Introduction to the CiscoSecure ACS Software

This chapter contains an overview of the CiscoSecure Access Control Server (ACS) 2.3 for UNIX (Solaris) software, defines package contents and system requirements, describes features of the software, and provides general information on network security.

Overview of CiscoSecure ACS

The CiscoSecure ACS software is designed to help ensure the security of your network and track the activity of people who successfully connect to your network. The CiscoSecure ACS software uses either the Terminal Access Controller Access Control System (TACACS)+ or the Remote Authentication Dial-In User Service (RADIUS) protocol to provide this network security and tracking.

The CiscoSecure ACS uses authentication, authorization, and accounting (AAA) to provide network security. Each facet of AAA significantly contributes to the overall security of your network:

•

Authentication determines the identity of users and whether they should be allowed access to the network.

•

Authorization determines the level of network services available to authenticated users after they are connected.

CiscoSecure ACS Network Architecture

The CiscoSecure ACS sits on a network that dial-in users and other types of outside users access through a network access server (NAS).

As users log in through the NAS, the CiscoSecure ACS exchanges data and instructions with the NAS, authenticating and authorizing users on the basis of user and group profiles that are stored in either a local or network database. After the CiscoSecure ACS software authenticates and authorizes users for the proper level of network access, it tracks individual user access and stores this information in a database where it can later be retrieved for accounting or analyzing network use.

System administrators authorized to manage the CiscoSecure ACS do so from a network workstation through the web-based CiscoSecure Administrator program.

Users can be granted access to a web-based CiscoSecure User Access program, through which they can change their login passwords.

You can configure the CiscoSecure ACS software to work in conjunction with token card servers and PIX firewall servers. (PIX does not currently support AAA accounting.)

New Features

•

Recognition of new attributes in the customary RADIUS AV pairs and the user profile

Additionally, with this release, CiscoSecure enables the "Valid Client" feature in the "CSConfig.ini" configuration file by default; previously, this feature was disabled by default. This feature requires a valid list of IP addresses (trusted hosts) to access the Debasers. A configuration parameter named "FastAdminValidClients" was added which allows the Fast Administration web-based GUI to permit the same IP addresses specified in the valid clients list. These configuration changes enable a higher default security level in the CiscoSecure product.

Features

Session Management Support

CiscoSecure ACS 2.3 for UNIX offers max sessions support. This feature is the ability to limit the number of concurrent sessions permitted per specific user, group, VPDN, or PoP group.

•

If you have the optional CiscoSecure Distributed Session Manager (DSM) module licensed, installed, and enabled (using the package labeled CiscoSecure ACS for UNIX with Distributed Session Manager at new CiscoSecure installation sites; or the package labeled CiscoSecure ACS Distributed Session Manager Option at existing CiscoSecure ACS 2.3 for UNIX sites), you can enable the CiscoSecure ACS to limit the number of concurrent sessions that are available to a specific user, group, or VPDN. This feature also gives the system administrator the ability to monitor and reset statistics associated with this sessions limitation.

Imposing a maximum sessions limitation per group, per user, or per VPDN enables the system administrator to ensure against one user or group of users from consuming a disproportionate amount of network connections.

•

If you install CiscoSecure without the DSM module licensed or installed, CiscoSecure ACS 2.3 for UNIX still provides limited-feature max sessions support, enabling you to set per-user session limits for individual users or groups of users.

Note Use of the DSM module also requires the CiscoSecure ACS configured to use the Oracle Enterprise or Sybase Enterprise RDBMS sites that have been set up for database replication.

Other Features

Features of previous versions of CiscoSecure also included in CiscoSecure ACS 2.3 for UNIX product include:

–

Set up and manage remote connections to virtual private dial-up networks (VPDNs).

–

Configure of a default profile to accommodate guest users or users logging in through a client NAS but who are authorized by some other control system to access the network.

