
Cisco Acs 57 User Guide

Page 31

ACS 5.x Policy Model
Service Selection Policy
a. If ACS designated any command set as Commandset-DenyAlways, ACS denies the command.
b. If there is no Commandset-DenyAlways, ACS permits the command if any command set is Commandset-Permit; otherwise, ACS denies the command.
Related Topics
Policy Terminology, page 2
Authorization Profiles for Network Access, page 15
Exception Authorization Policy Rules
A common real-world problem is that, in day-to-day operations, you often need to grant policy...

Page 32

Rules-Based Service Selection
In the rules-based service selection mode, ACS decides which access service to use based on various configurable options. Some of them are:
AAA Protocol—The protocol used for the request, TACACS+ or RADIUS.
Request Attributes—RADIUS or TACACS+ attributes in the request.
Date and Time—The date and time ACS receives the request.
Network Device Group—The network device group that the AAA client belongs to.
ACS Server—The...

Page 33

Guest Access—For users accessing guest wireless networks.
In this example, instead of creating the network access policy for 802.1x, agentless devices, and guest access in one access service, the policy is divided into three access services.
First-Match Rule Tables
ACS 5.7 provides policy decisions by using first-match rule tables to evaluate a set of rules. Rule tables contain conditions and results. Conditions can be either simple or compound....

Page 34

The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules.
ACS evaluates a set of rules in the first-match rule table by comparing the values of the attributes associated with the current access request with a set of conditions expressed in a rule.
If the attribute values do not match the conditions, ACS proceeds to the next rule in the rule table....
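The following is an added model, not Cisco's code, of the two mechanisms this excerpt and the earlier command-set passage describe: first-match evaluation of a rule table that falls back to the Default rule, and the aggregation of several command sets for one command (any Commandset-DenyAlways denies; otherwise any Commandset-Permit permits; otherwise deny). Rule names, group and location values, and the per-set verdict tables are constructed for illustration; treating a command absent from a set as Deny is an assumption of the model.

```python
# Added illustration, not Cisco's code: models the first-match rule table and
# the command-set aggregation rules (a. and b.) described in the ACS 5.x text.
from dataclasses import dataclass

DENY_ALWAYS = "Commandset-DenyAlways"
PERMIT = "Commandset-Permit"
DENY = "Commandset-Deny"  # assumed label for a command a set neither permits nor hard-denies

@dataclass
class Rule:
    name: str
    conditions: dict  # simple conditions, e.g. {"ID Group": "NetAdmins"}; all must match
    command_sets: list  # policy result: one or more command-set names

    def matches(self, request: dict) -> bool:
        return all(request.get(attr) == value for attr, value in self.conditions.items())

def first_match(rules, default_result, request):
    """Walk the table top to bottom and stop at the first rule whose conditions
    all match; fall back to the Default rule's result when nothing matches."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.command_sets
    return "Default", default_result

def decide_command(command_sets, verdicts, command):
    """verdicts maps command-set name -> {command: verdict}. A command missing
    from a set is treated as Deny here (an assumption of this model)."""
    results = [verdicts.get(cs, {}).get(command, DENY) for cs in command_sets]
    if DENY_ALWAYS in results:  # a. any DenyAlways wins, regardless of other sets
        return "deny"
    return "permit" if PERMIT in results else "deny"  # b. any Permit, else deny

# Constructed sample policy (rule order matters: the first match wins).
RULES = [
    Rule("NetAdmins-HQ", {"ID Group": "NetAdmins", "Location": "HQ"}, ["Full", "NoReload"]),
    Rule("Helpdesk", {"ID Group": "Helpdesk"}, ["ShowOnly"]),
]
DEFAULT_RESULT = ["NoAccess"]  # Default rule: a set that lists no commands
VERDICTS = {
    "Full": {"show run": PERMIT, "configure": PERMIT, "reload": PERMIT},
    "NoReload": {"reload": DENY_ALWAYS},
    "ShowOnly": {"show run": PERMIT},
}

def authorize(request, command):
    rule, command_sets = first_match(RULES, DEFAULT_RESULT, request)
    return rule, decide_command(command_sets, VERDICTS, command)
```

Note that a NetAdmins user at HQ is permitted "show run" but denied "reload": the DenyAlways in the NoReload set overrides the Permit in the Full set, which is the ordering the excerpt describes.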

Page 35

Authorization Profiles for Network Access
Exception Authorization Policy Rules, page 11
Policy Conditions
You can define simple conditions in rule tables based on attributes in: 
Customizable conditions—You can create custom conditions based on protocol dictionaries and identity dictionaries that ACS knows about. You define custom conditions in a policy rule page; you cannot define them as separate condition objects.
Standard conditions—You can use standard conditions,...

Page 36

Policies and Identity Attributes
You can define multiple authorization profiles as a network access policy result. In this way, you maintain a smaller number of authorization profiles, because you can use the authorization profiles in combination as rule results, rather than maintaining all the combinations themselves in individual profiles.
Processing Rules with Multiple Authorization Profiles
A session authorization policy can contain rules with multiple authorization...

Page 37

Policies and Network Device Groups
You can reference network device groups (NDGs) as policy conditions. When ACS receives a request for a device, the NDGs associated with that device are retrieved and compared against those in the policy table. With this method, you can group multiple devices and assign them the same policies. For example, you can group all devices in a specific location together and assign to them the same policy.
When...

Page 38

Flows for Configuring Services and Policies
Figure 2 Sample Rule-Based Policy
Each row in the policy table represents a single rule.
Each rule, except for the last Default rule, contains two conditions, ID Group and Location, and a result, Authorization Profile. ID Group is an identity-based classification and Location is a nonidentity condition. The authorization profiles contain permissions for a session.
The ID Group, Location, and Authorization Profile are the policy...

Page 39

Flows for Configuring Services and Policies
Related Topics
Policy Terminology, page 2
Policy Conditions, page 15
Policy Results, page 15
Policies and Identity Attributes, page 16
Table 10 Steps to Configure Services and Policies
Step | Action | Drawer in Web Interface
1. | Define policy results:
   Authorizations and permissions for device administration—Shell profiles or command sets.
   Authorizations and permissions for network access—Authorization profile.
   See: Creating,...

Page 40

Flows for Configuring Services and Policies