
Advanced Group and User Management

This chapter contains the instructions for advanced configuration of group and user profiles.

The CiscoSecure Administrator advanced configuration program enables you to carry out more advanced and specialized operations: creating user groups and direct assignment of TACACS+ and RADIUS attributes to customize user and group session parameters in more detail than is possible in the CiscoSecure Access Control Server (ACS) web interface mode.

This chapter covers the following topics:

Starting the Advanced Configuration Program
Creating a Group Profile
Creating a User Profile in Advanced Configuration Mode
Assigning TACACS+ Attributes to a Group or User Profile
Assigning RADIUS Attributes to a Group or User Profile
Assigning Access Control Privilege Levels
Copying a Group or User Profile
Finding a Group or User
Displaying a Profile in Text Format
Displaying a System Summary and Expired Passwords
Moving a Profile
Unlocking a Profile
Deleting a Profile Attribute
Editing the unknown_user Default Profile
Logging Off the CiscoSecure Administrator Interface


Note All changes made using the web-based interface are reflected in the database, and all changes made to the database are visible on the web-based interface, after you have refreshed it.

Starting the Advanced Configuration Program

You can start the Java-based CiscoSecure Administrator advanced configuration program from any of the CiscoSecure ACS Administrator web pages.

Step 1 In the menu bar of the CiscoSecure ACS web interface, click Advanced, and then click Advanced again.

The Java-based CiscoSecure Administrator advanced configuration program appears. It may require a few minutes to load.



Figure 4-1: The CiscoSecure Administrator advanced configuration program

Creating a Group Profile

Use the CiscoSecure Administrator advanced configuration program to create and configure group profiles. Cisco recommends creating group profiles to configure detailed authentication, authorization, and accounting requirements for large numbers of similar users. After the group profile is defined, you can use the CiscoSecure ACS Add a User web page to quickly add simple user profiles to the group profile. The advanced requirements you configured for the group will apply to each member user.

To create a group profile:

Step 1 In the CiscoSecure Administrator advanced configuration program, locate and deselect the Browse check box in the Navigator pane of the tabbed Members page. This displays the Create New Profile icon.

Step 2 In the Navigator pane, do one of the following:

If the group that you want to be the parent is, itself, a child group, first click on its parent group's folder to display it.

Step 3 Click the Create New Profile icon to display the New Profile dialog box.

Step 4 Select the Group check box, enter the name of the group you want to create, and click OK. The new group appears in the tree.

Step 5 After you create the group profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as described in the sections "Assigning TACACS+ Attributes to a Group or User Profile" and "Assigning RADIUS Attributes to a Group or User Profile" later in this chapter.


Figure 4-2: Creating a Group Profile

Creating a User Profile in Advanced Configuration Mode

You can also use the CiscoSecure Administrator advanced configuration mode to create and configure a user profile. You might do this to customize the user profile's authorization and accounting related attributes in more detail than is possible through the Quick User Add page.

To create a user profile:

Step 1 In the CiscoSecure Administrator advanced configuration program, locate and deselect the Browse check box in the Navigator pane of the tabbed Members page. This displays the Create New Profile icon.

Step 2 In the Navigator pane, do one of the following:

Step 3 Click the Create New Profile icon to display the New Profile dialog box.

Step 4 Make sure the Group check box is deselected.

Step 5 Enter the name of the user you want to create and click OK. The new user appears in the tree.

Step 6 After you create the user profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as described in the sections "Assigning TACACS+ Attributes to a Group or User Profile" and "Assigning RADIUS Attributes to a Group or User Profile" later in this chapter.

Assigning TACACS+ Attributes to a Group or User Profile

To assign specific TACACS+ services and attributes to a group or user profile:

Step 1 In the CiscoSecure Administrator advanced configuration program, click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.

Step 2 If necessary, in the Profile pane, click the Profile icon to expand it.

A list or dialog box that contains attributes applicable to the selected profile or service appears in the window at the bottom right of the screen. The information in this window changes depending on what you have selected in the Profile pane.


Step 3 Click the service or protocol that you want to add and click Apply.

The service is added to the profile.


Step 4 Enter or select the necessary text in the Attribute window. Valid entries are explained in the chapter "Strategies Applying Attributes."

Step 5 Repeat Step 1 through Step 4 for each additional service or protocol to add.

Step 6 When you have finished making all your changes, click Submit.

Refer to the following section, "Common TACACS+ Attributes," for a listing of the most frequently used TACACS+ protocols and services.


Figure 4-3: Assigning TACACS+ Attributes to a Profile



Common TACACS+ Attributes

If necessary, use Table 4-1 as a guide when assigning TACACS+ attributes to a user or group profile.


Table 4-1: TACACS+ Attributes

Attribute | Definition | Value
service | Indicates that this is an authorization request for starting a primary service. | slip, ppp, arap, shell
protocol | Network protocol that is a subset of the service. This attribute must be specified when the service is PPP [1] to indicate that a protocol is being brought up as a secondary service. | lcp, ip, ipx, atalk, vines, unknown
cmd | Indicates the command name for a shell command that is to be run. | NULL = shell itself
cmd-arg | Indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified and are order dependent. |
acl (access control list) | ASCII number representing a connection access list. Used only when service = shell and cmd = NULL. |
inacl | ASCII number for an interface input access list. |
outacl | ASCII number for an interface output access list. |
zonelist | Numeric zonelist value. Applicable to AppleTalk only. |
addr | Network address. |
addr-pool | Name of an address pool from which the NAS [2] should assign an address. |
routing | Specifies whether routing information is to be propagated to, and accepted from, this interface. | Boolean value
route | Indicates a route that is to be applied to this interface. | dst_address mask routing_addr (if routing_addr is missing, the current interface will be used)
timeout | Sets a value, in minutes, after which a session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. Used for ARAP [3]. | 0 - nn, where 0 = no timeout
idletime | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. | 0 - nn, where 0 = no timeout
autocmd | Auto-command to run. Used only when service = shell and cmd = NULL. |
noescape | Prevents the user from using an escape character. Used only when service = shell and cmd = NULL. | Boolean
nohangup | Do not disconnect after an automatic command. Used only when service = shell and cmd = NULL. | Boolean
priv_lvl | Privilege level to be assigned. | 1 - 15
callback-dialstring | Number the NAS will call back. | NULL = dialstring
callback-line | Line the NAS uses to call back the user. |
callback-rotary | Rotary number to use for a callback. |
nocallback-verify | Indicates a connection doesn't require authentication after callback. | 1

[1] PPP = Point to Point Protocol.
[2] NAS = network access server.
[3] ARAP = AppleTalk Remote Access Protocol.

Assigning RADIUS Attributes to a Group or User Profile

To assign specific RADIUS attributes to a group or user profile:

Step 1 Assign a RADIUS dictionary to the group profile:


Figure 4-4: Assigning a RADIUS Dictionary to a Group or User

Step 2 Add the required Check Items and Reply Attributes to the RADIUS profile:

Step 3 Specify values for added Check Items and Reply Attributes:

Caution For the RADIUS protocol, inheritance is additive, as opposed to the hierarchical inheritance used by TACACS+. For example, if you assign the same reply attributes to both the user and group profiles, authorization will fail because the NAS will be sent twice the number of attributes and will not be able to make sense of the reply attributes. Be careful not to assign the same check item or reply attribute to both the group and user profiles.

Figure 4-5: Assigning Check Items and Reply Attributes to a RADIUS Profile

Step 4 To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.

For more information on specific RADIUS attributes see the next section, "RADIUS Attributes Used in User Profiles."

RADIUS Attributes Used in User Profiles

The following table lists the RADIUS attributes that are most commonly used in user profiles. This list is not an exhaustive list of the attributes supported by all vendors such as Ascend, Cisco, and Livingston and does not include any accounting attributes. This table only attempts to list the standard RADIUS attributes that are meaningful for use in a user profile. The table gives a description of each attribute and an explanation of how the attribute might be used in a user profile. Wherever applicable, special information is provided on Cisco's support for the attribute in current versions of Cisco IOS software.


Table 4-2: Common RADIUS Attributes
Attribute (Mnemonic) Description / Use in Profile
1 (User-Name) Specifies the user's name. This attribute is not commonly used in a profile. It is sometimes used, however, as a Check Item in special profiles.
2 (User-Password) Specifies the user's password. It is used to specify every password type (for example, CHAP, PAP, sdi, and so on) for RADIUS as opposed to TACACS+, which uses different password statements for different password types. Used as a Check Item in a profile.
4 (NAS-IP-Address) Identifies the NAS that is requesting authentication of the user. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the NAS the user is calling into.
5 (NAS-Port) Specifies the physical port number of the NAS that is requesting authentication of the user. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the NAS port the user is calling into if the NAS sends this attribute as part of the authentication request.
6 (Service-Type) Indicates the type of service to authorize for the user. This is the main RADIUS attribute used in defining authorization with RADIUS. It often determines which additional attributes will be specified. It is most commonly used as a Reply Attribute but in some special profiles it can be used as a Check Item.
7 (Framed-Protocol) Specifies the framing type to be used for framed access. It is used with Service-Type = Framed-User as a Reply Attribute.
8 (Framed-IP-Address) Specifies the IP address to be assigned to the user. It is used with Service-Type = Framed-User as a Reply Attribute.
9 (Framed-IP-Netmask) Indicates the IP subnet mask to be configured for the user when the user is a router. This attribute value results in a static route being added for Framed-IP-Address with the specified subnet mask. It is used with Service-Type = Framed-User as a Reply Attribute.
10 (Framed-Routing) Indicates the routing method for the user when the user is a router. Cisco IOS only supports "None" and "Send and Listen" values for this attribute. It is used with Service-Type = Framed-User as a Reply Attribute.
11 (Filter-Id) Indicates the name of the filter list for the user. It is used as a Reply Attribute in a profile.
12 (Framed-MTU) Indicates the Maximum Transmission Unit (Packet Size) to be configured for the user on the link. It can be used when the MTU is not negotiated by some other means. Cisco IOS software does not currently support this attribute. It is used with Service-Type = Framed-User as a Reply Attribute.
13 (Framed-Compression) Indicates the compression type to be used for the link. Cisco IOS software does not currently support this attribute for non-EXEC authorization. It is used with Service-Type = Framed-User as a Reply Attribute.
14 (Login-IP-Host) Indicates the host to which the user will connect when the Login-Service attribute is included. It is used with Service-Type = Login-User. It is most commonly used as a Reply Attribute but in some special profiles it can be used as a Check Item.
15 (Login-Service) Indicates the type of service that should be used to connect the user to the login host. It is used with Service-Type = Login-User as a Reply Attribute.
16 (Login-TCP-Port) Indicates the TCP port with which the user is to be connected when the Login-Service attribute is also present. It is used with Service-Type = Login-User as a Reply Attribute.
18 (Reply-Message) Displays text messages to the user. It can be used only when a "terminal window" is used during login. It is used as a Reply Attribute.
19 (Callback-Number) Specifies the number to be used by the NAS to call back the user when Callback is configured. Cisco IOS does not currently support this attribute. It is used with Service-Type = Callback-User as a Reply Attribute.
20 (Callback-Id) Indicates the name of a place to be called back by the NAS. It is the responsibility of the NAS to be able to distinguish the meaning of the name. Cisco IOS does not currently support this attribute. It is used with Service-Type = Callback-User as a Reply Attribute.
22 (Framed-Route) Provides routing information to be configured for the user on the NAS. It is used with Service-Type = Framed-User. Used as a Reply Attribute in a profile.
23 (Framed-IPX-Network) Specifies the IPX Network number to be configured for the link. It is used with Service-Type = Framed-User as a Reply Attribute.
26 (Vendor-Specific), also written vendor-Id vendor-type. Allows vendors to support their own extended attributes not suitable for general use. It is referred to as attribute 26 or vendor-Id vendor-type. Cisco has implemented a vendor-specific attribute called the cisco-avpair that has vendor type 1. Cisco's Vendor-Id is 9. See Cisco's Web site for more information. This attribute is used as a Reply Attribute.
27 (Session-Timeout) Sets the maximum number of seconds of service to be provided to the user before the session terminates. Cisco IOS does not currently support this attribute for PPP sessions. This attribute is used as a Reply Attribute.
28 (Idle-Timeout) Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. Cisco IOS does not currently support this attribute for PPP sessions. This attribute is used as a Reply Attribute.
32 (NAS-Identifier) Indicates a name for the NAS requesting authentication. Cisco IOS does not currently support this attribute. It is not commonly used in a profile, but can be used as Check Item to permit / deny based on the name of the NAS if the NAS sends this attribute as part of the authentication request. Attribute 4 (NAS-IP-Address) is more commonly sent by NASes than this attribute. The name specified must match exactly what is sent by the NAS.
34 (Login-LAT-Service) Indicates the system with which the user is to be connected by LAT. It is only used with Service-Type = Login-User and Login-Service = LAT. Cisco IOS only supports this attribute in EXEC mode. This attribute is used as a Reply Attribute.
35 (Login-LAT-Node) Indicates the node with which the user is to be automatically connected by LAT. It is only used with Service-Type = Login-User and Login-Service = LAT. This attribute is used as a Reply Attribute.
35 (Login-LAT-Group) Identifies the LAT group codes that this user is authorized to use. It is only used with Service-Type = Login-User and Login-Service = LAT. This attribute is used as a Reply Attribute.
61 (NAS-Port-Type) Indicates the type of physical port the NAS is using for the user that is requesting authentication. It is not commonly used in a profile but can be used as a Check Item to permit or deny access based on the type of port the user is dialing into if the NAS sends this attribute as part of the authentication request.

Caution Care should be taken when using any attributes besides User-Password as Check Items in a user profile. Unless all Check Items match the information that is sent by the NAS exactly, authentication will fail.

Assigning Access Control Privilege Levels

The superuser administrator can use the web privilege= attribute to assign a level of access control privilege to CiscoSecure users.

Step 1 In the CiscoSecure Administrator advanced configuration program, click the user whose access control privilege you want to assign, then click the Profile icon in the Profiles pane.

Step 2 In the options menu, click web privilege and select one of the following values.

Step 3 Click Apply and then click Submit.

Copying a Group or User Profile

Use the Copy a Profile button to add a group or user whose profile is a duplicate of an existing username or group profile:

Step 1 In the Members tabbed page of the CiscoSecure Administrator advanced configuration program, click the group or user to be copied.

Step 2 Click the Copy a Profile button.


Figure 4-6: Copy a Profile Button

Step 3 When prompted, enter the new group name or username.

Step 4 Click OK.

Step 5 The new group name or username appears in the tree.

Finding a Group or User

Use the Find a Group or User button to find a group or user profile:

Step 1 In the Members page of the CiscoSecure Administrator advanced configuration program, click the Find a Group or User button.


Figure 4-7: Find a Group or User Button

Step 2 Enter the name of the group or user to search for in the Group or User Name field.

The profile of the group or user you selected is placed in a temporary folder that appears at the top of the list of users. Use this folder as a "shortcut" to the groups or users to work with during this session.


Step 3 Repeat Step 2 as many times as necessary for the groups or users to work with during this session.

Displaying a Profile in Text Format

To display a group or user profile in text format, go to the Members tab of the CiscoSecure Administrator advanced configuration program, select the user or group profile whose text format you want to display, and click the Display a Profile button.


Figure 4-8: Display a Profile Button

Information similar to that shown in Figure 4-9 is displayed.


Figure 4-9: CiscoSecure Profile Window

The information displayed is the same information as that shown in the Profile window, but it is shown in CiscoSecure ACS 1.0 format. This information is normally used for debugging only.

Displaying a System Summary and Expired Passwords

To display a summary of the system's statistics, go to the Members tab of the CiscoSecure Administrator advanced configuration program and click the Display System Summary and Expired Passwords button. You can also click this button to display users with expired passwords by password type.


Figure 4-10: Display System Summary and Expired Passwords Button

The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 4-11.)


Figure 4-11: CiscoSecure Summary Statistics Window



To view expired passwords, click the Expired Passwords tab. See Figure 4-12.


Figure 4-12: CiscoSecure Expired Passwords Window

Moving a Profile

Use the Move a Profile button to move a group or user to a different or new group. This is useful, for example, to change an employee from one department to another.

To move a profile:

Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.

Step 2 Click the group or user to be moved.

Step 3 Click the Move a Profile button.


Figure 4-13: Move a Profile Button

Step 4 Enter the name of the destination group. The group name or user icon moves from its current group to the new one.


Note The moved group or user will inherit the attributes of the group to which it is moved.

Unlocking a Profile

Use the Unlock a Profile button to unlock a record that became locked inadvertently. When a profile is locked, a keyhole icon appears next to the group's folder icon. Profiles are locked while they are being updated; however, it is possible to have a locked record that is not in use, such as when the computer is rebooted while a profile is being updated.

To unlock a profile:

Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.

Step 2 Click the locked profile.

Step 3 Click the Unlock a Profile button. The keyhole icon disappears.


Figure 4-14: Unlock a Profile Button

Deleting a Profile Attribute

To delete a profile attribute from a group or user profile:

Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.

Step 2 Click the icon for the applicable group or user in the tree that is displayed in the Navigator (left) window.

Step 3 In the Profile window, click whatever services or attributes you require to expand the directory structure until you see the attribute you want to delete.

Step 4 Click the applicable attribute.

Step 5 Click the Delete a Profile Attribute (minus sign) icon at the top of the Profile window.


Figure 4-15: Delete a Profile Attribute Button

Step 6 Repeat Step 2 through Step 5 for each additional attribute to delete.

Step 7 When you have finished making changes, click Submit.

Editing the unknown_user Default Profile

The CiscoSecure ACS unknown_user default profile feature enables access for users not specified (unknown) in the CiscoSecure database. The unknown_user profile can support unknown users requesting authentication via both the TACACS+ and RADIUS protocols.

When you install the CiscoSecure ACS, the unknown_user profile is empty, but you can edit it to provide a default profile for non-CiscoSecure users dialing in to a supported NAS.

Edit the unknown_user default profile as follows:

Step 1 Start the CiscoSecure Administrator advanced configuration program.

Step 2 Click the Members tab.

Step 3 Deselect Browse.

Step 4 Select the unknown_user profile in the Navigator pane and click the Profile icon in the Profile pane to view the unknown_user profile configuration.

You can edit the unknown_user profile like any other user profile. See the section "Creating a User Profile in Advanced Configuration Mode" earlier in this chapter for details on assigning attributes through the CiscoSecure Administrator advanced configuration program.

Uses of the unknown_user Profile

The effect that this unknown_user profile has on unknown users dialing into the network varies depending on how the client NAS is configured. For example, the unknown_user profile shown in Figure 4-16 is not configured for RADIUS and therefore does not allow any access to unknown users who are communicating with CiscoSecure via NASes enabled for RADIUS protocol only.


Figure 4-16: Customized unknown_user Profile Configuration



For TACACS+ the default unknown_user profile shown in Figure 4-16 authenticates any users who are configured in the UNIX authentication system on which the ACS is running.

The concept of the Default Profile is useful if you already have a large number of users defined in another authentication system, such as the UNIX /etc/passwd and /etc/shadow files or a Security Dynamics, Inc. ACE Server.

The unknown_user profile enables you to grant users specified in these other authentication systems immediate access to the network without having to re-specify them in the CiscoSecure database. For example, the following default profile might be used to authorize a shell on the NAS via RADIUS for users who are configured in an ACE Server but not yet specified in the CiscoSecure database.

unknown_user = {
	radius = Cisco {
		check_items = {
			2 = sdi
		}
		reply_attributes = {
			6 = 6
		}
	}
}

Additionally, the unknown_user profile can be used to grant guest access to the network for unknown users. The following unknown_user profile might be used to allow guests to log in without a password via TACACS+:

unknown_user = {
	password = no_password
	service = shell {
	}
}

If there is no unknown_user profile declared, then users not declared in the CiscoSecure database cannot be authenticated or authorized to use any service when dialing in to the CiscoSecure ACS client NASes.


Note The attribute values assigned to the unknown_user profile never apply to users who are already configured with a CiscoSecure user profile.
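The Caution under "Assigning RADIUS Attributes to a Group or User Profile" states that RADIUS inheritance is additive, so an attribute assigned in both a group profile and a user profile reaches the NAS twice. The following Python script is an added example, not part of this guide or the CiscoSecure product: it parses profiles written in the text format shown above and reports attribute numbers that appear in both a group's and a user's RADIUS check_items or reply_attributes. The group sales, the user jsmith and the attribute values in the sample profiles are constructed for illustration.

```python
# Added example, not from the CiscoSecure documentation. RADIUS inheritance in CiscoSecure
# ACS is additive: an attribute set in both group and user profile reaches the NAS twice.
# This parses the 'name = { ... }' profile text shown in this chapter and flags such clashes.


def parse_profile(text):
    """Parse 'key = value' / 'key = [Type] {' / '}' lines into (name, nested dict).
    A block's optional Type (e.g. 'Cisco' in 'radius = Cisco {') is kept under '_type'."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.endswith("{"):
            block = {}
            if value[:-1].strip():
                block["_type"] = value[:-1].strip()
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in profile text")
    return next(iter(root.items()))


def additive_conflicts(group_text, user_text):
    """Return {section: [attribute numbers present in both profiles]}. The NAS gets the
    group's attributes plus the user's, so each shared number is sent twice."""
    _, group = parse_profile(group_text)
    _, user = parse_profile(user_text)
    conflicts = {}
    for section in ("check_items", "reply_attributes"):
        g = group.get("radius", {}).get(section, {})
        u = user.get("radius", {}).get(section, {})
        shared = (set(g) & set(u)) - {"_type"}
        conflicts[section] = sorted(shared, key=int)
    return conflicts


# Constructed sample: both the group and the user set Service-Type (attribute 6).
GROUP_PROFILE = """
sales = {
    radius = Cisco {
        reply_attributes = {
            6 = 2
            7 = 1
        }
    }
}
"""

USER_PROFILE = """
jsmith = {
    radius = Cisco {
        check_items = {
            2 = sdi
        }
        reply_attributes = {
            6 = 2
            27 = 3600
        }
    }
}
"""

if __name__ == "__main__":
    print(additive_conflicts(GROUP_PROFILE, USER_PROFILE))
```

Running the script reports attribute 6 under reply_attributes, the situation the Caution warns about; an empty list for both sections means the pair is safe under additive inheritance.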

Logging Off the CiscoSecure Administrator Interface

To exit the web-based interface, click Logoff.


Note If you are using Netscape and you want to log out of the Java-based CiscoSecure Administrator advanced configuration program, the program may require several minutes to shut down.

Copyright 1989-1998 © Cisco Systems Inc.