Cisco Systems CSACS3415K9 Manual Do Utilizador
10-26
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Access Service Policies
Table 10-11
Identity Rule Properties Page
Option
Description
General
Rule Name
Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration;
all other fields are optional.
all other fields are optional.
Rule Status
Rule statuses are:
•
Enabled—The rule is active.
•
Disabled—ACS does not apply the results of the rule.
•
Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count
are written to the log, and the log entry includes an identification that the rule is monitor only. The
Monitor option is especially useful for watching the results of a new rule.
are written to the log, and the log entry includes an identification that the rule is monitor only. The
Monitor option is especially useful for watching the results of a new rule.
Conditions
conditions
Conditions that you can configure for the rule. By default the compound condition appears. You can
change the conditions that appear by using the Customize button in the Policy page.
change the conditions that appear by using the Customize button in the Policy page.
The default value for each condition is ANY. To change the value for a condition, check the condition check
box, then specify the value.
box, then specify the value.
If you check Compound Condition, an expression builder appears in the conditions frame. For more
information, see
information, see
Results
Identity Source
Identity source to apply to requests. The default is Deny Access. For:
•
Password-based authentication, choose a single identity store, or an identity store sequence.
•
Certificate-based authentication, choose a certificate authentication profile, or an identity store
sequence.
sequence.
The identity store sequence defines the sequence that is used for authentication and attribute retrieval and
an optional sequence to retrieve additional attributes. See
an optional sequence to retrieve additional attributes. See
.
Advanced
options
options
Specifies whether to reject or drop the request, or continue with authentication for these options:
•
If authentication failed—Default is reject.
•
If user not found—Default is reject.
•
If process failed—Default is drop.
Owing to restrictions on the underlying protocol, ACS cannot always continue processing when the
Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS or Host
Lookup.
Continue option is chosen. ACS can continue when authentication fails for PAP/ASCII, EAP-TLS or Host
Lookup.
For all other authentication protocols, the request is dropped even if you choose the Continue option.