User Guide for Cisco Secure Access Control System 5.4
Chapter 10 Managing Access Policies
Configuring Access Services
Description Description of the access service.
Access Service Policy Structure
Based on service template Creates an access service containing policies based on a predefined template. This option is
available only for service creation.
Based on existing service Creates an access service containing policies based on an existing access service. The new access
service does not include the existing service’s policy rules. This option is available only for
service creation. To replicate a service, including its policy rules, duplicate an existing access
User selected service type Provides you the option to select the access service type. The available options are Network
Access, Device Administration, and External Proxy. The list of policies you can configure
depends on your choice of access service type.
User Selected Service Type—Network Access and Device Administration
Policy Structure
Identity Check to include an identity policy in the access service to define the identity store or stores that
ACS uses for authentication and attribute retrieval.
Group Mapping Check to include a group mapping policy in the access service to map groups and attributes that
are retrieved from external identity stores to ACS identity groups.
Authorization Check to include an authorization policy in the access service to apply:
Authorization profiles for network access services.
Shell profiles and command sets for device administration services.
User Selected Service Type—External Proxy
External Proxy Servers—Select the set of external servers to be used for proxies. You can also determine the order in which these servers
are used.
Available External Proxy
List of available external RADIUS and TACACS+ servers. Select the external servers to be used
for proxy and move them to the Selected External Proxy Servers list.
Selected External Proxy
List of selected external proxy servers.
Advanced Options
Remote Accounting Check to enable remote accounting.
Local Accounting Check to enable local accounting.
Username Prefix\Suffix Stripping
Strip start of subject name up to the first occurrence of the separator
Check to strip the prefix from the username. For example, if the subject name is acme\smith and
the separator is \, the username becomes smith. The default separator is \.
Strip end of subject name from the last occurrence of the separator
Check to strip the suffix from the username. For example, if the subject name is
smith@acme.com and the separator is @, the username becomes smith. The default separator is
RADIUS Attributes—The RADIUS attributes are used for manipulating the incoming attributes before sending them to the proxy server.
Add After you define a RADIUS attribute, click ADD to add it to the RADIUS attributes list.
Table 10-6 Access Service Properties—General Page (continued)
Option Description
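
The two Username Prefix\Suffix Stripping options in the table, as an added Python example (not Cisco's code and not part of the original guide): it applies the first-occurrence and last-occurrence rules as the table words them and lists subject names that collapse to the same username once stripped. The function names, the sample names, and applying prefix stripping before suffix stripping are assumptions; the suffix separator is always passed explicitly.

```python
from collections import defaultdict


def strip_subject_name(name, *, strip_prefix=False, prefix_sep="\\",
                       strip_suffix=False, suffix_sep=None):
    """Apply the two stripping options as the table describes them.

    Assumption: when both options are checked, the prefix is stripped first.
    """
    if strip_prefix and prefix_sep and prefix_sep in name:
        # Drop everything up to and including the FIRST separator.
        name = name.split(prefix_sep, 1)[1]
    if strip_suffix and suffix_sep and suffix_sep in name:
        # Drop everything from the LAST separator onward.
        name = name.rsplit(suffix_sep, 1)[0]
    return name


def find_collisions(names, **options):
    """Return {stripped username: [original names]} for names that collide."""
    groups = defaultdict(set)
    for original in names:
        groups[strip_subject_name(original, **options)].add(original)
    return {user: sorted(orig) for user, orig in groups.items() if len(orig) > 1}


# Constructed sample subject names (not taken from any real deployment).
SAMPLE = [
    "acme\\smith",      # example from the table
    "lab\\smith",       # different prefix, same user part
    "smith@acme.com",   # example from the table
    "jones@acme.com",
    "corp\\eu\\lee",    # two separators: only the first prefix is removed
]

if __name__ == "__main__":
    opts = dict(strip_prefix=True, strip_suffix=True, suffix_sep="@")
    for subject in SAMPLE:
        print(f"{subject!r:20} -> {strip_subject_name(subject, **opts)!r}")
    # Names that the proxy server would no longer be able to tell apart.
    for user, originals in find_collisions(SAMPLE, **opts).items():
        print(f"collision on {user!r}: {originals}")
```

Running the collision check over an export of real subject names before enabling stripping shows which accounts the external proxy server would see as the same user.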