Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Access Policies

Before you start creating policies, it is important to understand how ACS applies a particular policy to a request and how many policies are available. ACS uses service selection rules and access services to decide on a policy to apply to a request.

Service Selection Rules

Service selection rules decide which access service to send an authentication or authorization request to. You can configure ACS to use a single access service to process all requests or use rules based on session conditions to send requests to different access services. In the case of a rule-based selection, ACS uses the first rule from the top that matches a request.

To further understand how this works, take a department store for example. A department store is divided into sections using product category (clothing, sporting goods, jewelry, and so on). An ACS configured to use a single access service is like the department store. All requests go to a single access service, which has different policies. The access service checks session conditions and applies the appropriate policy. Consider a grocery store for another example. A grocery store sells only groceries, but might have sections based on different categories (produce, meat, canned goods, and so on). An ACS configured for rule based service selection is similar to such a store. It will send different kinds of requests to different access services. Each access service equates to a specialized store. These access services will have different policies.

To further understand service selection rules and access services, consider another example. XYZ Inc. has five offices. Each office has routers terminating VPN connections. These routers are going to authenticate and authorize VPN sessions and administrative sessions to a single ACS. There are two ways to configure ACS for the organization:

  • Method 1: Configure ACS to send all requests to a single access service and configure two policies in the access service. One policy to process all administrative session requests via the TACACS+ protocol and the other to process all VPN session requests via the RADIUS protocol.
  • Method 2: Configure ACS to send all TACACS+ (administrative sessions) requests to one access service and to send all RADIUS (VPN sessions) request to another access service. Each access service can have one or more policies to process the requests.

Method 1 is easier to configure and maintain; however, it can get very complicated if different authentication or authorization methods need to be applied. For example, one site might need more stringent authorization for VPN sessions than other sites or administrators might need restricted access to remote devices. Further consider an organization with 100 sites and thousands of network devices. In such scenarios, policies will increase in the access service and soon become unmanageable. On the other hand, different access services will have a smaller number of policies and will be easier to manage.

Access Services

Access services are the most basic parts of ACS. They are sets of policies which process all authentication and authorization requests. Every authentication and authorization request has to match a policy in an access service before it is processed. As you already know, a request is sent to an access service by the service selection rules. When an access service receives a request, it checks policies in a top-down manner and applies the first policy that matches the session conditions.

Access services consist of the following types of policies:

  • Identity Policy: Specifies how the user should be authenticated and includes the allowed authentication protocols and the user repository to use for password validation. Identity policies can be simple or rule based. Simple policies apply a single policy to all requests. Rule-based policies use session conditions to choose rules for requests.
  • Group Mapping Policy: Specifies whether the user's ACS identity group should be dynamically established based on user attributes or group membership in external identity stores. The user's identity group can be used as part of its authorization. Chapter 5 covers group mapping in more detail.
  • Authorization Policy: Specifies the authorization rules for the user. Authorization policies can only be rule based.

ACS has two access services by default:

  • Default Device Admin: Service selection rules are configured to send all TACACS+ requests to this default access service.
  • Default Network Access: Service selection rules are configured to send all RADIUS requests to this default access service.

Creating an Access Service

Access services and their policies bring together different elements from ACS. Hence, before creating an access service, you should determine the network configuration and the degree of refinement that you want individual policies to have. Depending on that, you should add devices and users or user databases. You should also create different policy elements such as session conditions and authorization and permission elements. Ensuring that you have all the required components will save you from moving back and forth between different drawers in the menu.

To create an access service, follow these steps:

  • Step 1. Select Access Policies > Access Services.
  • The Access Services page appears.
  • Step 2. Click Create.
  • The Access Service General Properties page appears as shown in Figure 4-19.
    Figure 4-19

    Figure 4-19 General Properties of a New Access Service

  • Step 3. Enter a name. For this example, use Remote Access VPN.
  • Step 4. (optional) Enter a description.
  • Step 5. Select one of the following options for Access Service Policy Structure:

    • Based on service template: Creates an access service based on a predefined template. These templates are customized to use a specific condition type. To use this option, select the radio button next to it, and then click Select and select a template.
    • Based on existing service: Creates an access service containing policies based on an existing access service. The new access service does not include the existing service's policy rules. To use this option, select the radio button next to it, and click Select and select an existing access service.
    • User Selected Service Type: Provides you the option to select the access service type. The available options are Network Access, Device Administration, and RADIUS Proxy. The list of policies you can configure depends on your choice of access service type. To use this option, select the radio button next to it and select an access service type from the drop down box. Selecting this option will also display the option to enable or disable different policy types.

    For this example, select User Selected Service Type and select Network Access from the drop-down box. Select Identity and Authorization in the policy structure.

