Chapter 3 ACS 5.x Policy Model

Overview of the ACS 5.x Policy Model

Policy Terminology

 

Table 3-2describes the rule-based policy terminology.

Table 3-2

Rule-Based Policy Terminology

 

 

 

Term

 

Description

 

 

 

Access service

 

Sequential set of policies used to process access requests. ACS 5.x allows you to define multiple

 

 

access services to support multiple, independent, and isolated sets of policies on a single ACS

 

 

system.

 

 

There are two default access services: one for device administration (TACACS+ based access to the

 

 

device shell or CLI) and one for network access (RADIUS-based access to network connectivity).

 

 

 

Policy element

 

Global, shared object that defines policy conditions (for example, time and date, or custom

 

 

conditions based on user-selected attributes) and permissions (for example, authorization profiles).

 

 

The policy elements are referenced when you create policy rules.

 

 

Authorization profile

Basic permissions container for a RADIUS-based network access service, which is where you define

 

 

all permissions to be granted for a network access request.

 

 

VLANs, ACLs, URL redirects, session timeout or reauthorization timers, or any other RADIUS

 

 

attributes to be returned in a response, are defined in the authorization profile.

 

 

 

Shell profile

 

Basic permissions container for TACACS+ based device administration policy. This is where you

 

 

define permissions to be granted for a shell access request.

 

 

IOS privilege level, session timeout, and so on are defined in the shell profile.

 

 

 

Command set

 

Contains the set of permitted commands for TACACS+ based, per-command authorization.

 

 

 

Policy

 

Set of rules that are used to reach a specific policy decision. For example, how to authenticate and

 

 

what authorization to grant. For any policies that have a default rule, a policy is a first-match rules

 

 

table with a default rule for any request which does not match any user-created rules.

 

 

 

Identity policy

 

ACS 5.3 policy for choosing how to authenticate and acquire identity attributes for a given request.

 

 

ACS 5.3 allows two types of identity policies: a simple, static policy, or a rules-based policy for

 

 

more complex situations.

 

 

Identity group mapping

Optional policy for mapping identity information collected from identity stores (for example, group

policy

 

memberships and user attributes) to a single ACS identity group.

 

 

This can help you normalize identity information and map requests to a single identity group, which

 

 

is just a tag or an identity classification. The identity group can be used as a condition in

 

 

authorization policy, if desired.

 

 

Authorization policy

ACS 5.3 policy for assigning authorization attributes for access requests. Authorization policy

 

 

selects a single rule and populates the response with the contents of the authorization profiles

 

 

referenced as the result of the rule.

 

 

 

Exception policy

 

Special option for authorization policy, which allows you to define separately the set of conditions

 

 

and authorization results for authorization policy exceptions and waivers. If defined, the exception

 

 

policy is checked before the main (standard) authorization policy.

 

 

 

Default rule

 

Catchall rule in ACS 5.3 policies. You can edit this rule to specify a default result or authorization

 

 

action, and it serves as the policy decision in cases where a given request fails to match the

 

 

conditions specified in any user-created rule.

 

 

 

User Guide for Cisco Secure Access Control System 5.3

 

OL-24201-01

3-3

 

 

 

Page 45
Image 45
Cisco Systems OL-24201-01 manual Policy Terminology, Term Description