Foundation Topics
Cisco Secure ACS for Windows
Cisco Secure ACS is a highly scalable, access control server that operates as a centralized RADIUS server or TACACS+ server system and controls the authentication, authorization, and accounting (AAA) of users who access corporate resources through a network.
Cisco Secure ACS for Windows provides authentication, authorization, and accounting services to network devices that function as AAA clients, such as network access servers, PIX Firewalls, and routers. The AAA client in Figure 9-1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS.
Figure 9-1 A AAA Client Being Supported by a Cisco Secure ACS
Cisco Secure ACS supports a broad set of networking access products, including all Cisco IOS routers, VPN access products, voice-over-IP (VoIP) solutions, cable broadband access, content networks, wireless solutions, storage networks, and 802.1x-enabled Cisco Catalyst switches. It also supports third-party devices that can be configured with TACACS+ or RADIUS. Cisco Secure ACS treats all such devices as AAA clients.
Cisco Secure ACS centralizes access control and accounting. With Cisco Secure ACS, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the external user database shown in Figure 9-1 is optional, support for many popular user repository implementations enables companies to put to use the working knowledge gained from and the investment already made in building their corporate user repositories such as Windows Active Directory.
(Figure 9-1 components: User, AAA Client, Cisco Secure ACS, External User Database.)
To maintain reliability and security in your network, the AAA features of the Cisco Secure ACS application help you monitor and control the following:
■ Authentication—Who is logging in to the system
■ Authorization—Whether a particular user should be using the requested service
■ Accounting—What each user has been doing
The network access server directs all dial-in user access requests for authentication and authorization to Cisco Secure ACS using the TACACS+ or RADIUS protocol. If the user's request is authenticated, Cisco Secure ACS sends the user's authorizing attributes and the accounting function is then started. Figure 9-2 shows an overview of how Cisco Secure ACS for Windows works.
Figure 9-2 Cisco Secure ACS Overview
Authentication
Cisco Secure ACS supports a variety of user databases for authentication. It supports the Cisco Secure user database and the following external user databases:
■ Windows NT/2000 user database
■ Generic LDAP
■ Novell NetWare Directory Services (NDS)
■ Open Database Connectivity (ODBC)-compliant relational databases
■ CRYPTOCard token server
■ SafeWord token server
■ PassGo token server
■ RSA SecureID token server
■ AXENT
■ LEAP proxy agent
■ Safeword
■ ActivCard token server
■ Vasco token server
You can configure Cisco Secure ACS to forward authentication of users to one or more external user databases, which means that different levels of security can be used concurrently with Cisco Secure ACS for different requirements. The basic user-to-network security level is Password Authentication Protocol (PAP). Although it provides only unencrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once.
CHAP allows a higher level of security than PAP for encrypting passwords when communicating from an end-user client to the AAA client. You can use CHAP with the Cisco Secure user database.
AppleTalk Remote Access Protocol (ARA Protocol) support is included to support Apple clients.
Cisco Secure ACS supports many common password protocols including EAP-CHAP, EAP-TLS, LEAP, ARA Protocol, ASCII/PAP, CHAP, MS-CHAP.
With Cisco Secure ACS you can choose whether and how you want to use password aging. Control for password aging may reside either in the Cisco Secure user database or in a Windows NT/2000 user database. Each password-aging mechanism differs as to requirements and setting configurations.
The password-aging feature controlled by the Cisco Secure user database enables you to force users to change their passwords under any of the following conditions:
■ After a specified number of days
■ After a specified number of logins
■ The first time a new user logs in
The Windows NT/2000-based password-aging feature enables you to control the following password-aging parameters:
■ Maximum password age in days
■ Minimum password age in days
The methods and functionality of Windows password aging differ according to whether you are using Windows NT or Windows 2000 and whether you use Active Directory (AD) or Security Accounts Manager (SAM).
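The two password-aging mechanisms just described can be checked by a small policy evaluator. The following Python is an added example for this chapter, not Cisco code and not the ACS configuration model: the class and field names are assumptions, the "change required" conditions are the three Cisco Secure user database conditions listed above, and the Windows side implements only the maximum and minimum age parameters.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed models of the two password-aging mechanisms described above;
# field names are assumptions for this example, not ACS configuration names.
@dataclass(frozen=True)
class CiscoSecureAgingPolicy:
    max_age_days: Optional[int] = None     # force change after N days
    max_logins: Optional[int] = None       # force change after N logins
    change_on_first_login: bool = True     # force change the first time a new user logs in

@dataclass(frozen=True)
class WindowsAgingPolicy:
    max_password_age_days: int             # password expires after this many days
    min_password_age_days: int             # password may not be changed again sooner

    def __post_init__(self):
        # A minimum age above the maximum would leave users unable to change an
        # expired password without administrator help; reject it up front.
        if self.min_password_age_days > self.max_password_age_days:
            raise ValueError("minimum password age exceeds maximum password age")

@dataclass
class UserRecord:
    username: str
    password_set_on: date
    logins_since_change: int
    has_logged_in_before: bool

def cisco_secure_change_required(user, policy, today):
    """Return the first triggered condition, or None when no change is required."""
    if policy.change_on_first_login and not user.has_logged_in_before:
        return "first login of a new user"
    age = (today - user.password_set_on).days
    if policy.max_age_days is not None and age >= policy.max_age_days:
        return f"password is {age} days old (limit {policy.max_age_days})"
    if policy.max_logins is not None and user.logins_since_change >= policy.max_logins:
        return f"{user.logins_since_change} logins since last change (limit {policy.max_logins})"
    return None

def windows_password_state(user, policy, today):
    """'expired', 'changeable', or 'too_new' (still inside the minimum-age window)."""
    age = (today - user.password_set_on).days
    if age >= policy.max_password_age_days:
        return "expired"
    if age < policy.min_password_age_days:
        return "too_new"
    return "changeable"

if __name__ == "__main__":
    today = date(2024, 3, 1)                      # constructed evaluation date
    policy = CiscoSecureAgingPolicy(max_age_days=90, max_logins=50)
    for user in (UserRecord("newbie", today, 0, False),
                 UserRecord("alice", date(2023, 11, 1), 3, True),
                 UserRecord("carol", date(2024, 2, 1), 10, True)):
        print(user.username, "->", cisco_secure_change_required(user, policy, today))
```

The evaluator reports the first condition that fires, so a new user is told to change the password before the day or login counters are consulted; the minimum-age check on the Windows side is what stops a user from cycling through a password history in one sitting.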
Authorization
Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dialup users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.
The Cisco Secure ACS access-restrictions feature enables you to permit or deny logins based on time of day and day of week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 14-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 a.m. to 5 p.m.
You can restrict users to a service or combination of services such as PPP, ARA, Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as FTP or SNMP.
Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the virtual private dialup network (VPDN).
Additional authorization-related features of Cisco Secure ACS include the following:
■ Group administration of users, with support for up to 500 groups
■ The capability to map a user from an external user database to a specific Cisco Secure ACS group
■ Restricting access by time of day and day of week
■ Support for VoIP, including configurable logging of accounting data
■ Disabling an account after a number of failed attempts, specified by the administrator
■ Disabling an account on a specific date
■ Restricting network access based on remote address caller line identification (CLID) and dialed number identification service (DNIS)
■ Per-user and per-group TACACS+ or RADIUS attributes
■ Usage quotas by duration or total number, based on daily, weekly, or monthly periods
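The access-restrictions paragraph above (the Monday-to-Friday, 9-to-5 consultant and the 14-day trial) and several items in this list (disabling after failed attempts, disabling on a date, usage quotas per period) are all decisions made per login against group policy. The following Python is an added example for this chapter, not Cisco code and not the ACS policy model: the class names, field names, and exact boundary semantics (an account is treated as disabled from the start of its disable date, and the hour window is half-open) are assumptions, and the completed-session list stands in for what a deployment would take from accounting records.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of per-group restrictions; field names and boundary
# semantics are assumptions for this example, not ACS configuration names.
@dataclass(frozen=True)
class GroupRestrictions:
    allowed_days: FrozenSet[int]             # 0 = Monday ... 6 = Sunday
    allowed_hours: Tuple[int, int]           # [start, end) on a 24-hour clock
    max_failed_attempts: Optional[int] = None
    disable_on: Optional[date] = None        # account disabled from 00:00 on this date
    quota_seconds_per_day: Optional[int] = None
    quota_sessions_per_week: Optional[int] = None

@dataclass
class AccountState:
    username: str
    failed_attempts: int = 0
    disabled: bool = False
    # Completed sessions as (start, duration in seconds); constructed here,
    # in a deployment they would be derived from the accounting log.
    sessions: List[Tuple[datetime, int]] = field(default_factory=list)

def check_login(account, restr, now):
    """Decide a login at `now`; returns (permitted, reason) naming the first failing check."""
    if account.disabled:
        return False, "account disabled by administrator or lockout"
    if restr.disable_on is not None and now.date() >= restr.disable_on:
        return False, f"account expired on {restr.disable_on.isoformat()}"
    if restr.max_failed_attempts is not None and account.failed_attempts >= restr.max_failed_attempts:
        return False, "failed-attempt limit reached"
    if now.weekday() not in restr.allowed_days:
        return False, "outside permitted days of week"
    start_h, end_h = restr.allowed_hours
    if not start_h <= now.hour < end_h:
        return False, "outside permitted hours"
    if restr.quota_seconds_per_day is not None:
        used = sum(d for s, d in account.sessions if s.date() == now.date())
        if used >= restr.quota_seconds_per_day:
            return False, f"daily duration quota used ({used}s)"
    if restr.quota_sessions_per_week is not None:
        week = now.isocalendar()[:2]            # (ISO year, ISO week)
        count = sum(1 for s, _ in account.sessions if s.isocalendar()[:2] == week)
        if count >= restr.quota_sessions_per_week:
            return False, f"weekly session quota used ({count} sessions)"
    return True, "permitted"

def record_failed_attempt(account, restr):
    """Count a failed authentication; disable the account once the limit is reached."""
    account.failed_attempts += 1
    if restr.max_failed_attempts is not None and account.failed_attempts >= restr.max_failed_attempts:
        account.disabled = True
    return account.disabled

def record_successful_login(account):
    """A successful login resets the failed-attempt counter."""
    account.failed_attempts = 0

def consultant_group():
    """Monday to Friday, 9 a.m. to 5 p.m., as in the consultant example; lockout after 3 failures."""
    return GroupRestrictions(allowed_days=frozenset(range(5)), allowed_hours=(9, 17),
                             max_failed_attempts=3)

def free_trial_group(start, days=14):
    """14-day trial: no time-of-day limits, disabled after the trial, a constructed 2-sessions-per-week quota."""
    return GroupRestrictions(allowed_days=frozenset(range(7)), allowed_hours=(0, 24),
                             disable_on=start + timedelta(days=days), quota_sessions_per_week=2)

if __name__ == "__main__":
    acct = AccountState("consultant")
    for when in (datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 9, 10, 0)):   # Monday, Saturday
        print(when, check_login(acct, consultant_group(), when))
```

The checks are ordered so that account state (disabled, expired, locked) is decided before the calendar and quota tests; that ordering is what makes the reason string useful in a log, because a disabled account is reported as such rather than as "outside permitted hours".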
Accounting
AAA clients use the accounting functions provided by the RADIUS and TACACS+ protocols to communicate relevant data for each user session to the AAA server for recording. Cisco Secure ACS writes accounting records to a comma-separated value (CSV) log file or ODBC database, depending on your configuration. You can easily import these logs into popular database and spreadsheet applications for billing, security audits, and report generation. You can generate the following types of accounting:
■ Administrative accounting—Lists commands entered on a network device with TACACS+ command authorization enabled
■ RADIUS accounting—Lists when sessions stop and start; records AAA client messages with username; provides CLID information; records the duration of each session
■ TACACS+ Accounting—Lists when sessions start and stop; records AAA client messages with username; provides CLID information; records the duration of each session
The Cisco Secure ACS provides the following accounting features:
■ Configurable supplementary user ID fields for capturing additional information in logs
■ Centralized logging, allowing several Cisco Secure ACS servers to forward their accounting data to a remote Cisco Secure ACS server
■ Customizable logs, enabling you to capture as much information as needed
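Because the accounting records are CSV, the security audit the text mentions can be scripted. The following Python is an added example for this chapter, not Cisco code and not the actual ACS log layout: the sample log is constructed, its column names reuse standard RADIUS accounting attribute names as an assumption, and the audit pairs Start and Stop records by session ID, checks the reported session time against the log timestamps, and flags a username seen from more than one caller ID.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a CSV accounting log. The column layout is an
# assumption for this example, not the real ACS format; the column names
# reuse standard RADIUS accounting attribute names.
SAMPLE_LOG = """Date,Time,User-Name,Calling-Station-Id,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,NAS-IP-Address
03/04/2024,09:01:10,alice,5551234567,Start,0001,,10.0.0.1
03/04/2024,09:45:10,alice,5551234567,Stop,0001,2640,10.0.0.1
03/04/2024,10:10:00,bob,5559876543,Start,0002,,10.0.0.1
03/04/2024,10:12:00,bob,5550000000,Start,0003,,10.0.0.2
03/04/2024,11:00:00,bob,5559876543,Stop,0002,3000,10.0.0.1
03/04/2024,12:30:00,carol,5551112222,Stop,0004,900,10.0.0.1
"""

def parse_accounting_log(text):
    """Read the CSV and attach a parsed timestamp to every record."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["Date"] + " " + r["Time"], "%m/%d/%Y %H:%M:%S")
    return rows

def pair_sessions(rows):
    """Match Start/Stop by Acct-Session-Id; return (sessions, still_open, orphan_stops)."""
    starts, sessions, orphan_stops = {}, [], []
    for r in rows:
        sid = r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Start":
            starts[sid] = r
        elif r["Acct-Status-Type"] == "Stop":
            start = starts.pop(sid, None)
            if start is None:
                orphan_stops.append(r)          # Stop with no Start: lost record or missed login
                continue
            sessions.append({
                "user": r["User-Name"],
                "session_id": sid,
                "clid": r["Calling-Station-Id"],
                "nas": r["NAS-IP-Address"],
                "start": start["timestamp"],
                "stop": r["timestamp"],
                "reported_seconds": int(r["Acct-Session-Time"]),
                "wallclock_seconds": int((r["timestamp"] - start["timestamp"]).total_seconds()),
            })
    return sessions, list(starts.values()), orphan_stops

def audit(rows, tolerance_seconds=60):
    """Return a list of human-readable findings for a security review of the log."""
    sessions, still_open, orphan_stops = pair_sessions(rows)
    findings = []
    clids = defaultdict(set)
    for r in rows:
        clids[r["User-Name"]].add(r["Calling-Station-Id"])
    for user, ids in sorted(clids.items()):
        if len(ids) > 1:
            findings.append(f"{user}: sessions from {len(ids)} distinct caller IDs {sorted(ids)}")
    for s in sessions:
        if abs(s["reported_seconds"] - s["wallclock_seconds"]) > tolerance_seconds:
            findings.append(f"{s['user']} session {s['session_id']}: Acct-Session-Time "
                            f"{s['reported_seconds']}s disagrees with timestamps ({s['wallclock_seconds']}s)")
    for r in orphan_stops:
        findings.append(f"{r['User-Name']} session {r['Acct-Session-Id']}: Stop without Start")
    for r in still_open:
        findings.append(f"{r['User-Name']} session {r['Acct-Session-Id']}: Start without Stop (open or lost)")
    return findings

if __name__ == "__main__":
    for line in audit(parse_accounting_log(SAMPLE_LOG)):
        print(line)
```

On the constructed sample the audit reports bob's two caller IDs, carol's Stop record with no matching Start, and bob's session 0003 that never stopped; the duration cross-check passes for both completed sessions, which is the case to expect when the AAA client's clock and the server's clock agree.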
Administration
The web administration interface is platform independent, and through it you configure, maintain, and protect the AAA functionality of the server. Almost all configuration of the Cisco Secure ACS server is done through the web interface after installation. The HTML interface enables you to easily modify the Cisco Secure ACS configuration from any connection on your LAN or WAN.
The administration interface primarily uses HTML, along with some Java functions, to enhance ease of use. This design keeps the interface responsive and straightforward. The inclusion of Java requires that the browser used for administrative sessions supports Java.
Through the web interface, you can do the following:
■ View and edit user and group information
■ Restart services
■ Add remote administrators
■ View reports from anywhere on the network
■ Back up the system
■ Change AAA client information
The Cisco Secure ACS provides the following administrative capabilities:
■ Define different privileges per administrator
■ Log administrator activities
■ View a list of logged-in users
■ Restore Cisco Secure ACS configuration, user accounts, and group profiles from a backup file
■ CSMon service, providing monitoring, notification, logging, and limited automated failure response
■ Replication of Cisco Secure user database components to other Cisco Secure ACS servers
■ Automatic configuration of users, groups, network devices, and custom RADIUS vendor-specific attributes (VSAs)
■ Scheduled and on-demand Cisco Secure ACS system backups