Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers

Table of Contents

Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers

System Requirements
Networking Requirements
Upgrading from Previous Versions of Cisco Secure ACS
New Features in Release 2.6
Other Cisco Secure ACS Features
Cisco Secure ACS Concepts and Functions
Max Sessions
HTTP Port Allocation for Administrative Sessions
Dynamic Usage Quotas
Network Device Groups

Overview of Cisco Secure Access Control Server for Windows NT/2000 Servers

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 (Cisco Secure ACS) is network security software that helps you authenticate users by controlling dial-in access to a network access server (NAS) device, such as an access server, PIX Firewall, or router.

Note   Unless specifically stated otherwise, all references in this user guide to NAS apply to any access device.

Cisco Secure ACS operates as a Windows NT or Windows 2000 service and controls the authentication, authorization, and accounting (AAA) of users accessing networks. Cisco Secure ACS operates with Windows NT 4.0 Server and Windows 2000 Server.

Cisco Secure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With Cisco Secure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of Cisco Secure ACS with the Windows NT and Windows 2000 operating systems enables companies to use the working knowledge gained from and the investment already made in building their Windows NT and Windows 2000 network.

Cisco Secure ACS supports Cisco NAS devices such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX Firewall, and any third-party device that can be configured with the Terminal Access Controller Access Control System (TACACS+) or the Remote Access Dial-In User Service (RADIUS) protocol. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services to ensure a secure environment.

Cisco Secure ACS can authenticate users against any of the following user databases:

  • Windows NT

  • Windows 2000 Active Directory

  • Cisco Secure ACS

  • Token-card servers, including the following:
  • Novell NetWare Directory Services (NDS), version 4.6 or greater
  • Generic Lightweight Directory Access Protocol (LDAP)
  • Microsoft Commercial Internet System (MCIS)
  • Relational databases fully compliant with Microsoft Open DataBase Connectivity (ODBC)

The NAS directs all dial-in user access requests to Cisco Secure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to Cisco Secure ACS, which verifies the username and password. Cisco Secure ACS then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, Cisco Secure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.


Cisco Secure ACS conforms to the following specifications:

System Requirements

Your Cisco Secure ACS server must meet the following minimum hardware and software requirements.

Hardware Requirements

Your Cisco Secure ACS server must meet the following minimum hardware requirements:

  • Pentium II processor, 300 MHz or faster

  • 128 MB of RAM required, 256 MB recommended for Windows 2000 Server

  • At least 250 MB of free disk space. If you are running your database on the same machine, more disk space is required.

  • Minimum resolution of 256 colors at 800 x 600 lines

Software Requirements

Your Windows NT 4.0 or Windows 2000 server must meet the following minimum software requirements:

Note   A Cisco Secure ACS Windows NT 4.0 server can be a Primary Domain Controller or a Backup Domain Controller. If you are not using Windows NT/2000 user databases to authenticate users, Cisco Secure ACS can also be a Windows NT 4.0 member server.

Note   Both Java and JavaScript must be enabled in browsers used to administer Cisco Secure ACS.

Note   See the Release Notes for information about issues with various browser versions.

Networking Requirements

Your network should meet the following requirements before you begin installing Cisco Secure ACS.

Upgrading from Previous Versions of Cisco Secure ACS

Cisco Secure ACS can be installed as a new installation or as an upgrade from any previous version of Cisco Secure ACS.

Caution If you are upgrading, be sure to back up your Cisco Secure ACS system files and database and your Windows Registry. For information on backing up, see "Database Information Management."

For more information about installing Cisco Secure ACS, see the Cisco Secure ACS 2.6 for Windows NT/2000 Servers Getting Started and Installing Cisco Secure ACS 2.6 for Windows NT/2000 Servers reference cards.

Upgrading to Windows 2000

Beginning with version 2.5, Cisco Secure ACS runs on either Window NT 4.0 or Windows 2000. For exact operating system requirements, see the "Software Requirements" section. If you are upgrading from a version of Cisco Secure ACS prior to version 2.4, upgrade Cisco Secure ACS first, remaining on the Windows NT 4.0 operating system.

The installation routine for Cisco Secure ACS detects which operating system is running on the server on which Cisco Secure ACS is to be installed, and Cisco Secure ACS is customized for that operating system. As a result, upgrading a Cisco Secure ACS version 2.5 or 2.6 server to Windows 2000 without taking the necessary steps with Cisco Secure ACS will cause Cisco Secure ACS to fail.

Because versions of Cisco Secure ACS previous to version 2.5 run only on Windows NT 4.0, you cannot upgrade the operating system of a pre-version 2.5 Cisco Secure ACS server to Windows 2000 prior to installing a Windows 2000-compatible version of Cisco Secure ACS.

