Chapter 3 ACS 5.x Policy Model

Access Services

Table 3-5 describes an example of a set of access services.

Table 3-5    Access Service List

Access Service A                      | Access Service B                            | Access Service C
for Device Administration             | for Access from 802.1X Wired and            | for Access to 802.1X Agentless
                                      | Wireless Devices                            | Hosts
--------------------------------------+---------------------------------------------+-------------------------------
Identity Policy A                     | Identity Policy B                           | Identity Policy C
Shell/Command Authorization Policy A  | Session Authorization Policy B              | Session Authorization Policy C


Table 3-6 describes a service selection policy.

Table 3-6    Service Selection Policy

Rule Name   | Condition            | Result
------------+----------------------+------------------
DevAdmin    | protocol = TACACS+   | Access Service A
Agentless   | Host Lookup = True   | Access Service C
Default     |                      | Access Service B


If ACS 5.3 receives a TACACS+ access request, it applies Access Service A, which authenticates the request according to Identity Policy A. It then applies authorizations and permissions according to the shell/command authorization policy. This service handles all TACACS+ requests.

If ACS 5.3 receives a RADIUS request that it determines is a host lookup (for example, the RADIUS service-type attribute is equal to call-check), it applies Access Service C, which authenticates according to Identity Policy C. It then applies a session authorization profile according to Session Authorization Policy C. This service handles all host lookup requests (also known as MAC Auth Bypass requests).

Access Service B handles other RADIUS requests. This access service authenticates according to Identity Policy B and applies Session Authorization Policy B. This service handles all RADIUS requests except for host lookups, which are handled by the previous rule.
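The following is an added example, not code from Cisco or from this guide: a small Python model of how the service selection policy in Table 3-6 is evaluated top to bottom with first match wins, and how the selected access service maps to the identity and authorization policies of Table 3-5. The Request type, the attribute name Service-Type with value Call-Check (the guide's example of how a RADIUS host lookup is recognised), and the rule/service data structures are assumptions made for the example; the rule names, conditions and results are taken from the tables above.

```python
# Added example (not Cisco's code): first-match evaluation of an ACS-style
# service selection policy, followed by lookup of the selected access service.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """A constructed AAA request: protocol plus RADIUS attributes (assumed shape)."""
    protocol: str                              # "TACACS+" or "RADIUS"
    attributes: Dict[str, str] = field(default_factory=dict)


def is_host_lookup(req: Request) -> bool:
    """Host Lookup = True.  The guide's example: RADIUS Service-Type equals Call-Check.
    The attribute name/value spelling is an assumption for this example."""
    return req.protocol == "RADIUS" and req.attributes.get("Service-Type") == "Call-Check"


@dataclass
class Rule:
    name: str
    condition: Optional[Callable[[Request], bool]]   # None means the Default rule
    result: str


# Table 3-6, in evaluation order.  Order matters: the Default rule must be last.
SERVICE_SELECTION_POLICY: List[Rule] = [
    Rule("DevAdmin", lambda r: r.protocol == "TACACS+", "Access Service A"),
    Rule("Agentless", is_host_lookup, "Access Service C"),
    Rule("Default", None, "Access Service B"),
]

# Table 3-5: each access service and the policies it applies.
ACCESS_SERVICES: Dict[str, Dict[str, str]] = {
    "Access Service A": {"identity_policy": "Identity Policy A",
                         "authorization_policy": "Shell/Command Authorization Policy A"},
    "Access Service B": {"identity_policy": "Identity Policy B",
                         "authorization_policy": "Session Authorization Policy B"},
    "Access Service C": {"identity_policy": "Identity Policy C",
                         "authorization_policy": "Session Authorization Policy C"},
}


def select_access_service(req: Request,
                          policy: List[Rule] = SERVICE_SELECTION_POLICY) -> Tuple[str, str]:
    """Return (matching rule name, access service) for the first rule whose condition holds."""
    for rule in policy:
        if rule.condition is None or rule.condition(req):
            return rule.name, rule.result
    # A policy with no Default rule can leave a request unhandled; surface that explicitly.
    raise LookupError("no service selection rule matched the request")


def resolve_policies(req: Request) -> Dict[str, str]:
    """Select the access service and return the identity/authorization policies it applies."""
    rule_name, service = select_access_service(req)
    return {"rule": rule_name, "access_service": service, **ACCESS_SERVICES[service]}


if __name__ == "__main__":
    # Constructed sample requests covering the three rules of Table 3-6.
    samples = [
        Request("TACACS+"),
        Request("RADIUS", {"Service-Type": "Call-Check"}),
        Request("RADIUS", {"Service-Type": "Framed"}),
    ]
    for req in samples:
        print(req, "->", resolve_policies(req))
```

Two points the model makes visible: the Agentless rule only matters because it sits above Default (swap the order and every RADIUS request, MAC Auth Bypass included, would land in Access Service B), and deleting the Default rule turns "other RADIUS requests" into an error rather than silently selecting a service, which is the behaviour to check for when reviewing a policy that has been edited.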

Access Service Templates

ACS contains predefined access services that you can use as a template when creating a new service. When you choose an access service template, ACS creates an access service that contains a set of policies, each with a customized set of conditions.

You can change the structure of the access service by adding or removing a policy from the service, and you can change the structure of a policy by modifying the set of policy conditions. See Configuring Access Services Templates, page 10-19, for a list of the access service templates and descriptions.

RADIUS and TACACS+ Proxy Services

ACS 5.3 can function as a RADIUS, RADIUS proxy or TACACS+ proxy server.

As a RADIUS proxy server, ACS receives authentication and accounting requests from the NAS and forwards the requests to the external RADIUS server.

As a TACACS+ proxy server, ACS receives authentication, authorization and accounting requests from the NAS and forwards the requests to the external TACACS+ server.

User Guide for Cisco Secure Access Control System 5.3    OL-24201-01    3-7