Chapter 9 Managing Policy Elements

Managing Policy Conditions

You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more information about creating identity groups, see Managing Identity Attributes, page 8-7.

Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 device hierarchies. You can include hierarchy elements in policy conditions. For more information about creating NDGs, see Network Device Groups, page 7-2.

Date and Time Conditions—You can create named conditions that define specific time intervals across specific days of the week. You can also associate expiry dates with date and time conditions.

A date and time condition is a condition that takes the current date and time and effectively returns either true or false to indicate whether or not the condition is met. There are two components within the date and time condition:

Enable Duration—You have the option to limit the duration during which the condition is enabled by specifying an optional start time, end time, or both. This component allows you to create rules with limited time durations that effectively expire.

If the condition is not enabled, then this component of the date and time condition returns false.

Time Intervals—On the ACS web interface, you see a grid of time that shows the days of the week and the hours within each day. Each cell in the grid represents one hour. You can either set or clear the cells.

If the date and time when a request is processed falls at a time when the corresponding time interval is set, then this component of the date and time condition returns true.

Both components of the date and time condition are considered while processing a request. The date and time condition is evaluated as true only if both components return a true value.
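The two-component evaluation described above, written out as an added example (not ACS code; the class and method names are assumptions chosen for illustration): an optional enable duration and a 7x24 grid of set hours, combined so that the condition is met only when both components return true.

```python
from datetime import datetime
from typing import Optional, Set, Tuple

# Illustrative model only; DateTimeCondition and is_met are not ACS API names.
Hour = Tuple[int, int]  # (weekday 0=Monday..6=Sunday, hour 0..23): one grid cell


class DateTimeCondition:
    """Models an ACS date and time condition: an optional enable duration
    plus a 7x24 grid of set hours. Both components must hold."""

    def __init__(self, active_cells: Set[Hour],
                 start: Optional[datetime] = None,
                 end: Optional[datetime] = None) -> None:
        self.active_cells = active_cells
        self.start = start   # None: no lower bound on the enable duration
        self.end = end       # None: the condition never expires

    def is_enabled(self, now: datetime) -> bool:
        """Enable Duration component: false outside [start, end]."""
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now > self.end:
            return False
        return True

    def interval_matches(self, now: datetime) -> bool:
        """Time Intervals component: true only if the grid cell for this
        weekday and hour is set."""
        return (now.weekday(), now.hour) in self.active_cells

    def is_met(self, now: datetime) -> bool:
        """The whole condition is true only when both components are true."""
        return self.is_enabled(now) and self.interval_matches(now)


def business_hours() -> Set[Hour]:
    """Constructed sample grid: Mon-Fri, cells 08:00 through 17:59 set."""
    return {(day, hour) for day in range(5) for hour in range(8, 18)}


# Constructed sample rule: business hours, enabled for calendar year 2012 only.
CONTRACTOR_ACCESS = DateTimeCondition(
    business_hours(),
    start=datetime(2012, 1, 1, 0, 0),
    end=datetime(2012, 12, 31, 23, 59),
)
```

A request processed on a weekday at 10:30 during 2012 is met, while the same weekday and hour in 2013 fails because the enable duration has expired, even though the grid cell is still set.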

Network Conditions—You can create filters of the following types to restrict access to the network:

End Station Filters—Based on end stations that initiate and terminate the connection. End stations may be identified by IP address, MAC address, calling line identification (CLI), or dialed number identification service (DNIS) fields obtained from the request.

Network Device Filters—Based on the AAA client that processes the request. A network device can be identified by its IP address, by the device name that is defined in the network device repository, or by the NDG.

Device Port Filters—The network device definition can be supplemented by the device port with which the end station is associated.

Each network device condition defines a list of objects that can then be included in policy conditions, resulting in a set of definitions that are matched against those presented in the request.

The operator that you use in the condition can be either match or no matches. With match, the value presented in the request must match at least one entry within the network condition. With no matches, the value presented must not match any entry in the set of objects that is present in the filter.

You can include Protocol and Identity attributes in a condition by defining them in custom conditions or in compound conditions.

You define compound conditions in the policy rule properties page and not as a separate named condition. See Configuring Compound Conditions, page 10-40.

Custom conditions and Date and Time conditions are called session conditions.

This section contains the following topics:

Creating, Duplicating, and Editing a Date and Time Condition, page 9-3

Creating, Duplicating, and Editing a Custom Session Condition, page 9-5

User Guide for Cisco Secure Access Control System 5.3

9-2

OL-24201-01
