10-29
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 10 Managing Access Policies
Configuring Access Service Policies

Configuring a Session Authorization Policy for Network Access

When you create an access service for network access authorization, ACS creates a Session Authorization
policy. You can then add and modify rules in this policy to determine the access permissions for the client
session.

You can create a standalone authorization policy for an access service, which is a standard first-match
rule table. You can also create an authorization policy with an exception policy. See Configuring
Authorization Exception Policies, page 10-35. When a request matches an exception rule, the policy
exception rule result is always applied.

The rules can contain any conditions and multiple results:
• Authorization profile—Defines the user-defined attributes and, optionally, the downloadable ACL
  that the Access-Accept message should return.
• Security Group Tag (SGT)—If you have installed Cisco Security Group Access, the authorization
  rules can define which SGT to apply to the request.
For information about how ACS processes rules with multiple authorization profiles, see Processing
Rules with Multiple Authorization Profiles, page 3-17.
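
The evaluation order described above, as an added example that is not Cisco's code or part of the original guide: a small Python model in which exception rules are checked before the standard first-match table, with an audit helper that flags standard rules that can never be the first match. The `Rule` class, the function names and the sample policy are hypothetical, and conditions are modelled as simple equality checks.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    conditions: dict                              # attribute -> required value
    profiles: list = field(default_factory=list)  # authorization profile names
    sgt: str = None                               # Security Group Tag, if SGA is installed

    def matches(self, request):
        return all(request.get(k) == v for k, v in self.conditions.items())

def first_match(rules, request):
    """Standard first-match table: the first rule whose conditions all hold wins."""
    return next((r for r in rules if r.matches(request)), None)

def authorize(exception_rules, standard_rules, request):
    """A matching exception rule is always applied; otherwise use the standard table."""
    for source, table in (("exception", exception_rules), ("standard", standard_rules)):
        rule = first_match(table, request)
        if rule is not None:
            return {"source": source, "rule": rule.name,
                    "profiles": rule.profiles, "sgt": rule.sgt}
    return None  # nothing matched; fallback handling is outside this sketch

def shadowed(rules):
    """Audit helper: (rule, earlier_rule) pairs where the earlier rule's conditions
    are a subset of the later rule's, so the later rule can never be the first match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.conditions.items() <= later.conditions.items():
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample policy; every rule, attribute and profile name is hypothetical.
STANDARD = [
    Rule("Employees", {"group": "employees"}, ["FullAccess"], "SGT_Employee"),
    Rule("EmployeesWireless", {"group": "employees", "nas_type": "wireless"}, ["WirelessOnly"]),
    Rule("Contractors", {"group": "contractors"}, ["Limited", "ContractorACL"]),
]
EXCEPTIONS = [Rule("Quarantine", {"posture": "noncompliant"}, ["QuarantineVLAN"], "SGT_Quarantine")]
```

Running `shadowed(STANDARD)` on the sample table reports that `EmployeesWireless` sits behind the broader `Employees` rule, the kind of ordering mistake that silently grants wider access than intended in a first-match table.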

To configure an authorization policy, see these topics:
• Creating Policy Rules, page 10-37
• Duplicating a Rule, page 10-38
• Editing Policy Rules, page 10-38
• Deleting Policy Rules, page 10-39

For information about creating an authorization policy for:
• Host Lookup requests, see ACS and Cisco Security Group Access, page 4-23.
• Security Group Access support, see Creating an Endpoint Admission Control Policy, page 4-27.

Step 1 Select Access Policies > Access Services > service > Authorization.
Step 2 Complete the fields as described in Table 10-15: