|
The CDAT expert interface allows the service-provider administrator to create and maintain the objects and attributes for services, service groups, users, user groups, roles, rules, and Node Route Processor (NRP) information. Before using the CDAT expert interface, read the following:
The CDAT expert interface consists of a set of windows that allow the objects representing services, subscribers, and policy roles and rules to be created and maintained. The following sections describe how to use the CDAT expert interface to define service, subscriber, and policy information:
In addition to creating services, subscribers, and other objects with CDAT, the SSG software must be correctly configured for the services that you create. For information on configuring services on the SSG, see the Service Selection Gateway documentation that is available on Cisco Connection Online.
As a simple example of the tasks that an administrator performs when using the CDAT interface, consider possible tasks in creating a user with a set of privileges to access certain resources.
Because the steps outlined below start from the very beginning and assume that no user groups, roles, or rules exist, the tasks may seem a bit complicated. After becoming familiar with RBAC and CDAT, these tasks become fairly intuitive. More importantly, this set of tasks is only performed oncewhen the directory objects are created for the first time.
The following example outlines the steps that you perform to create a user who is a subscriber to a set of "Gold" services. The steps for this task are as follows:
1. With the Services window, create one or more services (the Gold services that Gold subscribers can access).
2. With the User Groups window, create a user group (GoldSubscriberGroup) for the users who will be granted access to the Gold services.
3. With the Users window, create the user (Joan) and make the user a member of the user group GoldSubscriberGroup.
4. With the Roles window, create a role (GoldSubscriberRole). The role defines the privileges the members of the GoldSubscriberGroup have.
a. Define the role's privileges to include the rights to subscribe to and unsubscribe from Gold services.
b. Make the user group GoldSubscriberGroup a subject (occupant) of the role GoldSubscriberRole.
5. With the Rules window, create a rule (GoldSubscriberRule). The rule will grant, to a specified role (GoldSubscriberRole), the privileges for a set of resources. For a Gold subscriber, the set of resources includes the Gold services.
a. Specify the set of resources (the Gold services) that are defined for the rule.
b. Associate the role GoldSubscriberRole with the rule GoldSubscriberRule.
When you complete the preceding steps, the privileges to subscribe to or unsubscribe from the set of Gold services are granted to the user group GoldSubscriberGroup because it is a subject of the GoldSubscriberRole. The user Joan has the privileges defined by the GoldSubscriberRole because she is a member of the GoldSubscriberGroup. The GoldSubscriberRule is applied to the specified services (the Gold services) and it associates GoldSubscriberRole with these services.
The greatest benefit to using CDAT is that it allows for bulk administration of users. Because the preceding example started from the beginning and created all needed objects for granting a subscriber the privileges to access a set of services, the steps might seem a bit complicated.
However, once these objects (a user group, a role for the group, and a rule granting privileges to resources) are in place, creating a thousand or ten thousand additional subscribers who are members of the GoldSubscriberGroup is simple and involves two steps for each subscriber:
1. Create the userthe new subscriber.
2. Specify that the user is a member of the GoldSubscriberGroup.
In addition to granting access to resources, you can perform other service-provider administration tasks at the group level. For example, because you have already defined the underlying structure of user groups, roles, and rules, adding or removing resources (services) that group members can access, and modifying the set of privileges for group members can be accomplished at the user group level.
With RBAC and CDAT, no user-by-user access control modifications need to be made. Bulk administration of users, services, and privileges makes subscriber provisioning simple and fast.
This section provides some information about getting started with the CDAT expert interface:
For information on installing, configuring, and starting CDAT, see the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.
Before logging in to CDAT, make sure that cookies are enabled in your browser. CDAT requires a browser that allows cookies.
To log in to CDAT for the first time, you need a user name and password. The administrator who logs in first needs administrative privileges to begin the work of setting up the objects and attributes for services, subscribers, policy roles and rules, and so forth.
The easiest way to create an administrator user account for CDAT is to use some DESS sample data that the SESM installation program copies onto the CDAT server machine when it installs the CDAT and DESS software. The DESS sample data creates users (including an administrator user), users groups, services, roles, and rules. The DESS sample data is located in the install_dir/dess-auth/schema/samples directory, and is contained in two files: DESSadmin.ldf and DESSusecasedata.ldf.
You must manually install the DESS sample data with a facility such as ldapmodify. For information on installing the DESS sample data, see the following file:
install_dir/dess-auth/schema/README.LDIFload.html
After the DESS sample data is successfully installed, you can use the DemoUser5 user name (password cisco) to log in to CDAT for the first time. The DemoUser5 account is an administrative account with Cisco_Dess_Supervisor and Cisco_Azn_Super privileges, which are appropriate for a superuser-type administrator. The Demo5User can access all objects in the Organization Unit and can perform all CDAT tasks: access, create, delete, and modify all objects and attributes. The Demo5User can create user accounts, roles, and rules for all users, including administrators, account managers, and publishers.
Note If your CDAT uses DemoUser5 and the other sample DESS objects, changing CDAT administrator passwords is a needed security precaution for production deployments of SESM and CDAT. |
Your first task after logging in for the first time as DemoUser5 should be to change the passwords associated with all CDAT administrator user accounts, including DemoUser3 and DemoUser5. CDAT administrator user accounts are members of user groups that occupy roles with administrative privileges (for example, Cisco_Dess_Supervisor, Cisco_Dess_Manage, and Cisco_Azn_Super). With CDAT, passwords must have at least one character.
The CDAT expert interface (Figure 2-1) allows you to create or update information for services, service groups, users, user groups, roles, rules, and NRPs.
