This chapter contains information about using the CiscoSecure Access Control Server (ACS) group profile feature and TACACS+ and RADIUS attributes to implement authentication and authorization services of network users through the CiscoSecure ACS.
This chapter covers the following topics:
The group profile feature of the CiscoSecure ACS enables you to define a common set of authentication, authorization, and accounting (AAA) requirements for a large number of users.
You can assign a group profile a set of TACACS+ or RADIUS attribute values. These attribute values assigned to the group also apply to any user who is a member or who is added as a member of that group.
To configure the CiscoSecure ACS to manage large numbers and various types of users with complex AAA requirements, Cisco recommends that you use the features of the CiscoSecure Administrator advanced configuration program to create and configure group profiles. The group profile should contain all attributes that are not specific to the user. This usually means all attributes except for the password. Then you can use the Add a User page of the CiscoSecure Administrator to quickly create simple user profiles with password attributes and assign these user profiles to the appropriate group profile.
The features and attribute values defined for a particular group then apply to, or are inherited by, its member users.
You can create a hierarchy of groups. Within a group profile, you can create child group profiles. Attribute values assigned to the parent group profile will be passed down as default values to the child group profiles.
A CiscoSecure system administrator can assign individual CiscoSecure users Group Administrator status. Group Administrator status enables individual users to administer any child group profiles and user profiles that are subordinate to their group but does not allow them to administer any groups or users that fall outside their group's hierarchy. Thus, the system administrator can parcel out the task of administering a large network to other individuals without granting each of them equal authority.
Cisco recommends that you assign individual users basic authentication attribute values that are unique to the user, that is, the attributes that define username, password, password type, and web privilege. You can assign basic authentication attribute values to your users transparently, through the HTML-based CiscoSecure ACS Edit a User or Add a User pages in the CiscoSecure ACS web interface.
Cisco recommends that you define Qualification-, Authorization-, and Accounting-related attributes at the group level.
Figure 7-1 illustrates the way these attributes are assigned to groups and users.
In this example, the group profile named "Dial-In Users" is assigned the attribute-value pairs Frame-Protocol=PPP and Service-Type=Framed.
A subset of the TACACS+ and RADIUS attributes in the CiscoSecure ACS can be assigned absolute status at group profile level. An attribute value that is enabled for absolute status and assigned at group profile level overrides any contending attribute values that may be assigned at a child group profile or member user profile level.
Within multi-level networks with possibly several levels of group administrators, absolute attributes enable a system administrator to set selected group attribute values that group administrators at lower levels cannot override.
Attributes that can be assigned absolute status will display an Absolute check box in the Attributes box of the CiscoSecure Administrator advanced configuration program. You can enable absolute status by selecting the check box. (See Figure 7-2.)

Conflicts among attribute values assigned to parent group profiles, child group profiles, and member user profiles are resolved differently, depending on whether the attribute values are absolute and whether they are TACACS+ or RADIUS attributes:
For TACACS+, you can override the availability of inherited service values by prefixing the keyword prohibit or permit to the service specification. Although default permissions exist, you can explicitly prohibit or enable particular services using the prohibit or permit keywords. The permit keyword allows specified services; the prohibit keyword disallows specified services. Using these keywords together, you can construct "everything except" configurations. For example, the following configuration allows access from all services except X.25:
```
default service = permit
prohibit service = x25
```
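The three rules just described (child profiles inherit the parent group's attribute values as defaults, an absolute value set at group level cannot be overridden below it, and service availability is set with `default service` and narrowed or widened with `prohibit`/`permit`) are modelled in the following Python example. It is an added illustration, not CiscoSecure ACS code: the profile names, attribute names and values are constructed sample data, and the rule that a service never mentioned at any level is not permitted is an assumption of the example, not something the page states.

```python
"""Resolve effective TACACS+ attributes across a CiscoSecure-style group hierarchy.

Added example, not CiscoSecure ACS code. Models three rules from the text:
  * child group and user profiles inherit the parent group's values as defaults;
  * an attribute marked absolute at a group level cannot be overridden below it;
  * 'default service = permit' can be narrowed with 'prohibit service = <name>'
    and widened again with 'permit service = <name>' at a lower level.
Profile names, attribute names and values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    name: str
    parent: Optional["Profile"] = None
    attributes: Dict[str, str] = field(default_factory=dict)   # attribute -> value
    absolute: Set[str] = field(default_factory=set)            # attributes locked at this level
    default_service: Optional[str] = None                      # "permit", "prohibit" or inherit
    permit_services: Set[str] = field(default_factory=set)
    prohibit_services: Set[str] = field(default_factory=set)

    def chain(self) -> List["Profile"]:
        """Profiles ordered from the root group down to this profile."""
        nodes, node = [], self
        while node is not None:
            nodes.append(node)
            node = node.parent
        return list(reversed(nodes))


def effective_attributes(profile: Profile) -> Dict[str, str]:
    """Walk root -> leaf; lower levels override unless a higher level locked the attribute."""
    result: Dict[str, str] = {}
    locked: Set[str] = set()
    for node in profile.chain():
        for attr, value in node.attributes.items():
            if attr in locked:
                continue          # an absolute value set above this level wins
            result[attr] = value
        locked |= node.absolute   # lock after applying this level's own values
    return result


def service_permitted(profile: Profile, service: str) -> bool:
    """Apply default/permit/prohibit statements top-down; the nearest statement wins."""
    decision: Optional[bool] = None
    for node in profile.chain():
        if node.default_service is not None:
            decision = node.default_service == "permit"
        if service in node.prohibit_services:
            decision = False
        if service in node.permit_services:
            decision = True
    return bool(decision)  # assumption: a service nobody mentions is not permitted


def build_sample_hierarchy() -> Dict[str, Profile]:
    """Constructed sample: parent group with an absolute timeout, a child group, a user."""
    dialin = Profile(
        name="Dial-In Users",
        attributes={"Frame-Protocol": "PPP", "Service-Type": "Framed", "timeout": "60"},
        absolute={"timeout"},
        default_service="permit",
        prohibit_services={"x25"},
    )
    branch = Profile(
        name="Branch Office",
        parent=dialin,
        attributes={"timeout": "600", "addr": "10.0.0.5"},   # timeout override is ignored
        prohibit_services={"arap"},
    )
    alice = Profile(
        name="alice",
        parent=branch,
        attributes={"password": 'clear "s3cret"', "addr": "10.0.0.9"},
        permit_services={"arap"},   # user re-enables a service the group prohibited
    )
    return {"dialin": dialin, "branch": branch, "alice": alice}


if __name__ == "__main__":
    h = build_sample_hierarchy()
    print(effective_attributes(h["alice"]))
    for svc in ("ppp", "x25", "arap"):
        print(svc, service_permitted(h["alice"], svc))
```

Running the block prints alice's resolved attributes (timeout stays at the group's absolute value of 60 even though the child group tried to set 600) and shows x25 prohibited while arap, prohibited at the child group, is re-permitted at the user level. Service keywords are not modelled as absolute here; only the attribute table honours the lock.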
This section describes some classes of attributes that you can apply through the CiscoSecure Administrator advanced configuration program.
One technique you can use to ensure the security of your network is to qualify users when they attempt to log on or request a service. For example, you might know that your organization intends to employ several new people beginning on a particular date. Depending on your needs, you can immediately add these new users to the CiscoSecure ACS and specify that they cannot log on until a specified date.
You can use the Java-based CiscoSecure Administrator advanced configuration program to apply qualification attributes to user profiles, group profiles, and services. If a qualification attribute is found, then its condition must be matched or the operation in progress will fail. The following defined qualification conditions are supported:

```
allow "NAS-NAME" "Port" "Remote-Address"
refuse "NAS-NAME" "Port" "Remote-Address"
```
Authentication attributes specify password strings, encryption methods, or methods of generating one-time passwords used by specific users for login.
The password keyword allows an extensible range of authentication methods, and you can install additional authentication methods by reconfiguring the CiscoSecure ACS.
CiscoSecure ACS software includes the following password or authentication method support:
You can configure password attributes to expire. For example, the DES-encrypted password shown in Figure 7-3 is valid from June 1, 1998 until December 31, 1998.

If the RADIUS sub-profile has a password, the server will use that password. If it does not, the RADIUS server will supply one according to the rules specified in Table 7-1.
Table 7-1: Password Behavior by RADIUS Servers

| NAS Sends Attribute | Use the RADIUS Password |
|---|---|
| 2 User password | One-time password (OTP), file (UNIX, shadow, or file), PAP. |
| 3 CHAP password | CHAP (Note that users cannot enter the CHAP password in a profile). |
| 181 Ascend ARA password | ARAP (Note that ARAP applies only to Ascend routers, not to Cisco IOS software.) |
Users can change their own CLEAR, CHAP, or PAP passwords if they have the appropriate privilege levels.
When users change their own passwords, they must supply as few as 6 and as many as 13 characters. Of those characters, at least 1 number and 1 letter are required.
To assign a new minimum privilege level for changing your own password through the NAS via TACACS+, add or modify the following statement in the CSU.cfg file:
```
number config_priv_level_for_own_chpass=1;
```
Restart the access control server.
The CiscoSecure ACS software checks passwords when they are changed to make sure that easily guessed or deciphered passwords are not used.
You can establish global default settings for the name of the NAS and port of the caller, as well as set them up for individual services, commands, and protocols. System Administrators can also set time-of-day and day-of-week restrictions, allowing them to control access to highly contended or expensive resources during periods of demand. For example, if you are using the TACACS+ protocol, you can use a declaration that allows the Telnet command to be used at any time on weekends and outside normal office hours.
The CiscoSecure ACS software also allows for multiple declarations of the same service, protocol, or command. Because each declaration can include different attributes and qualifications, administrators can place restrictions on users that take effect only at certain times or under certain conditions.
This section provides a list of service attributes and the corresponding protocol values. It also provides an example of how to set a service attribute.
The CiscoSecure ACS supports all 4 service attributes available to dial-in users:
After the NAS has authorized the user for a specified service, the CiscoSecure ACS returns a list of attribute-value pairs appropriate for that service to the NAS. For each service, several attribute-value pairs are generally available depending on the configurability of the service.
To view the available attribute pairs, use the Java-based CiscoSecure ACS Administrator advanced configuration program to toggle between the Profile window and Options menu to specify attributes. For example, to view the attribute-value pairs for PPP, you would perform the following steps while in the CiscoSecure ACS Administrator and operating with administrator privileges:
Step 1 For a specified user, select Service - PPP from the Options menu and click Apply.
Step 2 While Service - PPP is selected under Profile, select Protocol and click Apply.
Step 3 Cascade the Service - PPP icon under Profile to view the Protocol icon.
Step 4 From the upper portion of the Profile window, click the Protocol icon.
Step 5 From the lower portion of the Profile window, click the Protocol tab. You see the available protocols, which are described in the following section.
```
cmd=telnet
set acl=2
set outacl=4
set addr=1.2.3.4
set timeout=60
set autocmd="telnet gem.com"
set noescape=true
set nohangup=true
set zonelist=5
ip address-pool local
ip local pool moo 1.0.0.1 1.0.0.10
ip local pool baz 2.0.0.1 2.0.0.20
int bri0 peer default_ip
```

```
service=ppp protocol=ip {
set route = "<dst_addr> <mask> [ <gateway> ]"
}
set callback-rotary=34
set callback-dialstring=408-555-1212
set callback-line = 1
set nocallback-verify=1
```

With the RADIUS protocol, authentication and authorization are not separate. See the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide for more information on authorization attributes for RADIUS.
The following section shows sample configurations for group profiles assigned TACACS+ and RADIUS attributes.
This section shows how to configure some sample profiles for TACACS+ groups.
Follow these general steps to configure a profile for a group using a PPP dial-up connection using IP or an ISDN connection:
Step 1 Add a new group: tacgroup1.
Step 2 Add a CHAP or PAP password to the profile.
Step 3 Add SERVICE=PPP to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
Step 5 Add the IPX protocol if needed:
Follow these general steps to configure a Simple Async SLIP group profile:
Step 1 Add a new group: tacgroup2.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SLIP to the profile.
Step 4 Add the following Protocol Set under SERVICE=PPP:
Follow these general steps to configure a Simple Async Shell group profile:
Step 1 Add a new group: tacgroup3.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set under SERVICE=PPP:
Follow these general steps to configure a group profile for Simple Async Shell that will issue an autocommand:
Step 1 Add a new group: tacgroup4.
Step 2 Add a CLEAR password to the profile.
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
This section contains sample configurations of profiles for RADIUS groups.
Groups can use more than one protocol; for example, ISDN from home and Frame Relay from a branch office, as long as the profiles are the same except for the protocol. The NAS the group dials in to is a determining factor for which protocol is used.
Follow these general steps to configure a Simple Asynchronous PPP group profile:
Step 1 Add a new group: ciscoasync.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the Reply Attributes and Checked Items in Table 7-2.
| Attribute No. | Attribute | Value No. | Value |
|---|---|---|---|
| Reply Attributes | | | |
| 2 | User-Service-Type | 2 | Framed-User (enumeration) |
| 1 | Framed-Protocol | | PPP (enumeration) |
| Checked Items | | | |
| 2 | Password | | dialup (actual password) |
Follow these general steps to configure a Simple ISDN group profile:
Step 1 Add a new group: ciscoisdn.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 7-3.
| Attribute No. | Attribute | Value No. | Value |
|---|---|---|---|
| Reply Attributes | | | |
| 2 | User-Service-Type | 2 | Framed-User (enumeration) |
| 1 | Framed-Protocol | | PPP (enumeration) |
| Checked Items | | | |
| 2 | Password | | isdnuser (actual password) |
Follow these general steps to configure a minimum profile for an Async SLIP group profile:
Step 1 Add a new group: ciscoslip.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 7-4.
| Attribute No. | Attribute | Value No. | Value |
|---|---|---|---|
| Reply Attributes | | | |
| 2 | User-Service-Type | 2 | Login-User (enumeration) |
| 1 | Framed-Protocol | | SLIP (enumeration) |
| Checked Items | | | |
| 2 | Password | | dialupslip (actual password) |
Follow these general steps to configure a minimum profile for an Asynchronous Telnet Shell group profile:
Step 1 Add a new group: ciscoshell.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 7-5.
| Attribute No. | Attribute | Value No. | Value |
|---|---|---|---|
| Reply Attributes | | | |
| 2 | User-Service-Type | 2 | Shell-User (enumeration) |
| Checked Items | | | |
| 2 | Password | | dialupshell (actual password) |
Follow these general steps to configure a minimum profile for an Asynchronous Telnet group profile:
Step 1 Add a new group: ciscotelnet.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 7-6.
| Attribute No. | Attribute | Value No. | Value |
|---|---|---|---|
| Reply Attributes | | | |
| 2 | User-Service-Type | 2 | Login-User (enumeration) |
| 14 | Login-Host | | 200.200.200.210 (ipaddrs) |
| 15 | Login-Service | 0 | Telnet (enumeration) |
| 16 | Login-TCP-Port | 23 | (port ID-integer) |
| Checked Items | | | |
| 2 | Password | | dialuptelnet (actual password) |
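The RADIUS group profiles in Tables 7-2 through 7-6 each split into Checked Items, which must match what the NAS sent, and Reply Attributes, which are returned in the Access-Accept. The following Python example, added here and not part of the CiscoSecure ACS software, models that split for three of the groups and encodes the reply attributes as on-the-wire RADIUS type/length/value triples. The attribute type codes and enumeration values it uses are the standard ones from RFC 2865 (Service-Type = 6, Framed-Protocol = 7, Login-IP-Host = 14, Login-Service = 15, Login-TCP-Port = 16), which is the wire encoding rather than the dictionary numbering shown in the tables; the group names and passwords are the sample values from the tables, and the example assumes the NAS password has already been recovered from the request (the RADIUS User-Password hiding step is not shown).

```python
"""Turn a CiscoSecure-style RADIUS group profile into an Access-Accept attribute list.

Added example, not CiscoSecure ACS code. "Checked Items" must match the request;
"Reply Attributes" are encoded as RFC 2865 TLVs (type, length, value) for the
Access-Accept. Type codes and enumerations below are the RFC 2865 values, not
the dictionary numbers printed in the tables. Group names and passwords are the
constructed sample values from Tables 7-2, 7-4 and 7-6.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# RFC 2865 attribute type codes and enumerated values
TYPE_CODES = {"Service-Type": 6, "Framed-Protocol": 7, "Login-IP-Host": 14,
              "Login-Service": 15, "Login-TCP-Port": 16}
SERVICE_TYPE = {"Login-User": 1, "Framed-User": 2}
FRAMED_PROTOCOL = {"PPP": 1, "SLIP": 2}
LOGIN_SERVICE = {"Telnet": 0}

# Constructed group profiles mirroring the tables above
GROUPS = {
    "ciscoasync": {
        "checked": {"Password": "dialup"},
        "reply": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"},
    },
    "ciscoslip": {
        "checked": {"Password": "dialupslip"},
        "reply": {"Service-Type": "Login-User", "Framed-Protocol": "SLIP"},
    },
    "ciscotelnet": {
        "checked": {"Password": "dialuptelnet"},
        "reply": {"Service-Type": "Login-User", "Login-IP-Host": "200.200.200.210",
                  "Login-Service": "Telnet", "Login-TCP-Port": 23},
    },
}


def encode_attribute(name: str, value) -> bytes:
    """Encode one attribute as RFC 2865 TLV: type (1 byte), length (1 byte), value."""
    if name == "Service-Type":
        payload = struct.pack("!I", SERVICE_TYPE[value])
    elif name == "Framed-Protocol":
        payload = struct.pack("!I", FRAMED_PROTOCOL[value])
    elif name == "Login-Service":
        payload = struct.pack("!I", LOGIN_SERVICE[value])
    elif name == "Login-TCP-Port":
        payload = struct.pack("!I", int(value))
    elif name == "Login-IP-Host":
        payload = ipaddress.IPv4Address(value).packed
    else:
        raise ValueError(f"unsupported attribute {name}")
    return struct.pack("!BB", TYPE_CODES[name], 2 + len(payload)) + payload


def authorize(group: str, request: Dict[str, str]) -> Tuple[str, List[bytes]]:
    """Accept only when every checked item matches the request; then build the reply TLVs."""
    profile = GROUPS[group]
    for item, expected in profile["checked"].items():
        if request.get(item) != expected:
            return "Access-Reject", []
    tlvs = [encode_attribute(name, value) for name, value in profile["reply"].items()]
    return "Access-Accept", tlvs


if __name__ == "__main__":
    status, tlvs = authorize("ciscotelnet", {"Password": "dialuptelnet"})
    print(status, [t.hex() for t in tlvs])
```

Each TLV is type, total length (2 plus the payload), then the payload: integers and enumerations are 4-byte big-endian, and Login-IP-Host is the 4-byte address, so the Telnet group yields four 6-byte attributes.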
The system administrator can use the Java-based CiscoSecure Administrator advanced configuration program to enable the Filter attributes: Allow and Refuse. The Allow and Refuse attributes enable the system administrator to allow or refuse users or groups of users access to specific TTY ports or ranges of TTY ports on specific NASes.
Step 1 In the Java-based CiscoSecure Administrator advanced configuration program, select the user or group whose NAS and port access you want to filter and click the Profile icon.
Step 2 In the Options menu, click Filter and click Apply.
Step 3 Click the Filter icon and in the Permission menu, select either Allow or Refuse and click Apply.
Step 4 Click the Filter tab and fill out the following fields:
| Field | Description |
|---|---|
| NAS | The IP Address or the FQDN of the NAS to which you want to allow or refuse access. Standard UNIX regular expression pattern matching syntax conventions apply. Example: To specify access to the NAS at IP address 10.8.1.176, enter: `^10\.8\.1\.176$` |
| Port | The port on the specified NAS through which you want to allow or refuse access. Standard UNIX regular expression pattern matching syntax conventions apply. Example: To specify access through TTY ports tty0, tty1, tty2, tty3, enter: `^tty[0-3]$` |
| Remote Address (optional) | Remote IP addresses through which you can allow or refuse access to the target NAS whose IP address or FQDN you specified in the NAS field. Standard UNIX regular expression pattern matching syntax conventions apply. Example: To specify access to the target NAS through remote IP address 10.98.12.180, enter: `^10\.98\.12\.180$` |
Step 5 Repeat Step 2 through Step 4 for any other filter you want to specify.
Step 6 When you have specified all the filters to apply to this profile, click Submit.
In the following NAS filtering profile example:
```
user = boscotam {
    service = shell {
        default cmd = permit
        default attribute = permit
    }
    profile_id = 137
    profile_cycle = 1
    password = clear "*************"
    allow "^10\.8\.1\.176$" "tty([0-9]|10)$"
    allow "^10\.8\.1\.176$" "tty(2[1-9]|30)$"
    refuse "^10\.8\.1\.176$" "tty(1[1-9]|20)$"
    refuse "^171\.68\.118\.238$" ".*"
    refuse "apps-comm1\.xyz\.zcorp\.com" ".*"
}
```
If your phone line and equipment support caller ID, TACACS+ and RADIUS support for caller ID allows you to base profiles on the calling number, rather than the username being passed. Identifying users by their telephone number is especially useful for accounting purposes because you can directly bill charges according to the calling number.
To configure support for caller ID:
Step 1 Create a new user profile and enter a designated telephone number instead of a username.
The following example shows a user profile configured for caller ID:
```
user = 5551212
password = chap01
```
Step 2 Edit the $BASEDIR/config/CSU.cfg file. Verify that the following settings and values are entered:
In this case, if a user dials in to the NAS, the NAS passes the user's information including "rem_addr (5551212)" to the CiscoSecure ACS. The CiscoSecure ACS first attempts to authenticate the user based on the username field, but in this case, the user is not in the CiscoSecure database. However, because the user profile contains the caller ID, the CiscoSecure ACS uses the rem_addr (5551212) to index into the database.
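The two lookup behaviours described in this chapter, the NAS/port filter lines of the boscotam profile and the fallback to rem_addr when the username is not in the database, are put together in the following Python example. It is an added illustration and not CiscoSecure ACS code. Several details are assumptions of the example rather than statements from the page: filter lines are checked in the order written and the first matching line decides; a profile that has filter lines but none that match refuses the request; a profile with no filter lines allows it; and the Remote-Address pattern is matched against rem_addr. The usernames, NAS addresses, port names and calling number are constructed sample data taken from the page's own examples.

```python
"""Profile lookup with caller-ID fallback, then allow/refuse NAS/port filtering.

Added example, not CiscoSecure ACS code. Assumptions (not stated on the page):
filter lines are evaluated in profile order with the first match deciding, a
profile with filters but no matching line refuses, a profile without filters
allows, and the optional Remote-Address regex is matched against rem_addr.
The database contents are constructed sample data from the page's examples.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Filter:
    action: str          # "allow" or "refuse"
    nas: str             # regex matched against the NAS address or FQDN
    port: str            # regex matched against the TTY port name
    remote: str = ".*"   # optional Remote-Address regex, matched against rem_addr


@dataclass
class UserProfile:
    name: str
    filters: List[Filter] = field(default_factory=list)


# Constructed database: boscotam carries the filter lines from the profile above;
# 5551212 is a caller-ID profile keyed by calling number instead of username.
DATABASE: Dict[str, UserProfile] = {
    "boscotam": UserProfile("boscotam", [
        Filter("allow",  r"^10\.8\.1\.176$", r"tty([0-9]|10)$"),
        Filter("allow",  r"^10\.8\.1\.176$", r"tty(2[1-9]|30)$"),
        Filter("refuse", r"^10\.8\.1\.176$", r"tty(1[1-9]|20)$"),
        Filter("refuse", r"^171\.68\.118\.238$", r".*"),
        Filter("refuse", r"apps-comm1\.xyz\.zcorp\.com", r".*"),
    ]),
    "5551212": UserProfile("5551212"),
}


def lookup_profile(username: str, rem_addr: str) -> Optional[UserProfile]:
    """Try the username first; if it is not in the database, index on rem_addr."""
    return DATABASE.get(username) or DATABASE.get(rem_addr)


def filter_decision(profile: UserProfile, nas: str, port: str, rem_addr: str) -> bool:
    """First filter line whose three patterns all match decides; none matching refuses."""
    if not profile.filters:
        return True
    for f in profile.filters:
        if (re.search(f.nas, nas) and re.search(f.port, port)
                and re.search(f.remote, rem_addr)):
            return f.action == "allow"
    return False


def authorize(username: str, nas: str, port: str, rem_addr: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one NAS login request."""
    profile = lookup_profile(username, rem_addr)
    if profile is None:
        return False, "no profile for username or rem_addr"
    return filter_decision(profile, nas, port, rem_addr), f"matched profile {profile.name}"


if __name__ == "__main__":
    for args in (("boscotam", "10.8.1.176", "tty5", "10.98.12.180"),
                 ("boscotam", "10.8.1.176", "tty15", "10.98.12.180"),
                 ("unknown", "10.8.1.176", "tty0", "5551212")):
        print(args, authorize(*args))
```

The patterns are applied with `re.search` so that each line's own `^` and `$` anchors decide how much of the NAS name or port must match, exactly as the regular expressions in the profile are written; a pattern without anchors, such as `tty([0-9]|10)$`, still matches `tty10` but not `tty15`, which then falls through to the refuse line for tty11 through tty20.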