Chapter 10 Managing Access Policies

Configuring the Service Selection Policy

Creating, Duplicating, and Editing Service Selection Rules

Create service selection rules to determine which access service processes incoming requests. The Default Rule provides a default access service in cases where no rules are matched or defined.

When you create rules, remember that the order of the rules is important. ACS evaluates the rules in order as it processes the request of a client that tries to access the ACS network. At the first match, all further processing stops and the result associated with that match is used. No further rules are considered after a match is found.
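As an added illustration (not Cisco's code and not part of the guide), the Python below models first-match evaluation with a Default Rule fallback and flags rules that an earlier, broader rule makes unreachable. Rule names, condition attributes, and access service names are constructed, and conditions are simplified to exact-match pairs.

```python
"""First-match rule evaluation with a Default Rule, plus a shadowed-rule audit.

Added illustration; rule names, condition attributes and access service
names are constructed. Conditions are simplified to exact-match pairs.
"""

RULES = [  # constructed sample policy, listed in evaluation order
    ("Rule-1", {"protocol": "tacacs"}, "svc-device-admin"),
    ("Rule-2", {"protocol": "radius", "device_group": "wireless"}, "svc-wireless"),
    ("Rule-3", {"protocol": "tacacs", "device_group": "core"}, "svc-core-admin"),
]
DEFAULT_SERVICE = "svc-default"  # constructed; result of the Default Rule


def select_service(rules, default_service, request):
    """Return (rule name, access service) for the first rule that matches."""
    for name, conditions, service in rules:
        if not conditions:
            raise ValueError(f"{name}: a user-defined rule needs at least one condition")
        if all(request.get(attr) == value for attr, value in conditions.items()):
            return name, service  # first match wins; later rules are never consulted
    return "Default", default_service  # no rule matched


def shadowed_rules(rules):
    """List (rule, shadowing rule, results differ) for rules that can never match.

    An earlier rule shadows a later one when every condition of the earlier
    rule appears, with the same value, in the later rule.
    """
    findings = []
    for i, (name, conditions, service) in enumerate(rules):
        for earlier_name, earlier_conditions, earlier_service in rules[:i]:
            if earlier_conditions.items() <= conditions.items():
                findings.append((name, earlier_name, earlier_service != service))
                break
    return findings


if __name__ == "__main__":
    request = {"protocol": "tacacs", "device_group": "core"}  # constructed request
    print(select_service(RULES, DEFAULT_SERVICE, request))
    for rule, blocker, differs in shadowed_rules(RULES):
        print(f"{rule} is unreachable behind {blocker}; results differ: {differs}")
```

A shadowed rule whose result differs from the rule ahead of it means requests are handled by a different access service than the rule's author intended, which is worth checking after any reordering or duplication.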

You can duplicate a service selection rule to create a new rule that is the same as, or very similar to, an existing rule. The duplicate rule name is based on the original rule name, with parentheses to indicate duplication; for example, Rule-1(1). After duplication is complete, you access each rule (original and duplicated) separately. You cannot duplicate the Default rule.

You can edit all values of service selection rules; you can edit the specified access service in the Default rule.

Note: To configure a simple policy to apply the same access service to all requests, see Configuring a Simple Service Selection Policy, page 10-6.

Before You Begin

Configure the conditions that you want to use in the service selection policy. See Managing Policy Conditions, page 9-1.

Note: Identity-related attributes are not available as conditions in a service selection policy.

Create the access services that you want to use in the service selection policy. See Creating, Duplicating, and Editing Access Services, page 10-12. You do not need to configure policies in the access service before configuring the service selection policy.

Configure the types of conditions to use in the policy rules. See Customizing a Policy, page 10-4, for more information.

To create, duplicate, or edit a service selection policy rule:

Step 1 Select Access Policies > Service Selection Policy. If you:

• Previously created a rule-based policy, the Rule-Based Service Selection Policy page appears with a list of configured rules.

• Have not created a rule-based policy, the Simple Service Selection Policy page appears. Click Rule-Based.

Step 2 Do one of the following:

• Click Create.

• Check the check box next to the rule that you want to duplicate; then click Duplicate.

• Click the rule name that you want to modify; or, check the check box next to the name and click Edit.

The Rule page appears.

Step 3 Enter or modify values:

User-defined rules—You can edit any value. Ensure that you include at least one condition. If you are duplicating a rule, you must change the rule name.

 

User Guide for Cisco Secure Access Control System 5.3

10-8

OL-24201-01
