Strategies for Applying Attributes

This chapter contains information about using the CiscoSecure Access Control Server (ACS) group profile feature and TACACS+ and RADIUS attributes to implement authentication and authorization services of network users through the CiscoSecure ACS.

Note For information on implementing the accounting feature of the CiscoSecure ACS, see the chapter " CiscoSecure ACS Accounting."

Planning Attributes for Groups and Users

The group profile feature of the CiscoSecure ACS enables you to define a common set of authentication, authorization, and accounting (AAA) requirements for a large number of users.

You can assign a group profile a set of TACACS+ or RADIUS attribute values. These attribute values assigned to the group also apply to any user who is a member or who is added as a member of that group.

Using the Group Profile Feature Effectively

To configure the CiscoSecure ACS to manage large numbers and various types of users with complex AAA requirements, Cisco recommends that you use the features of the CiscoSecure Administrator advanced configuration program to create and configure group profiles. The group profile should contain all attributes that are not specific to the user. This usually means all attributes except for the password. Then you can use the Add a User page of the CiscoSecure Administrator to quickly create simple user profiles with password attributes and assign these user profiles to the appropriate group profile.

The features and attribute values defined for a particular group then apply to, or are inherited by, its member users.

Parent Groups and Child Groups

You can create a hierarchy of groups. Within a group profile, you can create child group profiles. Attribute values assigned to the parent group profile will be passed down as default values to the child group profiles.

Group Level Administration

A CiscoSecure system administrator can assign individual CiscoSecure users Group Administrator status. Group Administrator status enables individual users to administer any child group profiles and user profiles that are subordinate to their group but does not allow them to administer any groups or users that fall outside their group's hierarchy. Thus, the system administrator can parcel out the task of administering a large network to other individuals without granting each of them equal authority.

What Attributes Do I Define for Individual Users?

Cisco recommends that you assign individual users basic authentication attribute values that are unique to the user, those attributes that define username, password, password type, and web privilege. You can assign basic authentication attribute values to your users transparently, through the HTML-based CiscoSecure ACS Edit a User or Add a User pages in the CiscoSecure ACS web interface.

What Attributes Do I Define for Group Profiles?

Cisco recommends that you define Qualification-, Authorization-, and Accounting-related attributes at the group level.

Figure 8-1 illustrates the way these attributes are assigned to groups and users.

In this example, the group profile named "Dial-In Users" is assigned the attribute-value pairs Frame-Protocol=PPP and Service-Type=Framed.

What are Absolute Attributes?

A subset of the TACACS+ and RADIUS attributes in the CiscoSecure ACS can be assigned absolute status at group profile level. An attribute value enabled for absolute status that has been assigned at group profile level, overrides any contending attribute values that may be assigned at a child group profile or member user profile level.

Within multi-level networks with possibly several levels of group administrators, absolute attributes enable a system administrator to set selected group attribute values that group administrators at lower levels cannot override.

Attributes that can be assigned absolute status will display an Absolute check box in the Attributes box of the CiscoSecure Administrator advanced configuration program. You can enable absolute status by selecting the check box. (See Figure 8-2.)

Can Group Attribute Values and User Attribute Values Conflict?

Conflicts among attribute values assigned to parent group profiles, child group profiles, and member user profiles are resolved differently, depending on whether the attribute values are absolute and whether they are TACACS+ or RADIUS attributes:

•

If TACACS+ or RADIUS attribute values assigned to a group profile have absolute status enabled, those values override any contending attribute values set at a child group or user profile level.

•

If a TACACS+ attribute value's absolute status is not enabled at the group profile level, it is overridden by any contending attribute value set at a child group or user profile level.

•

If a RADIUS attribute value's absolute status is not enabled at the parent group level, then any contending attribute values set at a child group result in an unpredictable outcome. When defining RADIUS attribute values for a group and its member users, you must take care to avoid assigning the same attribute to both the user and group profiles.

