ACS 5.2 Access Services

justins

Can someone explain the differences between

Default Device admin

and

Default Network access

[Attached screenshot: Screen Shot 2011-08-10 at 5.49.19 PM.png]

Accepted Solution

jrabinow

ACS 5.2 uses a policy-based model for processing requests. When requests are received they are initially processed by the rules defined in the Service Selection rules. These are evaluated on a first-match basis to decide which Access Service to use. Each Access Service contains within it an Identity policy, Group Mapping (optional, for more advanced use cases) and Authorization. The Identity policy is similarly a first-match policy that is used to determine the identity store, such as internal users or Active Directory, to be used to authenticate the user. [Note that the identity policy may be defined to have "Single result selection", in which case the same identity database is used for all requests.] The authorization policy is used to determine the authorization results to be returned to the user. In the case of RADIUS requests this returns a set of Authorization Profiles, which is a set of RADIUS attributes and their values. In the case of TACACS+ requests this can return a shell profile (set of attributes) and/or command sets that determine the command authorization.

Upon installation and by default, the Service Selection Rules are configured so that all RADIUS requests are handled by the Default Network Access service and all TACACS+ requests are handled by Default Device Admin. In both cases the Identity and Authorization policies are defined to authenticate against the internal database and permit access with no additional attributes returned. So upon installation, all that is required to get requests processed is to define a corresponding user and network device, and then processing should complete.

These default definitions allow you to get started quickly and then modify settings to evolve the policies to meet the organization's needs.

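The flow the answer describes (service selection, then identity policy, then authorization, each first-match) can be made concrete with a small simulation. The following is an added illustration written for this page, not ACS code and not the poster's configuration; the identity store contents, the "AD1" store name, the "Edge" device group, the "ShowOnly" command set and the dictionary shapes used for results are all assumptions for the demo. What it adds to the prose is the consequence of first-match evaluation: a more specific service selection rule only takes effect if it sits above the broad default rule, otherwise the default rule shadows it and the request is authenticated against the wrong store.

```python
"""Simulation of the ACS 5.2 policy flow: service selection rules -> access
service -> identity policy -> authorization policy, each evaluated first-match.
Added example for this page; not ACS code. Store names, users, groups and
result dictionaries are constructed for the demo."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    protocol: str              # "RADIUS" or "TACACS+"
    username: str
    password: str
    device_ip: str
    device_group: str = ""     # assumed condition attribute for the demo


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: Any


def first_match(rules: List[Rule], req: Request, default: Any = None) -> Tuple[str, Any]:
    """Evaluate rules top-down and return the first hit, as ACS does.
    Rule order is therefore a security control: a broad rule placed above a
    narrower one shadows it silently."""
    for rule in rules:
        if rule.condition(req):
            return rule.name, rule.result
    return "default", default


@dataclass
class AccessService:
    name: str
    identity_rules: List[Rule]          # empty list = "single result selection"
    identity_default: str
    authorization_rules: List[Rule]
    authorization_default: Dict[str, Any]


# Constructed identity stores. "Internal Users" stands for the ACS internal
# database; "AD1" is an assumed name for an Active Directory store.
IDENTITY_STORES: Dict[str, Dict[str, str]] = {
    "Internal Users": {"justins": "s3cret"},
    "AD1": {"netops": "Pa55word"},
}


def authenticate(store_name: str, req: Request) -> bool:
    return IDENTITY_STORES.get(store_name, {}).get(req.username) == req.password


# Post-install state as the answer describes it: every request authenticates
# against the internal database and gets "Permit Access" with no extra attributes.
DEFAULT_DEVICE_ADMIN = AccessService(
    "Default Device Admin", [], "Internal Users", [],
    {"shell_profile": "Permit Access", "command_sets": []})
DEFAULT_NETWORK_ACCESS = AccessService(
    "Default Network Access", [], "Internal Users", [],
    {"authorization_profiles": ["Permit Access"], "radius_attributes": {}})

SERVICE_SELECTION_RULES = [
    Rule("Rule-1", lambda r: r.protocol == "RADIUS", DEFAULT_NETWORK_ACCESS),
    Rule("Rule-2", lambda r: r.protocol == "TACACS+", DEFAULT_DEVICE_ADMIN),
]

# Assumed, more specific service: TACACS+ from an "Edge" device group goes to
# AD with a restricted command set. Its position in the table decides whether
# it is ever reached.
EDGE_DEVICE_ADMIN = AccessService(
    "Edge Device Admin", [], "AD1", [],
    {"shell_profile": "Permit Access", "command_sets": ["ShowOnly"]})
EDGE_RULE = Rule("Edge-TACACS",
                 lambda r: r.protocol == "TACACS+" and r.device_group == "Edge",
                 EDGE_DEVICE_ADMIN)


def process(req: Request, service_rules: Optional[List[Rule]] = None) -> Dict[str, Any]:
    """Service selection -> identity policy -> authorization policy."""
    rules = SERVICE_SELECTION_RULES if service_rules is None else service_rules
    trace: Dict[str, Any] = {}
    trace["service_rule"], service = first_match(rules, req)
    if service is None:
        trace["result"] = "DENY: no service selection rule matched"
        return trace
    trace["service"] = service.name
    _, store = first_match(service.identity_rules, req, service.identity_default)
    trace["identity_store"] = store
    if not authenticate(store, req):
        trace["result"] = "DENY: authentication failed in " + store
        return trace
    trace["authorization_rule"], authz = first_match(
        service.authorization_rules, req, service.authorization_default)
    trace["result"] = authz
    return trace


if __name__ == "__main__":
    edge = Request("TACACS+", "netops", "Pa55word", "10.0.0.2", "Edge")
    print(process(Request("TACACS+", "justins", "s3cret", "10.0.0.1")))
    print(process(edge, [EDGE_RULE] + SERVICE_SELECTION_RULES))  # reaches Edge Device Admin
    print(process(edge, SERVICE_SELECTION_RULES + [EDGE_RULE]))  # shadowed by Rule-2, denied
```

The last two calls are the point: the same request succeeds or is denied purely on where the Edge rule sits relative to the catch-all TACACS+ rule, and when it is shadowed the user is looked up in the internal database rather than AD. When adding a narrower service in ACS, place it above the default rule and verify the hit counter on the rule you expect to match.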

2 Replies


Thanks for the explanation. That makes sense, as I only use TACACS and I only changed the device admin setup, and my IOS devices are working (wish I could say the same for Junos).
