Features and Architecture of Cisco Secure ACS for Windows

The latest Windows version is Cisco Secure ACS version 3.0 for Windows 2000 and NT, supporting both RADIUS and TACACS+ server systems. New features included in Cisco Secure ACS version 3.0 allow network administrators to scale and deploy secure network services with centralized control, access management, and accounting within the Cisco Secure ACS framework. Using Cisco Secure ACS, network administrators can control

  • Which users can access the network from either wired or wireless connections

  • What privileges each user will have while in the network

  • What accounting information is kept for capacity planning, account billing, or security audits

  • What access and command controls are enabled for each configuration administrator

Features and Benefits

Specific features included in Cisco Secure ACS version 3.0 are the following.

IEEE 802.1x—Access Control for Switched LAN Users

The IEEE 802.1x standard brings new security services to the local area network (LAN) by letting network administrators control which users can access their switched LAN environment. The 802.1x standard manages port-level access control by using the Cisco Secure ACS Extensible Authentication Protocol (EAP), which is carried on RADIUS.

EAP Message Digest 5 (EAP-MD5) and EAP Transport LAN Services (EAP-TLS)

EAP is an IETF RFC standard for various authentication methods carried over any Point-to-Point Protocol (PPP) connection. EAP-MD5 is a user name/password method incorporating MD5 hashing for security. EAP-TLS uses X.509 digital certificate technology to provide both Cisco Secure ACS server and client authentication. EAP-TLS also supports dynamic session key negotiation.
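To make the contrast between the two methods concrete, the following added example (not from the original text or from Cisco) computes and verifies the EAP-MD5 value as RFC 3748 defines it: MD5 over the identifier, the password, and the challenge. The function names are hypothetical and the passwords and challenges are constructed sample values.

```python
import hashlib
import hmac
import os

def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier || password || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_verify(identifier: int, stored_password: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Recompute the value from the stored password; compare in constant time."""
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)

def run_exchange(stored_password: bytes, typed_password: bytes) -> bool:
    """One round: server issues a fresh challenge, client answers, server checks."""
    identifier = os.urandom(1)[0]
    challenge = os.urandom(16)
    response = md5_challenge_response(identifier, typed_password, challenge)
    return server_verify(identifier, stored_password, challenge, response)

def replay_is_rejected(password: bytes) -> bool:
    """A response captured for one challenge must not verify against the next."""
    first, second = b"\x01" * 16, b"\x02" * 16   # constructed challenges
    captured = md5_challenge_response(1, password, first)
    return not server_verify(2, password, second, captured)

if __name__ == "__main__":
    print(run_exchange(b"constructed-pw", b"constructed-pw"))
    print(run_exchange(b"constructed-pw", b"wrong-guess"))
    print(replay_is_rejected(b"constructed-pw"))
```

The server has to recompute the hash from the password itself, and nothing in the exchange authenticates the server or yields key material. Those are the two things EAP-TLS adds with certificates and session key negotiation.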

Microsoft Challenge Authentication Protocol (MSCHAP) Support

Cisco Secure ACS now supports MSCHAP version 2.0 exchanges and MSCHAP password change service for Microsoft Dial-Up Networking clients, Cisco VPN clients, and any other desktop client supporting MSCHAP version 2.0 password change service. A user whose password has expired now is automatically prompted to change their password after their next login.

Multiple LDAP Support

Cisco Secure ACS supports user authentication against records kept in a directory server, including Novell and Netscape directories, through a generic LDAP interface. New in Cisco Secure ACS version 3.0 is the capability to define multiple, different LDAP sources for user lookups. This lets you define a different LDAP repository to search for users. Another new feature is the capability to define secondary, backup LDAP servers for times when a primary LDAP server is unavailable.

Device Command Sets (DCS)

Device Command Sets (DCS) is a new TACACS+ administration tool that uses a central Cisco Secure ACS graphical user interface (GUI) mechanism to control the authorization of each command on each device via per-user, per-group, or per-network device group mapping. DCS provides a method to group and name command profiles, which can then be paired with users, groups of users, or device groups. The new features and tools provide greater granularity, scalability, and manageability in setting authorization restrictions for network administrators.

Per-User Access Control Lists (ACL)

Per-user Access Control Lists (ACL) is a Cisco PIX Firewall Solution service that allows administrators to define access control lists (ACL) of any length, for users or groups of users using the Cisco Secure ACS GUI.

New NAS Wildcard, Multi-NAS, and Named Access Filters Features

NAS wildcard support for device, device group entry, and NAS filtering enables easier device entry and management in the Cisco Secure ACS system.

Multi-NAS allows the administrator to create shared NAS profile templates that define a group of network devices with the same attributes: shared key, authentication method, or login/accounting parameters. Multi-NAS also enables administrators to provide multiple IP addresses or ranges of IP addresses.

Named access filters simplify and facilitate assigning the same access filter to multiple devices or device groups.

User-Extensible Vendor-Specific Attributes (VSAs)

The Cisco Secure ACS now supports user-defined outbound Vendor-Specific Attributes (VSAs) using the web GUI, including support for Broadband Service Manager (BBSM) implementations.

Cisco Secure ACS Benefits

Cisco Secure ACS is a powerful access control system with many high-performance, flexibility, and scalability features for the growing WAN or LAN. Some of the benefits of version 3.0 for Windows include the following.

Ease of use

A web-based user interface simplifies and distributes configuration for user profiles, group profiles, and ACS configuration.

Product flexibility

AAA support is integrated in the Cisco IOS Software, allowing Cisco Secure ACS to be implemented across virtually any Cisco NAS.


Built to support large networks with support for redundant servers, remote databases, and backup user database services.


LDAP authentication forwarding supports user authentication using profiles stored in directories or databases from leading vendors, such as Microsoft, Netscape, and Novell.


The capability to assign different access levels to each Cisco Secure administrator, plus the option to group network devices, facilitates easier control, flexibility, and granularity in defining, changing, and enforcing security policy administration.


Shares Windows user name/password management by using Windows 2000 Active Directory and NT database support, as well as using the Windows Performance Monitor for real-time statistics viewing.

Protocol flexibility

Simultaneous TACACS+ and RADIUS support allows flexible implementation of VPN or dial support at both ends of Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP) tunnels.

Token server support

Token server support for RSA SecurID, Passgo, Secure Computing, ActiveCard, Vasco, and CryptoCard.


Supports dynamic quotas for time-of-day, network usage, number of logged sessions, and day-of-week access restrictions.

Cisco Secure ACS for Windows Internal Architecture

Cisco Secure ACS for Windows NT/2000 version 3.0 servers is designed to be modular and flexible to scale from simple to complex networks. Cisco Secure ACS includes the following service modules:


CSAdmin

CSAdmin is the service for the Cisco Secure ACS internal web server that eliminates the need for a third-party web server. Once installed, Cisco Secure ACS must be configured from its HTML interface, which requires that CSAdmin be running. CSAdmin is a multithreaded application allowing multiple administrators to access it at the same time. CSAdmin is best for distributed, multiprocessor, and clustered environments.

While starting and stopping the other services from within the Cisco Secure ACS HTML interface is possible, this doesn’t include starting or stopping CSAdmin. If CSAdmin stops abnormally through an external action, Cisco Secure ACS is only accessible from the Windows NT/2000 server on which it’s running. CSAdmin can be started or stopped from the Windows NT/2000 Service menu.


CSAuth

CSAuth is the authentication and authorization service used to permit or deny access to users. CSAuth is the database manager that determines whether access should be granted and defines the privileges for a particular user. Cisco Secure ACS can access several different databases for authentication purposes. When a request for authentication arrives, Cisco Secure ACS checks the database configured for that user. If the user is unknown, Cisco Secure ACS checks the database(s) configured for unknown users. The database options include the following:

  • Cisco Secure ACS user database: The fastest option involves locating the user name and checking the password against the internal Cisco Secure ACS user database, as depicted in Figure 4-2. This avoids any delay while Cisco Secure ACS waits for a response from an external user database.

    Figure 4-2: Cisco Secure ACS using its own database to authenticate users

  • Windows NT/2000 user database: CSAuth passes the user name and password to Windows NT/2000 for authentication using its user database. Windows NT/2000 then provides a response approving or denying validation. Figure 4-3 represents Cisco Secure ACS using the network OS security database to authenticate users.

    Figure 4-3: Cisco Secure ACS using Windows security database for authentication

  • Novell NDS option: Uses the Novell NDS service to authenticate users. Cisco Secure ACS supports one tree, but the tree can have multiple Containers and Contexts. The Novell requester must be installed on the same Windows server as Cisco Secure ACS.

  • ODBC: Open Database Connectivity (ODBC)–compliant SQL databases use the ODBC standardized API developed by Microsoft and are now used by most major database vendors. A benefit of ODBC in a web-based environment is easy access to data storage programs, such as Microsoft Access and SQL Server.

  • UNIX passwords: Cisco Secure ACS includes a password import utility to import passwords from a UNIX database.

  • Generic LDAP: Cisco Secure ACS supports authentication of users against records kept in a directory server through LDAP. Both PAP and CHAP passwords can be used when authenticating against the LDAP database.

  • Token Card servers: Cisco Secure ACS supports token servers, such as RSA SecurID, and SafeWord AXENT, and any hexadecimal X.909 Token Card, such as CRYPTOCard. Cisco Secure ACS either acts as a client to the token server or, in other cases, uses the token server’s RADIUS interface for authentication requests. Figure 4-4 shows the Token Card server interacting with Cisco Secure ACS.

    Figure 4-4: Remote user authentication using Token Card

When the user authenticates using one of the defined methods, Cisco Secure ACS obtains a set of authorizations from the user profile and any groups the user belongs to. This information is stored with the user name in the Cisco Secure ACS user database. Some authorizations are the services the user is entitled to, such as IP over PPP, IP pools from which to draw an IP address, access lists, and password aging information. The authorizations, with the authentication approval, are then passed to the CSTacacs or CSRadius modules to be sent to the requesting device.
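The lookup order and authorization merge described for CSAuth can be modelled as follows. This is an added illustration, not Cisco code: every name in it is hypothetical, the user data is constructed, and both the precedence of the user profile over group settings and the absence of fall-through for known users are assumptions drawn from the description above.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class UserRecord:
    database: str                                   # database configured for this user
    groups: list = field(default_factory=list)
    profile: dict = field(default_factory=dict)     # per-user authorizations

def password_backend(table):
    """Build a constructed stand-in for one user database (name -> password)."""
    def check(user, password):
        stored = table.get(user)
        return stored is not None and hmac.compare_digest(stored, password)
    return check

def authenticate(user, password, users, backends, unknown_order, group_authz):
    """Return (database, authorizations) on success, None on denial."""
    record = users.get(user)
    if record is not None:
        # Known user: only the database configured for that user is consulted.
        if not backends[record.database](user, password):
            return None
        merged = {}
        for group in record.groups:                 # group settings first,
            merged.update(group_authz.get(group, {}))
        merged.update(record.profile)               # user profile wins (assumption)
        return record.database, merged
    # Unknown user: try each database configured for unknown users, in order.
    for name in unknown_order:
        if backends[name](user, password):
            return name, {}   # the page does not say how such users get a profile
    return None

# Constructed sample data.
BACKENDS = {
    "acs": password_backend({"alice": b"s3cret"}),
    "windows": password_backend({"bob": b"hunter2", "alice": b"other"}),
}
USERS = {"alice": UserRecord("acs", ["netops"], {"acl": "101"})}
GROUPS = {"netops": {"service": "ppp ip", "acl": "100"}}
UNKNOWN_ORDER = ["windows"]
```

In this model a known user who fails against the configured database is denied even if another database would accept the same credentials, so the unknown-user list cannot become a second chance for accounts that already exist.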


CSDBSync

CSDBSync is an alternative to using the ODBC dynamic link library (DLL) to synchronize the Cisco Secure ACS database with third-party RDBMS systems. Since version 2.4, CSDBSync synchronizes AAA client, AAA server, network device groups (NDGs), and proxy table information.


CSLog

CSLog is the service that captures and places logging information. CSLog gathers data from the TACACS+ or RADIUS packet and CSAuth, and formats the data into the comma-separated value (CSV) files that can be imported into spreadsheets supporting the format.


CSMon

CSMon minimizes downtime in a remote access network environment. CSMon works for both TACACS+ and RADIUS by automatically detecting which protocols are in use. CSMon performs four basic activities:

  • Monitoring: Monitors the overall status of Cisco Secure ACS and the host system it’s running on. It uses the Windows Event Log and Performance Monitor to monitor overall system health, including disk, CPU, and memory utilization.

  • Recording: Records and reports all exceptions to a special log file that can be used to diagnose problems.

  • Notification: Alerts the administrator to potential problems and real events regarding Cisco Secure ACS, and records all such problems. The default notification method is Simple Mail Transfer Protocol (SMTP) e-mail, but scripts can be written to enable other methods, such as pager notification.

  • Response: Can be configured to attempt to fix detected problems automatically and intelligently, such as running scripts to restart stopped services.

CSTacacs and CSRadius

The CSTacacs and CSRadius services communicate between the CSAuth module and the access device requesting authentication and authorization services. CSTacacs is used to communicate with TACACS+ devices, and CSRadius is used to communicate with RADIUS devices. Both services can run at the same time. CSTacacs and CSRadius services must be configured from CSAdmin.

Each module can be started and stopped individually from within the Microsoft Service Control Panel; or, with the exception of CSAdmin, each can be stopped from within the Cisco Secure ACS HTML interface.

System Performance

Cisco Secure ACS’s performance capabilities, like most server services, are largely dependent on the resources of the Windows server it’s installed on. Other factors include network topology, network management, and the selection of user authentication databases. Common sense would rightly indicate that a faster processor, increased memory, and high-speed connectivity will increase both the speed and volume of authentications per second.

The following items are general indicators of system performance, but the actual Cisco Secure ACS performance on a particular network could vary based on the environment and AAA configuration.

  • Maximum users supported: Technically, no limit exists to the number of users the Cisco Secure ACS user database can support if disk space is available. Cisco has successfully tested Cisco Secure ACS with databases greater than 100,000 users. While a single Cisco Secure ACS server using multiple databases might be able to support 300,000 to 500,000 users, using replicated multiple Cisco Secure ACS servers would increase that number substantially.

  • Transaction processing: A single minimal ACS server with a 10,000 user database might be able to process 80 RADIUS logins, plus approximately 40 TACACS+ logins per second. Increasing memory and/or the number and size of the processors would increase these numbers, while increasing the size of the database will reduce performance.

  • Maximum number of AAA client devices: Approximately 2,000 network devices running any AAA client.
