Features and Architecture of Cisco Secure ACS for Windows

IEEE 802.1x—Access Control for Switched LAN Users

The IEEE 802.1x standard brings new security services to the local area network (LAN) by letting network administrators control which users can access their switched LAN environment. The 802.1x standard manages port-level access control by using the Cisco Secure ACS Extensible Authentication Protocol (EAP), which is carried on RADIUS.

EAP Message Digest 5 (EAP-MD5) and?EAP?Transport?LAN?Services?(EAP-TLS)

EAP is an IETF RFC standard for various authentication methods carried over any Point-to-Point Protocol (PPP) connection. EAP-MD5 is a user name/password method incorporating MD5 hashing for security. EAP-TLS uses X.509 digital certificate technology to provide both Cisco Secure ACS server and client authentication. EAP-TLS also supports dynamic session key negotiation.

Microsoft Challenge Authentication Protocol (MSCHAP) Support

Cisco Secure ACS now supports MSCHAP version 2.0 exchanges and MSCHAP password change service for Microsoft Dial-Up Networking clients, Cisco VPN clients, and any other desktop client supporting MSCHAP version 2.0 password change service. A user whose password has expired now is automatically prompted to change their password after their next login.

Multiple LDAP Support

Cisco Secure ACS supports user authentication using records kept in a directory server through the LDAP, including Novell and Netscape, using a generic LDAP interface. New in Cisco Secure ACS version 3.0 is the capability to define multiple, different LDAP sources for user lookups. This lets you define a different LDAP repository to search for users. Another new feature is the capability to define secondary, backup LDAP servers, for times when a primary LDAP server is unavailable.

Device Command Sets (DCS)

Device Command Sets (DCS) is a new TACACS+ administration tool that uses a central Cisco Secure ACS graphical user interface (GUI) mechanism to control the authorization of each command on each device via per-user, per-group, or per-network device group mapping. DCS provides a method to group and name command profiles, which can then be paired with users, groups of users, or device groups. The new features and tools provide greater granularity, scalability, and manageability in setting authorization restrictions for network administrators.

Per-User Access Control Lists (ACL)

Per-user Access Control Lists (ACL) is a Cisco PIX Firewall Solution service that allows administrators to define access control lists (ACL) of any length, for users or groups of users using the Cisco Secure ACS GUI.

New NAS Wildcard, Multi-NAS, and Named Access Filters Features

NAS wildcard support for device, device group entry, and NAS filtering enables easier device entry and management in the Cisco Secure ACS system.

Multi-NAS allows the administrator to create shared NAS profile templates that define a group of network devices with the same attributes: shared key, authentication method, or login/accounting parameters. Multi-NAS also enables administrators to provide multiple IP addresses or ranges of IP addresses.

Named access filters simplify and facilitate assigning the same access filter to multiple devices or device groups.

User-Extensible Vendor-Specific Attributes (VSAs)

The Cisco Secure ACS now supports user-defined outbound Vendor-Specific Attributes (VSAs) using the web GUI, including support for Broadband Service Manager (BBSM) implementations.

CSAdmin

CSAdmin is the service for the Cisco Secure ACS internal web server that eliminates the need for a third-party web server. Once installed, Cisco Secure ACS must be configured from its HTML interface, which requires that CSAdmin be running. CSAdmin is a multithreaded application allowing multiple administrators to access it at the same time. CSAdmin is best for distributed, multiprocessor, and clustered environments.

While starting and stopping the other services from within the Cisco Secure ACS HTML interface is possible, this doesn’t include starting or stopping CSAdmin. If CSAdmin stops abnormally through an external action, Cisco Secure ACS is only accessible from the Windows NT/2000 server on which it’s running. CSAdmin can be started or stopped from the Windows NT/2000 Service menu.

CSAuth

CSAuth is the authentication and authorization service used to permit or deny access to users. CSAuth is the database manager that determines whether access should be granted and defines the privileges for a particular user. Cisco Secure ACS can access several different databases for authentication purposes. When a request for authentication arrives, Cisco Secure ACS checks the database configured for that user. If the user is unknown, Cisco Secure ACS checks the database(s) configured for unknown users. The database options include the following:

• Cisco Secure ACS user database The fastest option involves locating the user name and checking the password against the internal Cisco Secure ACS user database, as depicted in Figure 4-2. This avoids any delay while Cisco Secure ACS waits for a response from an external user database.

