

Distributed Systems

The CiscoSecure ACS can be used in a distributed system; that is, multiple CiscoSecure ACS servers and AAA servers can be configured to communicate with one another as masters, clients, or peers. This allows you to use powerful features such as:

It also allows the CiscoSecure ACS to recognize network access restrictions of other CiscoSecure ACSes on the distributed network.


Note: If the fields mentioned in this section are not displayed in your CiscoSecure ACS interface, click Interface Configuration: Advanced Options: Distributed System Settings. You will also need to enable the specific option you want to use; for example, Database Replication. If the check box for any of these options is disabled but you have previously configured the information, the applicable areas for these options will still display in the interface.

For more information on Database Replication and RDBMS Synchronization, see the chapter "Database Information Management."

AAA Servers

An AAA (Authentication, Authorization, and Accounting) Server is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user. Authentication information validates the users' identity, and authorization information determines what network services they are allowed. An AAA server can be used simultaneously with dial-up access servers, routers, and firewalls. Each network device can be configured to communicate with an AAA server. This makes it possible to centrally provision and control dial-up access for a service provider as well as secure corporate network devices from unauthorized access.

Both applications (service-provider dial-up access and the protection of corporate network devices) have unique authentication and authorization requirements. With the CiscoSecure ACS, system administrators can use a variety of authentication methods, each paired with different degrees of authorization privileges. Completing the access control functionality, the CiscoSecure ACS serves as a central repository for accounting information. Each user session granted by the ACS can be fully accounted for and stored on the server. This accounting information can be used for billing, capacity planning, and security audits.

If the fields mentioned in this section do not display in your CiscoSecure ACS interface, click Interface Configuration: Advanced Options: Distributed System Settings. You will also need to enable the specific option you want to use; for example, Database Replication. Once configured, if the check boxes for these options are later disabled but you have previously configured information for the feature, the applicable areas for these options will still display in the interface.

Default Distributed System Settings

After the Distributed System Settings option is enabled, two additional tables appear in the Network Configuration screen: the AAA server table and the distribution table. The parameters configured in these tables form the foundation that allows multiple CiscoSecure ACSes to work with each other. Each table contains an entry for the local CiscoSecure ACS itself. When the feature is first enabled, the only AAA server listed in the AAA server table is the local server with its own parameters, and the distribution table contains a single entry, \Default, which shows how this local CiscoSecure ACS handles each authentication request locally. Additional AAA servers can be added to the AAA server table; once defined, they become available in the user interface for the other distributed features, such as authentication forwarding, CiscoSecure database replication, remote logging, and RDBMS synchronization.

Adding an Entry in the AAA Server Table

To configure distributed system features, you must first define the AAA server(s) that the CiscoSecure ACS will use as partner(s). Enter the following information when adding or editing the parameters for the CiscoSecure ACS:


Note: The remote CiscoSecure ACS must also be using version 2.1.

For further details on defining and configuring AAA servers, see the section "Network Configuration" in the chapter "Step-by-Step Configuration for the CiscoSecure ACS."

Distribution Table

The entries defined in the distribution table can be thought of as turnstiles for each authentication request that the CiscoSecure ACS receives from the NAS. Where an authentication request is forwarded depends on which distribution table entry it matches. If the request matches an entry that contains authentication forwarding information, the CiscoSecure ACS forwards the request to the AAA server(s) named in that entry.

The \Default entry in the distribution table represents the local CiscoSecure ACS. Any authentication request handled by the AAA server whose username does not contain a character string matched by another entry in the distribution table is handled locally. This entry is always present and cannot be deleted from this table or overwritten during database replication.

Adding an Entry in the Distribution Table

To define an entry in the distribution table to forward the authentication request to another AAA server, enter the following information:

Authentication Forwarding

Authentication Forwarding is a powerful feature that allows the CiscoSecure ACS to automatically forward an authentication request from a network access server (NAS) to another AAA server. Although the name implies that the authentication of the username is all that is handled, once the request is successfully authenticated, the authorization privileges that have been configured for the user on the remote AAA server are then passed back to the original CiscoSecure ACS, where the user's profile information is applied for that session on the NAS.

The ability to determine if and where an authentication request is to be forwarded is defined in the distribution table in the Network Configuration screen (see the section "Distribution Table."). The capability exists to have various CiscoSecure ACSes throughout the network and, depending on a defined character string entered with the username (for example, mary@corporate.com, where @corporate.com is the defined character string), when the user dials in to the NAS and a match is found in the distribution table, the authentication request is then forwarded to a remote AAA server to permit or deny access to the network.

Authentication forwarding is useful for administrators of geographically dispersed networks who configure and manage the user profiles of employees within their immediate location or building. Each administrator manages the policies of only their own users, while authentication requests from other users within the company are forwarded to their respective AAA servers. Not every user profile needs to reside on every AAA server in the enterprise. This saves administration time and server space, and lets users keep the same privileges on any machine on the network.

Fallback on Failure

You can configure the order in which the remote AAA servers will be checked by the CiscoSecure ACS if the network connection to the primary AAA server fails. If an authentication request cannot be sent to the first listed server due to a network connection failure, the next listed server will be checked, and so on in order down the list, until the authentication request is handled by an AAA server. If the CiscoSecure ACS cannot connect to any of the servers in the list, authentication will fail.

Character String

The CiscoSecure ACS will forward the authentication requests using a configurable set of characters with a delimiter, such as dots (.), slashes (/), and hyphens (-). When configuring the CiscoSecure ACS character string to match, you must specify whether the character string is the prefix or suffix. For example, you can use "domain.us" as a suffix character string in username*domain.us (* represents any delimiter). An example of a prefix character string is domain.us*username.

Stripping

Stripping allows the CiscoSecure ACS to remove (strip) the matched character string from the username. When stripping is enabled, the CiscoSecure ACS examines each authentication request for matching information; when a character string match is found in the distribution table and the CiscoSecure ACS is configured to strip it, the character string is removed before the request is forwarded. In the authentication forwarding example that follows, the decision to forward the request to another AAA server is based on the character string that accompanies the username. If the user must enter the user ID mary@corporate.com to be forwarded correctly to the AAA server for authentication, a match can be found on the "@corporate.com" character string, and stripping can be enabled to remove "@corporate.com", leaving a username of just "mary". The AAA server database then needs only a single entry for "mary" instead of a second entry for mary@corporate.com.
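The following is an added example, not code from the CiscoSecure ACS product or this guide: a small Python model of how a distribution table entry matches a username by prefix or suffix character string (see "Character String"), optionally strips it ("Stripping"), and tries the entry's remote servers in order ("Fallback on Failure"), falling through to the \Default entry when nothing matches. The delimiter set, the `Entry` fields, and the server names `la-acs`, `la-acs-backup` and `ny-acs-2` are assumptions for the example, and the table is modelled on the New York / Los Angeles scenario described in this section.

```python
# Added example (not from the CiscoSecure ACS documentation): a model of
# distribution table matching, stripping, and ordered fallback on failure.
from dataclasses import dataclass

DELIMITERS = set("@./-")  # delimiter characters assumed for this example


@dataclass
class Entry:
    string: str          # character string to match, e.g. "corporate.com"
    position: str        # "prefix" (string*username) or "suffix" (username*string)
    servers: list        # remote AAA servers in fallback order; [] means handle locally
    strip: bool = False  # remove the matched string and its delimiter before forwarding


def match(entry: Entry, username: str):
    """Return the username to send (stripped if configured) on a match, else None."""
    s = entry.string
    if entry.position == "suffix":
        # username*string: the string ends the username and is preceded by a delimiter
        ok = username.endswith(s) and len(username) > len(s) and username[-len(s) - 1] in DELIMITERS
        rest = username[: -len(s) - 1]
    else:
        # string*username: the string starts the username and is followed by a delimiter
        ok = username.startswith(s) and len(username) > len(s) and username[len(s)] in DELIMITERS
        rest = username[len(s) + 1:]
    if not ok:
        return None
    return rest if entry.strip else username


def route(table: list, username: str, reachable: set):
    """Decide where an authentication request goes.

    Returns (server, username_sent), with server "local" for the \\Default case,
    or None when every server in the matched entry is unreachable (authentication fails).
    """
    for entry in table:
        sent = match(entry, username)
        if sent is None:
            continue
        if not entry.servers:
            return ("local", sent)
        for server in entry.servers:  # Fallback on Failure: first reachable server in order
            if server in reachable:
                return (server, sent)
        return None
    return ("local", username)  # \Default: no match, handled by the local CiscoSecure ACS


# Constructed table: New York ACS forwards @corporate.com users to Los Angeles, stripping the suffix
TABLE = [
    Entry("corporate.com", "suffix", ["la-acs", "la-acs-backup"], strip=True),
    Entry("domain.us", "prefix", ["ny-acs-2"]),
]
```

`reachable` stands in for the network reachability of each remote server so the fallback order can be exercised offline.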

Authentication Forwarding in an Enterprise

This section presents a scenario of authentication forwarding used in an Enterprise system. Mary is an employee with an office in the corporate headquarters in Los Angeles. Her username is mary@corporate.com and when Mary needs access to the network, she is able to access the network locally and authenticate her username and password. Since Mary works out of the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local AAA server. But Mary occasionally travels to a division within the corporation in New York and, when she is there, she still needs to access the corporate network to get her e-mail and other files. Mary dials in to the New York office and logs on as mary@corporate.com. Her username is not recognized by the New York CiscoSecure ACS, but configured in the distribution table is the entry to forward the authentication request to the Los Angeles CiscoSecure ACS. Because Mary's username and password information reside on that AAA server, when she authenticates correctly, the authorization parameters assigned to her are applied back on the NAS in the New York office.

Sending the Accounting Information

Sending the accounting packet to the remote CiscoSecure ACS has several benefits for administrators, because it provides statistical information on the remote AAA server. When the CiscoSecure ACS is configured to send the accounting packet to the remote AAA server, the remote AAA server receives and logs an entry in the accounting report for each successfully authenticated session. Additionally, the remote CiscoSecure ACS "caches" the user's connection information by adding an entry in the List Logged on Users screen, where currently connected users can be viewed. Because the accounting information is sent to the remote AAA server even when the connection fails, the administrator can view the "Failed Attempts" report on the remote AAA server to help troubleshoot why the connection is failing.

The Max Sessions feature might be the determining factor in deciding to send the accounting information to the remote AAA server. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a CiscoSecure ACS and the Max Sessions feature has been implemented, the number of sessions a user is allowed can be tracked.

Database Replication and RDBMS Synchronization

Two features, database replication and RDBMS synchronization, are provided with the CiscoSecure ACS. These features help automate the process of keeping your CiscoSecure ACS database and network configuration current. The primary purpose of Database Replication is to provide the facility to replicate various parts of the configuration, along with user and group information, on a CiscoSecure ACS master server to one or more CiscoSecure ACS client systems, allowing the administrator to automate the creation of mirror CiscoSecure ACSes. These mirror systems can be used to provide server redundancy as fallback or secondary servers to support fault-tolerant operation if the master or primary system fails.

While their functions are somewhat similar, RDBMS synchronization allows the CiscoSecure ACS to tightly integrate with other RDBMS data sources.

For more details on the configuration and functionality of database replication and RDBMS synchronization, see the chapter "Database Information Management."

Remote Logging

In a geographically dispersed network environment, gathering the accounting logs generated on each CiscoSecure ACS is simplified by configuring the remote logging feature. Each CiscoSecure ACS can be configured to point to a centralized CiscoSecure ACS that serves as the "logging server." The centralized CiscoSecure ACS retains all the capabilities of an AAA server, and in addition acts as the central repository for all accounting logs sent to it.

To set up remote logging, you must define the "central" CiscoSecure ACS that will be used as the remote logging server in the AAA Servers Table on each of the "remote" CiscoSecure ACSes. (See the section "AAA Servers.") In the Service Configuration: Remote Logging window on each of the remote CiscoSecure ACSes, select Log to All Selected Hosts, select the Log Server, and move it to the Log To column. The Log to Subsequent Selected Hosts on Failure option allows backup Logging Server(s) to be configured and accounting logs to be captured if the primary Logging Server goes out of service.

Remote Logging versus Sending Accounting Information

There are differences between the Remote Logging and Sending Accounting Information features. The Remote Logging feature allows the accounting data to be sent directly to the CSLOG service on the Remote Logging Server, where the record is then written into the .CSV file. Enabling the Send Accounting Information feature sends the accounting information to the CSAuth service, which uses the accounting packet to control access to the CiscoSecure ACS via the Max Sessions feature. Connection status is provided in the Reports and Activity: List Logged on Users window.

Copyright 1989-1998 © Cisco Systems Inc.