Cisco Support Community

New Member

ACS 5.2: Service Selection Rules - Jump to next rule?

Hi

I looked on the internet and I could not find an answer. Please help me solve my issue.


Questions:

I am creating more complex access services and policies; I mean, in the service selection rules I have several access policies, and each access policy has rules. Example: the first access policy is for the engineer groups, the second access policy is for the sales groups, etc. After creating the policies with the same device and location groups, the second access policy doesn't work. I have put the logs below.

Why is the ACCESS POLICY not showing the Sales group? It seems the selection policy rules are looking at the engineer group. Maybe it will not work because it is using the same devices, locations and the TACACS+ protocol. Is it possible to solve the issue with only the TACACS+ protocol?

Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - engineer
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - testsales
Found User in Internal Users IDStore
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - testsales
Found User in Internal Users IDStore
Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
No rule was matched
Evaluating Authorization Policy
Matched Default Rule
Selected Shell Profile is DenyAccess
Returned TACACS+ Authentication Reply


Accepted Solutions

ACS 5.2: Service Selection Rules - Jump to next rule?

Hello. Service selection rules and authorization rules are like access-lists: they have multiple entries which are evaluated top-down, and if the packet matches the first rule it will never evaluate the second rule.

Most of the time the default service selection rule, called "Default Device Admin", is good as it is, and what you need to customize is the authorization rules.

Please post your rules so we can see what you are trying to achieve.
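The following is an added example illustrating the accepted answer; it is not code from the thread or from Cisco ACS. It models the "top-down, first match wins" evaluation of ACS rule tables, reproduces the poster's log (service "engineer" selected for a Sales user, authorization falling through to the default rule and DenyAccess), and shows the answer's fix: one access service whose authorization rules are keyed on identity group. The rule names, shell profile names, device/location group values and the identity-group attribute are assumptions chosen to mirror the scenario; only "Default Device Admin" and "DenyAccess" are names that appear on the page. The shadowed_rules check is an added sanity check that flags rules that can never be reached.

```python
# Added example, not code from the original thread or from Cisco ACS: a small
# model of the ACL-style "top-down, first match wins" evaluation the accepted
# answer describes, applied to the poster's two-service setup and to the fix.
# Rule names, shell profile names, device/location values and the
# "identity_group" attribute are assumptions mirroring the question's scenario.

def first_match(rules, request, default):
    """Return (rule_name, result) for the first rule whose conditions all match.

    Later rules are never consulted once a rule matches, exactly like an
    access-list; if nothing matches, the table's default rule applies."""
    for name, conditions, result in rules:
        if all(request.get(attr) == value for attr, value in conditions.items()):
            return name, result
    return "Default Rule", default


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule's conditions
    are a subset of theirs: any request satisfying the later rule already
    satisfied the earlier one. Identical conditions, as in the poster's setup,
    are the simplest case."""
    shadowed = []
    for i, (name, conditions, _) in enumerate(rules):
        for _, earlier, _ in rules[:i]:
            if all(conditions.get(attr) == value for attr, value in earlier.items()):
                shadowed.append(name)
                break
    return shadowed


def evaluate(service_rules, authz_by_service, request):
    """Service selection, then the authorization policy of the selected service.

    The identity policy is omitted: in the poster's log the user is found and
    authentication passes, so it does not affect the outcome."""
    _, service = first_match(service_rules, request, "DenyAccess")
    if service == "DenyAccess":
        return service, "DenyAccess"
    _, shell_profile = first_match(authz_by_service[service], request, "DenyAccess")
    return service, shell_profile


# Shared conditions: the same device group, location and protocol on every
# service selection rule, which is what the poster reports (values assumed).
SHARED = {"protocol": "TACACS+", "device_group": "Core", "location": "HQ"}

# Constructed requests for a Sales user (the "testsales" login in the log) and
# an engineer, both arriving from the shared device/location groups over TACACS+.
SALES_REQUEST = dict(SHARED, identity_group="Sales")
ENGINEER_REQUEST = dict(SHARED, identity_group="Engineers")

# The poster's setup: two service selection rules with identical conditions,
# so the second one is unreachable.
BROKEN_SERVICE_SELECTION = [
    ("engineer-rule", dict(SHARED), "engineer"),
    ("sales-rule", dict(SHARED), "sales"),
]
BROKEN_AUTHZ = {
    "engineer": [("engineers", {"identity_group": "Engineers"}, "EngineerShell")],
    "sales": [("sales", {"identity_group": "Sales"}, "SalesShell")],
}

# The answer's suggestion: keep the single default access service ("Default
# Device Admin") and put the group distinction into its authorization rules.
FIXED_SERVICE_SELECTION = [
    ("device-admin-rule", {"protocol": "TACACS+"}, "Default Device Admin"),
]
FIXED_AUTHZ = {
    "Default Device Admin": [
        ("engineers", {"identity_group": "Engineers"}, "EngineerShell"),
        ("sales", {"identity_group": "Sales"}, "SalesShell"),
    ],
}

if __name__ == "__main__":
    # Reproduces the log: service "engineer" selected, authorization falls to
    # the default rule, shell profile DenyAccess.
    print(evaluate(BROKEN_SERVICE_SELECTION, BROKEN_AUTHZ, SALES_REQUEST))
    print("shadowed:", shadowed_rules(BROKEN_SERVICE_SELECTION))
    # With one service and group-based authorization rules, both users get
    # their own shell profile.
    print(evaluate(FIXED_SERVICE_SELECTION, FIXED_AUTHZ, SALES_REQUEST))
    print(evaluate(FIXED_SERVICE_SELECTION, FIXED_AUTHZ, ENGINEER_REQUEST))
```

The broken table yields ("engineer", "DenyAccess") for the Sales user, matching "Selected Access Service - engineer" and "Selected Shell Profile is DenyAccess" in the posted log, and shadowed_rules reports "sales-rule" as unreachable. The fixed table yields "SalesShell" and "EngineerShell" respectively, with no shadowed rules.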

New Member

ACS 5.2: Service Selection Rules - Jump to next rule?

Thank you for explaining!
