topic ACS 5.2: Service Selection Rules - Jump to next rule? in Network Access Control https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236213#M126307 <HTML><HEAD></HEAD><BODY><P>Thank you for explaining!</P></BODY></HTML> Tue, 23 Jul 2013 13:46:15 GMT Daryn Utesbayev 2013-07-23T13:46:15Z ACS 5.2: Service Selection Rules - Jump to next rule? https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236211#M126305 <P style="margin: 0cm; margin-bottom: .0001pt;">Hi</P><P></P><P> I looked for on internet and i could not find a awnser. Please help me to solve my issue.</P><P style="margin: 0cm 0cm 0.0001pt;">.</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">Questions:</P><P></P><P style="margin: 0cm; margin-bottom: .0001pt;">Creating more complex access services and policies, I mean in server selection rules have a several access policies.&nbsp; And each access policy has rules.&nbsp; Example: the first access policy for engineer groups. Second the access policy for sales groups. etс. After creating policies with the same devices and locations groups, the second access policy doesn’t work. I put logs.</P><P></P><P style="margin: 0cm 0cm 0.0001pt;">Why is not ACCCESS POLICY showing a group of Sales? It seems selection policy rules are looking at the group of engineer. I maybe It will not work. Because using the same devices, locations and protocol TACACS+. Is it possible to solve issue only with protocol TACACS+? </P><P></P><P></P><P></P><TABLE id="__TOC_2" style="border-bottom: #808080 1px solid; border-left: #808080 1px solid; margin: 10pt 0pt 0pt; width: 100%; border-collapse: collapse; font-family: sans-serif; empty-cells: show; font-size: small; border-top: #e3e3e3 1px; border-right: #808080 1px solid;"><TBODY><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Received TACACS+ Authentication START&nbsp; Request</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #ebebeb; font-style: normal; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; text-decoration: underline; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Evaluating Service Selection Policy</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Matched rule</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Selected Access Service - engineer</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Returned TACACS+ Authentication&nbsp; Reply</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Received TACACS+ Authentication CONTINUE&nbsp; Request</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Using previously selected Access&nbsp; Service</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #ebebeb; font-style: normal; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; text-decoration: underline; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Evaluating Identity Policy</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Matched rule</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Selected Identity Store - Internal&nbsp; Users</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Looking up User in Internal Users IDStore -&nbsp; testsales</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Found User in Internal Users&nbsp; IDStore</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">TACACS+ will use the password prompt from global&nbsp; TACACS+ configuration.</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Returned TACACS+ Authentication&nbsp; Reply</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Received TACACS+ Authentication CONTINUE&nbsp; Request</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Using previously selected Access&nbsp; Service</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #ebebeb; font-style: normal; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; text-decoration: underline; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Evaluating Identity Policy</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Matched rule</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Selected Identity Store - Internal&nbsp; Users</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Looking up User in Internal Users IDStore -&nbsp; testsales</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Found User in Internal Users&nbsp; IDStore</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Authentication Passed</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #ebebeb; font-style: normal; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; text-decoration: underline; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Evaluating Group Mapping Policy</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #ebebeb; font-style: normal; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; text-decoration: underline; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Evaluating Exception Authorization&nbsp; Policy</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">No rule was matched</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #ebebeb; font-style: normal; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; text-decoration: underline; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Evaluating Authorization Policy</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><P style="margin-top: 0pt;">Matched Default Rule</P></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Selected Shell Profile is&nbsp; DenyAccess</DIV></TD></TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><DIV style="margin-top: 0pt;">Returned TACACS+ Authentication&nbsp; Reply</DIV></TD></TR></TBODY></TABLE><P></P><TABLE id="__TOC_3" style="border-bottom: #808080 1px solid; border-left: #808080 1px solid; margin: 10pt 0pt 0pt; width: 100%; border-collapse: collapse; font-family: sans-serif; empty-cells: show; font-size: small; border-top: #e3e3e3 1px; border-right: #808080 1px solid;"><TBODY><TR align="left" style="text-transform: none; font-family: arial; color: #000000; font-size: 10pt; font-weight: bold;"><TH align="center" style="border-bottom: #8499a2 1px solid; border-left: #8499a2 1px solid; background-color: #d9e3e9; padding-left: 2pt; padding-right: 2pt; font-family: arial; font-size: 10pt; border-top: #8499a2 1px solid; font-weight: normal; border-right: #ffffff 1px solid; padding-top: 1pt;"><P id="AUTOGENBOOKMARK_44">Additional Details</P></TH> </TR><TR align="left" style="border-bottom: #8499a2 thin; border-left: #8499a2 thin solid; padding-bottom: 1pt; background-color: #f5f9fd; padding-left: 2pt; padding-right: 2pt; color: #000000; border-top: #8499a2 thin; font-weight: normal; border-right: #8499a2 thin solid; padding-top: 1pt;"><TD style="padding-bottom: 2pt; padding-left: 4pt; padding-right: 4pt; padding-top: 2pt;"><A _jive_internal="true" href="/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=/home/dutesbayev/AAA_Protocol/AAA_Diagnostics.rptdesign&amp;rptAcsSessionId=alma-acs-1/153065421/3828&amp;rptDay=06/28/2013 12:52:26.283 PM&amp;rptSeverity=DEBUG&amp;rptDiagnosticTimeRange=custom&amp;__locale=en_US&amp;iportalID=VPHHTISSRYQ&amp;__masterpage=false&amp;__newWindow=false" id="AUTOGENBOOKMARK_45" name="AUTOGENBOOKMARK_45" rel="nofollow" style="display: block;" target="_self">Diagnostics</A> <A _jive_internal="true" href="/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=/home/dutesbayev/ACS_Instance/ACS_Configuration_Audit.rptdesign&amp;rptTimeRange=custom&amp;rptEndDate=06/28/2013 12:52:26.283 PM&amp;rptStartDate=06/28/2013 12:52:26.283 PM&amp;__locale=en_US&amp;iportalID=VPHHTISSRYQ&amp;__masterpage=false&amp;__newWindow=false" id="AUTOGENBOOKMARK_46" name="AUTOGENBOOKMARK_46" rel="nofollow" style="display: block; padding-top: 1pt;" target="_self">ACS Configuration Changes</A></TD></TR></TBODY></TABLE> Mon, 11 Mar 2019 03:35:30 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236211#M126305 Daryn Utesbayev 2019-03-11T03:35:30Z ACS 5.2: Service Selection Rules - Jump to next rule? https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236212#M126306 <HTML><HEAD></HEAD><BODY><P>Hello. Service selection rules and authorization rules are like access-lists, they have multiple entries which are evaluated top-down, if the packet matches the first rule it wil never evaluate the second rule.</P><P></P><P>Most of the times the default service selection rule called "default device admin" is good as it is, and what you need to customize are the authorization rules.</P><P></P><P>Please post your rules to see what are you trying to achieve.</P></BODY></HTML> Fri, 05 Jul 2013 04:49:37 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236212#M126306 Eduardo Aliaga 2013-07-05T04:49:37Z ACS 5.2: Service Selection Rules - Jump to next rule? https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236213#M126307 <HTML><HEAD></HEAD><BODY><P>Thank you for explaining!</P></BODY></HTML> Tue, 23 Jul 2013 13:46:15 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-service-selection-rules-jump-to-next-rule/m-p/2236213#M126307 Daryn Utesbayev 2013-07-23T13:46:15Z