Some ACS5.3 issues

Unanswered Question
Jun 22nd, 2012

Hi All

Trying to work out how to get these access policies on ACS 5.3 to work one after the other, and other issues with access policies.

1. If I go to Access Policies/Access Services/Service Selection Rules, then the rules seem to be hit from the top down. However, if you are not permitted in the top rule you just seem to be dropped. How can I make it so that if the first service selection rule is not matched it goes to the next one?

2. On these policies I need to modify the authorisations using Customize - why can't I modify the Customize results on these? I can't see how I can point these at a shell profile otherwise.


maldehne (Cisco Employee) Fri, 06/22/2012 - 05:01

Not sure if your description is clear.

Access Service Selection Rules

It is evaluated top down. If there is a match on a certain rule, the result will be applied, which will be an access service. If there is no match you should move to the next rule; there will be a comparison, and if there is no match you keep going until you hit the default rule.

Customizing certain conditions and results in the authorization policy depends on what you want to configure and have in your production.

Can you be more specific about what your issue is?

In the meantime I recommend you read more about the policy-based model in ACS 5, which is detailed in the ACS user guide.


Don't forget to rate correct answers

steve switzer Fri, 06/22/2012 - 06:01


What I want is to have a service selection policy consisting of a number of rules. For instance:

1. One for admin access to all network devices

2. One for the service desk to only access lobby ambassador

Unfortunately, if I hit the service desk rule first I get the following error -

TACACS+ requests can only be processed by Access Services that are of type Device Administration

Verify that the Service Selection Policy rules are correct

I have a rule called Default admin - but how do I know the access services are of that type?


Jatin Katyal (Cisco Employee) Fri, 06/22/2012 - 06:09

This means that the access policy that applies for the login is not of a device administration type, but rather network access, for example, a VPN user trying to authenticate to get access to the network.



steve switzer Fri, 06/22/2012 - 06:17

Sorry if I seem a bit dense, but how do you determine which access policy is a device admin type and which is network? That is, which exact setting? Does it have to be using the default device admin service, for instance...

maldehne (Cisco Employee) Fri, 06/22/2012 - 06:37

Sir, there are two default access services (network and device admin).

ACS uses by default the protocol as the condition to select a certain access service. If the protocol is TACACS+, a certain service is selected; if it is RADIUS, another one is selected.

If you need to be more granular, just customize your conditions.


Please Don't Forget to rate correct answer

steve switzer Fri, 06/22/2012 - 07:43


Thanks for the help, by the way; it is greatly appreciated!!

Well, I have sorted that out now and the top 2 service selection rules are both Device Administration. However, when I try and access the device with a user who is referenced in AD in the second rule down, it doesn't work and I just hit the default on the authorisation of the first rule.

Shouldn't I then hit the second service selection rule?


steve switzer Fri, 06/22/2012 - 08:10


Thanks for the link; just had a read. It seems to suggest that in the service selection rules you need one service for TACACS and one for

I was trying to have 2 services of TACACS - if not found in the first service then go to the second - but that's not how it works, is it?
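The behaviour the thread converges on, as an added Python model (not Cisco ACS code): service selection is first-match with no fall-through, so when two selection rules both key on protocol, the first one captures every TACACS+ request and the service desk user lands on the first service's default authorization rule; putting both AD-group rules into one device-admin service's authorization policy reaches the lobby ambassador profile. Service names, AD group names and shell profile names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Request:
    protocol: str          # "TACACS+" or "RADIUS"
    ad_group: str          # constructed AD group name, e.g. "ServiceDesk"
@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    result: str            # access service name (selection) or shell profile (authorization)
@dataclass
class AccessService:
    service_type: str      # "Device Administration" or "Network Access"
    authz_rules: List[Rule]
    default_profile: str   # result of the service's default authorization rule

def evaluate(selection: List[Rule], default_service: str,
             services: Dict[str, AccessService], req: Request) -> dict:
    # Service selection: the first matching rule, top down, wins; there is no
    # fall-through to later selection rules once one has matched.
    sel = next((r for r in selection if r.matches(req)), None)
    sel_name, svc_name = (sel.name, sel.result) if sel else ("Default", default_service)
    svc = services[svc_name]
    if req.protocol == "TACACS+" and svc.service_type != "Device Administration":
        return {"selection_rule": sel_name, "error": "TACACS+ requests can only be processed by Access Services that are of type Device Administration"}
    # Authorization inside the chosen service: again first match, otherwise its default.
    authz = next((r for r in svc.authz_rules if r.matches(req)), None)
    return {"selection_rule": sel_name, "service": svc_name,
            "authz_rule": authz.name if authz else "Default",
            "shell_profile": authz.result if authz else svc.default_profile}

# Constructed configuration as posted: two selection rules that both key on TACACS+.
ADMIN = Rule("Admins", lambda q: q.ad_group == "NetAdmins", "FullAdmin")
HELPDESK = Rule("Helpdesk", lambda q: q.ad_group == "ServiceDesk", "LobbyAmbassador")
SERVICES = {"Admin Service": AccessService("Device Administration", [ADMIN], "DenyAccess"),
            "Service Desk Service": AccessService("Device Administration", [HELPDESK], "DenyAccess")}
SELECTION = [Rule("Default admin", lambda q: q.protocol == "TACACS+", "Admin Service"),
             Rule("Service desk", lambda q: q.protocol == "TACACS+", "Service Desk Service")]
# Granular alternative: one device-admin service whose authorization policy holds both rules.
MERGED = {"Device Admin": AccessService("Device Administration", [ADMIN, HELPDESK], "DenyAccess")}
MERGED_SELECTION = [Rule("TACACS+", lambda q: q.protocol == "TACACS+", "Device Admin")]

def as_posted(ad_group: str) -> dict:
    return evaluate(SELECTION, "Admin Service", SERVICES, Request("TACACS+", ad_group))
def merged(ad_group: str) -> dict:
    return evaluate(MERGED_SELECTION, "Device Admin", MERGED, Request("TACACS+", ad_group))
```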


