CHAPTER 3
ACS 5.x Policy Model
User Guide for Cisco Secure Access Control System 5.4, OL-26225-01
ACS 5.x is a policy-based access control system. The term policy model in ACS 5.x refers to the
presentation of policy elements, objects, and rules to the policy administrator. ACS 5.x uses a rule-based
policy model instead of the group-based model used in the 4.x versions.
This section contains the following topics:
• Overview of the ACS 5.x Policy Model, page 3-1
• Access Services, page 3-6
• Service Selection Policy, page 3-12
• Authorization Profiles for Network Access, page 3-16
• Policies and Identity Attributes, page 3-17
• Policies and Network Device Groups, page 3-18
• Example of a Rule-Based Policy, page 3-18
• Flows for Configuring Services and Policies, page 3-19
Note: See Functionality Mapping from ACS 4.x to ACS 5.4, page 2-5, for a mapping of ACS 4.x concepts to ACS 5.4.
Overview of the ACS 5.x Policy Model
The ACS 5.x rule-based policy model provides more powerful and flexible access control than is
possible with the older group-based approach.
In the older group-based model, a group defines policy because it contains and ties together three types
of information:
• Identity information—This information can be based on membership in AD or LDAP groups or a
static assignment for internal ACS users.
• Other restrictions or conditions—Time restrictions, device restrictions, and so on.
• Permissions—VLANs or Cisco IOS privilege levels.
The ACS 5.x policy model is based on rules of the form:
If condition then result
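The following is an added illustration of the "If condition then result" rule form, not code from the guide or from ACS itself. It separates the three kinds of information a 4.x group bundled (identity, other conditions, permissions) into independent conditions and results; the request attribute names, the sample groups, and first-match ordering are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed access request: who is asking, from which device group, and when.
@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # e.g. AD/LDAP group memberships (identity information)
    device_group: str          # network device group of the requesting device (assumed attribute)
    hour: int                  # hour of day, 0-23 (time restriction input)

# One rule of the form "If condition then result".
@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Request], bool]
    result: Dict[str, object]  # permissions, e.g. {"vlan": 10} or {"privilege": 15}

# Condition helpers, one per kind of information a 4.x group used to tie together.
def in_group(group: str) -> Callable[[Request], bool]:
    return lambda r: group in r.groups

def from_devices(device_group: str) -> Callable[[Request], bool]:
    return lambda r: r.device_group == device_group

def during(start_hour: int, end_hour: int) -> Callable[[Request], bool]:
    return lambda r: start_hour <= r.hour < end_hour

def all_of(*conds: Callable[[Request], bool]) -> Callable[[Request], bool]:
    return lambda r: all(c(r) for c in conds)

def evaluate(rules: List[Rule], request: Request,
             default: Optional[Dict[str, object]] = None) -> Tuple[str, Dict[str, object]]:
    """Return (rule name, result) of the first matching rule (first-match order is assumed here).
    When no rule matches, fall back to an explicit default, deny by default."""
    for rule in rules:
        if rule.condition(request):
            return rule.name, rule.result
    return "default", default if default is not None else {"access": "deny"}

# Constructed rule table: the same identity group yields different permissions
# depending on the other conditions, which a single 4.x group could not express.
RULES = [
    Rule("admins-on-core", all_of(in_group("NetAdmins"), from_devices("Core")), {"privilege": 15}),
    Rule("admins-business-hours", all_of(in_group("NetAdmins"), during(8, 18)), {"privilege": 7}),
    Rule("employees", in_group("Employees"), {"vlan": 10}),
]

if __name__ == "__main__":
    alice = Request("alice", frozenset({"NetAdmins", "Employees"}), "Branch", 22)
    print(evaluate(RULES, alice))  # falls through to the "employees" rule after hours
```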