Since Cisco Secure ACS 5.X is based on a rule-based policy model, you can configure policies (rules) that match a particular “condition” and apply a “result” when that condition is matched. In ACS terms, these conditions and results are called Policy Elements, and together they constitute a policy. For example, a time-based access restriction policy that allows VPN users access only on weekends would have Weekend (Sat/Sun) as the condition to match, and would apply an Authorization Profile to the user to grant them network/resource access.
We will focus on “Session Conditions”, specifically Date and Time conditions, which define the specific time/date on which you wish to grant access. Date and Time conditions are evaluated against the current date and time, so it’s important to have NTP and the time zone configured correctly on the ACS 5.X appliance. Configuring NTP is covered in detail here.
Based on the aforementioned Session Conditions, we apply an action; in ACS terms, this is the result applied when a condition in a policy is matched. You can configure results under ‘Authorization & Permissions’. A result (action) can be any of the following:
- Authorization Profiles
- Shell Profiles
- Command Sets
- Downloadable ACLs
We will discuss the Authorization Profile for the scenario below. Shell Profiles, Command Sets and Downloadable ACLs are covered in extensive detail here.
Scenario Requirement:
Based on the above, let’s assume your company wants to grant access to a particular Extranet partner only on weekends. Extranet partners should NOT be able to VPN into your network on weekdays, and should only be allowed to access the Extranet Servers.
Solution Components:
You would break the requirement down into the following configuration items on ACS 5.X:
User Identity: The user who will be granted access can be either in the Internal ACS Identity Store (user database) or in an External Identity Store, e.g. Active Directory / LDAP.
Time & Date: The user will be granted access only on weekends, i.e. Saturday / Sunday.
Authorization Profile: The user will be able to access only certain services, i.e. only the Extranet Servers in this case. You can configure ACS 5.X to push certain cisco-av-pair attributes, which would also limit access to only the desired services/servers.
So, your configuration in ACS 5.X would be as follows:
1. Configure a Date/Time Session Condition [ Weekend Only ]
Navigate to Policy Elements -> Date & Time
And here is the condition just created.
2. Configure an Authorization Profile with required attributes set.
Under the Authorization & Permissions tab
Configuring Authorization Profiles (and cisco-av-pair attributes) for Remote Access VPN / EzVPN / WebVPN / AnyConnect VPN etc. is covered extensively in the Cisco Secure ACS 5.X scenario-based deployment guide.
3. Create an Authorization Rule under Default Network Access Service
Tie all the components together in an Authorization Rule.
Based on the set of conditions defined above, here is the resulting rule.
Hence, access is granted to the user based on time/day-based session conditions.
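The rule logic above, modelled in Python as an added example (not part of the original post and not ACS code): it evaluates a weekend-only condition against the appliance's local clock and shows which requests get a different decision when the appliance is left on the wrong time zone. The group, rule and profile names and the UTC-5 site offset are hypothetical, and the model assumes the policy's default rule denies access.

```python
from datetime import datetime, timedelta, timezone

# Added illustration: every name below is hypothetical, not an ACS identifier.
WEEKEND = {5, 6}  # datetime.weekday(): Saturday=5, Sunday=6

# Authorization rules are checked top-down; the first match supplies the result.
RULES = [
    {"name": "Extranet-Weekend", "group": "Extranet-Partners",
     "days": WEEKEND, "result": "Extranet-Servers-Only"},
]
DEFAULT_RESULT = "DenyAccess"  # assumption: the default rule denies access


def authorize(group, utc_instant, appliance_utc_offset_hours):
    """Evaluate the rules using the appliance's local clock, since the
    date/time condition is based on the appliance's current date and time."""
    tz = timezone(timedelta(hours=appliance_utc_offset_hours))
    local = utc_instant.astimezone(tz)
    for rule in RULES:
        if rule["group"] == group and local.weekday() in rule["days"]:
            return rule["result"]
    return DEFAULT_RESULT


def window_drift(group, instants, intended_offset, configured_offset):
    """Return the instants where a wrong appliance time zone flips the decision."""
    return [t for t in instants
            if authorize(group, t, intended_offset)
            != authorize(group, t, configured_offset)]


# Constructed sample requests (UTC). 2024-03-02 is a Saturday.
SAMPLE = [
    datetime(2024, 3, 2, 4, 30, tzinfo=timezone.utc),   # Fri 23:30 at UTC-5
    datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc),   # Sat 07:00 at UTC-5
    datetime(2024, 3, 4, 3, 0, tzinfo=timezone.utc),    # Sun 22:00 at UTC-5
    datetime(2024, 3, 6, 12, 0, tzinfo=timezone.utc),   # Wed 07:00 at UTC-5
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.isoformat(),
              "intended:", authorize("Extranet-Partners", t, -5),
              "| appliance left on UTC:", authorize("Extranet-Partners", t, 0))
    print("decisions changed by the wrong time zone:",
          [t.isoformat() for t in window_drift("Extranet-Partners", SAMPLE, -5, 0)])
```

With the appliance left on UTC instead of the site's UTC-5, the access window opens five hours early on Friday night and closes five hours early on Sunday night.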
Session Conditions can also be based on Custom Conditions or Network Conditions, i.e. End Station Filters, Device Filters and Device Port Filters. More on this later!