Chapter 3 ACS 5.x Policy Model

Access Services

Access Services

Access services are fundamental constructs in ACS 5.x that allow you to configure access policies for users and devices that connect to the network and for network administrators who administer network devices.

In ACS 5.x, authentication and authorization requests are processed by access services. An access service consists of the following elements:

Identity Policy—Specifies how the user should be authenticated and includes the allowed authentication protocols and the user repository to use for password validation.

Group Mapping Policy—Specifies if the user's ACS identity group should be dynamically established based on user attributes or group membership in external identity stores. The user's identity group can be used as part of their authorization.

Authorization Policy—Specifies the authorization rules for the user.

The access service is an independent set of policies used to process an access request.

The ACS administrator might choose to create multiple access services to allow clean separation and isolation for processing different kinds of access requests. ACS provides two default access services:

Default Device Admin—Used for TACACS+ based access to device CLI

Default Network Access—Used for RADIUS-based access to network connectivity

You can use the access services as is, modify them, or delete them as needed. You can also create additional access services.

The TACACS+ protocol separates authentication from authorization; ACS processes TACACS+ authentication and authorization requests separately. Table 3-4describes additional differences between RADIUS and TACACS+ access services.

Table 3-4

Differences Between RADIUS and TACACS+ Access Services

 

 

 

 

Policy Type

 

TACACS+

RADIUS

 

 

 

 

Identity

 

Optional1

Required

Group Mapping

 

Optional

Optional

 

 

 

 

Authorization

 

Optional1

Required

1. For TACACS+, you must select either Identity or Authorization.

For TACACS+, all policy types are optional; however, you must choose at least one policy type in a service. If you do not define an identity policy for TACACS+, ACS returns authentication failed for an authentication request.

Similarly, if you do not define an authorization policy and if ACS receives a session or command authorization request, it fails. For both RADIUS and TACACS+ access services, you can modify the service to add policies after creation.

Note Access services do not contain the service selection policy. Service selection rules are defined independently.

You can maintain and manage multiple access services; for example, for different use cases, networks, regions, or administrative domains. You configure a service selection policy, which is a set of service selection rules to direct each new access request to the appropriate access service.

User Guide for Cisco Secure Access Control System 5.3

3-6

OL-24201-01

 

 

Page 48
Image 48
Cisco Systems OL-24201-01 manual Access Services, Policy Type