In the CDAT expert interface, each object-management window contains these areas:
The bottom of the Object Details area contains a set of buttons. Figure 2-2 shows the buttons that appear at the bottom of the Users window.
The buttons shown in Figure 2-2 perform the following actions:
Some other considerations that you should be aware of when using the CDAT expert interface are:
All objects created with CDAT share the same name space. You cannot create a CDAT object (service, service group, user, user group, role, rule, or NRP) using the same name as an object of any of these types that already exists. If you try to create an object using a name already in use, CDAT displays a message that the object already exists and asks you to choose a new name.
When a user logs into CDAT, the objects that CDAT displays and the objects and attributes that the user can create, delete, and modify are directly related to the user groups that the CDAT user is a member of and to the following:
As an example, assume a user does not have Cisco_Azn_Super privilege for managing roles and rules. If this user logs in, CDAT does not display any roles or rules in the Roles and Rules windows. To see and manage roles and rules using CDAT, this user must a member of a user group that has Cisco_Azn_Super privilege and must have access to the resources of the container Organization Unit under which the roles and rules reside.
CDAT and the DESS/AUTH software store the user password in Secure Hash Standard encrypted form. After a password is defined for a user account, CDAT displays each password field as a 25-character string, regardless of the length of the defined password. The password encryption does not allow the user or the CDAT administrator to clear the password. Once a password exists, attempting to enter an empty string for the password results in an exception. No update of the password occurs.
When a subaccount is created, the initial password is set to the user name for the subaccount. The password fields in CDAT display a 25-character string because the password is stored in an encrypted form.
Some of the attributes that are in effect for a user or service profile are affected by inheritance.
When you define a service, service group, user, or user group, you can specify some attribute values at both the group level and the individual member level. When certain attribute values are specified at the user group or service group level, they are inherited by individual users and services that are group members. Table 2-1 lists the CDAT inheritable attributes.
When a value for an inheritable attribute is specified for an individual user or service, that value takes precedence over a value that is specified at the group level or container level.
For example, you can specify Idle Timeout and Session Timeout values for a service and for a service group.
To simplify the use of inheritable user and user group attributes, you should define user attributes at the individual user level only when an attribute is specific to the user. You should define all other attributes at the group level. Individual group members then inherit the group value.
Configuration attributes affect the behavior of the CDAT web application (for example, the port number where the web server listens for HTTP requests for CDAT). The configuration attributes also allow you to configure CDAT logging, debugging, and the management console.
Configuration attributes that affect the behavior of CDAT are defined in the cdat.jetty.xml file located in the install_dir/jetty/config directory, and the cdat.xml file located in the install_dir/cdat/config directory. Configuration attributes in the cdat.xml file include:
The CDAT management console is password protected. The management console's password is defined by the AuthInfo attribute in the cdat.xml file. In a production deployment, changing this password is a common-sense security precaution.
For detailed information on the CDAT configuration files and attributes, see the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.
Many of the attributes that you define when creating a new service with CDAT are used by the Service Selection Gateway (SSG). The SSG connects the subscriber to the service or provides status information. The SSG is the enforcement point for authentication and service-specific policies such as session timeout, idle timeout, next-hop table, and other Internet Protocol (IP) attributes. The SSG also sends messages to the Cisco SESM web application regarding authentication failures or changes in the state of the SSG as a result of enforcement decisions (such as session timeout).
The following sections provide information on some of the SSG functionality that you can configure when creating a new service with CDAT.
When creating a new service with CDAT, you specify one of these service classes:
When a subscriber selects a proxy service, there is another user name and password prompt. After authentication, the service is accessible until the user logs out from the service, logs out from the Cisco SESM web application, or is timed out.
The SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports. The ACLs can be configured for services and users by means of Cisco AV pairs.
When users are accessing multiple services, the SSG must determine the services for which the packets are destined. To do this, the SSG uses an algorithm to create a service access order list. This list is stored in the user's host object and contains services that are currently open and the order in which they are searched.
The algorithm that creates this list orders the open services based on the size of the network. Network size is determined by the subnet mask of the Service Route attribute (specified with Service routes box in Services window). A subnet that contains more hosts implies a larger network. If networks are the same size, the services will be listed in the order in which they were last accessed.
When creating services, be sure to define as small a network as possible. If there is overlapping address space, packets might be forwarded to the wrong service.
The Next hop gateway attribute in a service profile specifies the next hop key for a service. Each SSG uses its own next-hop table that associates this key with an actual IP address. Note that this attribute overrides the IP routing table for packets destined to a service. With CDAT, you use the NRPs window to create a next hop gateway table. For information on creating a next-hop table with CDAT, see "Creating and Updating NRP Information" section.
For information on downloading a next hop gateway table with the ssg next-hop command, see the Cisco 6400 Command Reference.
When the SSG receives a DNS request, it performs domain name matching using the Domain Name attribute from the service profiles of the currently logged-in services. For each service, you specify the Domain Name attribute in the Domain names box in the Services window.
The SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests will be switched to the secondary server if the primary server begins to perform poorly or fails.
The Session Timeout and Idle Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute individually applies to each service connection.
In a dial-up networking or bridged (non-PPP) network environment, a user might disconnect from the NAS and release the IP address without using the SESM web application to log out from the SSG. If this happens, the SSG will continue to allow traffic to pass from that IP address, and this might be a problem if the IP address is obtained by another user.
The SSG provides two mechanisms to prevent this problem:
For each service, you specify an access mode in the Access mode box in the Services window. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.
Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.
To create a service or update the attributes of an existing service, use the Services window (Figure 2-3).
