This chapter contains information about using the CiscoSecure Access Control Server (ACS) group profile feature and TACACS+ and RADIUS attributes to implement authentication and authorization services of network users through the CiscoSecure ACS.
This chapter covers the following topics:
The group profile feature of the CiscoSecure ACS enables you to define a common set of authentication, authorization, and accounting (AAA) requirements for a large number of users.
You can assign a group profile a set of TACACS+ or RADIUS attribute values. The attribute values assigned to the group also apply to any user who is a member of, or who is added as a member of, that group.
To configure the CiscoSecure ACS to manage large numbers and various types of users with complex AAA requirements, Cisco recommends that you use the features of the CiscoSecure Administrator advanced configuration program to create and configure group profiles. The group profile should contain all attributes that are not specific to the user. This usually means all attributes except for the password. Then you can use the Add a User page of the CiscoSecure Administrator to quickly create simple user profiles with password attributes and assign these user profiles to the appropriate group profile.
The features and attribute values defined for a particular group then apply to, or are inherited by, its member users.
You can create a hierarchy of groups. Within a group profile, you can create child group profiles. TACACS+ attribute values assigned to the parent group profile will be passed down as default values to the child group profiles.
A CiscoSecure system administrator can assign individual CiscoSecure users Group Administrator status. Group Administrator status enables individual users to administer any child group profiles and user profiles that are subordinate to their group but does not allow them to administer any groups or users that fall outside their group's hierarchy. Thus, the system administrator can parcel out the task of administering a large network to other individuals without granting each of them equal authority.
Cisco recommends that you assign individual users basic authentication attribute values, that is, the attributes that define username, password, password type, and web privilege. You can assign basic authentication attribute values to your users transparently, through the HTML-based CiscoSecure ACS Edit a User or Add a User pages in the CiscoSecure ACS web interface.
Cisco recommends that you define Qualification-, Authorization-, and Accounting-related attributes at the group level.
Figure 6-1 illustrates the way these attributes are assigned to groups and users.

In this example, the group profile named "Dial-In Users" is assigned the attribute-value pairs Frame-Protocol=PPP and Service-Type=Framed.
A subset of the TACACS+ and RADIUS attributes in the CiscoSecure ACS can be assigned absolute status at the group profile level. An attribute value that has been assigned absolute status at the group profile level overrides any contending attribute values that may be assigned at a child group profile or member user profile level.
Within multi-level networks with possibly several levels of group administrators, absolute attributes enable a system administrator to set selected group attribute values that group administrators at lower levels cannot override.
Attributes that can be assigned absolute status will display an Absolute check box in the Attributes box of the CiscoSecure Administrator advanced configuration program. You can enable absolute status by selecting the check box. (See Figure 6-2.)

Conflicts among attribute values assigned to parent group profiles, child group profiles, and member user profiles are resolved differently, depending on whether the attribute values are absolute and whether they are TACACS+ or RADIUS attributes:
For TACACS+, you can override the availability of inherited service values by prefixing the keyword prohibit or permit to the service specification. Although default permissions exist, you can explicitly prohibit or enable particular services using the prohibit or permit keywords. The permit keyword allows specified services; the prohibit keyword disallows specified services. Using these keywords together, you can construct "everything except" configurations. For example, the following configuration allows access from all services except X.25:
```
default service = permit
prohibit service = x25
```
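The inheritance and override rules above (child profiles override parent values, an Absolute value set at a group level cannot be overridden below it, and TACACS+ permit/prohibit keywords with a default) can be made concrete in a few lines. The following Python is an added illustration, not CiscoSecure ACS code: the profile hierarchy, the "Dial-In Users" and "Branch Office" groups, the user "alice", and the convention of storing the TACACS+ keywords as dictionary entries are all this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    """A group or user profile. `attrs` maps an attribute name to its value;
    `absolute` lists the attribute names whose Absolute check box is set."""
    name: str
    attrs: dict = field(default_factory=dict)
    absolute: set = field(default_factory=set)
    parent: Optional["Profile"] = None


def effective_attrs(profile):
    """Resolve the attribute values that apply to `profile` by walking from the
    root group down to it. Each level overrides values inherited from its
    parent, except for attributes an ancestor marked Absolute, which stay
    locked at the ancestor's value for every child group and member user."""
    chain = []
    node = profile
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                      # root group first, this profile last
    resolved, locked = {}, set()
    for level in chain:
        for key, value in level.attrs.items():
            if key in locked:
                continue                 # an Absolute value set higher up wins
            resolved[key] = value
        # Absolute takes effect for everything below the level that set it
        locked |= {key for key in level.absolute if key in level.attrs}
    return resolved


def service_permitted(attrs, service):
    """TACACS+ permit/prohibit logic: an explicit `service=<name>` keyword wins;
    otherwise the `default service` keyword decides. (Representing the keywords
    as dict entries is this example's convention, not the ACS file syntax.)"""
    explicit = attrs.get("service=" + service)
    if explicit in ("permit", "prohibit"):
        return explicit == "permit"
    return attrs.get("default service") == "permit"


# Constructed sample hierarchy (assumption): the "Dial-In Users" group from the
# text prohibits X.25 and marks it Absolute; a child group tries to re-enable
# X.25 and also overrides the non-absolute Service-Type.
DIAL_IN = Profile("Dial-In Users",
                  attrs={"Frame-Protocol": "PPP", "Service-Type": "Framed",
                         "default service": "permit", "service=x25": "prohibit"},
                  absolute={"service=x25"})
BRANCH = Profile("Branch Office", parent=DIAL_IN,
                 attrs={"service=x25": "permit", "Service-Type": "Login"})
ALICE = Profile("alice", parent=BRANCH, attrs={"password": "[placeholder]"})

if __name__ == "__main__":
    for key, value in sorted(effective_attrs(ALICE).items()):
        print(f"{key} = {value}")
    print("x25 permitted for alice:", service_permitted(effective_attrs(ALICE), "x25"))
```

Running it shows that `Service-Type` resolves to the child group's `Login` (no Absolute flag on the parent), while `service=x25` stays `prohibit` because the parent locked it, so the child's `permit` is ignored and X.25 remains disallowed for every user under "Dial-In Users".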
This section describes some classes of attributes that you can apply through the CiscoSecure Administrator advanced configuration program.
One technique you can use to ensure the security of your network is to qualify users when they attempt to log on or request a service. For example, you might know that your organization intends to employ several new people beginning on a particular date. Depending on your needs, you can immediately add these new users to the CiscoSecure ACS and specify that they cannot log on until a specified date.
You can use the Java-based CiscoSecure Administrator advanced configuration program to apply qualification attributes to user profiles, group profiles, and services. If a qualification attribute is found, its condition must be matched or the operation in progress will fail. The following qualification conditions are supported:
```
allow "NAS-NAME" "Port" "Remote-Address"
refuse "NAS-NAME" "Port" "Remote-Address"
```
Authentication attributes specify password strings, encryption methods, or methods of generating one-time passwords used by specific users for login.
The password keyword allows an extensible range of authentication methods, and you can install additional authentication methods by reconfiguring the CiscoSecure ACS.
CiscoSecure ACS software includes the following password or authentication method support:
You can configure password attributes to expire. For example, the DES-encrypted password shown in Figure 6-3 is valid from March 1, 1997 until October 31, 1997.

If the RADIUS sub-profile has a password, the server will use that password. If it does not, the RADIUS server will supply one according to the rules specified in Figure 6-1.
| NAS Sends Attribute | Use the RADIUS Password |
|---|---|
| 2 User password | One-time password (OTP), file (UNIX, shadow, or file), PAP. |
| 3 CHAP password | CHAP (Note that users cannot enter the CHAP password in a profile). |
| 181 Ascend ARA password | ARAP (Note that ARAP applies only to Ascend routers, not to Cisco IOS software.) |
Users can change their own CLEAR, CHAP, or PAP passwords if they have the appropriate privilege levels.
To enable users to change their own passwords, you must enable Privilege = Web and assign a privilege level in their user profiles. (See "Quick Editing a User Profile" in the chapter, "Simple User and ACS Management" or "Assigning Access Control Privilege Levels" in the chapter, "Advanced Group and User Management," for details.) Additionally, you must provide the users with the URL of the web-based interface for the CiscoSecure ACS.
When users change their own passwords, they must supply as few as 6 and as many as 13 characters. Of those characters, at least one number and one letter are required.
To assign a new minimum privilege level for changing your own password through the NAS via TACACS+, add or modify the following statement in the CSU.cfg file:
```
number config_priv_level_for_own_chpass=1;
```
Restart the access control server.
The CiscoSecure ACS software checks passwords when they are changed to make sure that easily guessed or deciphered passwords are not used.
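The rule stated above (6 to 13 characters, at least one number and one letter) is easy to encode and worth checking before a password change is submitted to the server. The following Python is an added example, not the ACS's own password checker: the guessability checks it adds (a small constructed deny list and a username-reuse test) are this example's assumptions about what "easily guessed" means, since the page does not describe the server's own criteria.

```python
# Constructed deny list (assumption): the page does not describe the
# server's own list of easily guessed passwords.
COMMON_PASSWORDS = {"password", "password1", "letmein1", "cisco123"}


def password_acceptable(candidate, username=None):
    """Check a user-chosen password against the rule stated in the text:
    6 to 13 characters with at least one letter and at least one number.
    Returns (accepted, reason). The deny-list and username checks are this
    example's additions, not a documented ACS behaviour."""
    if not 6 <= len(candidate) <= 13:
        return False, "must be 6 to 13 characters"
    if not any(ch.isalpha() for ch in candidate):
        return False, "needs at least one letter"
    if not any(ch.isdigit() for ch in candidate):
        return False, "needs at least one number"
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "too easily guessed"
    if username and username.lower() in lowered:
        return False, "must not contain the username"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("abc12", "abcdefgh", "12345678", "cisco123", "mjones97", "r2d2c3po"):
        print(pw, password_acceptable(pw, username="mjones"))
```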
You can establish global default settings for the name of the NAS and port of the caller, as well as set them up for individual services, commands, and protocols. System Administrators can also set time-of-day and day-of-week restrictions, allowing them to control access to highly contended or expensive resources during periods of demand. For example, if you are using the TACACS+ protocol, you can use a declaration that allows the Telnet command to be used at any time on weekends and outside normal office hours.
The CiscoSecure ACS software also allows for multiple declarations of the same service, protocol, or command. Because each declaration can include different attributes and qualifications, administrators can place restrictions on users that take effect only at certain times or under certain conditions.
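The qualification conditions described in this section combine three kinds of check: the allow/refuse conditions on NAS name, port and remote address, a validity date window such as the one in Figure 6-3, and time-of-day and day-of-week restrictions such as the weekend/after-hours Telnet case. The following Python is an added example that evaluates all three against a login request; it is not ACS code. The ordering of the checks, the `*` wildcard, the NAS name "nas-hq", the remote-address values and the interpretation that a request must match at least one allow rule and no refuse rule are all this example's assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Qualification:
    """Conditions attached to a profile or service. `rules` holds
    ("allow"|"refuse", NAS-NAME, Port, Remote-Address) tuples; a "*" in a
    field matches anything (the wildcard is this example's convention).
    `valid_from`/`valid_to` bound the dates the entry may be used, and
    `hours` holds (weekdays, start, end) windows with Monday == 0."""
    rules: list = field(default_factory=list)
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None
    hours: list = field(default_factory=list)


def _rule_matches(rule, nas, port, remote):
    _, rule_nas, rule_port, rule_remote = rule
    return (fnmatchcase(nas, rule_nas) and fnmatchcase(str(port), rule_port)
            and fnmatchcase(remote, rule_remote))


def qualify(q, nas, port, remote, when):
    """Return (accepted, reason). Every qualification found must be satisfied,
    so the first failing condition rejects the request. Assumed ordering:
    date window, then refuse rules, then allow rules, then permitted hours."""
    today = when.date()
    if q.valid_from is not None and today < q.valid_from:
        return False, "not valid until %s" % q.valid_from
    if q.valid_to is not None and today > q.valid_to:
        return False, "expired on %s" % q.valid_to
    for rule in q.rules:
        if rule[0] == "refuse" and _rule_matches(rule, nas, port, remote):
            return False, "refused by rule %r" % (rule,)
    allows = [rule for rule in q.rules if rule[0] == "allow"]
    if allows and not any(_rule_matches(r, nas, port, remote) for r in allows):
        return False, "no allow rule matches NAS/port/remote address"
    if q.hours:
        in_window = any(when.weekday() in days and start <= when.time() <= end
                        for days, start, end in q.hours)
        if not in_window:
            return False, "outside permitted hours"
    return True, "qualified"


WEEKDAYS, WEEKEND = {0, 1, 2, 3, 4}, {5, 6}

# Constructed sample (assumption): a Telnet service usable only from the NAS
# "nas-hq", never from one refused remote address, valid March 1 to
# October 31, 1997 (the window from Figure 6-3), at any time on weekends and
# outside 09:00-17:00 on weekdays.
TELNET_QUAL = Qualification(
    rules=[("allow", "nas-hq", "*", "*"), ("refuse", "*", "*", "555-0199")],
    valid_from=date(1997, 3, 1), valid_to=date(1997, 10, 31),
    hours=[(WEEKEND, time(0, 0), time(23, 59, 59)),
           (WEEKDAYS, time(0, 0), time(9, 0)),
           (WEEKDAYS, time(17, 0), time(23, 59, 59))])

if __name__ == "__main__":
    for when in (datetime(1997, 6, 2, 10, 0), datetime(1997, 6, 2, 18, 30),
                 datetime(1997, 6, 7, 12, 0), datetime(1997, 11, 3, 18, 30)):
        print(when, qualify(TELNET_QUAL, "nas-hq", 3, "555-0100", when))
```

Because "outside office hours" has no single contiguous window, it is expressed as two weekday windows plus an all-day weekend window; a request qualifies if it falls in any of them, which is how the multiple-declaration behaviour described in the next paragraph can be modelled.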
This section provides a list of service attributes and the corresponding protocol values. It also provides an example of how to set a service attribute.
The CiscoSecure ACS supports all four service attributes available to dial-in users:
After the NAS has authorized the user for a specified service, the CiscoSecure ACS returns a list of attribute-value pairs appropriate for that service to the NAS. For each service, several attribute-value pairs are generally available depending on the configurability of the service.
To view the available attribute pairs, use the Java-based CiscoSecure ACS Administrator advanced configuration program to toggle between the Profile window and Options menu to specify attributes. For example, to view the attribute-value pairs for PPP, you would perform the following steps while in the CiscoSecure ACS Administrator and operating with administrator privileges:
Step 1 For a specified user, select Service - PPP from the Options menu and click Apply.
Step 2 While Service - PPP is selected under Profile, select Protocol and click Apply.
Step 3 Cascade the Service - PPP icon under Profile to view the Protocol icon.
Step 4 From the upper portion of the Profile window, click the Protocol icon.
Step 5 From the lower portion of the Profile window, click the Protocol tab. You see the available protocols, which are described in the following section.
```
cmd=telnet
set acl=2
set outacl=4
set addr=1.2.3.4
set timeout=60
set autocmd="telnet gem.com"
set noescape=true
set nohangup=true
set zonelist=5
```

```
ip address-pool local
ip local pool moo 1.0.0.1 1.0.0.10
ip local pool baz 2.0.0.1 2.0.0.20
int bri0
peer default_ip
```

```
service=ppp protocol=ip {
set route = "<dst_addr> <mask> [ <gateway> ]"
}
```

```
set callback-rotary=34
set callback-dialstring=408-555-1212
set callback-line = 1
set nocallback-verify=1
```
With the RADIUS protocol, authentication and authorization are not separate. See the appendix "RADIUS Attribute-Value Pairs and Dictionary Management" for more information on authorization attributes for RADIUS.
The following section shows sample configurations for group profiles assigned TACACS+ and RADIUS attributes.
This section shows how to configure some sample profiles for TACACS+ groups.
Follow these general steps to configure a profile for a group using a PPP dial-up connection using IP or an ISDN connection:
Step 1 Add a new group: tacgroup1.
Step 2 Add a CHAP or PAP password to the profile.
Step 3 Add SERVICE=PPP to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Step 5 Add the IPX protocol if needed:
Be sure to have your Cisco network access server (NAS) set for AAA, modem access, PPP encapsulation, and the CHAP or PAP authentication method.
Follow these general steps to configure a Simple Async SLIP group profile:
Step 1 Add a new group: tacgroup2.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SLIP to the profile.
Step 4 Add the following Protocol Set(s) under SERVICE=PPP:
Be sure to have your Cisco NAS set for AAA, modem access, and SLIP encapsulation.
Follow these general steps to configure a Simple Async Shell group profile:
Step 1 Add a new group: tacgroup3.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Be sure to have your Cisco NAS set for AAA with login.
Follow these general steps to configure a group profile for Simple Async Shell that will issue an autocommand:
Step 1 Add a new group: tacgroup4.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Be sure to have your Cisco NAS set for AAA and to enable Authorization EXEC.
This section contains sample configurations of profiles for RADIUS groups.
Groups can use more than one protocol; for example, ISDN from home and Frame Relay from a branch office, as long as the profiles are the same except for the protocol. The NAS the group dials in to is a determining factor for which protocol is used.
Follow these general steps to configure a Simple Asynchronous PPP group profile:
Step 1 Add a new group: ciscoasync.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the Reply Attributes and Checked Items in Table 6-2.
| No. | Attribute | Value |
|---|---|---|
| Reply Attributes | | |
| 2 | User-Service-Type | 2 Framed-User (enumeration) |
| 1 | Framed-Protocol | PPP (enumeration) |
| Checked Items | | |
| 2 | Password | dialup (actual password) |
Be sure to have your Cisco NAS set for AAA, modem access, and PPP encapsulation.
Follow these general steps to configure a Simple ISDN group profile:
Step 1 Add a new group: ciscoisdn.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Figure 6-4.
| No. | Attribute | Value |
|---|---|---|
| Reply Attributes | | |
| 2 | User-Service-Type | 2 Framed-User (enumeration) |
| 1 | Framed-Protocol | PPP (enumeration) |
| Checked Items | | |
| 2 | Password | isdnuser (actual password) |
Be sure to have your Cisco NAS set for AAA service, PPP encapsulation, and ISDN.
Follow these general steps to configure a minimum profile for an Async SLIP group profile:
Step 1 Add a new group: ciscoslip.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 6-4.
| No. | Attribute | Value |
|---|---|---|
| Reply Attributes | | |
| 2 | User-Service-Type | 2 Login-User (enumeration) |
| 1 | Framed-Protocol | SLIP (enumeration) |
| Checked Items | | |
| 2 | Password | dialupslip (actual password) |
Follow these general steps to configure a minimum profile for an Asynchronous Telnet Shell group profile:
Step 1 Add a new group: ciscoshell.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 6-5.
| No. | Attribute | Value |
|---|---|---|
| Reply Attributes | | |
| 2 | User-Service-Type | 2 Shell-User (enumeration) |
| Checked Items | | |
| 2 | Password | dialupshell (actual password) |
Be sure to have your Cisco NAS set for AAA, with login, tty lines, and modem access.
Follow these general steps to configure a minimum profile for an Asynchronous Telnet group profile:
Step 1 Add a new group: ciscotelnet.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 6-6.
| No. | Attribute | Value |
|---|---|---|
| Reply Attributes | | |
| 2 | User-Service-Type | 2 Login-User (enumeration) |
| 14 | Login-Host | 200.200.200.210 (ipaddr) |
| 15 | Login-Service | 0 Telnet (enumeration) |
| 16 | Login-TCP-Port | 23 (port ID, integer) |
| 1 | Framed-Protocol | PPP (enumeration) |
| Checked Items | | |
| 2 | Password | dialuptelnet (actual password) |
Be sure to have your Cisco NAS set for login and modem access. Use this profile for autologin to a different host.