06-22-2012 04:10 AM - edited 03-10-2019 07:13 PM
Hi All
Trying to work out how to get these access policies on ACS 5.3 to work
one after the other, and other issues with access policies.
1. If I go to Access Policies / Access Services / Service Selection Rules,
then the rules seem to be hit from the top down.
However, if you are not permitted in the top rule you just seem to be dropped.
How can I make it so that if the first service selection rule is not matched
it goes to the next one?
2. On these policies I need to modify the authorisations using Customize.
Why can't I modify the Customize results on these?
I can't see how I can point these at a shell profile otherwise.
Steve
06-22-2012 05:01 AM
Not sure if your description is clear.
Access Service Selection Rules
It is evaluated top down. If there is a match on a certain rule, the result will be applied, which will be an access service.
If there is no match you move to the next rule; there will be a comparison, and if there is no match you keep going
until you hit the default rule.
Customizing certain conditions and results in the authorization policy depends on what you want to configure and have in your production.
Can you be more specific about what your issue is?
In the meantime I recommend you read more about the policy-based model in ACS 5, which is detailed in the ACS user guide.
----------------------------------------------------------------------------
Don't forget to rate correct answers
06-22-2012 06:01 AM
Hi
What I want is to have a service selection policy consisting of a number of rules.
For instance:
1. One for admin access to all network devices
2. One for the service desk to only access Lobby Ambassador
Unfortunately, if I hit the service desk rule first I get the following error:
TACACS+ requests can only be processed by Access Services that are of type Device Administration
and
Verify that the Service Selection Policy rules are correct
I have a rule called Default admin, but how do I know the access services
are of that type?
Steve
06-22-2012 06:09 AM
This means that the access policy that applies for the login is not of a device administration type, but rather network access, for example, a vpn user trying to authenticate to get access to the network.
Regards,
Jatin
06-22-2012 06:17 AM
Sorry if I seem a bit dense, but how do you determine which access policy is a device admin type and which is network?
That is, which exact setting? Does it have to be using the default device admin service, for instance?
06-22-2012 06:37 AM
Sir, there are two default access services (network and device admin).
ACS by default uses the protocol as the condition to select a certain access service.
If the protocol is TACACS+, a certain service is selected;
if it is RADIUS, another one is selected.
If you need to be more granular, just customize your conditions.
--------------------------------------------------------------------------------
Please Don't Forget to rate correct answer
06-22-2012 07:19 AM
TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration". You need to check if this is what you have selected. User Selected Service Type
This would help you in understanding it.
http://www.ciscopress.com/articles/article.asp?p=1671906&seqNum=5
06-22-2012 07:43 AM
Hi
Thanks for the help by the way it is greatly appreciated !!
Well, I have sorted that out now and the top 2 service
selection rules are both Device Administration.
However, when I try and access the device with a user who
is referenced in AD in the second rule down it doesn't work,
and I just hit the default on the authorisation of the first
rule.
Shouldn't I then hit the second service selection rule?
Steve
06-22-2012 08:10 AM
Hi
Thanks for the link. Just had a read; it seems to suggest that in the
service selection rules you need one service for TACACS+ and one for
RADIUS.
I was trying to have 2 services for TACACS+: if not found in the first
service then go to the second. But that's not how it works, is it?
Steve
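The behaviour Steve is running into is easiest to see with a small simulation of the two-stage model the thread describes: service selection is first-match on request conditions (the default condition being the protocol), and authorization only happens inside the access service that was selected, so a second TACACS+ rule is never reached and the user lands on the first service's default authorization result. The example below is added here and is not Cisco's code or anything from the ACS product; the service names, rule names, AD group names and shell profile names are assumptions constructed for illustration. It also shows the "TACACS+ requests can only be processed by ... Device Administration" error as a service-type check, and one way of getting both shell profiles out of a single Device Administration service, which is the author's stated goal.

```python
"""Toy model of ACS 5.x service selection + authorization (added example, not Cisco code)."""
from dataclasses import dataclass

DEVICE_ADMIN = "Device Administration"
NETWORK_ACCESS = "Network Access"


@dataclass
class AccessService:
    name: str
    service_type: str
    authz_rules: list                 # [(ad_group, shell_profile)], first match wins
    default_profile: str = "DenyAccess"


@dataclass
class SelectionRule:
    name: str
    protocol: str                     # the only selection condition modelled here
    service: AccessService


@dataclass
class Request:
    protocol: str
    user: str
    ad_groups: frozenset


class ServiceTypeMismatch(Exception):
    """Stands in for the error quoted in the thread: a TACACS+ request was
    routed to an access service that is not of type Device Administration."""


def select_service(rules, default_service, req):
    """Top-down, first-match: the first rule whose condition holds wins.
    There is no fall-through to later rules once a rule has matched."""
    for rule in rules:
        if rule.protocol == req.protocol:
            return rule.name, rule.service
    return "Default", default_service


def authorize(service, req):
    """Authorization policy inside the selected service: first matching AD
    group yields its shell profile, otherwise the service's default result."""
    for group, profile in service.authz_rules:
        if group in req.ad_groups:
            return profile
    return service.default_profile


def process(rules, default_service, req):
    rule_name, service = select_service(rules, default_service, req)
    if req.protocol == "TACACS+" and service.service_type != DEVICE_ADMIN:
        raise ServiceTypeMismatch(
            f"rule {rule_name!r} selected {service.name!r} ({service.service_type})")
    return rule_name, service.name, authorize(service, req)


# --- constructed sample configuration; all names are assumed, not from the thread ---
ADMIN_SVC = AccessService("Default Device Admin", DEVICE_ADMIN, [("NetAdmins", "FullShell")])
DESK_SVC = AccessService("ServiceDesk Admin", DEVICE_ADMIN, [("ServiceDesk", "LobbyAmbassador")])
NET_SVC = AccessService("Default Network Access", NETWORK_ACCESS, [])

# Steve's layout: two TACACS+ rules, each pointing at its own service.
SPLIT_RULES = [
    SelectionRule("Rule-1 Admin", "TACACS+", ADMIN_SVC),
    SelectionRule("Rule-2 ServiceDesk", "TACACS+", DESK_SVC),
]

# One Device Administration service whose authorization policy carries both outcomes.
MERGED_SVC = AccessService("Device Admin", DEVICE_ADMIN,
                           [("NetAdmins", "FullShell"), ("ServiceDesk", "LobbyAmbassador")])
MERGED_RULES = [SelectionRule("Rule-1 All TACACS+", "TACACS+", MERGED_SVC)]

DESK_USER = Request("TACACS+", "helpdesk1", frozenset({"ServiceDesk"}))   # constructed user


def split_outcome():
    """Rule-1 matches on protocol, so Rule-2 is never evaluated; the service
    desk user falls to Rule-1's service default (DenyAccess)."""
    return process(SPLIT_RULES, NET_SVC, DESK_USER)


def merged_outcome():
    """Same user, one service: the authorization policy hands out LobbyAmbassador."""
    return process(MERGED_RULES, NET_SVC, DESK_USER)


def mismatch_outcome():
    """A TACACS+ rule pointing at a Network Access service trips the type check."""
    try:
        process([SelectionRule("Rule-1 Wrong", "TACACS+", NET_SVC)], NET_SVC, DESK_USER)
    except ServiceTypeMismatch as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(split_outcome())
    print(merged_outcome())
    print(mismatch_outcome())
```

The selection stage here only knows the protocol because that is the default ACS condition the replies describe; the point of the model is that identity-based decisions (which AD group gets which shell profile) belong in the authorization policy of the one Device Administration service, not in a second service selection rule that the first-match evaluation will never reach.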