Using the Prohibit and Permit Options

For TACACS+, you can override the availability of inherited service values by prefixing the keyword prohibit or permit to the service specification. Although default permissions exist, you can explicitly prohibit or enable particular services using the prohibit or permit keywords. The permit keyword allows specified services; the prohibit keyword disallows specified services. Using these keywords together, you can construct "everything except" configurations. For example, the following configuration allows access from all services except X.25:

Applying TACACS+ and RADIUS Attributes

This section describes some classes of attributes that you can apply through the CiscoSecure Administrator advanced configuration program.

Applying Qualification Attributes

One technique you can use to ensure the security of your network is to qualify users when they attempt to log on or request a service. For example, you might know that your organization intends to employ several new people beginning on a particular date. Depending on your needs, you can immediately add these new users to the CiscoSecure ACS and specify that they cannot log on until a specified date.

You can use the Java-based CiscoSecure Administrator advanced configuration program to apply qualification attributes user profiles, group profiles, and services. If a qualification attribute is found, then its condition must be matched or the operation in progress will fail. The following defined qualification conditions are supported:

•

expires—(TACACS+ only) No operation involving this entity can succeed after the date specified. You can apply this attribute to User and Group profiles and services through the CiscoSecure Administrator attributes window.

•

time—(TACACS+ only) No operation involving this entity can succeed outside the specified time or day period. You can apply this attribute to User and Group profiles and services through the CiscoSecure Administrator attributes window.

•

valid—(TACACS+ only) No operation involving this entity can succeed before the specified date. You can apply this attribute to User and Group profiles and services through the CiscoSecure Administrator attributes window.

•

allow expression(s)—Permit operations involving this entity when performed from a port or network access server (NAS) combination that matches the specified regular expressions. When applied, this attribute sends a command of the following syntax to the client NAS:

Note

Regular expressions only work for TACACS+. RADIUS only uses the NAS-NAME parameter.

•

refuse expression(s)—Deny operations involving this entity when performed from a port or NAS combination that matches the specified regular expressions. When applied, this attribute sends a command of the following syntax to the client NAS.

Note

Regular expressions only work for TACACS+. RADIUS only uses the NAS-NAME parameter.

Authentication Attributes

Authentication attributes specify password strings, encryption methods, or methods of generating one-time passwords used by specific users for login.

Supported Password Types

The password keyword allows an extensible range of authentication methods, and you can install additional authentication methods by reconfiguring the CiscoSecure ACS.

CiscoSecure ACS software includes the following password or authentication method support:

Password Expiration

You can configure password attributes to expire. You set expiry_period in CSU.cfg. The until date of the clear text password is updated upon password change; however, PAP, CHAP, and other types of passwords are not updated.

Sample Password Expiration

For example, the DES-encrypted password shown in Figure 8-3 is valid from June 1, 1998 until December 31, 1998.

Password Expiration Notification

In order for users to receive notification that their password has expired, you must use one of the following statements:

Changing the password, either via the web or pressing enter at password prompt, invokes the expiry_period and warning_period statements in the CSU.cfg file.

For a warning message to display, the user's profile must have either the "Expires" attribute specified, or the password must have the "until" date specified in the _password_ section of the profile. There must not be a "from" date.

Incrementing the Expiration Date When Password Changes

When a user's password is changed through the CiscoSecure Administrator GUI, the new expiration date is incremented by the value of the RADIUS Attribute 208 (Password-Lifetime), if Attribute 21 (Password-Expiration) and Attribute 208 are present.

Password Behavior by RADIUS Servers

If the RADIUS sub-profile has a password, the server will use that password. If it does not, the RADIUS server will supply one according to the rules specified in Table 8-1.

Table 8-1 Password Behavior by RADIUS Servers
NAS Sends Attribute	Use the RADIUS Password
2 User password	One-time password (OTP), file (UNIX, shadow, or file), PAP.
3 CHAP password	CHAP (Note that users cannot enter the CHAP password in a profile).
181 Ascend ARA password	ARAP (Note that ARAP applies only to Ascend routers, not to Cisco IOS software.)

Password Expiration with RADIUS Servers

CiscoSecure ACS supports the password expiration attribute (Ascend attribute 21) compatible with Ascend RADIUS servers. The RADIUS server checks the RADIUS sub-profile first. If it finds an expired password, it stops checking. If the password was chosen from the RADIUS profile section, the time limit for the chosen password entry is applied. See the previous section "Password Behavior by RADIUS Servers" to find which password is applied.

