
Chapter 9. Cisco Secure ACS Software and Appliance

As discussed in the previous chapter, with networks growing beyond the campus, network security increases in importance and administrative complexity. Identity security and access management are essential for networks and network resources to safeguard them from unauthorized access.

Cisco Secure Access Control Server (ACS) provides a centralized access management solution for managing enterprise-wide network users and network infrastructure resources with policy-based enforcement. ACS provides a comprehensive identity-based network access control solution for intelligent information networks.

Cisco Secure ACS Software for Windows

Cisco Secure ACS software for Windows provides a scalable, centralized identity-based access control solution. ACS provides the structure to enforce user-based policies and allows granular control of user access to network and network resources.

ACS software supplies the following provisions:

Cisco Secure ACS is one of the key components in the integration of the Cisco trust and identity security solutions. It provides the structure for access control security by provisioning the authentication, authorization, and accounting (AAA) architecture and policy control from a centralized identity networking framework, thereby allowing greater scalability and flexibility, increased security, and user productivity gains.

ACS support spans all major Cisco devices and other network access servers (NAS), also referred to as AAA clients, including

Figure 9-1 depicts the AAA client-server model. Note that the diagram shows the external database as optional. ACS supports local user databases and external databases, which will be discussed further in this chapter.

Figure 9-1. AAA Client-Server Model Using ACS


AAA Server: Cisco Secure ACS

The AAA framework implementation consists of two parts: the client side and the server side. As shown in Figure 9-1, Cisco Secure ACS serves as the AAA server side, providing authentication, authorization, and accounting services to the network devices on the AAA client side. The AAA client is also referred to as the network access server (NAS) or network access device (NAD). The NAS/NAD can be any Cisco device, such as a router, switch, firewall, concentrator, or access point, or any non-Cisco device. The AAA client serves as the gateway and forwards all access requests to the AAA server on behalf of the end user. The AAA server verifies the credentials against its internal local database or an optionally configured external database, and responds to the NAS with an access-accept or an access-reject message together with a set of authorization attributes. Refer back to Figure 9-1 to see the basic flow.

ACS operates as a set of Windows services and runs on Microsoft Windows 2000 Server and Windows Server 2003. It can be installed on a domain controller or on a member server.

For further details, refer to the ACS installation and user guide:

Protocol Compliance

ACS supports both RADIUS and TACACS+ AAA security protocols.

ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.78 and listens on TCP port 49.

ACS conforms to the RADIUS protocol as defined in the following RFCs:

The RADIUS ports used for AAA have changed between RFC revisions, so ACS supports both the older and the newer RFC-defined ports. For authentication and authorization, ACS accepts requests on UDP port 1645 and UDP port 1812; for accounting, it accepts requests on UDP port 1646 and UDP port 1813.
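The exchange from Figure 9-1, carried over RADIUS as described in this section, as an added example that is not code from the book or from ACS: the AAA client builds an Access-Request with the PAP User-Password hidden under the shared secret (RFC 2865 section 5.2), the server checks a local user table and signs its Access-Accept or Access-Reject with the Response Authenticator, and the client discards any reply whose authenticator does not verify. The shared secret, user table, and fixed Request Authenticator in the test are constructed; a real client would send the request over UDP to port 1812 or 1645.

```python
# Added example (not the book's code): RFC 2865 Access-Request/Accept exchange.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 5.2: b1 = MD5(S + RA), c1 = p1 ^ b1, b2 = MD5(S + c1), ...
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else chunk)  # always chain on ciphertext
    return out

def hide_password(password, secret, ra):
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, ra, True)
def reveal_password(hidden, secret, ra):
    return _xor_chain(hidden, secret, ra, False).rstrip(b"\x00")

def parse_attributes(payload):
    attrs, i = {}, 0
    while i < len(payload):                  # each attribute is Type, Length, Value
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs

def build_access_request(ident, secret, user, password, ra=None):
    # AAA client side; the Request Authenticator must be fresh and random per request
    ra = ra or os.urandom(16)
    attrs = b""
    for t, v in ((USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))):
        attrs += struct.pack("!BB", t, 2 + len(v)) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def build_response(request, secret, users):
    # AAA server side: check the (constructed) local user database, then sign the
    # reply with MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    _, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], parse_attributes(request[20:length])
    ok = users.get(attrs.get(USER_NAME)) == reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + ra + secret).digest()

def check_response(response, request, secret):
    # AAA client side: a reply whose Response Authenticator fails is discarded (None)
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

Note that the User-Password hiding is reversible by anyone holding the shared secret, which is why the secret and the NAS-to-ACS path both need protecting.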

In addition to the AAA protocol support, ACS extends support to the following common password protocols for end-user authentication (see Figure 9-1):

Which of these password protocols can actually be used depends on the external database that ACS authenticates against. Table 9-1 lists the protocol-database compatibility for each supported database.

Table 9-1. Protocol-Database Compatibility

Database                  ASCII  PAP  CHAP  ARAP  MS-CHAP v1  MS-CHAP v2  LEAP  EAP-MD5  EAP-TLS  PEAP (EAP-GTC)
Cisco Secure ACS          Yes    Yes  Yes   Yes   Yes         Yes         Yes   Yes      Yes      No
Windows SAM               Yes    Yes  No    No    Yes         Yes         Yes   No       No       Yes
Windows AD                Yes    Yes  No    No    Yes         Yes         Yes   No       Yes      Yes
LDAP                      Yes    Yes  No    No    No          No          No    No       Yes      Yes
Novell NDS                Yes    Yes  No    No    No          No          No    No       No       Yes
ODBC                      Yes    Yes  Yes   Yes   Yes         Yes         Yes   Yes      No       Yes
LEAP Proxy RADIUS Server  Yes    Yes  No    No    Yes         Yes         Yes   No       No       No
RSA                       Yes    Yes  No    No    No          No          No    No       No       Yes
ActivCard                 Yes    Yes  No    No    No          No          No    No       No       Yes
CRYPTOCard                Yes    Yes  No    No    No          No          No    No       No       Yes
PassGo                    Yes    Yes  No    No    No          No          No    No       No       Yes
Safeword                  Yes    Yes  No    No    No          No          No    No       No       Yes
Vasco                     Yes    Yes  No    No    No          No          No    No       No       Yes
RADIUS Token Server       Yes    Yes  No    No    No          No          No    No       No       Yes

