Chapter 3 ACS 5.x Policy Model

Service Selection Policy

Column         Description

Status         You can define the status of a rule as enabled, disabled, or monitored:

               Enabled—ACS evaluates an enabled rule, and when the rule conditions match the access request, ACS applies the rule result.

               Disabled—The rule appears in the rule table, but ACS skips this rule and does not evaluate it.

               Monitor Only—ACS evaluates a monitored rule. If the rule conditions match the access request, ACS creates a log record with information relating to the match. ACS does not apply the result, and the processing continues to the following rules. Use this status during a running-in period for a rule to see whether it is needed.

Name           Descriptive name. You can specify any name that describes the rule’s purpose. By default, ACS generates rule name strings of the form rule-number.

Conditions

  Identity Group   In this example, this is matching against one of the internal identity groups.

  NDG: Location    Location network device group. The two predefined NDGs are Location and Device Type.

Results

  Shell Profile    Used for device administration-type policies; contains permissions for a TACACS+ shell access request, such as the Cisco IOS privilege level.

Hit Counts     Displays the number of times a rule matched an incoming request since the last reset of the policy’s hit counters. ACS counts hits for any monitored or enabled rule whose conditions all matched an incoming request. Hit counts for:

               Enabled rules reflect the matches that occur when ACS processes requests.

               Monitored rules reflect the counts that would result for these rules if they were enabled when ACS processed the requests.

The primary server in an ACS deployment displays the hit counts, which represent the total matches for each rule across all servers in the deployment. On a secondary server, all hit counts in policy tables appear as zeroes.

The default rule specifies the policy result that ACS uses when no other rules exist, or when the attribute values in the access request do not match any rules.

ACS evaluates a set of rules in the first-match rule table by comparing the values of the attributes associated with the current access request with a set of conditions expressed in a rule.

If the attribute values do not match the conditions, ACS proceeds to the next rule in the rule table.

If the attribute values match the conditions, ACS applies the result that is specified for that rule, and ignores all remaining rules.

If the attribute values do not match any of the conditions, ACS applies the result that is specified for the policy default rule.
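The first-match evaluation, the three rule statuses and the hit counters described above, modelled as an added Python example (this is not Cisco's code or the ACS implementation); rule names, identity groups, NDG locations and result names are constructed sample values.

```python
# Added example (not ACS code): a first-match rule table with enabled,
# disabled and monitor-only rules, hit counters and a default rule.
from dataclasses import dataclass, field

ENABLED, DISABLED, MONITOR_ONLY = "enabled", "disabled", "monitor_only"


@dataclass
class Rule:
    name: str
    status: str
    conditions: dict      # attribute -> required value, e.g. {"identity_group": "NetAdmins"}
    result: str           # e.g. a shell profile name
    hits: int = 0         # hit counter since the last reset


@dataclass
class RuleTable:
    rules: list
    default_result: str   # result of the policy default rule
    log: list = field(default_factory=list)

    def evaluate(self, request: dict) -> str:
        for rule in self.rules:
            if rule.status == DISABLED:
                continue                   # listed in the table, but never evaluated
            if not all(request.get(a) == v for a, v in rule.conditions.items()):
                continue                   # conditions not met: try the next rule
            rule.hits += 1                 # counted for enabled and monitored rules alike
            if rule.status == MONITOR_ONLY:
                self.log.append(f"monitor: {rule.name} would apply {rule.result}")
                continue                   # result not applied; processing continues
            return rule.result             # first enabled match wins; remaining rules ignored
        return self.default_result         # nothing matched: default rule applies

    def reset_hit_counts(self) -> None:
        for rule in self.rules:
            rule.hits = 0


def demo():
    # Constructed sample rule table: a monitored rule, a disabled rule, an enabled rule.
    table = RuleTable(rules=[
        Rule("rule-1", MONITOR_ONLY, {"identity_group": "NetAdmins"}, "Shell_Priv15"),
        Rule("rule-2", DISABLED, {"ndg_location": "Branch"}, "Shell_Priv1"),
        Rule("rule-3", ENABLED, {"identity_group": "NetAdmins", "ndg_location": "HQ"}, "Shell_Priv15"),
    ], default_result="DenyAccess")
    admin_hq = table.evaluate({"identity_group": "NetAdmins", "ndg_location": "HQ"})
    helpdesk_branch = table.evaluate({"identity_group": "Helpdesk", "ndg_location": "Branch"})
    return table, admin_hq, helpdesk_branch
```

The disabled rule-2 never counts a hit even though the second request matches its condition, while the monitored rule-1 counts a hit and logs without changing the outcome.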

Related Topics

Policy Terminology, page 3-3

Policy Conditions, page 3-16

Policy Results, page 3-16

Exception Authorization Policy Rules, page 3-12

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

3-15
