4-27
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
Step 5 Click Next.
The Access Services Properties page appears.
Step 6 In the Authentication Protocols area, check the relevant protocols for your access service.
Step 7 Click Finish.
Creating an Endpoint Admission Control Policy
After you create a service, you configure the endpoint admission control policy. The endpoint admission control policy returns an SGT to the endpoint and an authorization profile. You can create multiple policies and configure the Default Rule policy. The defaults are Deny Access and the Unknown security group.
To add a session authorization policy for an access service:
Step 1 Choose Access Policies > Access Services > service > Authorization.
Step 2 Configure an Authorization Policy. See Configuring a Session Authorization Policy for Network Access,
page 10-29.
Step 3 Fill in the fields in the Network Access Authorization Rule Properties page.
The Default Rule provides a default rule when no rules match or there are no rules defined. The default for the Default Rule result is Deny Access, which denies access to the network. The security group tag is Unknown.
You can modify the security group when creating the session authorization policy for Security Group Access.
Step 4 Click OK.
Step 5 Choose Access Policies > Service Selection Policy to choose which services to include in the endpoint policy. See Configuring the Service Selection Policy, page 10-5, for more information.
Step 6 Fill in the fields in the Service Selection Policy pages.
Step 7 Click Save Changes.
Creating an Egress Policy
The Egress policy (sometimes called SGACL policy) determines which SGACL to apply at the egress points of the network based on the source and destination SGT. The Egress policy is represented in a matrix, where the X and Y axes represent the destination and source SGT, respectively, and each cell contains the set of SGACLs to apply at the intersection of these two SGTs.
Any security group can take the role of a source SGT, if an endpoint (or Security Group Access device) that carries this SGT sends the packet. Any security group can take the role of a destination SGT, if the packet is targeting an endpoint (or Security Group Access device) that carries this SGT. Therefore, the Egress matrix lists all of the existing security groups on both axes, making it a Cartesian product of the SGT set with itself (SGT x SGT).
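The following Python model is an added illustration of the two policies described in this chapter (the session authorization Default Rule with its Deny Access / Unknown SGT defaults, and the SGT x SGT Egress matrix); it is not Cisco ACS code. The rule conditions, security group names (Employees, Servers), SGACL names and endpoint attributes are constructed for the example, and the first-match evaluation order is an assumption. The `unconfigured_pairs` helper is the kind of audit check an administrator would want: it lists every source/destination SGT pair whose cell still has no SGACL.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

UNKNOWN_SGT = "Unknown"        # ACS's default security group tag
DENY_ACCESS = "Deny Access"    # ACS's default authorization result
PERMIT_ACCESS = "Permit Access"


@dataclass(frozen=True)
class AuthzRule:
    """One row of the Network Access Authorization policy (toy model)."""
    name: str
    condition: Callable[[dict], bool]   # match on endpoint/session attributes
    result: str                          # PERMIT_ACCESS or DENY_ACCESS
    sgt: str = UNKNOWN_SGT               # security group returned to the endpoint


# The Default Rule applies when no rule matches or no rules are defined:
# result Deny Access, security group Unknown (as stated in the guide).
DEFAULT_RULE = AuthzRule("Default Rule", lambda _ep: True, DENY_ACCESS, UNKNOWN_SGT)


def evaluate_session_authorization(rules: List[AuthzRule], endpoint: dict,
                                   default: AuthzRule = DEFAULT_RULE) -> AuthzRule:
    """Return the first matching rule; fall back to the Default Rule.
    First-match ordering is an assumption of this model."""
    for rule in rules:
        if rule.condition(endpoint):
            return rule
    return default


class EgressPolicy:
    """SGT x SGT matrix: rows are source SGTs, columns are destination SGTs,
    and each cell holds the set of SGACL names to apply at the egress point."""

    def __init__(self, security_groups: Iterable[str]):
        self.groups = list(security_groups)
        if UNKNOWN_SGT not in self.groups:
            self.groups.append(UNKNOWN_SGT)   # Unknown is always a valid SGT
        # Cartesian product of the SGT set with itself; cells start empty.
        self.cells: Dict[Tuple[str, str], FrozenSet[str]] = {
            (src, dst): frozenset() for src, dst in product(self.groups, repeat=2)
        }

    def set_cell(self, src: str, dst: str, sgacls: Iterable[str]) -> None:
        if (src, dst) not in self.cells:
            raise KeyError(f"unknown SGT pair ({src}, {dst})")
        self.cells[(src, dst)] = frozenset(sgacls)

    def lookup(self, src: str, dst: str) -> FrozenSet[str]:
        """SGACLs to apply for a packet from src SGT to dst SGT."""
        if (src, dst) not in self.cells:
            raise KeyError(f"unknown SGT pair ({src}, {dst})")
        return self.cells[(src, dst)]

    def cell_count(self) -> int:
        return len(self.cells)

    def unconfigured_pairs(self) -> List[Tuple[str, str]]:
        """Audit helper: SGT pairs whose cell has no SGACL assigned yet."""
        return sorted(pair for pair, acls in self.cells.items() if not acls)


def demo() -> dict:
    """Constructed scenario tying authorization and egress enforcement together."""
    rules = [
        AuthzRule("Staff laptops", lambda ep: ep.get("user_group") == "staff",
                  PERMIT_ACCESS, "Employees"),
        AuthzRule("Data-center hosts", lambda ep: ep.get("device_type") == "server",
                  PERMIT_ACCESS, "Servers"),
    ]
    staff = evaluate_session_authorization(rules, {"user_group": "staff"})
    guest = evaluate_session_authorization(rules, {"user_group": "guest"})  # no match

    egress = EgressPolicy(["Employees", "Servers"])          # Unknown is added
    egress.set_cell("Employees", "Servers", ["Permit_Web", "Permit_DNS"])
    egress.set_cell("Servers", "Employees", ["Deny_All"])
    return {
        "staff_sgt": staff.sgt,
        "guest_result": guest.result,
        "guest_sgt": guest.sgt,
        "cells": egress.cell_count(),                         # 3 x 3 = 9
        "emp_to_srv": egress.lookup("Employees", "Servers"),
        "unknown_to_srv": egress.lookup("Unknown", "Servers"),
        "unconfigured": len(egress.unconfigured_pairs()),     # 9 - 2 = 7
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the guest endpoint falling through to the Default Rule (Deny Access, Unknown SGT) and the three security groups producing a nine-cell matrix, of which seven pairs have no SGACL configured; in a real deployment the `unconfigured_pairs` output is the list you would review before treating the egress policy as complete.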