Cisco ACS 5.2: cannot select default access policy to deny access if rules are not matched

Posted on 2011-05-11
Last Modified: 2012-05-11
I have 3 policies on Cisco ACS 5.2.
1 - allow users in the VPN AD group to have access if protocol = RADIUS and device type = ASA, service = VPN
2 - allow users in the domain to have access if protocol = RADIUS, service = Default Network Access
3 - allow access if protocol = TACACS, service = Default Device Admin

At the bottom of the Access Policy > Service Selection Policy screen
there is an option: "Default policy: If no rules defined or no enabled rule matches: deny access."
There is a check box beside this option.
I cannot check this box. How do I enable this to prevent users that do not match the rules above from gaining access?
Question by:schristo

    Accepted Solution


    I think you need to understand how ACS 5.x works.

    The authentication will check the access selection rule; once on that rule, it will check the identity policy and finally the authorization rules.

    If you want to restrict based on AD group or any other condition, that has to be done in the authorization rules, saying that if you match this xxx AD group, allow access; if not, match the default.

    I always suggest having the default set to deny access, and that can be done by clicking Default.

    Erick Delgado
    ACS specialist.
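The evaluation order the answer describes (service selection, then identity policy, then authorization rules, with the AD-group check living in the authorization rules and the authorization default set to deny) modelled as a small Python policy engine. This is an added illustration, not ACS code and not the answerer's; the rule conditions and request fields are constructed to mirror the three policies in the question, and the `netadmins`-free TACACS rule, the `domain users` group name and the `authenticated` flag standing in for the identity policy are assumptions.

```python
"""Toy model of the Cisco ACS 5.x evaluation flow:
service selection -> identity policy -> authorization rules.

Added example for illustration only; it is not ACS code. The rule
conditions, group names and the simplified Request fields are
assumptions constructed to mirror the question's three policies.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    protocol: str                 # "RADIUS" or "TACACS"
    device_type: str              # e.g. "ASA" or "switch"
    user: str
    ad_groups: set = field(default_factory=set)


# Service selection only picks WHICH access service handles the request.
# It is evaluated top-down; the first matching rule wins.
SERVICE_SELECTION: List[Tuple[Callable[[Request], bool], str]] = [
    (lambda r: r.protocol == "RADIUS" and r.device_type == "ASA", "VPN"),
    (lambda r: r.protocol == "RADIUS", "Default Network Access"),
    (lambda r: r.protocol == "TACACS", "Default Device Admin"),
]

# Authorization rules per service. The AD-group restriction belongs here,
# as the answer recommends, with the default result set to deny.
AUTHORIZATION = {
    "VPN": [(lambda r: "vpn" in r.ad_groups, "PERMIT")],
    "Default Network Access": [(lambda r: "domain users" in r.ad_groups, "PERMIT")],
    # Policy 3 in the question has no group condition: any authenticated
    # TACACS user is permitted (assumption mirroring the question text).
    "Default Device Admin": [(lambda r: True, "PERMIT")],
}
AUTHORIZATION_DEFAULT = "DENY"


def select_service(req: Request) -> Optional[str]:
    """Return the access service name, or None when no rule matches
    (the service selection default, which should be deny access)."""
    for condition, service in SERVICE_SELECTION:
        if condition(req):
            return service
    return None


def evaluate(req: Request, authenticated: bool = True) -> str:
    """Run the three stages and return PERMIT or DENY."""
    service = select_service(req)
    if service is None:
        return "DENY"               # no service selection rule matched
    if not authenticated:
        return "DENY"               # identity policy (credential check) failed
    for condition, result in AUTHORIZATION[service]:
        if condition(req):
            return result
    return AUTHORIZATION_DEFAULT    # no authorization rule matched: deny


if __name__ == "__main__":
    # Constructed sample requests.
    print(evaluate(Request("RADIUS", "ASA", "alice", {"vpn"})))   # PERMIT
    print(evaluate(Request("RADIUS", "ASA", "bob")))               # DENY
    print(evaluate(Request("SSH", "ASA", "eve")))                  # DENY
```

The second sample request is the case the asker is worried about: a RADIUS request from the ASA still reaches the VPN service (service selection matched), but because the user is not in the VPN group and the authorization default is deny, access is refused. Changing the service selection default alone would not have caught that user.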

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
