Foundation Topics
Cisco Secure ACS for Windows
Cisco Secure ACS is a highly scalable access control server that operates as a centralized RADIUS server or TACACS+ server and controls the authentication, authorization, and accounting (AAA) of users who access corporate resources through a network.
Cisco Secure ACS for Windows provides authentication, authorization, and accounting services to network devices that function as AAA clients, such as network access servers, PIX firewalls, and routers. The AAA client in Figure 9-1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.
Figure 9-1 A AAA Client Being Supported by a Cisco Secure ACS
Cisco Secure ACS supports a broad set of networking access products, including all Cisco IOS routers, VPN access products, voice-over-IP (VoIP) solutions, cable broadband access, content networks, wireless solutions, storage networks, and 802.1x-enabled Cisco Catalyst switches. It also supports third-party devices that can be configured with TACACS+ or RADIUS. Cisco Secure ACS treats all such devices as AAA clients.
Cisco Secure ACS centralizes access control and accounting. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 9-1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories such as Windows Active Directory.
To maintain reliability and security in your network, the AAA features of the Cisco Secure ACS application help you monitor and control the following:
■ Authentication—Who is logging in to the system
■ Authorization—Whether a particular user should be using the requested service
■ Accounting—What each user has been doing
The network access server directs all dial-in user access requests for authentication and authorization to Cisco Secure ACS using the TACACS+ or RADIUS protocol. If the user’s request is authenticated, Cisco Secure ACS sends the user’s authorizing attributes and the accounting function is then started. Figure 9-2 shows an overview of how Cisco Secure ACS for Windows works.
Figure 9-2 Cisco Secure ACS Overview
Authentication
Cisco Secure ACS supports a variety of user databases for authentication. It supports the Cisco Secure user database and the following external user databases:
■ Windows NT/2000 user database
■ Generic LDAP
■ Novell NetWare Directory Services (NDS)
■ Open Database Connectivity (ODBC)-compliant relational databases
■ CRYPTOCard token server
■ SafeWord token server
■ PassGo token server
■ RSA SecurID token server
■ AXENT
■ LEAP proxy agent
■ Safeword
■ ActivCard token server
■ Vasco token server
You can configure Cisco Secure ACS to forward authentication of users to one or more external user databases, which means that different levels of security can be used concurrently with Cisco Secure ACS for different requirements. The basic user-to-network security level is Password Authentication Protocol (PAP). Although PAP sends the password unencrypted, it does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once.
CHAP allows a higher level of security than PAP because the password is not sent in the clear from the end-user client to the AAA client. You can use CHAP with the Cisco Secure user database. AppleTalk Remote Access Protocol (ARA Protocol) support is included to support Apple clients. Cisco Secure ACS supports many common password protocols, including EAP-CHAP, EAP-TLS, LEAP, ARA Protocol, ASCII/PAP, CHAP, and MS-CHAP.
With Cisco Secure ACS you can choose whether and how you want to use password aging. Control for password aging may reside either in the Cisco Secure user database or in a Windows NT/2000 user database. Each password-aging mechanism differs as to requirements and setting configurations.
The password-aging feature controlled by the Cisco Secure user database enables you to force users to change their passwords under any of the following conditions:
■ After a specified number of days
■ After a specified number of logins
■ The first time a new user logs in
The Windows NT/2000-based password-aging feature enables you to control the following password-aging parameters:
■ Maximum password age in days
■ Minimum password age in days
The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000 and whether you use Active Directory (AD) or Security Accounts Manager (SAM).
Authorization
Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dialup users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.
The Cisco Secure ACS access-restrictions feature enables you to permit or deny logins based on time of day and day of week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 14-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 a.m. to 5 p.m.
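As an added illustration (not code from the book or from Cisco Secure ACS), the following Python models the two access-restriction cases just described, the 14-day free-trial group and the consultant group limited to Monday through Friday, 9 a.m. to 5 p.m., together with the three password-aging conditions of the Cisco Secure user database listed earlier. The policy field names, the expiry date, and the 90-day/50-login limits are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed group policies modelled on the two examples in the text.
# Field names are assumptions, not ACS configuration keys.
GROUPS = {
    # Temporary trial accounts: any day, any hour, disabled on a set date
    "trial": {
        "days": {0, 1, 2, 3, 4, 5, 6},
        "hours": (0, 24),
        "expires": datetime(2024, 1, 15),   # created 2024-01-01 + 14 days
    },
    # Consultant: Monday (0) to Friday (4), 09:00 up to but not including 17:00
    "consultant": {
        "days": {0, 1, 2, 3, 4},
        "hours": (9, 17),
        "expires": None,
    },
}

# Password-aging limits (assumed values) for the Cisco Secure user database
# conditions: after N days, after N logins, or on a new user's first login.
AGING = {"max_days": 90, "max_logins": 50}


def login_allowed(group, when):
    """Return (allowed, reason) for a login attempt in `group` at datetime `when`."""
    policy = GROUPS[group]
    if policy["expires"] is not None and when >= policy["expires"]:
        return False, "account expired"
    if when.weekday() not in policy["days"]:
        return False, "day of week not permitted"
    start, end = policy["hours"]
    if not start <= when.hour < end:
        return False, "time of day not permitted"
    return True, "permitted"


def password_change_required(user, now):
    """user: 'last_changed' (datetime or None for a new user) and
    'logins' (successful logins since the last password change)."""
    if user["last_changed"] is None:
        return True, "first login"
    if now - user["last_changed"] >= timedelta(days=AGING["max_days"]):
        return True, f"password older than {AGING['max_days']} days"
    if user["logins"] >= AGING["max_logins"]:
        return True, f"login count reached {AGING['max_logins']}"
    return False, "password current"
```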
You can restrict users to a service or combination of services such as PPP, ARA, Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as FTP or SNMP.
Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the virtual private dialup network (VPDN).
Additional authorization-related features of Cisco Secure ACS include the following:
■ Group administration of users, with support for up to 500 groups
■ The capability to map a user from an external user database to a specific Cisco Secure ACS group