Cisco Systems OL-24201-01 manual Conditions, 10-9

Option

Description

Name

Status

Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule statuses are:

•Enabled—The rule is active.

•Disabled—ACS does not apply the results of the rule.

•Monitor Only—The rule is active but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

conditions

Conditions that you can configure for the rule.

By default, the compound condition appears. Click Customize in the Policy page to change the conditions that appear.

The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.

If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 10-40.

Note The Service selection policy, which contains a compound condition with TACACS+ username, does not work consistently. The policy works only when the first TACACS+ authentication request contains a username. If the first packet does not have the username and when ACS requests NAS for the username, the TACACS+ username condition is not matched. Therefore, the request meets the default deny access condition and fails to meet the proper access service.

Service

Name of the access service that runs as a result of the evaluation of the rule.