Cisco Systems 4.2 Server User Manual


 
5-11
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 5 Password Policy Configuration Scenario
Step 4: Configure Access Policy
Table 5-1 Access Policy Options (continued)

Option    Description

Reject connections from listed IP addresses
    Restricts remote access to the web interface to IP addresses outside of the specified IP Address Ranges.

    IP filtering operates on the IP address received in an HTTP request from a remote administrator's web browser. If the browser is configured to use an HTTP proxy server, or the browser runs on a workstation behind a network device performing network address translation (NAT), IP filtering applies only to the IP address of the HTTP proxy server or the NAT device.

IP Address Ranges
    The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, a range includes its Start and End IP addresses.

    Use dotted-decimal format. The IP addresses that define a range must differ only in the last octet (Class C format).

Start IP Address
    Defines the lowest included IP address in the specified range (up to 16 characters).

End IP Address
    Defines the highest included IP address in the specified range (up to 16 characters).

HTTP Configuration

HTTP Port Allocation

Allow any TCP ports to be used for Administration HTTP Access
    Enables ACS to use any valid TCP port for remote access to the web interface.

Restrict Administration Sessions to the following port range From Port n to Port n
    Restricts the ports that ACS can use for remote access to the web interface. Use the boxes to specify the port range (up to five digits per box). The range is always inclusive; that is, the range includes the start and end port numbers. The size of the specified range determines the maximum number of concurrent administrative sessions.

    ACS uses port 2002 to start all administrative sessions. Port 2002 does not need to be in the port range. However, ACS does not allow definition of an HTTP port range that consists only of port 2002; the port range must contain at least one port other than port 2002.

    A firewall configured to permit HTTP traffic over the ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port that a web browser must address to initiate an administrative session.

    We do not recommend allowing administration of ACS from outside a firewall. If access to the web interface from outside a firewall is necessary, keep the HTTP port range as narrow as possible. A narrow range can help to prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would have to impersonate, or "spoof," the IP address of a legitimate host to make use of the active administrative session HTTP port.
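The following Python is an added illustration, not Cisco's code or the ACS implementation. It models the rules stated in this table for the IP Address Ranges and the administrative HTTP port range: inclusive ranges that differ only in the last octet, the "reject listed" decision made on the address ACS actually sees (the proxy or NAT address when one is in the path), the port-range constraints around port 2002, and the ports a firewall must permit. Function names, the 65535 upper bound and the sample addresses are my own assumptions.

```python
import ipaddress

MAX_RANGES = 10        # the IP Address Ranges table has ten rows
ACS_START_PORT = 2002  # every administrative session is started on this port

def parse_range(start, end):
    """Validate one inclusive Start/End row of the IP Address Ranges table."""
    if len(start) > 16 or len(end) > 16:
        raise ValueError("each address field holds at most 16 characters")
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s.packed[:3] != e.packed[:3]:
        raise ValueError("Start and End may differ only in the last octet (Class C format)")
    if s > e:
        raise ValueError("Start IP Address must not be above End IP Address")
    return s, e

def parse_ranges(rows):
    """Validate the whole table (at most ten Start/End rows)."""
    if len(rows) > MAX_RANGES:
        raise ValueError("the IP Address Ranges table holds at most ten ranges")
    return [parse_range(a, b) for a, b in rows]

def reject_listed_allows(client_ip, ranges):
    """'Reject connections from listed IP addresses': admit the request only when the
    source address seen by ACS falls in none of the inclusive ranges. Behind an HTTP
    proxy or NAT device that address is the proxy/NAT address, not the admin workstation."""
    ip = ipaddress.IPv4Address(client_ip)
    return not any(s <= ip <= e for s, e in ranges)

def validate_port_range(from_port, to_port):
    """Check the 'Restrict Administration Sessions' range and return its size,
    which is the maximum number of concurrent administrative sessions."""
    if not 1 <= from_port <= to_port <= 65535:  # assumed bound: any valid TCP port
        raise ValueError("From Port and To Port must be valid TCP ports with From <= To")
    if from_port == to_port == ACS_START_PORT:
        raise ValueError("the range must contain at least one port other than 2002")
    return to_port - from_port + 1

def firewall_ports(from_port, to_port):
    """HTTP ports a firewall must permit: the administrative range plus port 2002."""
    validate_port_range(from_port, to_port)
    return sorted(set(range(from_port, to_port + 1)) | {ACS_START_PORT})

if __name__ == "__main__":
    # constructed sample configuration, not taken from the guide
    ranges = parse_ranges([("192.0.2.10", "192.0.2.20"), ("198.51.100.0", "198.51.100.255")])
    print(reject_listed_allows("192.0.2.15", ranges), reject_listed_allows("203.0.113.5", ranges))
    print(validate_port_range(2010, 2014), firewall_ports(2010, 2014))
```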