Introduction
Cisco Secure ACS for UNIX Version 1.0 was introduced in 1992. The original version supported the Terminal Access Controller Access Control System Plus (TACACS+) only. Cisco Secure ACS for Windows was originally released as EasyACS in 1997. This version, too, supported TACACS+ only. Cisco Secure ACS v2.0 for UNIX and the newly renamed CiscoSecure ACS 2.0 for Windows NT added support for Remote Authentication Dial-In User Service (RADIUS). Though similar in functionality, each product preceded along its own line of development with different development teams. The Enterprise Management Business Unit (EMBU) acquired support for Cisco Secure ACS for Windows as part of the enterprise management suite in 2000.
This bulletin will compare the overall feature sets of both platforms, as well as examine the advantages and disadvantages of Cisco Secure ACS for Windows and Cisco Secure ACS for UNIX and discuss issues related to migrating from the UNIX-based product to the Windows version.
Overview of Cisco Secure ACS for UNIX
Cisco Secure ACS for UNIX runs on a Sun Solaris platform. For administration, it supports both an HTML and Java graphical user interface (GUI) and a command-line interface, both of which can be used remotely. It offers most of the standard AAA functions with perhaps proxy support and Extensible Authentication Protocol (EAP) 802.1x support being the only major omissions. For storage of configuration information, Cisco Secure ACS for UNIX can support a number of databases, which include Sybase SQLAnywhere, Sybase Enterprise, and Oracle Enterprise. (A no-charge SQLAnywhere database is included with the Cisco Secure ACS for UNIX license and is limited to a 5,000-user database.) Most large-scale customers prefer to use the Oracle and Sybase Enterprise database platforms to provide replication and fault-tolerance functionality.
Overview of Cisco Secure ACS for Windows
Cisco Secure ACS for Windows runs on Windows 2000 Server, Windows Server 2003 and a Windows based appliance. Cisco Secure ACS for Windows is similar to Cisco Secure ACS for UNIX in that it uses a Web-based front end, but its feature set differs greatly. Where the Cisco Secure ACS for UNIX GUI is protocol-oriented, requiring the user to have a detailed understanding of the AAA protocols, the Cisco Secure ACS for Windows GUI attempts to reduce the user's level of AAA knowledge by providing menus with more details and easy access to help information.
Note: Cisco Secure ACS v3.1 for Windows and later cannot be installed on Windows NT 4.0 systems.
Direct Comparison
Providing a feature-by-feature comparison of the two products is difficult because their layouts differ, primarily because of the differences between the operating systems on which each product was developed. Another difficulty is that the two products were developed by separate teams, at different times, using different philosophies. Nevertheless, this bulletin attempts to provide a one-to-one comparison, given the constraints of each application's organization.
Network Access Server Configuration
Table 1 compares the two products' network-access-server configurations.
Table 1. Configuration of Network Access Servers
Figures 1 and 2 show how TACACS+ network access servers are configured on Cisco Secure ACS for UNIX. Figure 3 shows the RADIUS network access server configuration window under the advanced GUI. Compare this to Cisco Secure ACS for Windows in figures 4 through 6. Figure 4 shows the different network device groups. Figure 5 shows the network access servers in the network device group. Figure 6 shows the configuration window for the individual network access server.
Figure 1. Cisco Secure ACS for UNIX Network Access Server Selection Window (TACACS+)
Figure 2. Cisco Secure ACS for UNIX Network Access Server Configuration Window (TACACS+)
Figure 3. Cisco Secure ACS for UNIX Network Access Server Configuration Window (RADIUS)
Figure 4. Cisco Secure ACS for Windows Network Device Group Selection Window
Figure 5. Cisco Secure ACS for Windows Network Access Server Selection Window
Figure 6. Cisco Secure ACS for Windows Network Access Server Configuration Window
User and Group Administration
Table 2 compares how user and group administration differs between the two products.
Table 2. User and Group Administration
The two products differ significantly in how each supports user, group, administrator, and unknown-user configurations.
Users
Both products allow only a single entry of a username. In Cisco Secure ACS for UNIX, the administrator may configure TACACS+ either through member administration (Figure 7) or by using the advanced GUI (Figure 8). For RADIUS configuration, Cisco Secure ACS for UNIX is limited to the advanced GUI. By contrast, Cisco Secure ACS for Windows does all configurations for a single user in one window (Figure 9).
