Configuring Role-Based Access Control

Similar documents
Configuring Route Health Injection

Configuring SSL Security

Role Configuration Mode Commands

Configuring Bridged Mode

Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide

Overview. ACE Appliance Device Manager Overview CHAPTER

Bridging Traffic CHAPTER3

Enabling Remote Access to the ACE

Configuring SSL Termination

Configuring Virtual Servers

Configuring Role-Based Access Control

Quick Start Guide, Cisco ACE 4700 Series Application Control Engine Appliance

Configuring Role-Based Access Control

AAA and the Local Database

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Using the Command-Line Interface

Configuring Stickiness

Configuring Traffic Policies for Server Load Balancing

Upgrading the Cisco APIC-EM Deployment

Using the Command-Line Interface

Configuring Real Servers and Server Farms

Upgrading the Cisco APIC-EM Deployment

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Configuring Real Servers and Server Farms

Using Homepage. Information About Homepage CHAPTER

Configuring End-to-End SSL

Role-Based Access Configuration

Using Homepage. Information About Hompage CHAPTER

Configuring Traffic Policies for Server Load Balancing

Configuring Cisco ACE for Load Balancing Cisco Identity Service Engine (ISE)

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER

Using Application Template Definitions

Configuring User Accounts and RBAC

Managing GSS User Accounts Through a TACACS+ Server

Examples of Cisco APE Scenarios

Using Configuration Building Blocks

Configuring Switch Security

Using ANM With Virtual Data Centers

Using Configuration Building Blocks

Configuring Traffic Policies

Logging In and Setting Up

CCNA 1 Chapter 2 v5.0 Exam Answers 2013

Configuring Traffic Policies for Server Load Balancing

Cisco NAC Profiler UI User Administration

Configuring the Management Interface and Security

Administration of Cisco WLC

Configuring Real Servers and Server Farms

Configuring TACACS+ About TACACS+

Configuring Cisco Prime NAM

Configuring Management Access

Configuring User Accounts and RBAC

CCNA 1 Chapter 2 v5.0 Exam Answers %

CISCO EXAM QUESTIONS & ANSWERS

Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

Configuring User Accounts and RBAC

Network security session 9-2 Router Security. Network II

TACACS Device Access Control with Cisco Active Network Abstraction

PT Activity: Configure AAA Authentication on Cisco Routers

Release Note for the Cisco 4700 Series Application Control Engine Appliance

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Configuration of Cisco ACS 5.2 Radius authentication with comware v7 switches 2

Managing the ACE Software

Managing GSS User Accounts Through a TACACS+ Server

Configuring Authentication, Authorization, and Accounting

Lab 7 Configuring Basic Router Settings with IOS CLI

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Using the Command-Line Interface

Configuration Example: TACACS Administrator Access to Converged Access Wireless LAN Controllers

Configuring TACACS+ Information About TACACS+ Send document comments to CHAPTER

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

Discovering Network Devices

Command-Line Interface (CLI) Basics

Book Heading. 2 Configurating Static Routing. 7 Router Security VLAN Network Router Security Network Infrastructure Design

Overview of the Cisco NCS Command-Line Interface

Configuring Local Authentication

Configuring the Catena Solution

Getting Started Using Cisco License Manager

Cisco IOS Login Enhancements-Login Block

Administration of Cisco WLC

ASACAMP - ASA Lab Camp (5316)

Getting Started. Getting Started with Your Platform Model. Factory Default Configurations CHAPTER

Configuring Traffic Interception

Exam Name: Implementing Cisco Edge Network Security Solutions

Configuring Network Address Translation

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Managing GSS User Accounts Through a TACACS+ Server

Using the Command-Line Interface

Deployment Guide AX Series with Oracle E-Business Suite 12

Lab Configuring an ISR with SDM Express

Configuring System Message Logging

Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Implementing Cisco Network Security (IINS) 3.0

User and System Administration

Configuring SNMP. Information About SNMP CHAPTER

Lab - Troubleshooting ACL Configuration and Placement Topology

Managing the Cisco APIC-EM and Applications

1.1 Configuring HQ Router as Remote Access Group VPN Server

Transcription:

5 CHAPTER This chapter describes how to configure role-based access control (RBAC) on the Cisco 4700 Series Application Control Engine (ACE) appliance. It describes how to create a domain and a user, and how to associate the user with a predefined role and the new domain. This chapter contains the following sections: Information About Role-Based Access Control Configuring RBAC Configuration Example for Configuring RBAC Where to Go Next Information About Role-Based Access Control After reading this chapter, you should have a basic understanding of how the ACE appliance provides security administration by using RBAC and how to configure a server maintenance user with permission to access a subset of your network. One of the most challenging problems in managing large networks is the complexity of security administration. The ACE appliance allows you to determine the commands and resources available to each user through RBAC. In RBAC, users are associated with domains and roles. A domain is a collection of physical and virtual network resources such as real servers and virtual servers. User roles determine a user's privileges, such as the commands that the user can enter and the actions the user can perform in a particular context. The ACE provides a number of predefined roles. In addition, administrators in any context can define new roles. The ACE provides the following predefined roles, which you cannot delete or modify: Admin If created in the Admin context, has complete access to, and control over, all contexts, domains, roles, users, resources, and objects in the entire ACE. If created in a user context, gives a user complete access to and control over all policies, roles, domains, server farms, real servers, and other objects in that context. Network Admin Has complete access to and control over the following features: Interfaces Routing Connection parameters 5-1

