Cisco Systems CSACS3415K9 User Manual
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring the Service Selection Policy
• The Default Rule—You can change only the access service.
See Table 10-3 for field descriptions:
Step 4
Click OK.
The Service Selection Policy page appears with the rule that you configured.
Step 5
Click Save Changes.
Table 10-3 Service Selection Rule Properties Page

Option / Description

General

Name
  Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status
  Rule statuses are:
  • Enabled—The rule is active.
  • Disabled—ACS does not apply the results of the rule.
  • Monitor Only—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor Only option is especially useful for watching the results of a new rule.

Conditions

conditions
  Conditions that you can configure for the rule.
  By default, the compound condition appears. Click Customize in the Policy page to change the conditions that appear.
  The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value.
  If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see .

  Note: A service selection policy that contains a compound condition on the TACACS+ username does not work consistently. The policy works only when the first TACACS+ authentication request contains a username. If the first packet does not carry the username and ACS requests it from the NAS, the TACACS+ username condition is not matched. The request therefore meets the default deny-access condition and does not reach the intended access service.

Results

Service
  Name of the access service that runs as a result of the evaluation of the rule.
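The rule evaluation that Table 10-3 and its note describe, as an added example that is not Cisco's code: a constructed first-match model of service selection rules with the three statuses, the ANY default, and a compound condition on the TACACS+ username, showing how a first packet without a username falls through to the default deny-access rule. The rule names, attribute names, service names and the Monitor Only log wording are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "ANY"  # documented default value of every condition

@dataclass
class Rule:  # constructed model of one service selection rule (not Cisco code)
    name: str                   # assumed rule name
    status: str                 # "Enabled", "Disabled" or "Monitor Only"
    conditions: Dict[str, str]  # attribute -> required value; several keys = compound condition
    service: str                # access service applied when the rule hits

def matches(rule: Rule, request: Dict[str, str]) -> bool:
    """True when every non-ANY condition matches; an attribute absent from the request
    (e.g. TACACS+ username missing from the first packet) can never match."""
    return all(wanted == ANY or request.get(attr) == wanted
               for attr, wanted in rule.conditions.items())

def select_service(rules: List[Rule], request: Dict[str, str],
                   default_service: str = "DenyAccess") -> Tuple[str, List[str]]:
    """First-match evaluation in rule order; returns (chosen service, log lines).
    Disabled rules are skipped; Monitor Only rules log the hit but apply no result."""
    log: List[str] = []
    for rule in rules:
        if rule.status == "Disabled" or not matches(rule, request):
            continue
        if rule.status == "Monitor Only":
            log.append(f"hit {rule.name} (monitor only; result not applied)")
            continue
        log.append(f"hit {rule.name} -> {rule.service}")
        return rule.service, log
    log.append(f"no rule hit; default rule -> {default_service}")
    return default_service, log

# Assumed policy: a disabled catch-all, a Monitor Only rule, and a compound
# condition on protocol plus TACACS+ username (the case the note warns about).
POLICY = [
    Rule("legacy-all", "Disabled", {"protocol": ANY}, "LegacyAccess"),
    Rule("tacacs-watch", "Monitor Only", {"protocol": "TACACS+"}, "WatchOnly"),
    Rule("tacacs-admins", "Enabled", {"protocol": "TACACS+", "username": "admin"}, "DeviceAdmin"),
]

# Constructed first TACACS+ packets, with and without the username.
WITH_USERNAME = {"protocol": "TACACS+", "username": "admin"}
NO_USERNAME = {"protocol": "TACACS+"}  # username arrives only after ACS asks the NAS

if __name__ == "__main__":
    for req in (WITH_USERNAME, NO_USERNAME):
        print(req, "->", select_service(POLICY, req))
```

The second request shows the documented failure mode: the Monitor Only rule records a hit, the compound rule cannot match without the username, and the request ends at the default deny-access rule.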