Table Of Contents
Strategies for Applying Attributes
Planning Attributes for Groups and Users
Using the Group Profile Feature Effectively
Parent Groups and Child Groups
What Attributes Do I Define for Individual Users?
What Attributes Do I Define for Group Profiles?
Can Group Attribute Values and User Attribute Values Conflict?
Using the Prohibit and Permit Options
Applying TACACS+ and RADIUS Attributes
Applying Qualification Attributes
Authorization in the CiscoSecure ACS (TACACS+ Only)
Sample Profiles and Attribute Assignments
Sample RADIUS Group Profile Configurations
Strategies for Applying Attributes
This chapter contains information about using the CiscoSecure Access Control Server (ACS) group profile feature and TACACS+ and RADIUS attributes to implement authentication and authorization services of network users through the CiscoSecure ACS.
Note For information on implementing the accounting feature of the CiscoSecure ACS, see the chapter "CiscoSecure ACS Accounting."
This chapter covers the following topics:
• Planning Attributes for Groups and Users
• Applying TACACS+ and RADIUS Attributes
• Sample Profiles and Attribute Assignments
Planning Attributes for Groups and Users
The group profile feature of the CiscoSecure ACS enables you to define a common set of authentication, authorization, and accounting (AAA) requirements for a large number of users.
You can assign a group profile a set of TACACS+ or RADIUS attribute values. These attribute values assigned to the group also apply to any user who is a member or who is added as a member of that group.
Using the Group Profile Feature Effectively
To configure the CiscoSecure ACS to manage large numbers and various types of users with complex AAA requirements, Cisco recommends that you use the features of the CiscoSecure Administrator advanced configuration program to create and configure group profiles. The group profile should contain all attributes that are not specific to the user. This usually means all attributes except for the password. Then you can use the Add a User page of the CiscoSecure Administrator to quickly create simple user profiles with password attributes and assign these user profiles to the appropriate group profile.
The features and attribute values defined for a particular group then apply to, or are inherited by, its member users.
Parent Groups and Child Groups
You can create a hierarchy of groups. Within a group profile, you can create child group profiles. Attribute values assigned to the parent group profile will be passed down as default values to the child group profiles.
Group Level Administration
A CiscoSecure system administrator can assign individual CiscoSecure users Group Administrator status. Group Administrator status enables individual users to administer any child group profiles and user profiles that are subordinate to their group but does not allow them to administer any groups or users that fall outside their group's hierarchy. Thus, the system administrator can parcel out the task of administering a large network to other individuals without granting each of them equal authority.
What Attributes Do I Define for Individual Users?
Cisco recommends that you assign individual users basic authentication attribute values that are unique to the user, those attributes that define username, password, password type, and web privilege. You can assign basic authentication attribute values to your users transparently, through the HTML-based CiscoSecure ACS Edit a User or Add a User pages in the CiscoSecure ACS web interface.
What Attributes Do I Define for Group Profiles?
Cisco recommends that you define Qualification-, Authorization-, and Accounting-related attributes at the group level.
Figure 8-1 illustrates the way these attributes are assigned to groups and users.
Figure 8-1 Group and User Attributes
In this example, the group profile named "Dial-In Users" is assigned the attribute-value pairs Frame-Protocol=PPP and Service-Type=Framed.
What are Absolute Attributes?
A subset of the TACACS+ and RADIUS attributes in the CiscoSecure ACS can be assigned absolute status at group profile level. An attribute value that has absolute status enabled at group profile level overrides any contending attribute values assigned at a child group profile or member user profile level.
Within multi-level networks with possibly several levels of group administrators, absolute attributes enable a system administrator to set selected group attribute values that group administrators at lower levels cannot override.
Attributes that can be assigned absolute status will display an Absolute check box in the Attributes box of the CiscoSecure Administrator advanced configuration program. You can enable absolute status by selecting the check box. (See Figure 8-2.)
Figure 8-2 An Attribute Value Assigned Absolute Status
Can Group Attribute Values and User Attribute Values Conflict?
Conflicts among attribute values assigned to parent group profiles, child group profiles, and member user profiles are resolved differently, depending on whether the attribute values are absolute and whether they are TACACS+ or RADIUS attributes:
•If TACACS+ or RADIUS attribute values assigned to a group profile have absolute status enabled, those values override any contending attribute values set at a child group or user profile level.
•If a TACACS+ attribute value's absolute status is not enabled at the group profile level, it is overridden by any contending attribute value set at a child group or user profile level.
•If a RADIUS attribute value's absolute status is not enabled at the parent group level, then any contending attribute values set at a child group result in an unpredictable outcome. When defining RADIUS attribute values for a group and its member users, you must take care to avoid assigning the same attribute to both the user and group profiles.
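The three rules above can be checked mechanically before a profile hierarchy is deployed. The following Python model is an added example, not CiscoSecure code: the Attr and Profile classes, the resolve() and radius_conflicts() functions, and the sample "Dial-In Users" hierarchy are constructed for this illustration. It walks parent group, child group and user in order, lets an absolute group value win, lets a lower-level TACACS+ value override an inherited one, and reports a non-absolute RADIUS value assigned at two levels instead of guessing the outcome.

```python
"""Model of how the CiscoSecure ACS resolves attribute values inherited from a
parent group through child groups to a member user.  Added illustration, not
ACS code: Attr, Profile, resolve(), radius_conflicts() and the sample
hierarchy are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TACACS, RADIUS = "tacacs+", "radius"


@dataclass
class Attr:
    value: str
    protocol: str           # TACACS or RADIUS
    absolute: bool = False  # the Absolute check box; meaningful on groups only


@dataclass
class Profile:
    name: str
    attrs: Dict[str, Attr] = field(default_factory=dict)
    is_group: bool = True


def _walk(chain: List[Profile]) -> Tuple[Dict[str, Attr], List[str]]:
    """Walk parent group -> child groups -> user, applying the inheritance rules."""
    effective: Dict[str, Attr] = {}
    origin: Dict[str, str] = {}   # which profile supplied the effective value
    locked = set()                # names fixed by an absolute group value
    conflicts: List[str] = []     # non-absolute RADIUS values set at two levels
    for profile in chain:
        for name, attr in profile.attrs.items():
            if name in locked:
                # rule 1: an absolute value set higher up overrides this one
                continue
            if name in effective and attr.protocol == RADIUS:
                # rule 3: a RADIUS value contended without absolute status gives
                # an unpredictable result in the ACS, so report it instead
                conflicts.append(f"{name}: {origin[name]} vs {profile.name}")
            # rule 2 (TACACS+): the lower-level value overrides the inherited one
            effective[name] = attr
            origin[name] = profile.name
            if profile.is_group and attr.absolute:
                locked.add(name)
    return effective, conflicts


def resolve(chain: List[Profile]) -> Dict[str, str]:
    """Return name -> effective value; raises if the chain is unpredictable."""
    effective, conflicts = _walk(chain)
    if conflicts:
        raise ValueError("unpredictable RADIUS attribute conflicts: " + "; ".join(conflicts))
    return {name: attr.value for name, attr in effective.items()}


def radius_conflicts(chain: List[Profile]) -> List[str]:
    """List RADIUS attributes assigned at two levels without absolute status."""
    return _walk(chain)[1]


# Constructed sample hierarchy: the "Dial-In Users" group of Figure 8-1,
# a child group, and one member user.
DIAL_IN = Profile("Dial-In Users", {
    "Service-Type": Attr("Framed", RADIUS, absolute=True),
    "Framed-Protocol": Attr("PPP", RADIUS),
    "priv-lvl": Attr("1", TACACS),
})
CONTRACTORS = Profile("Contractors", {"priv-lvl": Attr("7", TACACS)})
ALICE = Profile("alice", {
    "Service-Type": Attr("Login", RADIUS),  # loses to the absolute group value
    "priv-lvl": Attr("15", TACACS),         # TACACS+, not absolute above: user wins
}, is_group=False)

if __name__ == "__main__":
    print(resolve([DIAL_IN, CONTRACTORS, ALICE]))
    bob = Profile("bob", {"Framed-Protocol": Attr("SLIP", RADIUS)}, is_group=False)
    print(radius_conflicts([DIAL_IN, bob]))
```

Running radius_conflicts() over every user in a group before assigning RADIUS attributes at both levels is the check the last bullet asks for.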
Using the Prohibit and Permit Options
For TACACS+, you can override the availability of inherited service values by prefixing the keyword prohibit or permit to the service specification. Although default permissions exist, you can explicitly prohibit or enable particular services using the prohibit or permit keywords. The permit keyword allows specified services; the prohibit keyword disallows specified services. Using these keywords together, you can construct "everything except" configurations. For example, the following configuration allows access from all services except X.25:
default service = permit
prohibit service = x25
Applying TACACS+ and RADIUS Attributes
This section describes some classes of attributes that you can apply through the CiscoSecure Administrator advanced configuration program.
Applying Qualification Attributes
One technique you can use to ensure the security of your network is to qualify users when they attempt to log on or request a service. For example, you might know that your organization intends to employ several new people beginning on a particular date. Depending on your needs, you can immediately add these new users to the CiscoSecure ACS and specify that they cannot log on until a specified date.
You can use the Java-based CiscoSecure Administrator advanced configuration program to apply qualification attributes to user profiles, group profiles, and services. If a qualification attribute is found, its condition must be matched or the operation in progress fails. The following qualification conditions are supported:
•expires—(TACACS+ only) No operation involving this entity can succeed after the date specified. You can apply this attribute to User and Group profiles and services through the CiscoSecure Administrator attributes window.
•time—(TACACS+ only) No operation involving this entity can succeed outside the specified time or day period. You can apply this attribute to User and Group profiles and services through the CiscoSecure Administrator attributes window.
•valid—(TACACS+ only) No operation involving this entity can succeed before the specified date. You can apply this attribute to User and Group profiles and services through the CiscoSecure Administrator attributes window.
•allow expression(s)—Permit operations involving this entity when performed from a port or network access server (NAS) combination that matches the specified regular expressions. When applied, this attribute sends a command of the following syntax to the client NAS:
allow "NAS-NAME" "Port" "Remote-Address"
Note Regular expressions only work for TACACS+. RADIUS only uses the NAS-NAME parameter.
•refuse expression(s)—Deny operations involving this entity when performed from a port or NAS combination that matches the specified regular expressions. When applied, this attribute sends a command of the following syntax to the client NAS.
refuse "NAS-NAME" "Port" "Remote-Address"
Note Regular expressions only work for TACACS+. RADIUS only uses the NAS-NAME parameter.
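The permit/prohibit keywords described under "Using the Prohibit and Permit Options" and the expires, valid and time qualifications above together decide whether a TACACS+ service request succeeds. The following decision logic is an added example, not ACS code. The default service, permit service and prohibit service lines follow the chapter; the valid=/expires= ISO date syntax, the time = Mon-Fri 0800-1800 syntax, the deny-by-default fallback when no default service line is present, and the function names are assumptions made for this example.

```python
"""TACACS+ service authorization decision: qualification conditions first,
then explicit permit/prohibit lines, then the default.  Added example, not
CiscoSecure code; the date/time syntax below is this example's own."""
from datetime import date, datetime
import re

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed profile fragment: everything except X.25, office hours only,
# between the two dates used in the password-expiration figure.
SAMPLE_PROFILE = """
default service = permit
prohibit service = x25
valid = 1998-06-01
expires = 1998-12-31
time = Mon-Fri 0800-1800
"""


def parse_profile(text: str) -> dict:
    """Read the profile lines into a rule set (deny by default if unspecified)."""
    rules = {"default": "prohibit", "permit": set(), "prohibit": set(),
             "valid": None, "expires": None, "time": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"default service\s*=\s*(permit|prohibit)", line)
        if m:
            rules["default"] = m.group(1)
            continue
        m = re.fullmatch(r"(permit|prohibit) service\s*=\s*(\S+)", line)
        if m:
            rules[m.group(1)].add(m.group(2))
            continue
        m = re.fullmatch(r"(valid|expires)\s*=\s*(\d{4}-\d{2}-\d{2})", line)
        if m:
            rules[m.group(1)] = date.fromisoformat(m.group(2))
            continue
        m = re.fullmatch(r"time\s*=\s*(\w{3})-(\w{3})\s+(\d{4})-(\d{4})", line)
        if m:
            rules["time"] = (DAYS.index(m.group(1)), DAYS.index(m.group(2)),
                             int(m.group(3)), int(m.group(4)))
            continue
        raise ValueError(f"unrecognised profile line: {line!r}")
    return rules


def authorize(rules: dict, service: str, now: datetime):
    """Return (allowed, reason) for a service request made at `now`."""
    today = now.date()
    if rules["valid"] and today < rules["valid"]:
        return False, "not yet valid"          # valid: nothing succeeds before the date
    if rules["expires"] and today > rules["expires"]:
        return False, "expired"                # expires: nothing succeeds after the date
    if rules["time"]:
        first_day, last_day, start, end = rules["time"]
        hhmm = now.hour * 100 + now.minute
        if not (first_day <= now.weekday() <= last_day and start <= hhmm < end):
            return False, "outside permitted time window"
    if service in rules["prohibit"]:
        return False, "explicitly prohibited"  # prohibit beats the default
    if service in rules["permit"]:
        return True, "explicitly permitted"
    return rules["default"] == "permit", f"default service = {rules['default']}"


if __name__ == "__main__":
    rules = parse_profile(SAMPLE_PROFILE)
    for svc, when in [("ppp", datetime(1998, 7, 15, 10, 0)),
                      ("x25", datetime(1998, 7, 15, 10, 0)),
                      ("ppp", datetime(1998, 7, 18, 10, 0))]:
        print(svc, when, authorize(rules, svc, when))
```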
Authentication Attributes
Authentication attributes specify password strings, encryption methods, or methods of generating one-time passwords used by specific users for login.
Supported Password Types
The password keyword allows an extensible range of authentication methods, and you can install additional authentication methods by reconfiguring the CiscoSecure ACS.
CiscoSecure ACS software includes the following password or authentication method support:
•DES
•Clear
•No password
•File
•System
•SafeWord
•PAP
•CHAP
•ARAP
•S/Key
•CRYPTOCard
•SDI
Password Expiration
You can configure password attributes to expire. You set expiry_period in CSU.cfg. The until date of the clear text password is updated upon password change; however, PAP, CHAP, and other types of passwords are not updated.
Sample Password Expiration
For example, the DES-encrypted password shown in Figure 8-3 is valid from June 1, 1998 until December 31, 1998.
Figure 8-3 Password Expiration
Password Expiration Notification
In order for users to receive notification that their password has expired, you must use one of the following statements:
•config_expiry_period
•config_warning_period
Changing the password, either through the web interface or by pressing Enter at the password prompt, invokes the expiry_period and warning_period statements in the CSU.cfg file.
For a warning message to display, the user's profile must have either the "Expires" attribute specified, or the password must have the "until" date specified in the _password_ section of the profile. There must not be a "from" date.
Incrementing the Expiration Date When Password Changes
When a user's password is changed through the CiscoSecure Administrator GUI, the new expiration date is incremented by the value of the RADIUS Attribute 208 (Password-Lifetime), if Attribute 21 (Password-Expiration) and Attribute 208 are present.
Password Behavior by RADIUS Servers
If the RADIUS sub-profile has a password, the server will use that password. If it does not, the RADIUS server will supply one according to the rules specified in Table 8-1.
Password Expiration with RADIUS Servers
CiscoSecure ACS supports the password expiration attribute (Ascend attribute 21) compatible with Ascend RADIUS servers. The RADIUS server checks the RADIUS sub-profile first. If it finds an expired password, it stops checking. If the password was chosen from the RADIUS profile section, the time limit for the chosen password entry is applied. See the previous section "Password Behavior by RADIUS Servers" to find which password is applied.
Enabling Users to Change their Personal Passwords
Users can change their own CLEAR, CHAP, or PAP passwords if they have the appropriate privilege levels.
To enable users to change their own passwords, you must enable Privilege = Web and assign a privilege level in their user profiles. (See "Quick Editing a User Profile" in the chapter, "Simple User and ACS Management" or "Assigning Access Control Privilege Levels" in the chapter, "Advanced Group and User Management," for details.) Additionally, you must provide the users with the URL of the web-based interface for the CiscoSecure ACS.
When users change their own passwords, the new password must be between 6 and 13 characters long and must contain at least one number and one letter.
Assigning a New Privilege Level for Changing your Password via TACACS+
To assign a new minimum privilege level for changing your own password through the NAS via TACACS+, add or modify the following statement in the CSU.cfg file:
number config_priv_level_for_own_chpass=1;
Restart the access control server.
The CiscoSecure ACS software checks passwords when they are changed to make sure that easily guessed or deciphered passwords are not used.
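The rules for a self-service password change given above (Privilege = Web plus a privilege level, a 6 to 13 character password containing a number and a letter, and the Attribute 21 / Attribute 208 expiration update from "Incrementing the Expiration Date When Password Changes") are small enough to model end to end. The following Python is an added example, not CiscoSecure code. The profile dictionary layout, the function names, and the reading of Password-Lifetime as a number of days counted from the change date are assumptions of this example; the ACS's own checks for easily guessed passwords are not described on this page and are not modelled.

```python
"""Self-service password change: privilege check, composition rules, and the
Password-Expiration / Password-Lifetime update.  Added example, not
CiscoSecure code; profile layout and lifetime units are assumed."""
from datetime import date, timedelta
import re

MIN_LEN, MAX_LEN = 6, 13


def check_new_password(candidate: str) -> list:
    """Return the rule violations for a proposed password (empty = acceptable)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[0-9]", candidate):
        problems.append("at least one number required")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("at least one letter required")
    return problems


def next_expiration(radius_attrs: dict, changed_on: date):
    """Apply the Attribute 21 / Attribute 208 rule; None means no expiration is set."""
    expiration = radius_attrs.get("Password-Expiration")  # Attribute 21
    lifetime = radius_attrs.get("Password-Lifetime")      # Attribute 208
    if expiration is None:
        return None
    if lifetime is None:
        return expiration   # without a lifetime the existing date is kept
    # assumption: lifetime is in days and is counted from the change date
    return changed_on + timedelta(days=int(lifetime))


def change_password(profile: dict, new_password: str, today: date) -> dict:
    """Perform the change on `profile` in place and report the outcome."""
    if profile.get("privilege") != "web" or profile.get("priv_level") is None:
        return {"ok": False, "reason": "Privilege = Web and a privilege level are required"}
    problems = check_new_password(new_password)
    if problems:
        return {"ok": False, "reason": "; ".join(problems)}
    profile["password"] = new_password
    radius = profile.setdefault("radius", {})
    new_exp = next_expiration(radius, today)
    if new_exp is not None:
        radius["Password-Expiration"] = new_exp
    return {"ok": True, "reason": "password changed", "expires": new_exp}


# Constructed sample user profile and change date
SAMPLE_USER = {
    "username": "alice",
    "privilege": "web",
    "priv_level": 1,
    "password": "old1pass",
    "radius": {"Password-Expiration": date(1998, 6, 1), "Password-Lifetime": 90},
}
CHANGE_DATE = date(1998, 6, 1)

if __name__ == "__main__":
    print(change_password(dict(SAMPLE_USER), "new2pass", CHANGE_DATE))
```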
Authorization in the CiscoSecure ACS (TACACS+ Only)
You can establish global default settings for the name of the NAS and port of the caller, as well as set them up for individual services, commands, and protocols. System Administrators can also set time-of-day and day-of-week restrictions, allowing them to control access to highly contended or expensive resources during periods of demand. For example, if you are using the TACACS+ protocol, you can use a declaration that allows the Telnet command to be used at any time on weekends and outside normal office hours.
The CiscoSecure ACS software also allows for multiple declarations of the same service, protocol, or command. Because each declaration can include different attributes and qualifications, administrators can place restrictions on users that take effect only at certain times or under certain conditions.
Authorization Attribute-Value Pairs
This section provides a list of service attributes and the corresponding protocol values. It also provides an example of how to set a service attribute.
The CiscoSecure ACS supports all four service attributes available to dial-in users:
•service=arap
•service=shell (for exec startup, as well as for command authorizations)
•service=ppp
•service=slip
After the NAS has authorized the user for a specified service, the CiscoSecure ACS returns a list of attribute-value pairs appropriate for that service to the NAS. For each service, several attribute-value pairs are generally available depending on the configurability of the service.
To view the available attribute pairs, use the Java-based CiscoSecure ACS Administrator advanced configuration program to toggle between the Profile window and Options menu to specify attributes. For example, to view the attribute-value pairs for PPP, you would perform the following steps while in the CiscoSecure ACS Administrator and operating with administrator privileges:
Step 1 For a specified user, select Service - PPP from the Options menu and click Apply.
Step 2 While Service - PPP is selected under Profile, select Protocol and click Apply.
Step 3 Cascade the Service - PPP icon under Profile to view the Protocol icon.
Step 4 From the upper portion of the Profile window, click the Protocol icon.
Step 5 From the lower portion of the Profile window, click the Protocol tab. You see the available protocols, which are described in the following section.
Note The authorization attribute-value pairs documented here are supported by NASs running Cisco IOS Release 10.3(3) or greater, except where noted.
•protocol=lcp—Used with service=ppp. The lower layer of Point-to-Point Protocol (PPP), always brought up before IP, Internetwork Packet Exchange (IPX), or another protocol capable of running under PPP is brought up.
•protocol=ip—Used with service=ppp and service=slip to indicate which protocol layer is being authorized.
•protocol=ipx—Used with service=ppp to indicate which protocol layer is being authorized.
•protocol=atalk—Used with service=ppp or service=arap.
•protocol=vpdn—Used with service=ppp to set up VPDN tunneling communication with remote NAS sites.
•protocol=unknown—Used for undefined or unsupported conditions. The use of this pairing should not occur under normal circumstances.
•cmd (EXEC)—Used with service=shell and cmd=NULL. If the value of cmd is NULL (for example, the attribute-value pair is cmd*), this is an authorization request for starting an EXEC session.
If cmd has a value other than NULL, this is a command authorization request. It contains the name of the command being authorized. When applied, this attribute issues a NAS command such as the following:
cmd=telnet
•acl (ARAP, EXEC)—Used with service=arap and service=shell. For AppleTalk Remote Access Protocol (ARAP) this contains an access-list number. For EXEC authorization, acl contains an access-class number. When applied, this attribute issues a NAS command such as the following:
set acl=2
•inacl (PPP/IP)—Used with service=ppp, service=SLIP and protocol=ip. This attribute-value pair contains an inbound IP access list for SLIP or PPP/IP, for example, inacl=3.
The access list must be preconfigured on the Cisco NAS. Per-user access lists do not currently work with Integrated Services Digital Network (ISDN) interfaces.
•outacl (PPP/IP, PPP/IPX)—This attribute-value pair contains an IP or IPX output access-list number for SLIP, PPP/IP, or PPP/IPX connections. When applied, this attribute issues a NAS command such as the following:
set outacl=4
The access list must be preconfigured on the Cisco NAS. Per-user access lists do not currently work with ISDN interfaces. PPP/IPX is supported only in Cisco IOS Release 11.1 and greater.
•addr (SLIP, PPP/IP)—The IP address of the remote host should be assigned when using a SLIP or PPP/IP connection. When applied, this attribute issues a NAS command such as the following:
set addr=1.2.3.4
•routing (SLIP, PPP/IP)—Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the routing flag in SLIP and PPP commands. Can either be true or false.
•timeout (supported in Cisco IOS Release 11.0 and greater, ARAP, EXEC)—Used with service=arap. The number of minutes before an ARA session disconnects—for example, timeout=120.
When applied, this attribute issues a NAS command such as the following:
set timeout=60
•autocmd (EXEC)—Used with service=shell and cmd=NULL. Specifies a command to be automatically executed at EXEC startup—for example, autocmd=telnet server1.far.com.
When applied, this attribute issues a NAS command such as the following:
set autocmd="telnet gem.com"
•noescape (EXEC)—Used with service=shell and cmd=NULL. Specifies noescape (users cannot use the escape character), equivalent to the noescape option in the username configuration command. Can be either true or false—for example, noescape=true.
When applied, this attribute issues a NAS command such as the following:
set noescape=true
•nohangup (EXEC)—Used with service=shell and cmd=NULL. Specifies a nohangup option, equivalent to the option for the username command. Can be either true or false, for example—nohangup=false.
When applied, this attribute issues a NAS command such as the following:
set nohangup=true
•priv-lvl (EXEC)—Used with service=shell and cmd=NULL. Specifies the privilege level for a command authorization. Can be any number from 0 to 15—for example, priv-lvl=15.
•zonelist (ARAP)—Used with service=arap. An AppleTalk zonelist for ARAP equivalent to the line configuration command ARAP zonelist. Specifies an AppleTalk zonelist for the ARA protocol—for example, zonelist=8.
When applied, this attribute issues a NAS command such as the following:
set zonelist=5
•addr-pool (supported in Cisco IOS Release 11.0 and greater, PPP/IP, SLIP)—Used with service=ppp and protocol=ip. Specifies the name of a local address pool from which to get the address of the remote host.
Note The attribute-value pair "addr-pool" works in conjunction with local pooling. It specifies the name of a local pool (which needs to be preconfigured on the NAS).
Use the ip-local pool IOS configuration command to declare local pools, such as those on the NAS, as follows:
ip address-pool local
ip local pool moo 1.0.0.1 1.0.0.10
ip local pool baz 2.0.0.1 2.0.0.20
int bri0
peer default_ip
You can indicate from which address pool you want to get this remote node's address. As shown in Figure 8-4, you can use the TACACS+ protocol to return addr-pool=moo or set addr-pool=baz.
Figure 8-4 Address Pool Example
•route (supported in Cisco IOS Release 11.1 or greater, PPP/IP, SLIP)—This attribute-value pair specifies a route to be applied to an interface.
During network authorization, the "route" attribute can be used to specify a per-user static route, to be installed by means of TACACS+. Cisco IOS Release 11.2(4)F and greater support more than one route attribute.
The daemon-side declaration is as follows:
service=ppp protocol=ip {
    set route = "<dst_addr> <mask> [ <gateway> ]"
}
This indicates a temporary static route that is to be applied. The parameters <dst_addr>, <mask> and [<gateway>] are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a NAS.
If the gateway is omitted, the peer's address is interpreted as the gateway.
The route is expunged after the connection terminates.
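The route attribute value has a fixed shape, and two of its rules (an omitted gateway means the peer's address; more than one route attribute may appear from Cisco IOS Release 11.2(4)F) are easy to get wrong when generating or auditing profiles. The following parser is an added example, not NAS or ACS code. It validates each field as dotted decimal, rejects a destination with host bits set under the mask (as the ip route command would), substitutes the peer address for a missing gateway, and collects every route attribute from a reply. The Route tuple, the peer_addr parameter and the function names are this example's own.

```python
"""Parser for the TACACS+ `route` attribute: "<dst_addr> <mask> [ <gateway> ]".
Added example, not Cisco code; Route, peer_addr and the function names are
assumptions of the example."""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    destination: str
    mask: str
    gateway: str


def parse_route(value: str, peer_addr: str) -> Route:
    """Turn one route attribute value into the route the NAS would install."""
    fields = value.strip().strip('"').split()
    if len(fields) not in (2, 3):
        raise ValueError(f"expected '<dst_addr> <mask> [<gateway>]', got {value!r}")
    dst, mask = fields[0], fields[1]
    # gateway omitted: the peer's own address is interpreted as the gateway
    gateway = fields[2] if len(fields) == 3 else peer_addr
    for f in (dst, mask, gateway):
        ipaddress.IPv4Address(f)      # raises on anything not dotted-decimal IPv4
    # strict=True rejects host bits under the mask and non-contiguous masks
    ipaddress.IPv4Network((dst, mask), strict=True)
    return Route(dst, mask, gateway)


def is_valid_route(value: str, peer_addr: str) -> bool:
    """True when parse_route() accepts the value."""
    try:
        parse_route(value, peer_addr)
        return True
    except ValueError:
        return False


def routes_from_reply(av_lines: List[str], peer_addr: str) -> List[Route]:
    """Collect every `route` (or `set route`) attribute from authorization reply lines."""
    routes = []
    for line in av_lines:
        key, sep, val = line.partition("=")
        key = key.strip()
        if key.startswith("set "):
            key = key[4:].strip()
        if sep and key == "route":
            routes.append(parse_route(val, peer_addr))
    return routes


if __name__ == "__main__":
    # Constructed reply: the peer's address from `addr`, then two routes,
    # one without an explicit gateway.
    reply = ["set addr=1.2.3.4",
             'set route = "10.1.2.0 255.255.255.0"',
             'set route = "172.16.0.0 255.255.0.0 10.0.0.1"']
    for route in routes_from_reply(reply, "1.2.3.4"):
        print(route)
```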
•callback-rotary (supported in Cisco IOS Release 11.1 and greater, valid for ARAP, EXEC, SLIP or PPP)—The number of a rotary group (from 0 to 100, inclusive) to use for callback. When applied, this attribute issues a NAS command such as the following:
set callback-rotary=34
•callback-dialstring (supported in Cisco IOS Release 11.1 and greater, valid for ARAP, EXEC, SLIP or PPP)—Sets the telephone number for a callback. When applied, this attribute issues a NAS command such as the following:
set callback-dialstring=408-555-1212
•callback-line (supported in Cisco IOS Release 11.1 and greater, valid for ARAP, EXEC, SLIP or PPP)—The number of a tty line to use for callback. When applied, this attribute issues a NAS command such as the following:
set callback-line = 1
•nocallback-verify (supported in Cisco IOS Release 11.1 or greater, valid for ARAP, EXEC, SLIP or PPP)—Indicates that no callback verification is required. The only valid value for this parameter is the digit 1. When applied, this attribute issues a NAS command such as the following:
set nocallback-verify=1
•idletime (supported in Cisco IOS Release 11.1 and greater, EXEC)—Sets a value, in minutes, after which an idle session will be terminated.
Note The idletime attribute does not work for PPP.
•tunnel-id (supported in Cisco IOS Release 11.2 and greater, PPP/Virtual Private Dialup Network [VPDN] )—This attribute-value pair specifies the username that will be used to authenticate the tunnel over which the individual user multiplex-ID will be projected. This is analogous to the "NAS name" in the vpdn outgoing command.
•ip-addresses (supported in Cisco IOS Release 11.2 and greater, PPP/VPDN)—This is a space-separated list of possible IP addresses that can be used for the endpoint of the tunnel. Must be wrapped in double quotation marks.
Authorization for RADIUS
With the RADIUS protocol, authentication and authorization are not separate. See "RADIUS Attribute-Value Pairs and Dictionary Management," for more information on authorization attributes for RADIUS.
Sample Profiles and Attribute Assignments
The following section shows sample configurations for group profiles assigned TACACS+ and RADIUS attributes.
Sample TACACS+ Group Profiles
This section shows how to configure some sample profiles for TACACS+ groups.
PPP Dial-Up Connection: IP-Only Group Profile or Simple ISDN Group Profile—Sample Configuration
To configure a profile for a group using a PPP dial-up connection using IP or an ISDN connection:
Step 1 Add a new group: tacgroup1.
Step 2 Add a CHAP or PAP password to the profile.
•Password = chap mypass1 or Password = pap mypass1
Step 3 Add SERVICE=PPP to the profile.
Step 4 Add the following protocol set(s) under SERVICE=PPP:
•Service=ppp
Protocol = lcp
default attribute = permit
•Protocol = ip
default attribute = permit
Step 5 Add the IPX protocol if needed:
•Protocol = ipx
default attribute = permit
Note NAS support requirements—Be sure to have your Cisco network access server (NAS) set for AAA, modem access, PPP encapsulation, and the CHAP or PAP authentication method.
Simple Async SLIP Group Profile—Sample Configuration
To configure a Simple Async SLIP group profile:
Step 1 Add a new group: tacgroup2.
Step 2 Add a CLEAR password to the profile.
•Password = clear mypass2
Step 3 Add SERVICE=SLIP to the profile.
Step 4 Add the following protocol set under SERVICE=SLIP:
•Service=slip
default attribute = permit
Note NAS support requirements—Be sure to have your Cisco NAS set for AAA, modem access, and SLIP encapsulation.
Simple Async Shell Group Profile—Sample Configuration
To configure a Simple Async Shell group profile:
Step 1 Add a new group: tacgroup3.
Step 2 Add a CLEAR password to the profile.
•Password = clear mypass3
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set under SERVICE=SHELL:
•Service=shell
default attribute = permit
Note NAS support requirements—Be sure to have your Cisco NAS set for AAA with login.
Simple Async Shell Group Profile to Issue an Autocommand—Sample Configuration
To configure a group profile for Simple Async Shell that will issue an autocommand:
Step 1 Add a new group: tacgroup4.
Step 2 Add a CLEAR password to the profile.
•Password = clear mypass4
Step 3 Add SERVICE=SHELL to the profile.
Step 4 Add the following protocol set under SERVICE=SHELL:
•Service=shell
default attribute = permit
set autocommand = "telnet 200.200.83.12"
Note NAS support requirements—Be sure to have your Cisco NAS set for AAA and to enable Authorization EXEC.
Sample RADIUS Group Profile Configurations
This section contains sample configurations of profiles for RADIUS groups.
Groups can use more than one protocol; for example, ISDN from home and Frame Relay from a branch office, as long as the profiles are the same except for the protocol. The NAS the group dials in to is a determining factor for which protocol is used.
Simple Asynchronous PPP Group Profile—Sample Configuration
To configure a Simple Asynchronous PPP group profile:
Step 1 Add a new group: ciscoasync.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the Reply Attributes and Checked Items in Table 8-2.
Note NAS support requirements—Be sure to have your Cisco NAS set for AAA, modem access, and PPP encapsulation.
Simple ISDN Group Profile—Sample Configuration
To configure a Simple ISDN group profile:
Step 1 Add a new group: ciscoisdn.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 8-3.
Note NAS support requirements—Be sure to have your Cisco NAS set for AAA service, PPP encapsulation, and ISDN.
Simple Asynchronous SLIP Group Profile—Sample Configuration
To configure a minimum profile for an Async SLIP group profile:
Step 1 Add a new group: ciscoslip.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 8-4.
Simple Asynchronous Telnet Shell Group Profile—Sample Configuration
Follow these general steps to configure a minimum profile for an Asynchronous Telnet Shell group profile:
Step 1 Add a new group: ciscoshell.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 8-5.
Table 8-5 Simple Asynchronous Telnet Shell Group Profile
Attributes: Value
Reply Attributes
User-Service-Type: 2 (Shell-User enumeration)
Checked Items
Password: dialupshell (actual password)
Note NAS support requirements—Be sure to have your Cisco NAS set for AAA, with login, tty lines, and modem access.
Simple Asynchronous Telnet Group Profile—Sample Configuration
Follow these general steps to configure a minimum profile for an Asynchronous Telnet group profile:
Step 1 Add a new group: ciscotelnet.
Step 2 Add a RADIUS dictionary to the profile: RADIUS-Cisco.
Step 3 Add the reply attributes and checked items in Table 8-6.
Note NAS support requirements—Be sure to have your Cisco NAS set for login and modem access. Use this profile for autologin to a different host.
NAS Address and NAS Port Filtering Profile—Sample Configuration
The system administrator can use the Java-based CiscoSecure Administrator advanced configuration program to enable the Filter attributes: Allow and Refuse. The Allow and Refuse attributes enable the system administrator to allow or refuse users or groups of users access to specific TTY ports or ranges of TTY ports on specific NASes.
Note When specifying the NAS IP addresses and TTY port numbers, the administrator should follow the UNIX standard regular expression (pattern matching) syntax conventions.
Step 1 In the Java-based CiscoSecure Administrator advanced configuration program, select the user or group whose NAS and port access you want to filter and click the Profile icon.
Step 2 In the Options menu, click Filter and click Apply.
Step 3 Click the Filter icon and in the Permission menu, select either Allow or Refuse and click Apply.
Step 4 Click the Filter tab and fill out the following fields:
Step 5 Repeat Step 2 through Step 4 for any other filter you want to specify.
Step 6 When you have specified all the filters to apply to this profile, click Submit.
In the following NAS filtering profile example:
•The Allow filter attributes enable user boscotam to log in and run shell sessions on the NAS at IP address 10.8.1.176 through TTY ports tty0-tty10, and tty21-tty30.
•The Refuse filter attributes block user boscotam from running shell sessions at IP address 10.8.1.176 through TTY ports tty11-tty20, or through any TTY ports on the NASes located at IP address 171.68.118.238, or at apps_comm1.xyz.zcorp.com.
user = boscotam {
    service = shell {
        default cmd = permit
        default attribute = permit
    }
    profile_id = 137
    profile_cycle = 1
    password = clear "*************"
    allow "^10\.8\.1\.176$" "tty([0-9]|10)$"
    allow "^10\.8\.1\.176$" "tty(2[1-9]|30)$"
    refuse "^10\.8\.1\.176$" "tty(1[1-9]|20)$"
    refuse "^171\.68\.118\.238$" ".*"
    refuse "apps-comm1\.xyz\.zcorp\.com" ".*"
}
Note The standard UNIX pattern characters, ^, \, and $ are inserted in this example to prevent misinterpretation of the IP addresses and TTY port ranges. For example, if the \ character were not inserted before the periods in the IP addresses, then under standard UNIX pattern matching, the periods would be interpreted as wildcard characters, thus enabling user boscotam to run shell sessions not only on the NAS at 10.8.1.176, but also at addresses not necessarily intended.
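The effect of the anchoring and escaping described in the note can be seen by evaluating the filter lines of the boscotam profile against sample NAS names and ports. The following evaluator is an added example, not ACS code. The patterns are applied with an unanchored regular-expression search, which is why the ^, \ and $ characters matter; a request is permitted when some allow line matches and no refuse line matches, and denied otherwise. That reconciliation of overlapping allow and refuse lines, the default deny, and the function names are assumptions of this example, since the chapter does not state how the ACS orders them.

```python
"""Evaluate allow/refuse filter lines of the kind shown in the boscotam profile
against a NAS name and TTY port.  Added example, not CiscoSecure code; the
allow-unless-refused ordering and default deny are this example's own."""
import re
from typing import List, Tuple

# The filter lines from the profile above (raw string keeps the backslashes).
FILTERS = r"""
allow "^10\.8\.1\.176$" "tty([0-9]|10)$"
allow "^10\.8\.1\.176$" "tty(2[1-9]|30)$"
refuse "^10\.8\.1\.176$" "tty(1[1-9]|20)$"
refuse "^171\.68\.118\.238$" ".*"
refuse "apps-comm1\.xyz\.zcorp\.com" ".*"
"""

# Constructed counter-example: the same first line with the periods unescaped
# and no anchors, as the note warns against.
LOOSE_FILTER = 'allow "10.8.1.176" "tty([0-9]|10)$"'

Rule = Tuple[str, "re.Pattern", "re.Pattern"]


def parse_filters(text: str) -> List[Rule]:
    """Parse `allow|refuse "NAS-NAME" "Port"` lines into compiled patterns."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r'(allow|refuse)\s+"([^"]*)"\s+"([^"]*)"', line)
        if not m:
            raise ValueError(f"unrecognised filter line: {line!r}")
        rules.append((m.group(1), re.compile(m.group(2)), re.compile(m.group(3))))
    return rules


def decide(rules: List[Rule], nas_name: str, port: str) -> bool:
    """True when an allow line matches and no refuse line matches."""
    allowed = False
    for kind, nas_re, port_re in rules:
        # search(), not match(): only the pattern's own ^ and $ anchor it
        if nas_re.search(nas_name) and port_re.search(port):
            if kind == "refuse":
                return False      # a matching refuse line always wins
            allowed = True
    return allowed


def matching_nas_names(rules: List[Rule], candidates: List[str]) -> List[str]:
    """Which candidate NAS names a rule set would permit on tty5 (audit helper)."""
    return [name for name in candidates if decide(rules, name, "tty5")]


if __name__ == "__main__":
    strict, loose = parse_filters(FILTERS), parse_filters(LOOSE_FILTER)
    names = ["10.8.1.176", "10x8y1z176", "210.8.1.176"]
    print("escaped and anchored:", matching_nas_names(strict, names))
    print("unescaped, unanchored:", matching_nas_names(loose, names))
```

The second print line shows the problem the note describes: with the periods unescaped, 10x8y1z176 and 210.8.1.176 both satisfy the pattern, so a profile review should reject any NAS-NAME pattern that contains an unescaped period or lacks both anchors.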
Caller ID Profile—Sample Configuration
If your phone line and equipment support caller ID, TACACS+ and RADIUS support for caller ID allows you to base profiles on the calling number, rather than the username being passed. Identifying users by their telephone number is especially useful for accounting purposes because you can directly bill charges according to the calling number.
To configure support for caller ID:
Step 1 Create a new user profile and enter a designated telephone number instead of a username.
The following example shows a user profile configured for caller ID:
user = 5551212
password = chap01
Step 2 Edit the $BASEDIR/config/CSU.cfg file. Verify that the following settings and values are entered:
config_callerid_enable = 1
config_defaultuser_enable = 1
In this case, if a user dials in to the NAS, the NAS passes the user's information including "rem_addr (5551212)" to the CiscoSecure ACS. The CiscoSecure ACS first attempts to authenticate the user based on the username field, but in this case, the user is not in the CiscoSecure database. However, because the user profile contains the caller ID, the CiscoSecure ACS uses the rem_addr (5551212) to index into the database.
Posted: Wed Feb 16 09:51:21 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.