08-10-2011 05:50 PM - edited 03-10-2019 06:17 PM
Can someone explain the differences between Default Device Admin and Default Network Access?
08-10-2011 10:02 PM
ACS 5.2 uses a policy-based model for processing requests. When requests are received they are initially processed by the rules defined in the Service Selection Rules. These are evaluated on a first-match basis to decide which Access Service to use. Each Access Service contains within it an Identity policy, Group Mapping (optional, for more advanced use cases) and Authorization. The Identity policy is similarly a first-match policy that is used to determine the identity store, such as Internal Users or Active Directory, to be used to authenticate the user. [Note that the identity policy may be defined to have "Single result selection", in which case the same identity database is used for all requests.] The Authorization policy is used to determine the authorization results to be returned to the user. In the case of a RADIUS request this returns a set of Authorization Profiles, which is a set of RADIUS attributes and their values. In the case of TACACS+ requests this can return a shell profile (a set of attributes) and/or command sets that determine the command authorization.
Upon installation and by default, the Service Selection Rules are configured so that all RADIUS requests are handled by the Default Network Access service and all TACACS+ requests are handled by Default Device Admin. In both cases the Identity and Authorization policies are defined to authenticate against the internal database and permit access with no additional attributes returned. So upon installation, all that is required to get requests processed is to define a corresponding user and network device, and then processing should complete.
These default definitions allow you to get started quickly and then modify settings to evolve the policies to meet the organization's needs.
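The request flow described in the answer above, as an added Python model that is not part of the thread and not Cisco ACS code. It runs a request through Service Selection (first match), then the chosen Access Service's Identity policy (first match) and Authorization policy (first match), with the out-of-the-box rules (RADIUS to Default Network Access, TACACS+ to Default Device Admin, both against Internal Users, both permitting with no extra attributes) and one evolved Device Admin policy that attaches a read-only command set to a user. The user, device and rule names, the drop/reject fall-through behaviour and the simplified command-set matching are assumptions for illustration only.

```python
# Added example: toy model of the ACS 5.2 policy flow described in the answer.
# Not ACS code. Users, devices, rule names and fall-through behaviour are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    protocol: str                   # "RADIUS" or "TACACS+"
    username: str
    password: str
    device: str                     # network device (NAS) that sent the request
    command: Optional[str] = None   # set only for TACACS+ command authorization


# Constructed sample data: the internal identity store and registered devices.
INTERNAL_USERS = {"alice": "s3cret", "bob": "hunter2"}
NETWORK_DEVICES = {"core-sw1", "edge-rtr1"}

IDENTITY_STORES: Dict[str, Callable[[Request], bool]] = {
    "Internal Users": lambda r: INTERNAL_USERS.get(r.username) == r.password,
}

Rule = Tuple[Callable[[Request], bool], object]   # (condition, result)
ALWAYS = lambda r: True                           # the catch-all rule in ACS


@dataclass
class AccessService:
    identity_rules: List[Rule]        # first match selects the identity store
    authorization_rules: List[Rule]   # first match selects the result


def first_match(rules, req, default=None):
    """Evaluate rules top-down; the first rule whose condition holds wins."""
    for cond, result in rules:
        if cond(req):
            return result
    return default


def command_allowed(command_sets, command):
    """Simplified command-set matching (assumption, not ACS's exact algorithm):
    each set is a list of (grant, command-prefix) entries and the first entry
    whose prefix matches decides; no command sets means no restriction."""
    if not command_sets:
        return True
    for command_set in command_sets:
        for grant, prefix in command_set:
            if command.startswith(prefix):
                return grant == "permit"
    return False


def evaluate(service_selection, services, req):
    """Run one request through the model. A request from an unregistered device
    is dropped and one matching no Service Selection rule is rejected (assumed)."""
    if req.device not in NETWORK_DEVICES:
        return {"status": "DROP", "reason": "unknown network device"}
    svc_name = first_match(service_selection, req)
    if svc_name is None:
        return {"status": "REJECT", "reason": "no service selection rule matched"}
    svc = services[svc_name]
    store = first_match(svc.identity_rules, req)
    if store is None or not IDENTITY_STORES[store](req):
        return {"status": "REJECT", "service": svc_name, "reason": "authentication failed"}
    result = first_match(svc.authorization_rules, req, "DenyAccess")
    if result == "DenyAccess":
        return {"status": "REJECT", "service": svc_name, "reason": "authorization denied"}
    if req.command is not None and not command_allowed(result.get("command_sets", []), req.command):
        return {"status": "REJECT", "service": svc_name, "reason": "command not permitted: " + req.command}
    return {"status": "ACCEPT", "service": svc_name, "result": result}


# Out-of-the-box policy as the answer describes it.
DEFAULT_SERVICE_SELECTION = [
    (lambda r: r.protocol == "RADIUS", "Default Network Access"),
    (lambda r: r.protocol == "TACACS+", "Default Device Admin"),
]
DEFAULT_SERVICES = {
    "Default Network Access": AccessService(
        identity_rules=[(ALWAYS, "Internal Users")],
        authorization_rules=[(ALWAYS, {"authorization_profile": "Permit Access",
                                       "radius_attributes": {}})]),
    "Default Device Admin": AccessService(
        identity_rules=[(ALWAYS, "Internal Users")],
        authorization_rules=[(ALWAYS, {"shell_profile": "Permit Access",
                                       "command_sets": []})]),
}

# One way to evolve the defaults (assumed names): bob gets a read-only command
# set on the Device Admin service; everyone else keeps the permissive default.
READ_ONLY = [("permit", "show "), ("deny", "")]   # "" matches every command
EVOLVED_SERVICES = dict(DEFAULT_SERVICES)
EVOLVED_SERVICES["Default Device Admin"] = AccessService(
    identity_rules=[(ALWAYS, "Internal Users")],
    authorization_rules=[
        (lambda r: r.username == "bob", {"shell_profile": "ReadOnly", "command_sets": [READ_ONLY]}),
        (ALWAYS, {"shell_profile": "Permit Access", "command_sets": []}),
    ])

if __name__ == "__main__":
    for req in [
        Request("TACACS+", "alice", "s3cret", "core-sw1"),
        Request("RADIUS", "alice", "s3cret", "edge-rtr1"),
        Request("TACACS+", "alice", "wrong", "core-sw1"),
        Request("TACACS+", "alice", "s3cret", "rogue-box"),
        Request("TACACS+", "bob", "hunter2", "core-sw1", command="configure terminal"),
    ]:
        print(req.protocol, req.username, "->", evaluate(DEFAULT_SERVICE_SELECTION, EVOLVED_SERVICES, req))
```

Running the block with the default services accepts every correctly authenticated request from a registered device, which is the "permit access with no additional attributes" behaviour the answer describes; swapping in the evolved Device Admin service shows how a later first-match rule narrows what one user may run without touching the Service Selection layer.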
08-10-2011 10:57 PM
Thanks for the explanation. That makes sense, as I only use TACACS and I only changed the Device Admin setup, and my IOS devices are working (wish I could say the same for Junos).