User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Access Services
Table 3-5 describes an example of a set of access services.
Table 3-6 describes a service selection policy.
ACS evaluates the service selection rules in Table 3-6 from top to bottom and hands the request to the access service named by the first rule whose condition matches, so the order of the rules matters and the catch-all Default rule must stay last.
If ACS 5.3 receives a TACACS+ access request, it applies Access Service A, which authenticates the
request according to Identity Policy A. It then applies authorizations and permissions according to
Shell/Command Authorization Policy A. This service handles all TACACS+ requests.
If ACS 5.3 receives a RADIUS request that it determines is a host lookup (for example, the RADIUS
Service-Type attribute is equal to Call-Check), it applies Access Service C, which authenticates according
to Identity Policy C. It then applies a session authorization profile according to Session Authorization
Policy C. This service handles all host lookup requests (also known as MAC Authentication Bypass, or MAB,
requests), that is, requests on behalf of hosts that have no 802.1X supplicant.
Access Service B handles all other RADIUS requests, including 802.1X wired and wireless access. This
access service authenticates according to Identity Policy B and applies Session Authorization Policy B.
It handles every RADIUS request except host lookups, which the previous rule has already matched.
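The following Python model of the service selection policy is an added example, not code from the ACS product or the Cisco guide. It encodes the three access services of Table 3-5 and the ordered rules of Table 3-6, routes constructed sample requests through them, and shows what happens when the Default rule is moved to the top. The request representation, the rule and service names, and the sample attribute values are assumptions for illustration; the only real protocol constant is the RADIUS Service-Type value 10 (Call-Check), which is what the host lookup condition keys on.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# RFC 2865 Service-Type value 10 = Call-Check (the one real constant here)
SERVICE_TYPE_CALL_CHECK = 10


@dataclass(frozen=True)
class Request:
    """An incoming AAA request (constructed model, not an ACS data type).
    'protocol' is "TACACS+" or "RADIUS"; RADIUS attributes are kept by
    name, e.g. {"Service-Type": 10}."""
    protocol: str
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class AccessService:
    name: str
    identity_policy: str
    authorization_policy: str


@dataclass(frozen=True)
class SelectionRule:
    name: str
    condition: Callable[[Request], bool]
    result: AccessService


# Access services as laid out in Table 3-5
SERVICE_A = AccessService("Access Service A", "Identity Policy A",
                          "Shell/Command Authorization Policy A")
SERVICE_B = AccessService("Access Service B", "Identity Policy B",
                          "Session Authorization Policy B")
SERVICE_C = AccessService("Access Service C", "Identity Policy C",
                          "Session Authorization Policy C")


def is_tacacs(req: Request) -> bool:
    return req.protocol == "TACACS+"


def is_host_lookup(req: Request) -> bool:
    """Classify a RADIUS request as a host lookup (MAC Auth Bypass) when
    Service-Type is Call-Check. Assumption: this is the only trigger
    modelled; ACS may use additional hints."""
    return (req.protocol == "RADIUS"
            and req.attributes.get("Service-Type") == SERVICE_TYPE_CALL_CHECK)


# Service selection policy as in Table 3-6: ordered, first match wins.
RULES: List[SelectionRule] = [
    SelectionRule("DevAdmin", is_tacacs, SERVICE_A),
    SelectionRule("Agentless", is_host_lookup, SERVICE_C),
    SelectionRule("Default", lambda req: True, SERVICE_B),
]

# The same rules with the catch-all first: every request now lands in
# Access Service B, including TACACS+ device-administration sessions.
MISORDERED_RULES: List[SelectionRule] = [RULES[2], RULES[0], RULES[1]]


def select_access_service(req: Request,
                          rules: List[SelectionRule] = RULES) -> Optional[SelectionRule]:
    """Walk the rules top to bottom and return the first whose condition
    holds. None means nothing matched and there is no default rule, in
    which case the request is rejected."""
    for rule in rules:
        if rule.condition(req):
            return rule
    return None


def route(req: Request, rules: List[SelectionRule] = RULES) -> Dict[str, Optional[str]]:
    """Report which rule fired and which policies the request will go through."""
    rule = select_access_service(req, rules)
    if rule is None:
        return {"rule": None, "service": None,
                "identity_policy": None, "authorization_policy": None}
    svc = rule.result
    return {"rule": rule.name, "service": svc.name,
            "identity_policy": svc.identity_policy,
            "authorization_policy": svc.authorization_policy}


# Constructed sample requests (not captured traffic)
TACACS_REQ = Request("TACACS+", {"user": "netadmin"})
MAB_REQ = Request("RADIUS", {"User-Name": "00-11-22-33-44-55",
                             "Service-Type": SERVICE_TYPE_CALL_CHECK})
DOT1X_REQ = Request("RADIUS", {"User-Name": "alice",
                               "Service-Type": 2,          # Framed
                               "EAP-Message": b"\x02\x01"})

if __name__ == "__main__":
    for label, req in [("TACACS+", TACACS_REQ), ("MAB", MAB_REQ), ("802.1X", DOT1X_REQ)]:
        print(label, route(req))
    print("misordered TACACS+", route(TACACS_REQ, MISORDERED_RULES))
```

Running the block routes the TACACS+ request to Access Service A, the Call-Check request to Access Service C, and the 802.1X request to the Default rule and Access Service B. With MISORDERED_RULES the TACACS+ request is also sent to Access Service B, which is why a catch-all rule placed above specific rules silently bypasses the policy you intended.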
Access Service Templates
ACS contains predefined access services that you can use as a template when creating a new service.
When you choose an access service template, ACS creates an access service that contains a set of
policies, each with a customized set of conditions.
You can change the structure of the access service by adding or removing a policy from the service, and
you can change the structure of a policy by modifying the set of policy conditions. See Configuring
Access Services Templates, page 10-19, for a list of the access service templates and descriptions.
RADIUS and TACACS+ Proxy Services
ACS 5.3 can function as a RADIUS server, as a RADIUS proxy server, or as a TACACS+ proxy server.
As a RADIUS proxy server, ACS receives authentication and accounting requests from the network access
server (NAS) and forwards them to the external RADIUS server.
As a TACACS+ proxy server, ACS receives authentication, authorization, and accounting requests
from the NAS and forwards them to the external TACACS+ server.
Table 3-5 Access Service List

Access Service A                      Access Service B                          Access Service C
for Device Administration             for Access from 802.1X Wired and          for Access to 802.1X Agentless
                                      Wireless Devices                          Hosts (Host Lookup / MAB)
Identity Policy A                     Identity Policy B                         Identity Policy C
Shell/Command Authorization           Session Authorization Policy B            Session Authorization Policy C
Policy A

Table 3-6 Service Selection Policy (rules are evaluated in order; first match wins)

Rule Name    Condition                  Result
DevAdmin     protocol = TACACS+         Access Service A
Agentless    Host Lookup = True         Access Service C
Default      (any other request)        Access Service B