•

Support for database replication among multiple Oracle or Sybase database sites that contain the profile data for multiple CiscoSecure ACS sites

CiscoSecure ACS Flexibility and Scalability

The CiscoSecure ACS is designed to provide for easy expansion of AAA services in a NAS. It uses relational enterprise databases, allowing an environment in which any number of CiscoSecure ACSes can be distributed among many locations.

For example, in a dial-in network where dial-in port banks are located in different regions, you can scale network performance by installing separate CiscoSecure ACSes to support each region.

In this distributed architecture, the number of authentications per second would be equal to the number of CiscoSecure ACSes multiplied by the authentications per second of a given ACS. That is, if the performance of a CiscoSecure ACS is x authentications per second, when you use 10 CiscoSecure ACSes, you'll achieve 10x authentications per second.

If you have multiple points of presence (PoPs), each PoP can use its own CiscoSecure ACS. The distributed databases provide the necessary replication of data among the CiscoSecure ACSes. This solution allows for redundancy, user-entry scalability, and performance scalability.

Redundancy

The NAS at each PoP can always use its local CiscoSecure ACS as the primary server. The scalable architecture of the CiscoSecure ACS provides that, in the event a NAS is unable to use its primary server, the NAS can also point to two other backup CiscoSecure ACSes. This helps to ensure continuous availability of network resources.

Network-Wide, Web-Based Management

During installation, CiscoSecure ACS sets up the CiscoSecure ACS web site for administrators and users to access and carry out appropriate administration tasks. This interface allows multiple administrators to add users to CiscoSecure ACS. It allows authorized users to access it to change their passwords. It provides record locking so that only one administrator at a time can modify information for the same user.

It enables system administrators to set global login restrictions that apply to all client NASes using the CiscoSecure ACS services.

Using the CiscoSecure ACS software saves memory in all the access devices and eliminates the need to update every NAS when new users are added, authorization is modified, or users change their passwords. Changes are made instead to the CiscoSecure profile database.

Quick Addition of NAS Clients

If you want to specify multiple NASes as CiscoSecure ACS clients, you can use the web-based CiscoSecure ACS 2.3 for UNIX administration interface to designate and configure specific TACACS+-enabled NASes and RADIUS-enabled NASes as CiscoSecure clients.

Multiple Levels of Access Control Administration

CiscoSecure ACS 2.3 for UNIX supports multiple levels of access control administration.

The top level, or system administrator can manage network access control of all users and groups in the AAA database.

The system administrator can, in turn, parcel out administrative access control tasks to mid-level group administrators on a per-group basis. The system administrator can assign (to selected users) group administrator access control privileges that those users can exercise within their home groups and in any subordinate group, but cannot apply at any level above or equal to their home group.

For example, the system administrator can empower User A as the group administrator of the network access of fellow users in Group A and in its child groups but prevent User A from viewing or administering users in Group B even though the users in both groups are accessing the network through the same NAS and ACS system.

Local and Remote VPDN Access

If you maintain an Internet service accessed by various customers maintaining separate virtual private dial-up networks (VPDNs), you can configure the CiscoSecure ACS to authenticate VPDN users logging in to access local domains and route VPDN users logging in to access remote domains.

You can configure the CiscoSecure ACS to recognize and authenticate users logging in with specific local domain name strings. You can also configure the CiscoSecure ACS to recognize and route users logging in with specific remote domain name strings to the home gateway NAS of those domains.

Thus a VPDN user logging in through local NAS_A at Service_Provider_A as sam@zephyrware, would be authorized for the remote zephyrware domain by local ACS_A and routed to the home gateway NAS_B for the Zephyrware domain and authenticated there by ACS_B.

User Group Scalability

The CiscoSecure ACS supports user group profiles. This feature allows you to define a group with a set of attributes based on your security policy. When you add a user to that group (defining the user's password in the process), the new user is automatically assigned the attributes for the group. This dramatically simplifies the process of adding a user and makes your security easy to enforce and modify.