When you first create a service, you click New Service and specify the following:
Name of the service. This attribute is used for accounting purposes. If the service does not have a description specified (the Description attribute), an SESM web application uses the specified name in the subscriber's service list when icons are not used for services in the list.
Allowed values: A text string.
Indicates whether the service is a passthrough service, proxy service, or tunnel service.
For information on service classes, see the "Service Classes" section.
For a new or existing service, you can specify the following attributes:
Defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential).
Gives a description of the service. An SESM web application (for example, New World Service Provider) uses this description in the subscriber's service list when icons are not used for services in the list.
Allowed values: A text string.
Specifies the next-hop key for this service. Each SSG uses its own next-hop gateway table that associates this key with an actual IP address. For information on the next-hop gateway table, see the "Next Hop Gateway" section and the "Creating and Updating NRP Information" section.
Allowed values: A text string with the next hop key.
Specifies one or more domain names that get DNS resolution from the DNS server(s) specified in Primary DNS servers and Secondary DNS servers. For information on domain name matching, see the "DNS Redirection" section.
Allowed values: One or more domain names, each on a separate line.
Example: cisco.com
cisco-sales.com
Primary DNS servers (Required)
Specifies the primary DNS server for this service.
Allowed values: An IP address in dotted-decimal notation.
Secondary DNS servers (Optional)
Specifies the secondary DNS server for this service. If primary and secondary servers are specified, the SSG sends DNS requests to the primary DNS server until performance is diminished or it fails (failover). It then sends DNS requests to the secondary DNS server.
Allowed values: An IP address in dotted-decimal notation.
Specifies the IP address and subnet mask of the networks or the hosts where the service is located. There can be multiple service routes for a service. For more information, see the "Service Access Order" section.
Allowed values: An IP address and subnet mask, separated by a semicolon. If more than one IP address and subnet mask are specified, you enter each service route on a separate line.
An Internet service is typically specified as 0.0.0.0;0.0.0.0 in the service profile.
Example: 192.168.1.128;255.255.255.240
Specifies the level of service.
Allowed values: Currently, this attribute must be Outbound.
Gives the URL for this service. Depending on whether the SESM web application uses frames, the URL can appear in the address bar in a new browser window. When you enter the service URL, an H or U character must precede the URL. For example:
If the SESM web application does not use frames, H and U have the same effect: When the subscriber selects the service, it is displayed in a new browser window, and the specified URL appears in the new window's address bar.
If the SESM web application does use frames, the behavior is as follows:
Allowed values: A fully qualified URL preceded by the character H or U.
Example: Uhttp://www.BestVideo.com
IP Pool Name (Optional for PPP)
Specifies the name of the address pool from which to get the IP address for the service. If a service is defined as a primary service, the service must have the name of an address pool defined. For information on address pools and primary services, see the "Primary Service and Address Pool for a PPP Subscriber" section.
Allowed values: A text string.
For a proxy service, you specify the following attributes that provide information for the RADIUS server that the Service Selection Gateway (SSG) uses to authenticate access to this proxy service:
RADIUS server IP address (Required for a proxy service)
Specifies the IP address of the RADIUS server.
Allowed values: An IP address in dotted-decimal notation.
RADIUS server authentication port (Required for a proxy service)
Specifies the RADIUS server port number for authentication requests.
Allowed values: A UDP port number.
RADIUS server accounting port (Required for a proxy service)
Specifies the RADIUS server port number for accounting requests.
Allowed values: A UDP port number.
RADIUS shared secret (Required for a proxy service)
Specifies the secret key that the RADIUS server shares with proxy clients. The key must match the shared secret on the RADIUS server.
Allowed values: The shared secret key.
For a Layer 2 Tunnel Protocol (L2TP) tunnel service and virtual private dial network (VPDN), you specify the following attributes. For information on configuring L2TP and configuring the L2TP network server (LNS), see the Cisco 6400 Feature Guide.
Tunnel identifier (Required for a tunnel service)
Specifies the name of the tunnel. The name must match the tunnel ID specified in the L2TP network server VPDN group.
Allowed values: A tunnel ID (name).
Tunnel IP address (Required for a tunnel service)
Specifies the IP address of the home gateways (LNSs) to receive the L2TP connection.
Allowed values: An IP address in dotted-decimal notation.
Tunnel password (Required for a tunnel service)
Specifies the secret (password) used for L2TP tunnel authentication.
Allowed values: The secret (password).
Tunnel password confirmation (Required for a tunnel service)
Specifies the secret (password) used for L2TP tunnel authentication. Used by CDAT to ensure that the password was correctly entered.
Allowed values: The secret (password) that was entered in the preceding Tunnel password box.
Tunnel type (Required for a tunnel service)
Specifies that the tunnel type is L2TP. With an SESM tunnel service, the value must be l2tp.
Allowed values: l2tp to indicate an L2TP tunnel type. The value is case sensitive.
Example: l2tp (The first character is the lowercase letter l.)
CDAT displays the service groups that are currently defined. You indicate whether this service is a member of a service group by checking or unchecking the checkbox for the service group.
Cisco attribute-value pairs (Cisco AV pairs) can appear as part of the service profile.
Note Cisco AV pairs can be specified at the service and the service group level. Service and service group AV pairs are cumulative. The set that applies to a service are all AV pairs specified for the service and all AV pairs specified for any service groups of which the service is a member. Therefore, a common-sense strategy is to specify AV pairs at the individual service level and not at the service-group level. |
With CDAT, the most common format for each AV pair is as follows:
For use with Cisco SESM and CDAT, the preceding format has these elements:
In the AV pair format, spaces are not allowed around the colon (:
) and equal sign (=
) characters. In some cases, spaces are allowed between items within value. For example, spaces separate some of the parts of an access control list:
Table 2-2 lists the Cisco AV pairs that are supported by the Cisco SESM and SSG software for service profiles when DESS/AUTH is used.
