|
Table Of Contents
CiscoSecure ACS Components Overview
CiscoSecure ACS Components Overview
This chapter presents a brief overview of the software modules that work together as part of the CiscoSecure ACS 2.3 for UNIX package.
The CiscoSecure ACS consists of several interrelated software modules that carry out different communication, profile data retrieval, profile data storage, administrative, and performance-enhancement functions. Understanding the interaction of these modules is useful for troubleshooting or fine tuning CiscoSecure ACS 2.3 for UNIX performance.
The CiscoSecure ACS components described in this chapter include:
•AAA Server
•DBServer
•Relational database management system (RDBMS)
•Two web server modules: Netscape FastTrack and Acme FastAdmin
•Optional Distributed Sessions Manager (DSM)
•Command-line interface (CLI) module
The diagram in Figure 2-1 represents how the components of the CiscoSecure ACS interact with each other and other elements on the network.
Figure 2-1 CiscoSecure ACS Components
At a network level, user login requests are transmitted through the network access servers (NASes) to one entity called the "CiscoSecure ACS," which checks its RDBMS database of group and user profiles against each user logging in and issues instructions to the NASes to allow or disallow user login, and enforce any restrictions on the connection.
If the user is using a token card generated one-time password (OTP) login, the ACS forwards the login request to a token server for further processing and transmits the results back to the assigned NAS.
Internally, the CiscoSecure ACS components interoperate as described in Table 2-1.
Table 2-1 Components of the CiscoSecure ACS
Module DescriptionAAA Server
The component that carries on direct communications with the NASes and the token servers on the network. Its functions include:
•Receiving, through the TACACS+ or RADIUS protocols, login requests from the NASes assigned to it, and sending user and group profile queries to the DBServer for information on the users logging in.
•Forwarding OTP login requests to a designated token server to process.
•If token caching is enabled, storing a user's initial token server generated OTP in the token cache and, for a specified duration, using the stored OTP to authenticate subsequent logins from that user.
•If the optional CiscoSecure Distributed Session Manager (DSM) feature set is installed and enabled, querying the DSM for the users current concurrent login count and the maximum number of logins permitted based on group, user, or VPDN DSM settings.
•Based on the information it receives, transmitting back to the NAS whether to allow or disallow user authentication, and any restrictions to enforce on the connection, based on the user's protocol.
DBServer
The component that handles most of the direct access to the RDBMS.
•Receiving database query requests from the AAA Server.
•Receiving database query requests from the optional DSM.
•Receiving database query and modification requests from the Administrator web pages, or the CLI.
•Receiving database query and modification requests from other CiscoSecure utilities (CSMigrate, CSimport, AcctExport, DBTestUI).
•Translating those requests into SQL requests to the RDBMS through the Java database connectivity (JDBC) and object database connectivity (ODBC) drivers.
•Transmitting back responses to queries from the RDBMS.
Note Some database operations, such as database replication or operations by third-party applications, bypass the DBServer and access and modify the RDBMS directly.
Relational database management system (RDBMS)
The relational database where the group and user profile data (including max sessions data) is stored. The RDBMS can be installed locally, on the same machine as the CiscoSecure ACS; or it can be installed on a remote server.
The RDBMS can be one of three supported database engines: SQLAnywhere (supplied and installed by the CiscoSecure installation program), Sybase Enterprise, or Oracle Enterprise (supplied and installed by the customer prior to CiscoSecure installation). Its functions include:
•Receiving the SQL format query or modification requests from the DBServer and performing the query or modifications requested.
•Carrying out optional replication of the CiscoSecure profile database (supported by Oracle or Sybase), or other operations requested by third-party software.
CiscoSecure Web Interface
The Web server component of the CiscoSecure ACS supports HTML and Java pages that allow GUI-based user, group administrator, and system administrator level management of the CiscoSecure ACS. It consists of special licensed web server products bundled with CiscoSecure.
•The Netscape FastTrack server supports the Java-based CiscoSecure Administrator advanced configuration program. It receives profile query or modification requests from a user, group administrator, or system administrator accessing the CiscoSecure from a Windows or UNIX-based web browser and transmits these requests to the DBServer.
•The Acme FastAdmin server supports the HTML-based CiscoSecure ACS 2.3 Administrator web pages. It receives profile query or modification requests from a user, group administrator, or system administrator accessing the CiscoSecure ACS from a Windows or UNIX-based web browser and transmits these requests to the DBServer.
•Receiving max sessions query and modification requests from the administrative web pages and forwarding them to the DBServer.
•Sending back max sessions statistical information that it has received from the DBServer to the administrative web pages.
Distributed Sessions Manager (DSM)
The optional server module that maintains and enforces a concurrent max sessions limitations on users, groups, or VPDNs. Its functions include:
•Receiving max sessions query requests from the AAA server for each login attempt being processed and checking its counters to verify that the maximum session counts have not been exceeded.
•Replying to the AAA server whether the session should be allowed based on the maximum session setting and current count.
•Updating other interested DSM servers as to the current session counts.
Command-
Line Interface (CLI)The module that enables a group or system administrator to edit group or user profiles through CiscoSecure command lines. It takes command line input from the system administrator and transmits this input to the DBServer.
Profile Cache
The optional local memory cache into which the DBServer downloads the RDBMS profile data. The DBServer then uses the profile cache for authentication, authorization, and query operations until the profile database is updated or until a periodic update of the profile cache is run.
Token Cache
The optional local memory cache into which the AAA server stores an enabled user's initial token card generated one-time password (OTP). Thereafter, for a specified period of time, the AAA server will use the stored OTP to authenticate this user for new sessions rather than forward the login to the token server.
CiscoSecure utilities
Numerous utilities, not included in Figure 2-1, that import, export, and modify profile data in the RDBMS through access to the DBServer. These utilities include:
•CSmigrate—Enables you to transfer and convert to CiscoSecure ACS 2.3 format a database created by a RADIUS access control server not using CiscoSecure.
•CSimport—Enables you to convert an existing CiscoSecure ACS database created with CiscoSecure 1.x to CiscoSecure 2.3.
•AcctExport—Enables you to extract accounting data from the CiscoSecure RDBMS.
•CSdbTool—Enables you to directly update certain CiscoSecure tables in the RDBMS for specific purposes.
Posted: Wed Feb 16 10:14:28 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.