Cisco Secure Access Control Server
Cisco Secure Access Control Server (ACS) is a scalable, centralized user access control software package for both Unix and Windows NT. Cisco Secure ACS offers centralized command and control of all user authentication, authorization, and accounting services via a Web-based, graphical interface. With Cisco Secure ACS, an enterprise can quickly administer accounts and globally change levels of security for entire groups of users. The Cisco Secure security server is designed to ensure the security of your network by providing authentication and authorization services and to track the activity of the people who connect to the network by providing feature-rich accounting services. The Cisco Secure security server software supports these features by using either the TACACS+ or RADIUS protocols. As mentioned, the Cisco Secure ACS software can run on either a Windows NT server or a Unix server; I’ll discuss the Windows NT version.
Cisco Secure ACS for Windows
Cisco Secure ACS supports any network access servers that can be configured with the TACACS+ or RADIUS protocol. Cisco Secure ACS helps to centralize access control and accounting for dial-up access servers and firewalls and makes it easier to manage access to routers and switches. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services to ensure a secure environment.
Cisco Secure ACS can authenticate users against any of the following user databases:
Windows 2000 Active Directory
Cisco Secure ACS
Novell NetWare Directory Services (NDS), version 4.6 or greater
Generic Lightweight Directory Access Protocol (LDAP)
Microsoft Commercial Internet System (MCIS)
Relational databases fully compliant with Microsoft Open Database Connectivity (ODBC)
Cisco Secure ACS Requirements
To install Cisco Secure ACS, you must ensure that the system on which you are installing the software package meets the minimum system requirements, which are as follows:
Pentium II, 300MHz processor or faster
Windows NT Server 4 (with service pack 6a) or Windows 2000 Server
128MB RAM; 256MB recommended
At least 250MB of free disk space; more if you’re using the Cisco Secure local database
Minimum display of 800×600 resolution with 256 colors
Microsoft Internet Explorer 4.x or higher, or Netscape Communicator 4.x or higher
Microsoft Internet Information Server, for the User Changeable Passwords utility (optional)
Cisco Secure ACS Architecture
Cisco Secure ACS is designed to be both flexible and modular. Within the context of Cisco Secure ACS, modular refers to the seven modules that make up the architecture of the AAA server. These modules are installed as services within Windows NT and can be stopped and started by using the settings accessed by clicking the Services icon within Control Panel in Windows NT Server. The modules are described in the following list:
CSAdmin—Cisco Secure is equipped with its own internal Web server and, as such, does not require the presence of a third-party Web server. CSAdmin is the service that controls the operation of the internal Web server, allowing users to remotely manage the server via the Web interface.
CSAuth—CSAuth is the database manager that acts as the authentication and authorization service. The primary purpose of the CSAuth service is to authenticate and authorize requests to permit or deny access to users. CSAuth determines if access should be granted and, if access is granted, defines the privileges for a particular user.
CSTacacs and CSRadius—The CSTacacs and CSRadius services communicate with the CSAuth module and the network access device that is requesting authentication and authorization services. CSTacacs is used to communicate with TACACS+ devices and CSRadius is used to communicate with RADIUS devices. The CSTacacs and CSRadius services can run at the same time. When only one protocol is used, only the corresponding service needs to be running; however, the other service will not interfere with normal operation and does not need to be disabled.
CSLog—CSLog is the logging service. It gathers data from the TACACS+ or RADIUS packet and the CSAuth service and then manipulates the data to be placed into the comma-separated value (CSV) files for exporting.
CSMon—CSMon is a service that provides monitoring, recording, notification, and response for both TACACS+ and RADIUS protocols. The monitoring function monitors the general health of the machine the application is running on, as well as the application and the resources that Cisco Secure ACS is using on the server. Recording records all exception events within the server logs. Notification can be configured to send an email in the event of an error state on the server, and Response responds to the error by logging the event, sending notifications, and, if the event is a failure, carrying out a pre-defined or user-configured response.
CSDBSync—CSDBSync is the service used to synchronize the Cisco Secure ACS database with a third-party relational database management system (RDBMS).
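Because each module above runs as a Windows service, an operator can verify the AAA server's health by checking their state. The following PowerShell script is an added example, not code from the page or from Cisco; it assumes the service names match the module names listed above and that the host runs a PowerShell version with Get-Service. It treats CSTacacs and CSRadius as the pair of which at least one must run, as the text describes, and CSDBSync as optional.

```powershell
# Added example: report the state of the Cisco Secure ACS services.
# Assumption: Windows service names equal the module names on the page.
$core     = @('CSAdmin', 'CSAuth', 'CSLog', 'CSMon')   # always required
$protocol = @('CSTacacs', 'CSRadius')                  # at least one required
$optional = @('CSDBSync')                              # only for RDBMS sync

function Get-AcsServiceState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Missing services are reported rather than raising an error.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $name
            Status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    }
}

$coreState = Get-AcsServiceState -Names $core
$protState = Get-AcsServiceState -Names $protocol
$optState  = Get-AcsServiceState -Names $optional

($coreState + $protState + $optState) | Format-Table -AutoSize

# Any stopped core service means authentication, logging or monitoring is down.
$stoppedCore = $coreState | Where-Object { $_.Status -ne 'Running' }
if ($stoppedCore) {
    Write-Warning ('Core ACS services not running: ' + ($stoppedCore.Name -join ', '))
}

# CSTacacs and CSRadius may legitimately run one at a time; alert only when
# neither protocol front end is up, since then no NAS can authenticate.
if (-not ($protState | Where-Object { $_.Status -eq 'Running' })) {
    Write-Warning 'Neither CSTacacs nor CSRadius is running; AAA requests will fail.'
}
```

Run it from an elevated PowerShell session on the ACS host; a stopped CSDBSync is only a concern if RDBMS synchronization is in use.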