User Guide for Cisco Secure ACS for Windows Server 3.2
Shared Profile Components

Table Of Contents

Shared Profile Components

About Shared Profile Components

Downloadable IP ACLs

About Downloadable IP ACLs

Adding a Downloadable IP ACL

Editing a Downloadable IP ACL

Deleting a Downloadable IP ACL

Network Access Restrictions

About Network Access Restrictions

Adding a Shared Network Access Restriction

Editing a Shared Network Access Restriction

Deleting a Shared Network Access Restriction

Command Authorization Sets

About Command Authorization Sets

Adding a Command Authorization Set

Editing a Command Authorization Set

Deleting a Command Authorization Set

Shared Profile Components


This chapter addresses the CiscoSecure ACS for Windows Server features found in the Shared Profile Components section of the HTML interface.

This chapter contains the following topics:

About Shared Profile Components

Downloadable IP ACLs

Network Access Restrictions

Command Authorization Sets

About Shared Profile Components

The Shared Profile Components section enables you to develop and name reusable, shared sets of authorization components that may be applied to one or more users or groups of users and referenced by name within their profiles. These include downloadable IP access control lists (ACLs), network access restrictions (NARs), and command authorization sets.

The Shared Profile Components section of CiscoSecure ACS addresses the scalability of selective authorization. Shared profile components can be configured once and then applied to many users or groups. Without this ability, flexible and comprehensive authorization could only be accomplished by explicitly configuring the authorization of each user group for each possible command on each possible device. Creating and applying these named shared profile components (ACLs, access restrictions, and command sets) makes it unnecessary to repeatedly enter long lists of devices or commands when defining network access parameters.

Shared profile components also let CiscoSecure ACS authorize commands consistently across many devices, rather than one device at a time. Their scalability extends to the following capabilities:

A way to determine the list of commands a user could issue against one or more devices in the network.

A way to determine the list of devices on which a particular user may execute a particular command.

Downloadable IP ACLs

This section describes downloadable ACLs followed by detailed instructions for configuring and managing them.

This section contains the following topics:

About Downloadable IP ACLs

Adding a Downloadable IP ACL

Editing a Downloadable IP ACL

Deleting a Downloadable IP ACL

About Downloadable IP ACLs

Downloadable IP ACLs provide a means of creating sets of ACL commands that you can apply to many users or user groups. When CiscoSecure ACS grants network access to a user whose profile includes a downloadable IP ACL, it returns an attribute naming that ACL in the RADIUS Access-Accept packet for the user session, and the network device applies the named ACL to that session. CiscoSecure ACS uses a version stamp to ensure that the network device has cached the latest version of the ACL. If the network device responds that it does not have the current version of the named ACL in its cache (that is, the ACL is new or has changed), CiscoSecure ACS sends the updated ACL to the device. The network device then applies the downloadable IP ACL to the user session.

Downloadable IP ACLs are an alternative to configuring ACLs in the RADIUS Cisco cisco-av-pair attribute [26/9/1] of each user or user group. While the RADIUS Cisco cisco-av-pair attribute is limited to a maximum of 4 kilobytes of ACLs, downloadable IP ACLs can be up to 32 kilobytes, a limit of the HTML interface. You can create a downloadable IP ACL once, give it a name, and then assign the downloadable IP ACL to each applicable user or user group by referencing its name. This is more efficient than configuring the RADIUS Cisco cisco-av-pair attribute for each user or user group. It is far more efficient than directly entering the ACL into each network device. No additional configuration of the network device is necessary after the device has been configured to use downloadable IP ACLs from CiscoSecure ACS. Downloadable ACLs are protected by the backup or replication regimen you have established.

While entering the ACL definitions in the CiscoSecure ACS HTML interface, do not use keyword and name entries; that is, omit the access-list keyword and list name that would precede each entry in the device configuration, so that each line begins with permit or deny. In all other respects, use the standard ACL command syntax and semantics of the network device on which you intend to apply the downloadable IP ACL. The ACL definitions that you enter into CiscoSecure ACS consist of one or more ACL commands. Each ACL command must be on a separate line.

Using downloadable IP ACLs requires the following of the AAA clients that you want to enforce the ACLs on:

AAA clients must use RADIUS for authentication

AAA clients must support downloadable IP ACLs

Examples of Cisco devices that support downloadable IP ACLs are:

PIX Firewalls

VPN 3000-series Concentrators

An example of the format you should use to enter PIX Firewall ACLs in the ACL Definitions box follows:

permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253

An example of the format you should use to enter VPN 3000 ACLs in the ACL Definitions box follows:

permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1
permit ip 10.154.0.0 0.0.255.255 10.158.10.0 0.0.0.255
permit 0 any host 10.159.1.22
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
permit TCP any host 10.160.0.2 eq 23 log
permit TCP any host 10.160.0.3 range 20 30
permit 6 any host HOSTNAME1
permit UDP any host HOSTNAME2 neq 53
deny 17 any host HOSTNAME3 lt 137 log
deny 17 any host HOSTNAME4 gt 138
deny ICMP any 10.161.0.0 0.0.255.255 log
permit TCP any host HOSTNAME5 neq 80

For detailed ACL definition information, see the command reference section of your device configuration guide.

Adding a Downloadable IP ACL

To add a downloadable IP ACL, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page appears.

Step 2 Click Downloadable IP ACLs.


Tip If Downloadable IP ACLs does not appear on the Shared Profile Components page, you must enable either the User-Level Downloadable ACLs or Group-Level Downloadable ACLs option, or both, on the Advanced Options page of the Interface Configuration section.


Step 3 Click Add.

The Downloadable IP ACLs page appears.

Step 4 In the Name box, type the name of the new IP ACL.


Note The name of an IP ACL may contain up to 27 characters. The name may contain spaces, but it cannot contain leading, trailing, or multiple spaces, or the following five characters: - [ ] / —


Step 5 In the Description box, type a description of the new IP ACL.

Step 6 In the ACL Definitions box, type the new IP ACL definitions.


Note Do not enter more than 32,000 characters.



Tip When entering the ACL definitions in the CiscoSecure ACS HTML interface, do not use keyword and name entries (an access-list keyword followed by a list name); instead, begin each line with a permit or deny keyword. For an example of the proper format of the ACL definitions, see About Downloadable IP ACLs.


Step 7 When you have finished specifying the IP ACL, click Submit.

CiscoSecure ACS enters the new IP ACL, which takes effect immediately. For example, if the IP ACL is for use with PIX Firewalls, it is available to be sent to any PIX Firewall that authenticates a user whose user or group profile references that ACL name. For information on assigning a downloadable IP ACL to a user or a user group, see Assigning a Downloadable IP ACL to a User, or Assigning a Downloadable IP ACL to a Group.
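The following Python script is an added example, not part of this guide or of CiscoSecure ACS. It applies the constraints stated in this procedure (a name of at most 27 characters with no leading, trailing, or multiple spaces and none of the listed characters; at most 32,000 characters of definitions; every line beginning with permit or deny and no access-list keyword and name) before you paste definitions into the ACL Definitions box, and it strips the access-list prefix from PIX configuration lines so they can be pasted as-is. The function names, the sample configuration lines, and the handling of an optional extended keyword are assumptions made for the example.

```python
import re

# Limits stated on this page for the Downloadable IP ACLs page of the HTML interface.
MAX_NAME_LENGTH = 27
MAX_DEFINITION_CHARS = 32000
# The five characters the page lists as not allowed in an IP ACL name, copied as printed.
FORBIDDEN_NAME_CHARS = set("-[]/—")
# Each ACL Definitions line must begin with a permit or deny keyword.
COMMAND_LINE = re.compile(r"^(permit|deny)\b", re.IGNORECASE)
# A "keyword and name" prefix as found in a PIX configuration: "access-list <name> permit ...".
# The optional "extended" keyword is later PIX/ASA syntax, accepted here as an assumption.
PIX_PREFIX = re.compile(r"^\s*access-list\s+(\S+)\s+(?:extended\s+)?(?=(permit|deny)\b)", re.IGNORECASE)


def check_acl_name(name):
    """Return a list of problems with a downloadable IP ACL name; empty means acceptable."""
    problems = []
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"name is {len(name)} characters; maximum is {MAX_NAME_LENGTH}")
    if name != name.strip():
        problems.append("name has leading or trailing spaces")
    if "  " in name:
        problems.append("name contains multiple consecutive spaces")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("name contains forbidden character(s): " + " ".join(bad))
    return problems


def check_acl_definitions(text):
    """Return a list of problems with the ACL Definitions box contents; empty means acceptable."""
    problems = []
    if len(text) > MAX_DEFINITION_CHARS:
        problems.append(f"definitions are {len(text)} characters; maximum is {MAX_DEFINITION_CHARS}")
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue  # a blank line carries no command
        if PIX_PREFIX.match(stripped):
            problems.append(f"line {number}: starts with an access-list keyword and name; enter only the command")
        elif not COMMAND_LINE.match(stripped):
            problems.append(f"line {number}: does not begin with permit or deny: {stripped!r}")
    return problems


def convert_pix_access_list(config_text):
    """Strip the 'access-list <name>' prefix from PIX configuration lines so they can be
    pasted into the ACL Definitions box. Lines that are not access-list entries are dropped."""
    converted = []
    for line in config_text.splitlines():
        m = PIX_PREFIX.match(line)
        if m:
            converted.append(line[m.end():].strip())
    return "\n".join(converted)


# Constructed sample PIX configuration lines (not from a real device), in the form
# one would copy out of a running configuration.
SAMPLE_PIX_CONFIG = """\
access-list acs_users permit tcp any host 10.0.0.254
access-list acs_users permit udp any host 10.0.0.254
access-list acs_users permit icmp any host 10.0.0.254
access-list acs_users permit tcp any host 10.0.0.253
"""

if __name__ == "__main__":
    body = convert_pix_access_list(SAMPLE_PIX_CONFIG)
    print(body)
    print("name problems:", check_acl_name("PIX management hosts"))
    print("definition problems:", check_acl_definitions(body))
    print("raw config problems:", check_acl_definitions(SAMPLE_PIX_CONFIG))
```

Run the checks on the exact text you intend to submit; the HTML interface accepts the box contents without validating them against the device syntax, so a line that the device later rejects is only caught when the ACL is downloaded.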


Editing a Downloadable IP ACL

To edit a downloadable IP ACL, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page appears.

Step 2 Click Downloadable IP ACLs.

The Downloadable IP ACLs table appears.

Step 3 In the Name column, click the IP ACL you want to edit.

The Downloadable IP ACLs page appears with information displayed for the selected ACL.

Step 4 Edit the Name, Description, or ACL Definitions information, as applicable.


Note Do not enter more than 32,000 characters in the ACL Definitions box.



Tip Do not use keyword and name entries in the ACL Definitions box; instead, begin each line with a permit or deny keyword. For an example of the proper format of the ACL definitions, see About Downloadable IP ACLs.


Step 5 When you have finished editing the information for the IP ACL, click Submit.

CiscoSecure ACS re-enters the IP ACL with the new information, which takes effect immediately.


Deleting a Downloadable IP ACL

Before You Begin

You should remove the association of an IP ACL with any user or user group profile before deleting the IP ACL.

To delete an IP ACL, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page appears.

Step 2 Click Downloadable IP ACLs.

Step 3 Click the name of the downloadable IP ACL you want to delete.

The Downloadable IP ACLs page appears with information displayed for the selected IP ACL.

Step 4 At the bottom of the page, click Delete.

A dialog box warns you that you are about to delete an IP ACL.

Step 5 To confirm that you want to delete the IP ACL, click OK.

The selected IP ACL is deleted.


Network Access Restrictions

This section describes network access restrictions (NARs) and provides detailed instructions for configuring and managing shared NARs.

This section contains the following topics:

About Network Access Restrictions

Adding a Shared Network Access Restriction

Editing a Shared Network Access Restriction

Deleting a Shared Network Access Restriction

About Network Access Restrictions

NARs enable you to define additional authorization and authentication conditions that must be met before a user can access the network. CiscoSecure ACS applies these conditions using information from attributes sent by your AAA clients. Although there are several ways you can set up NARs, they all are based on matching attribute information sent by a AAA client. Therefore, you must understand the format and content of the attributes your AAA clients send if you want to employ effective NARs.

In setting up a NAR you can choose whether the filter operates positively or negatively. That is, you specify in the NAR whether to permit or deny access from AAA clients that send information that matches the information stored in the NAR. However, if a NAR encounters insufficient information to operate, it defaults to denied access. This is shown in Table 5-1.

Table 5-1 NAR Permit/Deny Conditions

Table Defines   Match            No Match         Insufficient Information
Permit          Access Granted   Access Denied    Access Denied
Deny            Access Denied    Access Granted   Access Denied


CiscoSecure ACS supports two basic types of NARs:

IP-based restrictions where the originating request relates to an existing IP address.

Non-IP-based filters for all other cases where automatic number identification (ANI) may be used.

IP-based restrictions are based on one of the following attribute fields, depending on the protocol the AAA client uses:

If you are using TACACS+ —The rem_addr field is used.

If you are using RADIUS IETF —The calling-station-id (attribute 31) and called-station-id (attribute 30) fields are used.

AAA clients that do not provide sufficient IP address information (for example, some types of firewall) do not support full NAR functionality.

A non-IP-based NAR is a list of permitted or denied "calling/point of access" locations that you can employ in restricting a AAA client when you do not have an IP-based connection established. The non-IP-based NAR generally uses the calling line ID (CLI) number and the Dialed Number Identification Service (DNIS) number.

However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC address in place of the DNIS. The format of what you specify in the CLI box (CLI, IP address, or MAC address) must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.

When specifying a NAR you may use asterisks (*) as wildcards for any value, or as part of any value to establish a range. All the values/conditions in a NAR specification must be met for the NAR to restrict access; that is, the values are "ANDed".


Note When an authentication request is forwarded by proxy to a CiscoSecure ACS, any NARs for TACACS+ requests are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client.


You can define a NAR for, and apply it to, a specific user or user group. For more information on this, see Setting Network Access Restrictions for a User, or Setting Network Access Restrictions for a User Group. However, in the Shared Profile Components section of CiscoSecure ACS you can create and name a shared NAR without directly citing any user or user group. You give the shared NAR a name that can be referenced in other parts of the CiscoSecure ACS HTML interface. Then, when you set up users or user groups, you can select none, one, or multiple shared restrictions to be applied. When you specify the application of multiple shared NARs to a user or user group, you choose one of two access criteria: either "All selected filters must permit", or "Any one selected filter must permit".

Shared access restrictions are kept in the CiscoSecure user database. You can use the CiscoSecure ACS backup and restore features to back up and restore them. You can also replicate the shared access restrictions, along with other configurations, to secondary CiscoSecure ACSes.
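To make Table 5-1, the ANDed line-item matching, and the "all" versus "any" combination of shared NARs concrete, here is an added Python model of shared NAR evaluation. It is example code, not part of CiscoSecure ACS or of this guide; the NDG names, AAA client names, addresses, request attribute names, and the rule that a NAR matches when any one of its line items matches are assumptions made for the example.

```python
import re
from dataclasses import dataclass

ALL_AAA_CLIENTS = "All AAA clients"

# Hypothetical network device groups (NDGs); the names and members are not from the page.
NDG_MEMBERS = {
    "Edge routers": {"rtr-edge-1", "rtr-edge-2"},
    "Core routers": {"rtr-core-1"},
}


def field_matches(pattern, value):
    """NAR field comparison: '*' alone means any value, and '*' inside a value
    establishes a range (for example 10.1.*). Anything else is compared literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def aaa_client_matches(selection, client_name):
    """The AAA Client column holds 'All AAA clients', an NDG name, or one client's name."""
    if selection == ALL_AAA_CLIENTS:
        return True
    if selection in NDG_MEMBERS:
        return client_name in NDG_MEMBERS[selection]
    return selection == client_name


@dataclass
class LineItem:
    aaa_client: str
    port: str
    value: str          # Src IP Address (IP-based table) or CLI (CLI/DNIS table)
    dnis: str = "*"     # CLI/DNIS table only


@dataclass
class SharedNAR:
    name: str
    table_defines: str  # "permit" or "deny": what the listed line items describe
    kind: str           # "ip" (rem_addr / calling-station-id) or "cli_dnis"
    items: list

    def required_attributes(self):
        if self.kind == "ip":
            return ("aaa_client", "port", "src_ip")
        return ("aaa_client", "port", "cli", "dnis")

    def item_matches(self, item, request):
        # Every field of a line item must match: the values are ANDed.
        value = request["src_ip"] if self.kind == "ip" else request["cli"]
        ok = (aaa_client_matches(item.aaa_client, request["aaa_client"])
              and field_matches(item.port, request["port"])
              and field_matches(item.value, value))
        if self.kind == "cli_dnis":
            ok = ok and field_matches(item.dnis, request["dnis"])
        return ok

    def evaluate(self, request):
        """Table 5-1: True is Access Granted, False is Access Denied."""
        if any(request.get(attr) is None for attr in self.required_attributes()):
            return False  # insufficient information denies, whichever the table defines
        # Assumption: the NAR "matches" when any one of its line items matches.
        matched = any(self.item_matches(item, request) for item in self.items)
        return matched if self.table_defines == "permit" else not matched


def authorize(request, nars, criterion="all"):
    """Combine the shared NARs selected for a user or group. criterion is "all"
    ("All selected filters must permit") or "any" ("Any one selected filter must permit")."""
    if not nars:
        return True
    results = [nar.evaluate(request) for nar in nars]
    return all(results) if criterion == "all" else any(results)


# Example shared NARs (hypothetical names and addresses).
MGMT_SUBNET_ONLY = SharedNAR("Management subnet only", "permit", "ip",
                             [LineItem(ALL_AAA_CLIENTS, "*", "10.1.*")])
NO_EDGE_FROM_MGMT = SharedNAR("Block management subnet at the edge", "deny", "ip",
                              [LineItem("Edge routers", "*", "10.1.*")])

# Constructed requests: the attributes ACS would take from a TACACS+ rem_addr or a
# RADIUS calling-station-id. A src_ip of None stands for a client that sent none.
FROM_CORE = {"aaa_client": "rtr-core-1", "port": "tty2", "src_ip": "10.1.5.9"}
FROM_EDGE = {"aaa_client": "rtr-edge-1", "port": "tty2", "src_ip": "10.1.5.9"}
NO_ADDRESS = {"aaa_client": "rtr-edge-1", "port": "tty2", "src_ip": None}

if __name__ == "__main__":
    selected = [MGMT_SUBNET_ONLY, NO_EDGE_FROM_MGMT]
    for label, req in (("core", FROM_CORE), ("edge", FROM_EDGE), ("no address", NO_ADDRESS)):
        print(label, "all:", authorize(req, selected, "all"), "any:", authorize(req, selected, "any"))
```

The request with no source address is the case that catches people: a deny-table NAR that never matches would otherwise grant access, but the missing attribute makes it deny, which is why AAA clients that do not supply address information (such as some firewalls) cannot use full NAR functionality.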

Adding a Shared Network Access Restriction

You can create a shared NAR that contains many access restrictions. CiscoSecure ACS does not enforce a limit on the number of access restrictions in a shared NAR or on the length of each access restriction; however, the following strict limits apply.

The combination of fields for each line item cannot exceed 1024 characters.

The shared NAR cannot have more than 16 KB of characters. The number of line items supported depends on the length of each line item. For example, if you create a CLI/DNIS-based NAR where the AAA client names are 10 characters, the port numbers are 5 characters, the CLI entries are 15 characters, and the DNIS entries are 20 characters, you can add 450 line items before reaching the 16 KB limit.

To add a shared NAR, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page appears.

Step 2 Click Network Access Restrictions.

Step 3 Click Add.

The Network Access Restriction page appears.

Step 4 In the Name box, type a name for the new shared NAR.


Note The name can contain up to 31 characters. Leading and trailing spaces are not allowed. Names cannot contain the following four characters:
[ ] , /


Step 5 In the Description box, type a description of the new shared NAR.

Step 6 To permit or deny access based on IP addressing, follow these steps:


Note This step is performed for IP-based restrictions where an IP connection exists. For other restriction types, see About Network Access Restrictions.


a. Select the Define IP-based access descriptions check box.

b. To specify whether you are listing addresses that are permitted or denied, from the Table Defines list, select the applicable value.

c. Select or type the applicable information in each of the following boxes:

AAA Client—Select All AAA clients, or the name of the network device group (NDG), or the individual AAA client, to which access is permitted or denied.

Port—Type the number of the port that you want to permit or deny access to. You can use the wildcard asterisk (*) to permit or deny access to all ports on the selected AAA client.

Src IP Address—Type the IP address to filter on when performing access restrictions. You can use the wildcard asterisk (*) to specify all IP addresses.


Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.


d. Click enter.

The AAA client, port, and address information appears as a line item in the table.

e. To enter additional IP-based line items, repeat Step c and Step d.

Step 7 To permit or deny access based on calling location or values other than an established IP address, follow these steps:

a. Select the Define CLI/DNIS based access restrictions check box.

b. To specify whether you are listing entries that are permitted or denied, from the Table Defines list, select the applicable value.

c. To specify the applicability of this NAR, from the AAA Client list, select one of the following values:

The name of the NDG

The name of the particular AAA client

All AAA clients


Tip Only NDGs that you have already configured are listed.


d. To specify the information that this NAR should filter on, type values in the following boxes, as applicable:


Tip You can type an asterisk (*) as a wildcard to specify "all" as a value.


Port—Type the number of the port to filter on.

CLI—Type the CLI number to filter on. You can also use this box to restrict access based on values other than CLIs, such as an IP address or MAC address; for information, see About Network Access Restrictions.

DNIS—Type the number being dialed into to filter on.


Note The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.


e. Click enter.

The information specifying the NAR line item appears in the table.

f. To enter additional non-IP-based NAR line items, repeat Step c through Step e.

Step 8 When you are finished defining the shared NAR, click Submit.

CiscoSecure ACS saves the named shared NAR and lists it in the Network Access Restrictions table.


Editing a Shared Network Access Restriction

To edit a shared NAR, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page appears.

Step 2 Click Network Access Restrictions.

The Network Access Restrictions table appears.

Step 3 In the Name column, click the shared NAR you want to edit.

The Network Access Restriction page appears with information displayed for the selected NAR.

Step 4 To edit the Name or Description of the filter, type and delete information, as applicable.

Step 5 To edit a line item in the IP-based access restrictions table, follow these steps:

a. Double-click the line item that you want to edit.

Information for the line item is removed from the table and written to the boxes below the table.

b. Edit the information, as necessary.


Note The total number of characters in the AAA Client list and the Port and Src IP Address boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.


c. Click enter.

The edited information for this line item is written to the IP-based access restrictions table.

Step 6 To remove a line item from the IP-based access restrictions table, follow these steps:

a. Select the line item.

b. Below the table, click remove.

The line item is removed from the IP-based access restrictions table.

Step 7 To edit a line item in the CLI/DNIS access restrictions table, follow these steps:

a. Double-click the line item that you want to edit.

Information for the line item is removed from the table and written to the boxes below the table.

b. Edit the information, as necessary.


Note The total number of characters in the AAA Client list and the Port, CLI, and DNIS boxes must not exceed 1024. Although CiscoSecure ACS accepts more than 1024 characters when you add a NAR, you cannot edit the NAR and CiscoSecure ACS cannot accurately apply it to users.


c. Click enter.

The edited information for this line item is written to the CLI/DNIS access restrictions table.

Step 8 To remove a line item from the CLI/DNIS access restrictions table, follow these steps:

a. Select the line item.

b. Below the table, click remove.

The line item is removed from the CLI/DNIS access restrictions table.

Step 9 When you have finished editing the line items that make up the filter, click Submit.

CiscoSecure ACS re-enters the filter with the new information, which takes effect immediately.


Deleting a Shared Network Access Restriction

To delete a shared NAR, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page appears.

Step 2 Click Network Access Restrictions.

Step 3 Click the Name of the shared NAR you want to delete.

The Network Access Restriction page appears with information displayed for the selected NAR.

Step 4 At the bottom of the page, click Delete.

A dialog box warns you that you are about to delete a shared NAR.

Step 5 To confirm that you want to delete the shared NAR, click OK.

The selected shared NAR is deleted.


Command Authorization Sets

This section describes command authorization sets and pattern matching and provides detailed instructions for configuring and managing them.

This section contains the following topics:

About Command Authorization Sets

Command Authorization Sets Description

Command Authorization Sets Assignment

Case Sensitivity and Command Authorization

Arguments and Command Authorization

About Pattern Matching

Adding a Command Authorization Set

Editing a Command Authorization Set

Deleting a Command Authorization Set

About Command Authorization Sets

This section contains the following topics:

Command Authorization Sets Description

Command Authorization Sets Assignment

Case Sensitivity and Command Authorization

Arguments and Command Authorization

About Pattern Matching

Command Authorization Sets Description

Command authorization sets provide a central mechanism to control the authorization of each command issued on any given network device. This greatly enhances the scalability and manageability of setting authorization restrictions. In CiscoSecure ACS, the default command authorization sets include Shell Command Authorization Sets and PIX Command Authorization Sets. Cisco device-management applications, such as Management Center for Firewalls (Firewall MC), can instruct CiscoSecure ACS to support additional command authorization set types.

To offer fine-grained control of device-hosted, administrative Telnet sessions, a network device using TACACS+ can request authorization for each command line before its execution. You can define a set of commands that are either permitted or denied for execution by a particular user on a given device. CiscoSecure ACS has further enhanced this capability as follows:

Reusable Named Command Authorization Sets —Without directly citing any user or user group, you can create a named set of command authorizations. You can define several command authorization sets, each delineating different access profiles. For example, a "Help desk" command authorization set could permit access to high level browsing commands, such as "show run", and deny any configuration commands. An "All network engineers" command authorization set could contain a limited list of permitted commands for any network engineer in the enterprise. A "Local network engineers" command authorization set could permit all commands, including IP address configuration.

Fine Configuration Granularity —You can create associations between named command authorization sets and NDGs. Thus, you can define different access profiles for users depending on which network devices they access. You can associate the same named command authorization set with more than one NDG and use it for more than one user group. CiscoSecure ACS enforces data integrity. Named command authorization sets are kept in the CiscoSecure user database. You can use the CiscoSecure ACS backup and restore features to back up and restore them. You can also replicate command authorization sets to secondary CiscoSecure ACSes along with other configuration data.

For command authorization set types that support Cisco device-management applications, the benefits of using command authorization sets are similar. You can enforce authorization of various privileges in a device-management application by applying command authorization sets to CiscoSecure ACS groups that contain users of the device-management application. The CiscoSecure ACS groups can correspond to different roles within the device-management application and you can apply different command authorization sets to each group, as applicable.

Command Authorization Sets Assignment

For information on assigning command authorization sets, see the following procedures:

Shell Command Authorization Sets —See either of the following:

Configuring a Shell Command Authorization Set for a User Group

Configuring a Shell Command Authorization Set for a User

PIX Command Authorization Sets —See either of the following:

Configuring a PIX Command Authorization Set for a User Group

Configuring a PIX Command Authorization Set for a User

Device Management Command Authorization Sets —See either of the following:

Configuring Device-Management Command Authorization for a User Group

Configuring Device-Management Command Authorization for a User

Case Sensitivity and Command Authorization

When performing command authorization, CiscoSecure ACS evaluates commands and arguments in a case-sensitive manner. For successful command authorization, you must configure command authorization sets with case-sensitive commands and arguments.

As an additional complication, a device requesting command authorization may send commands and arguments using different case than you type to issue the command.

For example, if you type the following command during a router-hosted session:

interface FASTETHERNET 0/1

the router may submit the command and arguments to CiscoSecure ACS as:

interface FastEthernet 0 1

If, for the interface command, the command authorization set explicitly permits the FastEthernet argument using the spelling "fastethernet", CiscoSecure ACS fails the command authorization request. If the command authorization rule instead permits the argument "FastEthernet", CiscoSecure ACS grants the command authorization request. The case used in command authorization sets must match what the device sends, which may or may not match the case you use when you type the command.

Arguments and Command Authorization

When you explicitly permit or deny arguments rather than rely on CiscoSecure ACS to permit unmatched arguments, you must make certain that you know how devices send arguments to CiscoSecure ACS. A device requesting command authorization may send different arguments than the user typed to issue the command.

For example, if a user typed the following command during a router-hosted session:

interface FastEthernet0/1

the router may send the command and arguments to CiscoSecure ACS as follows:

01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=interface
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=FastEthernet
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=0
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=1
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=<cr>

In this example, the router sends multiple arguments where the user typed a single string without spaces after the command, and it omits the slash that separated 0 and 1 in what the user typed.

If the command authorization rule for the interface command explicitly permits the FastEthernet argument using the spelling "FastEthernet0/1", CiscoSecure ACS fails the command authorization request because it does not match what the router submitted to CiscoSecure ACS. If the command authorization rule instead permits the argument "FastEthernet 0 1", CiscoSecure ACS grants the command authorization request. The form and case of arguments specified in command authorization sets must match what the device sends, which may or may not match what you type when you issue the command.

About Pattern Matching

For permit/deny command arguments, CiscoSecure ACS applies pattern matching. That is, the argument permit wid matches any argument that contains the string wid . Thus, for example, permit wid would allow not only the argument wid but also the arguments anywid and widget .

To limit the extent of pattern matching you can add the following expressions:

dollar sign ($) —Expresses that the argument must end with what has gone before. Thus permit wid$ would match wid or anywid , but not widget .

caret (^) —Expresses that the argument must begin with what follows. Thus permit ^wid would match wid or widget , but not anywid .

You can combine these expressions to specify absolute matching. In the example given, you would use permit ^wid$ to ensure that only wid was permitted, and not anywid or widget .
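The following Python model is an added example, not part of this guide or of CiscoSecure ACS. It parses the AV pairs from router debug output of the kind shown in Arguments and Command Authorization, rebuilds the argument string in the form the router submits it, and evaluates it against a command authorization set using the rules above (case-sensitive substring match, ^ and $ anchors, and the Permit/Deny handling of unmatched commands and arguments). The set names, the assumption that the first matching argument line decides, and the class and function names are choices made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the router debug lines quoted on this page for the typed
# command "interface FastEthernet0/1". Not captured from a live device.
DEBUG_LINES = """\
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=interface
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=FastEthernet
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=0
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=1
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=<cr>
"""

AV_PAIR = re.compile(r"send AV (cmd|cmd-arg)=(.*)$")


def parse_author_request(debug_text):
    """Rebuild (command, argument string) from the AV pairs: the cmd value, then the
    cmd-arg values joined by single spaces, with the terminating <cr> dropped."""
    command, args = None, []
    for line in debug_text.splitlines():
        m = AV_PAIR.search(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "cmd":
            command = value
        elif value != "<cr>":
            args.append(value)
    if command is None:
        raise ValueError("no cmd AV pair in request")
    return command, " ".join(args)


def argument_matches(pattern, argument):
    """Pattern matching as described above: case-sensitive substring match,
    ^ anchors the start, $ anchors the end, ^...$ requires an exact match."""
    start, end = pattern.startswith("^"), pattern.endswith("$")
    core = pattern[(1 if start else 0):(-1 if end else None)]
    if start and end:
        return argument == core
    if start:
        return argument.startswith(core)
    if end:
        return argument.endswith(core)
    return core in argument


@dataclass
class CommandRule:
    command: str                                # full command word, for example "interface"
    args: list = field(default_factory=list)    # ("permit" or "deny", pattern) lines, in order
    permit_unmatched_args: bool = False         # the Permit Unmatched Args check box


@dataclass
class CommandAuthorizationSet:
    name: str
    unmatched_commands: str = "deny"            # Permit/Deny option for unmatched commands; default Deny
    rules: dict = field(default_factory=dict)   # command word -> CommandRule

    def authorize(self, command, argument):
        rule = self.rules.get(command)          # case-sensitive: "Show" is not "show"
        if rule is None:
            return self.unmatched_commands == "permit"
        for action, pattern in rule.args:       # assumption: the first matching line decides
            if argument_matches(pattern, argument):
                return action == "permit"
        return rule.permit_unmatched_args


NETWORK_ENGINEERS = CommandAuthorizationSet(
    name="All network engineers",
    rules={
        "show": CommandRule("show", permit_unmatched_args=True),
        "interface": CommandRule("interface", args=[("deny", "^Loopback"), ("permit", "^FastEthernet")]),
    },
)

# A rule written from what the operator typed rather than from what the router sends.
# It never matches, because ACS compares the pattern against "FastEthernet 0 1".
TYPED_FORM_MISTAKE = CommandAuthorizationSet(
    name="Typed-form mistake",
    rules={"interface": CommandRule("interface", args=[("permit", "FastEthernet0/1")])},
)

if __name__ == "__main__":
    cmd, arg = parse_author_request(DEBUG_LINES)
    print(f"router submitted: cmd={cmd!r} args={arg!r}")
    print("All network engineers:", NETWORK_ENGINEERS.authorize(cmd, arg))
    print("Typed-form mistake:", TYPED_FORM_MISTAKE.authorize(cmd, arg))
```

When writing a set, take the command and argument strings from the device's AAA authorization debug output rather than from what you type, and anchor permit patterns with ^ and $ where a bare substring would also match arguments you did not intend to allow.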

Adding a Command Authorization Set

To add a command authorization set, follow these steps:


Step1 In the navigation bar, click Shared Profile Components .

The Shared Profile Components page lists the command authorization set types available. These always include Shell Command Authorization Sets and may include others, such as command authorization set types that support Cisco device-management applications.

Step2 Click one of the listed command authorization set types, as applicable.

The selected Command Authorization Sets table appears.

Step3 Click Add .

The applicable Command Authorization Set page appears. Depending upon the type of command authorization set you are adding, the contents of the page vary. Below the Name and Description boxes, CiscoSecure ACS displays either additional boxes or an expandable checklist tree. The expandable checklist tree appears for device command set types that support a Cisco device-management application.

Step4 In the Name box, type a name for the command authorization set.


Note The set name can contain up to 27 characters. Names cannot contain the following characters:
# ? " * > <
Leading and trailing spaces are not allowed.


Step5 In the Description box, type a description of the command authorization set.

Step6 If CiscoSecure ACS displays an expandable checklist tree below the Name and Description boxes, use the checklist tree to specify the actions permitted by the command authorization set. To do so, follow these steps:

a. To expand a checklist node, click the plus (+) symbol to its left.

b. To enable an action, select its check box. For example, to enable a Device View action, select the View check box under the Device checklist node.


Tip Selecting an expandable check box node selects all check boxes within that node. Selecting the first check box in the checklist tree selects all check boxes in the checklist tree.


c. To enable other actions in this command authorization set, repeat Step a and Step b, as needed.

Step7 If CiscoSecure ACS displays additional boxes below the Name and Description boxes, use the boxes to specify the commands and arguments permitted or denied by the command authorization set. To do so, follow these steps:

a. To specify how Cisco Secure ACS should handle unmatched commands, select either the Permit or Deny option, as applicable.


Note The default setting is Deny.


b. In the box just above the Add Command button, type a command that is to be part of the set.


Caution Enter the full command word; if you use command abbreviations, authorization control may not function.



Note Enter only the command portion of the command/argument string here. Arguments are added only after the command is listed. For example, with the command/argument string "show run" you would type only the command show.


c. Click Add Command.

The typed command is added to the command list box.

d. To add an argument to a command, in the command list box, select the command and then type the argument in the box to the right of the command.


Note The correct format for arguments is <permit | deny> <argument>. For example, with the command show already listed, you might enter permit run as the argument.



Tip You can list several arguments for a single command by pressing Enter between arguments.


e. To allow arguments that you have not listed to be permitted with this command, select the Permit Unmatched Args check box.

f. To add other commands to this command authorization set, repeat Step a through Step e.

Step 8 When you finish creating the command authorization set, click Submit.

CiscoSecure ACS displays the name and description of the new command authorization set in the applicable Command Authorization Sets table.
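As an added illustration that is not part of the Cisco guide, the following Python model traces how a shell command authorization set built with the options above (the Permit/Deny option for unmatched commands, the <permit | deny> <argument> rules, and the Permit Unmatched Args check box) decides a command request. The sample set contents, the class and function names, and the exact-string comparison of arguments are assumptions made for this example, not CiscoSecure ACS internals.

```python
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    command: str
    arg_rules: list = field(default_factory=list)  # [(action, argument), ...] in listed order
    permit_unmatched_args: bool = False            # the "Permit Unmatched Args" check box


@dataclass
class CommandAuthorizationSet:
    name: str
    unmatched_commands: str = "deny"               # Permit/Deny option for unlisted commands; default Deny
    commands: dict = field(default_factory=dict)

    def add_command(self, word, permit_unmatched_args=False):
        # Per the Note above: only the command portion goes here, never "show run"
        word = word.strip()
        if " " in word:
            raise ValueError("enter only the command word; arguments are added separately")
        self.commands[word] = CommandEntry(word, [], permit_unmatched_args)

    def add_argument(self, word, rule):
        # rule uses the page's "<permit | deny> <argument>" format, e.g. "permit run"
        action, _, argument = rule.strip().partition(" ")
        if action not in ("permit", "deny") or not argument.strip():
            raise ValueError(f"bad rule {rule!r}; expected '<permit | deny> <argument>'")
        self.commands[word].arg_rules.append((action, argument.strip()))

    def authorize(self, command_line):
        """True if the set permits the command line, False if it denies it."""
        word, _, args = command_line.strip().partition(" ")
        entry = self.commands.get(word)
        if entry is None:
            # Unlisted word (an abbreviation such as "sh" is unlisted, hence the Caution): Permit/Deny option
            return self.unmatched_commands == "permit"
        args = args.strip()
        for action, argument in entry.arg_rules:   # assumption: exact-match comparison
            if argument == args:
                return action == "permit"
        return entry.permit_unmatched_args


def build_example_set():
    # Constructed sample set: "show" with "permit run" and "deny privilege", defaults left at Deny
    cas = CommandAuthorizationSet("helpdesk-readonly")
    cas.add_command("show")
    cas.add_argument("show", "permit run")
    cas.add_argument("show", "deny privilege")
    return cas
```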


Editing a Command Authorization Set

To edit a command authorization set, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page lists the command authorization set types available.

Step 2 Click a command authorization set type, as applicable.

The selected Command Authorization Sets table appears.

Step 3 From the Name column, click the name of the set you want to change.

Information for the selected set appears on the applicable Command Authorization Set page.

Step 4 If an expandable checklist tree appears below the Name and Description boxes, you can do any or all of the following:

To expand a checklist node, click the plus (+) symbol to its left. To collapse an expanded checklist node, click the minus (-) symbol to its left.

To enable an action, select its check box. For example, to enable a Device View action, select the View check box under the Device checklist node.


Tip Selecting an expandable check box node selects all check boxes within that node. Selecting the first check box in the checklist tree selects all check boxes in the checklist tree.


To disable an action, clear its check box. For example, to disable a Device View action, clear the View check box under the Device checklist node.

Step 5 If additional boxes appear below the Name and Description boxes, you can do any or all of the following:

To change the set Name or Description, edit the words in the corresponding box.

To remove a command from the set, from the Matched Commands list, select the command, and then click Remove Command.

To edit arguments of a command, from the command list box, select the command and then type changes to the arguments in the box to the right of the command list box.

Step 6 When you finish editing the set, click Submit.


Deleting a Command Authorization Set

To delete a command authorization set, follow these steps:


Step 1 In the navigation bar, click Shared Profile Components.

The Shared Profile Components page lists the command authorization set types available.

Step 2 Click a command authorization set type, as applicable.

The selected Command Authorization Sets table appears.

Step 3 From the Name column, click the name of the command set you want to delete.

Information for the selected set appears on the applicable Command Authorization Set page.

Step 4 Click Delete.

A dialog box warns you that you are about to delete a command authorization set.

Step 5 To confirm that you want to delete that command authorization set, click OK.

CiscoSecure ACS displays the applicable Command Authorization Sets table. The command authorization set is no longer listed.