User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 3 ACS 5.x Policy Model
Service Selection Policy
Rules-Based Service Selection
In the rules-based service selection mode, ACS decides which access service to use by evaluating a set of
configurable conditions against each request. Some of the available conditions are:
AAA Protocol—The protocol used for the request, TACACS+ or RADIUS.
Request Attributes—RADIUS or TACACS+ attributes in the request.
Date and Time—The date and time ACS receives the request.
Network Device Group—The network device group that the AAA client belongs to.
ACS Server—The ACS server that receives this request.
AAA Client—The AAA client that sent the request.
Network condition objects—The network conditions can be based on:
End Station—End stations that initiate and terminate connections.
Device—The AAA client that processes the request.
Device Port—In addition to the device, this condition also checks the port with which the end
station is associated.
For more information on policy conditions, see Managing Policy Conditions, page 9-1.
ACS comes preconfigured with two default access services: Default Device Admin and Default Network
Access. The rules-based service selection mode is preconfigured to use the AAA protocol as the selection
criterion: when a TACACS+ request comes in, the Default Device Admin service is used, and
when a RADIUS request comes in, the Default Network Access service is used.
Access Services and Service Selection Scenarios
ACS allows an organization to manage its identity and access control requirements for multiple
scenarios, such as wired, wireless, remote VPN, and device administration. The access services play a
major role in supporting these different scenarios.
Access services allow the creation of distinct and separate network access policies to address the unique
policy requirements of different network access scenarios. With distinct policies for different scenarios,
you can better manage your organization's network.
For example, the default access services for device administration and network access reflect the typical
distinction in policy that is required for network administrators accessing network devices and an
organization's staff accessing the company’s network.
However, you can create multiple access services to distinguish the different administrative domains. For
example, wireless access in the Asia Pacific regions can be administered by a different team than the one
that manages wireless access for European users. This situation calls for the following access services:
APAC-wireless—Access service for wireless users in the Asia Pacific region.
Europe-wireless—Access service for wireless users in the European countries.
You can also create additional access services to keep the policy within any single access service simple,
by splitting a complex policy across multiple access services. For example, if a large organization
wishes to deploy 802.1x network access, it can have the following access services:
802.1x—For machine, user password, and certificate-based authentication for permanent staff.
Agentless Devices—For devices that do not have an EAP supplicant, such as phones and printers.
Guest Access—For users accessing guest wireless networks.
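The following is an added illustration, not Cisco ACS code, of how rules-based service selection behaves: rules are evaluated top to bottom over the condition types listed above (AAA protocol, request attributes, date and time, network device group, ACS server, AAA client), and the first rule whose conditions all hold chooses the access service. It reproduces the preconfigured protocol-based defaults and then adds rules for the APAC-wireless/Europe-wireless and 802.1x/Agentless Devices/Guest Access scenarios. The network device group names (Location:APAC, Type:Wireless, Type:Guest-WLAN), the Service-Type attribute values used to tell agentless devices from 802.1x supplicants, and the behaviour when no rule matches (None, meaning the request is not serviced) are assumptions made for this example.

```python
"""Model of ACS rules-based service selection (constructed example, not ACS code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, FrozenSet, List, Optional

Condition = Callable[["Request"], bool]


@dataclass
class Request:
    protocol: str                  # AAA protocol: "RADIUS" or "TACACS+"
    attributes: Dict[str, str]     # RADIUS or TACACS+ attributes in the request
    device_groups: FrozenSet[str]  # network device groups the AAA client belongs to
    acs_server: str                # ACS server that received the request
    aaa_client: str                # AAA client that sent the request
    received_at: datetime          # date and time ACS received the request


@dataclass
class Rule:
    name: str
    conditions: tuple              # every condition must hold for the rule to match
    service: str                   # access service selected when the rule matches


# One condition builder per selection option described on the page.
def protocol_is(name: str) -> Condition:
    return lambda r: r.protocol == name

def attribute_equals(attr: str, value: str) -> Condition:
    return lambda r: r.attributes.get(attr) == value

def in_device_group(group: str) -> Condition:
    return lambda r: group in r.device_groups

def acs_server_is(name: str) -> Condition:
    return lambda r: r.acs_server == name

def received_between(start: time, end: time) -> Condition:
    return lambda r: start <= r.received_at.time() <= end


def select_service(rules: List[Rule], request: Request) -> Optional[str]:
    """First-match evaluation: rules are checked in order and the first rule
    whose conditions all hold chooses the access service. None means no rule
    matched (assumed here to mean the request is not serviced)."""
    for rule in rules:
        if all(cond(request) for cond in rule.conditions):
            return rule.service
    return None


# Preconfigured behaviour: the AAA protocol is the only selection criterion.
DEFAULT_RULES = [
    Rule("Device admin", (protocol_is("TACACS+"),), "Default Device Admin"),
    Rule("Network access", (protocol_is("RADIUS"),), "Default Network Access"),
]

# Scenario rules placed ABOVE the defaults so the more specific rule wins.
# NDG names and the Service-Type values are assumptions for this example.
SCENARIO_RULES = [
    Rule("APAC wireless",
         (protocol_is("RADIUS"), in_device_group("Location:APAC"),
          in_device_group("Type:Wireless")), "APAC-wireless"),
    Rule("Europe wireless",
         (protocol_is("RADIUS"), in_device_group("Location:Europe"),
          in_device_group("Type:Wireless")), "Europe-wireless"),
    Rule("Guest",
         (protocol_is("RADIUS"), in_device_group("Type:Guest-WLAN")),
         "Guest Access"),
    Rule("Agentless",
         (protocol_is("RADIUS"), attribute_equals("Service-Type", "Call-Check")),
         "Agentless Devices"),
    Rule("802.1x",
         (protocol_is("RADIUS"), attribute_equals("Service-Type", "Framed")),
         "802.1x"),
] + DEFAULT_RULES


def sample_request(protocol: str, groups=(), attrs=None) -> Request:
    """Constructed sample request with a fixed timestamp for repeatability."""
    return Request(protocol, dict(attrs or {}), frozenset(groups),
                   "acs-1", "switch-1", datetime(2013, 1, 15, 9, 30))


if __name__ == "__main__":
    print(select_service(DEFAULT_RULES, sample_request("TACACS+")))
    print(select_service(SCENARIO_RULES,
                         sample_request("RADIUS", ["Location:APAC", "Type:Wireless"])))
```

Rule order is the design point: because evaluation stops at the first match, the protocol-only defaults must sit at the bottom of the list, or a RADIUS request from an APAC wireless controller would be routed to Default Network Access before the APAC-wireless rule is ever reached.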