Chapter 10 Managing Access Policies

Configuring Access Service Policies

Table 10-20 Network Access Authorization Exception Policy Page

Option

Status

Name

Description

Rule statuses are:

Enabled—The rule is active.

Disabled—ACS does not apply the results of the rule.

Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule.

Name of the rule.

Conditions

Identity Group

Name of the internal identity group to which this is matching against.

 

 

 

NDG:name

 

Network device group. The two predefined NDGs are Location and Device Type.

 

 

 

Condition Name

 

Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click

 

 

the Customize button. You must have previously defined the conditions that you want to use.

 

 

 

Results

 

Displays the authorization profile that will be applied when the corresponding rule is matched.

 

 

When you enable the Security Group Access feature, you can customize rule results; a rule can

 

 

determine the access permission of an endpoint, the security group of that endpoint, or both. The

 

 

columns that appear reflect the customization settings.

 

 

Hit Count

Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column.

 

 

Customize button

Opens the Customize page in which you choose the types of conditions to use in policy rules. A new

 

 

Conditions column appears in the Policy page for each condition that you add. You do not need to use

 

 

the same set of conditions as in the corresponding authorization policy.

 

 

When you enable the Security Group Access feature, you can also choose the set of rule results; only

 

 

session authorization profiles, only security groups, or both.

 

 

 

 

 

 

 

 

 

Caution If you remove a condition type after defining rules, you will lose any conditions that you

 

 

 

 

 

configured for that condition type.

 

 

 

 

 

 

 

 

Hit Count button

 

Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See

 

 

Displaying Hit Counts, page 10-10.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

To configure rules, see:

Creating Policy Rules, page 10-37

Duplicating a Rule, page 10-38

Editing Policy Rules, page 10-38

Deleting Policy Rules, page 10-39

Related Topics

Configuring a Session Authorization Policy for Network Access, page 10-29

Configuring Shell/Command Authorization Policies for Device Administration, page 10-34

 

User Guide for Cisco Secure Access Control System 5.3

10-36

OL-24201-01

Page 299 Page 301
Page 300
Image 300
Cisco Systems OL-24201-01 manual Condition Name, 10-36
Page 299 Page 301
Top Page Image Contents