Filter
Top Products
3-3
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Overview of the ACS 5.x Policy Model
Policy Terminology
Table 3-2 describes the rule-based policy terminology.
Table 3-2 Rule-Based Policy Terminology
Term Description
Access service Sequential set of policies used to process access requests. ACS 5.x allows you to define multiple
access services to support multiple, independent, and isolated sets of policies on a single ACS
system.
There are two default access services: one for device administration (TACACS+ based access to the
device shell or CLI) and one for network access (RADIUS-based access to network connectivity).
Policy element Global, shared object that defines policy conditions (for example, time and date, or custom
conditions based on user-selected attributes) and permissions (for example, authorization profiles).
The policy elements are referenced when you create policy rules.
Authorization profile Basic permissions container for a RADIUS-based network access service, which is where you define
all permissions to be granted for a network access request.
VLANs, ACLs, URL redirects, session timeout or reauthorization timers, or any other RADIUS
attributes to be returned in a response, are defined in the authorization profile.
Shell profile Basic permissions container for TACACS+ based device administration policy. This is where you
define permissions to be granted for a shell access request.
IOS privilege level, session timeout, and so on are defined in the shell profile.
Command set Contains the set of permitted commands for TACACS+ based, per-command authorization.
Policy Set of rules that are used to reach a specific policy decision. For example, how to authenticate and
what authorization to grant. For any policies that have a default rule, a policy is a first-match rules
table with a default rule for any request which does not match any user-created rules.
Identity policy ACS 5.3 policy for choosing how to authenticate and acquire identity attributes for a given request.
ACS 5.3 allows two types of identity policies: a simple, static policy, or a rules-based policy for
more complex situations.
Identity group mapping
policy
Optional policy for mapping identity information collected from identity stores (for example, group
memberships and user attributes) to a single ACS identity group.
This can help you normalize identity information and map requests to a single identity group, which
is just a tag or an identity classification. The identity group can be used as a condition in
authorization policy, if desired.
Authorization policy ACS 5.3 policy for assigning authorization attributes for access requests. Authorization policy
selects a single rule and populates the response with the contents of the authorization profiles
referenced as the result of the rule.
Exception policy Special option for authorization policy, which allows you to define separately the set of conditions
and authorization results for authorization policy exceptions and waivers. If defined, the exception
policy is checked before the main (standard) authorization policy.
Default rule Catchall rule in ACS 5.3 policies. You can edit this rule to specify a default result or authorization
action, and it serves as the policy decision in cases where a given request fails to match the
conditions specified in any user-created rule.