CCSP Self-Study: Advanced AAA Security for Cisco Router Networks
- Cisco Secure ACS Introduction
- Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers
- Administering and Troubleshooting Cisco Secure ACS for Windows
- TACACS+ Overview
- RADIUS Overview
- Kerberos Overview
- Chapter Summary
- Cisco IOS Commands Presented in This Chapter
- Chapter Review Questions
- Case Study
Upon completion of this chapter, you will be able to perform the following tasks:
Describe the Features and Architecture of Cisco Secure ACS 3.0 for Windows 2000/NT Servers (Cisco Secure ACS for Windows)
Configure Cisco Secure ACS for Windows to Perform AAA Functions
Describe the Features and Architecture of Cisco Secure ACS 2.3 for UNIX
Configure the Perimeter Router to Enable AAA Processes to Use a TACACS Remote Service
This chapter covers Cisco Secure ACS 3.0 for Windows 2000/NT Servers (Cisco Secure ACS for Windows) and Cisco Secure ACS for UNIX (Solaris). The Windows 2000 version has the most coverage in this chapter. The configuration of the Windows 2000 product is covered as a high-level overview. This chapter also covers the security services of TACACS+, RADIUS, and Kerberos.
This chapter includes the following topics:
Introduction to Cisco Secure ACS for Windows
Product overview: Cisco Secure ACS for Windows
Product overview: Cisco Secure ACS for UNIX (Solaris)
Installing Cisco Secure ACS for Windows
Administering and troubleshooting Cisco Secure ACS for Windows
TACACS+ overview and configuration
RADIUS configuration overview
Cisco Secure ACS Introduction
This section presents an introduction to the Cisco Secure ACS offerings shown in Figure 3-1, including the following products:
Cisco Secure ACS for Windows
Cisco Secure ACS for UNIX
The next three sections discuss each of the Cisco Secure ACS product offerings.
Figure 3-1 Cisco Secure ACS Servers
Cisco Secure ACS for Windows
Cisco Secure ACS for Windows is a network security software application that helps you control access to the campus network, dial-in access, and the Internet. Cisco Secure ACS for Windows operates as Windows NT or Windows 2000 services and controls authentication, authorization, and accounting (AAA) of users accessing the network.
This section presents an overview of the product and prepares you to install and configure Cisco Secure ACS for Windows.
Cisco Secure ACS for Windows provides AAA services to network devices that function as AAA clients, such as routers, network access servers, PIX Firewalls, and VPN 3000 Concentrators. An AAA client is any device that provides AAA client functionality and uses one of the AAA protocols supported by Cisco Secure ACS for Windows. It also supports third-party devices that can be configured to use TACACS+ or RADIUS protocols. Cisco Secure ACS for Windows treats all such devices as AAA clients. Cisco Secure ACS for Windows uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.
Cisco Secure ACS for Windows helps to centralize access control and accounting, in addition to router and switch access management. With Cisco Secure ACS for Windows, network administrators can quickly administer accounts and globally change levels of service offerings for entire groups of users. Although the use of an external user database is optional, support for many popular user repository implementations enables companies to use the working knowledge gained from and the investment already made in building the corporate user repositories.
Cisco Secure ACS for Windows is an easy-to-use ACS that is simple to install and administer. It runs on the popular Windows NT Server 4.0 (SP5 or 6) or 2000 Server (SP 1 or 2) Microsoft operating systems. The Cisco Secure ACS for Windows administration interface is viewed using supported web browsers, making it easy to administer.
Cisco Secure ACS for Windows authenticates usernames and passwords against the Windows NT or Windows 2000 user database, the Cisco Secure ACS for Windows database, a token server database, or Novell NetWare Directory Service (NDS).
Different levels of security can be used with Cisco Secure ACS for Windows for different requirements. The basic user-to-network security level is Password Authentication Protocol (PAP). Although it does not represent the highest form of encrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT or Windows 2000 database. With this configuration, users need to log in only a single time. Challenge Handshake Authentication Protocol (CHAP) allows a higher level of security for encrypting passwords when communicating from a client to the network access server. You can use CHAP with the Cisco Secure ACS for Windows user database. Microsoft CHAP (MS-CHAP) is a version of CHAP that was developed by Microsoft to work more closely with the Microsoft Windows operating system.
PAP, CHAP, and MS-CHAP are authentication protocols that are used to encrypt passwords. However, each protocol provides a different level of security:
PAP: Uses clear-text passwords and is the least sophisticated authentication protocol. If you are using the Windows NT or Windows 2000 user database to authenticate users, you must use PAP password encryption.
CHAP: Uses a challenge-response mechanism with one-way encryption on the response. CHAP lets Cisco Secure ACS for Windows negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the Cisco Secure ACS for Windows user database for authentication, you can use either PAP or CHAP.
MS-CHAP: Cisco Secure ACS for Windows supports MS-CHAP for user authentication. The differences between MS-CHAP and standard CHAP follow:
The MS-CHAP response packet is in a format that is compatible with Microsoft Windows and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
MS-CHAP provides an authenticator-controlled authentication retry mechanism.
MS-CHAP version 2 provides additional failure codes in the Failure Packet Message field.
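The following Python is an added illustration of the PAP and CHAP verification paths described above; it is not code from the book or from Cisco Secure ACS. It implements the RFC 1994 CHAP response (MD5 over identifier, secret and challenge) beside a PAP check, to show why CHAP verification needs the authenticator to hold the clear-text (or reversibly encrypted) secret, whereas PAP can verify against a one-way salted hash. All usernames, secrets and challenges are constructed sample values.

```python
"""PAP versus CHAP verification on the authenticator side.

Added illustration, not code from the book or from Cisco Secure ACS.
Usernames, secrets and challenges below are constructed sample values.
"""
import hashlib
import hmac
import os
import secrets

# Constructed CHAP store. The server must keep the secret itself, because it
# has to recompute MD5(id || secret || challenge) on every login. A store that
# holds only one-way hashes (the reason the text gives for PAP being required
# with a Windows NT/2000 user database) cannot produce this value.
CHAP_SECRETS = {"alice": b"s3cr3t-pw"}

PBKDF2_ROUNDS = 100_000


def pap_enroll(password, salt=None):
    """PAP store entry: a salted one-way hash is enough, because the clear-text
    password arrives on every login and is compared at that moment."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def pap_verify(store, user, password):
    """Recompute the salted hash of the password received over the link."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(store, user, identifier, challenge, response):
    """Authenticator side: recompute the expected response from the stored secret."""
    secret = store.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(store, user, client_secret, identifier=1, challenge=None):
    """One challenge/response round. Returns (accepted, challenge, response).
    A fresh random challenge per round is what keeps a captured response from
    being replayed later."""
    challenge = challenge if challenge is not None else secrets.token_bytes(16)
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(store, user, identifier, challenge, response), challenge, response
```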
Cisco Secure ACS for Windows, depicted in Figure 3-2, has the following general features:
Simultaneous TACACS+ and RADIUS support between Cisco Secure ACS for Windows and the NAS or perimeter router
Windows NT or Windows 2000 user database support:
Leverages and consolidates Windows NT or Windows 2000 username and password management
Enables single login to network and Windows NT or Windows 2000 domains
Runs on Windows NT or Windows 2000 standalone, primary domain controller (PDC), and backup domain controller (BDC) server configurations
Supports the use of external user databases:
External token card servers
Supports the following leading authentication protocols:
Network access server callback feature supported for increased security
Figure 3-2 General Features
Although Cisco Secure ACS for Windows can function on a BDC or PDC, Cisco SAFE practices recommend placing the application on a standalone server to separate the services of one authentication server from another. Doing so will improve the security posture by making it potentially more difficult for an attacker to penetrate multiple devices.
Cisco Secure ACS for Windows supports the following AAA features:
TACACS+ support for:
Access lists, named or numbered
Time-of-day and day-of-week access restrictions
AppleTalk Remote Access (ARA) support
Enable-privilege support levels
Authentication to an LDAP server
One-time password (OTP) for enable passwords
Cisco RADIUS Attribute-Value pairs
Proprietary RADIUS extensions (Lucent)
Single TACACS+/RADIUS database for simultaneous support
Other AAA product features are as follows:
VPN and Virtual Private Dialup Network (VPDN) support is available at the origination and termination of VPN (L2F) tunnels
User restrictions can be based on remote address Calling Line Identification (CLID)
Can disable an account on a specific date or after "n" failed attempts
Cisco Secure ACS for Windows has many user-friendly administration features, such as:
Browser-based GUI allows management from a web browser via a LAN or by dialing in. Simplifies and distributes configuration for ACS, user profiles, and group profiles:
Help and online documentation are included for quick problem solving and access from a web browser (The browser does not use SSL; it uses CSAdmin running as a Windows service to provide the website for ACS)
Permits group administration of users for maximum flexibility and to facilitate enforcement and changes of security policies
Remote administration can be permitted/denied by using a unique administration username/password
Remote administrator session has a timeout value
Can view a logged-in user list for a quick view of who is connected
Creates separate TACACS+ and RADIUS files stored in comma-separated value (CSV) spreadsheet format for easy import into databases and spreadsheet applications
Has import utility to rapidly import a large number of users
Hash-indexed flat-file database support for high-speed transaction processing (Cisco Secure ACS for Windows user database)
Distributed System Features
As shown in Figure 3-3, Cisco Secure ACS for Windows can be used in a distributed system. Multiple Cisco Secure ACS for Windows servers and AAA servers can be configured to communicate with one another as masters, clients, or peers. Cisco Secure ACS for Windows also recognizes network access restrictions of other Cisco Secure ACS for Windows servers on the distributed network.
Figure 3-3 Distributed System Features
Cisco Secure ACS for Windows allows you to use powerful features, such as:
Authentication forwarding: Authentication forwarding allows the Cisco Secure ACS for Windows to automatically forward an authentication request from a network access server to another Cisco Secure ACS for Windows. After authentication, authorization privileges are applied to the network access server for that user authentication.
Fallback on failed connection: You can configure the order in which Cisco Secure ACS for Windows checks the remote Cisco Secure ACS for Windows servers if the network connection to the primary Cisco Secure ACS for Windows server fails. If an authentication request cannot be sent to the first listed server, the next listed server is checked, in order down the list, until a Cisco Secure ACS for Windows server handles the authentication. If Cisco Secure ACS for Windows cannot connect to any of the servers on the list, authentication fails.
Remote and centralized accounting: Cisco Secure ACS for Windows can be configured to point to a centralized Cisco Secure ACS for Windows that is used as the accounting server. The centralized Cisco Secure ACS for Windows will still have all the capabilities that a Cisco Secure ACS for Windows server has, with the addition of being a central repository for all accounting logs that are sent.
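The fallback-on-failed-connection behaviour just described, as an added Python illustration that is not code from the book or from Cisco Secure ACS. The server names and the transport are constructed: send is a caller-supplied function that returns True or False when a server answers, and raises ConnectionError or TimeoutError when the request could not be delivered. The distinction the code enforces is the one the text draws: only a delivery failure moves on to the next server in the list; a reject from a reachable server is a final answer, and a list with no reachable server fails the authentication.

```python
"""Ordered fallback across AAA servers.

Added illustration, not code from the book or from Cisco Secure ACS.
Server names and the transport function are constructed for the example.
"""


def authenticate_with_fallback(servers, send, request):
    """servers: ordered list of server names, primary first.
    send(server, request): returns True/False when the server answers,
    raises ConnectionError/TimeoutError when the request cannot be sent.
    Returns (decision, answering_server, attempts) where decision is
    True (accept), False (reject) or None (no server could be reached)."""
    attempts = []
    for server in servers:
        try:
            decision = send(server, request)
        except (ConnectionError, TimeoutError) as exc:
            attempts.append((server, f"unreachable: {exc}"))
            continue                            # try the next server down the list
        attempts.append((server, "accept" if decision else "reject"))
        return decision, server, attempts       # an answer, either way, ends the search
    return None, None, attempts                 # nobody reachable: authentication fails


def make_transport(status):
    """Constructed transport for the example: status maps a server name to
    'down', 'accept' or 'reject'. Unknown servers are treated as down."""
    def send(server, request):
        state = status.get(server, "down")
        if state == "down":
            raise ConnectionError(f"{server} did not respond")
        return state == "accept"
    return send
```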
External Database Support
You can configure Cisco Secure ACS for Windows to forward authentication of users to one or more external user databases. Support for external user databases means that Cisco Secure ACS for Windows does not require that you create duplicate user entries in the Cisco Secure user database. Users can be authenticated using any of the following:
Windows NT or Windows 2000 user database
Open Database Connectivity (ODBC)-compliant relational databases
LEAP Proxy RADIUS servers
Symantec (AXENT) Defender token servers
Secure Computing SafeWord token servers
RSA SecurID token servers
RADIUS-based token servers, including:
ActivCard token servers
CRYPTOCard token servers
VASCO token servers
Generic RADIUS token servers
Regardless of which database is used to authenticate users, the Cisco Secure user database, internal to Cisco Secure ACS for Windows, authorizes requested network services.
Cisco Secure ACS for Windows requires an application program interface (API) for third-party authentication support. Cisco Secure ACS for Windows communicates with the external user database using the API. For Windows NT or Windows 2000, Generic LDAP, and Novell NDS authentication, the API for the external authentication is local to the Cisco Secure ACS for Windows system and is provided by the local operating system. In these cases, no further components are required.
In the case of ODBC authentication sources, in addition to the Windows ODBC interface, the third-party ODBC driver must be installed on the Cisco Secure ACS for Windows server.
To communicate with each traditional token server, you must have software components provided by the OTP vendors installed, in addition to the Cisco Secure ACS for Windows components. You must also specify in User Setup that a token card server be used.
For RADIUS-based token servers, such as those from ActivCard, CRYPTOCard, and VASCO, the standard RADIUS interface serves as the third-party API.
Database Management Features
Two utilities, Database Replication and Relational Database Management System (RDBMS) Synchronization, are provided with Cisco Secure ACS for Windows. These utilities help automate the process of keeping your Cisco Secure ACS for Windows database and network configuration current. A third utility, CSUtil.exe, allows for database backup and restore functionality.
Figure 3-4 shows a typical installation that can support Database Replication, RDBMS Synchronization, and ODBC import. These three topics will be discussed in the following sections.
Figure 3-4 Database Management Features
Database Replication is a powerful feature that is designed to simplify the construction of a fault-tolerant AAA service environment based on the Cisco Secure ACS for Windows. The primary purpose of Database Replication is to provide the facility to replicate various parts of the setup on a Cisco Secure ACS for Windows master server to one or more Cisco Secure ACS for Windows client systems, allowing the administrator to automate the creation of mirror systems. These mirror systems can then be used to provide server redundancy as fallback or secondary servers to support fault-tolerant operation if the master or primary system fails.
Do not confuse Database Replication with database/system backup. Database Replication is not a complete replacement for database backup. You should still have a reliable database backup strategy to ensure data integrity.
RDBMS Synchronization is an integration feature designed to simplify integration of Cisco Secure ACS for Windows with a third-party RDBMS application. RDBMS Synchronization automates synchronization with an SQL, Oracle, or Sybase RDBMS data source by providing the following functions:
Specification of an ODBC data source to use for synchronization data that is shared by Cisco Secure ACS for Windows and the other RDBMS application and to provide control of the Cisco Secure ACS for Windows updates to an external application
Control of the timing of the import/synchronization process, including the creation of schedules
Control of which systems are to be synchronized
The RDBMS Synchronization feature has two components:
CSDBSync: CSDBSync is a dedicated Windows NT or Windows 2000 service that performs automated user and group account management services for Cisco Secure ACS for Windows.
ODBC data store (table): This table specifies the record format. Each record holds user or group information that corresponds with the data stored for each user in the Cisco Secure ACS for Windows database. Additionally, each record contains other fields, including an action code for the record. Any application can write to this table, and CSDBSync reads from it and takes actions on each record that it finds in the table (for example, add user, delete user, and so on) as determined by the action code.
ODBC Import Definitions
Cisco Secure ACS for Windows supports the import of data from ODBC-compliant databases, such as Microsoft Access or Oracle. Importing is done with a single table to import user/group information into one or more ACS servers.
The CSAccupdate service processes the table and updates local/remote ACS installations according to its configuration.
Cisco Secure ACS for Windows provides AAA services to multiple NASs or perimeter routers. It includes seven service modules, as shown in Figure 3-5.
Figure 3-5 Windows Architecture
Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the Cisco Secure ACS for Windows browser interface.
Cisco Secure ACS for Windows installs the following Windows services on your server:
Administration service (CSAdmin): Cisco Secure ACS for Windows is equipped with its own internal web server. After Cisco Secure ACS for Windows is installed, you must configure it from its HTML/Java interface, which requires CSAdmin to always be enabled.
Authentication and authorization service (CSAuth): The primary responsibility of Cisco Secure ACS for Windows is the authentication and authorization of requests from devices to permit or deny access to a specified user. CSAuth is the service that is responsible for determining whether access should be granted and for defining the privileges associated with that user. CSAuth is the database manager.
TACACS service (CSTacacs) and RADIUS service (CSRadius): These services communicate between the CSAuth module and the access device that is requesting the authentication and authorization services. CSTacacs is used to communicate with TACACS+ devices and CSRadius is used to communicate with RADIUS devices. Both services can run simultaneously. When only one security protocol is used, only the respective service needs to be running.
Logging service (CSLog): CSLog is the service that is used to capture and place logging information. CSLog gathers data from the TACACS+ or RADIUS packet and CSAuth and manipulates the data to be put into the CSV files. The CSV files are created daily starting at midnight.
CSDBSync service: This service performs automated user and group account management services for Cisco Secure ACS for Windows. CSDBSync is the service that is used to synchronize the Cisco Secure ACS for Windows database with third-party RDBMSs and is an alternative to using the ODBC dynamic link library (DLL). Starting with Version 2.4, CSDBSync synchronizes AAA client, AAA server, network device groups (NDGs), and Proxy Table information with data from an external relational database.
CSMon: CSMon is the Cisco Secure ACS for Windows self-monitoring and self-correcting service. CSMon works for both TACACS+ and RADIUS and automatically detects which protocols are in use. CSMon facilitates minimum downtime in a remote access network environment by performing four basic activities:
Monitoring: Monitors the overall status of Cisco Secure ACS for Windows and the host server on which it is running. CSMon monitors the generic host system state, application-specific performance, and system resource consumption by Cisco Secure ACS for Windows.
Recording: Records and reports all exceptions to the CSMon Log or the Windows Event Log.
Notification: Alerts the administrator to potential problems and real events regarding Cisco Secure ACS for Windows and records the activity. CSMon can be configured to send messages concerning exception events, responses, and the outcomes of response actions.
Response: Attempts to automatically and intelligently fix detected problems. CSMon can respond to warning events and failure events by taking either predefined actions or customer-definable actions.
Using the ACS Database
Using either the TACACS+ or the RADIUS protocol, the network access server directs all dial-in user access requests to Cisco Secure ACS for Windows for authentication and authorization of privileges, which verifies the username and password. Cisco Secure ACS for Windows then returns a success or failure response to the network access server, which permits or denies user access. When the user has been authenticated, Cisco Secure ACS for Windows sends a set of authorization attributes to the network access server, and then the accounting functions take effect.
Referring to the numbers shown in Figure 3-6, when the Cisco Secure ACS for Windows user database is selected, the following service and database interaction occurs:
TACACS+ or RADIUS service directs the request to the Cisco Secure ACS Authentication and Authorization Windows NT or Windows 2000 service.
The request is authenticated against the Cisco Secure ACS for Windows user database, associated authorizations are assigned, and accounting information is logged to the Cisco Secure ACS Logging service.
The Windows NT or Windows 2000 user database does not authenticate the user to permit dial-in. The user must log in to Windows NT or Windows 2000 once the dialup AAA process is complete.
Figure 3-6 Using the ACS Database
Cisco Secure ACS for Windows uses a built-in user database that is a hash-indexed flat file. This type of file is not searched from the top of a text file, as is typically associated with the term flat file, but instead is indexed like a database. The hash-indexed flat file builds an index and tree structure so that lookups are far faster than a linear scan, which enables the Cisco Secure ACS for Windows user database to rapidly authenticate users.
Using the Cisco Secure ACS for Windows user database requires you to manually enter the usernames. However, after the usernames exist in the Cisco Secure ACS for Windows user database, administration is easier than using the Windows NT or Windows 2000 user database. The Cisco Secure ACS for Windows user database supports authentication for PAP, CHAP, and MS-CHAP.
Using Windows User Database
Figure 3-7 shows the flow of the steps used when you elect to use the Windows NT or Windows 2000 user database for authentication and authorization.
Following the numbers shown in Figure 3-7, when Cisco Secure ACS for Windows uses the Windows NT or Windows 2000 user database for AAA, the following service and database interaction occurs:
TACACS+ or RADIUS service directs the request to the Cisco Secure ACS Authentication and Authorization service.
The username and password are sent to the Windows NT or Windows 2000 user database for authentication.
If approved, Windows NT or Windows 2000 grants dial permission as a local user.
A response is returned to Cisco Secure ACS for Windows and authorizations are assigned.
Confirmation and associated authorizations assigned in Cisco Secure ACS for Windows for that user are sent to the network access server. Accounting information is logged.
Figure 3-7 Using Windows User Database
An added benefit of using the Windows NT or Windows 2000 user database is that the username and password that are used for authentication are the same that are used for network login. As such, you can require users to enter their username and password once, for the convenience of a simple, single login.
Token Card Support
Cisco Secure ACS for Windows supports several third-party token servers, such as RSA SecurID, Secure Computing SafeWord, Symantec (AXENT) Defender, and any hexadecimal X9.9 token card such as CRYPTOCard. As shown in Figure 3-8, for some token servers, Cisco Secure ACS for Windows acts as a client to the token server.
Figure 3-8 Token Card Support
For others, it uses the token server's RADIUS interface for authentication requests. As with the Windows NT or Windows 2000 database, after the username is located in the Cisco Secure user database, CSAuth can check the selected token server to verify the username and token-card password. The token server then provides a response, approving or denying validation. If the response is approved, CSAuth knows that authentication should be granted for the user.
Cisco Secure ACS for Windows can support token servers using the RADIUS server that is built into the token server. Rather than using the vendor's proprietary API, Cisco Secure ACS for Windows sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. The token servers that are supported through their RADIUS servers are those from ActivCard, CRYPTOCard, VASCO, PassGo Technologies, RSA Security, and Secure Computing.
Before Cisco Secure ACS 3.0.1, support for CRYPTOCard token servers used the vendor-proprietary interface provided with the CRYPTOCard token server.
Beginning with Cisco Secure ACS 3.0.1, Cisco supports CRYPTOCard token servers using a standard RADIUS interface.
Cisco Secure ACS for Windows also supports any token server that is a RADIUS server compliant with IETF RFC 2865. So, in addition to the RADIUS-enabled token server vendors that are explicitly supported, this enables you to use any token server that supports RADIUS-based authentication.
You can create multiple instances of each of these token server types in Cisco Secure ACS for Windows.
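The standard RADIUS exchange described above between the AAA server and a RADIUS-based token server, as an added Python illustration that is not code from the book, from Cisco Secure ACS or from any token server vendor. It builds the RFC 2865 Access-Request a requester sends to the token server's RADIUS authentication port, hides User-Password with the shared secret as section 5.2 of the RFC requires, models the token server's Accept or Reject decision on a one-time code, and checks the Response Authenticator on the way back. The shared secret, username and one-time code are constructed sample values.

```python
"""RFC 2865 Access-Request / Access-Accept round trip with a token server.

Added illustration, not code from the book, Cisco Secure ACS or any vendor.
Secret, user and one-time code are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-octet Authenticator follows


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password on the server side; the zero padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _encode_attrs(pairs):
    # Each attribute is Type (1 octet), Length (1 octet, includes these two), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def build_access_request(ident, user, password, secret, authenticator=None):
    """Requester side: a fresh random Request Authenticator per request."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = _encode_attrs([(ATTR_USER_NAME, user),
                           (ATTR_USER_PASSWORD, hide_password(password, secret, auth))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, {type: value}); rejects bad lengths."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than its header")
    code, ident, length = HEADER.unpack(data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    auth, attrs, pos = data[4:20], {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, auth, attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def token_server_handle(request, secret, valid_codes):
    """Model of the token server: recover the one-time code and consume it on success."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    user = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    accepted = user in valid_codes and hmac.compare_digest(otp, valid_codes[user])
    if accepted:
        del valid_codes[user]              # a one-time code is single use
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    return HEADER.pack(reply_code, ident, 20) + response_authenticator(reply_code, ident, b"", req_auth, secret)


def verify_reply(reply, request, secret):
    """Requester side: the reply must echo our Identifier and carry a Response
    Authenticator computed over our Request Authenticator with the shared secret."""
    code, ident, resp_auth, _ = parse_packet(reply)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return ident == req_ident and hmac.compare_digest(resp_auth, expected)


def authenticate_via_token_server(user, otp, secret, valid_codes, ident=1):
    """Full round trip; True only for a verified Access-Accept."""
    request = build_access_request(ident, user.encode(), otp, secret)
    reply = token_server_handle(request, secret, valid_codes)
    return verify_reply(reply, request, secret) and parse_packet(reply)[0] == ACCESS_ACCEPT
```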
Versions 3.1 and 3.2 Enhancements
Cisco is constantly upgrading and enhancing hardware and software products, and Cisco Secure ACS for Windows is no exception. You can always find the latest version information at Cisco's website. This section looks at some of the important new features that have been added to Cisco Secure ACS for Windows by versions 3.1 and 3.2.
The following are the Cisco Secure ACS for Windows version 3.1 product enhancements:
Protected Extensible Authentication Protocol (PEAP) support: Nonproprietary PEAP for wireless user authentication provides stronger security, greater extensibility, and support for one-time token authentication and password aging.
SSL support for administrative access: SSL can be used to secure administrative access to the Cisco Secure ACS for Windows HTML interface.
Change Password (CHPASS) improvements: Cisco Secure ACS for Windows allows you to control whether network administrators can change passwords during Telnet sessions that are hosted by TACACS+ AAA clients.
Improved IP pool addressing: To reduce the possibility of allocating an IP address that is already in use, Cisco Secure ACS for Windows uses the IETF RADIUS Class attribute as an additional index for user sessions.
Network device search: New search capabilities let you search for a configured network device based on the device name, IP address, type (AAA client or AAA server), and network device group.
Improved Public Key Infrastructure (PKI) support: During Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication, Cisco Secure ACS for Windows can perform binary comparison of the certificate received from an end-user client to user certificates stored in Lightweight Directory Access Protocol (LDAP) directories.
Extensible Authentication Protocol (EAP) proxy enhancements: Cisco Secure ACS for Windows supports Light Extensible Authentication Protocol (LEAP) and EAP-TLS proxy to other RADIUS or external databases using EAP over standard RADIUS.
CiscoWorks Management Center application support: Cisco Secure ACS for Windows provides a consolidated administrative TACACS+ control framework for many Cisco security management tools, such as CiscoWorks VPN/Security Management Solution (VMS) and the suite of CiscoWorks Management Centers.
The following are the Cisco Secure ACS for Windows version 3.2 product enhancements:
PEAP support for Microsoft Windows clients: Support for Microsoft PEAP supplicants that are available for Windows 98, NT, 2000, and XP was added in this update.
LDAP multithreading: To improve performance in task-intensive environments such as wireless deployments, Cisco Secure ACS for Windows Server Version 3.2 is now capable of processing multiple LDAP authentication requests in parallel.
EAP-TLS enhancements: New EAP-TLS enhancements have been brought in Cisco Secure ACS for Windows Server Version 3.2 that further extend Cisco Secure ACS PKI capabilities.
Machine authentication support: Machine authentication allows pulling down machine group policies from Windows Active Directory independently of a subsequent interactive user authentication session.
EAP mixed configurations: Cisco Secure ACS for Windows Server Version 3.2 supports the following EAP types:
Cisco EAP wireless
Flexible EAP settings allowed: One or several EAP types can be selected concurrently.
Accounting support for Aironet: Cisco Secure ACS for Windows Server Version 3.2 supports user-based accounting from Cisco Aironet wireless access.
Downloadable access control lists for VPN users: Cisco Secure ACS for Windows Server Version 3.2 extends per-user ACL support to Cisco VPN solutions.
Cisco Secure ACS for UNIX (Solaris)
Cisco Secure ACS for UNIX is used to authenticate users and determine which internal networks and services they may access. By authenticating users against a database of user and group profiles, Cisco Secure ACS for UNIX effectively secures private enterprise and service provider networks from unauthorized access.
Cisco Secure ACS for UNIX incorporates a multiuser, web-based Java configuration and management tool that simplifies server administration and enables multiple system administrators to simultaneously manage security services from multiple locations. The GUI supports Microsoft and Netscape web browsers, providing multiplatform compatibility and offering secure administration via the industry-standard SSL communication mechanism.
Token cards from CRYPTOCard, Secure Computing Corporation, and RSA Security are supported. Token cards are the strongest available method to authenticate users dialing in and to prevent unauthorized users from accessing proprietary information. Cisco Secure ACS for UNIX now supports industry-leading relational database technologies from Sybase, Inc. and Oracle Corporation. Traditional scalability, redundancy, and nondistributed architecture limitations are removed with the integration of relational database technologies, such as Sybase's SQLAnywhere. Storage and management of user and group profile information is greatly simplified.
Security is an increasingly important aspect of the growth and proliferation of LANs and WANs. You want to provide easy access to information on your network, but you also want to prevent access by unauthorized personnel. Cisco Secure ACS for UNIX is designed to help ensure the security of your network and track the activity of people who successfully connect to your network. Cisco Secure ACS for UNIX uses the TACACS+ protocol to provide this network security and tracking.
TACACS+ uses AAA to provide network access security and enable you to control access to your network from a central location. Each facet of AAA significantly contributes to the overall security of your network, as follows:
Authentication determines the identity of users and whether they should be allowed access to the network.
Authorization determines the level of network services available to authenticated users once they are connected.
Accounting keeps track of each user's network activity.
AAA within a client/server architecture (in which transaction responsibilities are divided into two parts: client [front end] and server [back end]) allows you to store all security information in a single, centralized database instead of distributing the information around the network in many different devices.
For further information on AAA, see the section titled "Introduction to AAA for Cisco Routers" in Chapter 2, "Basic Cisco Router Security."
You can use Cisco Secure ACS for UNIX to make changes to the database that administers security on your network on a few security servers instead of making changes to every NAS in your network.
Using Cisco Secure ACS for UNIX, you can expand your network to accommodate more users and provide more services without overburdening system administrators with security issues. As new users are added, system administrators can make a small number of changes in a few places and still ensure network security.
Cisco Secure ACS for UNIX can be used with the TACACS+ protocol, the RADIUS protocol, or both. Some features are common to both protocols, while other features are protocol-dependent.
Cisco Secure ACS for UNIX has the following features when used with either the TACACS+ or RADIUS protocol:
Support for use of common token card servers, including those from CRYPTOCard, Secure Computing (formerly Enigma Logic), and RSA Security
Relational database support for Oracle Enterprise, Sybase Enterprise, and Sybase SQLAnywhere (supplied with Cisco Secure ACS for UNIX)
Encrypted protocol transactions so that passwords are never subject to unauthorized monitoring
Supported on SPARC Solaris version 2.51 or greater
Support for group membership
Support for accounting
Support for S/Key authentication
Ability to specify the maximum number of sessions per user
Ability to disable an account after n failed attempts
Web-based interface for easy administration of network security
Customers can upgrade to any 2.x version of Cisco Secure ACS for UNIX from existing versions, gaining access to the many user-friendly features of the latest version of Cisco Secure ACS for UNIX.
Cisco Secure ACS for UNIX 2.3 adds the Distributed Systems Manager (DSM), which enables system administrators to
Limit the number of concurrent sessions that are available to a specific user, group, or VPDN (DSM enabled)
Set per-user session limits for individual users or groups of users (limited support without DSM enabled)