Enabling Users to Change their Personal Passwords

Users can change their own CLEAR, CHAP, or PAP passwords if they have the appropriate privilege levels.

To enable users to change their own passwords, you must enable Privilege = Web and assign a privilege level in their user profiles. (See "Quick Editing a User Profile" in the chapter, "Simple User and ACS Management" or "Assigning Access Control Privilege Levels" in the chapter, "Advanced Group and User Management," for details.) Additionally, you must provide the users with the URL of the web-based interface for the CiscoSecure ACS.

When users change their own passwords, they must supply as few as 6 and as many as 13 characters. Of those characters, at least 1 number and 1 letter are required.

Assigning a New Privilege Level for Changing your Password via TACACS+

To assign a new minimum privilege level for changing your own password through the NAS via TACACS+, add or modify the following statement in the CSU.cfg file:

The CiscoSecure ACS software checks passwords when they are changed to make sure that easily guessed or deciphered passwords are not used.

Authorization in the CiscoSecure ACS (TACACS+ Only)

You can establish global default settings for the name of the NAS and port of the caller, as well as set them up for individual services, commands, and protocols. System Administrators can also set time-of-day and day-of-week restrictions, allowing them to control access to highly contended or expensive resources during periods of demand. For example, if you are using the TACACS+ protocol, you can use a declaration that allows the Telnet command to be used at any time on weekends and outside normal office hours.

The CiscoSecure ACS software also allows for multiple declarations of the same service, protocol, or command. Because each declaration can include different attributes and qualifications, administrators can place restrictions on users that take effect only at certain times or under certain conditions.

Authorization Attribute-Value Pairs

This section provides a list of service attributes and the corresponding protocol values. It also provides an example of how to set a service attribute.

The CiscoSecure ACS supports all four service attributes available to dial-in users:

After the NAS has authorized the user for a specified service, the CiscoSecure ACS returns a list of attribute-value pairs appropriate for that service to the NAS. For each service, several attribute-value pairs are generally available depending on the configurability of the service.

To view the available attribute pairs, use the Java-based CiscoSecure ACS Administrator advanced configuration program to toggle between the Profile window and Options menu to specify attributes. For example, to view the attribute-value pairs for PPP, you would perform the following steps while in the CiscoSecure ACS Administrator and operating with administrator privileges:

Step 1

For a specified user, select Service - PPP from the Options menu and click Apply.

Step 2

While Service - PPP is selected under Profile, select Protocol and click Apply.

Step 3

Cascade the Service - PPP icon under Profile to view the Protocol icon.

Step 4

From the upper portion of the Profile window, click the Protocol icon.

Step 5

From the lower portion of the Profile window, click the Protocol tab. You see the available protocols, which are described in the following section.

Note

The authorization attribute-value pairs documented here are supported by NASs running Cisco IOS Release 10.3(3) or greater, except where noted.

•

protocol=lcp—Used with service=ppp. The lower layer of Point-to-Point Protocol (PPP), always brought up before IP, Internetwork Packet Exchange (IPX), or another protocol capable of running under PPP is brought up.

•

protocol=ip—Used with service=ppp and service=slip to indicate which protocol layer is being authorized.

•

protocol=ipx—Used with service=ppp to indicate which protocol layer is being authorized.

•

protocol=vpdn—Used with service=ppp to set up VPDN tunneling communication with remote NAS sites.

•

protocol=unknown—Used for undefined or unsupported conditions. The use of this pairing should not occur under normal circumstances.

•

cmd (EXEC)—Used with service=shell and cmd=NULL. If the value of cmd is NULL; for example, the attribute-value pair is cmd*, then this is an authorization request for starting an EXEC command.

