Support User Manuals

Cisco Systems OL-24201-01 Camera Accessories User Manual

Open as PDF

of 650

10-22

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Chapter 10 Managing Access Policies

Configuring Access Service Policies

In the rule-based policy, each rule contains one or more conditions and a result, which is the identity

source to use for authentication. You can create, duplicate, edit, and delete rules within the identity

policy; and you can enable and disable them.

Caution If you switch between the simple policy and the rule-based policy pages, you will lose your previously

saved policy.

To configure a simple identity policy:

Step 1 Select Access Policies > Access Services > service > Identity, where service is the name of the access

service.

By default, the Simple Identity Policy page appears with the fields described in Table 10-9:

Step 2 Select an identity source for authentication; or, choose Deny Access.

You can configure additional advanced options. See Configuring Identity Policy Rule Properties,

page 10-24.

Step 3 Click Save Changes to save the policy.

Table 10-9 Simple Identity Policy Page

Option Description

Policy type Defines the type of policy to configure:

• Simple—Specifies the result to apply to all requests.

• Rule-based—Configure rules to apply different results, depending on the request.

If you switch between policy types, you will lose your previously saved policy configuration.

Identity Source Identity source to apply to all requests. The default is Deny Access. For:

• Password-based authentication, choose a single identity store, or an identity store sequence.

• Certificate-based authentication, choose a certificate authentication profile, or an identity

store sequence.

The identity store sequence defines the sequence that is used for authentication and an optional

additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 8-74.

Advanced options Specifies whether to reject or drop the request, or continue with authentication for these options:

• If authentication failed—Default is reject.

• If user not found—Default is reject.

• If process failed—Default is drop.

Owing to restrictions on the underlying protocol, ACS cannot always continue processing when

the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII,

EAP-TLS, or Host Lookup.

For all other authentication protocols, the request will be dropped even if you choose the Continue

option.

previous next