User Guide for Cisco Secure ACS Windows Server 3.1
Setting Up and Managing Shared Profile Components
Download this chapter
Setting Up and Managing Shared Profile ComponentsSetting Up and Managing Shared Profile Components
Download the complete book
User Guide for Cisco Secure ACS 3.1 for Windows ServerUser Guide for Cisco Secure ACS 3.1 for Windows Server (PDF - 6 MB)
give_us_feedback

Table of Contents

Setting Up and Managing Shared Profile Components
About Shared Profile Components
 Downloadable PIX ACLs
 Network Access Restrictions
 Command Authorization Sets

Setting Up and Managing Shared Profile Components

This chapter addresses the Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 features found in the Shared Profile Components section of the HTML interface. It contains the following sections:

About Shared Profile Components

The Shared Profile Components section enables you to develop and name reusable, shared sets of authorization components which may be applied to one or more users or groups of users and referenced by name within their profiles. These include network access restrictions (NARs), command authorization sets, and downloadable PIX ACLs.

The Shared Profile Components section of Cisco Secure ACS addresses the scalability of selective authorization. Shared profile components can be configured once and then applied to many users or groups. Without this ability, flexible and comprehensive authorization could only be accomplished by explicitly configuring the authorization of each user group for each possible command on each possible device. Creating and applying these named shared profile components (access restrictions, command sets, and ACLs) makes it unnecessary to repeatedly enter long lists of devices or commands when defining network access parameters.

Shared profile components also enable Cisco Secure ACS to authorize a command on behalf of another device or devices. Their scalability extends to the following capabilities:

  • A way to determine the list of commands a user could issue against one or more devices in the network.
  • A way to determine the list of devices on which a particular user may execute a particular command.

Downloadable PIX ACLs

This section describes downloadable PIX ACLs followed by detailed instructions for configuring and managing them.

About Downloadable PIX ACLs

Downloadable PIX ACLs enable you to enter an ACL once, in Cisco Secure ACS, and then load that ACL to any number of PIX Firewalls that authenticate using the Cisco IOS/PIX protocol. This is far more efficient than directly entering the ACL into each PIX Firewall via its CLI. No additional configuration of the PIX Firewall is necessary after it has been configured to undertake authorization using RADIUS.

The ACL definitions that you enter into Cisco Secure ACS consist of one or more PIX ACL commands, with each command on a separate line. Using standard RADIUS Cisco AV-pairs permits you to enter a maximum of 4 kilobytes of ACLs; whereas, downloadable PIX ACLs can be of unlimited size. In entering the ACL definitions in the ACS HTML interface, do not use keyword and name entries; in all other respects, use standard PIX ACL command syntax and semantics. An example of the format you should use to enter ACL Definitions follows:

permit tcp any host 11.0.0.254

permit udp any host 11.0.0.254

permit icmp any host 11.0.0.254

permit tcp any host 11.0.0.253

See the "Command Reference" section of your PIX Firewall configuration guide for detailed ACL definition information.

ACLs entered into the Cisco Secure ACS are protected by whatever backup or replication regime you have established for the Cisco Secure ACS. After you configure an ACL as a named shared profile component, you can include that ACL in any Cisco Secure ACS user, or user group, profile. When Cisco Secure ACS returns an attribute with a named ACL as part of a user session RADIUS access accept packet, the PIX Firewall applies that ACL to the session of that user. Cisco Secure ACS uses a versioning stamp to ensure that the PIX Firewall has cached the latest ACL version. If a PIX Firewall responds that it does not have the current version of the named ACL in its cache (that is, the ACL is new or has changed), Cisco Secure ACS uploads the ACL update to the PIX Firewall cache.

After you configure a downloadable PIX ACL, it can be applied against any number of single users or user groups.

Downloadable PIX ACL Configuration

This section contains the following procedures:

Adding a Downloadable PIX ACL

To add a downloadable PIX ACL, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Downloadable PIX ACLs.

Step 3   Click Add.

Result: The Downloadable PIX ACLs page appears.

Step 4   In the Name: box, type the name of the new PIX ACL.

Note    The name of a PIX ACL may contain up to 32 characters. The name may contain spaces; but it cannot contain leading, trailing, or multiple spaces, or the following characters: - [ ] / —

Step 5   In the Description: box, type a description of the new PIX ACL.

