Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1736
Views
5
Helpful
2
Replies

ACS 5.2: Service Selection Rules - Jump to next rule?

Go to solution
Daryn Utesbayev
Level 1
Level 1

‎06-27-2013 03:06 AM - edited ‎03-10-2019 08:35 PM

Hi

I looked for on internet and i could not find a awnser. Please help me to solve my issue.

.

Questions:

Creating more complex access services and policies, I mean in server selection rules have a several access policies.  And each access policy has rules.  Example: the first access policy for engineer groups. Second the access policy for sales groups. etс. After creating policies with the same devices and locations groups, the second access policy doesn’t work. I put logs.

Why is not ACCCESS POLICY showing a group of Sales? It seems selection policy rules are looking at the group of engineer. I maybe It will not work. Because using the same devices, locations and protocol TACACS+. Is it possible to solve issue only with protocol TACACS+?

Received TACACS+ Authentication START  Request

Evaluating Service Selection Policy

Matched rule

Selected Access Service - engineer

Returned TACACS+ Authentication  Reply
Received TACACS+ Authentication CONTINUE  Request
Using previously selected Access  Service

Evaluating Identity Policy

Matched rule

Selected Identity Store - Internal  Users
Looking up User in Internal Users IDStore -  testsales
Found User in Internal Users  IDStore
TACACS+ will use the password prompt from global  TACACS+ configuration.
Returned TACACS+ Authentication  Reply
Received TACACS+ Authentication CONTINUE  Request
Using previously selected Access  Service

Evaluating Identity Policy

Matched rule

Selected Identity Store - Internal  Users
Looking up User in Internal Users IDStore -  testsales
Found User in Internal Users  IDStore

Authentication Passed

Evaluating Group Mapping Policy

Evaluating Exception Authorization  Policy

No rule was matched

Evaluating Authorization Policy

Matched Default Rule

Selected Shell Profile is  DenyAccess
Returned TACACS+ Authentication  Reply

Additional Details
Diagnostics ACS Configuration Changes
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Eduardo Aliaga
Level 4
Level 4

‎07-04-2013 09:49 PM

Hello. Service selection rules and authorization rules are like access-lists, they have multiple entries which are evaluated top-down, if the packet matches the first rule it wil never evaluate the second rule.

Most of the times the default service selection rule called "default device admin" is good as it is, and what you need to customize are the authorization rules.

Please post your rules to see what are you trying to achieve.

View solution in original post

2 Replies 2

Go to solution
Eduardo Aliaga
Level 4
Level 4

‎07-04-2013 09:49 PM

Hello. Service selection rules and authorization rules are like access-lists, they have multiple entries which are evaluated top-down, if the packet matches the first rule it wil never evaluate the second rule.

Most of the times the default service selection rule called "default device admin" is good as it is, and what you need to customize are the authorization rules.

Please post your rules to see what are you trying to achieve.

Go to solution
Daryn Utesbayev
Level 1
Level 1
In response to Eduardo Aliaga

‎07-23-2013 06:46 AM

Thank you for explaining!

0 Helpful
Customers Also Viewed These Support Documents