Option Description, 10-22 | Cisco Systems OL-24201-01 instruction

Chapter 10 Managing Access Policies

Configuring Access Service Policies

In the rule-based policy, each rule contains one or more conditions and a result, which is the identity source to use for authentication. You can create, duplicate, edit, and delete rules within the identity policy; and you can enable and disable them.

Caution If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple identity policy:

Step 1 Select Access Policies > Access Services > service > Identity, where service is the name of the access service.

By default, the Simple Identity Policy page appears with the fields described in Table 10-9:

Table 10-9 Simple Identity Policy Page

Option	Description
Policy type	Defines the type of policy to configure:
	• Simple—Specifies the result to apply to all requests.
	• Rule-based—Configure rules to apply different results, depending on the request.
	If you switch between policy types, you will lose your previously saved policy configuration.

Identity Source	Identity source to apply to all requests. The default is Deny Access. For:

•Password-based authentication, choose a single identity store, or an identity store sequence.

•Certificate-based authentication, choose a certificate authentication profile, or an identity store sequence.

	The identity store sequence defines the sequence that is used for authentication and an optional
	additional sequence to retrieve attributes. See Configuring Identity Store Sequences, page 8-74.

Advanced options	Specifies whether to reject or drop the request, or continue with authentication for these options:
	• If authentication failed—Default is reject.
	• If user not found—Default is reject.
	• If process failed—Default is drop.
	Owing to restrictions on the underlying protocol, ACS cannot always continue processing when
	the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII,
	EAP-TLS, or Host Lookup.
	For all other authentication protocols, the request will be dropped even if you choose the Continue
	option.

Step 2	Select an identity source for authentication; or, choose Deny Access.
	You can configure additional advanced options. See Configuring Identity Policy Rule Properties,
	page 10-24.
Step 3	Click Save Changes to save the policy.

	User Guide for Cisco Secure Access Control System 5.3
10-22	OL-24201-01

Cisco Systems OL-24201-01 manual Option Description, 10-22

Models: OL-24201-01

Option

Description

User Guide for Cisco Secure Access Control System 5.3

10-22

OL-24201-01