Filter
Top Products
3-18
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Policies and Network Device Groups
Related Topics
• Managing Users and Identity Stores, page 8-1
• Policy Terminology, page 3-3
• Types of Policies, page 3-5
Policies and Network Device Groups
You can reference Network device groups (NDGs) as policy conditions. When the ACS receives a
request for a device, the NDGs associated with that device are retrieved and compared against those in
the policy table. With this method, you can group multiple devices and assign them the same policies.
For example, you can group all devices in a specific location together and assign to them the same policy.
When ACS receives a request from a network device to access the network, it searches the network
device repository to find an entry with a matching IP address. When a request arrives from a device that
ACS identified using the IP address, ACS retrieves all NDGs associated with the device.
Related Topics
• Managing Users and Identity Stores, page 8-1
• Policy Terminology, page 3-3
• Types of Policies, page 3-5
Example of a Rule-Based Policy
The following example illustrates how you can use policy elements to create policy rules.
A company divides its network into two regions, East and West, with network operations engineers at
each site. They want to create an access policy that allows engineers:
• Full access to the network devices in their region.
• Read-only access to devices outside their region.
You can use the ACS 5.3 policy model to:
• Define East and West network device groups, and map network devices to the appropriate group.
• Define East and West identity groups, and map users (network engineers) to the appropriate group.
• Define Full Access and Read Only authorization profiles.
• Define Rules that allow each identity group full access or read-only access, depending on the
network device group location.
Previously, you had to create two user groups, one for each location of engineers, each with separate
definitions for permissions, and so on. This definition would not provide the same amount of flexibility
and granularity as in the rule-based model.