Overview

The CiscoSecure ACS 2.1 for Windows NT (CiscoSecure ACS) network security software helps you authenticate users by controlling dial-in access to a Cisco network access server (NAS) or a Cisco PIX Firewall. The CiscoSecure access control server (ACS) operates as a Windows NT service and controls the authentication, authorization, and accounting of users accessing networks.

The CiscoSecure ACS supports the centralization of access control and accounting for dialup access servers and firewalls and management of access to routers and switches. With it, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. Because of its tight integration with the Windows NT operating system, companies can leverage the working knowledge and the investment already made into building a Windows NT network.

The CiscoSecure ACS supports different Cisco NASes (such as the Cisco 2509, 2511, 3620, 3640, and AS5200) and the Cisco PIX firewall. It is an ACS for Windows NT Server Version 4.0. CiscoSecure uses the Terminal Access Controller Access Control System (TACACS+) and Remote Access Dial-In User Service (RADIUS) protocols to provide Authentication, Authorization, and Accounting (AAA) to ensure a secure environment. CiscoSecure can authenticate users against either the Windows NT User Database, the CiscoSecure User Database, a token-card server's database, or a Novell Directory Services (NDS) Database.

The NAS directs all dial-in user access requests to the CiscoSecure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to the CiscoSecure server, which verifies the username and password. The CiscoSecure server then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, the CiscoSecure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.

CiscoSecure Features

Sophisticated Unknown User Handling
Remote Administration
Centralized Logging
Group Mappings
Supplementary User ID Fields
Simultaneous TACACS+ and RADIUS support for a flexible solution
HTML/Java graphical user interface (GUI) that simplifies and distributes configuration for user profiles, group profiles, and ACS configuration
Help and online documentation included for quick problem solving
Group Administration of Users for maximum flexibility and to facilitate enforcement and changes of security policies
Virtual Private Dialup Network (VPDN) support available at the origination and termination of VPN (L2F) tunnels
Import mechanism to rapidly import a large number of users
Hash-indexed flatfile database support for high-speed transaction processing
Windows NT database support to leverage and consolidate Windows NT username and password management
Windows NT single login
Runs on Windows NT stand-alone, PDC, and BDC servers
Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access Password (ARAP)
Support for the following security servers:

Security Dynamics SDI SecurID Token Card
SafeWord Token Card
CRYPTOCard Token Card
AXENT Token Card

Token caching for ISDN terminal adapters of Security Dynamics and other OTP tokens
Time-of-day and day-of-week access restrictions
Network access restrictions based on remote address Caller Line Identification (CLID)
Ability to disable an account on a specific date
Ability to disable an account after an amount of failed attempts specified by the administrator
Ability to view logged-in user list
Windows NT Performance Monitor support for real-time statistic viewing
Configurable accounting and auditing information stored in comma-separated values (CSV) format for convenient import into billing applications
Simple upgrade from CiscoSecure EasyACS 1.0 and CiscoSecure ACS 2.0
User and Group Max Sessions
Configurable character string stripping
Authentication forwarding
Configurable GUI (graphical user interface)
RDBMS synchronization
Database replication
System/database backup
Dialed Number Identification Service (DNIS) Support
Database Maintenance
Year-2000 compliance

Specifications

The CiscoSecure ACS 2.1 for Windows NT software conforms to the following specifications:

The CiscoSecure ACS 2.1 for Windows NT software conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. See your Cisco IOS software documentation or Cisco Connection Online (www.cisco.com) for more information.

The CiscoSecure ACS 2.1 for Windows NT software conforms to the RADIUS protocol as defined in draft April 1997 and in the following RFCs:

RFC2138, Remote Authentication Dial In User Service
RFC2139, RADIUS Accounting
Authentication Forwarding of Ascend RADIUS is performed in accordance with Ascend NAS software version 9/19/96

Year-2000—The CiscoSecure ACS 2.1 for Windows NT is year-2000 compliant

System Requirements

Hardware Requirements

Pentium 133 MHz processor or better
Windows NT Server 4.0 operating system
48 MB of RAM required, 64 MB recommended
At least 150 MB of free disk space
Minimum resolution of 256 colors at 800 x 600 lines

Software Requirements

Make sure dialup clients can successfully dial in to your network access server (NAS).
Make sure the Windows NT server can ping the NAS.
The NAS must be running Cisco IOS Release 11.1 or later.
One of the following browsers must be installed on the Windows NT server:

Microsoft Internet Explorer 3.02 or 4.0
Netscape Navigator 3.01
Netscape Communicator 4.03

Java and JavaScript support must be enabled.
CiscoSecure ACS does not require any Windows NT service packs.