Figure 7. Cisco Secure ACS for UNIX User Configuration Window (GUI)
Figure 8. Cisco Secure ACS for UNIX User Configuration Window (Advanced GUI)
Figure 9. Cisco Secure ACS for Windows User Configuration Window
Another difference is that in Cisco Secure ACS for UNIX, the administrator first selects the group that the user will be in and then adds the user. In Cisco Secure ACS for Windows, the administrator adds the user and then selects the group from within the user configuration.
Groups
Cisco Secure ACS for UNIX supports group nesting and group inheritance. Figure 10 provides an example:
Figure 10. Group Nesting in Cisco Secure ACS for UNIX
In this example, everyone is in group 1. Each user will receive all group 1 attributes. The user larry belongs only to group 1 and is limited to those attributes unless an attribute found in the user larry configuration is the same type as in group 1, in which case the user larry configuration overrides group 1. The user sue is a member of group 1.1. Group 1.1 is a member of group 1 and will inherit the group 1 attributes. As in the user larry case, any attributes in group 1.1 that are the same type as in group 1 will override the super group configuration. This applies to all users and groups. Therefore, the user bob, a member of group 1.2.1, inherits group 1, group 1.2, and group 1.2.1 attributes, unless specific lower level attributes override the upper level attributes.
Cisco Secure ACS for UNIX is not limited to the number of groups that can be configured except as specified by the database. Cisco Secure ACS for UNIX includes SQLAnywhere as the default database. SQLAnywhere is limited to a combined number of 5000 users, groups, and network access servers.
Cisco Secure ACS for Windows does not support group nesting. Cisco Secure ACS for Windows also uses SQLAnywhere as the internal database, which does not have the same limitations as it does in Cisco Secure ACS for UNIX. Cisco Secure ACS for Windows has 500 user groups. This number is not configurable.
Administrators
Cisco Secure ACS for UNIX and Cisco Secure ACS for Windows differ greatly in the configuration of ACS administrators.
With Cisco Secure ACS for UNIX, administrators and users are configured by the same method. In Figure 11, there is a group called administrator and there is a user, superuser. Superuser can be configured for network access, as well as for administrative functions.
ACS administrators are configured in a separate location in Cisco Secure ACS for Windows (Figure 15). If network access is required for an administrator, the administrator requires a separate configuration for TACACS and RADIUS.
Migration issue: Cisco Secure ACS for Windows uses a separate configuration for ACS administrators. Cisco Secure ACS for UNIX uses the same user area as network users. This may cause problems for migrations.
Figure 11. Superuser in Advanced GUI
Figure 12. Adding an Administrator in Cisco Secure ACS for UNIX
Figure 13. Cisco Secure ACS for UNIX Web Privilege Selection Pull-Down Menu
Figure 14. GrpLd1 in the Cisco Secure ACS for UNIX Advanced GUI
Figure 15. Cisco Secure ACS for Windows Administrator Configuration Window
Unknown User Configuration
To allow instant integration with an existing authentication system, Cisco Secure ACS for UNIX has an unknown_user profile. Cisco Secure ACS for Windows uses this profile if the system fails to find the user in the database. This profile can be set up so that its password type is one of the external authentication databases, such as SDI or UNIX. This allows Cisco Secure ACS for UNIX just to manage the authorization and accounting for the user. For example, if an unknown_user profile with password type set to system, Cisco Secure for UNIX can authenticate any unknown user with a valid UNIX username and password. This user profile is created by default and is configured in the same manner as a conventional user.
Figure 16 shows the default configuration in the Cisco Secure ACS for UNIX GUI, and Figure 17 shows it in the advanced GUI. Note that the unknown_user is not associated to a group by default. Cisco Secure ACS for UNIX does not attempt to remember an unknown user after authentication. As a result, there is no duplication occurs between the external database Thus when a user is removed from the external authenticator, he or she will no longer be able to log in. As a result, Cisco Secure ACS for UNIX cannot provide dynamic group placement, as does Cisco Secure ACS for Windows.
