Authentication Server Panel

Authentication services are used to authenticate clients and users to Policy Enforcement Points, such as routers running IOS software, PIX Firewalls, and other edge devices. This panel enables you to specify the settings for any authentication servers that reside on your networks.

From the Authentication Server panel, you can specify three types of authentication servers: Certificate Authority, TACACS+, and RADIUS. You can configure Cisco Secure Policy Manager to use these server types to authenticate clients and users that are trying to access network services through a Policy Enforcement Point residing on your network, or to authenticate the peer Policy Enforcement Points participating in an IPSec tunnel.

Learn More About Certificate Authority Servers

Unlike RADIUS and TACACS+ authentication servers, Certificate Authority servers rely on a third-party authority to establish the trust relationship between two network objects that communicate. These special Host nodes run certificate authentication/generation software, such as the Netscape Certificate Authority Server. These servers are used by organizations that want to maintain strict control of their own certification authority functions. In other words, these servers are responsible for verifying the public keys owned by users within that organization, preventing man-in-the-middle attacks that substitute a forged public-private key pair. Within the Cisco Secure Policy Manager system, these servers enable policy enforcement by assigning and authenticating the certificates used by the Policy Enforcement Points and hosts that participate in IPSec tunnels. IPSec tunnels are used to encrypt IP-based traffic that runs across untrusted and/or public network segments, such as the Internet, as well as to provide the secure download of device-specific command sets between Cisco Secure Policy Manager servers and the Policy Enforcement Points that they control.

The primary reason that you must specify these hosts in the Network Topology tree is to help Cisco Secure Policy Manager generate the commands that ensure the appropriate Policy Enforcement Points permit the required Policy Enforcement Point-to-Certificate Authority server traffic to pass. Once you associate a Policy Enforcement Point with a Certificate Authority server in the Network Topology tree, Cisco Secure Policy Manager generates the security policies that enable this traffic to flow correctly.

Task List for Authentication Server Panel

You can use the Authentication Server panel to perform the following task.

Specifying that an Authentication Server is Running on a Host Node

You can specify that a Certificate Authority, TACACS+, or RADIUS client/server product type is running on a host after you have defined the Host node. This feature helps you identify those special hosts that run authentication servers, which Cisco Secure Policy Manager uses when informing Policy Enforcement Points about the location of such services.

To specify that an authentication server resides on an existing host, perform the following task:


Step 1 Right-click the Host icon on which you want to define a new client/server product.

Step 2 To see the properties associated with the new host, click Properties on the shortcut menu.

Result: The Host panel appears in the View pane.

Step 3 To specify that an authentication server runs on this host, click Add.

Result: The Add Client/Server Product dialog box appears.


Step 4 To select the authentication server type, click that type in the Product Type box.

The list displays the supported authentication server types: Certificate Authority, TACACS+, and RADIUS.

Result: The Product Name (specify) box displays the selected product type name.

Step 5 To specify a meaningful name for this authentication server, type the name in the Product Name (specify) box.

Step 6 To add this authentication server type to the host, click OK.

Result: The Add Client/Server Product dialog box closes and a new tab appears on the Host node.

Step 7 To configure the authentication server residing on this host, click the new tab that was created for this network service.

Result: The panel associated with the new authentication server appears in the View pane.

The tab's name is the product name that you specified in Step 5.

Step 8 To specify the network service that clients should use when requesting services from this authentication server, click that service name in the Associated Network Service box.

This network service identifies the protocol and port on which the authentication server listens for requests from clients. For a Certificate Authority server, this service must be HTTP.

Step 9 To specify the IP address that clients use when requesting services from this authentication server, click that IP address in the Associated IP address box.

This IP address is assigned in the General panel of the Host node on which this authentication server resides. Because a host can have multiple IP addresses associated with it, this selection ensures that Cisco Secure Policy Manager generates the correct commands for the Policy Enforcement Points that must communicate with the authentication server.

Step 10 To accept your changes and close the selected panel, click OK.

Step 11 To save any changes that you have made, click Save on the File menu.
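As an added example that is not code from this documentation or from Cisco Secure Policy Manager, the following Python model ties Steps 4 to 9 to the reason given above for defining these hosts in the topology: the network service and IP address you select determine the single address and port that a Policy Enforcement Point must be permitted to reach, and a Certificate Authority product is rejected unless its service is HTTP. The service ports, the host and Policy Enforcement Point addresses, and the IOS-style access-list syntax of the generated rule are assumptions chosen for illustration; the page does not show the commands the product actually generates.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List


@dataclass(frozen=True)
class NetworkService:
    """A network service is the protocol and port an authentication server listens on."""
    name: str
    protocol: str  # "tcp" or "udp"
    port: int


# Constructed sample services; the ports are the standard ones for each protocol.
HTTP = NetworkService("HTTP", "tcp", 80)
RADIUS_AUTH = NetworkService("RADIUS", "udp", 1812)
TACACS_PLUS = NetworkService("TACACS+", "tcp", 49)

# The three product types the Authentication Server panel supports.
SUPPORTED_TYPES = ("Certificate Authority", "TACACS+", "RADIUS")


@dataclass
class AuthServerProduct:
    """One client/server product added to a Host node (Steps 4 to 9)."""
    product_type: str
    product_name: str
    associated_service: NetworkService
    associated_ip: IPv4Address


@dataclass
class HostNode:
    """A Host node; its IP addresses come from the General panel."""
    name: str
    ip_addresses: List[IPv4Address]
    products: List[AuthServerProduct] = field(default_factory=list)

    def validate_product(self, product_type: str, service: NetworkService, ip: str) -> str:
        """Return '' if the product can be added, otherwise the reason it is rejected."""
        if product_type not in SUPPORTED_TYPES:                          # Step 4
            return f"unsupported product type: {product_type}"
        if product_type == "Certificate Authority" and service != HTTP:  # Step 8
            return "a Certificate Authority server must use the HTTP service"
        if IPv4Address(ip) not in self.ip_addresses:                     # Step 9
            return f"{ip} is not an address of host {self.name}"
        return ""

    def add_product(self, product_type: str, product_name: str,
                    service: NetworkService, ip: str) -> AuthServerProduct:
        reason = self.validate_product(product_type, service, ip)
        if reason:
            raise ValueError(reason)
        product = AuthServerProduct(product_type, product_name, service, IPv4Address(ip))
        self.products.append(product)
        return product


def permit_rule(pep_ip: str, product: AuthServerProduct) -> str:
    """Permit rule a Policy Enforcement Point needs for traffic to this server.

    The IOS-style extended access-list format is a hypothetical choice for
    illustration. Only the selected address and port are opened, so the host's
    other addresses and the server's other ports stay closed.
    """
    svc = product.associated_service
    return (f"access-list 101 permit {svc.protocol} host {pep_ip} "
            f"host {product.associated_ip} eq {svc.port}")


def pep_rules_for_host(pep_ip: str, host: HostNode) -> List[str]:
    """One permit rule per authentication server product defined on the host."""
    return [permit_rule(pep_ip, p) for p in host.products]


def build_sample_topology() -> HostNode:
    """Constructed sample: a dual-homed host running a Certificate Authority server."""
    host = HostNode("ca-host", [IPv4Address("10.1.1.10"), IPv4Address("10.1.2.10")])
    host.add_product("Certificate Authority", "Corp-CA", HTTP, "10.1.1.10")
    return host


if __name__ == "__main__":
    # 192.0.2.1 is a constructed address for the Policy Enforcement Point.
    for line in pep_rules_for_host("192.0.2.1", build_sample_topology()):
        print(line)
```

Because the host has two addresses but the product is associated with only one, the generated rule opens only that address on port 80; selecting the wrong address in Step 9 would leave the Policy Enforcement Point unable to reach the server rather than silently permitting more than needed.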

Posted: Tue May 30 08:32:37 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.