Table Of Contents
Introduction to the CiscoSecure ACS Software
CiscoSecure ACS Network Architecture
CiscoSecure ACS Flexibility and Scalability
Network-Wide, Web-Based Management
Multiple Levels of Access Control Administration
Accommodation of Non-CiscoSecure Users
Basic CiscoSecure ACS Concepts
TACACS+ and RADIUS Protocol Support
Dictionaries for the RADIUS Protocol
CiscoSecure ACS Web-Based Interface
Three Components of Dial-In Network Security
Introduction to the CiscoSecure ACS Software
This chapter contains an overview of the CiscoSecure Access Control Server (ACS) 2.3 for UNIX (Solaris) software, defines package contents and system requirements, describes features of the software, and provides general information on network security.
Overview of CiscoSecure ACS
The CiscoSecure ACS software is designed to help ensure the security of your network and track the activity of people who successfully connect to your network. The CiscoSecure ACS software uses either the Terminal Access Controller Access Control System Plus (TACACS+) or the Remote Authentication Dial-In User Service (RADIUS) protocol to provide this network security and tracking.
The CiscoSecure ACS uses authentication, authorization, and accounting (AAA) to provide network security. Each facet of AAA significantly contributes to the overall security of your network:
•Authentication determines the identity of users and whether they should be allowed access to the network.
•Authorization determines the level of network services available to authenticated users after they are connected.
•Accounting keeps track of each user's network activity.
Note AAA accounting is not supported by PIX firewalls.
CiscoSecure ACS Network Architecture
The CiscoSecure ACS sits on a network that dial-in users and other types of outside users access through a network access server (NAS).
Figure 1-1 Overview of CiscoSecure ACS Configuration
As users log in through the NAS, the CiscoSecure ACS exchanges data and instructions with the NAS, authenticating and authorizing users on the basis of user and group profiles that are stored in either a local or network database. After the CiscoSecure ACS software authenticates and authorizes users for the proper level of network access, it tracks individual user access and stores this information in a database where it can later be retrieved for accounting or analyzing network use.
System administrators authorized to manage the CiscoSecure ACS do so from a network workstation through the web-based CiscoSecure Administrator program.
Users can be granted access to a web-based CiscoSecure User Access program, through which they can change their login passwords.
You can configure the CiscoSecure ACS software to work in conjunction with token card servers and PIX firewall servers. (PIX does not currently support AAA accounting.)
New Features
This release of CiscoSecure ACS for UNIX adds the following features:
•Support for IETF RADIUS tunneling attributes
•Recognition of new attributes in the customary RADIUS AV pairs and the user profile
•Decryption and encryption of RADIUS tunnel passwords
•New dictionary that includes 3Com RADIUS attributes
Additionally, with this release, CiscoSecure enables the "Valid Client" feature in the "CSConfig.ini" configuration file by default; previously, this feature was disabled by default. This feature requires a list of valid IP addresses (trusted hosts) that are permitted to access the CiscoSecure ACS server. A configuration parameter named "FastAdminValidClients" was added, which applies the same IP address list specified for valid clients to the Fast Administration web-based GUI. These configuration changes raise the default security level of the CiscoSecure product.
Features
This section describes the features available in CiscoSecure ACS.
Session Management Support
CiscoSecure ACS 2.3 for UNIX offers max sessions support. This feature is the ability to limit the number of concurrent sessions permitted per specific user, group, VPDN, or PoP group.
•If you have the optional CiscoSecure Distributed Session Manager (DSM) module licensed, installed, and enabled (using the package labeled CiscoSecure ACS for UNIX with Distributed Session Manager at new CiscoSecure installation sites; or the package labeled CiscoSecure ACS Distributed Session Manager Option at existing CiscoSecure ACS 2.3 for UNIX sites), you can enable the CiscoSecure ACS to limit the number of concurrent sessions that are available to a specific user, group, or VPDN. This feature also gives the system administrator the ability to monitor and reset statistics associated with this sessions limitation.
Imposing a maximum sessions limitation per group, per user, or per VPDN enables the system administrator to prevent one user or group of users from consuming a disproportionate share of the available network connections.
•If you install CiscoSecure without the DSM module licensed or installed, CiscoSecure ACS 2.3 for UNIX still provides limited-feature max sessions support, enabling you to set per-user session limits for individual users or groups of users.
Caution The DSM module features cannot be implemented for members of VPDNs set up to use the Cisco IOS Release 11.3 dial-in number information service (DNIS) feature.
Note Use of the DSM module also requires that the CiscoSecure ACS be configured to use Oracle Enterprise or Sybase Enterprise RDBMS sites that have been set up for database replication.
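The max sessions behaviour described in this section, as an added example (not CiscoSecure or DSM code): a limiter that admits a new session only while every bucket it counts against (user, group, VPDN) still has headroom. The example assumes that the ACS learns of session open and close from the NAS's accounting Start and Stop records, and that a duplicate Start (NAS retransmit), a Stop with no matching Start, and an administrative reset of a bucket (the "reset statistics" ability mentioned above, useful after a NAS reboot that lost its Stop records) are the edge cases a practitioner must handle. All names and the record shape are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One NAS session as seen by the ACS (hypothetical record shape)."""
    session_id: str          # e.g. the accounting session id reported by the NAS
    user: str
    group: str
    vpdn: Optional[str] = None


class SessionLimiter:
    """Enforce concurrent-session limits per user, group and VPDN.

    Counters are driven by accounting Start (start) and Stop (stop) events.
    That linkage is an assumption of this example, not a description of how
    the DSM module is built.
    """

    def __init__(self, user_limits=None, group_limits=None, vpdn_limits=None):
        self.limits: Dict[str, Dict[str, int]] = {
            "user": dict(user_limits or {}),
            "group": dict(group_limits or {}),
            "vpdn": dict(vpdn_limits or {}),
        }
        self.active: Dict[str, Session] = {}                  # session_id -> Session
        self.counts: Dict[Tuple[str, str], int] = defaultdict(int)

    @staticmethod
    def _keys(s: Session):
        """Every limit bucket a session counts against."""
        yield ("user", s.user)
        yield ("group", s.group)
        if s.vpdn is not None:
            yield ("vpdn", s.vpdn)

    def count(self, kind: str, name: str) -> int:
        return self.counts[(kind, name)]

    def start(self, s: Session) -> bool:
        """Accounting Start: admit only if every applicable bucket has headroom.

        A repeated Start for a session id that is already active (a NAS
        retransmit) is accepted without being counted twice.
        """
        if s.session_id in self.active:
            return True
        for kind, name in self._keys(s):
            limit = self.limits[kind].get(name)
            if limit is not None and self.counts[(kind, name)] >= limit:
                return False      # reject: this user/group/VPDN would exceed its share
        self.active[s.session_id] = s
        for key in self._keys(s):
            self.counts[key] += 1
        return True

    def stop(self, session_id: str) -> bool:
        """Accounting Stop: release the session. A Stop with no matching Start
        is ignored so that counters never go negative."""
        s = self.active.pop(session_id, None)
        if s is None:
            return False
        for key in self._keys(s):
            self.counts[key] -= 1
        return True

    def reset(self, kind: str, name: str) -> int:
        """Administrative reset of one bucket: drop every session counted
        against it. Returns the number of sessions cleared."""
        stale = [sid for sid, s in self.active.items() if (kind, name) in set(self._keys(s))]
        for sid in stale:
            self.stop(sid)
        return len(stale)
```

Note that the limit is only as accurate as the accounting feed: a NAS that never sends Stop records leaves sessions counted forever, which is why the reset path exists and why the page ties the DSM to accounting-capable clients.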
Other Features
The following features of previous versions of CiscoSecure are also included in the CiscoSecure ACS 2.3 for UNIX product:
•Web-page-based interface to:
–Manage TACACS+-enabled and RADIUS-enabled NAS clients.
–Manage TACACS+-enabled and RADIUS-enabled CiscoSecure ACSes.
–Set up and manage remote connections to virtual private dial-up networks (VPDNs).
–Configure a default profile to accommodate guest users, or users logging in through a client NAS who are authorized by some other control system to access the network.
–Assign mid-level group administration privileges.
–Configure token-caching for all users logging in through a token server.
–Assign group-level absolute attributes.
–Administer Secure Computing token card users.
•UNIX command-line interface support
•Profile data caching—For enhanced authentication performance
•Support for database replication among multiple Oracle or Sybase database sites that contain the profile data for multiple CiscoSecure ACS sites
CiscoSecure ACS Flexibility and Scalability
The CiscoSecure ACS is designed to provide for easy expansion of AAA services in a NAS. It uses relational enterprise databases, allowing an environment in which any number of CiscoSecure ACSes can be distributed among many locations.
For example, in a dial-in network where dial-in port banks are located in different regions, you can scale network performance by installing separate CiscoSecure ACSes to support each region.
In this distributed architecture, the number of authentications per second would be equal to the number of CiscoSecure ACSes multiplied by the authentications per second of a given ACS. That is, if the performance of a CiscoSecure ACS is x authentications per second, when you use 10 CiscoSecure ACSes, you'll achieve 10x authentications per second.
If you have multiple points of presence (PoPs), each PoP can use its own CiscoSecure ACS. The distributed databases provide the necessary replication of data among the CiscoSecure ACSes. This solution allows for redundancy, user-entry scalability, and performance scalability.
Redundancy
The NAS at each PoP can always use its local CiscoSecure ACS as the primary server. The scalable architecture of the CiscoSecure ACS provides that, in the event a NAS is unable to use its primary server, the NAS can also point to two other backup CiscoSecure ACSes. This helps to ensure continuous availability of network resources.
Network-Wide, Web-Based Management
During installation, CiscoSecure ACS sets up the CiscoSecure ACS web site for administrators and users to access and carry out appropriate administration tasks. This interface allows multiple administrators to add users to CiscoSecure ACS. It allows authorized users to access it to change their passwords. It provides record locking so that only one administrator at a time can modify information for the same user.
It enables system administrators to set global login restrictions that apply to all client NASes using the CiscoSecure ACS services.
Using the CiscoSecure ACS software saves memory in all the access devices and eliminates the need to update every NAS when new users are added, authorization is modified, or users change their passwords. Changes are made instead to the CiscoSecure profile database.
Quick Addition of NAS Clients
If you want to specify multiple NASes as CiscoSecure ACS clients, you can use the web-based CiscoSecure ACS 2.3 for UNIX administration interface to designate and configure specific TACACS+-enabled NASes and RADIUS-enabled NASes as CiscoSecure clients.
Multiple Levels of Access Control Administration
CiscoSecure ACS 2.3 for UNIX supports multiple levels of access control administration.
The top level, or system administrator can manage network access control of all users and groups in the AAA database.
The system administrator can, in turn, parcel out administrative access control tasks to mid-level group administrators on a per-group basis. The system administrator can assign (to selected users) group administrator access control privileges that those users can exercise within their home groups and in any subordinate group, but cannot apply at any level above or equal to their home group.
For example, the system administrator can empower User A as the group administrator of the network access of fellow users in Group A and in its child groups but prevent User A from viewing or administering users in Group B even though the users in both groups are accessing the network through the same NAS and ACS system.
Local and Remote VPDN Access
If you maintain an Internet service accessed by various customers maintaining separate virtual private dial-up networks (VPDNs), you can configure the CiscoSecure ACS to authenticate VPDN users logging in to access local domains and route VPDN users logging in to access remote domains.
You can configure the CiscoSecure ACS to recognize and authenticate users logging in with specific local domain name strings. You can also configure the CiscoSecure ACS to recognize and route users logging in with specific remote domain name strings to the home gateway NAS of those domains.
Thus a VPDN user logging in through local NAS_A at Service_Provider_A as sam@zephyrware, would be authorized for the remote zephyrware domain by local ACS_A and routed to the home gateway NAS_B for the Zephyrware domain and authenticated there by ACS_B.
User Group Scalability
The CiscoSecure ACS supports user group profiles. This feature allows you to define a group with a set of attributes based on your security policy. When you add a user to that group (defining the user's password in the process), the new user is automatically assigned the attributes for the group. This dramatically simplifies the process of adding a user and makes your security easy to enforce and modify.
Performance Scalability
The distributed architecture of the CiscoSecure ACS allows you to scale your performance. In a dial-in network with multiple dial-in port banks located in different regions, you can scale network performance by installing separate CiscoSecure ACSes to support each region.
Database Options
The CiscoSecure ACS supports the following database options for storing group and user profiles and accounting information:
•Using the SQLAnywhere included with the CiscoSecure ACS
The CiscoSecure ACS includes SQLAnywhere from Sybase. Although this version of the database does not have client/server support, it is optimized to perform the essential AAA services with the CiscoSecure ACS.
Caution The SQLAnywhere database option will not support profile databases exceeding 5,000 users, replication of profile information among database sites, or the CiscoSecure DSM feature.
•Using an Oracle or Sybase RDBMS
If you intend to support CiscoSecure profile databases of 5,000 or more users, database replication, or the CiscoSecure DSM feature, you must pre-install an Oracle (version 7.3.2, 7.3.3, or 8.0.3) or Sybase SQL server (version 11) relational database management system (RDBMS) to hold your CiscoSecure profile information. Database replication requires further RDBMS configuration after the CiscoSecure installation program is complete.
•Upgrading an existing database from a previous (2.x) version of CiscoSecure
If you are upgrading from a previous 2.x version of CiscoSecure, the CiscoSecure installation program automatically upgrades the profile database to be compatible with CiscoSecure ACS 2.3 for UNIX.
•Importing an existing Profile database
You can convert existing freeware TACACS+ or RADIUS profile databases or flat files for use with this version of the CiscoSecure ACS. See the chapter "Converting an Existing AA Database for CiscoSecure ACS 2.3."
Database Replication Support
If you are supporting multiple CiscoSecure ACS sites using Oracle or Sybase database engines, you can implement periodic Oracle or Sybase database updating and replication between the sites. Database replication ensures that additions or modifications to the user profile database at one ACS site are incorporated at the other ACS sites. Consequently, every CiscoSecure ACS on the network is providing authentication, authorization and accounting services using a common consistent pool of user profile information.
Accommodation of Non-CiscoSecure Users
The CiscoSecure ACS allows you to easily configure a default profile for unknown_user to apply to non-CiscoSecure users, that is, users logging in through the client NAS without a CiscoSecure ACS user profile configured. You might want to configure a default profile to accommodate guest users or users who are being authenticated by another login control system.
Upgrade Options
The CiscoSecure ACS supports the following upgrade options:
•Upgrading from CiscoSecure ACS 1.x
If you are using the database included with CiscoSecure ACS 1.x, you can import your 1.0x user database into the CiscoSecure ACS relational database management system (RDBMS). See "Converting an Existing AA Database for CiscoSecure ACS 2.3."
•Upgrading from CiscoSecure ACS 2.x
If you are using CiscoSecure ACS 2.x, your database will be supported in this version of CiscoSecure ACS when you install the new version.
Standards and Specifications
The CiscoSecure ACS software conforms to the following standards and specifications:
•TACACS+
The CiscoSecure ACS software conforms to the TACACS+ protocol as defined by Cisco Systems. See your Cisco IOS software documentation for more information.
•RADIUS
The CiscoSecure ACS software conforms to the RADIUS protocol as defined in the following RFCs:
–RFC 2138, Remote Authentication Dial In User Service
–RFC 2139, RADIUS Accounting
•To support RADIUS tunneling:
–draft-ietf-radius-tunnel-auth-06.txt
–RFC 2138 and RFC 2139 extensions
•CiscoSecure ACS for UNIX is Y2K compliant as defined on Cisco's Year 2000 web page at http://www.cisco.com/warp/public/752/2000/index.shtml
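The two RADIUS password mechanisms this page relies on, as an added example that is not CiscoSecure code: User-Password hiding from RFC 2138 section 5.2 (the "Encrypted password transactions" row of Table 1-1) and the salted Tunnel-Password encoding from the tunnel-auth draft listed above, later published as RFC 2868 section 3.5 (the "Decryption and encryption of RADIUS tunnel passwords" feature). Both derive a keystream from MD5 over the shared secret and the 16-byte Request Authenticator and XOR it over the NUL-padded plaintext; the tunnel form adds a 2-byte salt and a leading length byte. Function names are my own; the sample secret and authenticator in the usage are constructed.

```python
import hashlib
import secrets


def md5cat(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for p in parts:
        h.update(p)
    return h.digest()


def pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16 (RFC 2138 section 5.2)."""
    return data + b"\x00" * (-len(data) % 16)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side of RFC 2138 User-Password: c1 = p1 xor MD5(S+RA); c(i) = p(i) xor MD5(S+c(i-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = pad16(password)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        c = xor_bytes(padded[i:i + 16], md5cat(secret, prev))
        out += c
        prev = c
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side. Trailing NULs are padding, so a password ending in NUL cannot be carried."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += xor_bytes(c, md5cat(secret, prev))
        prev = c
    return bytes(out).rstrip(b"\x00")


def encrypt_tunnel_password(password: bytes, secret: bytes, request_authenticator: bytes,
                            tag: int = 0, salt: bytes = None) -> bytes:
    """RFC 2868 Tunnel-Password value: Tag || Salt || E(len || password).
    b1 = MD5(S+RA+Salt); b(i) = MD5(S+c(i-1)). Salt high bit must be set, unique per attribute."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if len(password) > 239:
        raise ValueError("would exceed the 253-byte RADIUS attribute value limit")
    if salt is None:
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = pad16(bytes([len(password)]) + password)
    out, prev = bytearray(), None
    for i in range(0, len(plain), 16):
        b = md5cat(secret, request_authenticator, salt) if prev is None else md5cat(secret, prev)
        c = xor_bytes(plain[i:i + 16], b)
        out += c
        prev = c
    return bytes([tag]) + salt + bytes(out)


def decrypt_tunnel_password(value: bytes, secret: bytes, request_authenticator: bytes):
    """Home-gateway side. Returns (tag, password); rejects malformed values rather than guessing."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("malformed Tunnel-Password")
    tag, salt, enc = value[0], value[1:3], value[3:]
    if tag > 0x1F or not salt[0] & 0x80:
        raise ValueError("malformed Tunnel-Password tag/salt")
    out, prev = bytearray(), None
    for i in range(0, len(enc), 16):
        c = enc[i:i + 16]
        b = md5cat(secret, request_authenticator, salt) if prev is None else md5cat(secret, prev)
        out += xor_bytes(c, b)
        prev = c
    n = out[0]
    if n > len(out) - 1:
        raise ValueError("length byte inconsistent: wrong shared secret or corrupted value")
    return tag, bytes(out[1:1 + n])


if __name__ == "__main__":
    secret, ra = b"s3cret", bytes(range(16))          # constructed sample values
    hidden = hide_user_password(b"pw", secret, ra)
    assert reveal_user_password(hidden, secret, ra) == b"pw"
    tp = encrypt_tunnel_password(b"tunnel-key", secret, ra, tag=1)
    assert decrypt_tunnel_password(tp, secret, ra) == (1, b"tunnel-key")
```

The practical caveat: this is obfuscation keyed by the shared secret, not authenticated encryption. Anyone on the path who can guess the secret offline recovers every password, and a NAS that reuses or predicts its Request Authenticator hands out reusable keystream, so per-NAS secrets should be long and random and the Request Authenticator must be fresh for every request.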
Basic CiscoSecure ACS Concepts
The CiscoSecure ACS network might include these hardware and software elements:
•Java Database Connectivity (JDBC)-compliant relational database software—Installed on the network: either an Oracle Enterprise database engine, a Sybase Enterprise database engine, or an ODBC-compliant CiscoSecure-supplied SQLAnywhere database engine.
•NAS—Functioning as a router to dial-in users and a client to the ACS server.
•CiscoSecure ACS—Running on a UNIX workstation.
•Token card server—An optional token card server to support token card authentications.
•CiscoSecure ACS console—A workstation with an installed web browser for administering the ACS through the CiscoSecure ACS web pages.
Figure 1-2 shows a typical configuration.
Figure 1-2 Overview of Typical CiscoSecure ACS Configuration
In this example, the NAS, CiscoSecure ACS, external relational database, web browser workstation, and token card server are interconnected. With the appropriate authorization, the CiscoSecure ACS can be managed from any computer on the network running a supported web browser.
CiscoSecure ACS software uses group-and-user information stored in a relational database for authentication, authorization, and accounting. This database is known as the AAA database.
CiscoSecure ACS and the NAS
The CiscoSecure ACS software performs the actual AAA processing and responds to NAS access requests made by users outside the LAN. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to the CiscoSecure ACS, which verifies the username and password and returns a success or failure response to the NAS.
When the user has been authenticated, a set of session attributes can be sent to the NAS to provide additional security. These attributes can include per-user access lists, specific services that can be used, and session timeout values.
Figure 1-3 illustrates a scenario in which the process of AAA is performed by the NAS and the CiscoSecure ACS.
Figure 1-3 AAA from the NAS to the CiscoSecure ACS
TACACS+ and RADIUS Protocol Support
TACACS+ and RADIUS are AAA protocols through which the NAS and the CiscoSecure ACS communicate. CiscoSecure supports both protocols. Table 1-1 lists the AAA features supported by the two protocols.
Table 1-1 Protocol-Supported AAA Features

AAA Feature | TACACS+ Support | RADIUS Support
Web-based administration | Yes | Yes
Encrypted password transactions | Yes | Yes
Solaris 2.5 or greater support | Yes | Yes
Option to disable accounts after failed login attempt count exceeded | Yes | Yes
User group membership support | Yes | Yes
Accounting support | Yes | Yes
S/Key authentication support | Yes | Yes
Option to specify maximum sessions per user | Yes | Yes
Support for use of common token card servers (CRYPTOCard, Secure Computing, and Security Dynamics, Inc. [SDI]) | Yes | Yes
Password aging and configurable warning period | Yes | No
Allow/refuse filter option for remote addresses | Yes | No
Option to change user passwords or reject passwords not meeting security requirements | Yes | No
Language configurable message catalogs | Yes | No
Option for a single TCP (1) connection between the NAS and the CiscoSecure ACS | Yes | No
Permit/deny control for X.121 addresses (on a network-wide basis) | Yes | No
Permit/deny control for X.121 addresses (on a NAS-by-NAS basis) | Yes | Yes

(1) TCP = Transmission Control Protocol.
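The two TACACS+ properties Table 1-1 singles out, "Encrypted password transactions" and the single TCP connection option, come from the packet format Cisco defined for the protocol (its draft was later published as RFC 8907). The following is an added example, not CiscoSecure code: it builds and parses a TACACS+ packet with the 12-byte header, the MD5-derived body obfuscation keyed by the shared secret, and the checks a daemon should make before trusting a body. Field names follow the specification; the sample key, session id and user are constructed.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no);
    pad_i = MD5(session_id + key + version + seq_no + pad_{i-1}); truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the keystream; applying it again restores the body."""
    ks = keystream(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"",
                      action: int = 1, priv_lvl: int = 1, authen_type: int = 1, service: int = 1) -> bytes:
    """Authentication START body (defaults: LOGIN action, ASCII authen_type, LOGIN service)."""
    for f in (user, port, rem_addr, data):
        if len(f) > 255:
            raise ValueError("START fields carry a one-byte length")
    return bytes([action, priv_lvl, authen_type, service,
                  len(user), len(port), len(rem_addr), len(data)]) + user + port + rem_addr + data


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes,
                 single_connect: bool = False) -> bytes:
    """NAS side: obfuscate the body under the shared key and prepend the header."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0        # minor version 0
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG         # lab use only; never against a keyed server
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(data: bytes, key: bytes) -> dict:
    """Server side: validate the header, refuse cleartext when a key is configured, de-obfuscate."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {version >> 4:#x}")
    if len(data) != HEADER.size + length:
        raise ValueError("length field does not match packet size")
    body = data[HEADER.size:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key:
            raise ValueError("cleartext packet refused: a shared key is configured")
    else:
        if not key:
            raise ValueError("obfuscated packet but no shared key configured")
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id, "body": body}


if __name__ == "__main__":
    key = b"tacacs-key"                               # constructed sample key
    start = authen_start_body(b"alice", b"tty1", b"198.51.100.7")
    wire = build_packet(TAC_PLUS_AUTHEN, 1, 0xDEADBEEF, start, key, single_connect=True)
    assert parse_packet(wire, key)["body"] == start
```

Two points worth keeping in mind when reading the table: the body protection is an MD5 keystream XOR with no integrity check, so the shared key is the only thing standing between an on-path observer and the credentials, and a server with a key configured must reject packets carrying TAC_PLUS_UNENCRYPTED_FLAG rather than silently accepting the downgrade. The single-connect flag lets the NAS multiplex many sessions over one TCP connection, which is why session_id, not the connection, keys the obfuscation.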
Dictionaries for the RADIUS Protocol
To support the use of RADIUS protocols, CiscoSecure supplies RADIUS protocol dictionaries that support the sets of Attribute-Value pairs for commonly-used versions of the RADIUS protocol. CiscoSecure supplies separate dictionaries to support the attribute sets supported by Cisco IOS Release 11.2, Cisco IOS Release 11.3, Ascend, Ascend 5, and the IETF-RADIUS specification.
Using the CiscoSecure Administrator, you can customize a dictionary's attribute set to suit the access control attributes your NAS is configured to support and assign this dictionary to a group profile or user profile. When users fitting this profile log in through the NAS, the CiscoSecure ACS and the NAS communicate through the RADIUS protocol, using the attributes specified in the customized dictionary to determine the authentication and authorization of the new user, and also store user accounting information.
CiscoSecure ACS Web-Based Interface
The CiscoSecure web interface enables you to use Netscape Navigator or Microsoft Internet Explorer to easily set up and modify the authorization and authentication parameters of any group or user on your network. You can assign users to groups that have a set of common configuration parameters. You can then further modify the parameters for each individual user. The CiscoSecure Administrator web interface provides a point-and-click interface to administer the user database.
Note For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.
Three Components of Dial-In Network Security
To maintain reliability and security in your network, the AAA features of the CiscoSecure ACS software help you monitor and control:
•Authentication—Who is logging into the system
•Authorization—Whether a particular user should be using the requested service
•Accounting—What each user has been doing
Authentication
Authentication allows network managers to bar intruders from their networks. Simple authentication methods use a database of usernames and passwords, while more complex methods use one-time passwords (OTP).
CiscoSecure ACS software uses the TACACS+ or RADIUS protocol to authenticate dial-in users, accepting username and password information sent to a NAS by protocols such as the AppleTalk Remote Access Protocol (ARAP), Serial Line Internet Protocol (SLIP), Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and standard Telnet. This broad protocol support gives network administrators the flexibility to define the same or different usernames and passwords for different protocols.
CiscoSecure ACS software supports the following password management features:
•Passwords supported—Data Encryption Standard (DES), Clear Text, UNIX File, UNIX System, No Password, PAP, CHAP, ARAP, S/Key, CRYPTOCard, SDI, and SafeWord
•Aging of passwords (TACACS+ only)—Setting passwords and privilege attributes with expiration dates
•Date qualification of users and groups
•Concept of unknown_user
•Support for the token cards supported by the following token card servers: CRYPTOCard, Secure Computing, SDI, and S/Key (MD4 version)
Authorization
Authorization lets network managers limit the network services available to each user and helps restrict outside callers' access to the internal network. It also lets mobile users connect to the closest local connection and still have the same access privileges they would have if they were directly connected to their local networks. Authorization also lets you specify which commands a new system administrator can issue on specific network devices.
The CiscoSecure ACS software also supports:
•Specification of NAS and, for TACACS+, port number of the caller
•Time-of-day or day-of-week—Logins that are restricted to certain times of day or certain days of the week
•Multiple declarations of services, protocols, and commands—Placing restrictions on users at specified times or under specified operating conditions (TACACS+ only)
Accounting
System administrators might need to bill departments or customers for connection time or resources used on the network (for example, total time connected). Accounting tracks this kind of information. You can also use the accounting syslog to track suspicious connection attempts into the network. The accounting portion of AAA contains:
•User network address
•Username
•Attempted service
•Time and date
•Packet-filter module where the log originates (supported for both TACACS+ and RADIUS, but implemented differently for each protocol)
The billing information includes connect time, user ID, connection location, amount of data transferred, start time, and stop time.
The following features are also supported:
•Compatible log file format (designed for ease of use).
•RADIUS accounting offers the following options:
–None—No RADIUS accounting packets are requested.
–Flat file—RADIUS accounting packets written to a UNIX flat file.
–RDBMS—RADIUS accounting packets are stored in the relational database management system (RDBMS) in TACACS+ format.
–Flat file and RDBMS—Packets are stored in the RDBMS (in TACACS+ format); if the network connection to the relational database fails, accounting packets are written to a flat file instead.
User Profiles
For each user that logs in to the network through the NAS with a distinct ID, use the CiscoSecure Administrator web interface to set up a user profile in the AAA database. This profile contains all the relevant information that the ACS needs to authenticate, authorize, and log accounting information for that user on the network.
When authorized users log on to your network, the CiscoSecure ACS uses the group and user profiles to identify users of a service or a set of services.
Group Profiles
As the number of users grows, assigning all the necessary attributes to every individual user becomes time-consuming and unmanageable.
For large groups of users with similar characteristics, you can set up CiscoSecure user group profiles that allow you to set up AAA attributes for large numbers of users at the same time. This means that you can declare common characteristics once and then have all users assigned to the group inherit those characteristics when they are assigned to the group. This obviously saves a great deal of time.
One way to manage large numbers of users is to group them together according to the services they will use. Using the web-based CiscoSecure ACS Administrator program, you can modify the CiscoSecure ACS to define each group and authorize it to use the appropriate set of services. You can then add each new user to the appropriate group.
For example, you could restrict access by assigning regular employees and contract employees to separate groups and assigning attributes that allow the regular employees group to dial in at any time and the contract employees group to dial in only from 8:00 am to 5:00 pm Monday through Friday.
With grouping, you can also control the access of users to critical network services. For example, rather than controlling the access to a feature, you could control the ability of a group of users to log on to a specified server.
A group can be a member of another group. In a sales group, for example, the complete sales information group might be a member of a larger group of all sales employees that has access to other services and accounting information.
Grouping can simplify the task of ensuring a secure network in which users have easy access to necessary services and information, but no access to other services, which are unrelated to their jobs. In this way, you can reliably and easily ensure the security of the entire network regardless of its size or complexity.
Inheritance
The passing down of a user group's attributes to its member users is called inheritance.
Within the CiscoSecure ACS, inheritance means that in the absence of specifically assigned attribute values, individual users will have the same attribute values as the group from which they were derived.
Inheritance works differently depending on the AAA protocol being applied:
•TACACS+—Attribute values assigned to a group are passed down and applied to its member users. Where required, however, an individual member can override specific values, individualizing the inherited group settings. If an attribute has no explicitly assigned value at either the group or user level, the default applied to unknown_user applies.
•RADIUS—Attributes assigned to groups do not override attributes assigned to members, nor do attributes assigned to members override attributes assigned to the group. If Group and User attributes are not carefully assigned, contention can result. For example, if you assign different passwords to the group and the user, there is no way to be certain which password will be chosen to authenticate against; therefore, the group or user may not be able to authenticate.
•CiscoSecure ACS 2.3 for UNIX supports a category of attributes that can be assigned absolute status in a group profile. If absolute status is enabled for an attribute in a group profile, the value of that attribute cannot be overridden by contending attribute values assigned at any subordinate group or user level.
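The three inheritance rules above, as an added example that is not CiscoSecure code: profiles form a chain from the root group down to the user, and a resolver walks it with TACACS+ semantics (nearer level overrides, except values an ancestor group marked absolute; anything still unset comes from unknown_user) or with the RADIUS semantics this release documents (neither level overrides the other, so a differing value at two levels is contention and the resolver refuses rather than letting the server pick one unpredictably, as with the group-versus-user password case above). The profile shape, attribute names and the choice to treat absolute status as a TACACS+-path rule are assumptions of the example; the page does not say how absolute attributes interact with RADIUS contention.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Optional, Set


@dataclass
class Profile:
    """A user or group profile (hypothetical shape). `absolute` is meaningful only
    on group profiles: attribute names that subordinate groups and users may not override."""
    name: str
    attrs: Dict[str, Any] = field(default_factory=dict)
    parent: Optional["Profile"] = None
    absolute: Set[str] = field(default_factory=set)


class ProfileConflict(Exception):
    """RADIUS: the same attribute carries different values at two levels."""


def lineage(p: Profile) -> List[Profile]:
    """Root group first, the given profile last."""
    out = []
    while p is not None:
        out.append(p)
        p = p.parent
    return out[::-1]


def resolve_tacacs(user: Profile, unknown_user: Profile, wanted: Iterable[str]) -> Dict[str, Any]:
    """TACACS+ inheritance: each level inherits its parent's values and may override
    them, except values an ancestor group marked absolute. Attributes still unset
    after the walk fall back to the unknown_user default profile."""
    effective: Dict[str, Any] = {}
    locked: Set[str] = set()
    for level in lineage(user):
        for k, v in level.attrs.items():
            if k in locked:
                continue                      # frozen by an ancestor's absolute flag
            effective[k] = v
        locked |= {k for k in level.absolute if k in level.attrs}
    result: Dict[str, Any] = {}
    for k in wanted:
        if k in effective:
            result[k] = effective[k]
        elif k in unknown_user.attrs:
            result[k] = unknown_user.attrs[k]
    return result


def resolve_radius(user: Profile, unknown_user: Profile, wanted: Iterable[str]) -> Dict[str, Any]:
    """RADIUS inheritance on this release: group and user values do not override
    each other, so a differing value at two levels is contention. Refuse instead
    of guessing which one the server would use."""
    effective: Dict[str, Any] = {}
    for level in lineage(user):
        for k, v in level.attrs.items():
            if k in effective and effective[k] != v:
                raise ProfileConflict(f"{k!r} is {effective[k]!r} above {level.name} but {v!r} in it")
            effective[k] = v
    return {k: (effective[k] if k in effective else unknown_user.attrs[k])
            for k in wanted if k in effective or k in unknown_user.attrs}


if __name__ == "__main__":
    # Constructed profiles: the root group pins the service type as absolute.
    everyone = Profile("all-employees", {"timeout": 600, "service": "ppp"}, absolute={"service"})
    contractors = Profile("contractors", {"timeout": 300, "service": "shell"}, parent=everyone)
    sam = Profile("sam", {"timeout": 120}, parent=contractors)
    unknown = Profile("unknown_user", {"acl": 101, "timeout": 60})
    print(resolve_tacacs(sam, unknown, ["timeout", "service", "acl"]))
```

A useful operational check that falls out of the RADIUS rule: run the resolver over every user at change time, since a contention introduced by editing a group profile surfaces only when one of its members next tries to log in.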
Posted: Wed Feb 16 10:18:16 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.