Information About Role-Based Access Control Chapter 5 Network Address Translation (NAT) VIPs Network-Monitor Has access to all show commands and to the changeto and exec commands. If you do not explicitly assign a role to a user with the username command, this is the default role. Security-Admin Has complete access to and control over the following security-related features within a context: ACLs Application inspection Connection parameters Interfaces Authentication and accounting (AAA) NAT Server-Appln-Maintenance Has complete access to and control over the following features: Real servers Server farms Load balancing Server-Maintenance Can perform real server maintenance, monitoring, and debugging for the following features: Real servers Modify permission Server farms Debug permission VIPs Debug permission Probes Debug permission Load balancing Debug permission Create permission Create permission SLB-Admin Has complete access to and control over the following ACE features within a context: Real servers Server farms VIPs 5-2

Chapter 5 Configuring RBAC Probes Load balancing (Layer 3/4 and Layer 7) NAT Interfaces SSL-Admin Can administer all SSL features: SSL Create permission PKI Create permission Interfaces Modify permission Create permission Create permission Configuring RBAC To create a domain and a user, and associate the user with a predefined role and the new domain, you can use either the ACE Device Manager user interface (GUI) or the CLI. Configuring RBAC Using the Device Manager GUI Configuring RBAC Using the CLI For more information on advanced virtualization configuration, such as restricting user access, predefined roles and how to define a custom role, and creating a domain, see the Virtualization Guide, Cisco ACE Application Control Engine. Configuring RBAC Using the Device Manager GUI In this procedure, you use the GUI to create a domain that includes the user context that you created in Chapter 3, Creating a Virtual Context and then create a server maintenance user, user1, to manage those servers. Configure this RBAC setup using the GUI by following these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Choose VC_web. Choose Admin > Role-Based Access Control > Domains. The Domains pane appears. Click Add (+) to add a new domain. The New Domain window appears. Enter Domain1 for the Name. Check the All Objects check box. Click Deploy Now to create a domain that includes all objects in context VC_web. Choose Role-Based Access Control > Users to create a user. The Users pane appears. Click Add (+). The User window appears. 5-3

Configuring RBAC Chapter 5 Step 9 Step 10 Step 11 Step 12 Enter the following user attributes. Leave the remaining attributes blank or with the default values. Name: user1 Password: MYPASSWORD Confirm: MYPASSWORD Role: Server-Maintenance Choose Domain1 and click the right-arrow button. Domain1 is moved from Available to the Selected list. Choose default-domain and click the left-arrow button. Default-domain is removed from the Selected list. Associate the new user user1 with the role Server-Maintenance and the domain Domain1 by clicking Deploy Now. The new user is added to the Users pane. Configuring RBAC Using the CLI Configure RBAC using the CLI by following these steps: Step 1 Step 2 Step 3 Step 4 Step 5 Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context. host1/admin# changeto VC_web host1/vc_web# Enter configuration mode. host1/vc_web# Config host1/vc_web(config)# Create a domain for the context. host1/vc_web(config)# domain Domain1 host1/vc_web(config-domain)# Allocate all objects in the VC_web context to the domain. host1/vc_web(config-domain)# add-object all host1/vc_web(config-domain)# exit host1/vc_web(config)# Configure new user user1, and assign the predefined role TECHNICIAN and the domain Domain1 to the user. host1/vc_web(config)# username user1 password 5 MYPASSWORD role TECHNICIAN domain Domain1 Note The parameter 5 for password is for an MD5-hashed strong encryption password. Use 0 for a clear text password. host1/vc_web(config)# exit Step 6 Display the user and domain configurations. host1/vc_web# show running-config role host1/vc_web# show running-config domain 5-4

Chapter 5 Configuration Example for Configuring RBAC Configuration Example for Configuring RBAC The following example shows how to configure RBAC. The commands that you have configured in this chapter are shown in bold text. switch/vc_web(config)# do show running config Generating configuration... access-list INBOUND line 8 extended permit ip any any class-map type management match-any REMOTE_ACCESS description Remote access traffic match 2 match protocol ssh any 3 match protocol telnet any 4 match protocol icmp any policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY class REMOTE_ACCESS permit service-policy input REMOTE_MGMT_ALLOW_POLICY interface vlan 400 description Client connectivity on VLAN 400 ip address 10.10.40.1 255.255.255.0 access-group input INBOUND no shutdown interface vlan 500 description Server connectivity on VLAN 500 ip address 10.10.50.1 255.255.255.0 no shutdown ip route 0.0.0.0 0.0.0.0 172.25.91.1 domain DOMAIN1 add-object all username USER1 password 5 $1$vAN9gQDI$MmbmjQgJPj45lxbtzXPpB1 role Server-Maintenance domain DOMAIN1 Where to Go Next In this chapter, you have created a user to perform a limited number of functions on a subset of your network. Next, you will create a virtual server for server load balancing. 5-5

Where to Go Next Chapter 5 5-6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback