Overview of CiscoSecure ACS 2.4 for Windows NT Server

CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS) network security software helps you authenticate users by controlling dial-in access to a network access server (NAS) device---an access server, Cisco PIX firewall, or router.


Note Unless specifically stated otherwise, all references in this user guide to NAS apply to any access device.

CiscoSecure ACS operates as a Windows NT service and controls the authentication, authorization, and accounting (AAA, pronounced "triple A") of users accessing networks. CiscoSecure ACS operates with Windows NT server version 4.0.

CiscoSecure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With CiscoSecure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of CiscoSecure ACS with the Windows NT operating system enables companies to leverage the working knowledge and the investment already made into building a Windows NT network.

CiscoSecure ACS supports Cisco NASes such as the Cisco 2509, 2511, 3620, 3640, AS5200, AS5300, and AS5800, the Cisco PIX firewall, and any third-party device that can be configured with the Terminal Access Controller Access Control System (TACACS+) and/or the Remote Authentication Dial-In User Service (RADIUS) protocol. CiscoSecure ACS uses the TACACS+ and/or RADIUS protocols to provide AAA services to ensure a secure environment.

CiscoSecure ACS can authenticate users against any of the following user databases:

The NAS directs all dial-in user access requests to CiscoSecure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to CiscoSecure ACS, which verifies the username and password. CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, CiscoSecure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.

Specifications

CiscoSecure ACS conforms to the following specifications:

CiscoSecure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. See your Cisco IOS software documentation or Cisco Connection Online (http://www.cisco.com) for more information.
CiscoSecure ACS software conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs):

System Requirements

Your Windows NT server must meet the following minimum requirements.

Hardware Requirements

Your Windows NT server must meet the following minimum hardware requirements:

Software Requirements

Your Windows NT server must meet the following minimum software requirements:

Upgrading from Previous Versions of CiscoSecure ACS

CiscoSecure ACS can be installed as a new installation or as an upgrade from any previous version of CiscoSecure ACS.

Caution If you are upgrading, be sure to back up your CiscoSecure ACS system files and database and your Windows Registry. For information on backing up, see "Database Information Management."

For more detailed information on installation, see the quick reference cards.

ODBC Message During Upgrade Installation

If a message stating that "The ODBC resource DLL (filename) is a different version than the ODBC (file type and name)" appears during installation, follow these steps:

Step 1 Exit the installation program.

Step 2 Run the ODBCDMIN.EXE file, which is located in the SUPPORT\ODBC directory on the CiscoSecure ACS CD-ROM. Running ODBCDMIN.EXE installs the ODBC 3.0 components.

Step 3 When you have finished installing these ODBC components, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.

Installation Terminates Abnormally

If you get an error message during installation indicating that installation has failed, follow these steps:

Step 1 Click Start/Settings/Control Panel/Add/Remove Programs.

Step 2 Select CiscoSecure ACS 2.4 for Windows NT.

Step 3 Click Uninstall.

Step 4 When you have finished uninstalling, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.

If Uninstall terminates abnormally or if installation still fails, follow these steps:

Step 1 Go to the SUPPORT\CLEAN directory and click CLEAN.EXE. This uninstalls CiscoSecure ACS completely and cleans up certain statements from the Windows NT Registry that prevent installation of CiscoSecure ACS.

Step 2 When you have finished running CLEAN.EXE, reboot the system and run SETUP.EXE from the root directory of the CD-ROM to restart installation of CiscoSecure ACS.

New Features in Release 2.4

CiscoSecure ACS Release 2.4 adds the following new features and capabilities:

Other CiscoSecure ACS Features

Features included in this and previous versions of CiscoSecure ACS include:

CiscoSecure ACS Concepts and Functions

This section describes some of the different components that work together with CiscoSecure ACS to provide network security.

CiscoSecure ACS and the Access Device

The NAS is configured to direct all user access requests to CiscoSecure ACS for authentication and authorization of privileges. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to CiscoSecure ACS, which verifies the username and password against the selected user database. CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access.

When the user has successfully authenticated, a set of session attributes can be sent to the NAS to provide additional security and control of privileges. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet).

TACACS+ and RADIUS

CiscoSecure ACS can use both the TACACS+ and RADIUS security protocols. Table 1-1 compares them.

Table 1-1: TACACS+ and RADIUS Protocol Comparison

Transport
    TACACS+: TCP, a connection-oriented transport layer protocol with reliable, full-duplex data transmission
    RADIUS: UDP, a connectionless transport layer protocol that exchanges datagrams without acknowledgments or guaranteed delivery

Encryption
    TACACS+: Full packet encryption
    RADIUS: Encrypts only passwords of up to 16 bytes

AAA architecture
    TACACS+: Independent AAA architecture
    RADIUS: Authentication and authorization combined

Router management
    TACACS+: Useful for router management
    RADIUS: Not useful for router management

Authentication

Authentication determines a user's identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use OTPs such as CHAP and token cards. CiscoSecure ACS provides support for these authentication methods.

There is a fundamental relationship between authentication and authorization. The more authorization privileges a user receives, the stronger the authentication should be. CiscoSecure ACS offers this capability by providing various methods of authentication.

Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate between the NAS and the access control server. Clear-text passwords can be captured between a client host dialing up over a phone line or an ISDN line terminating at a NAS.
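The encryption row of Table 1-1 and the point above (TACACS+ and RADIUS protect credentials only on the NAS-to-server leg) are made concrete by this added example, which is not Cisco's code: it implements RADIUS User-Password hiding as specified in RFC 2865 and TACACS+ body obfuscation as specified in the TACACS+ draft (later published as RFC 8907). The shared secrets, usernames, session ID and packet bodies are constructed sample values.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a 16-byte multiple, then XOR each block
    with MD5(secret || previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ h for p, h in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden, prev = hidden + block, block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: what the AAA server does on receipt."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ h for c, h in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return clear.rstrip(b"\x00")


def radius_access_request(ident: int, authenticator: bytes, username: bytes,
                          password: bytes, secret: bytes) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2).
    Only the password attribute is hidden; the username and everything else travel in the clear."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def tacacs_body_xor(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """TACACS+ body obfuscation: the whole packet body is XORed with a pseudo-random pad of
    chained MD5 digests over session_id, key, version and seq_no. XOR is its own inverse,
    so the same call both obfuscates on send and de-obfuscates on receipt."""
    pad, prev = b"", b""
    header_fields = struct.pack("!I", session_id)
    while len(pad) < len(body):
        prev = hashlib.md5(header_fields + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))
```

A packet capture on the NAS-to-server link therefore still shows the RADIUS username (and every other attribute) in plaintext, while a TACACS+ body is unreadable without the shared key; the strength of that key is what the protection rests on.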

Service providers who offer increased levels of security services, and corporations who want to lessen the chance of intruder access resulting from password capturing, can use an OTP. CiscoSecure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node logon. Token cards are considered one of the strongest OTP authentication mechanisms.

The CRYPTOCard token-card server software is included with CiscoSecure ACS. All you need is the CRYPTOCard token card. CiscoSecure ACS also supports the following token-card servers for authentication:

To use SDI's ACE server, you must install the ACE clients and configure them in CiscoSecure ACS to call the server when a user attempts to authenticate with an ACE token card.


Note If you are using the Security Dynamics, Inc. (SDI) token server authentication, Cisco recommends using ACE/Client version 4.2 and ACE/Server version 3.3.

To use the AXENT token-card server, configure CiscoSecure ACS with the AXENT server's address and shared secret.

Passwords

CiscoSecure ACS supports all leading authentication protocols:

Passwords can be processed using these protocols based on the version and type of security control protocol used and the configuration of the NAS and client. The following sections outline the different conditions and functions of password handling.

CiscoSecure ACS acts as a client to the token-card server. The communication link between CiscoSecure ACS and the token-card server must be secure. This is done by either configuring a shared secret password between the two servers and defining the IP address or by installing a file created by the token-card server containing the same information into CiscoSecure ACS.

Directory Services (DS) (LDAP)

CiscoSecure ACS supports authentication of users against records kept in a Directory Server through the Lightweight Directory Access Protocol (LDAP). CiscoSecure interacts with the most popular directory servers, including Novell and Netscape. PAP passwords can be used when authenticating against the Directory Server. CiscoSecure ACS logs these transactions and displays their results in the Reports & Activity section of the CiscoSecure ACS HTML interface.

You can use the Secure Sockets Layer (SSL) protocol to create a secure tunnel from the ACS to the Directory Server for transporting AAA traffic. For more information, see the "Protecting Your Web Server (Optional)" section on the Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords quick reference card.

MCIS LDAP

CiscoSecure ACS supports the Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP). MCIS is Microsoft's product suite of commercial-grade server components designed for Internet service providers (ISPs) and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT Server and Microsoft Internet Information Server (IIS). For more information on MCIS, see your Microsoft documentation.

ODBC

CiscoSecure ACS supports authentication via an Open DataBase Connectivity (ODBC)-compliant SQL database. ODBC is a standardized API that was first developed by Microsoft and is now used by most major database vendors. ODBC now follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. For more information on ODBC, see your ODBC and database vendor documentation.

Basic Password Configurations

There are six basic password configurations:


Note These configurations are all classed as Inbound authentication.

Advanced Password Configurations

In addition to the basic password configurations listed above, CiscoSecure ACS also provides for:

The TACACS+ SENDAUTH feature enables a NAS to authenticate itself to another NAS/client via an outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the CiscoSecure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, Cisco recommends that the separate SENDAUTH password be configured for the user so that CiscoSecure ACS inbound passwords are never compromised.

If you want to use outbound passwords and maintain the highest level of security, Cisco recommends that you configure CiscoSecure ACS with a separate outbound password that is different from the inbound password.

Password Aging

The password aging feature of CiscoSecure ACS lets you force users to change their passwords under any of the following conditions:


Note CiscoSecure ACS password aging is not affiliated with Windows NT password aging.

Password aging requires the following conditions:

Password aging parameters are configured in the Group Setup window. For more information on the password aging feature, see the "Password Aging Rules" section.

User-Changeable Passwords

With CiscoSecure ACS, you can install a separate program that lets users change their passwords using a web-based utility. For more information, see the Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords quick reference card.

CiscoSecure Authentication Agent

To use the user-changeable password feature of CiscoSecure ACS, make sure you have installed the latest version of the CAA software. See your CAA documentation for more information.

PAP, CHAP, and ARAP Support

Different levels of security can be used with CiscoSecure ACS for different requirements. The basic user-to-network security level is PAP. Although it does not represent the highest form of encrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT database. With this configuration, users need to log in only a single time. CHAP allows a higher level of security for encrypting passwords when communicating from a client to the NAS. You can use CHAP with the CiscoSecure ACS user database. ARAP support is included to support Apple clients.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.

MS-CHAP

CiscoSecure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. The differences between MS-CHAP and standard CHAP are:

For more information on MS-CHAP, see RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.

Authorization

Authorization determines what a user is allowed to do. CiscoSecure ACS can send user profile policies to a NAS to determine the network services the user can access or the level of service to which the user is subscribed. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The CiscoSecure ACS access restrictions feature lets you permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 am to 5 pm.

You can also restrict use by way of the Max Sessions feature, allowing a maximum number of concurrent sessions per user or group.

You can restrict users to a service or combination of services such as Point-to-Point Protocol (PPP), AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). CiscoSecure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the Home Gateway for that user) or for the Home Gateway router to validate the user at the customer premises. In either case, CiscoSecure ACS can be used for each end of the VPDN.

Accounting

Accounting is the action of recording what a user is doing or has done. CiscoSecure ACS writes accounting records to a CSV log file or ODBC database daily. You can easily import this log file into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are:

Max Sessions

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:

In addition to simple User and Group Max Sessions control, CiscoSecure ACS lets the administrator specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group "Sales" and also limit each member of the "Sales" group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.
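The access restrictions (time-of-day and day-of-week) from the Authorization section and the Max Sessions rules described above, modelled as an added example that is not CiscoSecure ACS code: it shows the order in which an AAA server would check a new session against a group window, a group-based User Max Sessions limit, and a Group Max Sessions limit. The "Sales" 50/5 figures and the Monday-to-Friday, 9 am to 5 pm consultant window come from the text; the group name "Consultants", its limits, and all usernames are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class GroupPolicy:
    """Group-level settings mirroring the access restrictions and Max Sessions features."""
    name: str
    allowed_days: frozenset   # datetime.weekday() values: 0 = Monday ... 6 = Sunday
    start_hour: int           # first permitted hour (inclusive)
    end_hour: int             # first hour after the window (exclusive)
    group_max_sessions: int   # Group Max Sessions
    user_max_sessions: int    # group-based User Max Sessions (limit for each member)


class SessionAuthorizer:
    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.group_of = {}    # username -> group name
        self.active = {}      # username -> number of concurrent sessions

    def add_user(self, username, group):
        self.group_of[username] = group
        self.active.setdefault(username, 0)

    def group_sessions(self, group):
        return sum(n for user, n in self.active.items() if self.group_of[user] == group)

    def authorize(self, username, when):
        """Return (permitted, reason); on success the session is counted as active."""
        policy = self.policies[self.group_of[username]]
        in_window = (when.weekday() in policy.allowed_days
                     and policy.start_hour <= when.hour < policy.end_hour)
        if not in_window:
            return False, "denied: outside permitted days/hours"
        if self.active[username] >= policy.user_max_sessions:
            return False, "denied: User Max Sessions reached"
        if self.group_sessions(policy.name) >= policy.group_max_sessions:
            return False, "denied: Group Max Sessions reached"
        self.active[username] += 1
        return True, "permitted"

    def end_session(self, username):
        """Accounting stop record: release one of the user's sessions."""
        self.active[username] = max(0, self.active[username] - 1)
```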

Network Device Groups

Network Device Grouping (NDG) is an advanced feature that allows you to view and administer a collection of network devices as a single logical group. To simplify administration, each group can be assigned a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within CiscoSecure ACS---single discrete devices such as an individual router, NAS, or PIX firewall, and an NDG; that is, a collection of routers or AAA servers.

A device can belong to only one NDG at a time.

Using NDGs allows an organization with a large number of routers spread across a large geographical area to logically organize their environment within CiscoSecure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's NASes were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.

Beginning with release 2.4 of CiscoSecure ACS, you can assign a group of users to an NDG. For more information on NDGs, see the "Network Device Groups" section.


Posted: Fri Sep 24 10:57:48 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.