Performance Scalability

The distributed architecture of the CiscoSecure ACS allows you to scale your performance. In a dial-in network with multiple dial-in port banks located in different regions, you can scale network performance by installing separate CiscoSecure ACSes to support each region.

Database Options

The CiscoSecure ACS supports the following database options for storing group and user profiles and accounting information:

The CiscoSecure ACS includes SQLAnywhere from Sybase. Although this version of the database does not have client/server support, it is optimized to perform the essential AAA services with the CiscoSecure ACS.

If you intend to support CiscoSecure profile databases of 5,000 or more users, database replication, or the CiscoSecure DSM feature, you must pre-install an Oracle (version 7.3.2, 7.3.3, or 8.0.3) or Sybase SQL server (version 11) relational database management system (RDBMS) to hold your CiscoSecure profile information. Database replication requires further RDBMS configuration after the CiscoSecure installation program is complete.

If you are upgrading from a previous 2.x version of CiscoSecure, the CiscoSecure installation program automatically upgrades the profile database to be compatible with CiscoSecure ACS 2.3 for UNIX.

You can convert existing freeware TACACS+ or RADIUS profile databases or flat files for use with this version of the CiscoSecure ACS. See the chapter "Converting an Existing AA Database for CiscoSecure ACS 2.3."

Database Replication Support

If you are supporting multiple CiscoSecure ACS sites using Oracle or Sybase database engines, you can implement periodic Oracle or Sybase database updating and replication between the sites. Database replication ensures that additions or modifications to the user profile database at one ACS site are incorporated at the other ACS sites. Consequently, every CiscoSecure ACS on the network is providing authentication, authorization and accounting services using a common consistent pool of user profile information.

Accommodation of Non-CiscoSecure Users

The CiscoSecure ACS allows you to easily configure a default profile for unknown_user to apply to non-CiscoSecure users, that is, users logging in through the client NAS without a CiscoSecure ACS user profile configured. You might want to configure a default profile to accommodate guest users or users who are being authenticated by another login control system.

Upgrade Options

If you are using CiscoSecure ACS 2.x, your database will be supported in this version of CiscoSecure ACS when you install the new version.

Standards and Specifications

The CiscoSecure ACS software conforms to the following standards and specifications:

The CiscoSecure ACS software conforms to the TACACS+ protocol as defined by Cisco Systems. See your Cisco IOS software documentation for more information.

The CiscoSecure ACS software conforms to the RADIUS protocol as defined in the following RFCs:

•

CiscoSecure ACS for UNIX is Y2K compliant as defined on Cisco's Year 2000 web page at http://www.cisco.com/warp/public/752/2000/index.shtml

Basic CiscoSecure ACS Concepts

•

Java Database Connectivity (JDBC)-compliant relational database software—Installed on the network: either an Oracle Enterprise database engine, a Sybase Enterprise database engine, or an ODBC-compliant CiscoSecure-supplied SQLAnywhere database engine.

•

NAS—Functioning as a router to dial-in users and a client to the ACS server.

•

Token card server—An optional token card server to support token card authentications.

•

CiscoSecure ACS console—A workstation with an installed web browser for administering the ACS through the CiscoSecure ACS web pages.

In this example, the NAS, CiscoSecure ACS, external relational database, web browser workstation, and token card server are interconnected. With the appropriate authorization, the CiscoSecure ACS can be managed from any computer on the network running a supported web browser.

CiscoSecure ACS software uses group-and-user information stored in a relational database for authentication, authorization, and accounting. This database is known as the AAA database.

CiscoSecure ACS and the NAS

The CiscoSecure ACS software does the actual work of verifying AAA, and responds to the NAS for access requests by users outside the LAN. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to the CiscoSecure ACS, which then verifies the username and password and returns a success or failure response to the NAS.

When the user has been authenticated, a set of session attributes can be sent to the NAS to provide additional security. These attributes can include per-user access lists, specific services that can be used, and session timeout values.

Figure 1-3 illustrates a scenario in which the process of AAA is performed by the NAS and the CiscoSecure ACS.

