Secure ACS 4.2 Authorization Profiles

Hi,
I have two user groups. I want my first group to be used for authentication to the network devices. The second group should only be used for 802.1x network access and have no access to the network devices. How can we do it with the authorization profiles? Any example?
Thanks

Hello,
First of all, take a backup (as a precaution to be able to restore the config if something goes wrong), then proceed with the following:
- Remove the Windows domain configuration (group mapping, etc.) from the server before changing the domain.
- Change the domain membership, then reboot.
- Follow the post-installation tasks for ACS (check this link): http://tiny.cc/zr6huw.
- Configure the external database again on the ACS (group mapping, unknown user policy, etc.).
You need to notice also that if the new domain controller is Windows Server 2008 R2, that is not supported in ACS 4.x.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Device filters not working in Secure ACS

    Hello,
    I'm having an issue with Secure ACS 5.4. I've gone through the process of adding:
    Location
    Device type
    Devices/device groups
    Users
    Authorization profiles
    device filters
    Access Services are up and running and we're using AD to authenticate.
    My device filters do not seem to be working. The access services and service selection rules are in place along with the identity and authorization. This is performing as expected but, when trying to add a device filter, it does not stop the test user from getting into every other device. I have changed the order of the rules in identity and authorization and nothing seems to work. Any ideas/suggestions?
    Thanks,
    RickC

    Works ok here.
    This:
    Results in this after checking the Filters box:
    The ability to filter on more than one column at a time is good. Need that back for sort too.
    SG

  • ASA and ACS 5 multiple VPN profiles for one user

    Hi there
    I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
    ACS 5.3 group hierarchy:
    - VPN users global
    -- VPN users A
    -- VPN users B
    ASA VPN profiles:
    - VPN profile A
    - VPN profile B
    - VPN profile Z
    VPN authorizations:
    1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles)
    2. VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A)
    3. VPN users B should have access to VPN profiles B and Z (is this possible, and what does the authorization profile have to look like?)
    Thanks a lot in advance and best regards
    Dominic

    Hi Dominic,
    first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
    The Tunnel-Group (TG) is either selected by the user (either from a drop-down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
    The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
    So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
    In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
    However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
    vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
    vendor ID = 3076, attribute 150 is "Client Type" (integer):
    0 = No Client specified
    1 = Cisco VPN Client (IKEv1)
    2 = AnyConnect Client SSL VPN
    3 = Clientless SSL VPN
    4 = Cut-Through-Proxy
    5 = L2TP/IPsec SSL VPN
    6 = AnyConnect Client IPsec VPN (IKEv2)
    So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
    If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
    hth
    Herbert
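    The "dynamic" check Herbert describes, as an added example that is not part of this thread or of any Cisco product: it parses the two Cisco VSAs (vendor 3076, attributes 146 and 150) out of a RADIUS attribute list and accepts the request only when the tunnel-group the user selected is in that user's permitted set, which is how "B and Z" can be allowed even though group-lock holds a single name. The attribute list is constructed in `asa_request` (not a capture) and the tunnel-group names are placeholders.

```python
import struct

CISCO_VPN_VENDOR_ID = 3076   # vendor ID the ASA uses for these VSAs (from the post)
VSA_TUNNEL_GROUP_NAME = 146  # string
VSA_CLIENT_TYPE = 150        # integer
CLIENT_TYPE_NAMES = {0: "No Client specified", 1: "Cisco VPN Client (IKEv1)",
                     2: "AnyConnect Client SSL VPN", 3: "Clientless SSL VPN",
                     4: "Cut-Through-Proxy", 5: "L2TP/IPsec SSL VPN",
                     6: "AnyConnect Client IPsec VPN (IKEv2)"}

def build_attr(attr_type, data):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def build_vsa(vendor_id, vendor_type, data):
    """Encode a Vendor-Specific (26) attribute: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return build_attr(26, struct.pack("!I", vendor_id) + sub)

def parse_attributes(buf):
    """Yield (type, value) per attribute; for type 26 the value is (vendor_id, vendor_type, data)."""
    i = 0
    while i < len(buf):
        # every length field is checked so a malformed packet raises instead of being misread
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("bad attribute length")
        atype, alen = buf[i], buf[i + 1]
        value = buf[i + 2:i + alen]
        if atype == 26:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2 or value[j + 1] < 2 or j + value[j + 1] > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                vtype, vlen = value[j], value[j + 1]
                yield (26, (vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            yield (atype, value)
        i += alen

def asa_vpn_context(buf):
    """Return (tunnel_group, client_type) from the request; None for whichever is absent."""
    tunnel_group, client_type = None, None
    for atype, value in parse_attributes(buf):
        if atype != 26 or value[0] != CISCO_VPN_VENDOR_ID:
            continue
        if value[1] == VSA_TUNNEL_GROUP_NAME:
            tunnel_group = value[2].decode("utf-8", "replace")
        elif value[1] == VSA_CLIENT_TYPE and len(value[2]) == 4:
            client_type = struct.unpack("!I", value[2])[0]
    return tunnel_group, client_type

def authorize(buf, allowed_groups):
    """Accept only if the selected tunnel-group is permitted; no attribute (older ASA) is rejected."""
    tunnel_group, client_type = asa_vpn_context(buf)
    if tunnel_group is None:
        return ("Access-Reject", "no Tunnel Group Name attribute in request")
    if tunnel_group not in allowed_groups:
        return ("Access-Reject", "tunnel-group %s not permitted" % tunnel_group)
    client = CLIENT_TYPE_NAMES.get(client_type, "unknown client type")
    return ("Access-Accept", "%s via %s" % (tunnel_group, client))

def asa_request(user, tunnel_group, client_type=2):
    """Constructed sample Access-Request attribute list (not a capture); names are placeholders."""
    return (build_attr(1, user.encode())
            + build_vsa(CISCO_VPN_VENDOR_ID, VSA_TUNNEL_GROUP_NAME, tunnel_group.encode())
            + build_vsa(CISCO_VPN_VENDOR_ID, VSA_CLIENT_TYPE, struct.pack("!I", client_type)))
```

    For example, `authorize(asa_request("dominic", "VPN profile B"), {"VPN profile B", "VPN profile Z"})` accepts, while the same user selecting "VPN profile A" is rejected.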

  • Query related to Authorization profile.

    Hi Professionals,
    Please help me out as I'm not a BASIS consultant but PP.....
    We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
    Now we want to create and assign such an Authorization profile to Users which will contain all Display transaction codes, either related to all modules OR to that particular module only, say PP, MM, FI, CO etc.....
    For example
    MM03- Display material master
    CS03- Display material BOM
    CR03- Display work center
    ME53N- Display Purchase requisition etc.
    Is there any standard profile for that which is already provided by SAP? If it's there, how do we know which are related to which module?
    Suppose if we assign such profiles, what will be implications related to future and user discipline?
    Thanks & Regards,
    Abu Arbab

    Hi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
    There are no standard roles delivered by SAP which give this.  There are standard SAP display roles but none will include all the display transactions for a module.
    What you should do is get each functional team to list the display transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only require 30 transactions. Access is more usually required for business processes rather than modules, so you would often need to combine your modular display roles to cover a single process.
    By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job.

  • ISE - Authorization Profile issue

    I'm running a trial of ISE and I'm attempting to create the authorization profile with the following settings:
    Name: Posture_Remediation
    Access Type: Access_Accept
    Common Tools:
    Posture Discovery, Enabled
    Posture Discovery, ACL ACL-POSTURE-REDIRECT
    The documentation says Common Tools, but in the screen shot it shows Common Tasks which is accurate to my install. Doc: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic19
    The issue is that I do not see a Posture Discovery option in the Common Tasks area. Can I add these the attributes using the Advanced Attributes settings or is there something I need to enable to display the Posture Discovery option within Common Tasks?
    Any help would be appreciated.
    Andrew

    Hello Andrew,
    As per your query I can suggest the following:
    Creating a New Authorization Policy
    Use this procedure to create a new authorization policy.
    To create a new authorization policy, complete the following steps:
    Step 1 Choose Policy > Authorization > Standard.
    Step 2 Click to select either Insert New Rule Above or Insert New Rule Below.
    A new policy entry appears in the position you designated in the Standard panel of the Authorization Policy window.
    Step 3 Enter values for the following authorization policy fields:
    •Rule Name—You need to define a rule name for the new policy.
    •Identity Groups—Choose a name for the identity group that you want associated with the policy.
    –Click + ("plus" sign) next to the word "Any" to display a drop-down list of group choices, or choose Any for the policy for this identity group to include all users.
    •Condition(s)—Choose the types of conditions or attributes for the identity group associated with the policy. Click + next to Condition(s) to display the following list of condition and attribute choices that you can configure:
    –Select a Condition Name option from the drop-down list (Simple Conditions, Compound Conditions, or Time and Date Conditions) as needed.
    –Select one of the Attribute options as needed. This displays a list of dictionaries that contain specific attributes related to the dictionary type.
    When you select an attribute, you can define it as Equals, Not Equals, or Matches using a pull-down list of operator options, and select an AND or OR directive using a pull-down directive option.
    For more information please refer to the link -
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html

  • ACS v5.5 authorization rules 320 limit

    I am about embark on a large service provider ACS migration / installation and I suspect I am going to need more than 320 authorization rules, which is the limit stated in ACS v5.5 release notes.
    Is the limit for the maximum number of rules for an Access Service, or for the ACS totally?

    The limitation is for the ACS deployment in total.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#90057
    Table 13 Limitations in ACS Deployments (Object Type: ACS System Limits)
    ACS Instances: 22
    Hosts: 150,000
    Identity Groups: 1,000
    Active Directory Group Retrieval: 1,500
    Network Devices: 100,000
    Network Device Groups: 12
    Device Hierarchies: 6
    All Locations: 10,000
    All Device Types: 350
    Services: 25
    Authorization Rules: 320
    Conditions: 8
    Authorization Profile: 600
    Service Selection Policy (SSP): 50
    Network Conditions (NARs): 3,000
    ACS Admins: 50 (9 static roles)
    dACLs: 600 dACLs with 100 ACEs each

  • Cisco Secure ACS

    Hi all,
    With the Base license, a Cisco Secure ACS 5.6 appliance or software virtual machine can support the deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization, and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured.
    So, when I have 1 firewall as a VPN gateway and use ACS as an AAA server, how many network access devices are counted? 1, or as many as the VPN clients connected to the firewall?
    Do 500 network access devices mean concurrent connections or not?

    ACS is based on the number of NADs (Network Access Devices) like switches, routers, ASAs, etc. So in your example, your Firewall will consume 1 license regardless of the total number of VPN sessions. 
    With ISE, the licenses are based on the total number of endpoints. So in your example, each VPN session will take a license. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Create Display Authorization Profile for SAP Transaction SPRO (IMG).

    Dear All,
    In my current implementation project there is a requirement to create a display authorization profile for SPRO. I have tried a lot but was not able to do so.
    Does anyone have experience in creating a display profile for SPRO (IMG)? If anyone has worked on this issue then please guide me.
    Thanks,
    Avinash

    Hi
    This is security related question. I am not security expert.
    But you can check this, Include the following authorization objects in the profile and assign this profile to the target user.
    S_IMG_ACTV
    S_PROJECT
    S_PROJ_AUT
    S_PRO_AUTH
    and assign activity = 03 (Display).
    Hope it helps.
    regards
    Srinivas

  • Talent Management (EhP4) - cannot find structural authorization profiles

    Hi All,
    I have looked in 3 different SAP ECC6.0 EhP4 systems for the Talent Management structural authorization profiles stated in the IMG documentation and on the help.sap.com website. The profiles are:
    TMS_PROFILE
    TMS_ALL
    TMS_MAN_PROF
    There are also several "sub" profiles for TMS_PROFILE.
    To take an example from help.sap.com on their Authorizations page (http://help.sap.com/erp2005_ehp_04/helpdata/en/7b/6f92413c3a2e7be10000000a1550b0/content.htm ), the SAP_TMC_SUPER_TALENT_MANA_SPEC clearly indicates the TMS_ALL structural authorization profile is in the standard system:
    Authorizations for talent management superusers
    For more information, see Talent Management Superuser.
    The structural authorization profile TMS_ALL is also available as a template for the Talent Management Superuser.
    For more information, see Customizing for Talent Management and Talent Development under Basic Settings -> Authorizations in Talent Management -> Define Structural Authorizations.
    So... does anybody know anything about these and where I can find them? Do they require some form of activation outside of the standard switch activations for Talent Management? I've looked in several tcodes (SU01, PCFG, OOSP etc.) for them but no luck.
    Any help gratefully received and points will be awarded for helpful answers and solutions!
    Best regards,
    Luke

    Hey Luke:
    Could you do me a favor and look in client 000 (the SAP delivered client)?  You generally need a basis person for this activity, and I can't find one now on my own end to confirm my theory.  However I'm pretty sure if you went to OOSP in client 000, you'd see those profiles.  They were either never copied over from 000 or your security friends deleted all the profiles that are SAP delivered in the clients you're looking at.
    I could talk for a super boring amount of time about the security concept of "SAP delivers too much access with their roles so we don't use them" that a good number of security teams use - but that's a story for a different day.
    Take a peek in 000 and let me know what you see.  If they're there, you can always have your basis chums copy them over to your clients that you want them in (presumably your security config client).
    Thanks,
    Chris

  • Authorization profile

    Hi all,
    I am new to security. I have got some questions.
    What is a profile?
    What does the system do with a profile? What is its necessity?
    Can anybody give me the guides for security?
    Regards,
    R.Suganya

    Hello.
    To grant the access rights of an authorisation to a user, you must assign the user to the role (or to a profile, but SAP recommends a role). You can assign users using either the Profile Generator or user administration. Based on the transactions and reports selected for each role, the Profile Generator automatically determines all authorization objects required for performing the functions specified, and creates the corresponding authorization profile (in PFCG, with object evaluation of SU24).
    Authorizations are assigned using profiles in the form of roles, which are entered into the user master record.
    There is a difference between an authorization and the authorization profiles generated: an authorization profile contains authorizations for different authorization objects; authorization objects contain different authorizations controlled in the transaction.
    You create the profile in PFCG after having saved the role with its own authorization.
    pfcg --> role create - role model and save - profile generate.
    su02 --> see authorisation in profile.
    Alberto

  • Generate authorization profile with RSSM

    Hi,
    I have a problem with the central User Management.
    We have the Central User Management in a CRM-System.
    1) In BW we generate an authorization profile with the transaction RSSM. The system automatically assigns the profile to a user.
    2) When we additionally assign a BW role from Central User Management (CRM system) to the same user, the authorization profile which was generated in BW (transaction RSSM) is deleted.
    Unfortunately we cannot forgo the functionality in RSSM.
    Thanks for any ideas in advance

    THX for your answers,
    I have twisted and turned this problem and I see no way around it. It seems like it is going to be a lot of configuration in ACS, but it is only for one time. It is better to do that job with the installation rather than troubleshoot every time the PC administrators type the wrong VLAN name.
    As Bastien wrote in his answer:
    "so basically create an internal group, add user to this group, and create an access-policy that match this group and apply an authorization profile with the vlan you want"
    Thx again for your input.
    ///A.hed

  • Create Authorization Profile Manually

    Dear Experts,
    I want to know the Tcode through which I can create Authorization Profile.
    I know that through PFCG we can create a Role and from there we can generate a Profile, but how can I create a profile without creating a Role?
    I think this is possible because the Profile : SAP_ALL does not have a role.
    Regards

    > Mishra.Manas wrote:
    > Tcode through which I can create Authorization Profile
    >
    > It's actually the task of a SOX or Security Consultant. If you have rights to access SU02 you can do it.
    > Go to Profiles ------> Create.
    > Here you can create a profile without a role being generated.
    It is nothing to do with a SOX consultant unless that person is also a security administrator.

  • Exporting Authorization Profile

    Hi All,
    In IDES ECC 6.0 there is a user Authorization Profile "IDES_USER". Is there a way that I can export and import this profile into my ECC 6.0?
    Please help and get points...
    Zeeshan

    Hi Zeeshan,
    I would like to say just one thing: it is not a good idea moving an object between two systems with different releases.
    This is a security profile only, so it may not do any damage, but don't try it for other objects.
    Also, coming back to your topic: upload/download of profiles is not possible. I am talking about profiles and not roles, in my opinion.
    Transportation could have been a solution but may not work because of differences in TP release of IDES ECC6.0 and ECC6.0 systems.
    Best option is to manually create the profile.
    Wait for other comments though.
    Regards.
    Ruchit.
    Message was edited by:
            Ruchit Khushu

  • Cisco Secure ACS license question.

    On the Cisco ACS server under the internal identity stores, are "users" and "host" counted against the "base server license" or the "network device license"?

    Guess you are running ACS 5.x
    With the Base license, Cisco Secure ACS 5.3 appliances or software virtual machines can support deployments of up to 500 network devices (authentication, authorization, and accounting [AAA] clients). The number of network devices is based on how many unique IP addresses are configured. This is not a limit for each individual appliance or instance, but a deployment-wide limit that applies to a set of ACS instances (primary and secondary) that are configured for replication.
    The optional Large Deployment add-on license allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment as it is shared by all instances.
    For more info:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/product_bulletin_c25-689829.html
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Secure ACS Intermittent

    Hi,
    We are using Cisco Secure ACS and for the past week, our switch and router logins are really, really intermittent. Most of the time, even if we are in the console already and issue a command, "authorization failed" will appear; then if we just keep pressing up and enter, the command will be accepted. Any idea why this is happening? Thank you very much.

    Hi,
    With ACS 3.1 we had the problem that we reached the maximum of 40 single connections! (Message in the package.cab: "maximum 40 single connection are busy")
    We increased the maximum "MaxSessions" in the Registry from 40 (hex 28) to 200 (hex C8).
    Look at
    [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.1\CSTacacs]
    "BaseDir"="\\CSTacacs"
    "Version"="3.1(1.27)"
    "Port"=dword:00000031
    "PacketSize"=dword:00000400
    "MaxSessions"=dword:00000028
    "LocalSecret"="secret_value"
    "SingleConnect"=dword:00000001
    "ProxyOn"=dword:00000001
    "ProxyRetries"=dword:00000001
    "ChPassEnabled"=dword:00000000
    "ChPassFastReplicate"=dword:00000000
    "CHPassDisabledMessage"="Chpass is currently disabled."
    "PackDump"=dword:00000001
    regards
    alex
