Authorization Rules Allowing Specific Services

Per-group setup

Command authorization

• Unmatched Security Appliance commands

• Unlisted arguments

- Permit

© 2005 Cisco Systems, Inc. All rights reserved

SNPA v4.0—7-44

The security appliance aaa authorization command defines which traffic flows to authorize. Clicking the Group Setup button, then selecting the Per Group Command Authorization radio button in the Cisco Secure ACS enables the administrator to permit or deny specific security appliance commands and arguments at the group level. For example, the Executive group might have FTP and HTTP access to all 172.26.26.0/24 servers. The Human Resources group might have FTP and HTTP access to server 172.26.26.50 only. The Per Group Command Authorization option enables the administrator to define authorization for commands, such as FTP, Telnet, and HTTP. It also enables the administrator to define authorization for arguments, such as server IP addresses.

To set TACACS+ authorization on a command-by-command basis, select Per Group Command Authorization, then select from the following options:

■ Unmatched Cisco IOS commands: To determine how Cisco Secure ACS handles commands that the administrator did not specify in this section, you can choose to either permit or deny, as applicable.

■ Command: You can select the Command check box and type the command in the field below it.

■ Arguments: For each argument of the command, you can specify whether the argument is to be permitted or denied.

■ Unlisted arguments: To permit only those arguments listed, select the Deny option. To allow users to issue all arguments not specifically listed, select the Permit option.

In the example in the figure, a member of a group is authorized to access any IP address via FTP. Complete the following steps to add authorization rules for this specific service in Cisco Secure ACS:

Step 45 Click Group Setup from the navigation bar. The Group Setup window opens.

Step 46 Scroll down to the Shell Command Authorization Set area under the TACACS+ Settings section.

Step 47 Select Per Group Command Authorization, which enables the administrator to permit or deny specific commands and arguments at the group level.

Step 48 Select Deny, which is found under Unmatched Cisco IOS commands. With Deny selected, group members can issue only the commands listed below (here, FTP); any command not listed is refused.

Step 49 Select Command.

Step 50 In the command field, enter FTP, the allowable service.

Step 51 Leave the Arguments field blank.

Step 52 Select Permit, which is found under Unlisted arguments, to permit the arguments that are not listed.

Step 53 Click Submit to add more rules; click Submit + Restart when you are finished.
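To make the decision order of these settings concrete, the following is an added model of how a per-group command authorization set is evaluated; it is not Cisco Secure ACS code. It assumes, as a simplification, that a command argument is a destination IP address and that a listed argument pattern is a network prefix (real ACS matches argument strings), and it encodes the three group policies this page describes as constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the ACS "Per Group Command Authorization" decision.
# Assumption: an argument is a destination IP and a listed argument pattern
# is a network prefix; the real product matches argument strings.

@dataclass
class CommandRule:
    command: str                       # the Command field, e.g. "ftp"
    arguments: dict = field(default_factory=dict)  # pattern -> "permit"/"deny"
    unlisted_arguments: str = "deny"   # the Unlisted arguments radio button

@dataclass
class GroupAuthorization:
    unmatched_commands: str            # the Unmatched commands radio button
    rules: list = field(default_factory=list)

    def authorize(self, command: str, argument: str) -> bool:
        """Return True if the group may run `command` against `argument`."""
        for rule in self.rules:
            if rule.command.lower() != command.lower():
                continue
            addr = ip_address(argument)
            # Explicitly listed arguments decide first, in listed order.
            for pattern, action in rule.arguments.items():
                if addr in ip_network(pattern, strict=False):
                    return action == "permit"
            # Nothing listed matched: the Unlisted arguments setting decides.
            return rule.unlisted_arguments == "permit"
        # No rule for this command: the Unmatched commands setting decides.
        return self.unmatched_commands == "permit"

def _service_rules(patterns: dict) -> list:
    """Same argument list for both FTP and HTTP (hypothetical helper)."""
    return [CommandRule(svc, dict(patterns)) for svc in ("ftp", "http")]

# Group policies from this page (constructed sample data).
EXECUTIVE = GroupAuthorization("deny", _service_rules({"172.26.26.0/24": "permit"}))
HUMAN_RESOURCES = GroupAuthorization("deny", _service_rules({"172.26.26.50/32": "permit"}))
# Figure example: FTP to any address, every other command denied.
FIGURE_GROUP = GroupAuthorization("deny", [CommandRule("ftp", unlisted_arguments="permit")])

if __name__ == "__main__":
    print(EXECUTIVE.authorize("ftp", "172.26.26.10"))         # True
    print(HUMAN_RESOURCES.authorize("http", "172.26.26.51"))  # False
    print(FIGURE_GROUP.authorize("telnet", "172.26.26.50"))   # False
```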
