Chapter 3 ACS 5.x Policy Model


Policies and Network Device Groups

You can reference network device groups (NDGs) as policy conditions. When ACS receives a request for a device, it retrieves the NDGs associated with that device and compares them against those in the policy table. With this method, you can group multiple devices and assign them the same policies. For example, you can group all devices in a specific location together and assign them the same policy.

When ACS receives a request from a network device to access the network, it searches the network device repository for an entry with a matching IP address. After ACS has identified the device by its IP address, it retrieves all NDGs associated with that device.

Related Topics

Managing Users and Identity Stores, page 8-1

Policy Terminology, page 3-3

Types of Policies, page 3-5

Example of a Rule-Based Policy

The following example illustrates how you can use policy elements to create policy rules.

A company divides its network into two regions, East and West, with network operations engineers at each site. They want to create an access policy that allows engineers:

- Full access to the network devices in their region.

- Read-only access to devices outside their region.

You can use the ACS 5.3 policy model to:

- Define East and West network device groups, and map network devices to the appropriate group.

- Define East and West identity groups, and map users (network engineers) to the appropriate group.

- Define Full Access and Read Only authorization profiles.

- Define rules that allow each identity group full access or read-only access, depending on the network device group location.

Previously, you had to create two user groups, one for each location of engineers, each with its own separate permission definitions. That approach does not provide the same flexibility and granularity as the rule-based model.
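To make the evaluation order of the East/West example concrete, the following is an added Python model of it; it is not ACS code or an ACS export. The device table, group names and rules are constructed for illustration, and a device or user that cannot be found in the repository is treated as rejected (an assumption made here).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the East/West example (not a real ACS export).
# Device IP -> NDGs the device belongs to (a device may sit in several NDGs).
NETWORK_DEVICES = {
    "10.1.0.5": {"Location:East"},
    "10.2.0.9": {"Location:West"},
}
# User -> identity group (hypothetical users).
IDENTITY_GROUPS = {
    "alice": "Engineers:East",
    "bob": "Engineers:West",
}


@dataclass
class Rule:
    name: str
    identity_group: Optional[str]  # None means "any identity group"
    ndg: Optional[str]             # None means "any NDG"
    profile: str                   # authorization profile returned on match


# Rules are evaluated top-down and the first match wins, so the two
# same-region rules come first and an explicit catch-all rule at the end
# grants Read Only to every request that falls through.
RULES = [
    Rule("East-full", "Engineers:East", "Location:East", "Full Access"),
    Rule("West-full", "Engineers:West", "Location:West", "Full Access"),
    Rule("Cross-region-ro", None, None, "Read Only"),
]


def authorize(user: str, device_ip: str) -> Optional[str]:
    """Return the authorization profile for user at device_ip, or None if rejected."""
    # The device is identified by its IP address; no entry means no NDGs and no access.
    device_ndgs = NETWORK_DEVICES.get(device_ip)
    if device_ndgs is None:
        return None
    # Identity lookup precedes authorization; an unknown user never reaches the rules.
    group = IDENTITY_GROUPS.get(user)
    if group is None:
        return None
    for rule in RULES:
        if rule.identity_group not in (None, group):
            continue
        if rule.ndg is not None and rule.ndg not in device_ndgs:
            continue
        return rule.profile
    return None  # no matching rule: no profile is granted
```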

User Guide for Cisco Secure Access Control System 5.3

3-18

OL-24201-01