CiscoSecure ACS Concepts and Functions

This section describes some of the different components that work together with the CiscoSecure ACS to provide network security.

CiscoSecure ACS 2.1 for Windows NT and the Access Device

The access device (NAS, firewall, or router) is configured to direct all user access requests to the CiscoSecure ACS for authentication and authorization of privileges. Using the TACACS+ or RADIUS protocol, the access device sends authentication requests to the CiscoSecure ACS, which verifies the username and password against either the Windows NT User Database or the CiscoSecure ACS User Database. The CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access.

When the user has been successfully authenticated, a set of session attributes can be sent to the access device to provide additional security and control of privileges. These attributes can include the IP address pool to pull from, and access control list and the type of connection (for example, IP, IPX, or Telnet).

TACACS+ and RADIUS

Both TACACS+ and RADIUS security protocols can be used by the CiscoSecure ACS. See Table 1-1.

Table 1-1 TACACS+ and RADIUS Security Protocols

TACACS+	RADIUS
TCP—Connection oriented transport layer protocol, reliable full-duplex data transmission	UDP—Connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery
Full packet encryption	Encrypts only password up to 16 bytes
Independent AAA architecture	Authentication and Authorization combined
Useful for router management	Not useful for router management

Authentication

Authentication determines a user's identity, and then it verifies that information. Authentication can take many forms. Traditional authentication uses a name and a fixed password. More modern and secure methods use one-time passwords (OTPs) such as PAP and token cards. CiscoSecure provides support for these authentication methods.

A fundamental relationship between authentication and authorization is that the more authorization privileges a user receives, the stronger the authentication should be. The CiscoSecure ACS offers this capability by providing various methods of authentication.

Username and password is the most popular, simplest, and least expensive method used for authentication. This fits under the category of "something you know." No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that what you know can be told to someone else, guessed, or captured. Username and password is not considered a strong authentication mechanism; therefore, you would use it for low authorization or privilege level such as Internet access, and it can be sufficient.

To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols, such as Terminal Access Controller Access Control System (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate between the NAS and the ACS. Clear-text passwords can be captured between a client host dialing up over a phone line or an Integrated Service Digital Network (ISDN) line terminating at a NAS.

Service providers offering increased levels of security services and corporate customers who want to lessen the chance of intruder access resulting from password capturing, can use an OTP. The CiscoSecure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node logon. Token cards are considered one of the strongest OTP authentication mechanisms available today. With token cards, authentication requires something you have and something you know, and it results in an OTP that prevents password captures.

The CRYPTOCard token-card server software is included with the CiscoSecure ACS. All you need is the CRYPTOCard token card.

The CiscoSecure ACS also supports the following token-card servers for authentication:

Security Dynamics, Inc. (SDI)
SafeWord
AXENT

The CiscoSecure ACS requires the client software for SDI's ACE server so that it calls the server when their token-card authentication solution. The AXENT token-card server is configured in the CiscoSecure ACS with an address and shared secret.

Passwords

The CiscoSecure ACS 2.1 for Windows NT supports all of the leading authentication protocols:

ASCII/PAP
CHAP
ARAP
External token-card server
Windows NT User Database
Novell NDS

Passwords can be processed using these protocols based on the version and type of security control protocol used and the configuration of the NAS and client. The following sections outline the different conditions and functions of password handling.

The CiscoSecure ACS acts as a client to the token-card server. A secured communication link is required between the CiscoSecure ACS and the token-card server. This is done by either configuring a shared secret password between the two servers and defining the IP address, or by installing a file created by the token-card server containing the same information into the CiscoSecure ACS.

Basic Password Configurations

Single password for ASCII/PAP/CHAP/ARAP—This is the most convenient method for both the SYSOP when setting up accounts and for the user when obtaining authentication. However, because the password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can become known.
Separate passwords for ASCII/PAP and CHAP/ARAP—For a higher level of security, users can be given two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password remains secure.
ASCII login with Token Card—For basic ASCII authentication via a token-card server, the user does not need a password to be held in the CiscoSecure User Database.
Novell NDS—For authentication when using a Novell NDS server.
Windows NT User Database—Again, the user does not configure a password in the CiscoSecure User Database; however, only ASCII/PAP authentication can be supported.

