3-15
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 3 ACS 5.x Policy Model
Service Selection Policy
The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute
values in the access request do not match any rules.
ACS evaluates a set of rules in the first-match rule table by comparing the values of the attributes
associated with the current access request with a set of conditions expressed in a rule.
If the attribute values do not match the conditions, ACS proceeds to the next rule in the rule table.
If the attribute values match the conditions, ACS applies the result that is specified for that rule, and
ignores all remaining rules.
If the attribute values do not match any of the conditions, ACS applies the result that is specified for
the policy default rule.
Related Topics
Policy Terminology, page 3-3
Policy Conditions, page 3-16
Policy Results, page 3-16
Exception Authorization Policy Rules, page 3-12
Column          Description
Status          You can define the status of a rule as enabled, disabled, or monitored:
                Enabled—ACS evaluates an enabled rule, and when the rule conditions match the access request,
                ACS applies the rule result.
                Disabled—The rule appears in the rule table, but ACS skips this rule and does not evaluate it.
                Monitor Only—ACS evaluates a monitored rule. If the rule conditions match the access request, ACS
                creates a log record with information relating to the match. ACS does not apply the result, and
                processing continues with the following rules. Use this status during a running-in period for a
                rule to see whether it is needed.
Name            Descriptive name. You can specify any name that describes the rule’s purpose. By default, ACS
                generates rule name strings in the form rule-number.
Conditions
Identity Group  In this example, this rule matches against one of the internal identity groups.
NDG: Location   Location network device group. The two predefined NDGs are Location and Device Type.
Results
Shell Profile   Used for device administration-type policies; contains permissions for a TACACS+ shell access
                request, such as the Cisco IOS privilege level.
Hit Counts      Displays the number of times a rule matched an incoming request since the last reset of the
                policy’s hit counters. ACS counts hits for any monitored or enabled rule whose conditions all
                matched an incoming request. Hit counts for:
                Enabled rules reflect the matches that occur when ACS processes requests.
                Monitored rules reflect the counts that would result for these rules if they were enabled when
                ACS processed the requests.
                The primary server in an ACS deployment displays the hit counts, which represent the total
                matches for each rule across all servers in the deployment. On a secondary server, all hit counts
                in policy tables appear as zeroes.
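The first-match evaluation described at the top of this page, together with the Enabled, Disabled and Monitor Only statuses and the hit counters from the table, modelled as an added example. This is constructed illustration code, not Cisco's implementation; the rule names, attribute names (IdentityGroup, NDG:Location) and shell profile names are assumptions chosen to mirror the example table.

```python
from dataclasses import dataclass

# Constructed model of an ACS 5.x first-match rule table; names and values are
# illustrative and are not Cisco's implementation.

@dataclass
class Rule:
    name: str
    status: str            # "enabled", "disabled", or "monitor" (Monitor Only)
    conditions: dict       # attribute -> required value; every condition must match
    result: str            # the policy result, e.g. a shell profile name
    hit_count: int = 0     # incremented for enabled and monitored rules that match

    def matches(self, request: dict) -> bool:
        return all(request.get(attr) == value for attr, value in self.conditions.items())


def evaluate(rules: list, default_result: str, request: dict, log: list) -> str:
    """Walk the table top to bottom; return the result of the first enabled rule
    whose conditions all match, or the default rule's result if none does."""
    for rule in rules:
        if rule.status == "disabled":
            continue                       # present in the table but never evaluated
        if not rule.matches(request):
            continue                       # conditions not met: try the next rule
        rule.hit_count += 1                # hits are counted for enabled and monitored rules
        if rule.status == "monitor":
            # Log the match but do not apply the result; keep processing rules.
            log.append(f"monitor-only rule {rule.name} matched {request}")
            continue
        return rule.result                 # first match wins; remaining rules are ignored
    return default_result


def example_table() -> list:
    """Constructed three-rule device-administration policy (assumed values)."""
    return [
        Rule("rule-1", "disabled", {"IdentityGroup": "NetAdmins"}, "Priv15-Shell"),
        Rule("rule-2", "monitor", {"NDG:Location": "HQ"}, "Priv7-Shell"),
        Rule("rule-3", "enabled", {"IdentityGroup": "NetAdmins", "NDG:Location": "HQ"}, "Priv15-Shell"),
    ]


if __name__ == "__main__":
    rules, log = example_table(), []
    req = {"IdentityGroup": "NetAdmins", "NDG:Location": "HQ"}
    print(evaluate(rules, "Deny-Access", req, log))       # Priv15-Shell, via rule-3
    print([(r.name, r.hit_count) for r in rules], log)   # rule-2 only logged and counted
```

Running it shows rule-1 never counted, rule-2 counted and logged without stopping evaluation, and rule-3 supplying the result; a request matching no rule falls through to the default result.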