Local Generic RADIUS Attributes (Optional)
One or more RADIUS attributes and values that apply to the service but that do not appear in the fields of the Services window. For information on RADIUS attributes, see RFC 2865.
Allowed values: A RADIUS attribute number and a value in the form 99:value, where 99 is the RADIUS attribute number. If more than one RADIUS attribute and value are specified, enter each attribute-value pair on a separate line.
Specifies the maximum time, in seconds, that a session or connection can remain idle before it is disconnected. The default is no timeout.
Allowed values: A number of seconds.
Note When a non-PPP user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscriber and the SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout attributes. |
Specifies the maximum time, in seconds, that a host or service object can remain active in any one session. The default is no timeout.
Allowed values: A number of seconds.
CDAT displays the policy rules that are currently defined. You can indicate whether this service is a resource associated with a rule by checking or unchecking the checkbox for the rule. For information on rules, see the "Creating and Updating Rules" section.
To create a service group or update the attributes of an existing service group, use the Service Groups window (Figure 2-4). When creating a service group, you can make a service a member of the group by choosing the group in the Service Group Is member section of the Services window.
When you first create a service group, you click New Service Group and specify the following:
Allowed values: A text string.
For a new or existing service group, you can specify the following attributes:
Gives a description of the service group.
Allowed values: A text string.
Example: A group of services for Gold subscribers.
Mutually Exclusive Connection Group
Indicates whether the service group is a mutually-exclusive connection group in which the subscriber can connect to only one service in the group at any one time.
Mutually Exclusive Subscription Group
Indicates whether the service group is a mutually-exclusive subscription group in which the subscriber can subscribe to only one service in the group at any one time.
Local Cisco AV Pairs (Optional)
Cisco attribute-value pairs (Cisco AV pairs) can appear as part of the service group profile. The Cisco AV pairs that are supported by the Cisco SESM and SSG software for service groups are the same as for services. For information on this set of AV pairs, see Table 2-2.
Note Cisco AV pairs can be specified at the service and the service group level. Service and service group AV pairs are cumulative. The set that applies to a service are all AV pairs specified for the service and all AV pairs specified for any service groups of which the service is a member. Therefore, a common-sense strategy is to specify AV pairs at the individual service level and not at the service-group level. |
Local Generic RADIUS Attributes (Optional)
One or more RADIUS attributes and values that apply to all services in the group but that do not appear in the fields of the Service Groups window. For information on RADIUS attributes, see RFC 2865.
Allowed values: A RADIUS attribute number and a value in the form 99:value, where 99 is the RADIUS attribute number. If more than one RADIUS attribute and value are specified, enter each attribute-value pair on a separate line.
Specifies the maximum time, in seconds, that a session or connection for services in the service group can remain idle before it is disconnected. The default is no timeout.
Allowed values: A number of seconds.
Note When a non-PPP user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscriber and the SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout attributes. |
Specifies the maximum time, in seconds, that a host or service object for services in the service group can remain active in any one session. The default is no timeout.
Allowed values: A number of seconds.
CDAT displays the policy rules that are currently defined. You can indicate whether this service group is a resource associated with a rule by checking or unchecking the checkbox for the rule. For information on rules, see the "Creating and Updating Rules" section.
In CDAT, a user can be any one of the following:
For each category of user, the CDAT administrator creates an account for the user with the Users window. In addition, the CDAT administrator must create one or more user groups for each category of user because roles and privileges are specified for user groups, not individual users.
For the CDAT administrator, creating a user who has access to resources (services or objects and attributes in the LDAP directory) involves these steps:
1. Create a user group with the User Groups window.
2. Create a role with the Roles window and make the user group a subject (occupant) of the role. The role defines the privileges that user group members have.
3. Create a rule with the Rules window and associate the role with the rule. The rule will grant the privileges associated with specified roles to a set of resources defined in the rule. For a subscriber, the set of resources includes one or more services.
4. Create the user with the Users window and make the user a member of one or more user groups.
Creating user groups, roles, and rules is usually done once when the initial set of objects is being defined. Once these objects are defined, creating a user who actually has access to resources typically requires only Step 4.
When you define a user account for a subscriber to connect through a PPP connection, you can also define a primary service for the subscriber.
A user account for a PPP subscriber can have one primary service from which the SSG software determines an IP address range (sometimes called a local address pool). The user receives a primary IP address from this address range. This primary-service addressing mechanism allows the subscriber's IP address to be associated with a primary service, which is usually the subscriber's Internet service. If the subscriber switches to another ISP (primary service), the IP address range from which subscriber's address is obtained changes to the address pool of the new ISP.
The IP Pool Name attribute specifies the name of a local address pool. On the NAS, the deployer must use the ip local pool command to define the range of addresses for the local address pool.
As an example of the primary-service addressing mechanism, assume the following:
With the preceding conditions in place, the IP address for the user whose primary service is Internet-Blue is taken from the local pool of addresses defined on the NAS for the local address pool Blue.
CDAT allows you to define a primary service at the user and user group level. In addition, you can also define a local address pool at the user and user group level. The precedence for these definitions is as follows (item 1 having the highest precedence):
1. Pool name in the Users window
2. Primary Service in the Users window
3. Pool name in the User Groups window
4. Primary Service in the User Groups window
Note When a Pool name and Primary Service are specified in the Users or User Groups window, this local address pool name takes precedence over any pool name defined for the user's primary service (IP Pool Name in the Services window). |
To create a subscriber or administrator account or to update information in an existing subscriber or administrator account, use the Users window (Figure 2-5).
