
Cisco Press ACS User Guide

This chapter contains an overview of Cisco Secure Access Control Server Release 4.0 for Windows,
hereafter referred to as ACS.
The following topics are presented:
• Introduction to ACS
• ACS Features, Functions and Concepts
• Managing and Administrating ACS
• ACS Specifications
Introduction to ACS
ACS is a scalable, high-performance Remote Authentication Dial-In User Service (RADIUS) and Terminal
Access Controller Access Control System (TACACS+) security server. As the centralized control point
for managing enterprise network users, network administrators, and network infrastructure resources,
ACS provides a comprehensive identity-based network-access control solution for Cisco intelligent
information networks.
ACS extends network-access security by combining traditional authentication, authorization, and
accounting (AAA - pronounced “triple A”) with policy control. ACS enforces a uniform network-access
security policy for network administrators and other network users.
ACS supports a broad variety of Cisco and other network-access devices (NADs), also known as AAA
clients, including:
• Wired and wireless LAN switches and access points
• Edge and core routers
• Dialup and broadband terminators
• Content and storage devices
• Voice over IP
• Firewalls
• Virtual private networks (VPNs)
Figure 1-1 on page 1-2 illustrates the role of ACS as a traditional network access control/AAA server.

User Guide for Cisco Secure Access Control Server for Windows (78-16992-02), Chapter 1: Overview
ACS Features, Functions and Concepts
ACS as the AAA Server
From the perspective of the NAD, ACS functions as the AAA server. You must configure the device,
which functions as a AAA client from the ACS perspective, to direct all end-user host access requests
to ACS, via the TACACS+ or RADIUS protocols.
TACACS+ is traditionally used to provide authorization for network administrative operations on the
network infrastructure itself; RADIUS is universally used to secure the access of end-users to network
resources.
In short, the NAD acts as the network gatekeeper and sends an access request to ACS on behalf of
the user. ACS verifies the username, password, and possibly other data against its internal database or
one of the configured external identity directories. ACS ultimately responds to the NAD with either an
access-denied message or an access-accept message that carries a set of authorization attributes. When
ACS is used within the Network Admission Control (NAC) architecture, additional machine data, known
as posture, is validated as well before the user is granted access to the network.
AAA Protocols: TACACS+ and RADIUS
ACS can use the TACACS+ and RADIUS AAA protocols.
Table 1-1 compares the two protocols.
TACACS+
ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.78. For more
information, refer to the Cisco IOS software documentation at http://www.cisco.com.
RADIUS
ACS conforms to the RADIUS protocol as defined in the draft of April 1997 and in the following
Requests for Comments (RFCs):
• RFC 2138, Remote Authentication Dial In User Service
• RFC 2139, RADIUS Accounting
• RFC 2284
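The NAD-to-ACS exchange described under "ACS as the AAA Server" is, on the RADIUS side, exactly the Access-Request / Access-Accept / Access-Reject round trip that RFC 2138 (cited above) defines. The following is an added example, not code from the Cisco user guide or from ACS itself: a minimal RADIUS packet builder and checker in Python that plays both roles. The AAA-client side hides the User-Password with the RFC 2138 section 5.2 MD5/XOR scheme keyed by the shared secret and a random Request Authenticator; the server side recovers the password, checks it against a constructed user table (a stand-in for the ACS internal database), and signs its reply with the section 3 Response Authenticator, which the client then verifies before trusting the answer. The shared secret, user table, NAS address 192.0.2.10 and credentials are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2138, section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types used below (RFC 2138, section 5)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, REPLY_MESSAGE = 1, 2, 4, 6, 18

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 s5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block); for the first block the 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: the server recovers the cleartext and strips the padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, counting this 2-byte header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes.
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def build_access_request(ident, username, password, secret, request_auth=None) -> bytes:
    """What the NAD (AAA client) sends: a fresh random Request Authenticator plus the hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_user_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAD address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2138 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def aaa_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """What the AAA server does: check credentials, answer Access-Accept (with attributes) or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    fields = dict(attrs)
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_user_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    if username in users and hmac.compare_digest(users[username], password):
        reply_code, reply_attrs = ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", 2))]  # 2 = Framed
    else:
        reply_code, reply_attrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Access denied")]
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAD does with the reply: recompute the Response Authenticator before trusting it."""
    code, ident, auth, attrs = parse_packet(response)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret))

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed; a real deployment needs a long random secret
    users = {"alice": b"s3cret-pw"}         # constructed stand-in for the ACS user database
    req = build_access_request(7, "alice", "s3cret-pw", secret)
    resp = aaa_server(req, secret, users)
    print("reply code", parse_packet(resp)[0], "authentic", verify_response(resp, req[4:20], secret))
```

Two things the code makes visible that the overview only implies: the shared secret is the sole key for both password hiding and reply authenticity, so every NAD should have its own long random secret, and the MD5/XOR hiding is not modern encryption, which is why RADIUS between NADs and ACS belongs on a management network rather than a path an outsider can observe.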