Filter
Top Products
3-6
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Access Services
Access Services
Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for
users and devices that connect to the network and for network administrators who administer network
devices.
In ACS 5.x, authentication and authorization requests are processed by access services. An access
service consists of the following elements:
• Identity Policy—Specifies how the user should be authenticated and includes the allowed
authentication protocols and the user repository to use for password validation.
• Group Mapping Policy—Specifies if the user's ACS identity group should be dynamically
established based on user attributes or group membership in external identity stores. The user's
identity group can be used as part of their authorization.
• Authorization Policy—Specifies the authorization rules for the user.
The access service is an independent set of policies used to process an access request.
The ACS administrator might choose to create multiple access services to allow clean separation and
isolation for processing different kinds of access requests. ACS provides two default access services:
• Default Device Admin—Used for TACACS+ based access to device CLI
• Default Network Access—Used for RADIUS-based access to network connectivity
You can use the access services as is, modify them, or delete them as needed. You can also create
additional access services.
The TACACS+ protocol separates authentication from authorization; ACS processes TACACS+
authentication and authorization requests separately. Table 3-4 describes additional differences between
RADIUS and TACACS+ access services.
For TACACS+, all policy types are optional; however, you must choose at least one policy type in a
service. If you do not define an identity policy for TACACS+, ACS returns authentication failed for an
authentication request.
Similarly, if you do not define an authorization policy and if ACS receives a session or command
authorization request, it fails. For both RADIUS and TACACS+ access services, you can modify the
service to add policies after creation.
Note Access services do not contain the service selection policy. Service selection rules are defined
independently.
You can maintain and manage multiple access services; for example, for different use cases, networks,
regions, or administrative domains. You configure a service selection policy, which is a set of service
selection rules to direct each new access request to the appropriate access service.
Table 3-4 Differences Between RADIUS and TACACS+ Access Services
Policy Type TACACS+ RADIUS
Identity Optional
1
1. For TACACS+, you must select either Identity or Authorization.
Required
Group Mapping Optional Optional
Authorization Optional
1
Required