After a subscriber account is created, you can use the Create subaccount button (at the bottom of the Users window) to create a subaccount. The attributes that define a subaccount are identical to the attributes for a parent account.
When you first create a user, you click New User and specify the following:
If the user has subaccounts, CDAT displays the following:
Shows subaccounts that have been created for this user account. This is a read-only field.
For a new or existing user, you can specify the following attributes:
The first set of boxes in the Users window specifies information about the user. The user information is derived from the X.500 user schema for use with LDAP. The following attributes appear in the user-information block:
Note A password must contain at least one character (letter or number). |
Local Cisco AV Pairs (Optional and for Subscribers Only)
Cisco attribute-value pairs (Cisco AV pairs) can appear as part of the user profile. The Cisco AV pairs that are supported by the Cisco SESM and CDAT software for user profiles are for upstream access control lists and downstream access control lists.
Note Cisco AV pairs can be specified at the user and the user group level. User and user group AV pairs are cumulative. The set that applies to a user are all AV pairs specified for the user and all AV pairs specified for any user groups of which the user is a member. |
An upstream access control list is defined with the inacl AV pair and specifies an access control list to be applied to upstream traffic coming from the user. A downstream access control list is defined with the outacl AV pair and specifies an access control list to be applied to downstream traffic going to the user. Either type of access control list can be an IOS standard access control list or an extended access control list. The syntax for these AV pairs is as follows:
There can be multiple instances of upstream and downstream access control lists within user profiles. Use one AV pair attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.
Local Generic RADIUS Attributes (Optional)
One or more RADIUS attributes and values that apply to the user but that do not appear in the fields of the Users window. For example, the Users window does not have a field for a Calling-Station-Id (RADIUS attribute number 31). A Calling-Station-Id for a Mobile Subscriber ISDN (MSISDN) is required in the subscriber profile for 3-key authentication. For information on RADIUS attributes, see RFC 2865.
Allowed values: A RADIUS attribute number and a value in the form 99:value, where 99 is the RADIUS attribute number. If more than one RADIUS attribute and value are specified, enter each attribute-value pair on a separate line.
Idle Timeout (Optional and for Subscribers Only)
Specifies the maximum time, in seconds, that a session or connection can remain idle before it is disconnected. The default is no timeout.
Allowed values: A number of seconds.
Note When a non-PPP user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscriber and the SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout attributes. |
Session Timeout (Optional and for Subscribers Only)
Specifies the maximum time, in seconds, that a host or service object can remain active in any one session. The default is no timeout.
Allowed values: A number of seconds.
CDAT displays the user groups that are currently defined. You can indicate whether the user is a member of a user group by checking or unchecking the checkbox for the group. For information on user groups, see the "User Groups Window" section.
Indicates whether the user account is currently enabled for authentication purposes when logging on to an SESM web portal. A subscriber with an enabled account can log on to an SESM web portal.
Home URL (For Subscribers Only)
Gives the home URL for this user's preferred Internet home page when the subscriber logs on to SESM. As shown in the following examples, when you enter the home URL, an H or U character must precede the URL. The H or U character control whether an SESM web application displays the home page in a new browser window.
If an SESM web application does not use frames, H and U have the same effect: When the subscriber logs on to SESM, the home page is displayed in a new browser window.
If an SESM web application does use frames, the behavior is as follows when the subscriber logs on to SESM:
Allowed values: A fully qualified URL preceded by the character H or U.
Example: Uhttp://www.MyHomePage.com
Unlimited Sub-Accounts (Subscribers Only)
Indicates whether the number of subaccounts for this user is unlimited. By default, Unlimited Sub-Accounts is checked and the user can create an unlimited number of subaccounts.
Note If you uncheck Unlimited Sub-Accounts and specify no value for Maximum Number of Sub-Accounts, the value for subaccount-creation limits defined at the user-group level takes effect. |
Maximum Number of Sub-Accounts (Optional and for Subscribers Only)
Specifies the number of subaccounts allowed for this user.
Allowed values: The value 0 or a positive number for the subaccount-creation limit.
Block Inheritance (For Subscribers Only)
Indicates whether subaccounts created by this user inherit service subscriptions from this user account (the parent account) or the container.
Enable Single Sign-On (Optional and for PPP Subscribers Only)
Indicates whether the single sign-on feature applies to the user. With single sign-on enabled, the Cisco SESM web application queries the SSG for the existence of a PPP connection for the IP address of any request to the Cisco SESM. The Cisco SESM web application does not require additional authentication at the Cisco SESM if a PPP connection already exists. The Enable Single Sign-On box applies only to PPP users. For non-PPP users, choosing Enable Single Sign-On has no effect.
Pool name (Optional and for PPP Subscribers Only)
Specifies the name of a local address pool (IP address range) for the user. The user receives a primary IP address from this address range. For information on local address pools, see the "Primary Service and Address Pool for a PPP Subscriber" section.
Allowed values: A text string for a local address pool name.
Primary Service (Optional and for PPP Subscribers Only)
Specifies the name of a primary service for this user. For information on primary services and local address pools, see the "Primary Service and Address Pool for a PPP Subscriber" section.
Allowed values: A text string for a primary service name.
Service Filters (Optional and for Subscribers Only)
Specifies the list of services that are blocked (that is, not inherited) for this subscriber account and for all subaccounts below this subscriber account. For example, this attribute might be used to block services to which children should not be granted access.
