NDG, it overrides any keys defined for the individual devices in the NDG.
d. Click Submit to save the NDG.
e. Repeat Steps a through d to create more NDGs.
Step 3
Populate the NDGs with devices:
a. Click the name of the NDG in the Network Device Groups area.
b. Click Add Entry in the AAA Clients area.
c. Define the particulars of the device to add to the NDG, then click Submit. For more information, see Adding Devices as AAA Clients Without NDGs.
d. Repeat Steps b and c to add the remaining devices to NDGs. The only device to consider leaving in the Not Assigned category is the default AAA server.
e. After you configure the last device, click Submit + Restart.
Note
Each device can be a member of only one NDG.
Step 4
Continue with Creating an Administration Control User in Cisco Secure ACS.
Note
You can associate roles with each NDG only after completing the integration procedures in Cisco Secure ACS and CiscoWorks Common Services. See Associating NDGs and Roles with User Groups.
Related Topics
• Activating the NDG Feature
• Associating NDGs and Roles with User Groups
• NDGs and User Permissions
• Configuring Network Device Groups for Use in Security Manager
Creating an Administration Control User in Cisco Secure ACS
Use the Administration Control page in Cisco Secure ACS to define the administrator account that is used when defining the AAA setup mode in CiscoWorks Common Services. For more information, see Configuring the AAA Setup Mode in CiscoWorks.
Procedure
Step 1
Click Administration Control on the Cisco Secure ACS navigation bar.
Step 2
Click Add Administrator.
Step 3
On the Add Administrator page, enter a name and password for the administrator.
Step 4
Click Grant All in the Administrator Privileges area to provide full administrative permissions to this administrator.
Step 5
Click Submit to create the administrator.
Note
For more information about the options available when configuring an administrator, see User Guide for Cisco Secure ACS.
Related Topics
• Integration Procedures Performed in Cisco Secure ACS
• Checklist for Initial Cisco Secure ACS Setup
Integration Procedures Performed in CiscoWorks
The following topics describe the procedures to perform in CiscoWorks Common Services when integrating it with Cisco Security Manager:
• Creating a Local User in CiscoWorks
• Defining the System Identity User
• Configuring the AAA Setup Mode in CiscoWorks
Perform these procedures after completing the integration procedures performed in Cisco Secure ACS. Common Services performs the actual registration of CiscoWorks and any installed applications, such as Cisco Security Manager and Auto-Update Server, into Cisco Secure ACS.
Related Topics
• ACS Integration Requirements
• Integration Procedures Performed in Cisco Secure ACS
• Integrating Security Manager with Cisco Secure ACS
Creating a Local User in CiscoWorks
Use the Local User Setup page in CiscoWorks Common Services to create a local user account that duplicates the administrator you previously created in Cisco Secure ACS. This local user account is later used for the system identity setup. For more information, see Defining the System Identity User.
Before You Begin
• Create an administrator in Cisco Secure ACS. See Defining Users and User Groups in Cisco Secure ACS.
Procedure
Step 1
Log in to CiscoWorks using the default admin user account.
Step 2
Select Server > Security from Common Services, then select Local User Setup from the TOC.
Step 3
Click Add.
Step 4
Enter the same name and password that you entered when creating the administrator in Cisco Secure ACS. See Step 4 in Defining Users and User Groups in Cisco Secure ACS.
Step 5
Select all check boxes under Roles except Export Data.
Step 6
Click OK to create the user.
Related Topics
• Integration Procedures Performed in CiscoWorks
• Checklist for Initial Cisco Secure ACS Setup
Defining the System Identity User
Use the System Identity Setup page in CiscoWorks Common Services to create a trust user (called the System Identity user) that enables communication between servers that are part of the same domain and application processes that are located on the same server. Applications use the System Identity user to authenticate processes on local or remote CiscoWorks servers. This is especially useful when the applications must synchronize before any users have logged in.
In addition, the System Identity user is often used to perform a subtask when the primary task has already been authorized for the logged in user. For example, editing a device in Security Manager requires interapplication communication between Security Manager and the Common Services DCR. After the user has been authorized to perform the editing task, the System Identity user is used to invoke the DCR.
The System Identity user you configure here must be identical to the administrator with full permissions that you configured in ACS. Failure to do so could result in your being unable to view all the devices and policies configured in Security Manager.
Before You Begin
• Create a local user with the same name and password as this administrator in CiscoWorks Common Services. See Creating a Local User in CiscoWorks.
Procedure
Step 1
Select Server > Security, then select Multi-Server Trust Management > System Identity Setup from the TOC.
Step 2
Enter the name of the administrator that you created for Cisco Secure ACS. See Step 4 in Defining Users and User Groups in Cisco Secure ACS.
Step 3
Enter and verify the password for this user.
Step 4
Click Apply.
Related Topics
• Integration Procedures Performed in CiscoWorks
• Checklist for Initial Cisco Secure ACS Setup
Configuring the AAA Setup Mode in CiscoWorks
Use the AAA Setup Mode page in CiscoWorks Common Services to define your Cisco Secure ACS as the AAA server, including the required port and shared secret key. In addition, you can define up to two backup servers.
This procedure performs the actual registration of CiscoWorks and Security Manager (and optionally, Auto-Update Server) into Cisco Secure ACS.
Procedure
Step 1
Select Server > Security, then select AAA Mode Setup from the TOC.
Step 2
Select the TACACS+ check box under Available Login Modules.
Step 3
Select ACS as the AAA type.
Step 4
Enter the IP addresses of up to three Cisco Secure ACS servers in the Server Details area. The secondary and tertiary servers act as backups in case the primary server fails.
Note
If all the configured TACACS+ servers fail to respond, you must log in using the admin CiscoWorks Local account, then change the AAA mode back to Non-ACS/CiscoWorks Local. After the TACACS+ servers are restored to service, you must change the AAA mode back to ACS.
Step 5
In the Login area, enter the name of the administrator that you defined on the Administration Control page of Cisco Secure ACS. For more information, see Creating an Administration Control User in Cisco Secure ACS.
Step 6
Enter and verify the password for this administrator.
Step 7
Enter and verify the shared secret key that you entered when you added the Security Manager server as a AAA client of Cisco Secure ACS. See Step 5 in Adding Devices as AAA Clients Without NDGs.
Step 8
Select the Register all installed applications with ACS check box to register Security Manager and any other installed applications with Cisco Secure ACS.
Step 9
Click Apply to save your settings. A progress bar displays the progress of the registration. A message is displayed when registration is complete.
Step 10
Restart the Cisco Security Manager Daemon Manager service. See Restarting the Daemon Manager.
Step 11
Log back in to Cisco Secure ACS to assign roles to each user group. See Assigning Roles to User Groups in Cisco Secure ACS.
Note
The AAA setup configured here is not retained if you uninstall CiscoWorks Common Services or Cisco Security Manager. In addition, this configuration cannot be backed up and restored after reinstallation. Therefore, if you upgrade to a new version of either application, you must reconfigure the AAA setup mode and reregister Security Manager with ACS. This process is not required for incremental updates. If you install additional applications, such as AUS, on top of CiscoWorks, you must reregister the new applications and Cisco Security Manager.
Related Topics
• Integration Procedures Performed in CiscoWorks
• Checklist for Initial Cisco Secure ACS Setup
Restarting the Daemon Manager
This procedure describes how to restart the Daemon Manager of the Security Manager server. You must do this so the AAA settings that you configured take effect. You can then log back in to CiscoWorks using the credentials defined in Cisco Secure ACS.
Procedure
Step 1
Log in to the machine on which the Security Manager server is installed.
Step 2
Select Start > Programs > Administrative Tools > Services to open the Services window.
Step 3
From the list of services displayed in the right pane, select Cisco Security Manager Daemon Manager.
Step 4
Click the Restart Service button on the toolbar.
Step 5
Continue with Assigning Roles to User Groups in Cisco Secure ACS.
Related Topics
• Checklist for Initial Cisco Secure ACS Setup
• Integrating Security Manager with Cisco Secure ACS
Assigning Roles to User Groups in Cisco Secure ACS
After you have registered CiscoWorks, Security Manager and other installed applications to Cisco Secure ACS, you can assign roles to each of the user groups that you previously configured in Cisco Secure ACS. These roles determine the actions that the users in each group are permitted to perform in Security Manager.
The procedure for assigning roles to user groups depends on whether NDGs are being used:
• Assigning Roles to User Groups Without NDGs
• Associating NDGs and Roles with User Groups
Related Topics
• Checklist for Initial Cisco Secure ACS Setup
• Integrating Security Manager with Cisco Secure ACS
Assigning Roles to User Groups Without NDGs
This procedure describes how to assign the default roles to user groups when NDGs have not been defined. For more information, see Cisco Secure ACS Default Roles.
Before You Begin
• Create a user group for each default role. See Defining Users and User Groups in Cisco Secure ACS.
• Complete the procedures described in Integration Procedures Performed in Cisco Secure ACS and Integration Procedures Performed in CiscoWorks.
Procedure
Step 1
Log in to Cisco Secure ACS.
Step 2
Click Group Setup on the navigation bar.
Step 3
Select the user group for system administrators from the list (see Step 2 of Defining Users and User Groups in Cisco Secure ACS), then click Edit Settings.
Step 4
Assign the system administrator role to this group:
a. Scroll down to the CiscoWorks area under TACACS+ Settings.
b. Select the first Assign option, then select System Administrator from the list of CiscoWorks roles.
c. Scroll down to the Cisco Security Manager Shared Services area.
d. Select the first Assign option, then select System Administrator from the list of Cisco Secure ACS roles.
e. Click Submit to save the group settings.
Step 5
Repeat Steps 3 and 4 for the remaining roles, assigning each role to the appropriate user group.
Note
When selecting the Security Approver or Security Administrator roles in Cisco Secure ACS, we recommend selecting Network Administrator as the closest equivalent CiscoWorks role.
Note
For more information about customizing the default roles in ACS, see Customizing Cisco Secure ACS Roles.
Related Topics
• Understanding CiscoWorks Roles
• Understanding Cisco Secure ACS Roles
• Integrating Security Manager with Cisco Secure ACS
Associating NDGs and Roles with User Groups
When you associate NDGs with roles for use in Security Manager, you must create definitions in two places on the Group Setup page:
• CiscoWorks area
• Cisco Security Manager area
The definitions in each area should match as closely as possible. When associating custom roles or ACS roles that do not exist in CiscoWorks Common Services, try to define as close an equivalent as possible based on the permissions assigned to that role.
You must create associations for each user group that will be used with Security Manager. For example, if you have a user group containing support personnel for the Western region, you can select that user group, then associate the NDG containing the devices in that region with the Help Desk role.
Before You Begin
• Activate the NDG feature and create NDGs. See Configuring Network Device Groups for Use in Security Manager.
Procedure
Step 1
Click Group Setup on the navigation bar.
Step 2
Select a user group from the Group list, then click Edit Settings.
Step 3
Map NDGs and roles for use in CiscoWorks:
a. On the Group Setup page, scroll down to the CiscoWorks area under TACACS+ Settings.
b. Select Assign a Ciscoworks on a per Network Device Group Basis.
c. Select an NDG from the Device Group list.
d. Select the role to which this NDG should be associated from the second list.
e. Click Add Association. The association appears in the Device Group box.
f. Repeat Steps c through e to create additional associations.
Note
To remove an association, select it from the Device Group, then click Remove Association.
Step 4
Scroll down to the Cisco Security Manager area and create associations that match as closely as possible the associations defined in Step 3.
Note
When selecting the Security Approver or Security Administrator roles in Cisco Secure ACS, we recommend selecting Network Administrator as the closest equivalent CiscoWorks role.
Step 5
Click Submit to save your settings.
Step 6
Repeat Steps 2 through 5 to define NDGs for the remaining user groups.
Step 7
To save the associations that you have created, click Submit + Restart.
Note
For more information about customizing the default roles in ACS, see Customizing Cisco Secure ACS Roles.
Related Topics
• Integrating Security Manager with Cisco Secure ACS
• Checklist for Initial Cisco Secure ACS Setup
Selecting a Workflow Mode
Security Manager workflow has two main modes:
• Workflow mode (with or without approvers).
• Non-Workflow mode (default).
The workflow mode you choose depends on your organizational structure and the level of control you wish to have over changes to the network. The following topics help you understand the different workflow modes so that you can make an informed decision as to which mode you prefer:
• Working in Workflow Mode
• Working in Non-Workflow Mode
• Comparing the Two Workflow Modes
• Enabling and Disabling Workflow Modes
Working in Workflow Mode
Workflow mode is an advanced mode of operation that imposes a formal change-tracking and change-management system. Workflow mode is suitable for organizations in which there is division of responsibility among security and network operators for defining policies and deploying those policies to devices. For example, a security operator might be responsible for defining security policies on devices, another security operator might be responsible for approving the policy definitions, and a network operator for deploying the resulting configurations to a device. This separation of responsibility helps maintain the integrity of deployed device configurations.
You can use Workflow mode with or without an approver. When using Workflow mode with an approver, device management and policy configuration changes performed by one user are reviewed and approved by another user before being deployed to the relevant devices. When using Workflow mode without an approver, device and policy configuration changes can be created and approved by a single user, thus simplifying the change process.
In Workflow mode:
• A user must create an activity before defining or changing policy configurations. An activity is essentially a proposal to make configuration changes. The changes made within the activity are applied only after the activity is approved by a user with the appropriate permissions. An activity can either be submitted to another user for review and approval (Workflow mode with an activity approver), or it can be approved by the current user (Workflow mode without an activity approver). For detailed information about the process of creating, submitting, and approving activities, see Chapter 7, "Managing Activities."
• After the activity is approved, the configuration changes need to be deployed to the relevant devices. To do this, a user must create a deployment job. A deployment job defines the devices to which configurations will be deployed, and the deployment method to be used. A deployment job can either be submitted to another user for review and approval (Workflow mode with a job approver), or it can be approved by the current user (Workflow mode without a job approver). Deployment preferences can be configured with or without job approval. For more information, see Chapter 18, "Managing Deployment."
Working in Non-Workflow Mode
Some organizations have no division of responsibility between users when defining and administering their VPN and firewall policies. These organizations can work in non-Workflow mode, which is the default mode of operation. When using non-Workflow mode, there is no need to create activities and jobs. When you log in, Security Manager creates an activity for you. This activity is transparent to the user and does not need to be managed in any way. In addition, when you save and deploy configuration changes, Security Manager creates a job for you as well. Like activities, jobs are transparent and do not need to be managed.
When using non-Workflow mode, multiple users with the same username and password cannot be logged into Security Manager at the same time. If another user logs in with the same username and password while you are working, your session will be terminated and you will have to log in again.
Comparing the Two Workflow Modes
Table 2-2 highlights the differences between the two workflow modes.
Table 2-2 Comparison Between Workflow Mode and Non-Workflow Mode
What is the default mode for Security Manager?
Non-Workflow Mode: Default.
Workflow Mode: Not default.
How do I know which mode is currently selected?
Non-Workflow Mode: In Tools > Security Manager Administration > Workflow, the Enable Workflow check box is not selected.
Workflow Mode: In Tools > Security Manager Administration > Workflow, the Enable Workflow check box is selected.
Must I create activities to make configuration changes?
Non-Workflow Mode: No. Security Manager automatically creates an activity when you log in.
Workflow Mode: Yes.
Must I create jobs to deploy configurations to devices?
Non-Workflow Mode: No.
Workflow Mode: Yes.
How do I deploy my configuration changes to the devices?
Non-Workflow Mode: Do one of the following:
• Click the Submit and Deploy Changes button on the Main toolbar.
• Select File > Submit and Deploy.
• Select Tools > Deployment Manager and click Deploy.
Workflow Mode: Select Tools > Deployment Manager and create a deployment job.
At what stage are the CLI commands for my configuration changes generated?
Non-Workflow Mode: When initiating deployment.
Workflow Mode: When creating a deployment job.
How do I delete my current changes?
Non-Workflow Mode: Select File > Discard, or, if you have already started deploying to devices, abort the deployment by selecting Tools > Deployment Manager > Abort.
Workflow Mode: Select Tools > Deployment Manager > Discard. If the job has already been deployed, you can abort the job by selecting Tools > Deployment Manager > Abort.
Can multiple users log into Security Manager at the same time?
Non-Workflow Mode: Yes, but only if each one has a different username and password. Access to Security Manager is discontinued if a user with the same username logs into Security Manager.
Workflow Mode: Yes. Each user can open a different activity and make configuration changes.
What if another user is configuring the devices I want to configure?
Non-Workflow Mode: You will receive a message indicating that the devices are locked. See Activities and Locking, page 7-4.
Workflow Mode: You will receive a message indicating that the devices are locked. See Activities and Locking, page 7-4.
Enabling and Disabling Workflow Modes
The default mode in Security Manager is non-Workflow mode. If you have Administrator permissions, you can change the workflow mode in Tools > Security Manager Administration. Before doing so, be sure to understand the following notes:
• When you change the workflow mode, the change takes effect for all Security Manager users working from the same server.
• Before you can change to non-Workflow mode, all activities in editable states (Edit, Edit Open, Submit, or Submit Open) must be approved or discarded, and all generated jobs must be deployed, failed, rejected, discarded, or aborted so that the locks on the devices can be released.
• If you change to non-Workflow mode and then restore an earlier version of the database, Security Manager automatically changes to Workflow mode if the restored database has any activities in an editable state (Edit, Edit Open, Submit, or Submit Open). Approve or delete the editable activities, and then turn workflow off again.
• Both Workflow and non-Workflow modes use activities. However, Security Manager hides and automatically manages activities when in non-Workflow mode. Therefore, when changing from non-Workflow mode to Workflow mode, the current hidden activity is exposed and placed in the Edit_Open state.
This procedure will help you establish Workflow mode settings.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Workflow. The Workflow page appears in the right-hand pane. For a description of the fields on this page, see Table A-28 on page A-48.
Step 3
To disable Workflow mode, deselect the Enable Workflow check box, and then click Save.
Step 4
To enable Workflow mode, select the Enable Workflow check box.
Step 5
To eliminate the requirement that activities be approved before they are committed to the database, deselect the Require Activity Approval check box. (Check box is selected by default.)
Step 6
To eliminate the requirement that deployment jobs are approved before deployment to devices, deselect the Require Deployment Approval check box. (Check box is selected by default.)
Step 7
Enter the email address for the default Sender. (This is the address that appears on every deployment job submitted.)
Step 8
Enter the email address for the default Activity Approver.
Step 9
Enter the email address for the default Deployment Job Approver.
Step 10
To change the number of days you keep the activity logs, enter a new value in the Keep Activity for field.
Step 11
Click Purge Now to delete activity logs older than the number of days you specify.
Step 12
To change the number of days you keep the deployment job logs, enter a new value in the Keep Job for text box.
Step 13
Click Purge Now to delete deployment logs older than the number of days you specify.
Step 14
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 15
Click Yes in the confirmation dialog box to confirm your choice. A message states that this action was successful.
Related Topics
• Managing Activities, page 7-1
• Managing Deployment, page 18-1
Working with AutoLink
The Security Manager Map view provides a graphical view of your VPN and Layer 3 network topology. Using device nodes to represent managed devices and map objects to represent unmanaged objects such as devices, clouds, and networks, you can create topology maps with which to study your network. AutoLink settings enable you to exclude any of five private or reserved networks from Map view. For example, you might want to exclude networks that are not relevant to the management tasks you are using Security Manager to perform, such as test networks. Excluding them prevents them from appearing on your topology map.
This procedure will help you define AutoLink settings.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click AutoLink. The AutoLink settings page appears. For a description of the fields on this page, see Table A-1 on page A-3.
Step 3
Deselect the check box for each IP address you want to omit from any topology maps you create.
Step 4
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 5
Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
• Displaying Layer 3 Links on the Map, page 4-21
• Displaying Your Network on the Map, page 4-16
• Understanding Maps, page 4-1
• Working With Maps, page 4-2
Defining Configuration Archive Settings
From the Configuration Archive preferences window, you can purge configuration file versions maintained for devices managed by Security Manager. Here you can also enter the Trivial File Transfer Protocol (TFTP) server and directory information for Cisco IOS devices used during configuration rollback.
This procedure will help you define Configuration Archive settings.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Configuration Archive. The Configuration Archive Purge dialog box is on the top half of the window and the TFTP for Configuration Version Rollback server settings are below. For a description of the fields on this page, see Table A-2 on page A-4.
Step 3
To specify how many configuration versions to retain for each device, enter a value in the Max. Versions Per Device field.
Step 4
Click Purge Now to delete older configurations in excess of the number of configurations you specified in Step 3.
Step 5
To change the default TFTP server for IOS devices, enter the server name or IP address for TFTP file transfers.
Step 6
To change the default directory for TFTP file transfers, enter the root directory for configuration file transfers on your TFTP server.
Tip
To return to values that were present when you first opened a settings page, click Reset at any time before you click Save. If you clicked Save in error and do not remember what was there before, you can click Reset to Factory Defaults to reestablish Security Manager defaults.
Step 7
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 8
Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
• Configuration Archive Window, page Q-12
• Using the Configuration Archive Tool, page 20-11
Customizing Your Desktop
Adjust your GUI timeout and 'Do Not Ask' settings from the Customize Desktop page.
This procedure will help you adjust your GUI timeout and 'Do Not Ask' settings.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Customize Desktop. For a description of the fields on this page, see Table A-3 on page A-4.
Step 3
To reestablish the appearance of 'Are you sure . . .?' reminders anywhere in the application, click Reset 'Do Not Ask' on Warnings, and then click Yes in the confirmation dialog box to confirm your choice.
Step 4
To log users out after the number of minutes specified in the Idle Timeout text field, select the Enable Idle Timeout check box.
Step 5
In the Idle Timeout text field, enter the number of minutes of idleness after which you want Security Manager to log a user out.
Step 6
Do one of the following:
• Click Save to save and apply changes. A message confirms that your changes were saved successfully.
• Click Reset to restore all fields and check boxes to their previous values.
• Click Restore Defaults to restore Security Manager defaults.
Step 7
Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
• Working with the Security Manager User Interface, page 3-1
Defining Deployment Settings
Use the Deployment settings page to define the following:
• Number of days to archive debugging files.
• Whether configuration changes are deployed to a file or to a device.
• Whether to warn, cancel, or skip deployment when out-of-band changes are detected.
• Whether reference configurations for deployments should be taken from an archive or a device.
• How to optimize the deployment of firewall access lists (optimized to reduce deployment time or to minimize traffic disruption).
• Whether to allow FWSM to compile access lists automatically instead of using Security Manager to control the ACL compilation.
• Whether to enable advanced debugging.
• Whether deployments will proceed with errors.
• Whether to delete unreferenced object groups from devices.
• Whether to automatically create object groups for policy objects and for multiple sources, destinations, or services (for PIX, FWSM, and ASA devices).
• Whether to remove unreferenced access lists from devices.
• Whether any changes to the device configuration for Cisco IOS, PIX, FWSM, and ASA devices are copied to the startup configuration for those device types.
• Whether ACL remarks should be generated during deployment.
• Whether to optimize network object groups during deployment.
This procedure will help you define deployment settings.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Deployment.
The Deployment window appears. For a description of the fields on this page, see Table A-4 on page A-5.
Step 3
To specify how long to keep debugging files, enter the number of days in the Purge Debugging Files Older Than field.
Step 4
To specify how configurations should be deployed to devices, select the Default Deployment Method; select either Device or File.
Step 5
If you selected File as the default deployment method in the previous step, enter a directory path to which the file should be saved. Or, you can click Browse to select the directory to which to save the file.
Step 6
Select the desired system response when Security Manager detects changes made directly to the device (Out of Band Changes).
Step 7
Choose the File Reference Configuration object (the configuration against which file changes are to be compared if you are deploying to a reference file). You can choose one of the following:
• Archive (default)—Uses the most recently archived configuration against which to compare changes; then generates the CLI to be deployed.
• Device—Uses the current device configuration against which to compare changes; then generates the CLI to be deployed.
Step 8
Choose the Device Reference Configuration object (the configuration against which device changes are to be compared if you are deploying to a device). You can choose one of the following:
• Archive—Uses the most recently archived configuration against which to compare changes; then generates the CLI to be deployed.
• Device (default)—Uses the current device configuration against which to compare changes; then generates the CLI to be deployed.
Step 9
Select how firewall rules are to be deployed from the Optimize Firewall Deployment for list. Choose one of the following two criteria:
• Speed—Increases deployment speed, thereby using less system memory, but increases the risk of traffic interruption.
• Traffic—Inhibits traffic interruption during deployment, but increases system memory usage, and deployments take longer.
See Table A-4 on page A-5 for more information.
Step 10
Determine whether existing Firewall Access Names should be reused, or whether the name values should be reset to names generated by Security Manager. You do this by selecting one of the two options from the list. For more information, see Preserving User-Defined ACL Names, page 12-56 and How ACL Names Are Generated, page 12-54.
Step 11
Determine how firewall rules should be deployed to devices in the Firewall Rule Deployment Preference list. Select the Disable Access-list Compilation During Deployment (FWSM) check box to specify that FWSM should automatically compile access lists. If you do not select this check box, Security Manager controls ACL compilation (to avoid traffic interruption and to minimize peak memory usage on the device). For more information, see Understanding Access Rules, page 12-49.
Caution 
Do not select this check box unless you are experiencing deployment problems and are an advanced user.
Step 12
To generate data files containing information about configuration generation, deployment, and discovery as these functions are performed, select Enable Advanced Debugging.
Step 13
To allow deployment to devices to continue even if there are minor device configuration errors, select Allow Download On Error.
Step 14
To delete from devices during deployment any object groups that are not being used by other CLI commands, select Remove Unreferenced ObjectGroups from Device (PIX, ASA, FWSM).
Step 15
(Optional) To automatically create network objects and service objects that replace comma-separated values in a rule table cell, ensure that Create Object Groups for Policy Objects (PIX, ASA, FWSM) is selected. When deselected, Security Manager flattens the object groups for PIX/ASA/FWSM devices to IP addresses and disables the following check box: Create Object Groups for Multiple Sources, Destinations or Services in a Rule (PIX, ASA, FWSM). The objects are created during deployment.
Step 16
(Optional) To automatically create network objects and service objects that replace comma-separated values in a rule table cell, select Create Object Groups for Multiple Sources, Destinations or Services in a Rule (PIX, ASA, FWSM). The objects are created during deployment.
Step 17
To delete from devices during deployment any access lists that are not being used by other CLI commands, select Remove Unreferenced Access-lists on Device.
Step 18
To ensure that any changes to device configurations for PIX, FWSM, ASA, or Cisco IOS devices are copied to the startup configuration for that device, select Save Changes Permanently on Device.
Step 19
To display ACL warning messages and remarks during deployment, select Generate ACL Remarks During Deployment.
Step 20
To optimize network object groups during deployment, select Optimize Network Object Groups During Deployment (PIX, ASA, FWSM). For more information on optimizing policy objects, see Optimizing Policy Objects in Rules, page 12-47.
Step 21
Click Save.
Certain options display a confirmation dialog box and ask if you want to continue. To continue, click Yes.
Note
To return to values that were present when you first opened a settings page, click Reset at any time before you click Save. If you clicked Save in error and do not remember what was there before, you can click Restore Defaults to reestablish Security Manager defaults.
Related Topics
• Managing Deployment, page 18-1
Defining Device Communication Settings
Use the Device Communication settings page to define these settings for all devices managed by Security Manager:
• The number of seconds that Security Manager has to establish a connection with a device before timing out.
• The number of seconds Security Manager can spend blocked waiting for incoming data.
• The default transport protocol for contacting all Cisco IOS devices running IOS versions 12.3 and later, Cisco IOS IPS routers, IPS sensors, Catalyst 6500 Series switches, Cisco 7600 Series routers, and routers running Cisco IOS software release 12.1 and 12.2.
• The credentials that Security Manager uses to contact the device for various operations, such as deployment, discovery, and rollback of configurations. For more information, see About Security Manager and Device Authentication.
• The certificate authentication mechanism to be used for IPS devices, IOS devices, firewall devices, FWSMs, and ASAs.
• The default HTTPS port number to be used for secure communication between Security Manager (as well as management and monitoring tools that use HTTPS) and a device.
• Whether Security Manager will apply changes to SSH keys made directly on the device.
When you add routers running Cisco IOS software versions 12.1, 12.2, and associated releases from the CiscoWorks DCR into the Security Manager inventory, Security Manager uses the option you selected from the Transport Protocol (IOS Routers 12.3 and above) list of the Device Communications page to communicate with these devices, regardless of the option you selected from the Transport Protocol (IOS Routers 12.2, 12.1) list. Security Manager has a limitation that it uses the same transport protocol configured for routers running Cisco IOS version 12.3 and later to communicate with routers running Cisco IOS versions 12.1, 12.2, and associated releases as well.
The protocol used to contact Cisco IOS routers running versions 12.3 and later might be incompatible with Cisco IOS routers running versions 12.1, 12.2, and associated releases. As a result, device addition from DCR to Security Manager might fail. To work around this problem, select a protocol that is supported on Cisco IOS version 12.1 and 12.2 routers, such as Telnet or SSH, from the Transport Protocol (IOS Routers 12.3 and above) list of the Device Communications page to add the routers running 12.1 or 12.2 versions from DCR to Security Manager. After you add the routers running Cisco IOS versions 12.1, 12.2, and associated releases to Security Manager, select a different protocol that is compatible with Cisco IOS 12.3 routers, such as SSL, from the Transport Protocol (IOS Routers 12.3 and above) list to add routers running Cisco IOS software versions 12.3 or higher to Security Manager.
To make changes for only a single device, see Working with Device Policies, page 5-54.
The following topics describe device communication settings:
• Defining Connection and Transport Protocol Settings in the UI
• Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices
About Security Manager and Device Authentication
In Security Manager 3.0.1 and earlier, Security Manager used the credentials that you entered on the Device Credentials page or on the Device Properties page to log in to a device. You must also configure these credentials on the device if local authentication is used, or on an external AAA server, such as Cisco Secure Access Control Server (ACS), if the device is configured to perform authentication with the external AAA server. These credentials are called Security Manager device credentials: a set of user credentials specified on each device and also stored in the Security Manager inventory or in the Device and Credential Admin (DCA) in DCR. To connect to the device, Security Manager uses these credentials regardless of the credentials that were entered to log in to Security Manager.
Using Security Manager device credentials has a drawback in environments where user accounts and suitable privileges for device-level access have already been configured. In such scenarios, an external AAA server, such as ACS, might be used to perform user authentication, and AAA or TACACS+ accounting would be used for auditing purposes. TACACS+ accounting records provide information on the user who configured CLI commands on a device. In addition, creating a separate user account in the Security Manager database and on the device solely for Security Manager to contact the device might not be beneficial. If the Security Manager device credentials are used to connect to the device, the related TACACS+ accounting records would not accurately indicate the user ID that originated the request that resulted in a particular CLI configuration change on the device.
In Security Manager 3.1, you can configure Security Manager to contact the device using the credentials that were used to log in to Security Manager, instead of the credentials defined on the Device Credentials page or Device Properties page. These credentials are called Security Manager user login credentials. This option is useful when you use TACACS+ or RADIUS accounting for auditing purposes, when you have already configured user accounts in an external AAA server with suitable permissions for device-level access, or when Security Manager and the device are configured to authenticate users using an external AAA server, such as ACS.
Login credentials are cached by Security Manager when you successfully log in to the CiscoWorks and Cisco Security Management Suite home pages. These credentials are discarded when you exit the Security Manager client or the idle session timeout period is exceeded. For any Security Manager operation that requires access to the device, such as discovery, deployment, rollback, and preview, the cached user credentials are retrieved and added to the authentication request sent to the device.
Defining Connection and Transport Protocol Settings in the UI
This procedure will help you define device communication settings.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Device Communication. The Device Communication settings window opens. For a description of the fields on this page, see Table A-5 on page A-11.
Step 3
Under Device Connection Parameters, perform the following:
a.
Enter the number of seconds for Device Connection timeout.
b.
Enter a value for Retry Count.
c.
Enter the number of seconds for Socket Read timeout for SSH and telnet sessions.
d.
Select a default transport protocol for contacting all Cisco IOS IPS devices and IPS sensors from the list if needed.
e.
Select a default transport protocol for contacting all Cisco IOS devices running IOS versions 12.3 and later from the list if needed.
f.
Select a default transport protocol for contacting all Catalyst 6500 Series switches and Cisco 7600 Series routers from the list if needed.
g.
Select a default transport protocol for contacting all routers running Cisco IOS software version 12.1 or 12.2 from the list if needed.
Note
The selection does not apply to Catalyst 6500/6000 series switches running Cisco IOS software 12.2 or earlier.
h.
Select the authentication mechanism to use when Security Manager contacts the device from the list. For more information, see About Security Manager and Device Authentication.
Step 4
Under SSL Certificate Parameters, perform the following:
a.
Select a certificate authentication method for devices using SSL:
– Retrieve while adding devices enables Security Manager to automatically obtain certificates from devices while you add one or more devices from the network or DCR. Security Manager calculates the device certificate thumbprints and stores the calculated thumbprint(s) in the certificate data store. For information and procedures, see Adding Devices to the Security Manager Inventory, page 5-30.
– Manually add certificates prevents Security Manager from automatically accepting certificates using the Add Device From Network or the Add Device From DCR wizards (see Adding Devices to the Security Manager Inventory, page 5-30). You must add the device thumbprint manually before you add the devices. See Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices.
– Do not use certificate authentication prevents automatic certificate validation for devices using SSL.
Caution
This option leaves your system vulnerable to third-party interference with device validation (for example, a host impersonating a device by presenting a forged certificate would not be detected). We recommend that you use only the Retrieve while adding devices or Manually add certificates options.
b.
Select the Accept Device SSL Certificate after Rollback check box if you want Security Manager to obtain the certificate installed on a firewall device, FWSM, ASA, or Cisco IOS router after you perform a configuration rollback.
Note
This applies only for devices that use SSL as their transport protocol.
Note
To add the device certificate thumbprint immediately, see Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices.
Step 5
Enter the default HTTPS port number to be used for secure communication between a device and Security Manager if needed. This port number is used by HTTPS for all devices managed by Security Manager. The HTTPS port number you specify here overrides the port number that you configured for the device in the HTTP policy in the Device Access section.
Note
If you configure the local HTTP policy to be a shared policy and assign the HTTP policy to multiple devices, the HTTPS port number setting in the shared policy overrides the port number configured in the Device Credentials page for all devices to which the policy is assigned.
Step 6
To allow Security Manager to apply changes to the device's SSH keys when they are updated directly on the device, select Overwrite SSH Keys.
Step 7
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Step 8
Click Yes in the confirmation dialog box to confirm your choice. A message states that this action was successful.
Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices
Security Manager enables you to authenticate an IPS device, Cisco IOS device, or PIX/ASA/FWSM device by validating the certificate installed on the device. Note that this is true only for devices that use SSL as their transport protocol.
This procedure will help you manually add device certificates.
Before You Begin
Make sure that the certificate thumbprint (hexadecimal string) is available.
Tip
If the thumbprint is not readily available, you can copy it from the error message that is displayed when you add a live device, or a device from the network, or from the DCR.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Device Communication. The Device Communication settings window opens.
Step 3
Ensure that the device type for which you are entering a certificate is set to Manually add certificates, then click Add Certificate.
The Add Certificate dialog box appears. For a description of the fields in this dialog box, see Table A-6 on page A-15.
Step 4
Enter the Host Name or IP Address of the device.
Step 5
Enter the Certificate Thumbprint in its hexadecimal form.
Step 6
To initiate device contact and to apply and save the changes, click OK. A confirmation dialog box states that changes were saved.
Note
The OK button becomes active only when at least 32 characters of the thumbprint are entered (32 hexadecimal characters is the length of an MD5 hash).
Step 7
Click OK in the message that indicates that the action was successful.
Step 8
From the Device Communication page, click Save.
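The thumbprint check behind the Manually add certificates option and the Add Certificate dialog, as an added example that is not part of the Security Manager documentation or product: it normalizes a pasted thumbprint (the 32-hexadecimal-character MD5 form the dialog expects, or SHA-1/SHA-256 if that is what the device console shows), hashes the certificate's DER bytes, and compares the two in constant time. The optional live-fetch helper uses Python's standard ssl module; the sample certificate bytes are constructed placeholder data, not a real certificate.

```python
"""Out-of-band verification of a device SSL certificate thumbprint.

Added example (not Security Manager code). An administrator can use it to
compute the thumbprint of a certificate obtained from the device itself and
compare it with the value copied from the Add Device error message before
pasting that value into the Add Certificate dialog.
"""
import hashlib
import hmac
import re
import ssl

# Hex-digest lengths the dialog and device "show" output commonly use.
# MD5 is 128 bits, which is the 32 hexadecimal characters the dialog requires.
THUMBPRINT_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_thumbprint(text: str) -> str:
    """Strip colons, whitespace and case from a pasted thumbprint.

    Raises ValueError when the cleaned value is not a hex digest of a known
    length, mirroring the dialog keeping OK disabled on short input.
    """
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("thumbprint contains non-hexadecimal characters")
    if len(cleaned) not in THUMBPRINT_LENGTHS:
        raise ValueError(f"unexpected thumbprint length {len(cleaned)}")
    return cleaned


def certificate_thumbprint(der_cert: bytes, algorithm: str = "md5") -> str:
    """A certificate thumbprint is the hash of its DER encoding."""
    return hashlib.new(algorithm, der_cert).hexdigest()


def thumbprint_matches(expected: str, der_cert: bytes) -> bool:
    """Compare a recorded thumbprint with the certificate actually presented.

    The hash algorithm is inferred from the length of the expected value;
    hmac.compare_digest avoids leaking the position of the first mismatch.
    """
    expected = normalize_thumbprint(expected)
    algorithm = THUMBPRINT_LENGTHS[len(expected)]
    return hmac.compare_digest(expected, certificate_thumbprint(der_cert, algorithm))


def fetch_device_certificate(host: str, port: int = 443) -> bytes:
    """Retrieve the certificate a live device presents, as DER bytes.

    No chain validation happens here on purpose: the device's identity is not
    yet pinned, so the result is only meaningful once thumbprint_matches()
    has compared it with a value obtained out of band (console or serial).
    Not called by the offline demonstration below.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-in for a device certificate (placeholder, not real DER).
SAMPLE_DER = b"constructed-device-certificate-bytes"

if __name__ == "__main__":
    recorded = certificate_thumbprint(SAMPLE_DER)  # value the admin wrote down
    # The same value as a device console would print it: colon-separated, upper case.
    pasted = ":".join(recorded[i:i + 2] for i in range(0, 32, 2)).upper()
    print("genuine certificate matches:", thumbprint_matches(pasted, SAMPLE_DER))
    print("altered certificate matches:", thumbprint_matches(pasted, SAMPLE_DER + b"x"))
```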
Defining SSH by Editing the DCS Properties File
Security Manager works with the SSH transport protocols known as SSH1 and SSH2. SSH2 encryption algorithms, or ciphers, are negotiated between the device and Security Manager. Security Manager stores the device public keys in a known_hosts file in the .../CSCOpx/MDC/be/tmp/.ssh directory. The protocol version in use on a particular device is detected automatically and used by Security Manager to deploy to the device. For devices managed by Security Manager that support SSH1, the default encryption algorithm, or cipher, is DES (Data Encryption Standard).
You make the following global changes to devices by editing the DCS properties file:
• Change the encryption algorithm for devices using SSH1.
• Choose whether Security Manager applies changes in the SSH keys for a device when these are updated directly on the device.
• Edit a list of warning expressions generated during deployment for all devices.
Note
You must restart the daemon manager to see changes after you edit the DCS.properties file.
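An audit of the known_hosts file described above, as an added example that is not part of the Security Manager documentation or product; it assumes the file uses the standard OpenSSH known_hosts layout, parses each entry, computes OpenSSH-style SHA256 fingerprints, flags SSH1-format entries (the legacy protocol for which DES is the default cipher), and reports devices whose key differs from a saved baseline, the situation the Overwrite SSH Keys setting governs. The sample entries and key bytes are constructed placeholders, not real device keys.

```python
"""Audit the SSH host keys cached for managed devices.

Added example (not Security Manager code). Assumes the known_hosts file follows
the OpenSSH format: "host[,host...] key-type base64-key" per line, with SSH1
entries written as "host bits exponent modulus". Key material is constructed.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HostKey:
    """One SSH2 known_hosts entry: host patterns, key type, decoded key blob."""
    hosts: tuple
    key_type: str
    blob: bytes

    def fingerprint(self) -> str:
        """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Return (SSH2 entries, hosts that have SSH1-format lines).

    Blank lines, comments and malformed lines are skipped. SSH1 lines carry a
    numeric key size instead of a key type, so they are reported separately.
    """
    entries, ssh1_hosts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @revoked / @cert-authority marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, key_type, key_b64 = fields[0], fields[1], fields[2]
        if key_type.isdigit():               # SSH1 format: second column is key bits
            ssh1_hosts.extend(hosts.split(","))
            continue
        try:
            blob = base64.b64decode(key_b64, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        entries.append(HostKey(tuple(hosts.split(",")), key_type, blob))
    return entries, ssh1_hosts


def changed_keys(baseline, current) -> dict:
    """Map (host, key_type) -> (old_fp, new_fp) for hosts whose key changed.

    A changed key is either a legitimate rotation on the device or a sign of
    interception; Overwrite SSH Keys decides whether Security Manager adopts
    the new key automatically, so changes are worth reviewing either way.
    """
    def index(entries):
        fps = {}
        for entry in entries:
            for host in entry.hosts:
                fps[(host, entry.key_type)] = entry.fingerprint()
        return fps
    old, new = index(baseline), index(current)
    return {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample files; the key blobs are placeholder bytes, not real keys.
BASELINE = "\n".join([
    "# constructed sample known_hosts, not real device keys",
    f"10.0.0.1 ssh-rsa {_b64(b'constructed-key-one')}",
    f"fw-edge,10.0.0.2 ecdsa-sha2-nistp256 {_b64(b'constructed-key-two')}",
    "10.0.0.3 1024 35 1234567",          # SSH1-format entry
])
# Same file after 10.0.0.1's key was replaced directly on the device.
CURRENT = BASELINE.replace(_b64(b'constructed-key-one'),
                           _b64(b'constructed-key-one-rotated'))


def audit(baseline_text: str = BASELINE, current_text: str = CURRENT) -> dict:
    """Print fingerprints and legacy entries; return the changed-key report."""
    old, _ = parse_known_hosts(baseline_text)
    new, ssh1 = parse_known_hosts(current_text)
    for host in ssh1:
        print(f"{host}: SSH1-format key (legacy protocol)")
    for entry in new:
        print(f"{','.join(entry.hosts)} {entry.key_type} {entry.fingerprint()}")
    return changed_keys(old, new)


if __name__ == "__main__":
    for (host, key_type), (old_fp, new_fp) in audit().items():
        print(f"KEY CHANGED for {host} ({key_type}): {old_fp} -> {new_fp}")
```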
Related Topics
• Managing Devices, page 5-1
• Preparing the Devices for Security Manager to Manage, page 5-2
Working with Device Groups
Grouping devices enables you to view a subset of devices that have similar group attributes.
You can create groups and assign devices to them when you add devices, or you can create the groups later, using the Device Groups page under the Tools menu. From the Device Groups page, you can create group types and groups, delete groups, and modify group names. To access this page, select Tools > Security Manager Administration > Device Groups. For the procedure, see Working With Device Groups, page 5-59.
Note
Device groups and subgroups are simple, arbitrary, organizational collections of devices that you create for more effective network visualization. They are not policy-sharing entities. They are distinct from the various policy object groups (for example: AAA server group objects, service group objects, and user group objects).
Related Topics
• Understanding Device Grouping, page 5-57
• Working With Device Groups, page 5-59
• Adding Devices to Device Groups, page 5-62
• Edit Device Groups Page, page C-66
Defining Discovery Settings
From the Discovery page you can define how long to keep a record of discovery and device-import tasks. Any tasks older than the number of days you specify will be deleted. You can also determine whether to substitute any matching named objects that are already defined in Security Manager for any inline values found in the CLI, and whether to roll back all policies if an error is encountered during policy discovery.
This procedure will help you define settings for policy and device discovery.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Discovery. The Discovery page appears in the right-hand pane. For a description of the fields on this page, see Table A-9 on page A-18.
Step 3
To prepend device names when generating security context names, select the Prepend Device Names when Generating Security Context Names check box.
Note
By selecting this option, you disable Security Manager's method for ensuring unique names. Instead, Security Manager will append a number to any duplicate name it encounters. (So, for example, the name "mydevice" when encountered a second time would be rendered as "mydevice_01".)
Step 4
To change the number of days you keep discovery and device import tasks, enter a new value in the Purge discovery tasks older than (days) text field.
Step 5
To substitute any named policy objects already defined in Security Manager for inline values in the CLI, select the Reuse policy objects for inline values check box. For more information, see Preserving User-Defined ACL Names, page 12-56.
Step 6
To override the parent object values at the device level for certain devices, select the Allow Device Override for Discovered Policy Objects check box. For more information, see Overriding Global Objects for Individual Devices, page 8-196.
Step 7
To roll back all discovered policies if even one error is encountered for a single policy, select the On error, rollback discovery for entire device check box.
Step 8
To auto-expand object groups that have particular prefixes, type those prefixes in the Auto-Expand object-groups with prefixes box. Separate the prefixes you type with a comma. This expansion causes the specified items to display as separate CLI during discovery. For more information, see Expanding Object Groups During Discovery, page 12-49.
Step 9
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 10
Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
• Frequently Asked Questions about Policy Discovery, page 6-13
• Understanding the Policy Object Manager Window, page 8-5
Administering IPS Update Settings
The administrative settings for IPS updates in Security Manager are contained on the IPS Updates page. This section contains the following procedures for establishing IPS update settings:
• Establishing the IPS Update Server
• Administering IPS Updates
• Automating IPS Updates
Establishing the IPS Update Server
To obtain the latest IPS sensor update packages, you must first establish the settings for the IPS update server that provides that update information.
This procedure will help you define settings for update server and update policy.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click IPS Updates. The IPS Updates page appears in the right-hand pane. For a description of the fields on this page, see Table A-10 on page A-20.
Step 3
In the Update Server area, click Edit Settings.
The Edit Update Server Settings dialog box appears.
Step 4
Add (or modify) the following:
•
IP Address or Host Name
•
Web Server Port
•
Username
•
Password and confirmation (two fields)
•
Path to Update files
Step 5
To connect using SSL, select the Connect Using HTTPS check box.
Step 6
To enable a proxy server, select the Enable Proxy Server check box.
Step 7
In the proxy server area, add (or modify) the following:
•
IP Address or Host Name
•
Web Server Port
•
User Name
•
Password and confirmation (two fields)
Step 8
Click OK.
Tip
To test connectivity to the IPS server or proxy server, you can perform the IPS update procedure. For information, see Administering IPS Updates.
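The Tip above says the only built-in connectivity test is to run an update. As an added example that is not part of this guide or of Security Manager, the following Python script reproduces the same request from an administrator's workstation: it builds the update URL from the values entered in Step 4 through Step 7, flags insecure combinations before they are saved, and performs a certificate-verified HTTPS HEAD request with HTTP basic authentication, optionally through the proxy. The hostnames, credentials and path in SAMPLE are constructed placeholders; the dataclass field names are this example's own, not Security Manager's.

```python
import base64
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProxySettings:
    host: str
    port: int
    username: str = ""
    password: str = ""


@dataclass
class UpdateServerSettings:
    host: str
    port: int
    username: str
    password: str
    path: str                      # "Path to Update files"
    use_https: bool = True         # "Connect Using HTTPS"
    proxy: Optional[ProxySettings] = None


# Constructed placeholder values; substitute the ones entered in the dialog box.
SAMPLE = UpdateServerSettings(
    host="updates.example.net", port=443, username="ipsupdate",
    password="replace-me", path="ips/updates",
    proxy=ProxySettings(host="proxy.example.net", port=3128),
)


def update_url(s: UpdateServerSettings) -> str:
    scheme = "https" if s.use_https else "http"
    return "%s://%s:%d/%s/" % (scheme, s.host, s.port, s.path.strip("/"))


def audit_settings(s: UpdateServerSettings) -> list:
    """Findings worth fixing before Save: the update credentials and the
    signature packages themselves should not cross the network unprotected."""
    findings = []
    if not s.use_https:
        findings.append("Connect Using HTTPS is off: username, password and "
                        "update packages travel in cleartext")
    if s.use_https and s.port == 80:
        findings.append("HTTPS selected but Web Server Port is 80")
    if s.proxy and s.proxy.username and not s.use_https:
        findings.append("proxy credentials are sent with a cleartext request")
    if not s.path.strip("/"):
        findings.append("Path to Update files is empty")
    return findings


def build_opener(s: UpdateServerSettings, cafile: Optional[str] = None):
    """Opener that verifies the server certificate (system CAs or cafile) and
    tunnels through the configured proxy, sending proxy credentials if given."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies cert and hostname
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if s.proxy:
        cred = "%s:%s@" % (s.proxy.username, s.proxy.password) if s.proxy.username else ""
        proxy_url = "http://%s%s:%d" % (cred, s.proxy.host, s.proxy.port)
        handlers.append(urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    return urllib.request.build_opener(*handlers)


def check_update_server(s: UpdateServerSettings, opener=None, timeout: float = 10.0):
    """HEAD the update directory with HTTP basic auth; returns (reachable, detail).

    An HTTP error still proves the server (and proxy) answered; a TLS or socket
    error means the settings, the certificate chain or the network path is wrong.
    """
    opener = opener or build_opener(s)
    req = urllib.request.Request(update_url(s), method="HEAD")
    token = base64.b64encode(("%s:%s" % (s.username, s.password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status < 400, "HTTP %d" % resp.status
    except urllib.error.HTTPError as err:
        return False, "HTTP %d" % err.code
    except (urllib.error.URLError, ssl.SSLError, OSError) as err:
        return False, "connection failed: %s" % err


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print("WARNING:", finding)
    print(check_update_server(SAMPLE))
```

Run it before you click OK in Step 8: a certificate verification failure here means Security Manager will either fail the same way or, if verification is relaxed on the server side, fetch signature packages from a host it has not authenticated.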
Administering IPS Updates
From the Update Status section of the IPS Updates page you can view IPS update status, check the availability of IPS updates, and download the latest IPS updates.
Before you can administer IPS updates you must establish the IPS update server. For the procedure to establish the server, see Establishing the IPS Update Server.
For more information on IPS in Security Manager, see Chapter 13, "Managing IPS Services."
This procedure will help you view update status and download IPS updates.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click IPS Updates. The IPS Updates page appears in the right-hand pane. For a description of the fields on this page, see Table A-10 on page A-20.
Step 3
Review the status listing of IPS update information, as required.
Step 4
To determine whether new IPS updates are available, click Check for Updates.
The Checking Sensor Updates dialog box appears.
Step 5
Click Start.
Security Manager contacts the IPS update server for the information. When finished, the results are listed in the Update Status section.
Step 6
To download the latest updates, click Download Latest Updates.
The Downloading Sensor Updates dialog box appears.
Step 7
Click Start.
Automating IPS Updates
Security Manager provides administrators with a variety of options for automating the IPS updates. Checking for, downloading, applying, and deploying IPS updates can be separately selected for automation. For more information about using IPS for network sensing, see Understanding Network Sensing, page 13-2.
From the Auto Update Settings section of the IPS Updates page you can:
•
Set the auto update mode
•
Specify the source of updates
•
Specify the notification email address for updates
•
Determine how to deploy updates
•
Specify the scope to which to apply automatic updates
This procedure will help you administer automatic IPS updates.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click IPS Updates. The IPS Updates page appears in the right-hand pane. For a description of the fields on this page, see Table A-10 on page A-20.
Tip
If you have not done so already, establish an IPS update server. For details, see Establishing the IPS Update Server.
Step 3
In the Auto Update Settings area in the lower portion of the IPS Updates page, select an Auto Update Mode to establish the extent of automation. Choices include:
•
Download, Apply, and Deploy Updates
•
Disable Auto Update (the default)
•
Check for Updates
•
Download Updates
•
Download and Apply Updates
Step 4
To specify the time of day at which to check for updates, enter the time (in hh:mm:ss format) in the Check for Updates At field. Once auto update is enabled, the check runs daily at that time.
Step 5
To specify an email address to which update notification is sent, enter the address in the Notify Email field.
Step 6
From the Deploy Updates list, select whether updates are to be deployed when applied, or at a given time. If you select timed deployment, specify the deployment time (in hh:mm:ss format) in the Time field. In non-Workflow mode, "when applied" is the only choice.
Step 7
In the Apply Update To box, specify whether to apply updates to local or shared Update Levels policies. If you select local policy update application, further specify the extent of the policy update in the device selector that appears.
Step 8
Use the Devices Assigned to Selected Policies window to monitor which devices are assigned to which policies.
Step 9
To modify existing signature update policies, perform the following steps:
a.
Select a device row and click Edit Row (pencil icon).
The Modify Signature Update Policies dialog box appears.
b.
From the Auto Update list, select the level of updates you want to apply to the selected row. Choices include the following:
•
None (default)
•
Minor Updates and Service Packs
•
Service Packs
c.
To enable signatures to be automatically updated, select the Auto Update Signature Update Level.
d.
Click OK.
Step 10
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults. Reset and Restore Defaults do not apply to the settings in the Apply Update To Table or to the setting in the Update Status area.
Administering Licenses
This section details license administration information and procedures. The following topics describe topics covering both Security Manager licenses and IPS licenses:
•
Installing Security Manager License Files
•
Updating IPS License Files
•
Redeploying IPS License Files
•
Automating IPS License File Updates
•
Getting Help with Licensing
Installing Security Manager License Files
The terms of your Security Manager software license determine many things, including the features that are available to you and the number of devices that you can manage. For licensing purposes, the device count includes any physical device, security context, or Catalyst security services module that uses an IP address. Failover pairs count as one device.
When you upgrade from an earlier release, Security Manager does not prompt you for a license; instead, it retains your license and continues to enforce its terms. If you upgrade during a free evaluation, the remaining time in your evaluation period does not change.
Note
For a complete list of Cisco part numbers for the Security Manager kits and licenses that you can purchase, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/prod_bulletin0900aecd8062bd79.html.
Two license types, Standard and Professional, are available, in addition to a free 90-day evaluation period, restricted to 50 devices.
•
Security Manager and IPS Manager share one base license file and share as many other, additional licenses as you might purchase. To obtain the base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package.
–
If you are a registered Cisco.com user, start here:
http://www.cisco.com/go/license
–
If you are not a registered Cisco.com user, start here:
http://tools.cisco.com/RPF/register/register.do
After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.
•
Common Services does not require a license file.
•
Auto Update Server does not require a license file.
•
Your license files for Resource Manager Essentials (RME.lic) and Performance Monitor (mcpULperm.lic) are in the \license_files folder on your Security Manager installation DVD.
Standard Edition
If you purchase the Standard Edition, your license supports:
•
One installation of Security Manager on one Windows-based server.
•
The configuration or management of 5 devices (in the Standard-5 option) or 25 devices (in the Standard-25 option), excluding Catalyst 6500 and 7600 Series devices and their associated service modules.
If you purchase either the Standard-5 or Standard-25 license, you cannot purchase an incremental device license. Your license is fixed at either 5 or 25 devices.
Professional Edition
If you purchase the Professional Edition, your license supports:
•
One installation of Security Manager on one Windows-based server.
•
The configuration and management of 50 devices of all kinds (including Catalyst 6500 and 7600 Series devices and their associated service modules), with an option to purchase additional device license increments — 50-, 100-, 500-, or 1,000-device licenses.
License limits are imposed when you exceed the allotted time (in the case of the evaluation license), or the number of devices that your license allows you to manage. The evaluation license provides the same privileges as the Professional Edition license. It is important that you register Security Manager as soon as you can within the first 90 days, and for the number of devices that you need, to ensure uninterrupted use of the product. Each time you start the application you are reminded of how many days remain on your evaluation license, and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you are prevented from logging in until you upgrade your license.
Note
You must store your license files on a disk that is local to your Security Manager server. Security Manager does not see mapped drives if you use it to browse directories on your server. Windows imposes this limitation, which serves to improve Security Manager performance and security. For more information, log in to your Cisco.com account, then use Support's Bug Toolkit to learn about bug CSCsb43414.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Licensing.
Step 3
Select the CSM tab. For a description of the fields on this page, see Table A-12 on page A-26.
Step 4
Click Install a License. If you already have the license file, go to Step 8; otherwise, continue with Step 5 to register the product and obtain one.
Step 5
Perform either of the following steps to complete product registration and to obtain a new production license from Cisco.com:
a.
Go to http://www.cisco.com/go/license (login required).
or
b.
Go to http://tools.cisco.com/RPF/register/register.do.
After you register, a Product Authorization Key (PAK) is sent to the e-mail address you provided during registration. In addition to the PAK and license for Security Manager, you might receive one additional PAK for each incremental device count pack you purchased. Retain these with your Cisco Security Manager software records.
Step 6
Repeat Step 5 for each solution product you are licensing until all PAKs and licenses have been sent. You must transfer the license files onto the Security Manager server if they are not already there, using FTP or some other means. The license file must be on a local drive like C: or D:, not on a mapped drive like O:, or CSM cannot use it.
Step 7
Click Upgrade License again if the Upgrade License dialog box with the Browse button is no longer visible.
Step 8
Click Browse to navigate to the folder containing the license file.
Step 9
Select the file.
Step 10
Click OK.
Updating IPS License Files
The following procedure details how to obtain and apply IPS license updates. For information on how to configure Security Manager to automatically download and apply IPS licenses on a regular schedule, see Automating IPS License File Updates. For information on
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Licensing.
Step 3
Click on the IPS tab in the upper left of the page. For a description of the fields on this page, see Table A-13 on page A-27.
The main window displays the current IPS license details, including the following parameters:
•
Type
•
Device
•
Serial Number
•
Status (valid, invalid, expired, no license, or trial license)
•
Expiration date
Step 4
To update from a stored license file, click Update from License File. The Updating Licenses from File dialog box appears.
Step 5
Click Browse.
Step 6
In the Choose the License Files window, navigate to the location of the license file update, select it, and click OK. The license file is obtained and applied.
Step 7
To update licenses via CCO, select the device license to update and then click Update Selected via CCO. Review the list of devices in the dialog box that appears, and click OK.
Step 8
In the warning box, confirm the update by clicking OK. The license file is obtained and applied.
Redeploying IPS License Files
The following procedure details how to redeploy IPS licenses in the event that the update fails to apply the new license file. Redeployment requires that you first perform an update.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Licensing.
Step 3
Click on the IPS tab in the upper left of the page. For a description of the fields on this page, see Table A-13 on page A-27.
Step 4
Select the IPS device or IPS devices to update.
Step 5
Click Redeploy Selected License.
Step 6
Review the list of devices in the dialog box that appears, and click OK.
Step 7
The License Update Status Details page appears and displays all relevant details about the status of the license update for the IPS device(s) that was (were) selected for update.
Automating IPS License File Updates
The following procedure details how to configure automatic IPS license downloading and application. This sets Security Manager to download and apply all license files on a regular basis with a frequency that you can determine.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Licensing.
Step 3
Click on the IPS tab in the upper left of the page. For a description of the fields on this page, see Table A-13 on page A-27.
Step 4
To set the system to automatically download and apply IPS licenses, select Download and Apply Licenses Automatically.
Step 5
Select from the Check list how often Security Manager should check for new licenses. You can specify the frequency of the checking as:
•
Daily: Once a day at midnight
•
Weekly: Once a week at midnight on Sunday
•
Monthly: Once a month at midnight on the first day of the month.
Getting Help with Licensing
If you have trouble using the registration website, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):
•
Phone: +1 (800) 553-2447
•
E-Mail: licensing@cisco.com
•
http://www.cisco.com/tac
Archiving Log Files
When state changes occur in Security Manager, an event is generated and an audit entry is created in the audit log. You can display the aggregated results of the audit entries by defining the parameters in the audit report page. The System Administration Logs page enables you to determine how long to keep log files archived.
This procedure will help you define the detail level and the purge settings for log files.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Logs. The Logs page appears in the right-hand pane. For a description of the fields on this page, see Table A-18 on page A-31.
Step 3
To specify how many days to keep the logs, enter a new value in the Keep Audit Log For text box.
Step 4
Click Purge Now to delete logs older than the number of days you specify.
Step 5
To specify the maximum number of audit log entries to keep, enter a new value in the Purge Audit Log after text box.
Note
Logs are purged according to whichever limit, days or entries, is reached first.
Step 6
To specify how many days you keep the operation logs, enter a new value in the Keep Operation Log For text box.
Step 7
Adjust the Log Level according to the amount of data you wish to capture.
Step 8
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 9
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
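As an added example, not from this guide and not Security Manager code, the Python below applies the two limits from Step 3 and Step 5 to a constructed list of audit entries the way the Note describes (an entry survives only if it passes both limits), and serializes the entries that would be lost as JSON lines with a SHA-256 digest so they can be archived, and later checked for tampering, before you click Purge Now. The entry contents and retention values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed audit entries (timestamp, user, action); not real Security Manager data.
NOW = datetime(2024, 1, 31, 12, 0, 0)
SAMPLE_AUDIT = [
    (NOW - timedelta(days=d), user, action)
    for d, user, action in [
        (0, "admin", "Deploy job submitted"),
        (1, "netops1", "Activity approved"),
        (2, "netops2", "Policy object modified"),
        (5, "admin", "User session taken over"),
        (9, "netops1", "Login failed"),
        (15, "admin", "Login"),
        (30, "netops2", "Device discovered"),
    ]
]


def plan_purge(entries, keep_days, max_entries, now=NOW):
    """Split entries into (kept, purged) under both limits.

    An entry survives only if it is younger than keep_days AND among the
    max_entries newest, so whichever limit is reached first decides.
    """
    newest_first = sorted(entries, key=lambda e: e[0], reverse=True)
    cutoff = now - timedelta(days=keep_days)
    kept = [e for e in newest_first[:max_entries] if e[0] >= cutoff]
    purged = newest_first[len(kept):]     # kept is always a prefix of newest_first
    return kept, purged


def archive_jsonl(entries):
    """Serialize entries as JSON lines, oldest first, with a SHA-256 of the
    exact bytes so the archive can be verified later."""
    lines = [json.dumps({"time": t.isoformat(), "user": u, "action": a})
             for t, u, a in sorted(entries, key=lambda e: e[0])]
    text = "\n".join(lines) + ("\n" if lines else "")
    return text, hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    kept, purged = plan_purge(SAMPLE_AUDIT, keep_days=7, max_entries=1000)
    text, digest = archive_jsonl(purged)
    print("%d entries kept, %d to archive, sha256=%s" % (len(kept), len(purged), digest))
    print(text, end="")
```

Keep the digest separately from the archive (for example in the change ticket that records the purge); an archive whose recomputed digest no longer matches is not evidence you can rely on.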
Related Topics
•
Audit Report Page, page Q-8
•
Understanding Audit Reports, page 20-7
Defining Policy Management Settings
Customizing policy management settings on a Cisco IOS router makes it possible, for example, to use Security Manager to manage DHCP and NAT policies on Cisco IOS routers while leaving routing protocol policies, such as EIGRP and RIP, unmanaged. These settings, which can be modified only by a user with administrative permissions, apply globally in Security Manager.
Unmanaged policies are removed from both Device view and Policy view. Any unmanaged policies, local or shared, are removed from the Security Manager database.
You cannot unmanage a policy type if policies of that type are configured and assigned in Security Manager. You must first remove the assignments and then unmanage the policy type. If the configurations defined by those policies have already been deployed, they remain in place on the devices, but the policies are no longer stored in the database or accessible from the Security Manager interface.
Tip
You can make changes to unmanaged policies using FlexConfigs (see Understanding FlexConfig Objects, page 8-52) or the CLI.
This procedure will help you define Cisco IOS router policy settings.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Policy Management. The Policy Management page appears in the right-hand pane. For a description of the fields on this page, see Table A-19 on page A-33.
Step 3
Expand NAT and Router Platform folders to see a complete list of those policy types.
Step 4
Deselect the check boxes for each policy type that you do not want to manage using Security Manager.
Step 5
Click Save to apply and save changes. A warning message states that unmanaged policies will be removed from Device view and Policy view.
If you deselected a policy type that is assigned to even one device, an error is displayed. The error message lists the assigned policies, the devices to which they are assigned, and the user or activity associated with each assignment.
Note
If you get this error message, click Cancel and manually remove the assignments in Policy view or Device view, then repeat this procedure from Step 1. If the activities of other users are involved, those users must remove the assignments in question. For detailed procedures, see Working with Activities, page 7-9.
Step 6
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 7
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
•
Advanced Policy Features, page 6-49
•
Managing Policies, page 6-1
•
Managing Routers, page 14-1
•
Managing Shared Policies in Policy View, page 6-40
•
Understanding Policies, page 6-1
Defining Policy Object Settings
Two different types of settings can be defined from the Policy Object settings page. When you are about to create an object whose definition conflicts with, or matches identically with the definition of another object, you can have Security Manager warn, prevent, or, if appropriate, ignore the event completely. You can also define port list ranges for service ports from this page.
This procedure will help you define policy object settings.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Policy Objects. The Policy Objects page appears in the right-hand pane. For a description of the fields on this page, see Table A-20 on page A-34.
Step 3
Select the action you want Security Manager to take when you try to create a policy object that is identical to an existing object.
Step 4
To change Default Source Ports used in the creation of Port List Objects, use the list to the right of the Default Source Ports field.
Note
If you change the default source port, you must manually redeploy any deployed devices that might be affected. These redeployments might not be reflected in any open activities until you refresh the data.
Step 5
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 6
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
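The three behaviours selectable in Step 3 (warn, prevent, ignore) are easy to misjudge if "identical" is read as "spelled the same". As an added example, not from this guide and not Security Manager code, the following Python goes a step beyond the page: it reduces each network object definition (hosts, CIDRs, netmasks, address ranges) to a canonical set of collapsed networks, so two objects count as identical when they cover exactly the same addresses, and then enforces the chosen behaviour. The class name, the object names and the address values are assumptions for the illustration.

```python
import ipaddress


def canonical(definition):
    """Reduce a network object's members (hosts, CIDRs, netmasks, 'a-b' ranges)
    to a frozenset of collapsed networks, so equivalent spellings compare equal."""
    by_version = {4: set(), 6: set()}
    for item in definition:
        item = item.strip()
        if "-" in item:                                   # "a-b" address range
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            for net in ipaddress.summarize_address_range(lo, hi):
                by_version[net.version].add(net)
        else:
            net = ipaddress.ip_network(item, strict=False)
            by_version[net.version].add(net)
    nets = set()
    for version_nets in by_version.values():     # collapse v4 and v6 separately
        nets.update(ipaddress.collapse_addresses(version_nets))
    return frozenset(nets)


class ObjectLibrary:
    """Mimics the three Policy Objects page behaviours for identical definitions."""

    def __init__(self, on_identical="warn"):
        if on_identical not in ("warn", "prevent", "ignore"):
            raise ValueError("on_identical must be warn, prevent or ignore")
        self.on_identical = on_identical
        self.objects = {}        # name -> canonical definition
        self.warnings = []

    def add(self, name, definition):
        """Add an object; returns the name of an identical existing object, or None."""
        key = canonical(definition)
        twin = next((n for n, k in self.objects.items() if k == key and n != name), None)
        if twin is not None:
            message = "%s is identical to existing object %s" % (name, twin)
            if self.on_identical == "prevent":
                raise ValueError(message)
            if self.on_identical == "warn":
                self.warnings.append(message)
        self.objects[name] = key
        return twin


if __name__ == "__main__":
    lib = ObjectLibrary("warn")
    lib.add("WEB_A", ["192.0.2.10", "192.0.2.11"])
    lib.add("WEB_B", ["192.0.2.10-192.0.2.11"])     # same coverage, different spelling
    for w in lib.warnings:
        print("WARNING:", w)
```

Duplicate objects matter for more than tidiness: a rule that references WEB_A is not updated when someone edits WEB_B, so the two drift apart while the configuration still looks deliberate.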
Related Topics
•
Managing Objects, page 8-1
Working with Server Security
Common Services provides the administrative functions that control a user's access to Security Manager. Security Manager exposes these functions through the Server Security page, whose buttons open the corresponding Common Services pages.
When you log in to Security Manager, your username and password are compared with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you established at installation as your AAA provider. After the authentication of your credentials, you have access according to the role you have been assigned.
For more information on Security Manager roles and privileges, including descriptions of how Common Services roles translate to user functions in Security Manager, see Setting Up User Permissions.
This procedure will help you modify Common Services security settings in Security Manager. Further details on each function are available from the Common Services Help system.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Server Security. The Server Security page appears in the right-hand pane. For a description of the fields on this page, see Table A-21 on page A-35.
Step 3
To adjust AAA mode setup, including login modules, click AAA Setup. The Common Services AAA Mode Setup page appears. Make changes as necessary; for details, click Help from the Common Services window or refer to the Common Services user documentation.
Step 4
To create or change the details of the self-signed certificate setup, click Certificate Setup. The Common Services Certificate Setup page appears. Make changes as necessary; for details, click Help from the Common Services window or refer to the Common Services user documentation.
Step 5
To create or change the details of the single sign-on setup, click Single Sign On. The Common Services Single Sign-On Setup page appears. Make changes as necessary; for details, click Help from the Common Services window or refer to the Common Services user documentation.
Step 6
To add or delete users or change the details of user permissions, click Local User Setup. The Common Services Local User Setup page appears. Make changes as necessary; for details, click Help from the Common Services window or refer to the Common Services user documentation.
Step 7
To create or change the details of the system identity setup, click System Identity Setup. The Common Services System Identity Setup page appears. Make changes as necessary; for details, click Help from the Common Services window or refer to the Common Services user documentation.
Step 8
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 9
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
•
Default Associations Between Permissions and Roles in Security Manager
•
Understanding Cisco Secure ACS Roles
•
Understanding CiscoWorks Roles
Working with Status Providers
Deployment and Monitoring Center for Performance (Performance Monitor) are the two status providers you can enable in this release. As a status provider, Performance Monitor collects the status of events, such as VPN tunnels, device connectivity, and CPU usage thresholds, and reports them to Security Manager. Enabling Deployment as a status provider allows Security Manager to report whether deployment succeeded or failed. Deployment is enabled by default on the Status page.
Performance Monitor, which is an external status provider, must be registered with Security Manager and needs to be authenticated by Security Manager to send status on events it is monitoring. Once credentials are authenticated, Security Manager begins to receive the status of events. This procedure will help you add and enable status providers.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Status. The Status page appears. For a description of the fields on this page, see Table A-22 on page A-37.
Note
Click the Provider column header to sort the Providers table according to the contents of that column. Click the column header again to sort the table in reverse order.
Step 3
Details about deployment to specific devices on the Status tab of the Inventory Status window are enabled by default; to turn them off, deselect the Deployment check box.
Step 4
To enable Performance Monitor, select Enabled from the list in the Status column to have Security Manager poll this provider for event status. If you do not select Enabled, the status provider definition is retained, but Security Manager will not poll the provider for updates.
Step 5
Click the Add button. The Add Status Provider dialog box opens. After you complete the definition, the new provider is listed in the Providers table. You can add up to five status providers. For more information, see Add Status Provider Dialog Box, page A-37.
Step 6
To edit a status provider, select a row in the Providers table, then click the Edit button. The Edit Status Provider dialog box opens. For more information, see Add Status Provider Dialog Box, page A-37.
Step 7
To delete a status provider, select a row in the Providers table, then click the Delete button. You are prompted to confirm the deletion. Click Yes to confirm the deletion.
Step 8
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 9
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
•
Add Status Provider Dialog Box, page A-37
•
Edit Status Provider Dialog Box, page A-39
•
Inventory Status Window, page Q-6
•
Understanding Inventory Status, page 20-6
Taking Over Another User's Work
A user with administrative privileges can take over the work of another user from the Take Over User session page in non-Workflow mode. This feature is useful when a user is working on devices and policies, causing the devices and policies to be locked, and another user needs access to the same devices and policies.
Note
You can take over another user session only if you have administrator privileges and are working in non-Workflow mode.
This procedure will help you take over the user session of another user.
Procedure
Step 1
Click Tools > Security Manager Administration.
Step 2
Click Take Over User Session. The Take Over User Session page appears in the right-hand pane. For a description of the fields on this page, see Table A-25 on page A-42.
Step 3
Click to highlight the user session you want to take over.
Step 4
Click Take over session.
Step 5
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 6
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
•
Activities and Multiple Users, page 7-5
•
Understanding Activities, page 7-2
Defining TMS (Token Management System) Settings
Security Manager uses FTP to deploy the configuration file to the TMS server, from which it can be downloaded and encrypted onto an eToken. Security Manager uses the server settings and password you provide to connect to the TMS server. Because FTP carries both the login credentials and the configuration file in cleartext, restrict the path between the Security Manager server and the TMS server to a trusted management network.
Note
To use TMS with Cisco IOS routers, you must specify TMS as the transport protocol in the device properties. (This is set by going to Device properties > DCS settings > Transport protocols. See Working with Device Policies, page 5-54.) You must also configure the TMS server as an FTP server, otherwise deployment will fail.
This procedure will help you configure TMS server settings.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click Token Management. The Token Management settings window opens. For a description of the fields on this page, see Table A-26 on page A-43.
The TMS server name, password information, directory where configuration files are to be copied, and public key file information fields all display defaults.
Step 3
Add or modify any of the following:
•
Server Name or IP Address
•
Username
•
Password and confirmation (two fields)
•
Directory on the TMS server onto which configuration files are to be copied
•
Public key full path location on the TMS server
Step 4
Click Save to apply and save changes. A confirmation dialog box states that changes were saved.
Note
You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.
Step 5
Click Yes to the confirmation dialog box to confirm your choice. A message indicates that this action was successful.
Related Topics
•
Understanding Deployment, page 18-1
•
Understanding Device Properties, page 5-51
Configuring VPN Policy Defaults
You use the VPN Policy Defaults page to view or assign the default VPN policies that Security Manager uses for each IPsec technology.
Security Manager uses VPN policy defaults to simplify VPN configuration while ensuring that policy consistency is maintained. Security Manager provides mandatory policies as factory defaults, which means they are configured on the devices in your VPN topology with predefined values, depending on the assigned IPsec technology. Factory default policies with their default configurations enable you to deploy to your devices immediately after creating the VPN topology. Factory default policies are private policies and are not viewable. Optional policies are not provided as factory defaults.
When you create a new VPN topology using the Create VPN wizard, you can configure new policies and, if you want, configure those policies as shared policies. You can assign an approved shared policy as a default policy. For more information, see Understanding VPN Default Policies, page 9-12.
The VPN Policy Default page in the Security Manager Administration section presents eight tabbed areas. Six of these tabs are for the following VPN technologies:
•
DMVPN
•
Large Scale DMVPN
•
Easy VPN
•
IPsec/GRE
•
GRE Dynamic IP
•
Regular IPsec
The other two tabs on this page cover default settings for S2S (site-to-site) Endpoints and Remote Access.
This procedure will help you view and configure VPN policy defaults. For information on assigning default VPN policies, see Assigning Default Policies to Your VPN Topology, page 9-31.
Procedure
Step 1
Select Tools > Security Manager Administration.
Step 2
Click VPN Policy Defaults. For a description of the fields on this page, see VPN Policy Defaults Page, page A-44.
Step 3
Click on the tab for the VPN technology for which you want to view or configure the defaults.
The names of the VPN policy defaults for the technology you selected are displayed.
Step 4
To change a policy's default assignment, select the new policy from the drop-down list and then click Save.
Note
In the drop-down list Security Manager displays all assignable shared policies.
Step 5
To view the setting details of a particular default policy, click View Content.
Note
Some policy types have empty factory defaults. When you try to view content of an empty policy type you receive the following message:
Info- There are no policy defaults for this policy type.
Step 6
Click Save to save and apply changes. A message confirms that your changes were saved successfully.
Note
Click Reset to restore all fields and check boxes to their previous values. Click Restore Defaults to restore Security Manager defaults.
Related Topics
•
VPN Policy Defaults Page, page A-44
•
Understanding VPN Default Policies, page 9-12
•
Assigning Default Policies to Your VPN Topology, page 9-31
•
Assigning the Default Remote Access VPN Policies, page 10-11