9-2
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 9 Managing Policy Elements
Managing Policy Conditions
You can map users and hosts to identity groups by using the group mapping policy. You can include identity groups in conditions to configure common policy conditions for all users in the group. For more information about creating identity groups, see Managing Identity Attributes, page 8-7.
Network Device Groups (NDGs)—Devices issuing requests are included in one or more of up to 12 device hierarchies. You can include hierarchy elements in policy conditions. For more information about creating NDGs, see Network Device Groups, page 7-2.
Date and Time Conditions—You can create named conditions that define specific time intervals across specific days of the week. You can also associate expiry dates with date and time conditions. A date and time condition evaluates the current date and time and returns either true or false to indicate whether the condition is met. There are two components within the date and time condition:

Enable Duration—You have the option to limit the duration during which the condition is enabled by specifying an optional start time, end time, or both. This component allows you to create rules with limited time durations that effectively expire. If the condition is not enabled at the time of the request, this component of the date and time condition returns false.

Time Intervals—On the ACS web interface, you see a grid of time that shows the days of the week and the hours within each day. Each cell in the grid represents one hour. You can either set or clear the cells. If the date and time when a request is processed falls within a time interval whose cell is set, this component of the date and time condition returns true.

Both components of the date and time condition are considered while processing a request. The date and time condition is evaluated as true only if both components return a true value.
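As an added illustration that is not part of the ACS documentation or product code, the following Python models the two-component evaluation described above: an optional start/end window and a 7x24 grid of set or cleared cells, with the condition true only when both components are true. The grid encoding, the class name and the business-hours sample schedule are constructed assumptions.

```python
from datetime import datetime
from typing import Iterable, Optional, Set, Tuple

Cell = Tuple[int, int]  # (weekday, hour): weekday 0=Mon..6=Sun, hour 0..23


def grid_from_rows(rows: Iterable[str]) -> Set[Cell]:
    """Build the set of 'set' cells from up to seven 24-character rows
    (Mon..Sun). 'X' marks a set hour, '.' a cleared one (constructed encoding)."""
    cells: Set[Cell] = set()
    for weekday, row in enumerate(rows):
        assert weekday < 7 and len(row) == 24, "grid must be 7 rows x 24 hours"
        cells.update((weekday, hour) for hour, ch in enumerate(row) if ch == "X")
    return cells


class DateTimeCondition:
    """Hypothetical model of an ACS date and time condition (not ACS code)."""

    def __init__(self, cells: Set[Cell], start: Optional[datetime] = None,
                 end: Optional[datetime] = None):
        self.cells, self.start, self.end = cells, start, end

    def enable_duration(self, now: datetime) -> bool:
        """Enable Duration component: an optional start and/or end bound the
        period in which the condition is enabled; outside it the result is false."""
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now > self.end:
            return False
        return True

    def time_interval(self, now: datetime) -> bool:
        """Time Intervals component: true only if the grid cell for the
        request's weekday and hour is set."""
        return (now.weekday(), now.hour) in self.cells

    def evaluate(self, now: datetime) -> bool:
        """Both components are considered; the condition is true only if both are."""
        return self.enable_duration(now) and self.time_interval(now)


# Constructed sample: Monday-Friday 08:00-17:59 set, weekend cleared,
# and the condition enabled only during calendar year 2024 (so it expires).
WORKDAY = "." * 8 + "X" * 10 + "." * 6
BUSINESS_HOURS = DateTimeCondition(
    grid_from_rows([WORKDAY] * 5 + ["." * 24] * 2),
    start=datetime(2024, 1, 1), end=datetime(2024, 12, 31, 23, 59, 59))


def business_hours_allow(year: int, month: int, day: int, hour: int) -> bool:
    """Evaluate the sample condition at a given point in time."""
    return BUSINESS_HOURS.evaluate(datetime(year, month, day, hour))
```

A request at 10:00 on a Wednesday in March 2024 is allowed, while the same hour on a Saturday, 18:00 on a weekday, or any time in 2025 (after the end time) is not.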
Network Conditions—You can create filters of the following types to restrict access to the network:

End Station Filters—Based on end stations that initiate and terminate the connection. End stations may be identified by IP address, MAC address, calling line identification (CLI), or dialed number identification service (DNIS) fields obtained from the request.

Network Device Filters—Based on the AAA client that processes the request. A network device can be identified by its IP address, by the device name that is defined in the network device repository, or by the NDG.

Device Port Filters—The network device definition can be supplemented by the device port that the end station is associated with.

Each network device condition defines a list of objects that can then be included in policy conditions, resulting in a set of definitions that are matched against those presented in the request. The operator that you use in the condition can be either match, in which case the value presented must match at least one entry within the network condition, or no matches, in which case it must not match any entry in the set of objects that is present in the filter.
You can include Protocol and Identity attributes in a condition by defining them in custom conditions or in compound conditions.

You define compound conditions in the policy rule properties page and not as a separate named condition. See Configuring Compound Conditions, page 10-40.

Custom conditions and Date and Time conditions are called session conditions.
This section contains the following topics:
Creating, Duplicating, and Editing a Date and Time Condition, page 9-3
Creating, Duplicating, and Editing a Custom Session Condition, page 9-5