Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers
Table of Contents
Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers
Upgrading from Previous Versions of Cisco Secure ACS
Upgrading to Windows 2000
New Features in Release 2.6
ODBC Message During Installation
Service Pack 6a Message During Installation
Installation Terminates Abnormally
Other Cisco Secure ACS Features
Cisco Secure ACS Concepts and Functions
Generic LDAP
PAP, CHAP, and ARAP Support
Basic Password Configurations
Advanced Password Configurations
CiscoSecure Authentication Agent
HTTP Port Allocation for Administrative Sessions
Dynamic Usage Quotas
Network Device Groups
Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 (Cisco Secure ACS) is network security software that helps you authenticate users by controlling dial-in access to a network access server (NAS) device, such as an access server, PIX Firewall, or router.
Cisco Secure ACS operates as a Windows NT or Windows 2000 service and controls the authentication, authorization, and accounting (AAA) of users accessing networks. Cisco Secure ACS operates with Windows NT 4.0 Server and Windows 2000 Server.
Cisco Secure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With Cisco Secure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of Cisco Secure ACS with the Windows NT and Windows 2000 operating systems enables companies to use the working knowledge gained from and the investment already made in building their Windows NT and Windows 2000 network.
Cisco Secure ACS supports Cisco NAS devices such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, and any third-party device that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services to ensure a secure environment.
The NAS directs all dial-in user access requests to Cisco Secure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to Cisco Secure ACS, which verifies the username and password. Cisco Secure ACS then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, Cisco Secure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.
For more information about installing Cisco Secure ACS, see the Cisco Secure ACS 2.6 for Windows NT/2000 Servers Getting Started and Installing Cisco Secure ACS 2.6 for Windows NT/2000 Servers reference cards.
Beginning with version 2.5, Cisco Secure ACS runs on either Windows NT 4.0 or Windows 2000. For exact operating system requirements, see the "Software Requirements" section. If you are upgrading from a version of Cisco Secure ACS prior to version 2.4, upgrade Cisco Secure ACS first, remaining on the Windows NT 4.0 operating system.
The installation routine for Cisco Secure ACS detects which operating system is running on the server on which Cisco Secure ACS is to be installed, and Cisco Secure ACS is customized for that operating system. As a result, upgrading a Cisco Secure ACS version 2.5 or 2.6 server to Windows 2000 without taking the necessary steps with Cisco Secure ACS will cause Cisco Secure ACS to fail.
Because versions of Cisco Secure ACS previous to version 2.5 run only on Windows NT 4.0, you cannot upgrade the operating system of a pre-version 2.5 Cisco Secure ACS server to Windows 2000 prior to installing a Windows 2000-compatible version of Cisco Secure ACS.
Upgrading the operating system from Windows NT 4.0 to Windows 2000 involves your current Cisco Secure ACS server and a second server. The second server should have Windows 2000 installed prior to beginning the following procedure. After you complete the procedure, the second server will be your Cisco Secure ACS server; therefore, the second server must meet all Cisco Secure ACS system requirements. See the "System Requirements" section.
To upgrade the Cisco Secure ACS server operating system to Windows 2000, follow these steps:
Step 1 Complete the upgrade of Cisco Secure ACS on your current Cisco Secure ACS server to version 2.6. This server will become your old Cisco Secure ACS server. For more information, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers reference card.
Step 2 On a Windows 2000 server that meets all Cisco Secure ACS system requirements, install Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6. This server will become your new Cisco Secure ACS server. For more information, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers reference card.
Step 3 Perform a database replication from the old Cisco Secure ACS server to the new Cisco Secure ACS server. This will make the new, Windows 2000-based Cisco Secure ACS server a mirror system of your old, Windows NT 4.0-based Cisco Secure ACS server. For more information about database replication, see the "Database Replication" section.
Step 4 Change the IP address on the new Cisco Secure ACS server to the IP address of the old server, and assign the old Cisco Secure ACS server a different IP address.
You can keep Cisco Secure ACS on your original Cisco Secure ACS server after performing the procedure in the "Upgrading to Windows 2000" section.
To keep Cisco Secure ACS on the same server you used for prior releases of Cisco Secure ACS, follow these steps:
Step 1 Complete the procedure in the "Upgrading to Windows 2000" section. This is the only way to get your existing Cisco Secure ACS database upgraded to a server running Windows 2000.
Step 2 On your old Cisco Secure ACS server, uninstall Cisco Secure ACS. If you are prompted to retain the existing database, click Delete Database.
Step 3 Upgrade the old Cisco Secure ACS server operating system to Windows 2000.
Step 4 Install Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 on the old Cisco Secure ACS server. For more information, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers reference card.
Step 5 Perform a database replication from the second server to the upgraded Cisco Secure ACS server. For more information about database replication, see the "Database Replication" section.
Step 6 If you switched the IP address of your Cisco Secure ACS server to the second server, change the IP address on the first Cisco Secure ACS server back to its original address. Assign the second Cisco Secure ACS server a different IP address.
The Cisco Secure ACS installation routine tests for the presence and proper functionality of the ODBC components needed by Cisco Secure ACS. If it does not find them or if they are not functioning properly, a dialog box displays the following message:
Setup could not find a suitable ODBC Jet driver.
To resolve the ODBC error message, follow these steps:
Step 1 Click Install MDAC 2.5 From CD.
Step 2 Complete the ODBC installation. ODBC is packaged by Microsoft as a subset of Microsoft Data Components. The installation routine may thus be called MDAC rather than ODBC.
Step 3 When you finish installing ODBC, restart the Cisco Secure ACS installation routine by running setup.exe in the root directory of the Cisco Secure ACS installation CD-ROM.
If your Cisco Secure ACS server is using Windows NT, some features of Cisco Secure ACS depend upon Service Pack 6a. The installation routine checks for Service Pack 6a. If it determines that Service Pack 6a has not been applied to the operating system, a dialog box displays the following message:
This product is only supported if Service Pack 6a is installed.
To resolve the Service Pack 6a error message, follow these steps:
Step 1 To exit the installation routine, click No.
Step 2 Install Service Pack 6a on the server on which you are installing Cisco Secure ACS. For assistance with installing Service Pack 6a, see your Microsoft documentation.
Step 3 When you finish installing Service Pack 6a, restart the Cisco Secure ACS installation routine by running setup.exe in the root directory of the Cisco Secure ACS installation CD-ROM.
If the installation of Cisco Secure ACS fails to complete successfully, you will receive an error message. Cisco Secure ACS is then partially installed. Prior to restarting the installation, you will need to uninstall the unsuccessful Cisco Secure ACS installation.
To recover from an unsuccessful installation, follow these steps:
Step 1 From the Windows desktop, click Start > Settings > Control Panel > Add/Remove Programs.
Step 2 Select CiscoSecure ACS v2.6.
Step 3 Click Uninstall.
Step 4 If Uninstall completes successfully, click setup.exe in the root directory of the CD-ROM to restart installation of Cisco Secure ACS.
Step 5 If Uninstall fails to complete successfully or if installation still fails, follow these steps:
a. Go to the support\clean directory on the CD-ROM and run clean.exe. This uninstalls Cisco Secure ACS completely and cleans up certain statements from the Windows NT/2000 Registry that prevent installation of Cisco Secure ACS.
b. When you have finished running clean.exe, reboot the system and run setup.exe from the root directory of the CD-ROM to restart installation of Cisco Secure ACS.
This section describes some of the different components that work together with Cisco Secure ACS to provide network security.
The NAS is configured to direct all user access requests to Cisco Secure ACS for authentication and authorization of privileges. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to Cisco Secure ACS, which verifies the username and password against the selected user database. Cisco Secure ACS then returns a success or failure response to the NAS, which permits or denies user access.
When the user has successfully authenticated, a set of session attributes can be sent to the NAS to provide additional security and control of privileges. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet).
Table 1-1: TACACS+ and RADIUS Protocol
Authentication determines a user's identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use OTPs such as CHAP and token cards. Cisco Secure ACS provides support for these authentication methods.
There is a fundamental relationship between authentication and authorization. The more authorization privileges a user receives, the stronger the authentication should be. Cisco Secure ACS offers this capability by providing various methods of authentication.
Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.
To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate between the NAS and the access control server. Clear-text passwords can be captured between a client host dialing up over a phone line or an ISDN line terminating at a NAS.
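The request/response flow and the password protection described above, as an added example that is not Cisco's code: a NAS builds a RADIUS Access-Request carrying a PAP password hidden with the RFC 2865 shared-secret scheme, the AAA server recovers it, checks it against a constructed user store, and answers Access-Accept with authorization attributes (a framed address and an access-list name) or Access-Reject. The NAS then validates the Response Authenticator before trusting the reply. The shared secret, user name, password and attribute values are all constructed for illustration.

```python
# Added example (not Cisco's code): a minimal RADIUS PAP exchange between a NAS
# and an AAA server following RFC 2865. The shared secret, user database and
# authorization attributes below are constructed for illustration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, FILTER_ID = 1, 2, 8, 11

# Constructed stand-in for the ACS user store: credential plus the attributes returned on success.
USER_DB = {"alice": {"password": "s3cret", "ip": bytes([10, 1, 2, 3]), "acl": "dialin-std"}}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; block n is keyed by ciphertext block n-1."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Attribute wire format: Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def nas_access_request(username, password, secret, ident, req_auth) -> bytes:
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(pkt: bytes, secret: bytes, user_db=USER_DB) -> bytes:
    """Server side: check the credential, reply Accept with attributes or Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    fields = dict(attrs)
    user = user_db.get(fields.get(USER_NAME, b"").decode(errors="replace"))
    try:
        supplied = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    except ValueError:
        supplied = None
    if user and supplied is not None and hmac.compare_digest(supplied, user["password"].encode()):
        reply_code = ACCESS_ACCEPT
        reply_attrs = [(FRAMED_IP_ADDRESS, user["ip"]), (FILTER_ID, user["acl"].encode())]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    body = encode_attrs(reply_attrs)
    resp_auth = response_authenticator(reply_code, ident, req_auth, body, secret)
    return build_packet(reply_code, ident, resp_auth, reply_attrs)


def nas_verify_response(resp: bytes, ident: int, req_auth: bytes, secret: bytes):
    """NAS side: trust the reply only if ID and Response Authenticator match."""
    code, resp_ident, resp_auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, resp_ident, req_auth, encode_attrs(attrs), secret)
    if resp_ident != ident or not hmac.compare_digest(resp_auth, expected):
        return False, {}
    return code == ACCESS_ACCEPT, dict(attrs)


def exchange(username: str, password: str, secret: bytes, req_auth: bytes = None):
    """One full round trip; returns (accepted, authorization attributes)."""
    req_auth, ident = req_auth or os.urandom(16), 7
    req = nas_access_request(username, password, secret, ident, req_auth)
    return nas_verify_response(server_handle(req, secret), ident, req_auth, secret)
```

Two points this makes concrete: the User-Password protection is keyed entirely by the shared secret and the per-request authenticator, so the secret's strength and the randomness of the authenticator are what stand between a captured packet and the password; and the protection exists only on the NAS-to-server leg, which is the reason the text notes that a PAP password is still in the clear between the dial-in client and the NAS.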
Service providers who offer increased levels of security services, and corporations who want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login. Token cards are considered one of the strongest OTP authentication mechanisms.
The CRYPTOCard token-card server software is included with Cisco Secure ACS. All you need is the CRYPTOCard token card. Cisco Secure ACS also supports the following token-card servers for authentication:
Passwords can be processed using these password authentication protocols based on the version and type of security control protocol (for example, RADIUS, TACACS+) used and the configuration of the NAS and client. The following sections outline the different conditions and functions of password handling.
Cisco Secure ACS acts as a client to the token-card server. The communication link between Cisco Secure ACS and the token-card server must be secure. This is done by either configuring a shared secret password between the two servers and defining the IP address or by installing a file created by the token-card server containing the same information into Cisco Secure ACS.
Cisco Secure ACS supports authentication of users against records kept in a directory server using LDAP. CiscoSecure interacts with the most popular directory servers, including Novell and Netscape. PAP passwords can be used when authenticating against the directory server. Cisco Secure ACS logs these transactions and displays their results in the Reports & Activity section of the Cisco Secure ACS HTML interface.
You can use the Secure Sockets Layer (SSL) protocol to create a secure tunnel from the Cisco Secure ACS server to the LDAP database for transporting AAA traffic. For more information, see the "Protecting Your Web Server (Optional)" section in the Web Server Installation for Cisco Secure ACS for Windows NT/2000 User-Changeable Passwords quick reference card.
Cisco Secure ACS supports MCIS. MCIS is Microsoft's product suite of commercial-grade server components designed for Internet service providers (ISPs) and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT/2000 Servers and Microsoft Internet Information Server (IIS). For more information on MCIS, see your Microsoft documentation.
Cisco Secure ACS supports authentication via an ODBC-compliant relational database. ODBC is a standardized API that was first developed by Microsoft, now used by most major database vendors. It currently follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. For more information on ODBC, see your ODBC and database vendor documentation.
There are several basic password configurations:
In addition to the basic password configurations listed above, Cisco Secure ACS also provides for the following:
The TACACS+ SENDAUTH feature enables a NAS to authenticate itself to another NAS/client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, Cisco recommends that the separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security, Cisco recommends that you configure Cisco Secure ACS with a separate outbound password that is different from the inbound password.
The password aging feature of Cisco Secure ACS enables you to force users to change their passwords under any of the following conditions:
With Cisco Secure ACS, you can install a separate program that allows users to use a web-based utility to change their passwords. For more information, see the Web Server Installation for Cisco Secure ACS for Windows NT/2000 User-Changeable Passwords quick reference card.
Different levels of security can be used with Cisco Secure ACS for different requirements. The basic user-to-network security level is PAP. Although it does not represent the highest form of encrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once. CHAP allows a higher level of security for encrypting passwords when communicating from a client to the NAS. You can use CHAP with the Cisco Secure ACS user database. ARAP support is included to support Apple clients.
For more information on MS-CHAP, see RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a NAS to determine the network services the user can access or the level of service to which the user is subscribed. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.
The Cisco Secure ACS access restrictions feature lets you permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 A.M. to 5 P.M.
You can also restrict use by way of the Max Sessions feature, allowing a maximum number of concurrent sessions per user or group.
You can restrict users to a service or combination of services such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).
One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.
Accounting is the action of recording what a user is doing or has done. Cisco Secure ACS writes accounting records to a CSV log file or ODBC database daily. You can easily update this log file into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are the following:
In addition to simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group "Sales" and also limit each member of the "Sales" group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.
The range of TCP ports used for administrative HTTP sessions is configurable. You can constrain the range of ports that Cisco Secure ACS uses so that administrative sessions may be conducted from a browser outside the firewall that protects Cisco Secure ACS while maintaining a smaller number of ports that might be vulnerable to unauthorized users outside the network perimeter. A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a remote web browser must access in order to initiate an administrative session.
Cisco Secure ACS enables you to define usage quotas for users. You can limit the network access of each user in a group or individual users. You define quotas by duration of sessions or the total number of sessions. Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.
To support time-based quotas, we recommend enabling accounting update packets on all NASes. If update packets are not enabled, then the quota will only be updated when the user logs off. If the NAS through which the user is accessing your network fails, the quota would not be updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the user's quota.
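The Max Sessions arithmetic in the "Dynamic Usage Quotas" discussion (a group limit of 50 with 5 per member) and the accounting-update caveat just described, as an added example that is not Cisco's code: a small model of an AAA server that takes concurrent-session and time-quota decisions from constructed accounting events. Group names, limits and the ISDN timings are hypothetical; the `interim_updates` flag stands for whether the NASes send accounting update packets.

```python
# Added example (not Cisco's code): a toy model of the Max Sessions and usage
# quota decisions described above, driven by constructed accounting events.
# Group names, limits and timings are hypothetical.
from dataclasses import dataclass


@dataclass
class Policy:
    group_max_sessions: int   # concurrent sessions allowed for the whole group
    user_max_sessions: int    # concurrent sessions allowed per group member
    quota_seconds: int        # online time allowed per quota period


class AaaServer:
    def __init__(self, policies: dict, users: dict, interim_updates: bool):
        self.policies, self.users = policies, users   # group -> Policy, user -> group
        self.interim_updates = interim_updates          # do the NASes send accounting update packets?
        self.active = {}   # (user, session_id) -> seconds reported so far for a live session
        self.used = {}     # user -> seconds from finished sessions counted against the quota

    def _quota_used(self, user: str) -> int:
        # Without update packets only finished sessions count; a live session is
        # invisible to the quota until it stops, which is the gap the text warns about.
        total = self.used.get(user, 0)
        if self.interim_updates:
            total += sum(s for (u, _), s in self.active.items() if u == user)
        return total

    def authorize(self, user: str, session_id: str) -> str:
        pol = self.policies[self.users[user]]
        mine = sum(1 for u, _ in self.active if u == user)
        group = sum(1 for u, _ in self.active if self.users[u] == self.users[user])
        if mine >= pol.user_max_sessions:
            return "reject: user max sessions"
        if group >= pol.group_max_sessions:
            return "reject: group max sessions"
        if self._quota_used(user) >= pol.quota_seconds:
            return "reject: quota exhausted"
        self.active[(user, session_id)] = 0
        return "accept"

    def accounting_update(self, user: str, session_id: str, seconds_so_far: int):
        if self.interim_updates:
            self.active[(user, session_id)] = seconds_so_far

    def accounting_stop(self, user: str, session_id: str, total_seconds: int):
        self.active.pop((user, session_id), None)
        self.used[user] = self.used.get(user, 0) + total_seconds

    def reset_quota(self, user: str):
        # Administrator resets the counter to let an over-quota user back in.
        self.used.pop(user, None)


def isdn_second_channel(interim_updates: bool) -> str:
    """Two ISDN B channels: the first has used the whole hourly quota; is the second admitted?"""
    srv = AaaServer({"Dialin": Policy(50, 5, 3600)}, {"alice": "Dialin"}, interim_updates)
    srv.authorize("alice", "b-channel-1")
    srv.accounting_update("alice", "b-channel-1", 3600)   # an hour online, quota exhausted
    return srv.authorize("alice", "b-channel-2")


def sales_limits():
    """Group 'Sales': 50 sessions for the group, 5 per member."""
    users = {f"sales{i}": "Sales" for i in range(11)}
    srv = AaaServer({"Sales": Policy(50, 5, 10**9)}, users, interim_updates=True)
    for member in range(10):                      # ten members x 5 sessions = 50 active
        for n in range(5):
            srv.authorize(f"sales{member}", f"s{n}")
    sixth = srv.authorize("sales0", "s5")         # a sixth session for one member
    fifty_first = srv.authorize("sales10", "s0")  # an eleventh member's first session
    return sixth, fifty_first
```

`isdn_second_channel(False)` returns "accept" even though the first channel has already consumed the quota, because the server learns nothing until the session stops; with update packets enabled the same request is refused. That is the behaviour the paragraph above describes, and it is why enabling accounting updates on every NAS is the mitigation rather than a tuning detail.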
With NDGs you can view and administer a collection of network devices as a single logical group. To simplify administration, you can assign to each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS: single discrete devices such as an individual router, NAS, or PIX Firewall, and an NDG; that is, a collection of routers or AAA servers.
A device can belong to only one NDG at a time.
Using NDGs enables an organization with a large number of routers spread across a large geographical area to logically organize their environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's NASes were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.
You can assign a group of users to an NDG. For more information on NDGs, see the "Network Device Groups" section.