The CiscoSecure ACS is designed to be modular and flexible. This enables it to fit the needs of both simple and large networks. This chapter describes the architectural components and the interface design.
The CiscoSecure ACS includes the following service modules:
Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the CiscoSecure ACS browser interface. Each module can operate independently, but this limits functionality.
The CiscoSecure ACS has a built-in web server for support using an HTML interface. This eliminates the necessity of installing another web server on the Windows NT server running the CiscoSecure ACS. Because the CiscoSecure ACS web server uses port 2002, you can use another web server on the same machine to provide other web services.
CSAdmin is the service for the internal web server. The CiscoSecure ACS does not require a third-party web server; it is equipped with its own internal server. After the CiscoSecure ACS is installed, you must configure it from its HTML/Java interface. Therefore, CSAdmin must always be running for you to configure the CiscoSecure ACS.
Although you can start and stop the other services from within the CiscoSecure ACS browser interface, that interface cannot start or stop CSAdmin. If CSAdmin is stopped abnormally by an external action, you will no longer be able to access the CiscoSecure ACS from any machine other than the Windows NT server on which it is running. You can start or stop CSAdmin from the Windows NT Services menu.
CSAdmin is designed as a multithreaded application to support environments where multiple administrators are accessing CSAdmin simultaneously. Therefore, CSAdmin is best for distributed, multiprocessor, and clustered environments.
CSAuth is the service for authentication and authorization. The primary responsibility of the CiscoSecure ACS is to authenticate and authorize requests from network devices, permitting or denying access to a specified user. CSAuth is the service responsible for determining whether access should be granted and for defining the privileges associated with that user. CSAuth is also the database manager.
The CiscoSecure ACS can access several different databases for authentication. When a request for authentication arrives, the CiscoSecure ACS checks the database that is configured for that user. If the user is unknown, the CiscoSecure ACS checks the database(s) configured for Unknown Users.
When authentication has succeeded against one of the configured databases, a set of authorizations is obtained from the profile of the user and of the group to which the user is assigned. This information is stored with the username in the CiscoSecure User Database. Authorizations include the services to which the user is entitled, such as IP over PPP, the IP pools from which to draw an IP address, or an access list. The authorizations, together with the authentication approval, are then passed to the CSTacacs or CSRadius module to be forwarded to the requesting device.
CSTacacs and CSRadius services communicate between the CSAuth module and the access device requesting the authentication and authorization services. For CSTacacs and CSRadius to work properly, the following conditions must be met:
CSTacacs is used to communicate with TACACS+ devices and CSRadius to communicate with RADIUS devices. Both services can run at the same time. When only one security protocol is used, only the respective service needs to be running; however, the redundant service will not interfere with normal operation and does not need to be disabled. See the applicable appendix for more information on TACACS+ or RADIUS AV pairs.
DBSync is the service used to archive important data from a single machine into a defined backup format that can be used to later restore the configuration after a system failure or the corruption of the user data, providing protection from partial or complete server loss.
CSLog is the service used to capture and store logging information. CSLog gathers data from the TACACS+ or RADIUS packet and from CSAuth, and formats it for the CSV files. The CSV files are created daily, starting at midnight. CSV files are stored in the default subdirectory \Program Files\CiscoSecure ACS v2.1\Logs\. There are three subdirectories located there: Audit, RadiusAccounting, and TacacsAccounting. The Audit subdirectory contains failed-attempt information. The other two subdirectories contain successful authentications and authorizations for their respective protocols.
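As an added example of how a defender might consume the CSLog output described above (this is not Cisco's code): the rule for which subdirectory a record lands in is taken from this page, while the CSV column names, the sample rows and the failure threshold are constructed assumptions, since the page does not give the v2.1 file header.

```python
import csv
import io
from collections import Counter

# Default log root quoted by the page, and the three subdirectories it names.
LOG_ROOT = r"\Program Files\CiscoSecure ACS v2.1\Logs"
AUDIT, RADIUS_ACCT, TACACS_ACCT = "Audit", "RadiusAccounting", "TacacsAccounting"

# Constructed sample of an Audit file. The column names are an assumption
# for illustration; the real v2.1 header is not given on the page.
SAMPLE_AUDIT = """Date,Time,User-Name,NAS-IP-Address,Message-Type
03/01/1999,08:49:02,alice,10.0.0.1,Authen failed
03/01/1999,08:49:10,alice,10.0.0.1,Authen failed
03/01/1999,08:49:15,alice,10.0.0.1,Authen failed
03/01/1999,08:50:00,bob,10.0.0.2,Authen failed
03/01/1999,09:00:00,alice,10.0.0.3,Authen failed
"""


def log_subdir(protocol, succeeded):
    """Subdirectory CSLog writes a record to, per the page's rule: every
    failed attempt lands in Audit; successes go to the accounting
    directory of the protocol that carried the request."""
    if not succeeded:
        return AUDIT
    if protocol.upper() == "RADIUS":
        return RADIUS_ACCT
    if protocol.upper() == "TACACS+":
        return TACACS_ACCT
    raise ValueError("unknown protocol: %r" % protocol)


def failed_attempts(audit_csv):
    """Count failed attempts per (username, NAS address) from Audit CSV text."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if "fail" in row.get("Message-Type", "").lower():
            counts[(row["User-Name"], row["NAS-IP-Address"])] += 1
    return counts


def users_over_threshold(audit_csv, threshold=3):
    """Usernames whose failures across all NAS devices reach the threshold."""
    per_user = Counter()
    for (user, _nas), n in failed_attempts(audit_csv).items():
        per_user[user] += n
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    for user in users_over_threshold(SAMPLE_AUDIT):
        print("review failed attempts for", user, "in", LOG_ROOT + "\\" + AUDIT)
```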
This section gives a brief overview of essential Windows NT concepts that relate to the CiscoSecure ACS as a service of Windows NT.
All of the CiscoSecure ACS services can be started, stopped, and restarted from the Services window. The names of the CiscoSecure ACS services begin with the letters CS. Because Windows NT Services lists services alphabetically, all the CiscoSecure ACS services are displayed together in one area of the list.
The Windows NT Registry is a storage area for all application information, organized in a tree-like structure. We recommend that you do not modify the Registry unless you have enough knowledge and experience to edit it without destroying existing data.
The CiscoSecure ACS information is located in:
HKEY_LOCAL_MACHINE\SOFTWARE\CISCO
Posted: Mon Mar 1 08:49:02 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.