  • Step 6. Click Next.
  • The Allowed Protocols properties page appears as shown in Figure 4-20.
    Figure 4-20

    Figure 4-20 Configuring Allowed Protocols in an Access Service

  • Step 7. This page enables you to select which authentication protocols will be allowed with this access service. PAP, CHAP, MS-CHAPv1, MS-CHAPv2 and various EAP protocols are available as options. You can also enable host lookup (required for machine authentication) from this page. For this example, deselect Process Host Lookup and select Allow PAP/ASCII and Allow MS-CHAPv2.
  • Step 8. Click Finish.
  • The access service will be saved and will appear as a menu item in the Access Services drawer. Below the menu item, selected policy types will be shown as submenu items. At this point, a prompt will give you an option to activate this service in the Service Selection Rules. For now, click No. The Access Services page will appear with the new access service listed in the table.

You are now ready to configure the identity rules and authorization rules for the new access service.

Configuring Identity Policy

As you already know, identity policies can be simple or rule-based. By default, identity policies are simple. When you select Identity under a new Access Service (Remote Access VPN for this example) in the Access Policies drawer, you will find that the Single result selection option is selected and Identity Source is DenyAccess.

If you want to configure a simple policy, follow these steps:

  • Step 1. Click Select next to Identity Source and select an identity store. You can select between certificate-based authentications or different password-based internal or external identity stores.
  • Step 2. (Optional) Click Advanced Options to display the fail-open options. Fail-open opens enable you to configure the behavior of ACS when authentication fails, the user is not found in an identity store, or there is a process failure. A process failure occurs when ACS is not able to verify the credentials, usually due to external factors such as a network failure between ACS and an external database. To understand the fail-open process, you have to remember that a device will fail over to a different AAA server if the primary server does not respond to a request. Each of the three fail-open options has three possible actions:
    • Reject: Sends an Access-Reject or Fail reply to the AAA client.
    • Drop: ACS drops the request, causing the AAA client to retry another fail over to another AAA server.
    • Continue: Causes ACS to try the next service or rule.
  • By default ACS will reject a request if authentication fails or a user is not found, and will drop a request if the process fails. Figure 4-21 shows this page with the default Advanced options.
    Figure 4-21

    Figure 4-21 Configuring a Simple Identity Policy

  • Step 3. Click Save Changes.

If you want to configure a rule-based identity policy, follow these steps:

  • Step 1. Select Rule based result selection from the Identity Properties page.
  • This will change the properties page to a rule-based table format shown in Figure 4-22.
    Figure 4-22

    Figure 4-22 The Identity Policy Page for a Rule-Based Configuration

  • Step 2. The rules of an Identity policy use session conditions to determine which identity store to use for a request. The session conditions available in the Rules Properties page need to be enabled from the Identity Properties page. Click Customize to open the Customize Conditions dialog box. Select the conditions that you want to use. For this example, deselect default conditions and select NDG:Routers (you created this NDG earlier in this chapter).
  • Step 3. Click Create.
  • The Identity Rule properties page appears as shown in Figure 4-23.
    Figure 4-23

    Figure 4-23 Configuring the Rules of an Identity Policy

  • Step 4. Enter a name. For this example, use Core Routers.
  • Step 5. Select a session condition. In this example, only NDG:Routers is available, so select it.
  • Step 6. Select an operator from the drop-down box next to the selected condition. The available operators change depending on the condition selected. These are logical operators that allow matching or not matching the user-provided argument with the selected condition. For this example, select in from the drop-down box.
  • Step 7. For some conditions, such as NDGs, you will see a Select button next to the condition. You can click this button to select the required element. For some conditions, you will get a drop-down box or a text box. For this example, click Select and select Core Routers NDG.
  • Step 8. In the Results section, you can select the identity source to be used for this rule. Click Select next to Identity Source and select an identity store. You can select between certificate-based authentications or different password-based internal or external identity stores. For this example, use Internal Users.
  • Step 9. (Optional) Click Advanced Options to display the fail-open options. Remember that by default, ACS will reject a request if authentication fails or a user is not found, and will drop a request if the process fails. For this example, leave them set to the default values.
  • Step 10. Click OK.
  • The rule will be saved and the Identity Policy page will appear with the rule listed in the table.
  • The rule you created will use the Internal Users identity store to authenticate requests that originate from any device in the Core Routers NDG. You can add more rules to use different identity stores for different session conditions.

Now that the identity policy is configured, you can configure the authorization policy to complete the access service.

Configuring Authorization Policy

As mentioned earlier, authorization policies are rule based only. You cannot configure a simple authorization policy, but you can configure a single rule that will match all requests coming to the access service.

ACS also provides a default authorization rule. The default rule is applied if no rules are defined in an authorization policy or if a request does not match any defined rules.

