Cisco Acs 5x User Guide

Page 51

3-9
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3      ACS 5.x Policy Model
  Access Services
ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Access Service Properties, page 10-13 for information on how to configure a RADIUS proxy service.
For more information on proxying RADIUS and TACACS+ requests, see...

Page 52

3-10
Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as the result of the identity policy. You define the identity methods in an identity sequence object, and the methods included within the sequence may be of any type....

Page 53

3-11
Group Mapping Policy
The identity group mapping policy is a standard policy. Conditions can be based on attributes or groups retrieved from the external attribute stores only, or from certificates, and the result is an identity group within the identity group hierarchy.
If the identity policy accesses the internal user or host identity store, then the identity group is set...

Page 54

3-12
  Service Selection Policy
Related Topics
Policy Terminology, page 3-3
Authorization Profiles for Network Access, page 3-16
Exception Authorization Policy Rules
A common real-world problem is that, in day-to-day operations, you often need to grant policy waivers or policy exceptions. A specific user might need special access for a short period of time; or, a user might require some additional user...

Page 55

3-13
Rules-Based Service Selection
In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are:
AAA Protocol—The protocol used for the request, TACACS+ or RADIUS.
Request Attributes—RADIUS or TACACS+ attributes in the request.
Date and Time—The date and time ACS receives the request.
Network Device...

Page 56

3-14
In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services.
First-Match Rule Tables
ACS 5.3 provides policy decisions by using first-match rule tables to evaluate a set of rules. Rule tables contain conditions and results. Conditions can be either...

Page 57

3-15
The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules.
ACS evaluates a set of rules in the first-match rule table by comparing the values of the attributes associated with the current access request with a set of conditions expressed in a rule.
If the attribute...

Page 58

3-16
  Authorization Profiles for Network Access
Policy Conditions
You can define simple conditions in rule tables based on attributes in:
Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dictionaries that ACS knows about. You define custom conditions in a policy rule page; you cannot define them as separate condition objects.
Standard conditions—You...

Page 59

3-17
  Policies and Identity Attributes
You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combination as rule results, rather than maintaining all the combinations themselves in individual profiles.
Processing Rules with Multiple Authorization...

Page 60

3-18
  Policies and Network Device Groups
Related Topics
Managing Users and Identity Stores, page 8-1
Policy Terminology, page 3-3
Types of Policies, page 3-5
Policies and Network Device Groups
You can reference network device groups (NDGs) as policy conditions. When ACS receives a request for a device, the NDGs associated with that device are retrieved and compared against those in the policy...