Configuring Role-Based Access Control



Similar documents
Configuring Server Load Balancing

Enabling Remote Access to the ACE

Configuring Class Maps and Policy Maps

Configuring Server Load Balancing

Configuring Health Monitoring Using Health Probes

Configuring Network Address Translation

Troubleshooting the Firewall Services Module

Configuring Stickiness

Configuring the Firewall Management Interface

Troubleshooting the Firewall Services Module

Configuring Traffic Policies for Server Load Balancing

- The PIX OS Command-Line Interface -

Configuring SNMP CHAPTER7

Configuring System Message Logging

Configuring SSL Termination

Connecting to the Firewall Services Module and Managing the Configuration

Skills Assessment Student Training Exam

Configuring NetFlow Secure Event Logging (NSEL)

Server Load Balancing with SAP and ACE

Implementing Cisco IOS Network Security

Lab Configure Basic AP Security through IOS CLI

Scenario: IPsec Remote-Access VPN Configuration

Configuring Health Monitoring

Enhanced Password Security - Phase I

Backing Up and Restoring Data

Configuring SSH and Telnet

Lab Configure Cisco IOS Firewall CBAC

Cisco TelePresence Management Suite Redundancy

IINS Implementing Cisco Network Security 3.0 (IINS)

Firewall Stateful Inspection of ICMP

Securing Networks with PIX and ASA

Geschreven door Administrator woensdag 13 februari :37 - Laatst aangepast woensdag 13 februari :05

login timeout 30 access list ALL line 20 extended permit ip any any port 9053 interval 15 passdetect interval 30

Configuring Password Encryption

Enhanced Password Security - Phase I

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Cisco Application Networking Manager Version 2.0

Firewall Authentication Proxy for FTP and Telnet Sessions

Lab 8: Confi guring QoS

Cisco ASA. Administrators

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Applicazioni Telematiche

Lab Developing ACLs to Implement Firewall Rule Sets

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

ICND IOS CLI Study Guide (CCENT)

Encrypted Preshared Key

Encrypted Preshared Key

Configuring Static and Dynamic NAT Translation

Scenario: Remote-Access VPN Configuration

Easy Performance Monitor

Easy Performance Monitor

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Lab Introduction to the Modular QoS Command-Line Interface

Configuring VIP and Virtual IP Interface Redundancy

A Model Design of Network Security for Private and Public Data Transmission

Configuring Password Encryption

How To: Configure a Cisco ASA 5505 for Video Conferencing

Router Lab Reference Guide

Call Flows for Simple IP Users

Configuring NTP. Information About NTP. NTP Overview. Send document comments to CHAPTER

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing

Cisco Application Control Engine (ACE) Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

C H A P T E R Management Cisco SAFE Reference Guide OL

Lab 3.3 Configuring QoS with SDM

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Cisco Nexus 5548UP. Switch Configuration Guide for Dell PS Series SANs. A Dell Deployment and Configuration Guide

Chapter 3 Using Access Control Lists (ACLs)

Easy Performance Monitor

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

Network Simulator Lab Study Plan

Comware versus Cisco IOS Command Guide

ROLE-BASED COMMAND-LINE INTERFACE ACCESS

Adding an Extended Access List

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Configuring Basic Settings

same-security-traffic through show asdm sessions Commands

LAB Configuring NAT. Objective. Background/Preparation

Configuring RADIUS Server Support for Switch Services

Deployment Guide Microsoft IIS 7.0

Internetwork Expert s CCNA Security Bootcamp. IOS Firewall Feature Set. Firewall Design Overview

Objectives. Background. Required Resources. CCNA Security

Configuring System Message Logging

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Configuring Basic Settings

DMH remote access. Table of Contents. Project : remote_access_dmh Date: 29/05/12 pg. 1

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

CTS2134 Introduction to Networking. Module Network Security

Reference to common tasks

Lab Configuring PAT with SDM and Static NAT using Cisco IOS Commands

Brocade to Cisco Comparisons

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

8 steps to protect your Cisco router

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security ( )

Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

Transcription:

5 CHAPTER This chapter describes how to configure role-based access control (RBAC) on the Cisco Application Control Engine (ACE) module. This chapter contains the following sections: Information About Role-Based Access Control Configuring RBAC Configuration Example for Configuring RBAC Where to Go Next Information About Role-Based Access Control After reading this chapter, you should have a basic understanding of how the ACE provides security administration by using role-based access control (RBAC) and how to configure a server maintenance user with permission to access a subset of your network. One of the most challenging problems in managing large networks is the complexity of security administration. The ACE allows you to determine the commands and resources available to each user through RBAC by associating users with domains and roles. A domain is a collection of physical and virtual network resources such as real servers and virtual servers. User roles determine user privileges, such as the commands that the user can enter and the actions the user can perform in a particular context. The ACE provides a number of predefined roles; context administrators can create new roles. The ACE provides the following predefined roles, which you cannot delete or modify: Admin If created in the Admin context, has complete access to, and control over, all contexts, domains, roles, users, resources, and objects in the entire ACE. If created in a user context, gives a user complete access to and control over all policies, roles, domains, server farms, real servers, and other objects in that context. Network Admin Has complete access to and control over the following features: Interfaces Routing Connection parameters Network Address Translation (NAT) 5-1

