Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Setting Up and Managing Shared Profile Components

Table of Contents

Setting Up and Managing Shared Profile Components
Downloadable PIX ACLs
Network Access Restrictions
Command Authorization Sets

Setting Up and Managing Shared Profile Components


The Shared Profile Components section enables administrators to develop and name reusable, shared sets of authorization components which may be applied to one or more users or groups of users and referenced by name within their profiles. These comprise network access restrictions (NARs), command authorization sets, and downloadable PIX ACLs.

The Shared Profile Components section of Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) addresses the scalability of selective authorization. Shared profile components can be configured once and then applied to many users or groups. Without this ability, flexible and comprehensive authorization could only be accomplished by explicitly configuring the authorization of each user group for each possible command on each possible device. The creation and application of these named shared profile components (access restrictions, command sets, and ACLs) make it unnecessary to repeatedly enter long lists of devices or commands when defining network access parameters.

Shared profile components also provide the means for one device to issue a command on behalf of another device or devices. Their scalability extends to the following capabilities:

  • A means to determine the list of commands a user could issue against one or more devices in the network.
  • A means to determine the list of devices on which a particular user may execute a particular command.

This chapter contains the following sections:

  • Downloadable PIX ACLs
  • Network Access Restrictions
  • Command Authorization Sets

Downloadable PIX ACLs

This section includes a description of downloadable PIX ACLs followed by detailed instructions regarding their configuration and management.

About Downloadable PIX ACLs

Downloadable PIX ACLs enable you to enter an ACL once, in Cisco Secure ACS, and then load that ACL to any number of PIX Firewalls that authenticate using the Cisco IOS/PIX protocol. This is far more efficient than directly entering the ACL into each PIX Firewall via its CLI. No additional configuration of the PIX Firewall is necessary after it has been configured to undertake authorization using RADIUS.

The ACL Definitions that you enter into Cisco Secure ACS consist of one or more PIX ACL commands, with each command on a separate line. Standard RADIUS Cisco AV-pairs limit you to a maximum of 4 kilobytes of ACLs, whereas downloadable PIX ACLs can be of unlimited size. When entering the ACL definitions in the Cisco Secure ACS HTML interface, omit the access-list keyword and the ACL name that begin each line at the PIX CLI, so that each line begins with permit or deny; in all other respects, use standard PIX ACL command syntax and semantics. An example of the format you should use to enter ACL Definitions follows:

permit tcp any host 11.0.0.254
permit udp any host 11.0.0.254
permit icmp any host 11.0.0.254
permit tcp any host 11.0.0.253

See the "Command Reference" section of your PIX Firewall configuration guide for detailed ACL definition information.

ACLs entered into Cisco Secure ACS are protected by whatever backup or replication regime you have established for Cisco Secure ACS. After you configure an ACL as a named shared profile component, you can include that ACL in any Cisco Secure ACS user or user group profile. When Cisco Secure ACS returns an attribute naming the ACL in the RADIUS Access-Accept packet for a user's session, the PIX Firewall applies that ACL to the session. Cisco Secure ACS stamps each ACL with a version so that it can tell whether the PIX Firewall has cached the latest version. If the PIX Firewall responds that it does not hold the current version of the named ACL in its cache (that is, the ACL is new or has changed), Cisco Secure ACS automatically uploads the ACL update to the PIX Firewall cache.

After you configure a downloadable PIX ACL, it can be applied against any number of single users or user groups.

Downloadable PIX ACL Configuration

This section contains the following procedures:

  • Adding a Downloadable PIX ACL
  • Editing a Downloadable PIX ACL
  • Deleting a Downloadable PIX ACL

Adding a Downloadable PIX ACL

To add a downloadable PIX ACL, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Downloadable PIX ACLs.

Step 3   Click Add.

Result: The Downloadable PIX ACLs page appears.

Step 4   In the Name: box, type the name of the new PIX ACL.


Note    The name of a PIX ACL may contain up to 32 characters. The name may contain spaces; but it may not contain leading, trailing, or multiple spaces, or the following characters: - [ ] / —

Step 5   In the Description: box, type a description of the new PIX ACL.

Step 6   In the ACL Definitions box, type the new PIX ACL definitions.


Note    When entering the ACL definitions in the Cisco Secure ACS HTML interface, omit the access-list keyword and the ACL name; each line begins with permit or deny. For an example of the proper format of the ACL definitions, see the "About Downloadable PIX ACLs" section.

Step 7   When you have completed specifying the PIX ACL, click Submit.

Result: Cisco Secure ACS enters the new PIX ACL, which takes effect immediately. That is, it is available to be sent to any PIX Firewall that is attempting authentication of a user who has that ACL name as part of his or her user or group profile. For information on assigning a user or a group to a PIX ACL, see the "Assigning a PIX ACL to a User" section or the "Assigning a Downloadable PIX ACL to a Group" section, respectively.
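The name rules in the Note above and the ACL Definitions format described in the "About Downloadable PIX ACLs" section are easy to get wrong when pasting from a PIX configuration, and the cached-version check described there is the reason an edited ACL reaches the firewall on the next authorization. The following Python, added here as an illustration and not code from this guide or from Cisco Secure ACS, validates a name and an ACL Definitions body against the stated rules and models the version check. The forbidden-character set (the page's final dash-like character is read as a plain hyphen), the 4 KB comparison and the content-hash version stamp are assumptions; the page does not describe the format of ACS's own stamp.

```python
import hashlib

# Constraints stated on the page for a downloadable PIX ACL name.
NAME_MAX_LEN = 32
# The page lists "- [ ] /" plus a final dash-like character; treating that
# final character as a plain hyphen is an assumption made here.
NAME_FORBIDDEN = set("-[]/")
# Ceiling the page gives for ACLs carried in standard RADIUS Cisco AV-pairs.
AV_PAIR_LIMIT = 4 * 1024


def check_acl_name(name):
    """Return a list of problems with an ACL name (empty list when valid)."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > NAME_MAX_LEN:
        problems.append("name longer than %d characters" % NAME_MAX_LEN)
    if name != name.strip():
        problems.append("leading or trailing space")
    if "  " in name:
        problems.append("multiple consecutive spaces")
    bad = sorted(set(name) & NAME_FORBIDDEN)
    if bad:
        problems.append("forbidden characters: %s" % " ".join(bad))
    return problems


def check_acl_definitions(text):
    """Return (normalized_lines, problems) for the ACL Definitions box.

    Every non-blank line must begin with permit or deny; the
    'access-list <name>' prefix used at the PIX CLI is omitted.
    """
    lines, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # collapse stray whitespace
        if not line:
            continue
        first = line.split()[0].lower()
        if first == "access-list":
            problems.append("line %d: drop the 'access-list <name>' prefix" % n)
        elif first not in ("permit", "deny"):
            problems.append("line %d: must begin with permit or deny" % n)
        lines.append(line)
    return lines, problems


def exceeds_av_pair_limit(lines):
    """True when the same ACL would not fit in 4 KB of Cisco AV-pairs."""
    return len("\n".join(lines).encode()) > AV_PAIR_LIMIT


def version_stamp(lines):
    """Illustrative content-derived stamp (assumption: ACS's own stamp
    format is not described on the page, so this is not its algorithm)."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()[:16]


def needs_upload(lines, cached_stamp):
    """True when a firewall's cached version is missing or stale, which is
    the condition under which ACS pushes the ACL update to the PIX cache."""
    return cached_stamp is None or version_stamp(lines) != cached_stamp


if __name__ == "__main__":
    # Constructed input, not taken from the page.
    body = "permit tcp any host 11.0.0.254\npermit udp any host 11.0.0.254\n"
    acl_lines, errs = check_acl_definitions(body)
    print(check_acl_name("Branch Hosts"), errs)
    print(needs_upload(acl_lines, None), needs_upload(acl_lines, version_stamp(acl_lines)))
```

A definition pasted straight from a PIX configuration fails the "access-list" check, which is the most common reason an ACL submitted here is rejected by the firewall; the size check shows when the same policy could not have been carried in plain AV-pairs.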





Editing a Downloadable PIX ACL

To edit a downloadable PIX ACL, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Downloadable PIX ACLs.

Result: The Downloadable PIX ACLs table appears.

Step 3   In the Name column, click the PIX ACL you want to edit.

Result: The Downloadable PIX ACLs page appears with information displayed for the selected PIX ACL.

Step 4   Edit the Name or Description or ACL Definitions information, as applicable.

Step 5   When you have finished editing the information for the PIX ACL, click Submit.

Result: Cisco Secure ACS re-enters the PIX ACL with the new information, which takes effect immediately.





Deleting a Downloadable PIX ACL

Before You Begin

You should remove a PIX ACL's association with any user, or user group, profile before deleting it.

To delete a PIX ACL, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Downloadable PIX ACLs.

Step 3   Click the name of the downloadable PIX ACL you want to delete.

Result: The Downloadable PIX ACLs page appears with information displayed for the selected PIX ACL.

Step 4   At the bottom of the page, click Delete.

Result: A dialog box warns you that you are about to delete a PIX ACL.

Step 5   To confirm that you intend to delete the PIX ACL, click OK.

Result: The selected PIX ACL is deleted.





Network Access Restrictions

This section includes a description of NARs followed by detailed instructions regarding shared NAR access configuration and management.

About Network Access Restrictions

NARs enable you to define additional authorization conditions that must be met before a user can gain access to the network. Cisco Secure ACS supports two basic types of network access restrictions:

  • IP-based restrictions where the originating request relates to an existing IP address
  • Non-IP-based filters for all other cases where automatic number identification (ANI) may be used

A non-IP-based NAR is a list of permitted or denied "calling"/"point of access" locations that you can employ in restricting an AAA client when you do not have an IP-based connection established. The non-IP-based NAR generally uses the calling line ID (CLI) number and the Dialed Number Identification Service (DNIS) number.

However, you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS, by entering an IP address in place of the CLI. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC address in place of the DNIS. The format of what you specify in the CLI box, be it CLI, IP address, or MAC address, must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.

When specifying a NAR you may use asterisks (*) as wildcards for any value, or as part of any value to establish a range. Cisco Secure ACS also accepts comma-separated values in NAR definitions. All the values in a NAR line item (for example, AAA client, port, and address) must match for that line item to apply; that is, the values are "ANDed".


Note   When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.

You can define a NAR for, and apply it to, a single, particular user or user group. For more information on this, see the "Setting Network Access Restrictions for a User" section or the "Setting Network Access Restrictions for a User Group" section. However, in the Shared Profile Components section of Cisco Secure ACS you can create and name a shared NAR without directly citing any user or user group. You give the shared NAR a name that can be referenced in other parts of the Cisco Secure ACS HTML interface. Then, when you set up users or user groups, you can select none, one, or multiple shared restrictions to be applied. When you specify the application of multiple shared NARs to a user or user group, you choose one of two access criteria: either "All selected filters must permit", or "Any one selected filter must permit".

Shared access restrictions are kept in the CiscoSecure user database and can be backed up/restored by the Cisco Secure ACS backup and restore features and replicated to secondary Cisco Secure ACS servers along with other configurations.

Shared Network Access Restrictions Configuration

You can configure multiple shared NARs to restrict access to particular AAA clients, all AAA clients, or to named NDGs.

This section contains the following procedures:

  • Adding a Shared Network Access Restriction
  • Editing a Shared Network Access Restriction
  • Deleting a Shared Network Access Restriction

Adding a Shared Network Access Restriction

To add a shared NAR, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Network Access Restrictions.

Step 3   Click Add.

Result: The Network Access Restriction page appears.

Step 4   In the Name box, type a name for the new shared NAR.


Note    The name can contain up to 32 characters. Leading and trailing spaces are not allowed. Names cannot contain the following four special characters: [ ] , /

Step 5   In the Description box, type a description of the new shared NAR.

Step 6   To permit or deny access based on IP addressing, follow these steps:


Note   This step is performed for IP-based restrictions where an IP connection exists. For other restriction types, see the "About Network Access Restrictions" section.

a. Select the Define IP-based access descriptions check box.

b. To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value.

c. Select or type the applicable information in each of the following boxes:

  • AAA Client—Select All AAA clients, or the name of the network device group (NDG), or the individual AAA client, to which access is permitted or denied.
  • Port—Type the number of the port to which to permit or deny access. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.
  • Src IP Address—Type the IP address to filter on when performing access restrictions. You can type multiple entries separated by a comma or use the wildcard asterisk (*) to specify all IP addresses.

d. Click enter.

Result: The AAA client, port, and address information appears as a line item in the table.

e. To enter additional IP-based line items, repeat Steps c and d.

Step 7   To permit or deny access based on calling location or values other than an established IP address, follow these steps:

a. Select the Define CLI/DNIS based access restrictions check box.

b. To specify whether you are listing locations that are permitted or denied, from the Table Defines list, select the applicable value.

c. To specify the applicability of this NAR, from the AAA Client list, select one of the following values:

  • The name of the NDG
  • The name of the particular AAA client
  • All AAA clients

Tip Only NDGs that you have previously configured appear in the list.

d. To specify the information that this NAR should filter on, fill in the following boxes, as applicable:


Tip You can type an asterisk (*) as a wild card to specify "all" either as a value or within a range.

  • Port—Type the number of the port to filter on.
  • CLI—Type the CLI number to filter on. You can also use this box to restrict access based on values other than CLIs, such as an IP address or MAC address; for information, see the "About Network Access Restrictions" section.
  • DNIS—Type the number being dialed into to filter on.

e. Click enter.

Result: The information specifying the NAR line item appears in the table.

f. To enter additional non-IP-based NAR line items, repeat Steps c through e.

Step 8   When you are finished defining the shared NAR, click Submit.

Result: Cisco Secure ACS saves the named shared NAR and lists it in the Network Access Restriction Sets table.
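The matching rules given in the "About Network Access Restrictions" section (asterisk wildcards, comma-separated values, ANDed fields within a line item, a table that defines either permitted or denied locations) and the "All selected filters must permit" / "Any one selected filter must permit" choice made when several shared NARs are assigned are easy to misjudge from the table view built in the steps above. The following Python evaluator, added here as an illustration and not code from this guide or from Cisco Secure ACS, applies those rules to a request. The field names, the sample NARs and the requests are constructed for the example; that line items within one table are ORed (a request is "in the table" if any line item matches) is an assumption the page does not state outright.

```python
import re


def value_matches(pattern, value):
    """Match one NAR field.

    An asterisk stands for any value, or for any run of characters within a
    value (e.g. 10.1.50.*), and a comma-separated list matches if any of its
    elements matches.
    """
    for alt in pattern.split(","):
        alt = alt.strip()
        regex = ".*".join(re.escape(part) for part in alt.split("*"))
        if re.fullmatch(regex, value):
            return True
    return False


def line_item_matches(item, request):
    """All fields of a line item must match the request (the values are ANDed)."""
    return all(value_matches(item[field], request.get(field, ""))
               for field in item)


def nar_permits(nar, request):
    """Evaluate one shared NAR.

    nar = {"defines": "permitted" | "denied", "items": [line_item, ...]}
    With a table of permitted locations, a request is allowed only if some
    line item matches it; with a table of denied locations, the inverse.
    (Assumption: line items within a table are ORed.)
    """
    matched = any(line_item_matches(item, request) for item in nar["items"])
    return matched if nar["defines"] == "permitted" else not matched


def access_permitted(nars, request, criterion="all"):
    """Combine the shared NARs selected for a user or group.

    criterion "all": all selected filters must permit.
    criterion "any": any one selected filter must permit.
    """
    results = [nar_permits(nar, request) for nar in nars]
    if not results:
        return True  # no shared NAR selected: nothing restricts access here
    if criterion == "all":
        return all(results)
    if criterion == "any":
        return any(results)
    raise ValueError("criterion must be 'all' or 'any'")


# Constructed sample data (not from the page). An IP-based NAR that lets only
# a management subnet and two named hosts reach the "Lab Routers" NDG, and a
# CLI/DNIS NAR that refuses one calling number on every AAA client.
MGMT_ONLY = {
    "defines": "permitted",
    "items": [
        {"aaa_client": "Lab Routers", "port": "*", "src_ip": "10.1.50.*"},
        {"aaa_client": "Lab Routers", "port": "*", "src_ip": "10.1.51.10,10.1.51.11"},
    ],
}
BLOCKED_CALLER = {
    "defines": "denied",
    "items": [
        {"aaa_client": "*", "port": "*", "cli": "5551234", "dnis": "*"},
    ],
}

if __name__ == "__main__":
    req = {"aaa_client": "Lab Routers", "port": "tty2", "src_ip": "10.1.50.7"}
    print(nar_permits(MGMT_ONLY, req), nar_permits(MGMT_ONLY, dict(req, src_ip="10.1.52.7")))
```

When checking a shared NAR against a proxied TACACS+ request, remember the Note in the "About" section: the address the NAR sees is that of the forwarding AAA server, so a src_ip line item written for the originating AAA client will not match.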





Editing a Shared Network Access Restriction

To edit a shared network access restriction, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Network Access Restrictions.

Result: The Network Access Restrictions table appears.

Step 3   In the Name column, click the shared NAR you want to edit.

Result: The Network Access Restriction page appears with information displayed for the selected filter.

Step 4   To edit the Name or Description of the filter, type and delete information, as applicable.

Step 5   To edit a line item in the IP-based access restrictions table, follow these steps:

a. Double-click the line item to be edited.

Result: Information for the line item is removed from the table and written to the boxes below the table.

b. Edit the information, as applicable.

c. Click enter.

Result: The edited information for this line item is written to the IP-based access restrictions table.

Step 6   To remove a line item from the IP-based access restrictions table, follow these steps:

a. Select the line item.

b. Below the table, click remove.

Result: The line item is removed from the IP-based access restrictions table.

Step 7   To edit a line item in the CLI/DNIS access restrictions table, follow these steps:

a. Double-click the line item to be edited.

Result: Information for the line item is removed from the table and written to the boxes below the table.

b. Edit the information, as applicable.

c. Click enter.

Result: The edited information for this line item is written to the CLI/DNIS access restrictions table.

Step 8   To remove a line item from the CLI/DNIS access restrictions table, follow these steps:

a. Select the line item.

b. Below the table, click remove.

Result: The line item is removed from the CLI/DNIS access restrictions table.

Step 9   When you have finished editing the line items that make up the filter, click Submit.

Result: Cisco Secure ACS re-enters the filter with the new information, which takes effect immediately.





Deleting a Shared Network Access Restriction

To delete a shared network access restriction, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Network Access Restrictions.

Step 3   Click the Name of the shared NAR you want to delete.

Result: The Network Access Restriction page appears with information displayed for the selected NAR.

Step 4   At the bottom of the page, click Delete.

Result: A dialog box warns you that you are about to delete a shared NAR.

Step 5   To confirm that you intend to delete the shared NAR, click OK.

Result: The selected shared NAR is deleted.





Command Authorization Sets

This section includes a description of command authorization sets and pattern matching followed by detailed instructions regarding their configuration and management.

About Command Authorization Sets

Command authorization sets provide a central mechanism to control the authorization of each command on each network device. This greatly enhances the scalability and manageability of setting authorization restrictions. In Cisco Secure ACS, the default command authorization sets include the Shell Command Authorization Sets and the PIX Command Authorization Sets. Other Cisco network management applications, such as CiscoWorks2000, may be enabled to instruct ACS to support additional command authorization set types.

To give administrators fine-grained control over network devices during a Telnet administration session, a network device using TACACS+ can request authorization for each command line before it is executed. Cisco Secure ACS administrators can define a set of commands that are either permitted or denied for execution by a particular user on a given device. Cisco Secure ACS has further enhanced this capability as follows:

  • Reusable Named Command Authorization Sets—You can create a named set of device commands without directly citing any user or user group. The administrator can define a number of device command sets, each of which delineates different access profiles. For example, a "help desk" device command set could permit access to high level browsing commands, such as "show run", and deny any configuration commands. An "All network engineers" command set could contain a limited list of permitted device commands for any network engineer in the enterprise. The "Local Network Engineers" command set could permit all device commands, including IP-address configuration.
  • Finer Configuration Granularity—You can create associations between named command authorization sets and NDGs. Thus, you are able to define different access profiles for users depending on which network devices they access. You can associate the same named command authorization set with more than one NDG and use it for more than one user group. Cisco Secure ACS enforces data integrity. Named command authorization sets are kept in the CiscoSecure user database and can be backed up/restored by the Cisco Secure ACS backup and restore features and replicated to secondary Cisco Secure ACS servers along with other configuration.

For information on assigning command authorization sets, see the following procedures:

About Pattern Matching

For permit/deny command arguments, Cisco Secure ACS applies pattern matching. That is, the argument permit foo matches any argument that contains the string foo. Thus, for example, permit foo would allow not only the argument foo but also the arguments anyfoo and foobar.

To limit the extent of pattern matching you can add the following expressions:

  • dollarsign ($)—Expresses that the argument must end with what has gone before. Thus permit foo$ would match against foo or anyfoo, but not foobar.
  • caret (^)—Expresses that the argument must begin with what follows. Thus permit ^foo would match against foo or foobar, but not against anyfoo.

You can combine these expressions to specify absolute matching. In the example given, you would use permit ^foo$ to ensure that only foo was permitted, and not anyfoo or foobar.

Command Authorization Sets Configuration

This section contains the following procedures:

  • Adding a Command Authorization Set
  • Editing a Command Authorization Set
  • Deleting a Command Authorization Set

Adding a Command Authorization Set

To add a command authorization set, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page lists the command authorization set types available. These always include Shell Command Authorization Sets and PIX Command Authorization Sets.

Step 2   Click one of the listed command authorization set types, as applicable.

Result: The selected Command Authorization Sets table appears.

Step 3   Click Add.

Result: The applicable Command Authorization Set page appears.

Step 4   In the Name box, type a name for the command authorization set.


Note    The set name can contain up to 32 characters. Names cannot contain the following special characters:
# ? " * > <
Leading and trailing spaces are not allowed.

Step 5   In the Description box, type a description of the command authorization set.

Step 6   To specify how Cisco Secure ACS is to handle unmatched commands, select either the Permit or Deny option, as applicable.


Tip The default setting is Deny.

Step 7   For each command you want to enter as part of this command authorization set, follow these steps:

a. In the box just above the Add Command button, type a command that is to be part of the set.


Note    Enter only the command portion of the command/argument string here. Arguments are added only after the command is listed. For example, with the command/argument string "show run" you would type only the command show.

b. Click Add Command.

Result: The typed command is added to the command list box.

c. To add an argument to a command, in the command list box, select the command and then type the argument in the box to the right of the command.


Note    The correct format for arguments is <permit | deny> <argument>. For example, with the command show already listed, you might enter permit run as the argument.


Tip You can list several arguments for a single command by pressing Enter between arguments.

d. To allow arguments, which you have not listed, to be effective with this command, select the Permit Unmatched Args check box.

Step 8   When you are finished adding commands and associated arguments, click Submit.

Result: Cisco Secure ACS displays the name and description of the new command authorization set in the applicable Command Authorization Sets table.
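The "About Pattern Matching" section and Steps 6 and 7 above together define how a command line is judged: an unlisted command falls to the set-wide Permit/Deny option, a listed command is checked against its permit/deny argument patterns (substring match unless anchored with ^ or $), and an argument that matches none of them falls to that command's Permit Unmatched Args check box. The following Python, added here as an illustration and not code from this guide or from Cisco Secure ACS, models that evaluation on a constructed "help desk" set of the kind the "About Command Authorization Sets" section describes. Two details are assumptions the page does not state: command names are compared exactly, and argument rules are evaluated in the order listed with the first match deciding.

```python
import re


def arg_pattern_matches(pattern, argument):
    """Pattern matching as described for command arguments.

    A bare pattern matches any argument that contains it; a leading ^ requires
    the argument to begin with it and a trailing $ requires the argument to end
    with it, so ^foo$ matches only the argument foo.
    """
    anchored_start = pattern.startswith("^")
    anchored_end = pattern.endswith("$")
    core = pattern
    if anchored_start:
        core = core[1:]
    if anchored_end:
        core = core[:-1]
    regex = ("^" if anchored_start else "") + re.escape(core) + ("$" if anchored_end else "")
    return re.search(regex, argument) is not None


def authorize(cmd_set, command, argument):
    """Decide permit (True) or deny (False) for one command line.

    cmd_set = {
        "unmatched_commands": "permit" | "deny",        # Step 6 option
        "commands": {
            "<command>": {
                "rules": [("permit" | "deny", "<pattern>"), ...],  # Step 7c, in listed order
                "permit_unmatched_args": bool,          # Step 7d check box
            },
        },
    }
    `argument` is the command's argument string as one string; treating the
    arguments of a command line that way is an assumption made here.
    """
    entry = cmd_set["commands"].get(command)   # assumption: exact command-name match
    if entry is None:
        return cmd_set["unmatched_commands"] == "permit"
    for action, pattern in entry["rules"]:    # assumption: first matching rule wins
        if arg_pattern_matches(pattern, argument):
            return action == "permit"
    return entry["permit_unmatched_args"]


# Constructed example set (not from the page): a help-desk profile that may
# look at the running configuration and interfaces but change nothing.
HELP_DESK = {
    "unmatched_commands": "deny",   # configure, write, reload, ... are all refused
    "commands": {
        "show": {
            # "^tech" refuses "show tech-support" before the permits are reached;
            # "run" is a substring match, so "show running-config" is covered too.
            "rules": [("deny", "^tech"), ("permit", "run"), ("permit", "^interface")],
            "permit_unmatched_args": False,
        },
        "ping": {"rules": [], "permit_unmatched_args": True},
    },
}

if __name__ == "__main__":
    for cmd, arg in [("show", "running-config"), ("show", "tech-support"),
                     ("configure", "terminal"), ("ping", "10.0.0.1")]:
        print(cmd, arg, "->", "permit" if authorize(HELP_DESK, cmd, arg) else "deny")
```

The substring rule is the point to check when reviewing a set: `permit run` is convenient because it also covers `running-config`, but an unanchored `deny` intended for one argument can silently refuse every argument that happens to contain it, which is what the ^ and $ anchors are for.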





Editing a Command Authorization Set

To edit a command authorization set, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page lists the command authorization set types available.

Step 2   Click the applicable command authorization set type.

Result: The selected Command Authorization Sets table appears.

Step 3   From the Name column, click the name of the set you want to change.

Result: Information for the selected set appears on the applicable Command Authorization Set page.

Step 4   Do any or all of the following:

a. To change the set's Name or Description, edit the words in the corresponding box.

b. To remove a command from the set, from the Matched Commands list, select the command, and then click Remove Command.

c. To edit a command's arguments, from the command list box, select the command and then type changes to the arguments in the box to the right of the command list box.

Step 5   When you have finished editing the set, click Submit.





Deleting a Command Authorization Set

To delete a command authorization set, follow these steps:


Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page lists the command authorization set types available.

Step 2   Click the applicable command authorization set type.

Result: The selected Command Authorization Sets table appears.

Step 3   From the Name column, click the name of the command set you want to delete.

Result: Information for the selected set appears on the applicable Command Authorization Set page.

Step 4   Click Delete.

Result: A dialog box warns you that you are about to delete a command authorization set.

Step 5   To confirm that you intend to delete that command authorization set, click OK.

Result: Cisco Secure ACS displays the applicable Command Authorization Sets table. The deleted command authorization set is no longer listed.