CHAPTER 3

ACS 5.x Policy Model

ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based policy model instead of the group-based model used in the 4.x versions.

This section contains the following topics:

Overview of the ACS 5.x Policy Model, page 3-1

Access Services, page 3-6

Service Selection Policy, page 3-12

Authorization Profiles for Network Access, page 3-16

Policies and Identity Attributes, page 3-17

Policies and Network Device Groups, page 3-18

Example of a Rule-Based Policy, page 3-18

Flows for Configuring Services and Policies, page 3-19

Note See Functionality Mapping from ACS 4.x to ACS 5.3, page 2-5, for a mapping of ACS 4.x concepts to ACS 5.3.

Overview of the ACS 5.x Policy Model

The ACS 5.x rule-based policy model provides more powerful and flexible access control than is possible with the older group-based approach.

In the older group-based model, a group defines policy because it contains and ties together three types of information:

Identity information—This information can be based on membership in AD or LDAP groups or a static assignment for internal ACS users.

Other restrictions or conditions—Time restrictions, device restrictions, and so on.

Permissions—VLANs or Cisco IOS privilege levels.

The ACS 5.x policy model is based on rules of the form:

If condition then result
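The rule form above is easier to see in a small executable model. The following is an added example, not code from the Cisco user guide: it models an ordered table of "if condition then result" rules and evaluates constructed access requests against it. It assumes top-down, first-match evaluation with a default rule when nothing matches (this chapter does not state how ACS orders its rules, so treat that as an assumption), and the attribute names (identity_group, device_group, hour), group names and result keys (vlan, privilege_level) are illustrative, not ACS identifiers.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# A request is the set of attributes the policy is evaluated against:
# who is asking, from which device group, and when. Attribute names are
# illustrative for this example, not ACS identifiers.
Request = Dict[str, Any]
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    """One rule of the form 'if condition then result'.

    All listed conditions must hold for the rule to match (logical AND).
    """
    name: str
    conditions: List[Condition]
    result: Dict[str, Any]

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


@dataclass
class RuleTable:
    """An ordered rule table: first matching rule wins, a default rule
    applies when nothing matches. First-match ordering is an assumption
    of this model, not something this chapter states about ACS."""
    rules: List[Rule] = field(default_factory=list)
    default: Dict[str, Any] = field(default_factory=lambda: {"access": "deny"})

    def evaluate(self, req: Request) -> Dict[str, Any]:
        for rule in self.rules:
            if rule.matches(req):
                return {"rule": rule.name, **rule.result}
        return {"rule": "default", **self.default}


# Condition builders for the kinds of information the text lists:
# identity (group membership) and other restrictions (device, time).
# Permissions (VLAN, privilege level) are carried by the rule's result.
def identity_group(name: str) -> Condition:
    return lambda r: r.get("identity_group") == name


def device_group(name: str) -> Condition:
    return lambda r: r.get("device_group") == name


def between_hours(start: int, end: int) -> Condition:
    return lambda r: start <= r.get("hour", -1) < end


# Rule-based policy. In the group-based model a "NetAdmins" group would
# carry one fixed set of restrictions and one fixed permission; here the
# same identity condition is reused in two rules with different device and
# time conditions and different results.
POLICY = RuleTable(rules=[
    Rule("admins-core-business-hours",
         [identity_group("NetAdmins"), device_group("Core"), between_hours(8, 18)],
         {"access": "permit", "privilege_level": 15}),
    Rule("admins-core-after-hours",
         [identity_group("NetAdmins"), device_group("Core")],
         {"access": "permit", "privilege_level": 1}),
    Rule("employees-access-layer",
         [identity_group("Employees"), device_group("Access")],
         {"access": "permit", "vlan": 20}),
])

# Constructed sample requests for the example (not real ACS data).
SAMPLE_REQUESTS = [
    {"user": "alice", "identity_group": "NetAdmins", "device_group": "Core", "hour": 10},
    {"user": "alice", "identity_group": "NetAdmins", "device_group": "Core", "hour": 22},
    {"user": "alice", "identity_group": "NetAdmins", "device_group": "Access", "hour": 10},
    {"user": "bob", "identity_group": "Employees", "device_group": "Access", "hour": 10},
]


def evaluate_all(table: RuleTable = POLICY,
                 requests: List[Request] = SAMPLE_REQUESTS) -> List[Dict[str, Any]]:
    """Evaluate every request against the table and return the results in order."""
    return [table.evaluate(r) for r in requests]


if __name__ == "__main__":
    for req, res in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(req["user"], req["device_group"], req["hour"], "->", res)
```

Two things worth checking in any first-match table of this kind: the narrower rule (admins on Core during business hours) must precede the broader one (admins on Core at any time), or the broader rule shadows it and administrators never receive privilege level 15; and a request that no rule covers (an administrator connecting to an Access device here) falls through to the default result, so the default should be an explicit deny rather than an implicit permit.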

User Guide for Cisco Secure Access Control System 5.3


OL-24201-01

3-1
