Cisco Systems OL-24201-01 manual Column Description, Related Topics

Chapter 3 ACS 5.x Policy Model

Service Selection Policy

•Enabled—ACS evaluates an enabled rule, and when the rule conditions match the access request, ACS applies the rule result.

•Disabled—The rule appears in the rule table, but ACS skips this rule and does not evaluate it.

•Monitor Only—ACS evaluates a monitored rule. If the rule conditions match the access request, ACS creates a log record with information relating to the match.

•Enabled rules reflect the matches that occur when ACS processes requests.

•Monitored rules reflect the counts that would result for these rules if they were enabled when ACS processed the requests.

The primary server in an ACS deployment displays the hit counts, which represent the total matches for each rule across all servers in the deployment. On a secondary server, all hit counts in policy tables appear as zeroes.

The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules.

ACS evaluates a set of rules in the first-match rule table by comparing the values of the attributes associated with the current access request with a set of conditions expressed in a rule.

•If the attribute values do not match the conditions, ACS proceeds to the next rule in the rule table.

•If the attribute values match the conditions, ACS applies the result that is specified for that rule, and ignores all remaining rules.

•If the attribute values do not match any of the conditions, ACS applies the result that is specified for the policy default rule.

Related Topics

•Policy Terminology, page 3-3

•Policy Conditions, page 3-16

•Policy Results, page 3-16

•Exception Authorization Policy Rules, page 3-12