|
|
This chapter describes the differences between local and remote security databases and the basic authentication process for each. Remote security databases described in this chapter include Terminal Access Controller Access Control System (TACACS+) with Cisco proprietary enhancements and Remote Access Dial-In User Service (RADIUS).
Generally the size of the network and type of corporate security policies and control determines whether you use a local or remote security database.
 | Caution This chapter does not provide an exhaustive security overview. For example, it does not describe how to configure TACACS, Extended TACACS, Kerberos, or access lists. It presents the most commonly used security mechanisms to prevent unauthenticated and unauthorized access to network resources through Cisco access servers. For a comprehensive overview of Cisco security mechanisms, refer to the Security Configuration Guide. |
Specifically, this chapter describes the following:
This chapter assumes the following:
If you have one or two access servers providing access to your network, you probably want to store username and password security information on the Cisco access server itself. This is referred to as local authentication. A remote security server is not used. (See Figure 103.)
A local security database configured on the access server is useful if you have very few access servers providing network access. A local security database does not require a separate (and costly) security server.
As your network or demand for dial access grows, you need a centralized security database that provides username and password information to each of the access servers on the network. This centralized security database resides in a security server, which allows you to more easily manage your security solution. (See Figure 104.)
An example of a remote security database server is the CiscoSecure product from Cisco Systems, Inc. CiscoSecure is a UNIX security daemon solution, with which the administrator creates a database that defines the network users and their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.
The Cisco access server exchanges user authentication information with a TACACS+ or RADIUS database on the security server by transmitting encrypted TACACS+ or RADIUS packets across the network.
For specific information about the interaction between the security server and the access server, refer to the Security Configuration Guide.
A remote, centralized security database is useful when you have a large number of access servers providing network access. It prevents having to update each access server with new or changed authentication and authorization information for potentially hundreds of thousands of dial-in network users. A centralized security database also helps establish consistent remote access policies throughout a corporation.
For more information about security databases and how to configure authentication, refer to the chapter "Configuring Authentication" in this publication.
|
|
