4-27
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
Step 7 Click Finish.
Creating an Endpoint Admission Control Policy
After you create a service, you configure the endpoint admission control policy. The endpoint admission
control policy returns an authorization profile and a security group tag (SGT) for the endpoint. You can
create multiple rules and configure the Default Rule. The defaults for the Default Rule are Deny Access
and the Unknown security group.
To add a session authorization policy for an access service:
Step 1 Choose Access Policies > Access Services > service > Authorization.
Step 2 Configure an Authorization Policy. See Configuring a Session Authorization Policy for Network Access,
page 10-30.
Step 3 Fill in the fields in the Network Access Authorization Rule Properties page.
The Default Rule applies when no rule matches or when no rules are defined. Its default result is
Deny Access, which denies the endpoint access to the network, and its security group tag is Unknown.
You can change the security group when creating the session authorization policy for Security Group
Access.
Step 4 Click OK.
Step 5 Choose Access Policies > Service Selection Policy to choose which services to include in the endpoint
policy. See Configuring the Service Selection Policy, page 10-5, for more information.
Step 6 Fill in the fields in the Service Selection Policy pages.
Step 7 Click Save Changes.
Creating an Egress Policy
The Egress policy (sometimes called SGACL policy) determines which SGACLs to apply at the egress
points of the network, based on the source and destination SGT of the traffic. The Egress policy is
represented as a matrix: the X and Y axes represent the destination and source SGT, respectively, and
each cell contains the set of SGACLs to apply at the intersection of those two SGTs.
Any security group can take the role of a source SGT, if an endpoint (or Security Group Access device)
that carries this SGT sends the packet. Any security group can take the role of a destination SGT, if the
packet is targeting an endpoint (or Security Group Access device) that carries this SGT. Therefore, the
Egress matrix lists all of the existing security groups on both axes, making it a Cartesian product of the
SGT set with itself (SGT x SGT).
The first row (topmost) of the matrix contains the column headers, which display the destination SGT.
The first column (far left) contains the row titles, with the source SG displayed. At the intersection of
these axes lies the origin cell (top left) that contains the titles of the axes, namely, Destination and
Source.
All other cells are internal matrix cells that contain the SGACLs defined for that source/destination pair.
The rows and columns are ordered alphabetically by SGT name. Each SGACL can contain up to 200 ACEs.
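The following Python is an added example, not Cisco code and not from this guide. It models the two objects described above: the endpoint admission control policy (first-match rules that return an authorization profile and an SGT, falling back to the Default Rule of Deny Access and the Unknown security group) and the Egress policy matrix (the alphabetically ordered SGT x SGT Cartesian product whose cells hold SGACL names, with the 200-ACE limit enforced per SGACL). The rule names, endpoint attributes, SGACL names and ACE strings are constructed for illustration; only the Deny Access / Unknown defaults and the 200-ACE limit come from the guide.

```python
from itertools import product

MAX_ACES_PER_SGACL = 200       # per-SGACL ACE limit stated in the guide
DENY_ACCESS = "Deny Access"    # default authorization result of the Default Rule
UNKNOWN_SGT = "Unknown"        # default security group of the Default Rule

# Endpoint admission control rules (constructed for illustration). Each rule is
# (name, condition on endpoint attributes, authorization profile, SGT). ACS
# evaluates rules top to bottom and uses the first match.
ADMISSION_RULES = [
    ("Rule-Employees", lambda ep: "Employees" in ep["groups"], "Permit Access", "Employee"),
    ("Rule-Contractors", lambda ep: "Contractors" in ep["groups"], "Permit Access", "Contractor"),
]
# The Default Rule applies when no rule matches or no rules are defined.
DEFAULT_RULE = ("Default Rule", DENY_ACCESS, UNKNOWN_SGT)


def admit(endpoint, rules=ADMISSION_RULES, default=DEFAULT_RULE):
    """Return (rule name, authorization profile, SGT) for one endpoint."""
    for name, condition, profile, sgt in rules:
        if condition(endpoint):
            return name, profile, sgt
    return default


class EgressMatrix:
    """SGT x SGT matrix; each cell holds the SGACL names applied at egress."""

    def __init__(self, security_groups):
        # Both axes list every security group (Unknown included), ordered by name.
        self.sgts = sorted(set(security_groups) | {UNKNOWN_SGT})
        self.cells = {pair: [] for pair in product(self.sgts, repeat=2)}
        self.sgacls = {}

    def define_sgacl(self, name, aces):
        """Register an SGACL, rejecting one that exceeds the ACE limit."""
        if len(aces) > MAX_ACES_PER_SGACL:
            raise ValueError(f"{name}: {len(aces)} ACEs exceeds {MAX_ACES_PER_SGACL}")
        self.sgacls[name] = list(aces)

    def assign(self, source, destination, sgacl):
        """Add an already-defined SGACL to the (source, destination) cell."""
        if (source, destination) not in self.cells:
            raise KeyError(f"no cell for source={source!r} destination={destination!r}")
        if sgacl not in self.sgacls:
            raise KeyError(f"undefined SGACL {sgacl!r}")
        self.cells[(source, destination)].append(sgacl)

    def lookup(self, source, destination):
        """SGACLs an egress device applies to traffic from source SGT to destination SGT."""
        return list(self.cells[(source, destination)])

    def render(self):
        """Text form: header row = destination SGTs, first column = source SGTs."""
        rows = [["Source\\Destination"] + self.sgts]
        for src in self.sgts:
            rows.append([src] + [",".join(self.cells[(src, dst)]) or "-" for dst in self.sgts])
        return "\n".join(" | ".join(f"{cell:<20}" for cell in row) for row in rows)


def demo():
    """Admit three constructed endpoints, then look up their egress SGACLs toward Servers."""
    matrix = EgressMatrix(["Employee", "Contractor", "Servers"])
    matrix.define_sgacl("Permit-Web", ["permit tcp dst eq 443", "permit tcp dst eq 80"])
    matrix.define_sgacl("Deny-All", ["deny ip"])
    matrix.assign("Employee", "Servers", "Permit-Web")
    matrix.assign("Contractor", "Servers", "Deny-All")
    matrix.assign(UNKNOWN_SGT, "Servers", "Deny-All")   # untagged/denied endpoints

    endpoints = {                      # constructed sample input
        "alice": {"groups": ["Employees"]},
        "bob": {"groups": ["Contractors"]},
        "printer": {"groups": []},     # matches no rule -> Default Rule
    }
    results = {}
    for name, ep in endpoints.items():
        rule, profile, sgt = admit(ep)
        results[name] = (rule, profile, sgt, matrix.lookup(sgt, "Servers"))
    return matrix, results


if __name__ == "__main__":
    matrix, results = demo()
    print(matrix.render())
    for name, outcome in results.items():
        print(name, outcome)
```

Two points the model makes visible: the matrix size is the square of the number of security groups, so every group added to ACS adds a full row and column to review; and a cell left empty (for example Servers to Employee here) carries no SGACL at all, and this section of the guide does not say what the egress device does in that case, so the example simply returns an empty list.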