TACACS+ and RADIUS Protocol Support

TACACS+ and RADIUS are AAA protocols through which the NAS and the CiscoSecure ACS communicate. CiscoSecure supports both protocols. Table 1-1 lists the AAA features supported by the two protocols.

Table 1-1 Protocol-Supported AAA Features
AAA Feature	TACACS+ Support	RADIUS Support
Web-based administration	Yes	Yes
Encrypted password transactions	Yes	Yes
Solaris 2.5 or greater support	Yes	Yes
Option to disable accounts after failed login attempt count exceeded	Yes	Yes
User group membership support	Yes	Yes
Accounting support	Yes	Yes
S/Key authentication support	Yes	Yes
Option to specify maximum sessions per user	Yes	Yes
Support for use of common token card servers (CRYPTOCard, Secure Computing, and Security Dynamics, Inc. [SDI])	Yes	Yes
Password aging and configurable warning period	Yes	No
Allow/refuse filter option for remote addresses	Yes	No
Option to change user passwords or reject passwords not meeting security requirements	Yes	No
Language configurable message catalogs	Yes	No
Option for a single TCP¹ connection between the NAS and the CiscoSecure ACS	Yes	No
Permit/deny control for X.121 addresses (on a network-wide basis)	Yes	No
Permit/deny control for X.121 addresses (on a NAS-by-NAS basis)	Yes	Yes

¹TCP = Transmission Control Protocol.

Dictionaries for the RADIUS Protocol

To support the use of RADIUS protocols, CiscoSecure supplies RADIUS protocol dictionaries that support the sets of Attribute-Value pairs for commonly-used versions of the RADIUS protocol. CiscoSecure supplies separate dictionaries to support the attribute sets supported by Cisco IOS Release 11.2, Cisco IOS Release 11.3, Ascend, Ascend 5, and the IETF-RADIUS specification.

Using the CiscoSecure Administrator, you can customize a dictionary's attribute set to suit the access control attributes your NAS is configured to support and assign this dictionary to a group profile or user profile. When users fitting this profile log in through the NAS, the CiscoSecure ACS and the NAS communicate through the RADIUS protocol, using the attributes specified in the customized dictionary to determine the authentication and authorization of the new user, and also store user accounting information.

CiscoSecure ACS Web-Based Interface

The CiscoSecure web interface enables you to use Netscape Navigator or Microsoft Internet Explorer to easily set up and modify the authorization and authentication parameters of any group or user on your network. You can assign users to groups that have a set of common configuration parameters. You can then further modify the parameters for each individual user. The CiscoSecure Administrator web interface provides a point-and-click interface to administer the user database.

Note For security reasons, the use of the Refresh button in Internet Explorer and the Shift + Reload feature in Netscape are not supported in the Advanced Administrator interface.

Three Components of Dial-In Network Security

To maintain reliability and security in your network, the AAA features of the CiscoSecure ACS software help you monitor and control:

•

Authorization—Whether a particular user should be using the requested service

Authentication

Authentication allows network managers to bar intruders from their networks. Simple authentication methods use a database of usernames and passwords, while more complex methods use one-time passwords (OTP).

CiscoSecure ACS software uses the TACACS+ and/or RADIUS protocol to authenticate users who dial in to accept usernames or password information sent to a NAS by different protocols such as the AppleTalk Remote Access Protocol (ARAP), Serial Line Internet Protocol (SLIP), Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and standard Telnet. This broad protocol support provides flexibility for network administrators to define the same or different usernames and passwords for different protocols.

•

Passwords supported—Data Encryption Standard (DES), Clear Text, UNIX File, UNIX System, No Password, PAP, CHAP, ARAP, S/Key, CRYPTOCard, SDI, and SafeWord

•

Aging of passwords (TACACS+ only)—Setting passwords and privilege attributes with expiration dates

•

Support for the token cards supported by the following token card servers: CRYPTOCard, Secure Computing, SDI, and S/Key (MD4 version)

Authorization

Authorization lets network managers limit the network services available to each user and helps restrict access to the internal network to outside callers. It also lets mobile users connect to the closest local connection and still have the same access privileges they would have if they were directly connected to their local networks. Authorization also lets you specify which commands a new system administrator can issue on specific network devices.

