Filter
Top Products
3-4
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Overview of the ACS 5.x Policy Model
Simple Policies
You can configure all of your ACS policies as rule-based policies. However, in some cases, you can
choose to configure a simple policy, which selects a single result to apply to all requests without
conditions.
For example, you can define a rule-based authentication policy with a set of rules for different
conditions; or, if you want to use the internal database for all authentications, you can define a simple
policy.
Table 3-3 helps you determine whether each policy type can be configured as a simple policy.
• If you create and save a simple policy, and then change to a rule-based policy, the simple policy
becomes the default rule of the rule-based policy.
• If you have saved a rule-based policy and then change to a simple policy, ACS automatically uses
the default rule as the simple policy.
Related Topic
• Types of Policies, page 3-5
Rule-Based Policies
Rule-based policies have been introduced to overcome the challenges of identity-based policies. In
earlier versions of ACS, although membership in a user group gives members access permissions, it also
places certain restrictions on them.
When a user requests access, the user's credentials are authenticated using an identity store, and the user
is associated with the appropriate user group. Because authorization is tied to user group, all members
of a user group have the same access restrictions and permissions at all times.
With this type of policy (the simple policy), permissions are granted based on a user’s association with
a particular user group. This is useful if the user’s identity is the only dominant condition. However, for
users who need different permissions under different conditions, this policy does not work.
In ACS 5.x, you can create rules based on various conditions apart from identity. The user group no
longer contains all of the information.
For example, if you want to grant an employee full access while working on campus, and restricted
access while working remotely, you can do so using the rule-based policies in ACS 5.3.
You can base permissions on various conditions besides identity, and permissions are no longer
associated with user groups. You can use session and environment attributes, such as access location,
access type, health of the end station, date, time, and so on, to determine the type of access to be granted.
Authorization is now based on a set of rules:
If conditions then apply the respective permissions
With rule-based policies, conditions can consist of any combination of available session attributes, and
permissions are defined in authorization profiles. You define these authorization profiles to include
VLAN, downloadable ACLs, QoS settings, and RADIUS attributes.