Upgrading the operating system from Windows NT 4.0 to Windows 2000 involves your current Cisco Secure ACS server and a second server. The second server should have Windows 2000 installed prior to beginning the following procedure. After you complete the procedure, the second server will be your Cisco Secure ACS server; therefore, the second server must meet all Cisco Secure ACS system requirements. See the "System Requirements" section.

To upgrade the Cisco Secure ACS server operating system to Windows 2000, follow these steps:

Step 1   Complete the upgrade of Cisco Secure ACS on your current Cisco Secure ACS server to version 2.6. This server will become your old Cisco Secure ACS server. For more information, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers reference card.

Step 2   On a Windows 2000 server that meets all Cisco Secure ACS system requirements, install Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6. This server will become your new Cisco Secure ACS server. For more information, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers reference card.

Step 3   Perform a database replication from the old Cisco Secure ACS server to the new Cisco Secure ACS server. This will make the new, Windows 2000-based Cisco Secure ACS server a mirror system of your old, Windows NT 4.0-based Cisco Secure ACS server. For more information about database replication, see the "Database Replication" section.

Step 4   Change the IP address on the new Cisco Secure ACS server to the IP address of the old server, and assign the old Cisco Secure ACS server a different IP address.

Note   If you do not change the IP address of the new Cisco Secure ACS server to the address of the old Cisco Secure ACS server, you will have to reconfigure all NASes to use the IP address of the new Cisco Secure ACS server in order to force AAA functions to be performed on the new Cisco Secure ACS server.

Retaining the Same Cisco Secure ACS Server after Upgrading to Windows 2000

You can keep Cisco Secure ACS on your original Cisco Secure ACS server after performing the procedure in the "Upgrading to Windows 2000" section.

To keep Cisco Secure ACS on the same server you used for prior releases of Cisco Secure ACS, follow these steps:

Step 1   Complete the procedure in the "Upgrading to Windows 2000" section. This is the only way to get your existing Cisco Secure ACS database upgraded to a server running Windows 2000.

Step 2   On your old Cisco Secure ACS server, uninstall Cisco Secure ACS. If you are prompted to retain the existing database, click Delete Database.

Step 3   Upgrade the old Cisco Secure ACS server operating system to Windows 2000.

Step 4   Install Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 on the old Cisco Secure ACS server. For more information, see the Installing Cisco Secure ACS 2.6 for Windows 2000/NT Servers reference card.

Step 5   Perform a database replication from the second server to the upgraded Cisco Secure ACS server. For more information about database replication, see the "Database Replication" section.

Step 6   If you switched the IP address of your Cisco Secure ACS server to the second server, change the IP address on the first Cisco Secure ACS server back to its original address. Assign the second Cisco Secure ACS server a different IP address.

ODBC Message During Installation

The Cisco Secure ACS installation routine tests for the presence and proper functionality of the ODBC components needed by Cisco Secure ACS. If it does not find them or if they are not functioning properly, a dialog box displays the following message:

    Setup could not find a suitable ODBC Jet driver.
    Cisco Secure requires an Microsoft Access (Jet) ODBC driver to be installed on the system in order to work properly. You can install one by running the Microsoft Data Access Components 2.5 install located on the CD or download the latest version from Microsoft at the following location:


    Please rerun Setup after a Jet driver has been installed.

Note   If you choose to download the driver from the Microsoft web site, be sure you procure and install the Jet driver rather than Microsoft Data Access Components (MDAC) 2.6. While MDAC version 2.5, included on the CD-ROM, does contain the Jet driver, version 2.6, available from the Microsoft web site, does not. The Jet driver must be downloaded separately from MDAC 2.6.

To resolve the ODBC error message, follow these steps:

Step 1   Click Install MDAC 2.5 From CD.

Note   If you exit the installation routine at this point, you can install the appropriate ODBC driver by running mdac_typ.exe from the Cisco Secure ACS installation CD-ROM. It is located in the support\odbc folder. Otherwise, restart the installation and select Install ODBC rather than exiting the installation routine.

Step 2   Complete the ODBC installation. ODBC is packaged by Microsoft as a subset of Microsoft Data Components. The installation routine may thus be called MDAC rather than ODBC.

Step 3   When you finish installing ODBC, restart the Cisco Secure ACS installation routine by running setup.exe in the root directory of the Cisco Secure ACS installation CD-ROM.