  
  Figure 4-2: Cisco Secure ACS using its own database to authenticate users

• Windows NT/2000 user database CSAuth passes the user name and password to Windows NT/2000 for authentication using its user database. Windows NT/2000 then provides a response approving or denying validation. Figure 4-3 represents Cisco Secure ACS using the network OS security database to authenticate users.

  
  Figure 4-3: Cisco Secure ACS using Windows security database for authentication

• Novell NDS option Uses the Novell NDS service to authenticate users. Cisco Secure ACS supports one tree, but the tree can have multiple Containers and Contexts. The Novell requester must be installed on the same Windows server as Cisco Secure ACS.

• ODBC Open Database Connectivity (ODBC)–compliant SQL databases use the ODBC standardized API developed by Microsoft and are now used by most major database vendors. A benefit of ODBC in a web-based environment is easy access to data storage programs, such as Microsoft Access and SQL Server.

• UNIX passwords Cisco Secure ACS includes a password import utility to import passwords from a UNIX database.

• Generic LDAP Cisco Secure ACS supports authentication of users against records kept in a directory server through the LDAP. Both PAP and CHAP passwords can be used when authenticating against the LDAP database.

• Token Card servers Cisco Secure ACS supports token servers, such as RSA SecurID, and SafeWord AXENT, and any hexadecimal X.909 Token Card, such as CRYPTOCard. Cisco Secure ACS either acts as a client to the token server or, in other cases, uses the token server’s RADIUS interface for authentication requests. Figure 4-4 shows the Token Card server interacting with Cisco Secure ACS.

  
  Figure 4-4: Remote user authentication using Token Card

When the user authenticates using one of the defined methods, Cisco Secure ACS obtains a set of authorizations from the user profile and any groups the user belongs to. This information is stored with the user name in the Cisco Secure ACS user database. Some authorizations are the services the user is entitled to, such as IP over PPP, IP pools from which to draw an IP address, access lists, and password aging information. The authorizations, with the authentication approval, are then passed to the CSTacacs or CSRadius modules to be sent to the requesting device.

CSDBSync

CSDBSync is an alternative to using the ODBC dynamic link library (DLL) to synchronize the Cisco Secure ACS database with third-party RDBMS systems. Because version 2.4, CSDBSync synchronizes AAA client, AAA server, network device groups (NDGs), and proxy table information.

CSLog

CSLog is the service that captures and places logging information. CSLog gathers data from the TACACS+ or RADIUS packet and CSAuth, and formats the data into the comma-separated value (CSV) files that can be imported into spreadsheets supporting the format.

CSMon

CSMon minimizes downtime in a remote access network environment. CSMon works for both TACACS+ and RADIUS by automatically detecting which protocols are in use. CSMon performs four basic activities:

• Monitoring Monitors the overall status of Cisco Secure ACS and the host system it’s running on. It uses the Windows Event Log and Performance Monitor to monitor overall system health, including disk, CPU, and memory utilization.

• Recording Records and reports all exceptions to a special log file that can be used to diagnose problems.

• Notification Alerts the administrator to potential problems and real events regarding Cisco Secure ACS, and records all such problems. The default notification method is Simple Mail Transfer Protocol (SMTP) e-mail, but scripts can be written to enable other methods, such as pager notification.

• Response Can be configured to attempt to fix detected problems automatically and intelligently, such as running scripts to restart stopped services.

CSTacacs and CSRadius

The CSTacacs and CSRadius services communicate between the CSAuth module and the access device requesting authentication and authorization services. CSTacacs is used to communicate with TACACS+ devices, and CSRadius is used to communicate with RADIUS devices. Both services can run at the same time. CSTacacs and CSRadius services must be configured from CSAdmin.

Each module can be started and stopped individually from within the Microsoft Service Control Panel; or, with the exception of CSAdmin, each can be stopped from within the Cisco Secure ACS HTML interface.