Cisco Systems OL-24201-01 manual Simple Policies, Rule-Based Policies, Types of Policies

Chapter 3 ACS 5.x Policy Model

Overview of the ACS 5.x Policy Model

Simple Policies

You can configure all of your ACS policies as rule-based policies. However, in some cases, you can choose to configure a simple policy, which selects a single result to apply to all requests without conditions.

For example, you can define a rule-based authentication policy with a set of rules for different conditions; or, if you want to use the internal database for all authentications, you can define a simple policy.

Table 3-3helps you determine whether each policy type can be configured as a simple policy.

•If you create and save a simple policy, and then change to a rule-based policy, the simple policy becomes the default rule of the rule-based policy.

•If you have saved a rule-based policy and then change to a simple policy, ACS automatically uses the default rule as the simple policy.

Related Topic

•Types of Policies, page 3-5

Rule-Based Policies

Rule-based policies have been introduced to overcome the challenges of identity-based policies. In earlier versions of ACS, although membership in a user group gives members access permissions, it also places certain restrictions on them.

When a user requests access, the user's credentials are authenticated using an identity store, and the user is associated with the appropriate user group. Because authorization is tied to user group, all members of a user group have the same access restrictions and permissions at all times.

With this type of policy (the simple policy), permissions are granted based on a user’s association with a particular user group. This is useful if the user’s identity is the only dominant condition. However, for users who need different permissions under different conditions, this policy does not work.

In ACS 5.x, you can create rules based on various conditions apart from identity. The user group no longer contains all of the information.

For example, if you want to grant an employee full access while working on campus, and restricted access while working remotely, you can do so using the rule-based policies in ACS 5.3.

You can base permissions on various conditions besides identity, and permissions are no longer associated with user groups. You can use session and environment attributes, such as access location, access type, health of the end station, date, time, and so on, to determine the type of access to be granted.

Authorization is now based on a set of rules:

If conditions then apply the respective permissions

With rule-based policies, conditions can consist of any combination of available session attributes, and permissions are defined in authorization profiles. You define these authorization profiles to include VLAN, downloadable ACLs, QoS settings, and RADIUS attributes.

User Guide for Cisco Secure Access Control System 5.3