Step 6   In the ACL Definitions box, type the new PIX ACL definitions.

Note    In entering the ACL definitions in the ACS HTML interface, you do not use keyword and name entries; rather, you begin with a permit/deny keyword. For an example of the proper format of the ACL definitions, see About Downloadable PIX ACLs.

Step 7   When you have completed specifying the PIX ACL, click Submit.

Result: Cisco Secure ACS enters the new PIX ACL, which takes effect immediately. That is, it is available to be sent to any PIX Firewall that is attempting authentication of a user who has that ACL name as part of his or her user or group profile. For information on assigning a user or a group to a PIX ACL, see Assigning a PIX ACL to a User, or Assigning a Downloadable PIX ACL to a Group.




Editing a Downloadable PIX ACL

To edit a downloadable PIX ACL, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Downloadable PIX ACLs.

Result: The Downloadable PIX ACLs table appears.

Step 3   In the Name column, click the PIX ACL you want to edit.

Result: The Downloadable PIX ACLs page appears with information displayed for the selected ACL.

Step 4   Edit the Name or Description or ACL Definitions information, as applicable.

Step 5   When you have finished editing the information for the PIX ACL, click Submit.

Result: Cisco Secure ACS re-enters the PIX ACL with the new information, which takes effect immediately.




Deleting a Downloadable PIX ACL

Before You Begin

You should remove the association of a PIX ACL with any user, or user group, profile before deleting the PIX ACL.

To delete a PIX ACL, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Downloadable PIX ACLs.

Step 3   Click the name of the downloadable PIX ACL you want to edit.

Result: The Downloadable PIX ACLs page appears with information displayed for the selected PIX ACL.

Step 4   At the bottom of the page, click Delete.

Result: A dialog box warns you that you are about to delete a PIX ACL.

Step 5   To confirm that you intend to delete the PIX ACL, click OK.

Result: The selected PIX ACL is deleted.




Network Access Restrictions

This section describes network access restrictions (NARs) and provides detailed instructions for configuring and managing shared NARs.

About Network Access Restrictions

NARs enable you to define additional authorization and authentication conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes sent by your AAA clients. Although there are several ways you can set up NARs, they all are based on matching attribute information sent by a AAA client. Therefore, you must understand the format and content of the attributes your AAA clients send if you want to employ effective NARs.

In setting up a NAR you can choose whether the filter operates positively or negatively. That is, you specify in the NAR whether to permit—or deny—access from AAA clients that send information that matches the information stored in the NAR. However, if a NAR encounters insufficient information to operate, it defaults to denied access. This is shown in Table 5-1.

Table 5-1   NAR Permit/Deny Conditions

Match No Match Insufficient Information

Permit

Access Granted

Access Denied

Access Denied

Deny

Access Denied

Access Granted

Access Denied

Cisco Secure ACS supports two basic types of NARs:

  • IP-based restrictions where the originating request relates to an existing IP address.
  • Non-IP-based filters for all other cases where automatic number identification (ANI) may be used.

IP-based restrictions are based on one of the following attribute fields, depending on the protocol the AAA client uses:

  • If you are using TACACS+—The rem_addr field is used.
  • If you are using RADIUS IETF—The calling-station-id (attribute 31) and called-station-id (attribute 30) fields are used.

AAA clients that do not provide sufficient IP-address information (for example, some types of firewall) do not support full NAR functionality.

A non-IP-based NAR is a list of permitted or denied "calling"/ "point of access" locations that you can employ in restricting a AAA client when you do not have an IP-based connection established. The non-IP-based NAR generally uses the calling line ID (CLI) number and the Dialed Number Identification Service (DNIS) number.

However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC address in place of the DNIS. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.

When specifying a NAR you may use asterisks (*) as wildcards for any value, or as part of any value to establish a range. All the values/conditions in a NAR specification must be met for the NAR to restrict access; that is, the values are "ANDed".

Note   When an authentication request is forwarded by proxy to a Cisco Secure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.