Note When a subaccount inherits service filters, the service names do not appear in the Service Filters box of the subaccount but are applied by the DESS/AUTH software at run time. |
Allowed values: One or more text strings for service names. Multiple services appear on separate lines. Service group names are not allowed.
Example: Gambling Service
Banking
TCP Redirection Attributes (Optional and for Subscribers Only)
One or more RADIUS vendor-specific attributes related to TCP redirection. For information on TCP redirection, see the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.
Allowed values: Table 2-3 describes the allowed vendor-specific attributes.
If more than one attribute is specified in the TCP Redirection Attributes box, enter each attribute on a separate line.
Example: RIRedirectServers;12;OnlineEducation
RS
For each service to which the user can subscribe, CDAT displays one of the following subscription scopes:
If CDAT does not display a service in the Users window, the user does not have the privileges needed to subscribe to the service. For each service to which the user has access, you can specify the following information:
Subscribe (For Subscribers Only)
Indicates whether the user is subscribed to the service.
Note If the subscriber has been given subscription privileges by the administrator, the subscriber can then use the SESM account-management pages to subscribe to or unsubscribe from the service if desired. |
Auto-logon (For Subscribers Only)
Indicates whether the user is automatically logged on to the service. With an auto-logon service, when a subscriber enters a user name and password to log on to the SESM web application, the subscriber is also automatically logged on to this service with the user name and password that were used to log into the SESM web application.
A user group is a set of users. With CDAT, individual userssubscribers, publishers, account managers, and administratorsmust be associated with one or more user groups in order to get access to resources. After creating a user group, you can make a user a member of the group by choosing the group in the User Group Is member section of the Users window.
Privileges are granted to a user group through a role. The resources to which the user group has access are defined in a rule. With RBAC, both privileges and access to resources are managed at the group level. For example, a user group made up of subscribers can be given access at the group level to a new service.
For inheritable user and user group attributes, you should define user attributes at the individual user level only when an attribute is specific to the user. You should define all other attributes at the group level. Individual group members then inherit the group value. For more information on inheritable attributes, see the "Attribute Values and Inheritance" section.
To create a new user group or update the attributes of an existing user group, use the User Groups window (Figure 2-6).
When you first create a service group, you click New Service Group and specify the following:
Allowed values: A text string.
Example: Gold Subscribers Group
For a new or existing user group, you can specify the following attributes:
Gives a description of the user group. The description is for informational purposes to help administrators identify the purpose of this user group.
Allowed values: A text string.
CDAT displays the roles that are currently defined. You can indicate whether the user group is an occupant of a role by checking or unchecking the checkbox for the role. For information on roles, see the "Roles Window" section.
CDAT displays the roles that are currently defined. You currently do not use the Blocked Roles attribute at the user-group level.
Local Cisco AV Pairs (Optional and for Subscriber Groups Only)
Cisco attribute-value pairs (Cisco AV pairs) can appear as part of the user group profile. The Cisco AV pairs that are supported by the Cisco SESM and CDAT software for user groups are for upstream access control lists and downstream access control lists. For information on these access control lists, see the "Upstream and Downstream Access Control Lists" section.
Note Cisco AV pairs can be specified at the user and the user group level. User and user group AV pairs are cumulative. The set that applies to a user are all AV pairs specified for the user and all AV pairs specified for any user groups of which the user is a member. |
Local Generic RADIUS Attributes (Optional)
One or more RADIUS attributes and values that apply to the user group but that do not appear in the fields of the User Groups window. For information on RADIUS attributes, see RFC 2865.
Allowed values: A RADIUS attribute number and a value in the form 99:value, where 99 is the RADIUS attribute number. If more than one RADIUS attribute and value are specified, enter each attribute-value pair on a separate line.
Idle Timeout (Optional and for Subscriber Groups Only)
Specifies the maximum time, in seconds, that a session or connection can remain idle before it is disconnected. The default is no timeout.
Allowed values: A number of seconds.
Note When a non-PPP user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscriber and the SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout attributes. |
Session Timeout (Optional and for Subscriber Groups Only)
Specifies the maximum time, in seconds, that a host or service object can remain active in any one session. The default is no timeout.
Allowed values: A number of seconds.
Account Enabled (For Subscriber Groups Only)
Indicates whether the user accounts for group members are currently enabled for authentication purposes when logging on to an SESM web portal. A user with an enabled account can log on to an SESM web portal.
Home URL (For Subscriber Groups Only)
Gives the home URL for the group member's preferred Internet home page when the subscriber logs on to SESM. As shown in the following examples, when you enter the home URL, an H or U character must precede the URL. The H or U character control whether an SESM web application displays the home page in a new browser window.
If an SESM web application does not use frames, H and U have the same effect: When the subscriber logs on to SESM, the home page is displayed in a new browser window.
If an SESM web application does use frames, the behavior is as follows when the subscriber logs on to SESM:
Allowed values: A fully qualified URL preceded by the character H or U.
Example: Uhttp://www.MyHomePage.com
Unlimited Sub-Accounts (Subscriber Groups Only)
Indicates whether the number of subaccounts for users in the group is unlimited. By default, Unlimited Sub-Accounts is checked, and the user has the ability to create an unlimited number of subaccounts.
Maximum Number of Sub-Accounts (Optional and for Subscriber Groups Only)
Specifies the number of subaccounts allowed for this user in the group.
Allowed values: The value 0 or a positive number for the subaccount-creation limit.
Block Inheritance (Not Currently Used)
Not used and ignored if chosen.
