topic Some ACS5.3 issues in Network Access Control

Some ACS5.3 issues

steve switzer — Mon, 11 Mar 2019 02:13:24 GMT

Hi All

Trying to work out how to get these access policies on ACS 5.3 to work

one after the other and other issues with access policies.

1, If i go to Access policies/Access services/Service selection rules

Then the rules seem to be hit from the top down.

However if you are not permitted in the top rule you just seem to be dropped

How can i make it so that if the first service selection rule is not matched

it goes to the next one.

2. On these policies i need to modify the authorisations using customize -

why cant i modify the customize results on these ?

i cant see how i can point these at a shell profile otherwise.

Steve

Some ACS5.3 issues

maldehne — Fri, 22 Jun 2012 12:01:33 GMT

Not sure if your description is clear.

Access Service Selection Rules

It is evaluated top down. If there is a match on a certain rule the result will be applied which will be an access service

if there is no match you should move to the next Rule , there will be a comparison and if there is no match you keep going

untill you hit the default rule.

Customizing certain conidtions and results in the authorization policy depends on what you want to configure and have in your production.

Can you be more specific what is your issue?

In the meantime i recommend you to read more abotu the policy based model in ACS 5 which is detailed in the ACS user guide.

----------------------------------------------------------------------------

Don't forget to rate correct answers

Some ACS5.3 issues

steve switzer — Fri, 22 Jun 2012 13:01:22 GMT

What i want is to have a service selection policy consisting of a numbetr of rules

For instance

1. For admin access to all network devices

2. One for the service desk to only access lobby ambassador

Unfortunately if i hit the service desk rule first i get the following error -

TACACS+ requests can only be processed by Access Services that are of type Device Administration

and

Verify that the Service Selection Policy rules are correct

I have a rule called Default admin - but how do i know the access services

are of that type.

Steve

Some ACS5.3 issues

Jatin Katyal — Fri, 22 Jun 2012 13:09:26 GMT

This means that the access policy that applies for the login is not of a device administration type, but rather network access, for example, a vpn user trying to authenticate to get access to the network.

Regards,

Jatin

Some ACS5.3 issues

steve switzer — Fri, 22 Jun 2012 13:17:51 GMT

Sorry if i seem a bit dense but how do you determine which acicess policy is a device admin type and which network

that is which exact setting - does it have to be using the default device admin service for instance...

Some ACS5.3 issues

maldehne — Fri, 22 Jun 2012 13:37:21 GMT

Sir there are two default access services ( network and device admin )

ACS uses by default the protocol as condition to select certain access service.

If the protocol is Tacacs+ , certain service is selected

if it is RADIUS a nother one is selected.

If you need to be more granular just customize your conditions.

--------------------------------------------------------------------------------

Please Don't Forget to rate correct answer

Some ACS5.3 issues

Jatin Katyal — Fri, 22 Jun 2012 14:19:30 GMT

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration". You need to check if this is what you have selected. User Selected Service Type

This would help you understanidng it.

http://www.ciscopress.com/articles/article.asp?p=1671906&seqNum=5

Some ACS5.3 issues

steve switzer — Fri, 22 Jun 2012 14:43:32 GMT

Thanks for the help by the way it is greatly appreciated !!

Well i have sorted that out now and the top 2 service

selection rules are both Device administration.

However when i try and access the device with a user who

is referenced in AD in the second rule down it doesn work

and i just hit the default on the authorisation of the first

rule .

Shouldnt i then hit the second service selection rule ?

Steve

Some ACS5.3 issues

steve switzer — Fri, 22 Jun 2012 15:10:56 GMT

Thanks for the link just had a read it seems to suggest that in the

service selection rules you need one service for TACACS and one for

Radius.

I was trying to have 2 services of TACACS - if not found in the first

Service then goes to the second - but thats not how it works - is it ?

Steve