You can define a NAR for, and apply it to, a specific user or user group. For more information on this, see Setting Network Access Restrictions for a User, or Setting Network Access Restrictions for a User Group. However, in the Shared Profile Components section of Cisco Secure ACS you can create and name a shared NAR without directly citing any user or user group. You give the shared NAR a name that can be referenced in other parts of the Cisco Secure ACS HTML interface. Then, when you set up users or user groups, you can select none, one, or multiple shared restrictions to be applied. When you specify the application of multiple shared NARs to a user or user group, you choose one of two access criteria: either "All selected filters must permit", or "Any one selected filter must permit".

Shared access restrictions are kept in the CiscoSecure user database. You can use the Cisco Secure ACS backup and restore features to back up and restore them. You can also replicate the shared access restrictions, along with other configurations, to secondary Cisco Secure ACSes.

Shared Network Access Restrictions Configuration

You can configure multiple shared NARs to restrict access to particular AAA clients, all AAA clients, or to named NDGs.

This section contains the following procedures:

Adding a Shared Network Access Restriction

To add a shared NAR, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Network Access Restrictions.

Step 3   Click Add.

Result: The Network Access Restriction page appears.

Step 4   In the Name box, type a name for the new shared NAR.

Note    The name can contain up to 32 characters. Leading and trailing spaces are not allowed. Names cannot contain the following four characters:
[ ] , /

Step 5   In the Description box, type a description of the new shared NAR.

Step 6   To permit or deny access based on IP addressing, follow these steps:

Note    This step is performed for IP-based restrictions where an IP connection exists. For other restriction types, see About Network Access Restrictions.

a. Select the Define IP-based access descriptions check box.

b. To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value.

c. Select or type the applicable information in each of the following boxes:

  • AAA Client—Select All AAA clients, or the name of the network device group (NDG), or the individual AAA client, to which access is permitted or denied.
  • Port—Type the number of the port that you want to permit or deny access to. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.
  • Src IP Address—Type the IP address to filter on when performing access restrictions. You can type multiple entries separated by a comma or use the wildcard asterisk (*) to specify all IP addresses.

d. Click enter.

Result: The AAA client, port, and address information appears as a line item in the table.

e. To enter additional IP-based line items, repeat Step c and Step d.

Step 7   To permit or deny access based on calling location or values other than an established IP address, follow these steps:

a. Select the Define CLI/DNIS based access restrictions check box.

b. To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value.

c. To specify the applicability of this NAR, from the AAA Client list, select one of the following values:

  • The name of the NDG
  • The name of the particular AAA client
  • All AAA clients
Tip Only NDGs that you have already configured are listed.

d. To specify the information that this NAR should filter on, type values in the following boxes, as applicable:

Tip You can type an asterisk (*) as a wildcard to specify "all" as a value or within a range.
  • Port—Type the number of the port to filter on.
  • CLI—Type the CLI number to filter on. You can also use this box to restrict access based on values other than CLIs, such as an IP address or MAC address; for information, see About Network Access Restrictions.
  • DNIS—Type the number being dialed into to filter on.

e. Click enter.

Result: The information specifying the NAR line item appears in the table.

f. To enter additional non-IP based NAR line items, repeat Step c through Step e.

Step 8   When you are finished defining the shared NAR, click Submit.

Result: Cisco Secure ACS saves the named shared NAR and lists it in the Network Access Restriction Sets table.




Editing a Shared Network Access Restriction

To edit a shared network access restriction, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Network Access Restrictions.

Result: The Network Access Restrictions table appears.

Step 3   In the Name column, click the shared NAR you want to edit.

Result: The Network Access Restriction page appears with information displayed for the selected NAR.

Step 4   To edit the Name or Description of the filter, type and delete information, as applicable.

Step 5   To edit a line item in the IP-based access restrictions table, follow these steps:

a. Double-click the line item that you want to edit.

Result: Information for the line item is removed from the table and written to the boxes below the table.

b. Edit the information, as applicable.

c. Click enter.

Result: The edited information for this line item is written to the IP-based access restrictions table.

Step 6   To remove a line item from the IP-based access restrictions table, follow these steps:

a. Select the line item.

b. Below the table, click remove.

Result: The line item is removed from the IP-based access restrictions table.

Step 7   To edit a line item in the CLI/DNIS access restrictions table, follow these steps:

a. Double-click the line item that you want to edit.

Result: Information for the line item is removed from the table and written to the boxes below the table.

b. Edit the information, as applicable.

c. Click enter.

Result: The edited information for this line item is written to the CLI/DNIS access restrictions table.