•

Time-of-day or day-of-week—Logins that are restricted to certain times of day or certain days of the week

•

Multiple declarations of services, protocols, and commands—Placing restrictions on users at specified times or under specified operating conditions (TACACS+ only)

Accounting

System administrators might need to bill departments or customers for connection time or resources used on the network (for example, total time connected). Accounting tracks this kind of information. You can also use the accounting syslog to track suspicious connection attempts into the network. The accounting portion of AAA contains:

•

Packet-filter module where the log originates (supported for both TACACS+ and RADIUS, but implemented differently for each protocol)

The billing information includes connect time, user ID, connection location, amount of data transferred, start time, and stop time.

–

Inside the relational database management system (RDBMS) stored in TACACS+ format.

–

Flat file and RDBMS (stored in TACACS+ format)—If the network connection to the relational database fails, then accounting packets are written to a flat file.

User Profiles

For each user that logs in to the network through the NAS with a distinct ID, use the CiscoSecure Administrator web interface to set up a user profile in the AAA database. This profile contains all the relevant information that the ACS needs to authenticate, authorize, and log accounting information for that user on the network.

When authorized users log on to your network, the CiscoSecure ACS uses the group and user profiles to identify users of a service or a set of services.

Group Profiles

As the number of users grows, assigning all the necessary attributes to every individual user becomes time-consuming and unmanageable.

For large groups of users with similar characteristics, you can set up CiscoSecure user group profiles that allow you to set up AAA attributes for large numbers of users at the same time. This means that you can declare common characteristics once and then have all users assigned to the group inherit those characteristics when they are assigned to the group. This obviously saves a great deal of time.

One way to manage large numbers of users is to group them together according to the services they will use. Using the web-based CiscoSecure ACS Administrator program, you can modify the CiscoSecure ACS to define each group and authorize it to use the appropriate set of services. You can then add each new user to the appropriate group.

For example, you could restrict access by assigning regular employees and contract employees to separate groups and assigning attributes that allow the regular employees group to dial in at any time and the contract employees group to dial in only from 8:00 am to 5:00 pm Monday through Friday.

With grouping, you can also control the access of users to critical network services. For example, rather than controlling the access to a feature, you could control the ability of a group of users to log on to a specified server.

A group can be a member of another group. In a sales group, for example, the complete sales information group might be a member of a larger group of all sales employees that has access to other services and accounting information.

Grouping can simplify the task of ensuring a secure network in which users have easy access to necessary services and information, but no access to other services, which are unrelated to their jobs. In this way, you can reliably and easily ensure the security of the entire network regardless of its size or complexity.

Inheritance

The passing down of a user group's attributes to its member users is called inheritance.

Within the CiscoSecure ACS, inheritance means that in the absence of specifically assigned attribute values, individual users will have the same attribute values as the group from which they were derived.

•

TACACS+—Attribute values assigned to a group are passed down and applied to its member users. In specific cases, however, an individual member can choose to overwrite certain values, thereby individualizing the group, where required. If an attribute has no explicitly assigned value either at a group or user level, the default applied to the unknown_user applies.

•

RADIUS—Attributes assigned to groups do not override attributes assigned to members, nor do attributes assigned to members override attributes assigned to the group. If Group and User attributes are not carefully assigned, contention can result. For example, if you assign different passwords to the group and the user, there is no way to be certain which password will be chosen to authenticate against; therefore, the group or user may not be able to authenticate.

•

CiscoSecure ACS 2.3 for UNIX supports a category of attributes that can be assigned absolute status in a group profile. If absolute status is enabled for an attribute in a group profile, the value of that attribute cannot be overridden by contending attribute values assigned at any subordinate group or user level.

Table Of Contents