Figure 16. Unknown_user in the Cisco Secure ACS for UNIX User Configuration Window
Figure 17. Unknown_user in the Cisco Secure ACS for UNIX Advanced Configuration Window
Cisco Secure ACS for Windows also understands the concept of the unknown user. The application differs from Cisco Secure ACS for UNIX in that the unknown user is not configured as a conventional user. In Cisco Secure ACS for Windows, the unknown user is configured in the external databases section (Figure 18) because external database authentication is required to verify an unknown user. On receipt of an authentication request where the user is currently unknown, Cisco Secure ACS for Windows can hunt for the user in a set of configured third-party authenticators. Cisco Secure ACS for Windows automatically creates a dynamic entry for a successfully authenticated unknown user. Future authentications for that user are directed immediately to the correct authenticator. The user's group membership is then either determined based on group membership in the external authenticator or a simple static mapping for a particular type of authenticator (SDI, Axent, etc.). The resulting group then provides all of the user's initial authorization information.
Figure 18. Cisco Secure ACS for Windows External Databases
Migration issue: Cisco Secure ACS for Windows does not have the concept of a special user record for handling an unknown user. It defines a mapping between an external database user/group membership and a Cisco Secure ACS for Windows group. Therefore, all authorization information needs to reside at the group level, as opposed to Cisco Secure ACS for UNIX, where it can reside at the user level (unknown_user). To migrate a Cisco Secure UNIX unknown user who has authorization information defined at the user level, a Cisco Secure ACS for Windows user group must be configured that contains the full authorization information.
It is possible in Cisco Secure ACS for UNIX to have an internal password configured for the unknown user. Cisco Secure ACS for Windows does not support this configuration. Cisco Secure ACS for Windows only supports unknown user policies with external user databases.
It is not possible to support unknown-user behavior for password type File, because this is a Cisco Secure ACS for UNIX specific feature..
Additional Profile Differences
Attribute Fields
In Cisco Secure ACS for Windows, the administrator selects which attribute fields will be visible for group and user profiles. These attribute fields are then applied to all groups and users (Figure 19), whether or not the field will be applied to a particular group or user. However, this does prevent the administrator from having to "look around" to find the attributes that require configuration.
In Cisco Secure ACS for UNIX, attribute fields are selected as required from menus (Figure 20). The administrator must know which fields are available because no list of available fields or their locations exists.
Migration issue: As long as the profiles match between Cisco Secure ACS for UNIX and Cisco Secure ACS for Windows, there should be no difficulty. However, such things as TACACS+ command filtering might be difficult to translate from Cisco Secure ACS for UNIX to Cisco Secure ACS for Windows, because of the differing structure of databases. This will require manual redesign and configuration of the command filters in ACS for Windows.
Figure 19. Cisco Secure ACS for Windows Interface Configuration Window
Figure 20. Cisco Secure ACS for UNIX Attributes in the Options Menu
Profile Duplication
In Cisco Secure ACS for UNIX, the administrator can copy the attributes from one profile to another. Cisco Secure ACS for Windows does not allow this procedure.
Passwords
In Cisco Secure ACS for UNIX, different passwords can be set for each of the available password types. Additionally, passwords can be set at the group level. In Cisco Secure ACS for Windows, passwords can be set only at the user configuration; the application supports different passwords only for PAP (clear text) and for CHAP, MS-CHAP, and ARAP (hashed).
In Cisco Secure ACS for UNIX, at least one password type must be defined for a user. If multiple password types are defined, then the appropriate one will be selected based on the nature of the authentication request. Associated with each password is an optional date range. This date range defines the period when the password is valid. Not to be confused with time-of-day access, this feature defines a date range (day resolution) when the password is valid. With the ability to define multiple passwords for a user or group Cisco Secure ACS for UNIX deploys the following mechanism to determine which defined password type to use for authentication (Table 3). This processing depends on the AAA protocol in use and the contents of the request packet.
Table 3. Password Mechanism for Cisco Secure ACS for UNIX
Note: Cisco Secure ACS for Windows stops checking passwords after a successful authention has occurred.
Cisco Secure ACS for Windows can be configured to use privately defined passwords or can be integrated with an existing authentication service. The administrator can define up to two private passwords for each user. The first password is used for all plaintext authentications. The second password is used for CHAP, MS-CHAP, and ARAP authentications. If a second password is not defined, then the first password is used for all authentications. When an external authenticator is selected as the primary password, Cisco Secure ACS for Windows will use the secondary password only when the external authenticator cannot perform CHAP, MS-CHAP, or ARAP authentication.
Table 4 indicates the current set of external authenticators.
Table 4. External Authenticators for Cisco Secure ACS for Windows