Step 8   To remove a line item from the CLI/DNIS access restrictions table, follow these steps:

a. Select the line item.

b. Below the table, click remove.

Result: The line item is removed from the CLI/DNIS access restrictions table.

Step 9   When you have finished editing the line items that make up the filter, click Submit.

Result: Cisco Secure ACS re-enters the filter with the new information, which takes effect immediately.




Deleting a Shared Network Access Restriction

To delete a shared network access restriction, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page appears.

Step 2   Click Network Access Restrictions.

Step 3   Click the Name of the shared NAR you want to delete.

Result: The Network Access Restriction page appears with information displayed for the selected NAR.

Step 4   At the bottom of the page, click Delete.

Result: A dialog box warns you that you are about to delete a shared NAR.

Step 5   To confirm that you want to delete the shared NAR, click OK.

Result: The selected shared NAR is deleted.




Command Authorization Sets

This section describes command authorization sets and pattern matching and provides detailed instructions for configuring and managing them.

About Command Authorization Sets

Command authorization sets provide a central mechanism to control the authorization of each command on each network device. This greatly enhances the scalability and manageability of setting authorization restrictions. In Cisco Secure ACS, the default command authorization sets include the Shell Command Authorization Sets and the PIX Command Authorization Sets. Cisco device-management applications, such as Management Center for PIX Firewall, may be enabled to instruct ACS to support additional command authorization set types.

To offer fine-grained control of device-hosted, administrative Telnet sessions, a network device using TACACS+ can request authorization for each command line before its execution. You can define a set of commands that are either permitted or denied for execution by a particular user on a given device. Cisco Secure ACS has further enhanced this capability as follows:

  • Reusable Named Command Authorization Sets—Without directly citing any user or user group, you can create a named set of command authorizations. You can define several command authorization sets, each delineating different access profiles. For example, a "Help desk" command authorization set could permit access to high level browsing commands, such as "show run", and deny any configuration commands. An "All network engineers" command authorization set could contain a limited list of permitted commands for any network engineer in the enterprise. A "Local network engineers" command authorization set could permit all commands, including IP-address configuration.
  • Fine Configuration Granularity—You can create associations between named command authorization sets and NDGs. Thus, you are able to define different access profiles for users depending on which network devices they access. You can associate the same named command authorization set with more than one NDG and use it for more than one user group. Cisco Secure ACS enforces data integrity. Named command authorization sets are kept in the CiscoSecure user database. You can use the Cisco Secure ACS backup and restore features to backup and restore them. You can also replicate command authorization sets to secondary Cisco Secure ACSes along with other configuration data.

For command authorization set types that support Cisco device-management applications, the benefits of using command authorization sets are similar. You can enforce authorization of various privileges in a device-management application by applying command authorization sets to Cisco Secure ACS groups that contain users of the device-management application. The Cisco Secure ACS groups can correspond to different roles within the device-management application and you can apply different command authorization sets to each group, as applicable.

For information on assigning command authorization sets, see the following procedures:

About Pattern Matching

For permit/deny command arguments, Cisco Secure ACS applies pattern matching. That is, the argument permit wid matches any argument that contains the string wid. Thus, for example, permit wid would allow not only the argument wid but also the arguments anywid and widget.

To limit the extent of pattern matching you can add the following expressions:

  • dollarsign ($)—Expresses that the argument must end with what has gone before. Thus permit wid$ would match against wid or anywid, but not widget.
  • caret (^)—Expresses that the argument must begin with what follows. Thus permit ^wid would match against wid or widget, but not against anywid.

You can combine these expressions to specify absolute matching. In the example given, you would use permit ^wid$ to ensure that only wid was permitted, and not anywid or widget.

Command Authorization Sets Configuration

This section contains the following procedures:

Adding a Command Authorization Set

To add a command authorization set, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page lists the command authorization set types available. These always include Shell Command Authorization Sets and may include others, such as command authorization set types that support Cisco device-management applications.

Step 2   Click one of the listed command authorization set types, as applicable.

Result: The selected Command Authorization Sets table appears.

Step 3   Click Add.

Result: The applicable Command Authorization Set page appears. Depending upon the type of command authorization set you are adding, the contents of the page vary. Below the Name and Description boxes, Cisco Secure ACS displays either additional boxes or an expandable checklist tree. The expandable checklist tree appears for device command set types that support a Cisco device-management application.

