Table Of Contents
Advanced Group and User Management
Starting the Advanced Configuration Program
Creating a User Profile in Advanced Configuration Mode
Assigning TACACS+ Attributes to a Group or User Profile
Assigning RADIUS Attributes to a Group or User Profile
RADIUS Attributes Used in User Profiles
Fully Enabling the RADIUS-Cisco11.3 Dictionary
Assigning Access Control Privilege Levels
Copying a Group or User Profile
Displaying a Profile in Text Format
Interpreting a User Profile in Text Format
Displaying a System Summary and Expired Passwords
Editing the unknown_user Default Profile
Uses of the unknown_user Profile
Logging Off the CiscoSecure Administrator Interface
Advanced Group and User Management
This chapter contains the instructions for advanced configuration of group and user profiles.
The CiscoSecure Administrator advanced configuration program enables you to carry out more advanced and specialized operations, such as creating user groups and directly assigning TACACS+ and RADIUS attributes, to customize user and group session parameters in more detail than is possible in the CiscoSecure Access Control Server (ACS) web interface mode.
This chapter covers the following topics:
• Starting the Advanced Configuration Program
• Creating a User Profile in Advanced Configuration Mode
• Assigning TACACS+ Attributes to a Group or User Profile
• Assigning RADIUS Attributes to a Group or User Profile
• Assigning Access Control Privilege Levels
• Copying a Group or User Profile
• Displaying a Profile in Text Format
• Displaying a System Summary and Expired Passwords
• Deleting a Profile Attribute
• Editing the unknown_user Default Profile
• Logging Off the CiscoSecure Administrator Interface
Note All changes made using the Administrator program are reflected in the database, and all changes made to the database are visible on the Administrator program, after you have refreshed it.
Starting the Advanced Configuration Program
You can start the Java-based CiscoSecure Administrator advanced configuration program from any of the CiscoSecure ACS Administrator web pages.
In the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again. The Java-based CiscoSecure Administrator advanced configuration program appears. It might require a few minutes to load.
Note For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.
Figure 5-1 The CiscoSecure Administrator Advanced Configuration Program
Creating a Group Profile
Use the CiscoSecure Administrator advanced configuration program to create and configure group profiles. Cisco recommends creating group profiles to configure detailed authentication, authorization, and accounting requirements for large numbers of similar users. After the group profile is defined, you can use the CiscoSecure ACS Add a User web page to quickly add simple user profiles to the group profile. The advanced requirements you configured for the group will apply to each member user.
To create a group profile:
Step 1 In the CiscoSecure Administrator advanced configuration program, locate and deselect the Browse check box in the Navigator pane of the tabbed Members page. This displays the Create New Profile icon.
Step 2 In the Navigator pane, do one of the following:
•If you want to create a group profile with no parent, locate and click the [Root] folder icon.
•If you want to create your group profile as the child of another group profile, locate the group that you want to be the parent and click on it.
If the group that you want to be the parent is itself a child group, first click on its parent group's folder to display it.
Step 3 Click Create New Profile to display the New Profile dialog box.
Step 4 Select the Group check box, enter the name of the group you want to create, and click OK. The new group appears in the tree.
Step 5 After you create the group profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization, and accounting properties, as follows:
•If you want to assign TACACS+ attributes to the profile, see the "Assigning TACACS+ Attributes to a Group or User Profile" section for details.
•If you want to assign RADIUS attributes to the profile, see the "Assigning RADIUS Attributes to a Group or User Profile" section for details.
Figure 5-2 Creating a Group Profile
Creating a User Profile in Advanced Configuration Mode
You can also use the CiscoSecure Administrator advanced configuration mode to create and configure a user profile. You might do this to customize the user profile's authorization and accounting related attributes in more detail than is possible through the Quick User Add page.
To create a user profile:
Step 1 In the CiscoSecure Administrator advanced configuration program, locate and deselect Browse in the Navigator pane of the tabbed Members page. This displays the Create New Profile icon.
Step 2 In the Navigator pane, do one of the following:
•Locate and click the group to which the user will belong.
•If you do not want the user to belong to a group, click the [Root] folder icon.
Step 3 Click Create Profile to display the New Profile dialog box.
Step 4 Make sure the Group check box is deselected.
Step 5 Enter the name of the user you want to create and click OK. The new user appears in the tree.
Step 6 After you create the user profile, assign specific TACACS+ or RADIUS attributes to configure specific authentication, authorization and accounting properties as follows:
•To assign TACACS+ profiles to the user profile, see the "Assigning TACACS+ Attributes to a Group or User Profile" section for details.
•To assign RADIUS profiles to the user profile, see the "Assigning RADIUS Attributes to a Group or User Profile" section for details.
Assigning TACACS+ Attributes to a Group or User Profile
To assign specific TACACS+ services and attributes to a group or user profile:
Step 1 In the CiscoSecure Administrator advanced configuration program, click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.
Step 2 If necessary, in the Profile pane, click the Profile icon to expand it.
A list or dialog box that contains attributes applicable to the selected profile or service appears in the window at the bottom right of the screen. The information in this window changes depending on what you have selected in the Profile pane.
Step 3 Click the service or protocol that you want to add and click Apply.
The service is added to the profile.
Step 4 Enter or select the necessary text in the Attribute window. Valid entries are explained in "Strategies for Applying Attributes."
Note If you are assigning an attribute value at the group profile level, and the attribute you are specifying displays an Absolute check box, you can select that check box to assign the value absolute status. A value assigned absolute status cannot be overridden by any contending values assigned at subordinate group profile or user profile levels.
Step 5 Repeat step 1 through step 4 for each additional service or protocol to add.
Step 6 When you have finished making all your changes, click Submit.
Refer to the Common TACACS+ Attributes for a listing of the most frequently used TACACS+ protocols and services.
Figure 5-3 Assigning TACACS+ Attributes to a Profile
Common TACACS+ Attributes
If necessary, use Table 5-1 as a guide when assigning TACACS+ attributes to a user or group profile.
Table 5-1 TACACS+ Attributes
Attribute | Definition | Value
--- | --- | ---
service | Indicates that this is an authorization request for starting a primary service. | slip, ppp, arap, shell
protocol | Network protocol that is a subset of the service. This attribute must be specified when the service is PPP (1) to indicate that a protocol is being brought up as a secondary service. | lcp, ip, ipx, atalk, vines, unknown
cmd | Indicates the command name for a shell command that is to be run. | NULL = shell itself
cmd-arg | Indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified and are order dependent. |
acl (access control list) | ASCII number representing a connection access list. Used only when service = shell and cmd = NULL. |
inacl | ASCII number for an interface input access list. |
outacl | ASCII number for an interface output access list. |
zonelist | Numeric zonelist value. Applicable to AppleTalk only. |
addr | Network address. |
addr-pool | Name of an address pool from which the NAS (2) should assign an address. |
routing | Specifies whether routing information is to be propagated to and accepted from this interface. | Boolean value
route | Indicates a route that is to be applied to this interface. Values must be of the form dst_address mask routing_addr. If routing_addr is missing, the current interface will be used. |
timeout | Sets a value, in minutes, after which a session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. Used for ARAP (3). | 0 - nn, where 0 = no timeout
idletime | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. This is NOT available on Cisco IOS Release 11.0, but is available on Cisco IOS Releases 11.1 and 11.2. | 0 - nn, where 0 = no timeout
autocmd | Auto-command to run. Used only when service = shell and cmd = NULL. |
noescape | Prevents user from using an escape character. Used only when service = shell and cmd = NULL. | Boolean
nohangup | Do not disconnect after an automatic command. Used only when service = shell and cmd = NULL. | Boolean
priv_lvl | Privilege level to be assigned. | 1 - 15
callback-dialstring | Number the NAS will call back. | NULL = dialstring
callback-line | Line the NAS uses to call back the user. |
callback-rotary | Rotary number to use for a callback. |
nocallback-verify | Indicates a connection doesn't require authentication after callback. | 1

(1) PPP = Point-to-Point Protocol.
(2) NAS = network access server.
(3) ARAP = AppleTalk Remote Access Protocol.
Assigning RADIUS Attributes to a Group or User Profile
To assign specific RADIUS attributes to a group or user profile:
Step 1 Assign a RADIUS dictionary to the group profile:
a. On the Members page of the CiscoSecure Administrator advanced configuration program, click the group or user icon, then click the Profile icon in the Profiles pane to display the Options menu in the Attributes pane.
b. In the Options menu, click the name of the RADIUS dictionary you want the group or user to use; for example, RADIUS - Cisco. Then click Apply.
Figure 5-4 Assigning a RADIUS Dictionary to a Group or User
Step 2 Add the required Check Items and Reply Attributes to the RADIUS profile:
Note Check items are the attributes required for authentication, such as user ID and password. Reply Attributes are the attributes sent to the NAS after the profile has passed the authentication procedure, such as Framed-Protocol. For lists and explanations of Check Items and Reply Attributes, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
a. In the Profile window, click the RADIUS - dictionaryname folder icon. (You might need to click the profile's + symbol to expand the RADIUS folder.) The Check Items and Reply Attributes options appear in the Attribute Group window.
b. To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.
c. Click the + symbol for the RADIUS - dictionaryname to expand the folder.
Note If you select the RADIUS-Cisco11.3 option, make sure Cisco IOS Release 11.3.3(T) or later is installed on your connecting NASes and add new command lines to your NAS configurations. See the "Fully Enabling the RADIUS-Cisco11.3 Dictionary" section.
Step 3 Specify values for added Check Items and Reply Attributes:
a. Click Check Items and/or Reply Attributes. A list of applicable Check Items and Reply Attributes values appears in the lower right window. Click the + symbol to expand the folder.
b. Click the values you want to assign, then click Apply. For more information on the values, see the chapter "RADIUS Attribute-Value Pairs and Dictionary Management" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
Note If you are assigning an attribute value at the group profile level, and the attribute you are specifying displays an Absolute check box, you can select that check box to assign the value absolute status. A value assigned absolute status cannot be overridden by any contending values assigned at subordinate group profile or user profile levels.
c. When you have finished making changes, click Submit.
Caution For the RADIUS protocol, inheritance is additive rather than hierarchical as it is for TACACS+. For example, if you assign the same reply attributes to both the user and group profiles, authorization will fail because the NAS will be sent twice the number of attributes and will not be able to make sense of the reply attributes. Be careful not to assign the same check item or reply attribute to both the group and user profiles.
Figure 5-5 Assigning Check Items and Reply Attributes to a RADIUS Profile
Step 4 To use one or more of these attributes, click the attribute(s) you want to use, then click Apply. You can add more than one attribute at a time.
For more information on specific RADIUS attributes, see the "RADIUS Attributes Used in User Profiles" section.
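The two inheritance rules described in this chapter (a TACACS+ value marked Absolute at a group level cannot be overridden by subordinate group or user levels, while RADIUS check items and reply attributes are simply added up across levels, so a duplicate is sent to the NAS twice) can be checked before a profile is submitted. The following is an added example, not code from the guide or from CiscoSecure ACS; the Assignment type, the level ordering and the sample attribute values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One attribute value set at some profile level (constructed type, not from the guide)."""
    name: str
    value: str
    absolute: bool = False  # models the Absolute check box offered at the group level


def effective_tacacs(levels):
    """Resolve TACACS+ attributes hierarchically.

    `levels` is ordered from the top-most parent group down to the user profile.
    Normally the lowest level that sets an attribute wins, but a value given
    absolute status at a group level stands against every subordinate level.
    """
    effective = {}
    locked = set()
    for level in levels:
        for a in level:
            if a.name in locked:
                continue  # an absolute value from a higher level cannot be overridden
            effective[a.name] = a.value
            if a.absolute:
                locked.add(a.name)
    return effective


def radius_collisions(group_items, user_items):
    """RADIUS inheritance is additive, so an attribute present at both the group
    and the user level would be sent twice; return the colliding names so the
    administrator can remove one copy before submitting."""
    return sorted(set(group_items) & set(user_items))


# Constructed sample assignments (not taken from the guide).
PARENT_GROUP = [Assignment("priv_lvl", "1", absolute=True), Assignment("idletime", "10")]
CHILD_GROUP = [Assignment("priv_lvl", "15"), Assignment("idletime", "30", absolute=True)]
USER = [Assignment("priv_lvl", "15"), Assignment("idletime", "60"), Assignment("autocmd", "show version")]

GROUP_REPLY = {"Framed-Protocol": "PPP", "Service-Type": "Framed"}
USER_REPLY = {"Framed-Protocol": "PPP", "Idle-Timeout": "600"}

if __name__ == "__main__":
    # priv_lvl stays 1 (absolute at the parent), idletime stays 30 (absolute at the child)
    print(effective_tacacs([PARENT_GROUP, CHILD_GROUP, USER]))
    # Framed-Protocol is set at both levels and would be sent twice
    print(radius_collisions(GROUP_REPLY, USER_REPLY))
```

The level list is the path from the root of the Navigator tree down to the user; running the RADIUS check against the combined group and user reply attributes before clicking Submit catches the duplicate the Caution above warns about.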
RADIUS Attributes Used in User Profiles
Table 5-2 lists the RADIUS attributes that are most commonly used in user profiles. This list is not an exhaustive list of the attributes supported by all vendors such as Ascend, Cisco, and Livingston and does not include any accounting attributes. This table only attempts to list the standard RADIUS attributes that are meaningful for use in a user profile. The table gives a description of each attribute and an explanation of how the attribute might be used in a user profile. Wherever applicable, special information is provided on Cisco's support for the attribute in current versions of Cisco IOS software.
Caution Care should be taken when using any attributes besides User-Password as Check Items in a user profile. Unless all Check Items match the information that is sent by the NAS exactly, authentication will fail.
Fully Enabling the RADIUS-Cisco11.3 Dictionary
The RADIUS-Cisco11.3 dictionary includes Cisco's set of vendor-proprietary extended RADIUS attributes. To take full advantage of this version, configure the associated NAS as follows:
•Make sure that Cisco IOS Release 11.3.3(T) or later is installed on the NAS.
•Replace the radius-server host hostname | ip-address command line with the following command line in the NAS configuration:
radius-server host hostname|ip-address non-standard
Where hostname | ip-address is the FQDN or IP address of the CiscoSecure ACS assigned to this NAS.
•Add the following command line to the NAS configuration:
radius-server configurenas
For a description of the vendor-proprietary attributes themselves, see "RADIUS Vendor-Proprietary Attributes," in the appendix "RADIUS Attributes" in the document Security Configuration Guide, accessible at the Cisco documentation web site at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt6/index.htm
Assigning Access Control Privilege Levels
The superuser administrator can use the web privilege= attribute to assign a level of access control privilege to CiscoSecure users.
Step 1 In the CiscoSecure Administrator advanced configuration program, click the user whose access control privilege you want to assign, then click the Profile icon in the Profiles pane.
Step 2 In the options menu, click web privilege and select one of the following values.
•0—Denies the specified user any access control privileges, even the ability to change the user's CiscoSecure password.
•1—Grants the specified user access to the CSUser web page. This page allows CiscoSecure users to change their personal CiscoSecure password. For details on how they can do this, see "User-Level Functions (Changing a Password)" in "Basic User and ACS Management."
•12—Grants the specified user group administrator privileges.
•15—Grants the specified user system administrator privileges.
Note If you select any web privilege option other than 0, you must also specify a password. To satisfy the web privilege password requirement, a single blank space is minimally acceptable.
Step 3 Click Apply and then click Submit.
Copying a Group or User Profile
Use the Copy a Profile button to add a group or user whose profile is a duplicate of an existing username or group profile:
Step 1 In the Members tabbed page of the CiscoSecure Administrator advanced configuration program, click the group or user to be copied.
Step 2 Click the Copy a Profile button.
Figure 5-6 Copy a Profile Button
Step 3 When prompted, enter the new group name or username.
Step 4 Click OK.
Step 5 The new group name or username appears in the tree.
Finding a Group or User
To find a group or user profile:
Step 1 In the Members page of the CiscoSecure Administrator advanced configuration program, click the Find a Group or User button.
Figure 5-7 Find a Group or User Button
Step 2 Enter the name of the group or user to search for in the Group or User Name field.
The profile of the group or user you selected is placed in a temporary folder that appears at the top of the list of users. Use this folder as a "shortcut" to the groups or users to work with during this session.
Note The temporary folder appears for this session only.
Step 3 Repeat Step 2 as many times as necessary for the groups or users to work with during this session.
Displaying a Profile in Text Format
To display a group or user profile in text format, go to the Members tab of the CiscoSecure Administrator advanced configuration program, select the user or group profile whose text format you want to display, and click the Display a Profile button.
Figure 5-8 Display a Profile Button
Information similar to that shown in Figure 5-9 appears.
Figure 5-9 CiscoSecure Profile Window
The information displayed is the same information as that shown in the Profile window, but it is shown in CiscoSecure ACS 1.0 format.
Interpreting a User Profile in Text Format
The text format is a representation of the actual data that is stored in the RDBMS. Reading the text format of a user or group profile is a quick way of understanding the TACACS+ or RADIUS-based attributes of a user profile.
In the following example user profile, configured through the Java-based CiscoSecure Advanced configuration program, the text format indicates that the user ga_simpson:
•Is assigned the password "sesame1" to start an EXEC session on the NAS.
•If the NAS has command authorization enabled, then the only two commands that user ga_simpson can use are show version and telnet 10.6.8.11.
user = ga_simpson {
    password = clear "sesame1"
    service = shell {
        cmd = show {
            permit version
        }
        cmd = telnet {
            permit "10\.6\.8\.11"
        }
    }
}
The curly braces { } in the above expression enclose either:
•Parameters specified for the attribute and value preceding them, for example:
    cmd = telnet {
        permit "10\.6\.8\.11"
    }
•Attributes embedded within a higher level attribute, for example:
    service = shell {
        cmd = show {
            permit version
        }
        cmd = telnet {
            permit "10\.6\.8\.11"
        }
    }
Note For a thorough description of CiscoSecure profile syntax, consult the online document titled, CiscoSecure Syntax Guide and Sample Profiles, accessed through the Help menu option in the CiscoSecure ACS Administrator web pages.
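Because the text format is a direct representation of the stored profile, it can be parsed to audit what a profile actually permits without opening the Profile window. The following is an added example, not code from the guide or from CiscoSecure ACS: a small parser for the brace-structured profile text shown above, plus a command authorization check that applies the rule stated for ga_simpson (only the listed commands are usable). The sample profile text is the one from this section; the assumptions are that each permit value is a regular expression matched against the whole command argument string and that any command or argument not covered by a permit entry is denied.

```python
import re

# The ga_simpson profile from this section, embedded as a raw string.
GA_SIMPSON_PROFILE = r'''
user = ga_simpson {
    password = clear "sesame1"
    service = shell {
        cmd = show {
            permit version
        }
        cmd = telnet {
            permit "10\.6\.8\.11"
        }
    }
}
'''


def parse_profile(text):
    """Parse CiscoSecure profile text into nested entries.

    Each entry is a tuple (key, value, children); children is a list for an
    entry followed by '{' and None for a leaf such as 'permit version'.
    """
    root = []
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        opens = line.endswith("{")
        if opens:
            line = line[:-1].rstrip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            # bare keyword entries, e.g. 'permit version'
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        children = [] if opens else None
        stack[-1].append((key, value, children))
        if opens:
            stack.append(children)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def _strip_quotes(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def shell_command_rules(entries, rules=None):
    """Collect {command: [permit_pattern, ...]} from every 'service = shell' block."""
    if rules is None:
        rules = {}
    for key, value, children in entries:
        if children is None:
            continue
        if key == "service" and value == "shell":
            for ckey, cval, cchildren in children:
                if ckey == "cmd" and cchildren is not None:
                    patterns = [_strip_quotes(v) for k, v, _ in cchildren if k == "permit"]
                    rules.setdefault(cval, []).extend(patterns)
        else:
            shell_command_rules(children, rules)  # descend through 'user = ... {'
    return rules


def command_permitted(rules, command, argument):
    """Default deny (assumption): the command must be listed and the argument
    must fully match one of its permit regular expressions."""
    patterns = rules.get(command)
    if patterns is None:
        return False
    return any(re.fullmatch(p, argument) for p in patterns)


if __name__ == "__main__":
    rules = shell_command_rules(parse_profile(GA_SIMPSON_PROFILE))
    for cmd, arg in [("show", "version"), ("show", "running-config"),
                     ("telnet", "10.6.8.11"), ("telnet", "10.6.8.111")]:
        print(cmd, arg, "->", "permit" if command_permitted(rules, cmd, arg) else "deny")
```

The escaped dots in the telnet entry matter: with `re.fullmatch` the pattern `10\.6\.8\.11` accepts exactly that address, whereas an unescaped `10.6.8.11` would also accept `10x6x8x11`, and an unanchored search would accept `10.6.8.111`.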
Displaying a System Summary and Expired Passwords
To display a summary of the system's statistics, go to the Members tab of the CiscoSecure Administrator advanced configuration program and click the Display System Summary and Expired Passwords button. You can also click this button to display users with expired passwords by password type.
Figure 5-10 Display System Summary and Expired Passwords Button
The CiscoSecure Properties window opens. To view the system summary, click the Summary Statistics tab. (See Figure 5-11.)
Figure 5-11 CiscoSecure Summary Statistics Window
To view expired passwords, click the Expired Passwords tab. (See Figure 5-12.)
Figure 5-12 CiscoSecure Expired Passwords Window
Moving a Profile
Use the Move a Profile button to move a group or user to a different or new group. This is useful, for example, to change an employee from one department to another.
To move a profile:
Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.
Step 2 Click the group or user to be moved.
Step 3 Click Move a Profile.
Figure 5-13 Move a Profile Button
Step 4 Enter the name of the destination group. The group name or user icon moves from its current group to the new one.
Note The moved group or user will inherit the attributes of the group to which it is moved.
Unlocking a Profile
Use the Unlock a Profile button to unlock a record that became locked inadvertently. When a profile is locked, a keyhole icon displays next to the group's folder icon. Profiles are locked when they are being updated; however, it is possible to have a locked record that is not in use, such as when the computer is rebooted while updating a profile.
To unlock a profile:
Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.
Step 2 Click the locked profile.
Step 3 Click Unlock a Profile. The keyhole icon disappears.
Figure 5-14 Unlock a Profile Button
Deleting a Profile Attribute
To delete a profile attribute from a group or user profile:
Step 1 Go to the Members tab of the CiscoSecure Administrator advanced configuration program.
Step 2 Click the icon for the applicable group or user in the tree that is displayed in the Navigator (left) window.
Step 3 In the Profile window, click whatever services or attributes you require to expand the directory structure until you see the attribute you want to delete.
Step 4 Click the applicable attribute.
Step 5 Click the Delete a Profile Attribute (minus sign) button at the top of the Profile window.
Figure 5-15 Delete a Profile Attribute Button
Step 6 Repeat Step 2 through Step 5 for each additional attribute to delete.
Step 7 When you have finished making changes, click Submit.
Editing the unknown_user Default Profile
The CiscoSecure ACS unknown_user default profile feature enables access to users not specified (unknown) in the CiscoSecure database. The unknown_user profile can support unknown users requesting authentication via both the TACACS+ and RADIUS protocol.
When you install the CiscoSecure ACS, the unknown_user profile is empty, but you can edit it to provide a default profile for non-CiscoSecure users dialing in to a supported NAS.
Edit the unknown_user default profile as follows:
Step 1 Start the CiscoSecure Administrator advanced configuration program.
Step 2 Click the Members tab.
Step 3 Deselect Browse.
Step 4 Select the unknown_user profile in the Navigator pane and click the Profile icon in the Profile pane to view the unknown_user profile configuration.
You can edit the unknown_user profile like any other user profile. See the section "Creating a User Profile in Advanced Configuration Mode" earlier in this chapter for details on assigning attributes through the CiscoSecure Administrator advanced configuration program.
Uses of the unknown_user Profile
The effect that this unknown_user profile has on unknown users dialing in to the network varies depending on how the client NAS is configured. For example, the unknown_user profile shown in Figure 5-16 is not configured for RADIUS and therefore does not allow any access to unknown users who are communicating with CiscoSecure via NASes enabled for RADIUS protocol only.
Figure 5-16 Customized unknown_user Profile Configuration
For TACACS+ the default unknown_user profile shown in Figure 5-16 authenticates any users who are configured in the UNIX authentication system on which the ACS is running.
The concept of the Default Profile is useful if you already have a large number of users defined in another authentication system, such as the UNIX /etc/passwd and /etc/shadow files or a Security Dynamics, Inc. ACE Server.
The unknown_user profile enables you to grant users specified in these other authentication systems immediate access to the network without having to respecify them in CiscoSecure database. For example, the following default profile might be used to authorize a shell on the NAS via RADIUS for users who are configured in an ACE Server but not yet specified in the CiscoSecure database:
unknown_user = {
    radius = Cisco {
        check_items = {
            2 = sdi
        }
        reply_attributes = {
            6 = 6
        }
    }
}
Additionally, the unknown_user profile can be used to grant guest access to the network for unknown users. The following unknown_user profile might be used to allow guests to log in without a password via TACACS+:
unknown_user = {
    password = no_password
    service = shell {
    }
}
If there is no unknown_user profile declared, then users not declared in the CiscoSecure database cannot be authenticated or authorized to use any service when dialing in to the CiscoSecure ACS client NASes.
Note The attribute values assigned to the unknown_user profile never apply to users who are already configured with a CiscoSecure user profile.
Logging Off the CiscoSecure Administrator Interface
To exit the Administrator program, click Logoff.
•If you are on any CiscoSecure ACS web page, the Logoff button is in the options bar at the top of the page.
•If you are in the Java-based CiscoSecure Administrator advanced configuration program, the Logoff button is located under the CiscoSecure Administrator banner.
Note If you are using Netscape and you want to log out of the Java-based CiscoSecure Administrator advanced configuration program, the program might require several minutes to shut down.
Posted: Wed Feb 16 10:24:59 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.