This chapter contains the instructions for advanced configuration of group and user profiles.
The CiscoSecure Administrator advanced configuration program enables you to carry out more advanced and specialized operations: creating user groups and direct assignment of TACACS+ and RADIUS attributes to customize user and group session parameters in more detail than is possible in the CiscoSecure Access Control Server (ACS) web interface mode.
This chapter covers the following topics:
Note: All changes made using the Administrator program are reflected in the database, and all changes made to the database are visible in the Administrator program after you refresh it.
You can start the Java-based CiscoSecure Administrator advanced configuration program from any of the CiscoSecure ACS Administrator web pages.
In the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again. The Java-based CiscoSecure Administrator advanced configuration program appears. It might require a few minutes to load.
Note: For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.
Use the CiscoSecure Administrator advanced configuration program to create and configure group profiles. Cisco recommends creating group profiles to configure detailed authentication, authorization, and accounting requirements for large numbers of similar users. After the group profile is defined, you can use the CiscoSecure ACS Add a User web page to quickly add simple user profiles to the group profile. The advanced requirements you configured for the group will apply to each member user.
To create a group profile:
Step 2 In the Navigator pane, do one of the following:
Step 3 Click Create New Profile to display the New Profile dialog box.
Step 4 Select the Group check box, enter the name of the group you want to create, and click OK. The new group appears in the tree.
Step 5 After you create the group profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as follows:
You can also use the CiscoSecure Administrator advanced configuration mode to create and configure a user profile. You might do this to customize the user profile's authorization and accounting related attributes in more detail than is possible through the Quick User Add page.
To create a user profile:
Step 2 In the Navigator pane, do one of the following:
Step 3 Click Create Profile to display the New Profile dialog box.
Step 4 Make sure the Group check box is deselected.
Step 5 Enter the name of the user you want to create and click OK. The new user appears in the tree.
Step 6 After you create the user profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as follows:
To assign specific TACACS+ services and attributes to a group or user profile:
Step 2 If necessary, in the Profile pane, click the Profile icon to expand it.
A list or dialog box that contains attributes applicable to the selected profile or service appears in the window at the bottom right of the screen. The information in this window changes depending on what you have selected in the Profile pane.
Step 3 Click the service or protocol that you want to add and click Apply.
The service is added to the profile.
Step 4 Enter or select the necessary text in the Attribute window. Valid entries are explained in "Strategies for Applying Attributes."
Note: If you are assigning an attribute value at the group profile level, and the attribute you are specifying displays an Absolute check box, you can select that check box to assign the value absolute status. A value assigned absolute status cannot be overridden by any contending values assigned at subordinate group profile or user profile levels.
Step 5 Repeat Step 1 through Step 4 for each additional service or protocol to add.
Step 6 When you have finished making all your changes, click Submit.
Refer to the "Common TACACS+ Attributes" section for a listing of the most frequently used TACACS+ protocols and services.
If necessary, use Table 5-1 as a guide when assigning TACACS+ attributes to a user or group profile.
| Attribute | Definition | Value |
|---|---|---|
| service | Indicates that this is an authorization request for starting a primary service. | slip, ppp, arap, shell |
| protocol | Network protocol that is a subset of the service. This attribute must be specified when the service is PPP¹ to indicate that a protocol is being brought up as a secondary service. | lcp, ip, ipx, atalk, vines, unknown |
| cmd | Indicates the command name for a shell command that is to be run. | NULL = shell itself |
| cmd-arg | Indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified and are order dependent. | |
| acl | ASCII number representing a connection access list. Used only when service = shell and cmd = NULL. | |
| inacl | ASCII number for an interface input access list. | |
| outacl | ASCII number for an interface output access list. | |
| zonelist | Numeric zonelist value. Applicable to AppleTalk only. | |
| addr | Network address. | |
| addr-pool | Name of an address pool from which the NAS² should assign an address. | |
| routing | Specifies whether routing information is to be propagated to and accepted from this interface. | Boolean value |
| route | Indicates a route that is to be applied to this interface. Values must be of the form `dst_address mask routing_addr`. If routing_addr is missing, the current interface will be used. | |
| timeout | Sets a value, in minutes, after which a session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. Used for ARAP³. | 0 - nn where 0 = no timeout |
| idletime | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. | 0 - nn where 0 = no timeout |
| autocmd | Auto-command to run. Used only when service = shell and cmd = NULL. | |
| noescape | Prevents user from using an escape character. Used only when service = shell and cmd = NULL. | Boolean |
| nohangup | Do not disconnect after an automatic command. Used only when service = shell and cmd = NULL. | Boolean |
| priv-lvl | | 1 - 15 |
| callback-dialstring | Number the NAS will call back. | NULL = dialstring |
| callback-line | Line the NAS uses to call back the user. | |
| nocallback-verify | Indicates a connection doesn't require authentication after callback. | 1 |

¹ PPP = Point-to-Point Protocol. ² NAS = network access server. ³ ARAP = AppleTalk Remote Access Protocol.
To assign specific RADIUS attributes to a group or user profile:
a. On the Members page of the CiscoSecure Administrator advanced configuration program, click the group or user icon, then click the Profile icon in the Profiles pane to display the Options menu in the Attributes pane.
b. In the Options menu, click the name of the RADIUS dictionary you want the group or user to use; for example, RADIUS - Cisco. Then click Apply.
Step 2 Add the required Check Items and Reply Attributes to the RADIUS profile:
Note: Check Items are the attributes required for authentication, such as user ID and password. Reply Attributes are the attributes sent to the NAS after the profile has passed the authentication procedure, such as Framed-Protocol. For lists and explanations of Check Items and Reply Attributes, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
a. In the Profile window, click the RADIUS - dictionaryname folder icon. (You might need to click the profile's + symbol to expand the RADIUS folder.) The Check Items and Reply Attributes options appear in the Attribute Group window.
b. To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.
c. Click the + symbol for the RADIUS - dictionaryname to expand the folder.
Note: If you select the RADIUS-Cisco11.3 option, make sure Cisco IOS Release 11.3.3(T) or later is installed on your connecting NASes and add new command lines to your NAS configurations. See the "Fully Enabling the RADIUS-Cisco11.3 Dictionary" section.
Step 3 Specify values for added Check Items and Reply Attributes:
a. Click Check Items and/or Reply Attributes. A list of applicable Check Items and Reply Attributes values appears in the lower right window. Click the + symbol to expand the folder.
b. Click the values you want to assign, then click Apply. For more information on the values, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
Note: If you are assigning an attribute value at the group profile level, and the attribute you are specifying displays an Absolute check box, you can select that check box to assign the value absolute status. A value assigned absolute status cannot be overridden by any contending values assigned at subordinate group profile or user profile levels.
c. When you have finished making changes, click Submit.
Caution: For RADIUS, inheritance is additive rather than hierarchical as it is for TACACS+. For example, if you assign the same reply attributes to both the user and group profiles, authorization will fail because the NAS will be sent twice the number of attributes and will not be able to make sense of the reply attributes. Be careful not to assign the same check item or reply attribute to both the group and user profiles.
Step 4 To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.
For more information on specific RADIUS attributes, see the "RADIUS Attributes Used in User Profiles" section.
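The two inheritance rules this procedure relies on, modelled in Python as an added example (this is not Cisco's code or the ACS implementation): TACACS+ values resolve hierarchically with the Absolute check box locking a group value, while RADIUS reply attributes are additive, so the duplicate that the Caution warns about can be detected before it reaches the NAS. The group/user layout, the values, and the sample TACACS+ keys idletime and autocmd are constructed for illustration; RADIUS attributes 27 (Session-Timeout) and 11 (Filter-Id) are from Table 5-2.

```python
"""Attribute inheritance in CiscoSecure ACS group/user profiles (added example).

TACACS+ attributes inherit hierarchically: a subordinate group or user may override
a group value unless the group marked it Absolute. RADIUS reply attributes are
additive: every level's attributes are sent to the NAS, so the same attribute at both
group and user level is the misconfiguration the Caution above warns about.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TacacsAttr:
    value: str
    absolute: bool = False  # the Absolute check box offered at the group level


@dataclass
class Profile:
    name: str
    parent: Profile | None = None
    tacacs: dict[str, TacacsAttr] = field(default_factory=dict)
    # RADIUS reply attributes as (attribute number, value), e.g. (27, "3600")
    radius_reply: list[tuple[int, str]] = field(default_factory=list)

    def chain(self) -> list[Profile]:
        """Profiles from the top-most group down to this profile."""
        out, p = [], self
        while p is not None:
            out.append(p)
            p = p.parent
        return out[::-1]


def tacacs_effective(profile: Profile) -> dict[str, str]:
    """Hierarchical resolution: walk group -> subgroup -> user, honouring Absolute."""
    effective: dict[str, str] = {}
    locked: set[str] = set()  # attributes an ancestor assigned absolute status
    for level in profile.chain():
        for name, attr in level.tacacs.items():
            if name in locked:
                continue  # a contending value at a subordinate level is ignored
            effective[name] = attr.value
            if attr.absolute:
                locked.add(name)
    return effective


def radius_reply_sent(profile: Profile) -> list[tuple[int, str]]:
    """Additive resolution: everything from every level is sent, duplicates included."""
    sent: list[tuple[int, str]] = []
    for level in profile.chain():
        sent.extend(level.radius_reply)
    return sent


def radius_conflicts(profile: Profile) -> set[int]:
    """Attribute numbers assigned at more than one level: the case the Caution forbids."""
    first_seen: dict[int, str] = {}
    conflicts: set[int] = set()
    for level in profile.chain():
        for number, _ in level.radius_reply:
            if number in first_seen and first_seen[number] != level.name:
                conflicts.add(number)
            first_seen.setdefault(number, level.name)
    return conflicts


# Constructed sample profiles (names and values invented for illustration).
SALES = Profile("sales", tacacs={
    "idletime": TacacsAttr("15", absolute=True),  # group locks the idle timeout
    "autocmd": TacacsAttr("menu sales"),
}, radius_reply=[(27, "3600"), (11, "sales-acl")])  # Session-Timeout, Filter-Id

ALICE = Profile("alice", parent=SALES, tacacs={
    "idletime": TacacsAttr("0"),          # tries to disable the timeout: ignored
    "autocmd": TacacsAttr("menu admin"),  # overrides the group value
}, radius_reply=[(27, "7200")])           # duplicates 27 -> authorization fails
```

Running `radius_conflicts(ALICE)` before submitting a profile change is the check the Caution asks you to make by hand.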
Table 5-2 lists the RADIUS attributes that are most commonly used in user profiles. This list is not an exhaustive list of the attributes supported by all vendors such as Ascend, Cisco, and Livingston and does not include any accounting attributes. This table only attempts to list the standard RADIUS attributes that are meaningful for use in a user profile. The table gives a description of each attribute and an explanation of how the attribute might be used in a user profile. Wherever applicable, special information is provided on Cisco's support for the attribute in current versions of Cisco IOS software.
| Attribute (Mnemonic) | Description / Use in Profile |
|---|---|
| 1 (User-Name) | Specifies the user's name. This attribute is not commonly used in a profile. It is sometimes used, however, as a Check Item in special profiles. |
| 2 (User-Password) | Specifies the user's password. It is used to specify every password type (for example, CHAP, PAP, sdi, and so on) for RADIUS as opposed to TACACS+, which uses different password statements for different password types. Used as a Check Item in a profile. |
| 4 (NAS-IP-Address) | Identifies the NAS that is requesting authentication of the user. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the NAS into which the user is calling. |
| 5 (NAS-Port) | Specifies the physical port number of the NAS that is requesting authentication of the user. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the NAS port the user is calling in to if the NAS sends this attribute as part of the authentication request. |
| 6 (Service-Type) | Indicates the type of service to authorize for the user. This is the main RADIUS attribute used in defining authorization with RADIUS. It often determines which additional attributes will be specified. It is most commonly used as a Reply Attribute but in some special profiles it can be used as a Check Item. |
| 7 (Framed-Protocol) | Specifies the framing type to be used for framed access. It is used with Service-Type = Framed-User as a Reply Attribute. |
| 8 (Framed-IP-Address) | Specifies the IP address to be assigned to the user. It is used with Service-Type = Framed-User as a Reply Attribute. |
| 9 (Framed-IP-Netmask) | Indicates the IP subnet mask to be configured for the user when the user is a router. This attribute value results in a static route being added for Framed-IP-Address with the specified subnet mask. It is used with Service-Type = Framed-User as a Reply Attribute. |
| 10 (Framed-Routing) | Indicates the routing method for the user when the user is a router. Cisco IOS software supports "None" and "Send and Listen" values for this attribute. It is used with Service-Type = Framed-User as a Reply Attribute. |
| 11 (Filter-Id) | Indicates the name of the filter list for the user. It is used as a Reply Attribute in a profile. |
| 12 (Framed-MTU) | |
| 13 (Framed-Compression) | Indicates the compression type to be used for the link. Cisco IOS software does not currently support this attribute for non-EXEC authorization. It is used with Service-Type = Framed-User as a Reply Attribute. |
| 14 (Login-IP-Host) | Indicates the host to which the user will connect when the Login-Service attribute is included. It is used with Service-Type = Login-User. It is most commonly used as a Reply Attribute but in some special profiles it can be used as a Check Item. |
| 15 (Login-Service) | Indicates the type of service that should be used to connect the user to the login host. It is used with Service-Type = Login-User as a Reply Attribute. |
| 16 (Login-TCP-Port) | Indicates the TCP port with which the user is to be connected when the Login-Service attribute is also present. It is used with Service-Type = Login-User as a Reply Attribute. |
| 18 (Reply-Message) | Displays text messages to the user. It can be used only when a "terminal window" is used during login. It is used as a Reply Attribute. |
| 19 (Callback-Number) | Specifies the number to be used by the NAS to call back the user when Callback is configured. Cisco IOS software does not currently support this attribute. It is used with Service-Type = Callback-User as a Reply Attribute. |
| 20 (Callback-Id) | Indicates the name of a place to be called back by the NAS. It is the responsibility of the NAS to be able to distinguish the meaning of the name. Cisco IOS software does not currently support this attribute. It is used with Service-Type = Callback-User as a Reply Attribute. |
| 22 (Framed-Route) | Provides routing information to be configured for the user on the NAS. It is used with Service-Type = Framed-User. Used as a Reply Attribute in a profile. |
| 23 (Framed-IPX-Network) | Specifies the IPX Network number to be configured for the link. It is used with Service-Type = Framed-User as a Reply Attribute. |
| 26 (Vendor-Specific) | Allows vendors to support their own extended attributes not suitable for general use. It is referred to as attribute 26 or vendor-Id vendor-type. Cisco has implemented a vendor-specific attribute called the cisco-avpair that has vendor type 1. Cisco's Vendor-Id is 9. See Cisco's web site for more information. This attribute is used as a Reply Attribute. |
| 27 (Session-Timeout) | Sets the maximum number of seconds of service to be provided to the user before the session terminates. Cisco IOS software does not currently support this attribute for PPP sessions. This attribute is used as a Reply Attribute. |
| 28 (Idle-Timeout) | Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. Cisco IOS software does not currently support this attribute for PPP sessions. This attribute is used as a Reply Attribute. |
| 32 (NAS-Identifier) | Indicates a name for the NAS requesting authentication. Cisco IOS software does not currently support this attribute. It is not commonly used in a profile, but can be used as a Check Item to permit or deny access based on the name of the NAS if the NAS sends this attribute as part of the authentication request. Attribute 4 (NAS-IP-Address) is more commonly sent by NASes than this attribute. The name specified must match exactly what is sent by the NAS. |
| 34 (Login-LAT-Service) | Indicates the system with which the user is to be connected by LAT. It is only used with Service-Type = Login-User and Login-Service = LAT. Cisco IOS software only supports this attribute in EXEC mode. This attribute is used as a Reply Attribute. |
| 35 (Login-LAT-Node) | Indicates the node with which the user is to be automatically connected by LAT. It is only used with Service-Type = Login-User and Login-Service = LAT. This attribute is used as a Reply Attribute. |
| 36 (Login-LAT-Group) | Identifies the LAT group codes that this user is authorized to use. It is only used with Service-Type = Login-User and Login-Service = LAT. This attribute is used as a Reply Attribute. |
| 61 (NAS-Port-Type) | Indicates the type of physical port the NAS is using for the user that is requesting authentication. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the type of port the user is dialing into if the NAS sends this attribute as part of the authentication request. |
Caution: Care should be taken when using any attributes besides User-Password as Check Items in a user profile. Unless all Check Items match the information that is sent by the NAS exactly, authentication will fail.
The RADIUS-Cisco11.3 dictionary includes Cisco's set of vendor-proprietary extended RADIUS attributes. To take full advantage of this version, configure the associated NAS as follows:

```
radius-server host hostname|ip-address non-standard
radius-server configure-nas
```

For a description of the vendor-proprietary attributes themselves, see "RADIUS Vendor-Proprietary Attributes," in the appendix "RADIUS Attributes" in the document Security Configuration Guide, accessible at the Cisco documentation web site at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt6/index.htm
The superuser administrator can use the web privilege= attribute to assign a level of access control privilege to CiscoSecure users.
Step 2 In the options menu, click web privilege and select one of the following values.
Note: If you select any web privilege option other than 0, you must also specify a password. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.
Step 3 Click Apply and then click Submit.
Use the Copy a Profile button to add a group or user whose profile is a duplicate of an existing username or group profile:
Step 2 Click the Copy a Profile button.
Step 3 When prompted, enter the new group name or username.
Step 4 Click OK.
Step 5 The new group name or username appears in the tree.
To find a group or user profile:
Step 2 Enter the name of the group or user to search for in the Group or User Name field.
The profile of the group or user you selected is placed in a temporary folder that appears at the top of the list of users. Use this folder as a "shortcut" to the groups or users to work with during this session.
Note: The temporary folder appears for this session only.
Step 3 Repeat Step 2 as many times as necessary for the groups or users to work with during this session.
To display a group or user profile in text format, go to the Members tab of the CiscoSecure Administrator advanced configuration program, select the user or group profile whose text format you want to display, and click the Display a Profile button.
Information similar to that shown in Figure 5-9 will display.
The information displayed is the same information as that shown in the Profile window, but it is shown in CiscoSecure ACS 1.0 format.
The text format is a representation of the actual data that is stored in the RDBMS. Reading the text format of a user or group profile is a quick way of understanding the TACACS+ or RADIUS-based attributes of a user profile.
In the following example user profile, configured through the Java-based CiscoSecure Advanced configuration program, the text format indicates that the user ga_simpson:
```
user = ga_simpson {
    password = clear "sesame1"
    service = shell {
        cmd = show {
            permit version
        }
        cmd = telnet {
            permit "10\.6\.8\.11"
        }
    }
}
```
The curly braces { } in the above expression enclose either:
```
cmd = telnet {
    permit "10\.6\.8\.11"
}
```

```
service = shell {
    cmd = show {
        permit version
    }
    cmd = telnet {
        permit "10\.6\.8\.11"
    }
}
```
Note: For a thorough description of CiscoSecure profile syntax, consult the online document titled CiscoSecure Syntax Guide and Sample Profiles, accessed through the Help menu option in the CiscoSecure ACS Administrator web pages.
The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 5-11.)
To view expired passwords, click the Expired Passwords tab. (See Figure 5-12.)
Use the Move a Profile button to move a group or user to a different or new group. This is useful, for example, to change an employee from one department to another.
To move a profile:
Step 2 Click the group or user to be moved.
Step 3 Click Move a Profile.
Step 4 Enter the name of the destination group. The group name or user icon moves from its current group to the new one.
Note: The moved group or user will inherit the attributes of the group to which it is moved.
Use the Unlock a Profile button to unlock a record that became locked inadvertently. When a profile is locked, a keyhole icon displays next to the group's folder icon. Profiles are locked when they are being updated; however, it is possible to have a locked record that is not in use, such as when the computer is rebooted while updating a profile.
To unlock a profile:
Step 2 Click the locked profile.
Step 3 Click Unlock a Profile. The keyhole icon disappears.
To delete a profile attribute from a group or user profile:
Step 2 Click the icon for the applicable group or user in the tree that is displayed in the Navigator (left) window.
Step 3 In the Profile window, click whatever services or attributes you require to expand the directory structure until you see the attribute you want to delete.
Step 4 Click the applicable attribute.
Step 5 Click the Delete a Profile Attribute (minus sign) button at the top of the Profile window.
Step 6 Repeat Step 2 through Step 5 for each additional attribute to delete.
Step 7 When you have finished making changes, click Submit.
The CiscoSecure ACS unknown_user default profile feature enables access to users not specified (unknown) in the CiscoSecure database. The unknown_user profile can support unknown users requesting authentication via both the TACACS+ and RADIUS protocols.
When you install the CiscoSecure ACS, the unknown_user profile is empty, but you can edit it to provide a default profile for non-CiscoSecure users dialing in to a supported NAS.
Edit the unknown_user default profile as follows:
Step 2 Click the Members tab.
Step 3 Deselect Browse.
Step 4 Select the unknown_user profile in the Navigator pane and click the Profile icon in the Profile pane to view the unknown_user profile configuration.
You can edit the unknown_user profile like any other user profile. See the section "Creating a User Profile in Advanced Configuration Mode" earlier in this chapter for details on assigning attributes through the CiscoSecure Administrator advanced configuration program.
The effect that this unknown_user profile has on unknown users dialing in to the network varies depending on how the client NAS is configured. For example, the unknown_user profile shown in Figure 5-16 is not configured for RADIUS and therefore does not allow any access to unknown users who are communicating with CiscoSecure via NASes enabled for RADIUS protocol only.
For TACACS+ the default unknown_user profile shown in Figure 5-16 authenticates any users who are configured in the UNIX authentication system on which the ACS is running.
The concept of the Default Profile is useful if you already have a large number of users defined in another authentication system, such as the UNIX /etc/passwd and /etc/shadow files or a Security Dynamics, Inc. ACE Server.
The unknown_user profile enables you to grant users specified in these other authentication systems immediate access to the network without having to respecify them in the CiscoSecure database. For example, the following default profile might be used to authorize a shell on the NAS via RADIUS for users who are configured in an ACE Server but not yet specified in the CiscoSecure database:

```
unknown_user = {
    radius = Cisco {
        check_items = {
            2 = sdi
        }
        reply_attributes = {
            6 = 6
        }
    }
}
```
Additionally, the unknown_user profile can be used to grant guest access to the network for unknown users. The following unknown_user profile might be used to allow guests to log in without a password via TACACS+:
```
unknown_user = {
    password = no_password
    service = shell {
    }
}
```
If there is no unknown_user profile declared, then users not declared in the CiscoSecure database cannot be authenticated or authorized to use any service when dialing in to the CiscoSecure ACS client NASes.
Note: The attribute values assigned to the unknown_user profile never apply to users who are already configured with a CiscoSecure user profile.
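A reader for the profile text format described in the "Display a Profile" section above and used again for the unknown_user examples, written as an added Python example (not Cisco's code or syntax definition; it handles only the `name = value { ... }` layout shown in this chapter). It turns a profile dump into a tree and answers two questions an auditor asks of it: which shell commands a TACACS+ profile permits, and whether a profile such as unknown_user authenticates with no password. The sample inputs are the ga_simpson and guest unknown_user profiles printed in this chapter.

```python
# Parser for the CiscoSecure ACS profile text shown by Display a Profile.
# Added example (not Cisco's code): a best-effort reader of the layout printed in
# this chapter, used to list permitted shell commands and spot no-password profiles.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Node:
    key: str               # e.g. "user", "service", "cmd", "permit", "password"
    value: str = ""        # e.g. "ga_simpson", "shell", "show", 'clear "sesame1"'
    children: list[Node] = field(default_factory=list)

    def find(self, key: str, value: str | None = None) -> list[Node]:
        """Direct children with this key (and, if given, this value)."""
        return [c for c in self.children
                if c.key == key and (value is None or c.value == value)]

def parse_profile(text: str) -> Node:
    """A line ending in `{` opens a block, `}` closes it; every other line is a leaf."""
    root = Node("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in profile text")
            stack.pop()
            continue
        opens = line.endswith("{")
        body = line[:-1].strip() if opens else line
        # `key = value` pairs, or bare statements such as `permit version`
        key, _, value = body.partition("=" if "=" in body else " ")
        node = Node(key.strip(), value.strip())
        stack[-1].children.append(node)
        if opens:
            stack.append(node)
    if len(stack) != 1:
        raise ValueError("unterminated block in profile text")
    return root

def first_profile(text: str) -> Node:
    """The top-level `user = name {` or `unknown_user = {` block of a profile dump."""
    return parse_profile(text).children[0]

def permitted_shell_commands(profile: Node) -> dict[str, list[str]]:
    """Map each `cmd = X` under `service = shell` to its permit patterns."""
    out: dict[str, list[str]] = {}
    for shell in profile.find("service", "shell"):
        for cmd in shell.find("cmd"):
            out.setdefault(cmd.value, []).extend(p.value for p in cmd.find("permit"))
    return out

def has_no_password(profile: Node) -> bool:
    """True when the profile authenticates without a password (password = no_password)."""
    return any(p.value == "no_password" for p in profile.find("password"))

# Sample input copied from the profiles printed in this chapter.
GA_SIMPSON = r"""user = ga_simpson {
password = clear "sesame1"
service = shell {
cmd = show {
permit version
}
cmd = telnet {
permit "10\.6\.8\.11"
}
}
}"""
UNKNOWN_GUEST = """unknown_user = {
password = no_password
service = shell {
}
}"""
```

Run `has_no_password(first_profile(text))` over every profile dump to list the accounts (including unknown_user) that admit a caller without a password.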
To exit the Administrator program, click Logoff.
Note: If you are using Netscape and you want to log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.
Posted: Sun Apr 2 16:13:07 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.