
Cisco Acs 57 User Guide


Page 21

Cisco Systems, Inc. www.cisco.com
ACS 5.x Policy Model
ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy 
elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the 
group-based model used in the 4.x versions.
This section contains the following topics:
Overview of the ACS 5.x Policy Model, page 1
Access Services, page 5
Service Selection Policy, page 11
Authorization Profiles...

Page 22

Overview of the ACS 5.x Policy Model
A policy is a set of rules that ACS 5.x uses to evaluate an access request and return a decision. For example, the set of 
rules in an:
- Authorization policy return the authorization decision for a given access request.
- Identity policy decide how to authenticate and acquire identity attributes for a given access request.
ACS 5.x organizes the sequence of independent policies (a policy work flow) into an access service, which it uses to...

Page 23

Simple Policies
You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure 
a simple policy, which selects a single result to apply to all requests without conditions. 
For example, you can define a rule-based authentication policy with a set of rules for different conditions; or, if you want 
to use the internal database for all authentications, you can define a simple policy....

Page 24

Table 4 on page 5 helps you determine whether each policy type can be configured as a simple policy. 
If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default 
rule of the rule-based policy. 
If you have saved a rule-based policy and then change to a simple policy, ACS automatically uses the default rule 
as the simple policy. 
Related Topic
Types of Policies, page 4
Rule-Based...

Page 25

Access Services
Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices 
that connect to the network and for network administrators who administer network devices. 
In ACS 5.x, authentication and authorization requests are processed by access services. An access service consists of 
the following elements:
Identity Policy—Specifies how the user should be authenticated and includes the allowed...

Page 26

You can use the access services as is, modify them, or delete them as needed. You can also create additional access 
services.
The TACACS+ protocol separates authentication from authorization; ACS processes TACACS+ authentication and 
authorization requests separately. Table 5 on page 6 describes additional differences between RADIUS and TACACS+ 
access services.
For TACACS+, all policy types are optional; however, you must choose at least one policy type in a...

Page 27

If ACS 5.7 receives a RADIUS request that it determines is a host lookup (for example, the RADIUS service-type attribute 
is equal to call-check), it applies Access Service C, which authenticates according to Identity Policy C. It then applies a 
session authorization profile according to Session Authorization Policy C. This service handles all host lookup requests 
(also known as MAC Auth Bypass requests). 
Access Service B handles other RADIUS requests. This...

Page 28

When the first response arrives from any of the remote RADIUS or TACACS+ servers in the list, the proxy service 
processes it. If the response is valid, ACS sends the response back to the NAS.
Table 8 on page 8 lists the differences in RADIUS proxy service between ACS 4.2 and 5.7 releases.
ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a 
proxy server, you must configure a RADIUS or TACACS+ proxy...

Page 29

Certificate Authentication Profile—Contains information about the structure and content of the certificate, and 
specifically maps a certificate attribute to the internal username. For certificate-based authentication, you must select a 
certificate authentication profile.
For certificate-based requests, the entity that identifies itself with a certificate holds the private key that corresponds 
to the public key stored in the certificate. The certificate...

Page 30

Continue—ACS continues processing to the next defined policy in the service.
The Authentication Status system attribute retains the result of the identity policy processing. If you choose to continue 
policy processing after a failure, this attribute can be referenced as a condition in subsequent policy processing 
to distinguish the cases in which identity policy processing did not succeed.
Because of restrictions on the underlying protocol being used,...
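Added example (not from the Cisco guide): a small Python model of the policy semantics in the excerpts above, namely first-match rules with a default rule, the simple-to-rule-based conversion (page 24), the service-selection rules on page 27, and the Authentication Status attribute used as a later condition (page 30). All class, function and attribute names and the result strings are assumptions.

```python
# Constructed model of ACS 5.x policy evaluation (not Cisco's code). Names such as
# RuleBasedPolicy, SERVICE_SELECTION and AUTHZ_POLICY and all results are assumed.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]  # evaluated against request attributes
    result: str

@dataclass
class RuleBasedPolicy:
    rules: list           # ordered; the first matching rule wins
    default_result: str   # the default rule, applied when no rule matches

    def evaluate(self, request: dict) -> tuple:
        for rule in self.rules:
            if rule.condition(request):
                return rule.name, rule.result
        return "Default", self.default_result

def simple_policy(result: str) -> RuleBasedPolicy:
    """Simple policy: a single result for every request, with no conditions."""
    return RuleBasedPolicy(rules=[], default_result=result)

def to_rule_based(simple: RuleBasedPolicy, rules: list) -> RuleBasedPolicy:
    """Simple -> rule-based: the saved simple result becomes the default rule."""
    return RuleBasedPolicy(rules=rules, default_result=simple.default_result)

# Service selection as on page 27: RADIUS host lookups (Service-Type call-check)
# go to Access Service C, all other RADIUS requests to Access Service B.
SERVICE_SELECTION = RuleBasedPolicy(rules=[
    Rule("Host lookup", lambda r: r.get("protocol") == "RADIUS"
         and r.get("Service-Type") == "Call Check", "Access Service C"),
    Rule("Other RADIUS", lambda r: r.get("protocol") == "RADIUS", "Access Service B"),
], default_result="Deny Access")  # assumed default; the excerpt does not state one

def run_identity_policy(request: dict, authenticate: Callable[[dict], bool],
                        on_failure: str = "Continue") -> str:
    """Identity step: store the outcome in the AuthenticationStatus attribute."""
    passed = authenticate(request)
    request["AuthenticationStatus"] = "Passed" if passed else "Failed"
    return "Continue" if passed or on_failure == "Continue" else "Reject"

# Authorization policy that distinguishes failed identity processing (constructed).
AUTHZ_POLICY = RuleBasedPolicy(rules=[
    Rule("Auth failed", lambda r: r.get("AuthenticationStatus") == "Failed", "Limited Access"),
], default_result="Permit Access")
```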