Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Some ACS5.3 issues

Hi All

Trying to work out how to get these access policies on ACS 5.3 to work

one after the other and other issues with access policies.

1, If i go to Access policies/Access services/Service selection rules

Then the rules seem to be hit from the top down.

However if you are not permitted in the top rule you just seem to be dropped

How can i make it so that if the first service selection rule is not matched

it goes to the next one.

2. On these policies i need to modify the authorisations using customize -

why cant i modify the customize results on these ?

i cant see how i can point these at a shell profile otherwise.


Everyone's tags (3)
Cisco Employee

Some ACS5.3 issues

Not sure if your description is clear.

Access Service Selection Rules

It is evaluated top down. If there is a match on a certain rule the result will be applied which will be an access service

if there is no match you should move to the next Rule , there will be a comparison and if there is no match you keep going

untill you hit the default rule.

Customizing certain conidtions and results in the authorization policy depends on what you want to configure and have in your production.

Can you be more specific what is your issue?

In the meantime i recommend you to read more abotu the policy based model in ACS 5 which is detailed in the ACS user guide.


Don't forget to rate correct answers

New Member

Some ACS5.3 issues


What i want is to have a service selection policy consisting of a numbetr of rules

For instance 

1. For admin access to all network devices

2. One for the service desk to only access lobby ambassador

Unfortunately if i hit the service desk rule first i get the following error -

TACACS+ requests can only be processed by Access Services that are of type Device Administration


Verify that the Service Selection Policy rules are correct

I have a rule called Default admin - but how do  i know the access services

are of that type.


Cisco Employee

Some ACS5.3 issues

This means that the access policy that applies for the login is not of a device administration type, but rather network access, for example,  a vpn user trying to authenticate to get access to the network.



~BR Jatin Katyal **Do rate helpful posts**
New Member

Some ACS5.3 issues

Sorry if i seem a bit dense but how do you determine which acicess policy is a device admin type and which network

that is which exact setting - does it have to be using the default device admin service for instance...

Cisco Employee

Some ACS5.3 issues

Sir there are two default access services ( network and device admin )

ACS uses by default the protocol as condition to select certain access service.

If the protocol is Tacacs+ , certain service is selected

if it is RADIUS a nother one is selected.

If you need to be more granular just customize your conditions.


Please Don't Forget to rate correct answer

Cisco Employee

Some ACS5.3 issues

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration". You need to check if this is what you have selected. User Selected Service Type

This would help you understanidng it.

~BR Jatin Katyal **Do rate helpful posts**
New Member

Some ACS5.3 issues


Thanks for the help by the way it is greatly appreciated !!

Well i have sorted that out now and the top 2 service

selection rules are both Device administration.

However when i try and access the device with a user who

is referenced in AD in the second rule down it doesn work

and i just hit the default on the authorisation of the first

rule .

Shouldnt i then hit the second service selection rule ?


New Member

Some ACS5.3 issues


Thanks for the link  just had a read it seems to suggest that in the

service selection rules you need one service for TACACS and one for


I was trying to have 2 services of TACACS - if not found in the first

Service then goes to the second - but thats not how it works - is it ?