Cisco Systems CSACS3415K9 Manual Do Utilizador
10-23
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Access Service Policies
In the rule-based policy, each rule contains one or more conditions and a result, which is the identity
source to use for authentication. You can create, duplicate, edit, and delete rules within the identity
policy; and you can enable and disable them.
source to use for authentication. You can create, duplicate, edit, and delete rules within the identity
policy; and you can enable and disable them.
Caution
If you switch between the simple policy and the rule-based policy pages, you will lose your previously
saved policy.
saved policy.
To configure a simple identity policy:
Step 1
Select Access Policies > Access Services > service > Identity, where service is the name of the access
service.
service.
By default, the Simple Identity Policy page appears with the fields described in
:
Step 2
Select an identity source for authentication; or, choose Deny Access.
You can configure additional advanced options. See
Step 3
Click Save Changes to save the policy.
Table 10-9
Simple Identity Policy Page
Option
Description
Policy type
Defines the type of policy to configure:
•
Simple—Specifies the result to apply to all requests.
•
Rule-based—Configure rules to apply different results, depending on the request.
If you switch between policy types, you will lose your previously saved policy configuration.
Identity Source
Identity source to apply to all requests. The default is Deny Access. For:
•
Password-based authentication, choose a single identity store, or an identity store sequence.
•
Certificate-based authentication, choose a certificate authentication profile, or an identity
store sequence.
store sequence.
The identity store sequence defines the sequence that is used for authentication and an optional
additional sequence to retrieve attributes. See
additional sequence to retrieve attributes. See
.
Advanced options
Specifies whether to reject or drop the request, or continue with authentication for these options:
•
If authentication failed—Default is reject.
•
If user not found—Default is reject.
•
If process failed—Default is drop.
Owing to restrictions on the underlying protocol, ACS cannot always continue processing when
the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII,
EAP-TLS, or Host Lookup.
the Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII,
EAP-TLS, or Host Lookup.
For all other authentication protocols, the request will be dropped even if you choose the Continue
option.
option.