ACS 5.2: Service Selection Rules - Jump to next rule?

Daryn Utesbayev
Level 1

Hi

I looked on the internet and I could not find an answer. Please help me to solve my issue.


Questions:

Creating more complex access services and policies, I mean in service selection rules I have several access policies. And each access policy has rules. Example: the first access policy for engineer groups. Second, the access policy for sales groups, etc. After creating policies with the same devices and locations groups, the second access policy doesn't work. I put the logs below.

Why is the ACCESS POLICY not showing a group of Sales? It seems the selection policy rules are looking at the group of engineer. Maybe it will not work because of using the same devices, locations and protocol TACACS+. Is it possible to solve the issue only with protocol TACACS+?

Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - engineer
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - testsales
Found User in Internal Users IDStore
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store - Internal Users
Looking up User in Internal Users IDStore - testsales
Found User in Internal Users IDStore
Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
No rule was matched
Evaluating Authorization Policy
Matched Default Rule
Selected Shell Profile is DenyAccess
Returned TACACS+ Authentication Reply

Accepted Solutions

Eduardo Aliaga
Level 4

Hello. Service selection rules and authorization rules are like access-lists: they have multiple entries which are evaluated top-down, and if the packet matches the first rule it will never evaluate the second rule.

Most of the time the default service selection rule called "default device admin" is good as it is, and what you need to customize are the authorization rules.

Please post your rules so we can see what you are trying to achieve.

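The top-down, first-match evaluation described in this answer, as an added example that is not part of the thread or of Cisco's code: a small Python model of service selection followed by the selected access service's authorization policy. Rule names, identity groups and device values are constructed; it reproduces why the sales user in the question ends up on the engineer service's default DenyAccess, and how keeping one service and putting the group distinction into its authorization rules changes the outcome.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: dict   # attribute -> required value; {} matches any request
    result: str        # access service (service selection) or shell profile (authorization)

    def matches(self, request: dict) -> bool:
        return all(request.get(k) == v for k, v in self.conditions.items())

def first_match(rules, request, default):
    """Top-down, first match wins: later rules are never evaluated, exactly like an ACL."""
    for rule in rules:
        if rule.matches(request):
            return rule.result
    return default

def evaluate(service_rules, services, request):
    """Service selection first, then the authorization policy of the selected service."""
    service = first_match(service_rules, request, None)
    if service is None:
        return None, "DenyAccess"          # no access service selected
    authz_rules, default_profile = services[service]
    return service, first_match(authz_rules, request, default_profile)

# Constructed request: a user in the Sales identity group logging in over TACACS+
# from a device in the same device group and location that the engineers use.
SALES_LOGIN = {"protocol": "TACACS+", "device_group": "Routers",
               "location": "HQ", "identity_group": "Sales"}
SAME_DEVICE = {"protocol": "TACACS+", "device_group": "Routers", "location": "HQ"}

def as_posted():
    """Two access services whose service selection rules share the same conditions."""
    service_rules = [Rule("engineer-rule", SAME_DEVICE, "engineer"),
                     Rule("sales-rule", SAME_DEVICE, "sales")]   # shadowed, never reached
    services = {
        "engineer": ([Rule("eng", {"identity_group": "Engineers"}, "EngShell")], "DenyAccess"),
        "sales":    ([Rule("sal", {"identity_group": "Sales"}, "SalesShell")], "DenyAccess"),
    }
    return evaluate(service_rules, services, SALES_LOGIN)

def one_service():
    """One access service; the identity group is decided in its authorization rules."""
    service_rules = [Rule("device-admin", SAME_DEVICE, "Default Device Admin")]
    services = {"Default Device Admin": ([
        Rule("eng", {"identity_group": "Engineers"}, "EngShell"),
        Rule("sal", {"identity_group": "Sales"}, "SalesShell")], "DenyAccess")}
    return evaluate(service_rules, services, SALES_LOGIN)
```

`as_posted()` returns `('engineer', 'DenyAccess')`, the same path the log in the question shows; `one_service()` returns `('Default Device Admin', 'SalesShell')`.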

2 Replies

Thank you for explaining!