Now that you’ve been introduced to the AAA (Authentication, Authorization, and Accounting) interface, and you’re familiar with the configuration of an NAS (network access server) for

AAA using the local database, you’re ready to put these great tools to use.

And that’s exactly where we’re going in this chapter. I’m going to guide you through configuring AAA using a TACACS+ or RADIUS-enabled security server as a centralized database. I’m also going to explain how to use the access control servers (ACSs) that support this centralized security process.

This chapter begins by looking at Cisco’s ACS product on the Microsoft Windows NT/ 2000 platform, zooming in on how efficient the CiscoSecure ACS 3.0 for Windows NT or Windows 2000 technology can be when it’s placed between the NAS and one of several existing user databases. Doing this facilitates AAA without requiring yet another user database— one that you’ll have to take the time to configure and maintain. It’s a very cool strategy! Next, you’ll get a quick tour through CiscoSecure ACS 2.3 for Unix (CSU), an enterprise product that runs on the Solaris platform.

This chapter wraps up by discussing the communication between the NAS and ACS. You’ll see that Cisco has truly provided all that’s needed for both TACACS+ and RADIUS communications between the NAS and ACS. So roll up your sleeves and let’s get started!

Introduction to the CiscoSecure ACS

As is true with life, change on your network is inevitable. This is a good thing—it keeps you employed! And products that are adaptable can minimize cost while giving you the options you need to meet the changing business requirements with speed and agility. So the built-in capacity for growth and change is something you really love to see in a product. Think chameleon. And

CiscoSecure (CS) ACS 3.0 for Windows NT (CSNT) or Windows 2000 is just that product— it blends in and works well with any network access device. It can be used with dial-up NASs and firewalls, or it can be used to manage access to switches and routers. The NAS can be literally any device capable of using the TACACS+ or RADIUS protocol—a beautiful chameleon indeed.

Let’s look at how CiscoSecure ACS 3.0 for Windows NT or Windows 2000 works in a simple example. Suppose that you have a network such as the one introduced in the last chapter, illustrated in the following graphic:

The NAS must be configured so that the user access request is redirected to CS ACS for authentication and authorization rather than checking local user databases for authentication. The NAS uses either the RADIUS or TACACS+ protocol to send the authentication request to CS ACS. CS ACS then verifies the username and password (I’ll discuss that process shortly) and replies to the NAS. Once the user has been authenticated, CS ACS sends a set of authorization attributes to the NAS. Finally, if configured, the NAS accounting functions can take effect.

76 Chapter 3 Configuring CiscoSecure ACS and TACACS+

This can be a real advantage in situations where you have multiple NASs. Check out the network in Figure 3.1.

F I G U R E 3 . 1 A network with multiple NAS devices

Network access server

Network access server

CiscoSecure

ACS NT server

Network access server

In Figure 3.1, multiple NASs are configured using TACACS+ or RADIUS to send their user access requests to a single CS ACS server.

Let’s move on to discuss the database used for authentication on the CiscoSecure ACS.

Using User Databases for Authentication

CiscoSecure ACS 3.0 for Windows NT or Windows 2000 maintains its own database called the CiscoSecure User Database. When a user access request arrives at CiscoSecure ACS 3.0 for Windows NT or Windows 2000, it goes to that database first to check for information regarding that user.

If no matching information is found in the CiscoSecure User Database, CiscoSecure ACS 3.0 for Windows NT or Windows 2000 can be configured to check a number of additional user databases—a fine example of that wonderful flexibility—including the following options:

Windows NT/2000

Novell Directory Services (NDS)

Directory Services (DS)

Token Server

Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP)

Open Database Connectivity (ODBC)

The CiscoSecure ACS 3.0 for Windows NT or Windows 2000 can use any of the following token-card servers (the most secure method) for authentication:

Populating the User Database Population

And your options don’t end with authentication. To provide you with even more flexibility, the CiscoSecure User Database can be populated in a number of ways:

Manual population really means “by hand.” Unless you’re really bored, you’ll want to avoid all this work by using the replication and import utilities provided with the Cisco ACS.

The Database Replication utility provides fault tolerance and redundancy of your CiscoSecure User Database by allowing several independent CS ACS servers to synchronize their data. This means you can introduce a new CS ACS server that’s configured for database replication to the network and can be populated with a replica of the existing CiscoSecure User Database—sweet!

If you have an existing ODBC-compliant database, you can also use the included Database Import utility CSUtil.exe to import user information from that database. (Refer to Cisco’s documentation for formatting and import syntax.)