If cmd has a value other than NULL, this is a command authorization request. It contains the name of the command being authorized. When applied, this attribute issues a NAS command such as the following:

•

acl (ARAP, EXEC)—Used with service=arap and service=shell. For AppleTalk Remote Access Protocol (ARAP) this contains an access-list number. For EXEC authorization, acl contains an access-class number. When applied, this attribute issues a NAS command such as the following:

•

inacl (PPP/IP)—Used with service=ppp, service=SLIP and protocol=ip. This attribute-value pair contains an inbound IP access list for SLIP or PPP/IP, for example, inacl=3.

The access list must be preconfigured on the Cisco NAS. Per-user access lists do not currently work with Integrated Services Digital Network (ISDN) interfaces.

•

outacl (PPP/IP, PPP/IPX)—This attribute-value pair contains an IP or IPX output access-list number for SLIP, PPP/IP, or PPP/IPX connections. When applied, this attribute issues a NAS command such as the following:

The access list must be preconfigured on the Cisco NAS. Per-user access lists do not currently work with ISDN interfaces. PPP/IPX is supported only in Cisco IOS Release 11.1 and greater.

•

addr (SLIP, PPP/IP)—The IP address of the remote host should be assigned when using a SLIP or PPP/IP connection. When applied, this attribute issues a NAS command such as the following:

•

routing (SLIP, PPP/IP)—Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the routing flag in SLIP and PPP commands. Can either be true or false.

Used with service=arap. The number of minutes before an ARA session disconnects—for example, timeout=120.

•

autocmd (EXEC)—Used with service=shell and cmd=NULL. Specifies a command to be automatically executed at EXEC startup—for example, autocmd=telnet server1.far.com.

•

noescape (EXEC)—Used with service=shell and cmd=NULL. Specifies noescape (users cannot use the escape character), equivalent to the noescape option in the username configuration command. Can be either true or false—for example, noescape=true.

•

nohangup (EXEC)—Used with service=shell and cmd=NULL. Specifies a nohangup option, equivalent to the option for the username command. Can be either true or false, for example—nohangup=false.

•

priv-lvl (EXEC)—Used with service=shell and cmd=NULL. Specifies the privilege level for a command authorization. Can be any number from 0 to 15—for example, priv-lvl=15.

•

zonelist (ARAP)—Used with service=arap. An AppleTalk zonelist for ARAP equivalent to the line configuration command ARAP zonelist. Specifies an AppleTalk zonelist for the ARA protocol—for example, zonelist=8.

•

addr-pool (supported in Cisco IOS Release 11.0 and greater, PPP/IP, SLIP)—Used with service=ppp and protocol=ip. Specifies the name of a local address pool from which to get the address of the remote host.

Note

The attribute-value pair "addr-pool" works in conjunction with local pooling. It specifies the name of a local pool (which needs to be preconfigured on the NAS).

Use the ip-local pool IOS configuration command to declare local pools, such as those on the NAS, as follows:

You can indicate from which address pool you want to get this remote node's address. As shown in Figure 8-4, you can use the TACACS+ protocol to return addr-pool=moo or set addr-pool=baz.

•

route (supported in Cisco IOS Release 11.1 or greater, PPP/IP, SLIP)—This attribute-value pair specifies a route to be applied to an interface.

During network authorization, the "route" attribute can be used to specify a per-user static route, to be installed by means of TACACS+. Cisco IOS Release 11.2(4)F and greater support more than one route attribute.

This indicates a temporary static route that is to be applied. The parameters <dst_address>, <mask> and [<gateway>] are expected to be in the usual dotted-decimal notation, with meanings that are the same as the familiar ip route configuration command on a NAS.

•

callback-rotary (supported in Cisco IOS Release 11.1 and greater, valid for ARAP, EXEC, SLIP or PPP)—The number of a rotary group (from 0 to 100, inclusive) to use for callback. When applied, this attribute issues a NAS command such as the following:

•

callback-dialstring (supported in Cisco IOS Release 11.1 and greater, valid for ARAP, EXEC, SLIP or PPP)—Sets the telephone number for a callback.When applied, this attribute issues a NAS command such as the following:

•

callback-line (supported in Cisco IOS Release 11.1 and greater, valid for ARAP, EXEC, SLIP or PPP). When applied, this attribute issues a NAS command such as the following:

•

nocallback-verify—The number of a tty line to use for callback, for example, nocallback-verify (supported in Cisco IOS Release 11.1 or greater, valid for ARAP, EXEC, SLIP or PPP). Indicates that no callback verification is required. The only valid value for this parameter is the digit 1. When applied, this attribute issues a NAS command such as the following:

•

idletime (supported in Cisco IOS Release 11.1 and greater, EXEC)—Sets a value, in minutes, after which an idle session will be terminated.