To configure a rule, follow these steps:

  • Step 1. Select Access Policies > Access Service you want to change > Authorization. For this example, select Authorization under Remote Access VPN.
  • The Authorization Policy page appears.
  • Step 2. Rules of an authorization policy use session conditions to determine which authorization and permissions to use for a request. The session conditions available in the Rules Properties page need to be enabled from the Authorization Policy page. Click Customize to open the Customize Conditions dialog box. Select the conditions that you want to use. For this example, deselect default conditions and select Identity Group.
  • Step 3. If the authorization policy for a TACACS+-based access service is being configured, then along with available session conditions, you will need to select available results in the Customize dialog box. Results can be shell profiles or command sets. For this example, you will not have an option to select results because the access service is RADIUS-based. Authorization Profile is the only result available with such access services.
  • Step 4. Click Create.
  • The Authorization Rule properties page appears as shown in Figure 4-24.
    Figure 4-24

    Figure 4-24 Creating the Rules of an Authorization Policy

  • Step 5. Enter a name. For this example, use Admins.
  • Step 6. Select a session condition. For this example, select Identity Group.
  • Step 7. Select an operator from the drop-down box next to the selected condition. The available operators change depending on the condition selected. These are logical operators that allow matching or not matching a user-provided argument with the selected condition. For our example, select in from the drop-down box.
  • Step 8. For some conditions, such as Identity Group, you will see a Select button next to the condition. You can click this button to select the required element. For some conditions your will get a drop-down box or a text box. For this example, click Select and select the Admin group you created earlier.
  • Step 9. Authorization profiles require you to select a result. Results can be authorization profiles, shell profiles, or command sets depending on the access service. Click Select next to the result that you want to configure and select a policy element. For this example, select the Permit Access authorization profile, which is available by default.
  • Step 10. Click OK.
  • The rule will be saved and the Authorization Policy page will appear with the new rule listed in the table.

You have created your first authorization rule, which permits access if the user belongs to the Admin Identity group.

Now that the access service configuration is complete, you will need to create a service selection rule so that this service is used.

Creating Service Selection Rules

As you know, service selection rules decide which access service to apply to a request. By default ACS is configured for rule-based service selection. Two rules are present by default. The first rule, named Rule-1, sends all RADIUS requests to the Default Network Access service and the second rule, named Rule-2, sends all TACACS+ requests to the Default Device Admin service. To configure ACS to use the Remote Access VPN service that you created, you need to add a new rule for service selection. You have the following choices in this situation:

  • Edit Rule-1 to send all requests to the Remote Access VPN service
  • Delete Rule-1 and create a new rule
  • Create a new rule above Rule-1 that is specific to the Remote Access VPN service

For this example, create a new rule above Rule-1. To do so, follow these steps:

  • Step 1. Select Access Policies > Access Services > Service Selection Rules.
  • The Service Selection Policy page appears.
  • Step 2. The session conditions available in a service selection rule properties page can be customized from this page. Click Customize and select the required conditions. For this example, select NDG:Location and Protocol.
  • Step 3. Select Rule-1 and click the down arrow on the Create button.
  • Step 4. Select Create Above.
  • The Service Selection Rules properties page appears as shown in Figure 4-25.
    Figure 4-25

    Figure 4-25 Creating a Service Selection Rule

  • Step 5. Enter a name. For this example, use San Jose VPN.
  • Step 6. Select the conditions that define the rule. For this example, select Protocol and NDG:Location.
  • Step 7. Select an operator from the drop-down box next to the selected condition. The available operators change depending on the condition selected. These are logical operators that allow matching or not matching a user-provided argument with the selected condition. For this example, select match for Protocol and in for NDG:Location.
  • Step 8. For some conditions, such as NDG:Location, you will see a Select button next to the condition. You can click this button to select the required element. For some conditions, you will get a drop-down box or a text box. For this example, click Select and select San Jose for NDG:Location and RADIUS for Protocol. If you have not created the San Jose group, select the All Locations option for NDG:Location.
  • Step 9. The result of a service selection rule is an access service or DenyAccess. You can use the drop-down box to select the result for the rule. For this example, select Remote Access VPN from the drop-down box.
  • Step 10. Click Ok.
  • The rule will be saved and the Service Selection Policy page will appear with the new rule listed above Rule-1 in the table.

The rule you created will send RADIUS requests originating from devices in the San Jose NDG or All Locations NDG to the Remote Access VPN access service which you created earlier. The access service and policies that you created in the previous sections will authenticate RADIUS requests originating from a device in the Core Routers NDG using the Internal User identity store. If authentication is successful and the user belongs to the Admin identity group, the access will be permitted. Further chapters will help you create more complex access services and policies. The examples in this chapter are used to explain the basic process of creating policies and rules.

  • + Share This
  • 🔖 Save To Your Account