User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Step 1 Choose System Administration > Administrators > Settings > Access.
The IP Addresses Filtering page appears.
Step 2 Click the Reject connections from listed IP addresses radio button.
The IP Range(s) area appears.
Step 3 Click Create in the IP Range(s) area.
A new window appears.
Step 4 Enter the IP address of the machine that you do not want to access ACS remotely. Enter a subnet mask
for an entire IP address range.
Step 5 Click OK.
The IP Range(s) area is populated with the IP addresses. Repeat Step 3 to add other IP addresses or
ranges that you want to reject.
Step 6 Click Submit.
Note It is possible to reject connections from all IP addresses. You cannot reset this condition through the ACS
web interface. However, you can use the following CLI command:
acs reset-password
Refer to the CLI Reference Guide for Cisco Secure Access Control System 5.4 for more information.
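A pre-submit check for the reject list built in the steps above, as an added example that is not part of the Cisco guide: it reports which administrator workstations the listed ranges would block and whether the ranges together cover every address, the lockout condition the Note describes. The function names, the tuple input format, and the sample addresses are assumptions; the check is offline, handles IPv4 only, and does not talk to ACS.

```python
import ipaddress

def parse_range(ip, mask=None):
    """Convert one reject-list entry (IP address plus optional subnet mask)
    into a network. Assumption: an entry without a mask is a single host."""
    if mask is None:
        return ipaddress.ip_network(ip)  # becomes a /32
    # strict=False tolerates host bits set in the address (10.1.2.3/255.255.255.0)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def review_reject_list(entries, admin_hosts):
    """Return (locked_out, rejects_everything).

    locked_out        : admin workstation addresses that fall inside a reject range
    rejects_everything: True when the ranges, merged, cover all of IPv4
    """
    nets = [parse_range(*entry) for entry in entries]
    # Merge adjacent and overlapping ranges so that a full-coverage list is
    # caught even when it is split across several entries.
    merged = list(ipaddress.collapse_addresses(nets))
    rejects_everything = any(n.prefixlen == 0 for n in merged)
    locked_out = [
        h for h in admin_hosts
        if any(ipaddress.ip_address(h) in n for n in merged)
    ]
    return locked_out, rejects_everything

if __name__ == "__main__":
    # Constructed sample data (documentation and private address ranges).
    planned = [
        ("10.20.30.0", "255.255.255.0"),  # an entire range
        ("192.0.2.15",),                  # a single machine
    ]
    admins = ["10.20.30.7", "198.51.100.4"]
    locked, everything = review_reject_list(planned, admins)
    for host in locked:
        print(f"WARNING: {host} would lose remote access to ACS")
    if everything:
        print("WARNING: list rejects all IP addresses; web interface lockout")
```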
Working with Administrative Access Control
ACS 5.4 introduces a new service type called the Administrative Access Control (AAC) service. The
AAC service handles the authentication and authorization of the ACS administrators.
The enhanced AAC web interface includes:
• Policy-based authentication and authorization
• Authentication against an external database is feasible by:
  - Password type on administrator accounts in the Internal Administrators ID store.
  - Configuring the identity policy (the authentication policy) against an external database.
This AAC service is automatically created at the time of installation. You cannot remove or add a new
AAC service. AAC is not available under the service selection policy and is automatically selected upon
administrator login.
The AAC service identifies a set of policies for administrator login. The policies that are provided within
the AAC service are these:
• The Administrator identity policy determines the identity database that is used to authenticate the
  administrator and also retrieves attributes for the administrator that may be used in the subsequent
  authorization policy.
• The Administrator authorization policy determines the role of the administrator for the session in
  ACS. The assigned role determines the permissions of the administrator. Each role has a predefined
  list of permissions, which can be viewed on the roles page.