10-22
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Access Service Policies
You configure access service policies after you create the access service:
Viewing Identity Policies, page 10-22
Configuring Identity Policy Rule Properties, page 10-25
Configuring a Group Mapping Policy, page 10-27
Configuring a Session Authorization Policy for Network Access, page 10-30
Configuring Shell/Command Authorization Policies for Device Administration, page 10-35
You can configure simple policies that apply the same result to all incoming requests, or you can create
rule-based policies.
Note: If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes
the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a
simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default
rule as the simple policy.
Before you begin to configure policy rules, you must:
Configure the policy conditions and results. See Managing Policy Conditions, page 9-1.
Select the types of conditions and results that the policy rules apply. See Customizing a Policy,
page 10-4.
For information about configuring policy rules, see:
Creating Policy Rules, page 10-38
Duplicating a Rule, page 10-39
Editing Policy Rules, page 10-39
Deleting Policy Rules, page 10-40

Viewing Identity Policies

The identity policy in an access service defines the identity source that ACS uses for authentication and
attribute retrieval. ACS can use the retrieved attributes in subsequent policies.
The identity source for:
Password-based authentication can be a single identity store, or an identity store sequence.
Certificate-based authentication can be a certificate authentication profile, or an identity store
sequence.
An identity store sequence defines the sequence that is used for authentication and an optional additional
sequence to retrieve attributes. See Configuring Identity Store Sequences, page 8-77.
If you created an access service that includes an identity policy, you can configure and modify this
policy. You can configure a simple policy, which applies the same identity source for authentication of
all requests; or, you can configure a rule-based identity policy.
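
The note above on switching between simple and rule-based policies, applied to an identity policy, as an added example that is not from the Cisco guide or from ACS itself: a small Python model that lists which sample requests would resolve to a different identity source if a rule-based policy were changed to a simple one. The class names, attribute names and sample data are assumptions, and top-down first-match rule evaluation is assumed.

```python
# Illustrative model only: class and field names are assumptions, not ACS
# objects or an ACS API. Rules are assumed to be evaluated top-down, first match.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    conditions: dict   # attribute -> required value (all must match)
    result: str        # identity source selected when the rule matches

@dataclass
class Policy:
    default_result: str                         # the default rule's result
    rules: list = field(default_factory=list)   # empty list == simple policy

    def evaluate(self, request: dict) -> str:
        for rule in self.rules:
            if all(request.get(k) == v for k, v in rule.conditions.items()):
                return rule.result
        return self.default_result

def to_rule_based(simple: Policy) -> Policy:
    # The saved simple policy becomes the default rule of the rule-based policy.
    return Policy(simple.default_result, [])

def to_simple(rule_based: Policy) -> Policy:
    # All rules except the default rule are lost; the default rule is kept.
    return Policy(rule_based.default_result, [])

def conversion_impact(rule_based: Policy, sample_requests: list) -> list:
    """Return (request, before, after) for requests whose result would change."""
    simple = to_simple(rule_based)
    results = [(r, rule_based.evaluate(r), simple.evaluate(r)) for r in sample_requests]
    return [x for x in results if x[1] != x[2]]

# Constructed sample identity policy and requests (not from a real deployment).
IDENTITY_POLICY = Policy("Internal Users", [
    Rule("wireless-certs", {"protocol": "EAP-TLS"}, "Cert Auth Profile"),
    Rule("vpn-users", {"device_type": "VPN"}, "AD then Internal sequence"),
])
SAMPLE_REQUESTS = [
    {"protocol": "EAP-TLS", "device_type": "WLC"},
    {"protocol": "PAP", "device_type": "VPN"},
    {"protocol": "PAP", "device_type": "Switch"},
]

if __name__ == "__main__":
    for req, before, after in conversion_impact(IDENTITY_POLICY, SAMPLE_REQUESTS):
        print(f"{req}: {before!r} -> {after!r}")
```

Running a check like this against representative requests before changing the policy type shows which authentications would fall through to the default identity source.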