Cisco Systems CSACS3415K9 Manual De Usuario
16-21
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Working with Administrative Access Control
Administrator Login Process
When an administrator logs in to the ACS web interface, ACS 5.4 performs the authentication as given
below.
below.
If an administrator account is configured as a recovery account in the administrator internal identity
store, then ACS bypasses the identity and authorization policies, authenticates the administrator against
the administrator internal identity store, and assigns the role statically. If an administrator account is not
a recovery account, then ACS proceeds with policy-based authentication.
store, then ACS bypasses the identity and authorization policies, authenticates the administrator against
the administrator internal identity store, and assigns the role statically. If an administrator account is not
a recovery account, then ACS proceeds with policy-based authentication.
As a part of policy-based authentication, ACS fetches the AAC service with identity policy and
authorization policy configuration. ACS evaluates the identity policy and gets the identity store as a
result. If the identity policy result is the administrator internal identity store, then ACS evaluates the
password type and retrieves the identity store as the result.
authorization policy configuration. ACS evaluates the identity policy and gets the identity store as a
result. If the identity policy result is the administrator internal identity store, then ACS evaluates the
password type and retrieves the identity store as the result.
ACS authenticates the administrator against the selected identity store, and retrieves the user groups and
user attributes, if the administrator account is configured in an external identity store.
user attributes, if the administrator account is configured in an external identity store.
If the administrator account is configured in the internal identity store, and it has a static role assignment,
then ACS extracts the list of administrator roles.
then ACS extracts the list of administrator roles.
If the administrator account is configured in an external or internal identity store and has a dynamic role
assignment, ACS evaluates the authorization policy, gets a list of administrator roles, and uses it
dynamically, or gets Deny Access as the result.
assignment, ACS evaluates the authorization policy, gets a list of administrator roles, and uses it
dynamically, or gets Deny Access as the result.
Based on the selected role, ACS authenticates and manages the administrator access restrictions and
authentications. If Deny Access is the result of the evaluation, then ACS denies access to the
administrator and logs the reason for failure in the customer logs.
authentications. If Deny Access is the result of the evaluation, then ACS denies access to the
administrator and logs the reason for failure in the customer logs.
Table 16-12
Administrators Authorization Rule Properties Page
Option
Description
General
Name
Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration;
all other fields are optional.
all other fields are optional.
Status
Rule statuses are as follows:
•
Enabled—The rule is active.
•
Disabled—ACS does not apply the results of the rule.
•
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor-only. The
monitor option is especially useful for viewing watching the results of a new rule.
are written to the log, and the log entry includes an identification that the rule is monitor-only. The
monitor option is especially useful for viewing watching the results of a new rule.
Conditions
conditions
These are conditions that you can configure for the rule. By default the compound condition appears. You
can change the conditions that appear by using the Customize button in the Policy page.
can change the conditions that appear by using the Customize button in the Policy page.
The default value for each condition is ANY. To change the value for a condition, check the condition check
box, then specify the value.
box, then specify the value.
If you check Compound Condition, an expression builder appears in the conditions frame. For more
information, see
information, see
.
Results
Roles
Roles to apply for the rule.