Cisco Systems CSACS3415K9 Manual De Usuario
4-25
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
Devices consider only the SGT value; the name and description of a security group are a management
convenience and are not conveyed to the devices. Therefore, changing the name or description of the
security group does not affect the generation ID of an SGT.
convenience and are not conveyed to the devices. Therefore, changing the name or description of the
security group does not affect the generation ID of an SGT.
To create a security group:
Step 1
Choose Policy Elements > Authorizations and Permissions > Network Access > Security Groups
and click Create.
and click Create.
Step 2
Fill in the fields as described in the
.
Tip
When you edit a security group, the security group tag and the generation ID are visible.
Step 3
Click Submit.
Creating SGACLs
Security Group Access Control Lists (SGACLs) are similar to standard IP-based ACLs, in that you can
specify whether to allow or deny communications down to the transport protocol; for example, TCP,
User Datagram Protocol (UDP), and the ports; FTP; or Secure Shell Protocol (SSH).
specify whether to allow or deny communications down to the transport protocol; for example, TCP,
User Datagram Protocol (UDP), and the ports; FTP; or Secure Shell Protocol (SSH).
You can create SGACLs that can be applied to communications between security groups. You apply
Security Group Access policy administration in ACS by configuring these SGACLs to the intersection
of source and destination security groups through a customizable Egress matrix view, or individual
source and destination security group pairs.
Security Group Access policy administration in ACS by configuring these SGACLs to the intersection
of source and destination security groups through a customizable Egress matrix view, or individual
source and destination security group pairs.
To create an SGACL:
Step 1
Choose Policy Elements > Authorizations and Permissions > Named Permissions Objects >
Security Group ACLs. then click Create.
Security Group ACLs. then click Create.
Step 2
Fill in the fields as described in the
.
Step 3
Click Submit.
Configuring an NDAC Policy
The Network Device Admission Control (NDAC) policy defines which security group is sent to the
device. When you configure the NDAC policy, you create rules with previously defined conditions, for
example, NDGs.
device. When you configure the NDAC policy, you create rules with previously defined conditions, for
example, NDGs.
The NDAC policy is a single service, and it contains a single policy with one or more rules. Since the
same policy is used for setting responses for authentication, peer authorization, and environment
requests, the same SGT is returned for all request types when they apply to the same device.
same policy is used for setting responses for authentication, peer authorization, and environment
requests, the same SGT is returned for all request types when they apply to the same device.
Note
You cannot add the NDAC policy as a service in the service selection policy; however, the NDAC policy
is automatically applied to Security Group Access devices.
is automatically applied to Security Group Access devices.