Information About Role-Based Access Control Chapter 5 VIPs Network-Monitor Has access to all show commands and to the changeto command. If you do not explicitly assign a role to a user with the username command, this is the default role. Security-Admin Has complete access to and control over the following security-related features within a context: ACLs Application inspection Connection parameters Interfaces Authentication, authorization, and accounting (AAA) NAT Server-Appln-Maintenance Has complete access to and control over the following features: Real servers Server farms Load balancing Server-Maintenance Can perform real server maintenance, monitoring, and debugging for the following features: Real servers Modify permission Server farms Debug permission VIPs Debug permission Probes Debug permission Load balancing Debug permission Create permission SLB-Admin Has complete access to and control over the following ACE features within a context: Real servers Server farms VIPs Probes Load balancing (Layer 3/4 and Layer 7) NAT Interfaces 5-2

Chapter 5 Configuring RBAC SSL-Admin Can administer all SSL features: SSL Create permission PKI Create permission Interfaces Modify permission Create permission Create permission This chapter describes how to create a domain and a user, and how to associate the user with a predefined role and the new domain. For more information on advanced virtualization configuration, such as restricting user access, predefined roles and how to define a custom role, and creating a domain, see the Virtualization Guide, Cisco ACE Application Control Engine. Configuring RBAC Procedure Step 1 Step 2 Step 3 Step 4 Step 5 Command changeto context host1/admin# changeto VC_WEB host1/vc_web# config host1/vc_web# config host1/vc_web(config)# domain name host1/vc_web(config)# domain DOMAIN1 host1/vc_web(config-domain)# add-object all host1/vc_web(config-domain)# add-object all exit host1/vc_web(config-domain)# exit host1/vc_web(config)# Purpose Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the VC_WEB context. Enters configuration mode. Creates a domain for the context. Allocates all configuration objects in the VC_WEB context to the domain. Exits domain configuration mode. 5-3

Configuration Example for Configuring RBAC Chapter 5 Step 6 Step 7 Step 8 Step 9 Command username user password 5 password role name1 domain name2 host1/vc_web(config)# username USER1 password 5 $1$vAN9gQDI$MmbmjQgJPj45lxbtzXPpB1 role Server-Maintenance domain DOMAIN1 host1/vc_web(config)# exit exit host1/vc_web(config)# exit host1/vc_web# show running-config role show running config domain Examples: host1/vc_web# show running-config role host1/vc_web# show running-config domain copy running-config startup-config host1/vc_web# copy running-config startup-config Purpose Configures new user USER1, and assigns the predefined role SLB-Admin and the domain DOMAIN1 to USER1 The 5 parameter for the password keyword requires that you enter an MD5 hash-encrypted password. You can obtain an MD5 hash password by first entering the username command with the 0 parameter and a clear-text password (for example, MYPASSWORD). Next, enter the show running-config command and copy the user s encrypted password from the running-configuration file. Enter the username command again using the 5 parameter and the encrypted password. Exits configuration mode. Displays the user and domain configurations. (Optional) Copies the running configuration to the startup configuration. Configuration Example for Configuring RBAC The following example shows how to configure RBAC. The commands that you have configured in this chapter are shown in bold text. switch/vc_web(config)# do show running config Generating configuration... access-list INBOUND line 8 extended permit ip any any class-map type management match-any REMOTE_ACCESS description Remote access traffic match 2 match protocol ssh any 3 match protocol telnet any 4 match protocol icmp any policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY class REMOTE_ACCESS permit service-policy input REMOTE_MGMT_ALLOW_POLICY 5-4

Chapter 5 Where to Go Next interface vlan 400 description Client connectivity on VLAN 400 ip address 10.10.40.1 255.255.255.0 access-group input INBOUND no shutdown interface vlan 500 description Server connectivity on VLAN 500 ip address 10.10.50.1 255.255.255.0 no shutdown ip route 0.0.0.0 0.0.0.0 172.25.91.1 domain DOMAIN1 add-object all username USER1 password 5 $1$vAN9gQDI$MmbmjQgJPj45lxbtzXPpB1 role Server-Maintenance domain DOMAIN1 Where to Go Next In this chapter, you have created a user to perform a limited number of functions on a subset of your network. In the next chapter, you will create a virtual server for server load balancing. 5-5

Where to Go Next Chapter 5 5-6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information