Chapter 10 Managing Access Policies

Configuring Access Service Policies

Table 10-19 Device Administration Authorization Exception Policy Page

Option
    Description

Status
    Rule statuses are:

    Enabled—The rule is active.

    Disabled—ACS does not apply the results of the rule.

    Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule before you enable it.

Name
    Name of the rule.

Conditions

  Identity Group
    Name of the internal identity group against which the rule is matched.

  NDG:name
    Network device group. The two predefined NDGs are Location and Device Type.

  Condition
    Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results
    Displays the shell profile and command sets that will be applied when the corresponding rule is matched.

    You can customize rule results; a rule can determine the shell profile, the command sets, or both. The columns that appear reflect the customization settings.

Hit Count
    Number of times that the rule has been matched. Click the Hit Count button to refresh and reset this column.

Customize button
    Opens the Customize page, in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions and results as in the corresponding authorization policy.

    Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
    Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 10-10.

Configuring Shell/Command Authorization Policies for Device Administration

When you create an access service and select a service policy structure for Device Administration, ACS automatically creates a shell/command authorization policy. You can then create and modify policy rules.

The web interface supports the creation of multiple command sets for device administration. With this capability, you can maintain a smaller number of basic command sets. You can then choose the command sets in combination as rule results, rather than maintaining all the combinations themselves in individual command sets.

You can also create an authorization policy with an exception policy, which can override the standard policy results. See Configuring Authorization Exception Policies, page 10-35.

For information about how ACS processes rules with multiple command sets, see Processing Rules with Multiple Command Sets, page 3-11.
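The evaluation order that Table 10-19 and this section describe (exception policy consulted before the standard policy, Disabled rules skipped, Monitor rules counted and logged but never applied, a rule result that names a shell profile and one or more command sets) is shown below as an added example. It is not Cisco's code and not the ACS implementation. It assumes first-match rule tables and compares identity group and NDG values as exact strings, which is a simplification of ACS's hierarchical groups; all rule, group and command set names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco/ACS code. Assumptions: rule tables are first-match,
# identity group and NDG values are compared as exact strings.


@dataclass
class Rule:
    name: str
    status: str                                        # "Enabled", "Disabled" or "Monitor"
    identity_group: Optional[str] = None               # None = rule does not use this condition
    ndg: Dict[str, str] = field(default_factory=dict)  # e.g. {"Location": "HQ"}
    shell_profile: Optional[str] = None                # result: shell profile
    command_sets: Tuple[str, ...] = ()                 # result: one or more command sets


def rule_matches(rule: Rule, request: dict) -> bool:
    """A rule matches when every condition it uses agrees with the request."""
    if rule.identity_group is not None and request["identity_group"] != rule.identity_group:
        return False
    for ndg_name, wanted in rule.ndg.items():
        if request["ndg"].get(ndg_name) != wanted:
            return False
    return True


def evaluate_policy(rules: List[Rule], request: dict,
                    hit_counts: Dict[str, int], log: List[str]) -> Optional[dict]:
    """Walk the table top to bottom; return the results of the first Enabled match.

    Disabled rules are skipped entirely. Monitor rules count as a hit and are
    logged with a monitor-only marker, but their results are not applied and
    evaluation continues with the next rule."""
    for rule in rules:
        if rule.status == "Disabled":
            continue
        if not rule_matches(rule, request):
            continue
        hit_counts[rule.name] = hit_counts.get(rule.name, 0) + 1
        if rule.status == "Monitor":
            log.append(f"rule={rule.name} status=Monitor hit={hit_counts[rule.name]} results-not-applied")
            continue
        log.append(f"rule={rule.name} status=Enabled hit={hit_counts[rule.name]} applied")
        return {"shell_profile": rule.shell_profile, "command_sets": list(rule.command_sets)}
    return None


def authorize(exception_rules: List[Rule], standard_rules: List[Rule], request: dict,
              hit_counts: Dict[str, int], log: List[str], default: dict) -> dict:
    """The exception policy is consulted first; an Enabled match there overrides the standard policy."""
    result = evaluate_policy(exception_rules, request, hit_counts, log)
    if result is None:
        result = evaluate_policy(standard_rules, request, hit_counts, log)
    return result if result is not None else default


def reset_hit_counts(hit_counts: Dict[str, int]) -> None:
    """Equivalent of the Hit Count button: clear the counters."""
    hit_counts.clear()


def demo():
    """Constructed sample policy and requests (hypothetical names)."""
    exception_rules = [
        Rule("HQ-Monitor", "Monitor", identity_group="NetOps", ndg={"Location": "HQ"},
             shell_profile="Priv15", command_sets=("AllCommands",)),
    ]
    standard_rules = [
        Rule("Old-Rule", "Disabled", identity_group="NetOps",
             shell_profile="Priv15", command_sets=("AllCommands",)),
        Rule("NetOps-Core", "Enabled", identity_group="NetOps", ndg={"Device Type": "Core Switch"},
             shell_profile="Priv15", command_sets=("ShowCommands", "InterfaceConfig")),
        Rule("NetOps-Default", "Enabled", identity_group="NetOps",
             shell_profile="Priv1", command_sets=("ShowCommands",)),
    ]
    default = {"shell_profile": None, "command_sets": [], "deny": True}  # no rule matched
    hit_counts: Dict[str, int] = {}
    log: List[str] = []
    requests = [
        {"identity_group": "NetOps", "ndg": {"Location": "HQ", "Device Type": "Core Switch"}},
        {"identity_group": "NetOps", "ndg": {"Location": "Branch", "Device Type": "Access Switch"}},
        {"identity_group": "Guest", "ndg": {"Location": "HQ", "Device Type": "Core Switch"}},
    ]
    results = [authorize(exception_rules, standard_rules, r, hit_counts, log, default) for r in requests]
    return results, hit_counts, log


if __name__ == "__main__":
    results, hits, log = demo()
    for r in results:
        print(r)
    print(hits)
    print("\n".join(log))
```

The first request hits the Monitor rule in the exception policy (counted and logged, not applied) and then receives the NetOps-Core results from the standard policy; the Disabled rule never matches and never gains a hit. Combining several small command sets in one rule result, as the section recommends, is what the `command_sets` tuple models; how ACS merges permit and deny entries across those sets is covered in Processing Rules with Multiple Command Sets and is not modelled here.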

 

User Guide for Cisco Secure Access Control System 5.3

10-34

OL-24201-01