Enable Single Sign-On (For PPP Subscriber Groups Only)
Indicates whether the single sign-on feature applies to the users. With single sign-on enabled, the Cisco SESM web application queries the SSG for the existence of a PPP connection for the IP address of any request to the Cisco SESM. The Cisco SESM web application does not require additional authentication at the Cisco SESM if a PPP connection already exists. The Enable Single Sign-On box applies only to PPP users. For non-PPP users, choosing Enable Single Sign-On has no effect.
Pool name (Optional and for PPP Subscriber Groups Only)
Specifies the name of a local address pool (IP address range) for users in the group. For information on local address pools, see the "Primary Service and Address Pool for a PPP Subscriber" section.
Allowed values: A text string for a local address pool name.
Primary Service (Optional and for PPP Subscriber Groups Only)
Specifies the name of a primary service for users in the group. For information on primary services and local address pools, see the "Primary Service and Address Pool for a PPP Subscriber" section.
Allowed values: A text string for a primary service name.
Service Filters (Optional and for Subscriber Groups Only)
Specifies the list of services that are blocked (that is, not inherited) for group member accounts and for all subaccounts below these member accounts. For example, this attribute might be used to block services to which children should not be granted access.
Note When a subaccount inherits service filters, the service names do not appear in the CDAT Services window but are applied by the DESS/AUTH software at run time. |
Allowed values: One or more text strings for service names. Multiple services appear on separate lines. Service group names are not allowed.
Example: Gambling Service
Banking
TCP Redirection Attributes (Optional and for Subscriber Groups Only)
One or more RADIUS vendor-specific attributes related to TCP redirection. For information on TCP redirection, see the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.
Allowed values: Table 2-3 describes the allowed vendor-specific attributes. If more than one attribute is specified in the TCP Redirection Attributes box, enter each attribute on a separate line.
Example: RIRedirectServers;12;OnlineEducation
RS
For each service to which the user group can subscribe, CDAT displays a subscription scope:
If CDAT does not display a service in the User Groups window, the user group does not have the privileges needed to subscribe to the service.
For each available service, you can specify the following information:
Subscribe (For Subscriber Groups Only)
Indicates whether the user group is subscribed to the service.
Note If the user group of subscribers has been given subscription privileges by the service-provider administrator, the subscriber can then use the SESM account-management pages to subscribe to or unsubscribe from the service if desired. |
Auto-logon (For Subscriber Groups Only)
Indicates whether the members of the user group are automatically logged on to the service. With an auto-logon service, when a subscriber enters a user name and password to log on to the SESM web application, the subscriber is also automatically logged on to this service with the user name and password that were used to log into the SESM web application.
In the RBAC model, a role is a collection of associated privileges. With CDAT, a user group may be assigned to multiple roles. In the context of Cisco SESM and CDAT, user groups fall into the following general categories:
With RBAC and CDAT, the underlying directory and DESS/AUTH software determines the roles for a given user in these ways:
For a subaccount, roles are inherited from the parent account as determined in the preceding ways. Service filters that are defined for the parent account also apply to the subaccount.
If the RBAC objects were installed when the DESS software was installed, a set of predefined roles will be displayed in the list of roles. For information on the predefined roles, see "Predefined Roles and Rules."
This section provides two examples of subscriber roles and the privileges that you might grant to a subscriber.
For a subscriber who requires self-care privileges (managing account attributes such as passwords and addresses) and subaccount-creation privileges, you can use the privilege Cisco_Dess_Manage and as role occupant specify the dynamic subject Self. The dynamic subject Self defines the role occupant when the accessed resource name is the same as the subject name in the submitted privilege token. The dynamic subject Self allows a subscriber to be a role occupant only for objects and attributes that are related to the specific user account.
The predefined role SELF_MANAGE_ROLE provides an example of how you can define privileges for subscriber self-care and subaccount creation with the privilege Cisco_Dess_Manage and the dynamic subject Self. The predefined roles are optionally installed with the RBAC objects as part of the DESS software installation.
In the associated rule SELF_MANAGE_RULE that defines resources for SELF_MANAGE_ROLE, the resources are specified as the container that holds the SESM/CDAT objects. In this way, a subscriber who is a member of a group occupying the SELF_MANAGE_ROLE has access to all objects and attributes that are related to this specific subscriber account.
Roles for subscribers can require that you create two or more roles that are associated with specific privileges. As an example, consider an SESM deployment that allows only the parent user account (not the subaccount users) to create subaccounts. This model could be implemented with two distinct roles: one role for the parent user and one role for the subaccount user.
As an example of this model, assume that the parent user group is GoldSubscriberParent and is associated with a GoldSubscriberParentRole having these privileges:
The subaccount user group is GoldSubscriberSubaccount and is associated with a GoldSubscriberSubaccountRole having all of the preceding privileges except for Cisco_Dess_CreateSubAccount and Cisco_Dess_DeleteSubaccount. Not granting these two privileges to the subaccount role makes it impossible for the subaccount user to create or delete a subaccount.
To create a new role or update the attributes of an existing role, use the Roles window (Figure 2-7).
When you first create a role, you click New Role and specify the following:
Allowed values: A text string.
For a new or existing role, you can specify the following:
Gives a description of the role. The description is for informational purposes to help administrators when using this role.
Allowed values: A text string.
Indicates dynamic subjects that will be role occupants. Dynamic subjects are users whose role occupancy is determined at run time. For example, the dynamic subject Self can be granted privileges at run time to objects whose creator name matches the login name specified when the user logs in to SESM or CDAT.
Dynamic subjects are as follows:
Indicates the user groups that are occupants of this role. The user groups displayed were created with the User Groups window.
Indicates those privileges that are associated with this role. Table 2-4 shows the privileges that can be chosen. In the table, the Who Is Granted? column indicates the category of user group that is typically granted this privilege and contains one or more of these types:
Table 2-4 uses the term DESS objects for all objects that can be created with CDAT other than roles and rules. Services, service groups, users, user groups, and NRPs are DESS objects. Roles and rules are AUTH objects. Cisco_Dess_* privileges pertain to DESS objects. Cisco_Azn_* privileges pertain to AUTH objects.
When you use Table 2-4 to determine the privileges typically granted to a specific role, it might not be clear at first glance why a category of user groups such as administrators or subscribers is not explicitly granted certain privileges. Be aware that certain privileges may be implicitly granted by other privileges.
For example, Cisco_Dess_Supervisor (manage any DESS object) is a privilege that an administrator role is typically granted. If an administrator role has been explicitly defined to have Cisco_Dess_Supervisor privilege, you do not need to explicitly grant Cisco_Dess_Create (and many other privileges) to that role because many administrative privileges are implicit in Cisco_Dess_Supervisor.
A rule defines the set of conditions under which a role is associated with one or more resources. User groups can be made occupants of one or more roles. In this way, an administrator can define the resources that can be accessed by members of a user group.
If the RBAC objects were installed when the DESS software was installed, CDAT displays a set of predefined rules in the list of rules. For information on the predefined rules, see "Predefined Roles and Rules."
To create a new rule or update the attributes of an existing rule, use the Rules window (Figure 2-8).
When you first create a rule, you click New Rule and specify the following:
Allowed values: A text string.
For a new or existing rule, you can specify the following:
Indicates the state of the rule: Enabled, Disabled, or Debug. This attribute is not currently used. A rule is always enabled.
Gives a description of the rule. The description is for informational purposes to help administrators when using this rule.
Allowed values: A text string.
Specifies a keyword that helps an administrator locate the policy objects applicable to them.
Allowed values: Currently, the keyword CISCO_AZN
indicates authorization policies and is the only keyword used.
The condition for a rule specifies whether the set of actions associated with the rule should be executed or not. The boxes under Condition give the three elements of the rule's condition:
The preceding condition is the only condition currently used with Cisco SESM and CDAT. This condition always evaluates to true. Therefore, the privileges granted by the roles can be exercised. The roles chosen in Affected Roles determine the set of roles to which the rule applies.
Specifies a variable for the condition: an attribute that should be matched when evaluating the condition.
Allowed values: Currently, ResourceClass
is the only variable used.
Specifies an operator for the condition.
Allowed values: Currently, the ==
operator is the only operator used.
Specifies a value against which the variable is to be compared when evaluating the condition.
Allowed values: Currently, the value top
is the only value used.
Indicates the resources (services, service groups, or containers) that will be associated with the rule. The services and service groups that CDAT displays were created with, respectively, the Services and Service Groups windows. The containers that CDAT displays were created with the object management facility used for the LDAP directory.
For each role, indicates whether the role is associated with the rule.
CDAT allows creation of NRP-related information in an NRP object. Currently, NRP-related information is for a next-hop table.
Because multiple NRP-SSGs might access services from different networks, each service profile can specify a next-hop key, which is a string identifier, rather than an actual IP address. For each service, use the Services window's Next hop gateway box to specify the next-hop key for the service.
For each NRP-SSG to determine the IP address associated with the next-hop key, each NRP-SSG downloads its own next-hop table that associates keys with IP addresses. In the NRPs window, you use the Next Hop Table box to define the entries in the next-hop table for each NRP-SSG. The name of the next-hop table is the name that you give when you click New NRP.
To create and download a next-hop table that an NRP-SSG can use to access services from different networks, do the following:
Step 2 For each NRP-SSG, use CDAT to create a next-hop table.
a. In the NRPs window, click New NRP to create a next-hop table for the NRP, and specify the name for the next-hop table in the Name box. With CDAT, the next-hop table takes its name from the name of the NRP.
b. In the Next Hop Table box, define the entries in the next-hop table for the NRP-SSG. For example:
Step 3 On the RADIUS/DESS Proxy (RDP) server, specify the next-hop table password that will be used to access the next-hop table. The next-hop table password is specified in the \rdp\config\rdp.xml file:
By default, the password is nexthopcisco.
Step 4 On each NRP-SSG, use the following command to download the appropriate next-hop table:
ssg next-hop download next-hop_table_name next-hop_table_password
In the preceding command, next-hop_table_name is the name you specified when creating the next-hop table (Step 2a). The next-hop_table_password is the password that is defined in the rdp.xml file (Step 3). For information on the ssg next-hop command, see the Cisco 6400 Command Reference.
To create or update information for an NRP, use the NRPs window (Figure 2-9) Currently, the only information you can create is a next-hop table.
The NRPs window allows you to create a next-hop table. When you first create a next-hop table, you click New NRP and specify the following:
Name of the NRP. The next-hop table takes its name from the name that you specify for the NRP object.
Allowed values: A text string.
For a new or existing next-hop table, you can specify the following:
Specifies a key and an IP address for each entry in the next-hop table.
Allowed values: A key and an IP address, separated by an equal sign. Each next-hop table entry is on a separate line:
In the preceding entry, key is the key for the service specified with CDAT in the Next hop gateway box of the Services window. The ip_address is IP address of the next hop for this service.
Local Cisco AV Pairs (Not Currently Used)
Idle Timeout (Not Currently Used)
Session Timeout (Not Currently Used)
Posted: Fri Jan 10 21:14:33 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.