•

tunnel-id (supported in Cisco IOS Release 11.2 and greater, PPP/Virtual Private Dialup Network [VPDN] )—This attribute-value pair specifies the username that will be used to authenticate the tunnel over which the individual user multiplex-ID will be projected. This is analogous to the "NAS name" in the vpdn outgoing command.

•

ip-addresses (supported in Cisco IOS Release 11.2 and greater, PPP/VPDN)—This is a space-separated list of possible IP addresses that can be used for the endpoint of the tunnel. Must be wrapped in double quotation marks.

Authorization for RADIUS

Sample Profiles and Attribute Assignments

The following section shows sample configurations for group profiles assigned TACACS+ and RADIUS attributes.

Sample TACACS+ Group Profiles

PPP Dial-Up Connection: IP-Only Group Profile or Simple ISDN Group Profile—Sample Configuration

To configure a profile for a group using a PPP dial-up connection using IP or an ISDN connection:

Note NAS support requirements—Be sure to have your Cisco network access server (NAS) set for AAA, modem access, PPP encapsulation, and the CHAP or PAP authentication method.

Simple Async SLIP Group Profile—Sample Configuration

Note NAS support requirements—Be sure to have your Cisco NAS set for AAA, modem access, and SLIP encapsulation.

Simple Async Shell Group Profile—Sample Configuration

Note NAS support requirements—Be sure to have your Cisco NAS set for AAA with login.

Simple Async Shell Group Profile to Issue an Autocommand—Sample Configuration

To configure a group profile for Simple Async Shell that will issue an autocommand:

Note NAS support requirements—Be sure to have your Cisco NAS set for AAA and to enable Authorization EXEC.

Sample RADIUS Group Profile Configurations

Groups can use more than one protocol; for example, ISDN from home and Frame Relay from a branch office, as long as the profiles are the same except for the protocol. The NAS the group dials in to is a determining factor for which protocol is used.

Simple Asynchronous PPP Group Profile—Sample Configuration

Table 8-2 Simple Asynchronous PPP Group Profile
	Attributes		Value
	Reply Attributes
2	User-Service-Type	2	Framed-User (enumeration)
1	Framed-Protocol		PPP (enumeration)
	Checked Items
2	Password		dialup (actual password)

Note NAS support requirements—Be sure to have your Cisco NAS set for AAA, modem access, and PPP encapsulation.

Simple ISDN Group Profile—Sample Configuration

Table 8-3 Simple ISDN Group Profile
	Attributes		Value
	Reply Attributes
2	User-Service-Type	2	Framed-User (enumeration)
1	Framed-Protocol		PPP (enumeration)
	Checked Items
2	Password		isdnuser (actual password)

Note NAS support requirements—Be sure to have your Cisco NAS set for AAA service, PPP encapsulation, and ISDN.

Simple Asynchronous SLIP Group Profile—Sample Configuration

Table 8-4 Simple Asynchronous SLIP Group Profile
	Attributes		Value
	Reply Attributes
2	User-Service-Type	2	Login-User (enumeration)
1	Framed-Protocol		SLIP (enumeration)
	Checked Items
2	Password		dialupslip (actual password)

Simple Asynchronous Telnet Shell Group Profile—Sample Configuration

Follow these general steps to configure a minimum profile for an Asynchronous Telnet Shell group profile:

Table 8-5 Simple Asynchronous Telnet Shell Group Profile
	Attributes		Value
	Reply Attributes
2	User-Service-Type	2	Shell-User (enumeration)
	Checked Items
2	Password		dialupshell (actual password)

Note NAS support requirements—Be sure to have your Cisco NAS set for AAA, with login, tty lines, and modem access.

