Group-Level Configuration of ACS


User groups are an easy way to implement control of user and administrative activity on your network without the tedious task of assigning numerous common rights to each individual user. The group-level configuration of ACS has multiple configuration areas, each of which is discussed in the following sections.

Modifying User Groups

When you select the Group Setup tab, the main frame of ACS changes to the Select screen. From this screen, you can choose from and modify a total of 500 user groups. Group 0 is the Default Group: this is where users are placed when you do not specify a group assignment in User Setup. The Select screen also shows the number of users that are currently members of each group. In more advanced configurations, you map groups from external databases onto these ACS groups, so the settings you define here determine what externally authenticated users are allowed to do.

By selecting the Users in Group button, you change the right ACS frame to display the users that are assigned to the group. If you want to give a user settings that differ from the group's, click the username; this takes you to the User Setup page for that individual user.

The next option that you can use from the Group Setup Select screen is the Edit Settings button. This takes you to the configuration area for whatever group is selected in the drop-down list of groups.

The final option that is selectable from this Group Setup Select screen is the Rename Group option. By selecting this button, you can rename the group that is selected in the drop-down list of groups.

To begin your configuration of user groups, follow these steps to rename a group and edit that group's settings:

Step 1.

In the Group drop-down list, select 1:Group 1.

Step 2.

Select the button labeled Rename Group. Your screen should resemble Figure 8-1.

Figure 8-1. Rename Group


Step 3.

Enter the new name for this group (FirstUsers, the name used in the rest of this chapter), and then select the Submit button.

Step 4.

Now, your newly named group should appear in the Group drop-down menu. Select Edit Settings.

You are now in the Group Setup configuration for the group named FirstUsers. You can scroll through the group settings by using the scroll bar on the right-hand side of the center frame, or you can jump directly to the main settings areas by selecting the configuration area from the Jump To list, as seen in Figure 8-2.

Figure 8-2. Using the Jump To List


You can use this list to jump to Access Restrictions, IP Address Assignment, TACACS+, and a few other areas, depending on your interface configuration and on which RADIUS protocols have been enabled.

You begin your configuration by enabling additional group settings. Follow these steps to enable advanced group settings:

Step 1.

Select Interface Configuration from the left frame menu.

Step 2.

Select the Advanced Options link in the center frame.

Step 3.

Place a check mark in the boxes next to the following Group attributes:

- Default Time-of-Day/Day-of-Week Specification

- Group-Level Shared Network Access Restrictions

- Group-Level Network Access Restrictions

- Group-Level Downloadable ACLs

- Group-Level Password Aging

- Max Sessions

- Usage Quotas

- Voice-over-IP (VoIP) Group Settings

Step 4.

Next, select Submit.

You have just enabled more configuration options in the Group Setup section. To verify this, follow these steps:

Step 1.

Go to the FirstUsers group that you created.

Step 2.

Select the arrow to display the Jump To menu.

Step 3.

Now select the Access Restrictions section in the Jump To list, as shown in Figure 8-3.

Figure 8-3. Viewing Changes in the Group Setup


Configuring Voice over IP Support

In ACS, you can configure Voice over IP groups. Keep these separate from groups whose configuration carries actual user-access restrictions, because a Voice over IP group authenticates with only a username. To make a group a Voice over IP group, place a check mark in the Voice over IP Support box. Members of such a group authenticate with a username only, usually the telephone number of the device, for each phone call or session. This option enables a NULL password for all members of the group: ACS performs no password checking for the group, and the configuration parameters that depend on password authentication are no longer available. In this case, the "user" is the phone itself; the person using the phone does not even know that they are authenticating. Because a member of the group is accepted on the strength of its username alone, the group should contain only the phone accounts, never human user accounts.

If you are not using Voice over IP in your network, this option is not necessary. To disable this option from view in Interface Configuration, follow these steps:

Step 1.

Select Interface Configuration.

Step 2.

Select the Advanced Options link.

Step 3.

Deselect Voice-over-IP (VoIP) Group Settings.

Step 4.

Select Submit.

This removes the Voice-over-IP Support from view in Group Configuration.

Configuring Time-of-Day Access Settings

Notice that, when you return to the Edit page of the FirstUsers group, the Default Time-of-Day access settings section is grayed out. It is visible, but it cannot be changed until you enable it. This section controls the hours during which members of the group may access the network; you configure them in the grid.

To change the grid, follow these simple steps:

Step 1.

Place a check mark in the box next to Set as Default Access Times. This makes the grid editable, and the grid changes from gray to green. A green box allows access during that hour, and a white box denies it.

Step 2.

To change the color of a box, click it. Figure 8-4 shows access hours set for Monday through Friday from 6:00 a.m. to 6:00 p.m., with access to the network denied on the weekends. For these settings to take effect, you must select the Submit + Restart button.

Figure 8-4. Time-of-Day Access Restrictions


If you scroll through the Group Setup page, you see that the only Time-of-Day grid is in the Access Restrictions area. You can, however, also set Time-of-Day access restrictions per TACACS+ service, in the TACACS+ PPP configuration and TACACS+ Shell configuration sections.

To make the Time-of-Day grid visible in these sections, follow these steps:

Step 1.

Select Interface Configuration from the left frame menu.

Step 2.

Select TACACS+ (Cisco IOS).

NOTE

TACACS+ appears here only if you have added an AAA client that uses TACACS+. This configuration was covered in Chapter 5, "Deploying Cisco Secure Access Control Server for Windows Server."

Step 3.

Under the Advanced Configuration Options section, place a check mark in the box next to "Display a Time-of-Day access grid for every TACACS+ service where you can override the default Time-of-Day settings."

Step 4.

Select Submit.

Step 5.

Select the Group Setup button from the left menu.

Step 6.

Select the FirstUsers group in the drop-down list.

Step 7.

Click the Edit Settings button.

A new Time-of-Day grid is then visible under the TACACS+ settings, as seen in Figure 8-5.

Figure 8-5. TACACS+ Time-of-Day Restrictions


You manipulate the service hours for TACACS+ just as you did the default access hours. A service grid overrides the default grid for that service only; a service without its own grid still follows the default. Don't forget that you must select Submit + Restart for your changes to take effect.
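The two kinds of grid described above, the default Access Restrictions grid of Figure 8-4 and the per-service TACACS+ grids that override it, are easiest to reason about as a 7 x 24 table of allow/deny cells. The following Python model is an added example, not code from this page or from Cisco ACS: it builds the Figure 8-4 policy (Monday through Friday, 6:00 a.m. to 6:00 p.m., nothing on weekends), adds a hypothetical tighter override for the TACACS+ shell service, and evaluates login times against them, including the 6:00 p.m. boundary and a service that has no grid of its own. The class names, the Monday-first row order, and the 168-character bit-string rendering are this example's own choices, not ACS's internal format.

```python
"""Model of the ACS group Time-of-Day access grid (added example, not ACS code).

The GUI grid has 7 day rows and 24 hourly columns; a green cell allows
access during that hour and a white cell denies it. The row order (Monday
first), the class names and the bit-string rendering are assumptions of
this example, not ACS's own representation.
"""
from datetime import datetime
from typing import Dict, Iterable, List, Optional

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
HOURS_PER_DAY = 24
WEEKDAYS = range(0, 5)  # Monday..Friday in datetime.weekday() numbering


class AccessGrid:
    """7 x 24 grid of allow (True) / deny (False) cells; starts fully denied."""

    def __init__(self) -> None:
        self.cells: List[List[bool]] = [[False] * HOURS_PER_DAY for _ in DAYS]

    def allow(self, days: Iterable[int], start_hour: int, end_hour: int) -> "AccessGrid":
        """Allow the hours [start_hour, end_hour) on the given days.

        The end is exclusive, like the GUI: to allow 6:00 a.m. to 6:00 p.m.
        you click the 12 boxes from 06:00 through 17:00, and 18:00 stays white.
        """
        if not 0 <= start_hour < end_hour <= HOURS_PER_DAY:
            raise ValueError("need 0 <= start_hour < end_hour <= 24")
        for day in days:
            for hour in range(start_hour, end_hour):
                self.cells[day][hour] = True
        return self

    def permits(self, when: datetime) -> bool:
        """True if the cell for the weekday and hour of `when` is green."""
        return self.cells[when.weekday()][when.hour]

    def as_bitstring(self) -> str:
        """168-character 1/0 rendering, Monday 00:00 first (this example's encoding)."""
        return "".join("1" if cell else "0" for row in self.cells for cell in row)


class GroupPolicy:
    """A group's default grid (Access Restrictions) plus optional per-TACACS+-service
    grids, which the Interface Configuration option lets you display and which
    override the default for that one service."""

    def __init__(self, default: AccessGrid) -> None:
        self.default = default
        self.service_grids: Dict[str, AccessGrid] = {}

    def override(self, service: str, grid: AccessGrid) -> None:
        self.service_grids[service] = grid

    def grid_for(self, service: Optional[str] = None) -> AccessGrid:
        """The grid that applies: the service's own grid if it has one, else the default."""
        if service is not None and service in self.service_grids:
            return self.service_grids[service]
        return self.default

    def check(self, when: datetime, service: Optional[str] = None) -> bool:
        return self.grid_for(service).permits(when)


def first_users_policy() -> GroupPolicy:
    """The Figure 8-4 policy for FirstUsers: Monday through Friday, 06:00-18:00,
    denied on weekends. The tighter 08:00-17:00 window for the TACACS+ shell
    service is a hypothetical override added to show the per-service grid."""
    policy = GroupPolicy(AccessGrid().allow(WEEKDAYS, 6, 18))
    policy.override("shell", AccessGrid().allow(WEEKDAYS, 8, 17))
    return policy


def describe(policy: GroupPolicy, when: datetime, service: Optional[str] = None) -> str:
    """One-line verdict, e.g. 'Mon 07:30 shell: DENY'."""
    verdict = "ALLOW" if policy.check(when, service) else "DENY"
    return f"{DAYS[when.weekday()]} {when:%H:%M} {service or 'default'}: {verdict}"


if __name__ == "__main__":
    policy = first_users_policy()
    # Constructed sample login times (2006-03-06 is a Monday, 2006-03-11 a Saturday).
    for when, service in [
        (datetime(2006, 3, 6, 9, 0), None),      # weekday, inside the default window
        (datetime(2006, 3, 6, 18, 0), None),     # exactly at the 6:00 p.m. boundary
        (datetime(2006, 3, 11, 9, 0), None),     # Saturday
        (datetime(2006, 3, 6, 7, 30), "shell"),  # the shell grid overrides the default
        (datetime(2006, 3, 6, 7, 30), "ppp"),    # no ppp grid, so the default applies
    ]:
        print(describe(policy, when, service))
```

The model makes the two points that matter when you audit a group: the 6:00 p.m. box is the first denied hour, so a login at 18:00 is refused, and a service you did not give its own grid is still governed by the default grid, not left unrestricted.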




Cisco Access Control Security: AAA Administration Services (ISBN 1587051249, 2006, 173 pages)
