4-3
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Overview of Device Administration
If a command is matched to a command set, the corresponding permit or deny setting for the command
is retrieved. If multiple results are found in the rules that are matched, they are consolidated and a single
permit or deny result for the command is returned, as described in these conditions:
• If an explicit deny-always setting exists in any command set, the command is denied.
• If no explicit deny-always setting exists in a command set, and any command set returns a permit
result, the command is permitted.
• If neither of the previous two conditions is met, the command is denied.
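The consolidation rules above, carried through as an added example written for this page (not ACS code). The command-set representation, the rule-table result as a dictionary of named command sets, and the regex-based argument matching are assumptions made for illustration:

```python
import re
from typing import Dict, List, Optional, Tuple

# Actions a command-set rule can carry. The names follow the wording used in
# the guide; the data structures below are assumptions for illustration.
PERMIT, DENY, DENY_ALWAYS = "permit", "deny", "deny_always"

# A command set is a list of rules: (command keyword, argument pattern, action).
# The argument pattern is checked with re.fullmatch against the argument string;
# this matching scheme is an assumption, not ACS's exact argument syntax.
CommandSet = List[Tuple[str, str, str]]


def match_in_set(cmd_set: CommandSet, command: str, args: str) -> Optional[str]:
    """Return the action of the first rule that matches command + arguments,
    or None when the command is not matched to this command set at all."""
    for keyword, arg_pattern, action in cmd_set:
        if keyword == command and re.fullmatch(arg_pattern, args):
            return action
    return None


def consolidate(results: List[Optional[str]]) -> str:
    """Apply the three consolidation conditions to the per-set results."""
    matched = [r for r in results if r is not None]
    if DENY_ALWAYS in matched:   # 1. an explicit deny-always in any set wins
        return DENY
    if PERMIT in matched:        # 2. no deny-always and any set permits
        return PERMIT
    return DENY                  # 3. only plain deny results, or no match at all


def authorize(command_sets: Dict[str, CommandSet], line: str) -> str:
    """Authorize one command line against every command set in the result."""
    command, _, args = line.strip().partition(" ")
    per_set = [match_in_set(cs, command, args) for cs in command_sets.values()]
    return consolidate(per_set)


# Constructed sample: two command sets returned by the rule table for one user.
SAMPLE_SETS: Dict[str, CommandSet] = {
    "NetOps-Show": [("show", ".*", PERMIT), ("debug", ".*", DENY)],
    "Change-Freeze": [("show", "running-config", DENY_ALWAYS),
                      ("debug", "ip .*", PERMIT)],
}

if __name__ == "__main__":
    for cmd in ["show version", "show running-config", "debug ip packet",
                "configure terminal"]:
        print(f"{cmd:22} -> {authorize(SAMPLE_SETS, cmd)}")
```

Note that "debug ip packet" is permitted even though one set returns a plain deny: only deny-always overrides a permit from another set, which is why Cisco documents the two deny types separately.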
You configure the permit and deny settings in the device administration rule table. You configure policy
elements within a device administration rule table as conditions that are or are not met. The rule table maps
specific request conditions to device administration results through a matching process. The result of
rule table processing is a shell profile or a command set, depending on the type of request.
Session administration requests have a shell profile result, which contains values of attributes that are
used in session provisioning. Command authorization requests have a command authorization result,
which contains a list of command sets that are used to validate commands and arguments.
This model allows you to configure administrator levels that have specific device administration
capabilities. For example, you can assign a user the Network Device Administrator role, which provides
full access to device administration functions, while a Read Only Admin cannot perform administrative
functions.
Session Administration
The following steps describe the flow for an administrator to establish a session (the ability to
communicate) with a network device:
1. An administrator accesses a network device.
2. The network device sends a RADIUS or TACACS+ access request to ACS.
3. ACS uses an identity store (external LDAP, Active Directory, RSA, RADIUS Identity Server, or
internal ACS identity store) to validate the administrator’s credentials.
4. The RADIUS or TACACS+ response (accept or reject) is sent to the network device. The accept
response also contains the administrator’s maximum privilege level, which determines the level of
administrator access for the duration of the session.
To configure a session administration policy (device administration rule table) to permit communication:
Step 1 Configure the TACACS+ protocol global settings and user authentication option. See Configuring
TACACS+ Settings, page 18-1.
Step 2 Configure network resources. See Network Devices and AAA Clients, page 7-5.
Step 3 Configure the users and identity stores. See Managing Internal Identity Stores, page 8-4 or Managing
External Identity Stores, page 8-22.
Step 4 Configure shell profiles according to your needs. See Creating, Duplicating, and Editing a Shell Profile
for Device Administration, page 9-23.