Simple Asynchronous Telnet Group Profile—Sample Configuration

Follow these general steps to configure a minimum profile for an Asynchronous Telnet group profile:

Table 8-6 Simple Asynchronous Telnet Group Profile
	Attributes		Value
	Reply Attributes
2	User-Service-Type	2	Login-User (enumeration)
14	Login-Host		200.200.200.210 (ipaddrs)
15	Login-Service	0	Telnet (enumeration)
16	Login-TCP-Por	23	(port ID-integer)
	Checked Items
2	Password		dialuptelnet (actual password)

Note NAS support requirements—Be sure to have your Cisco NAS set for login and modem access. Use this profile for autologin to a different host.

NAS Address and NAS Port Filtering Profile—Sample Configuration

The system administrator can use the Java-based CiscoSecure Administrator advanced configuration program to enable the Filter attributes: Allow and Refuse. The Allow and Refuse attributes enable the system administrator to allow or refuse users or groups of users access to specific TTY ports or ranges of TTY ports on specific NASes.

Note When specifying the NAS IP addresses and TTY port numbers, the administrator should follow regular expressions, the UNIX standard pattern matching syntax conventions.

Step 1

In the Java-based CiscoSecure Administrator advanced configuration program, select the user or group whose NAS and port access you want to filter and click the Profile icon.

Step 3

Click the Filter icon and in the Permission menu, select either Allow or Refuse and click Apply.

Table 8-7 Filter Tab Fields
Field	Description
NAS	The IP Address or the FQDN of the NAS to which you want to allow or refuse access. Standard UNIX regular expression pattern matching syntax conventions apply. For example: To specify access to the NAS at IP address 10.8.1.176, enter: ^10\.8\.1\.176$
Port	The port on the specified NAS through which you want to allow or refuse access. Standard UNIX regular expression pattern matching syntax conventions apply. For example: To specify access through TTY ports, tty0, tty1, tty2,tty3, enter: ^tty[0-3]$
Remote Address (optional)	Remote IP addresses through which you can allow or refuse access to the target NAS whose IP address or FQDN you specified in the NAS field. Standard UNIX regular expression pattern matching syntax conventions apply. For example: To specify access to the target NAS through remote IP address 10.98.12.180, enter: ^10\.98\.12\.180$

Step 5

Repeat Step 2 through Step 4 for any other filter you want to specify.

Step 6

When you have specified all the filters to apply to this profile, click Submit.

•

The Allow filter attributes enable user boscotam to log in and run shell sessions on the NAS at IP address 10.8.1.176 through TTY ports tty0-tty10, and tty21-tty30.

•

The Refuse filter attributes block user boscotam from running shell sessions at IP address 10.8.1.176 through TTY ports tty11-tty20, or through any TTY ports on the NASes located at IP address 171.68.118.238, or at apps_comm1.xyz.zcorp.com.

Note The standard UNIX pattern characters, ^, \, and $ are inserted in this example to prevent misinterpretation of the IP addresses and TTY port ranges. For example, if the \ character were not inserted before the periods in the IP addresses, then under standard UNIX pattern matching, the periods would be interpreted as wildcard characters, thus enabling user boscotam to run shell sessions not only on the NAS at 10.8.1.176, but also at addresses not necessarily intended.

Caller ID Profile—Sample Configuration

If your phone line and equipment support caller ID, TACACS+ and RADIUS support for caller ID allows you to base profiles on the calling number, rather than the username being passed. Identifying users by their telephone number is especially useful for accounting purposes because you can directly bill charges according to the calling number.

Step 1

Create a new user profile and enter a designated telephone number instead of a username.

Step 2

Edit the $BASEDIR/config/CSU.cfg file. Verify that the following settings and values are entered:

In this case, if a user dials in to the NAS, the NAS passes the user's information including "rem_addr (5551212)" to the CiscoSecure ACS. The CiscoSecure ACS first attempts to authenticate the user based on the username field, but in this case, the user is not in the CiscoSecure database. However, because the user profile contains the caller ID, the CiscoSecure ACS uses the rem_addr (5551212) to index into the database.

Table Of Contents