https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788430#M232179 <HTML><HEAD></HEAD><BODY><P> ACS 5.2 uses a policy based model for processing requests. When requests are received they are initially processed by the rules defined in the Service Selection rules. These are evaluated in a first match basis to decide which AccessService to use. Each AccessService contains within it an Identity policy, Group Mapping (optional for more advanced use cases) and Authorization. The Identity policy is similarlyy a first mactch policy that is used to determine the identity store, such as internal users or Active Directory, to be used to authenticate the user. [Note that the indetity policy may be defined to have "Single result selection" in which case same&nbsp; identity database is used for all requests]. The authorization policy is used to determine the authorzation results to be returned to the user. In the case of RADIUS request this returns a set of Authorization Profiles which is a set of RADIUS attributes and their values. In the case of TACACS+ requests this can return a shell profile (set of attributes) and/or command sets that determine the command authorization.</P><P></P><P>Upon installation and by default, the Service Selection Rules are configured so that all RADIUS requests are handled by the Default Network Access service and all TACACS+ requests handled by Default Device Admin. In both cases the Indentity and Authorization policy are defined to authentifcate against the internal database and permit access with no additional attributes retrurned. So upon installation, all that is required to do to get requests processed is defined a corresponding user and network device and then processing should complete.</P><P></P><P>These default definitions allow you to get started quicked and then modify settings to evolve the policies to meet the organization needs</P></BODY></HTML> Thu, 11 Aug 2011 05:02:42 GMT jrabinow 2011-08-11T05:02:42Z https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788429#M232173 <P>Can someone explain the differences between</P><P></P><P>Default Device admin</P><P>and</P><P>Default Network access</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/4/7/56746-Screen%20Shot%202011-08-10%20at%205.49.19%20PM.png" alt="Screen Shot 2011-08-10 at 5.49.19 PM.png" class="jive-image" /></P> Mon, 11 Mar 2019 01:17:57 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788429#M232173 justins 2019-03-11T01:17:57Z https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788430#M232179 <HTML><HEAD></HEAD><BODY><P> ACS 5.2 uses a policy based model for processing requests. When requests are received they are initially processed by the rules defined in the Service Selection rules. These are evaluated in a first match basis to decide which AccessService to use. Each AccessService contains within it an Identity policy, Group Mapping (optional for more advanced use cases) and Authorization. The Identity policy is similarlyy a first mactch policy that is used to determine the identity store, such as internal users or Active Directory, to be used to authenticate the user. [Note that the indetity policy may be defined to have "Single result selection" in which case same&nbsp; identity database is used for all requests]. The authorization policy is used to determine the authorzation results to be returned to the user. In the case of RADIUS request this returns a set of Authorization Profiles which is a set of RADIUS attributes and their values. In the case of TACACS+ requests this can return a shell profile (set of attributes) and/or command sets that determine the command authorization.</P><P></P><P>Upon installation and by default, the Service Selection Rules are configured so that all RADIUS requests are handled by the Default Network Access service and all TACACS+ requests handled by Default Device Admin. In both cases the Indentity and Authorization policy are defined to authentifcate against the internal database and permit access with no additional attributes retrurned. So upon installation, all that is required to do to get requests processed is defined a corresponding user and network device and then processing should complete.</P><P></P><P>These default definitions allow you to get started quicked and then modify settings to evolve the policies to meet the organization needs</P></BODY></HTML> Thu, 11 Aug 2011 05:02:42 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788430#M232179 jrabinow 2011-08-11T05:02:42Z https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788431#M232196 <HTML><HEAD></HEAD><BODY><P>Thanks for the explanation. That makes sense as I only use Tacacs and I only changed the device admin setup and my iOS devices are working (wish I could say the same for junos)</P></BODY></HTML> Thu, 11 Aug 2011 05:57:28 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-access-services/m-p/1788431#M232196 justins 2011-08-11T05:57:28Z