Chapter 10 Managing Access Policies

Configuring Access Service Policies


You configure access service policies after you create the access service:

Viewing Identity Policies, page 10-21

Configuring Identity Policy Rule Properties, page 10-24

Configuring a Group Mapping Policy, page 10-26

Configuring a Session Authorization Policy for Network Access, page 10-29


Configuring Shell/Command Authorization Policies for Device Administration, page 10-34

You can configure simple policies to apply the same result to all incoming requests, or you can create rule-based policies.

Note If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy. If you have saved a rule-based policy and then change to a simple policy, you will lose all your rules except for the default rule. ACS automatically uses the default rule as the simple policy.
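The switch described in the note, modeled as an added Python example (not part of the Cisco guide and not ACS code). It assumes first-match rule evaluation and uses constructed rule names, attributes and identity source names; it lists the rules that would be lost and the sample requests whose result would change when a rule-based policy is changed to a simple one.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    conditions: dict  # attribute -> required value (constructed attribute names)
    result: str       # e.g. the identity source to use

@dataclass
class Policy:
    default_result: str                        # simple policy == default rule only
    rules: list = field(default_factory=list)  # non-empty == rule-based policy

    def evaluate(self, request: dict) -> str:
        # Assumption: rules are checked top-down and the first match wins.
        for rule in self.rules:
            if all(request.get(k) == v for k, v in rule.conditions.items()):
                return rule.result
        return self.default_result

def to_rule_based(simple: Policy) -> Policy:
    # The saved simple policy becomes the default rule; no other rules exist yet.
    return Policy(default_result=simple.default_result)

def to_simple(policy: Policy):
    # Only the default rule survives; every other rule is lost.
    return Policy(default_result=policy.default_result), list(policy.rules)

def impact_of_switch(policy: Policy, requests: list):
    """Return (names of rules that would be lost, requests whose result changes)."""
    simple, dropped = to_simple(policy)
    changed = []
    for req in requests:
        before, after = policy.evaluate(req), simple.evaluate(req)
        if before != after:
            changed.append((req, before, after))
    return [r.name for r in dropped], changed

# Constructed sample data: rule names, attributes and identity sources are made up.
SAMPLE_POLICY = Policy(
    default_result="Internal-Users",
    rules=[Rule("vpn-users", {"device_type": "vpn"}, "AD-Corp"),
           Rule("wireless-certs", {"device_type": "wlc"}, "Cert-Sequence")],
)
SAMPLE_REQUESTS = [{"device_type": "vpn"}, {"device_type": "wlc"}, {"device_type": "switch"}]

if __name__ == "__main__":
    lost, changed = impact_of_switch(SAMPLE_POLICY, SAMPLE_REQUESTS)
    print("Rules lost:", lost)
    for req, before, after in changed:
        print(f"{req}: {before} -> {after}")
```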

Before you begin to configure policy rules, you must:

Configure the policy conditions and results. See Managing Policy Conditions, page 9-1.

Select the types of conditions and results that the policy rules apply. See Customizing a Policy, page 10-4.

For information about configuring policy rules, see:

Creating Policy Rules, page 10-37

Duplicating a Rule, page 10-38

Editing Policy Rules, page 10-38

Deleting Policy Rules, page 10-39

Viewing Identity Policies

The identity policy in an access service defines the identity source that ACS uses for authentication and attribute retrieval. ACS can use the retrieved attributes in subsequent policies.

The identity source for:

Password-based authentication can be a single identity store, or an identity store sequence.

Certificate-based authentication can be a certificate authentication profile, or an identity store sequence.

An identity store sequence defines the sequence that is used for authentication and an optional additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 8-74.

If you created an access service that includes an identity policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity source for authentication of all requests; or, you can configure a rule-based identity policy.

 

 

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01