User groups are an easy way to implement control of user and administrative activity on your network without the tedious task of assigning numerous common rights to each individual user. The group-level configuration of ACS has multiple configuration areas, each of which is discussed in the following sections.
Modifying User Groups
When you select the Group Setup tab, the main frame of ACS changes to the Select screen. From this screen, you have the ability to choose from and modify a total of 500 user groups. The zero group is the default group. This is where users are added when you do not specify a group assignment in the user setup. You also see the number of users that are currently members of the group. In more advanced configurations, you configure group mappings for external databases, so your group configurations are very important to you.
By selecting the Users in Group button, you change the right ACS frame to display the users that are assigned to the group. If you want to assign special settings to users of that group, you can simply select the user by clicking on the username, and it takes you to the User Setup page for that individual user.
The next option that you can use from the Group Setup Select screen is the Edit Settings button. This takes you to the configuration area for whatever group is selected in the drop-down list of groups.
The final option that is selectable from this Group Setup Select screen is the Rename Group option. By selecting this button, you can rename the group that is selected in the drop-down list of groups.
To begin your configuration of user groups, follow these steps to rename a group and edit that group's settings:
You have now been placed in Group Setup configuration for the group named FirstUsers. You can choose to scroll through the group settings by using the scroll bar on the right-hand side of the center frame, or you can quickly jump to the main settings areas by selecting the configuration area from the Jump To list, as seen in Figure 8-2.
Figure 8-2. Using the Jump To List
You can use this list to jump to Access Restrictions, IP Address Assignment, TACACS+, and a few others, depending on your interface configuration and RADIUS protocols that have been enabled.
You begin your configuration by enabling additional group settings. Follow these steps to enable advanced group settings:
You have just enabled more configuration options in the Group Setup section. To verify this, follow these steps:
Configuring Voice over IP Support
In ACS, you can configure Voice over IP groups. These groups are most likely kept separate from groups with configurations that have actual user-access restrictions in them. This is mainly because a Voice over IP group is going to authenticate with only a username. If this were a Voice over IP group that you were going to configure, you would place a check mark in the Voice over IP Support box.
Users of a Voice over IP group authenticate with only a username, which is usually the telephone number of each device for each phone call or session. This option enables a NULL password for all members of this group. It stops ACS from performing password checking on this group and disables some of the other configuration parameters that are available when password authentication takes place. Voice over IP users need to enter only the user ID, not a password, to authenticate. In this case, the "user" is the phone itself. The person who uses the phone does not even know that they are authenticating.
If you are not using Voice over IP in your network, this option is not necessary. To disable this option from view in Interface Configuration, follow these steps:
This removes the Voice over IP Support option from view in Group Configuration.
Configuring Time-of-Day Access Settings
Notice that the Default Time-of-Day access settings section is grayed out in the interface when you return to the Edit page of the FirstUsers group. It is visible, but cannot be changed. This option controls access hours. Use the grid to configure the desired access hours. To change the grid, follow these simple steps:
To make the Time-of-Day grid visible in these sections, follow these steps:
A new Time-of-Day grid is then visible under the TACACS+ settings, as seen in Figure 8-5.
Figure 8-5. TACACS+ Time-of-Day Restrictions
You can manipulate service hours for TACACS+ just as you did for access hours. Don't forget that you must select Submit + Restart for your changes to take effect.