Cisco Systems CSACS3415K9 User Manual
4-3
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
Overview of Device Administration
If a command is matched to a command set, the corresponding permit or deny setting for the command
is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a single
permit or deny result for the command is returned, as described in these conditions:
• If an explicit deny-always setting exists in any command set, the command is denied.
• If no explicit deny-always setting exists in a command set, and any command set returns a permit result, the command is permitted.
• If neither of the previous two conditions is met, the command is denied.
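The three consolidation conditions above, worked through as an added Python example that is not part of the Cisco guide. Only the consolidation order (an explicit deny-always wins, otherwise any permit wins, otherwise deny) comes from the text; the CommandRule and CommandSet classes, the first-matching-rule behaviour inside a set, the exact-command-word plus regex-on-arguments matching, and the sample command sets are simplifying assumptions of this example, not a description of how ACS itself matches commands.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Result names modelled on the page: permit, deny and deny-always.
PERMIT, DENY, DENY_ALWAYS = "permit", "deny", "deny_always"


@dataclass
class CommandRule:
    """One row of a command set (assumed structure, not the ACS schema)."""
    command: str       # exact command word, e.g. "show"
    args_pattern: str  # regex matched against the argument string; "" matches anything
    action: str        # PERMIT, DENY or DENY_ALWAYS


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule] = field(default_factory=list)

    def match(self, command: str, args: str) -> Optional[str]:
        """Return the action of the first matching rule, or None if the
        command is not matched by this set at all (first-match is an assumption)."""
        for rule in self.rules:
            if rule.command == command and re.fullmatch(rule.args_pattern or ".*", args):
                return rule.action
        return None


def consolidate(results: List[str]) -> str:
    """Apply the three consolidation conditions from the guide to the
    per-command-set results of one command."""
    # Condition 1: an explicit deny-always in any command set denies the command.
    if DENY_ALWAYS in results:
        return DENY
    # Condition 2: no deny-always, and at least one set returned permit.
    if PERMIT in results:
        return PERMIT
    # Condition 3: neither condition met (only deny results, or no match at all).
    return DENY


def authorize(command_line: str, command_sets: List[CommandSet]) -> str:
    """Split a command line into command word and arguments, collect the result
    from every command set that matches it, and consolidate to one decision."""
    command, _, args = command_line.strip().partition(" ")
    results = []
    for cs in command_sets:
        result = cs.match(command, args)
        if result is not None:
            results.append(result)
    return consolidate(results)


# Constructed sample command sets (not from the guide).
READ_ONLY = CommandSet("ReadOnly", [
    CommandRule("show", "", PERMIT),
    CommandRule("configure", "", DENY_ALWAYS),
])
NET_ADMIN = CommandSet("NetworkDeviceAdmin", [
    CommandRule("show", "", PERMIT),
    CommandRule("configure", "", PERMIT),
    CommandRule("reload", "", DENY),
])

if __name__ == "__main__":
    for line in ["show running-config", "configure terminal", "reload", "debug ip packet"]:
        print(f"{line!r:25} -> {authorize(line, [READ_ONLY, NET_ADMIN])}")
```

The second sample line is the case worth noticing: a user who is matched by both sets is denied `configure terminal` even though the admin set permits it, because the deny-always in the read-only set takes precedence over any permit. A command matched by no set falls through to the third condition and is denied.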
You configure the permit and deny settings in the device administration rule table. You configure policy
elements within a device administration rule table as conditions that are or are not met. The rule table maps
specific request conditions to device administration results through a matching process. The result of
rule table processing is a shell profile or a command set, depending on the type of request.
Session administration requests have a shell profile result, which contains values of attributes that are
used in session provisioning. Command authorization requests have a command authorization result,
which contains a list of command sets that are used to validate commands and arguments.
This model allows you to configure the administrator levels to have specific device administration
capabilities. For example, you can assign a user the Network Device Administrator role, which provides
full access to device administration functions, while a Read Only Admin cannot perform administrative
functions.
Session Administration
The following steps describe the flow for an administrator to establish a session (the ability to
communicate) with a network device:
1. An administrator accesses a network device.
2. The network device sends a RADIUS or TACACS+ access request to ACS.
3. ACS uses an identity store (external LDAP, Active Directory, RSA, RADIUS Identity Server, or
internal ACS identity store) to validate the administrator’s credentials.
4. The RADIUS or TACACS+ response (accept or reject) is sent to the network device. The accept
response also contains the administrator’s maximum privilege level, which determines the level of
administrator access for the duration of the session.
To configure a session administration policy (device administration rule table) to permit communication:
Step 1
Configure the TACACS+ protocol global settings and user authentication option. See .
Step 2
Configure network resources. See .
Step 3
Configure the users and identity stores. See
Step 4
Configure shell profiles according to your needs. See