Advanced Password Configurations

In addition to the four basic password configurations given above, the CiscoSecure ACS also provides for:

Inbound Passwords—Passwords used by most CiscoSecure ACS users. These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure User Database and are not usually given up to an external source if an outbound password has been configured.
Outbound Passwords—The TACACS+ protocol has the concept of outbound passwords that can be used, for example, when a NAS has to be authenticated by another NAS and client. These scenarios result in passwords from the CiscoSecure User Database being sent back to the NAS and client.
Token caching—When token caching is enabled, ISDN users can connect a second B Channel using the same OTP entered during the original authentication (for a limited time period). For a higher level of security, the B channel authentication request from the NAS should include the OTP in the username value (for example Fred*apassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the USER configuration.

You can use the TACACS+ SENDAUTH feature to enable a NAS to authenticate itself to another NAS/client via an outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP and results in the CiscoSecure ACS password being given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used (depending on how this has been configured); however, it is recommended that the separate SENDAUTH password be configured for the user so that the CiscoSecure ACS inbound passwords are never compromised.

If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure the CiscoSecure ACS with a separate outbound password that is different from the inbound password.

Cisco IOS Release 11.1 CHAP and ARAP Considerations

When using CHAP and ARAP authentication with a NAS configured to use TACACS+ with Cisco IOS Release 11.1, authentication is performed by the NAS and not by the CiscoSecure ACS TACACS+ server. This results in the CiscoSecure ACS returning a password to the NAS.

A NAS running Cisco IOS Release 11.1 generates TACACS+ SENDPASS requests in order to service a CHAP or ARAP authentication. The TACACS+ server replies with either the single ASCII PAP, CHAP, ARAP, or separate CHAP and ARAP password, depending on how the user is configured.

PAP, CHAP, and ARAP Support

Different levels of security can be used with the CiscoSecure ACS for different requirements. The basic level of user-to-network security is PAP. Although it does not represent the highest form of encrypted security, PAP does offer convenience and simplicity for the client. When using the Windows NT User Database, PAP allows authentication against that database. By using PAP and the Windows NT User Database, single login can be achieved. A higher level of security for encrypting passwords when communicating from a client to the network device, such as an access server, is CHAP. This can be used when using the CiscoSecure User Database. To support Apple clients, ARAP support is included.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each provides a different level of security.

PAP—Uses clear-text passwords and is the least sophisticated authentication protocol. Authenticating users against the Windows NT User Database only allows password encryption using PAP.
CHAP—Uses a challenge-response mechanism with one-way encryption on the response. It allows the CiscoSecure ACS to negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure User Database for authentication, you can use either PAP or CHAP.
ARAP—ARAP uses a two-way challenge-response mechanism. The NAS challenges the dial-in client to authenticate itself, and the dial-in client challenges the NAS to authenticate itself.

Authorization

Authorization determines what a user is allowed to do. The CiscoSecure ACS can send user profile policies to a network device such as an access server to determine the network services they can access or the level of service subscribed to. You can configure authorization to give different users and groups different levels of service. For example, standard dialup users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The CiscoSecure ACS can enable Network Access Restrictions to permit or deny login based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be set up to be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 a.m. to 5 p.m.

You can also restrict use by way of the Max Sessions feature, allowing a maximum number of concurrent sessions per user or group.

You can restrict users to any one or a combination of PPP, ARA, Serial Line Internet Protocol (SLIP), or EXEC services. After a service is selected, you can restrict Layer 2 and 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored. Access lists can prevent users from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dialup Networks (VPDNs). The CiscoSecure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the Home Gateway for that user) or for the Home Gateway router to validate the user at the customer premise. In either case, the CiscoSecure ACS can be used for each end of the VPDN.

Accounting

Accounting is the action of recording what a user is doing or has done. The CiscoSecure ACS writes accounting records to a CSV log file daily. You can easily update this log file into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate:

TACACS+ Accounting—Lists when sessions start and stop; records NAS messages with username; provides caller line identification information; records the duration of each session.
RADIUS Accounting—Lists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session.
Administrative Accounting—Lists configuration commands entered on the NAS.

Max Sessions

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:

User Max Sessions—For example, an ISP can limit each account holder to a single session.
Group Max Sessions—For example, an enterprise administrator might want to allow the remote access infrastructure to be shared equally among a number of departments and limit the maximum number of concurrent sessions all the users of any one department might have.

In addition to simple User and Group Max Sessions control, the CiscoSecure ACS allows the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group Sales and also limit each member of group Sales to 5 sessions each. This way, no single member of a group account would be able to use more than five sessions at any one time, but the group could still have up to 50 active sessions.

Table of Contents