Step 4   In the Name box, type a name for the command authorization set

Note    The set name can contain up to 32 characters. Names cannot contain the following characters:
# ? " * > <
Leading and trailing spaces are not allowed.

Step 5   In the Description box, type a description of the command authorization set.

Step 6   If Cisco Secure ACS displays an expandable checklist tree below the Name and Description boxes, use the checklist tree to specify the actions permitted by the command authorization set. To do so, follow these steps:

a. To expand a checklist node, click the plus (+) symbol to its left.

b. To enable an action, select its check box. For example, to enable a Device View action, select the View check box under the Device checklist node.

Tip Selecting an expandable check box node selects all the check boxes within that node. Selecting the first check box in the checklist tree selects all check boxes in the checklist tree.

c. To enable other actions in this command authorization set, repeat Step a and Step b, as needed.

Step 7   If Cisco Secure ACS displays additional boxes below the Name and Description boxes, use the boxes to specify the commands and arguments permitted or denied by the command authorization set. To do so, follow these steps:

a. To specify how Cisco Secure ACS should handle unmatched commands, select either the Permit or Deny option, as applicable.

Note    The default setting is Deny.

b. In the box just above the Add Command button, type a command that is to be part of the set.

Caution   Enter the full command word; if you use command abbreviations, authorization control may not function.
Note    Enter only the command portion of the command/argument string here. Arguments are added only after the command is listed. For example, with the command/argument string "show run" you would type only the command show.

c. Click Add Command.

Result: The typed command is added to the command list box.

d. To add an argument to a command, in the command list box, select the command and then type the argument in the box to the right of the command.

Note    The correct format for arguments is <permit | deny> <argument>. For example, with the command show already listed, you might enter permit run as the argument.
Tip You can list several arguments for a single command by pressing Enter between arguments.

e. To allow arguments, which you have not listed, to be effective with this command, select the Permit Unmatched Args check box.

f. To add other commands to this command authorization set, repeat Step a through Step e.

Step 8   When you finish creating the command authorization set, click Submit.

Result: Cisco Secure ACS displays the name and description of the new command authorization set in the applicable Command Authorization Sets table.




Editing a Command Authorization Set

To edit a command authorization set, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page lists the command authorization set types available.

Step 2   Click a command authorization set type, as applicable.

Result: The selected Command Authorization Sets table appears.

Step 3   From the Name column, click the name of the set you want to change.

Result: Information for the selected set appears on the applicable Command Authorization Set page.

Step 4   If an expandable checklist tree appears below the Name and Description boxes, you can do any or all of the following:

  • To expand a checklist node, click the plus (+) symbol to its left. To collapse an expanded checklist node, click the minus (-) symbol to its left.
  • To enable an action, select its check box. For example, to enable a Device View action, select the View check box under the Device checklist node.
Tip Selecting an expandable check box node selects all the check boxes within that node. Selecting the first check box in the checklist tree selects all check boxes in the checklist tree.
  • To disable an action, clear its check box. For example, to disable a Device View action, clear the View check box under the Device checklist node.

Step 5   If additional boxes appear below the Name and Description boxes, you can do any or all of the following:

  • To change the set Name or Description, edit the words in the corresponding box.
  • To remove a command from the set, from the Matched Commands list, select the command, and then click Remove Command.
  • To edit arguments of a command, from the command list box, select the command and then type changes to the arguments in the box to the right of the command list box.

Step 6   When you finish editing the set, click Submit.




Deleting a Command Authorization Set

To delete a command authorization set, follow these steps:

Step 1   In the navigation bar, click Shared Profile Components.

Result: The Shared Profile Components page lists the command authorization set types available.

Step 2   Click a command authorization set type, as applicable.

Result: The selected Command Authorization Sets table appears.

Step 3   From the Name column, click the name of the command set you want to delete.

Result: Information for the selected set appears on the applicable Command Authorization Set page.

Step 4   Click Delete.

Result: A dialog box warns you that you are about to delete a command authorization set.

Step 5   To confirm that you want to delete that command authorization set, click OK.

Result: Cisco Secure ACS displays the applicable Command Authorization Sets table. The command authorization set is no longer listed.