Cisco Systems CSACS3415K9 Computer Accessories User Manual
4-27
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
Step 7 Click Finish.
Creating an Endpoint Admission Control Policy
After you create a service, you configure the endpoint admission control policy. The endpoint admission control policy returns an SGT to the endpoint and an authorization profile. You can create multiple policies and configure the Default Rule policy. The defaults are Deny Access and the Unknown security group.
To add a session authorization policy for an access service:
Step 1 Choose Access Policies > Access Services > service > Authorization.
Step 2 Configure an Authorization Policy. See Configuring a Session Authorization Policy for Network Access, page 10-30.
Step 3 Fill in the fields in the Network Access Authorization Rule Properties page.
The Default Rule provides a default rule when no rules match or there are no rules defined. The default for the Default Rule result is Deny Access, which denies access to the network. The security group tag is Unknown.
You can modify the security group when creating the session authorization policy for Security Group Access.
Step 4 Click OK.
Step 5 Choose Access Policies > Service Selection Policy to choose which services to include in the endpoint policy. See Configuring the Service Selection Policy, page 10-5, for more information.
Step 6 Fill in the fields in the Service Selection Policy pages.
Step 7 Click Save Changes.
Creating an Egress Policy
The Egress policy (sometimes called SGACL policy) determines which SGACL to apply at the Egress points of the network based on the source and destination SGT. The Egress policy is represented in a matrix, where the X and Y axis represent the destination and source SGT, respectively, and each cell contains the set of SGACLs to apply at the intersection of these two SGTs.
Any security group can take the role of a source SGT, if an endpoint (or Security Group Access device) that carries this SGT sends the packet. Any security group can take the role of a destination SGT, if the packet is targeting an endpoint (or Security Group Access device) that carries this SGT. Therefore, the Egress matrix lists all of the existing security groups on both axes, making it a Cartesian product of the SGT set with itself (SGT x SGT).
The first row (topmost) of the matrix contains the column headers, which display the destination SGT. The first column (far left) contains the row titles, with the source SG displayed. At the intersection of these axes lies the origin cell (top left) that contains the titles of the axes, namely, Destination and Source.
All other cells are internal matrix cells that contain the defined SGACL. The rows and columns are ordered alphabetically according to the SGT names. Each SGACL can contain 200 ACEs.
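The following Python model, added here as an illustration and not part of the Cisco guide or of ACS itself, ties together the two pieces described above: a session authorization lookup that falls back to the Default Rule result (Deny Access, Unknown SGT), and an Egress matrix built as the Cartesian product of the SGT set with itself, with both axes sorted alphabetically and the 200-ACE limit per SGACL enforced. The security group names, SGACL names and ACE strings are constructed sample values.

```python
from dataclasses import dataclass
from itertools import product

ACE_LIMIT = 200  # the guide states each SGACL can contain 200 ACEs

@dataclass
class Sgacl:
    name: str
    aces: list  # ACE strings (sample values below are constructed)

    def __post_init__(self):
        if len(self.aces) > ACE_LIMIT:
            raise ValueError(f"{self.name}: {len(self.aces)} ACEs exceeds {ACE_LIMIT}")

def authorize(rules, session, default=("Deny Access", "Unknown")):
    """Session authorization: first matching rule returns (profile, SGT);
    with no match the Default Rule result (Deny Access, Unknown) applies."""
    for condition, profile, sgt in rules:
        if condition(session):
            return profile, sgt
    return default

class EgressMatrix:
    """SGT x SGT matrix: rows are source SGTs, columns destination SGTs,
    each cell the list of SGACLs applied at that intersection."""

    def __init__(self, sgts):
        self.sgts = sorted(sgts)  # both axes ordered alphabetically by SGT name
        self.cells = {pair: [] for pair in product(self.sgts, repeat=2)}

    def assign(self, src, dst, sgacl):
        self.cells[(src, dst)].append(sgacl)

    def lookup(self, src, dst):
        return [a.name for a in self.cells[(src, dst)]]

    def render(self):
        """Origin cell holds the axis titles, then one row per source SGT."""
        header = ["Source/Destination", *self.sgts]
        rows = [[s, *[",".join(self.lookup(s, d)) or "-" for d in self.sgts]]
                for s in self.sgts]
        return [header, *rows]

# Constructed sample: three security groups plus Unknown, two SGACLs
matrix = EgressMatrix(["Servers", "Finance", "Unknown", "HR"])
matrix.assign("Finance", "Servers", Sgacl("Fin_to_Srv", ["permit tcp dst eq 443", "deny ip"]))
matrix.assign("Unknown", "Servers", Sgacl("Deny_All", ["deny ip"]))
```

A lookup for a source/destination pair that has no SGACL assigned returns an empty list, which is how the model represents an empty matrix cell; the Unknown row exists because Unknown is itself a security group and therefore appears on both axes.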