Service Pack 6a Message During Installation

If your Cisco Secure ACS server is using Windows NT, some features of Cisco Secure ACS depend upon Service Pack 6a. The installation routine checks for Service Pack 6a. If it determines that Service Pack 6a has not been applied to the operating system, a dialog box displays the following message:

    This product is only supported if Service Pack 6a is installed.
    You may continue but certain features may not operate correctly.
    It is recommended that you quit and install Service Pack 6a.
    Do you want to continue with the installation?

To resolve the Service Pack 6a error message, follow these steps:

Step 1   To exit the installation routine, click No.

Step 2   Install Service Pack 6a on the server on which you are installing Cisco Secure ACS. For assistance with installing Service Pack 6a, see your Microsoft documentation.

Step 3   When you finish installing Service Pack 6a, restart the Cisco Secure ACS installation routine by running setup.exe in the root directory of the Cisco Secure ACS installation CD-ROM.

Installation Terminates Abnormally

If the installation of Cisco Secure ACS fails to complete successfully, you will receive an error message. Cisco Secure ACS is then partially installed. Prior to restarting the installation, you will need to uninstall the unsuccessful Cisco Secure ACS installation.

To recover from an unsuccessful installation, follow these steps:

Step 1   From the Windows desktop, click Start > Settings > Control Panel > Add/Remove Program.

Step 2   Select CiscoSecure ACS v2.6.

Step 3   Click Uninstall.

Step 4   If Uninstall completes successfully, click setup.exe in the root directory of the CD-ROM to restart installation of Cisco Secure ACS.

Step 5   If Uninstall fails to complete successfully or if installation still fails, follow these steps:

   a. Go to the support\clean directory on the CD-ROM and run clean.exe. This uninstalls Cisco Secure ACS completely and cleans up certain statements from the Windows NT/2000 Registry that prevent installation of Cisco Secure ACS.

   b. When you have finished running clean.exe, reboot the system and run setup.exe from the root directory of the CD-ROM to restart installation of Cisco Secure ACS.

New Features in Release 2.6

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 2.6 adds the following new capabilities:

  • Cisco Aironet Access Point support—Authentication of users accessing your network via Cisco Aironet Access Point devices

Note   Aironet authentication is limited to users whose records reside in either the CiscoSecure User Database, a Windows NT/2000 user database, an ODBC user database, or an MCIS user database.

  • Passed Authentications report—A listing of successful authentications as either a comma-separated value or an ODBC report

  • Multiple generic LDAP database support—Support for more than one LDAP-compliant user database, including separate group mappings and unknown user policies for each

Other Cisco Secure ACS Features

Features included in this and previous versions of Cisco Secure ACS include the following:

  • Password Aging

  • IP Pools

  • User-Changeable Password

  • Support for generic LDAP

  • Support for MCIS

  • Support for relational databases that are fully compliant with ODBC specifications

  • Support for Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP)

  • Ability to map an NDS group

  • Multi-level administration

  • Per-user TACACS+ or RADIUS attributes

  • Support for IETF RADIUS tunneling attributes, enabling you to specify multiple tunnels in a single RADIUS packet

  • Ability to define different privileges for remote administrators, including logging records

  • CSMonitor service

  • Detailed logging information

  • Scheduled ACS system backup and ability to restore from the backup file

  • Ability to import UNIX password file

  • Ability for external users to authenticate via an enable password

  • Network Device Groups (NDGs) allow different privilege levels per IP address

  • Ability to assign user groups to an NDG

  • Ability to view detailed information for logged-in users

  • Ability to upgrade from all previous versions of Cisco Secure ACS for Windows NT

  • Support for Voice over IP (VoIP), including configurable logging of accounting data

  • Sophisticated handling of unknown users

  • Remote administration

  • Configurable port range for administrative HTTP sessions, to facilitate firewall configuration that enables remote Cisco Secure ACS administration

  • Centralized logging

  • Group mapping

  • Supplementary user ID fields

  • Simultaneous TACACS+ and RADIUS support

  • Configurable HTML/Java HTML user interface (HTML interface)

  • Help and online documentation included

  • Group administration of users, with support for up to 500 groups

  • Virtual private dial-up network (VPDN) support available at the origination and termination of L2F tunnels

  • Import mechanism to rapidly import a large number of users

  • Hash-indexed flat-file database support for high-speed transaction processing

  • Windows NT/2000 database support to leverage and consolidate Windows NT/2000 username and password management

  • Windows NT/2000 single login

  • Runs on Windows NT/2000 standalone (member), primary domain controller, and backup domain controller servers
  • Password support including Challenge Handshake Authentication Protocol, Password Authentication Protocol (PAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and AppleTalk Remote Access Password (ARAP)
  • Support for token card security servers
  • Support for the Microsoft Callback feature

  • Token caching for Integrated Services Digital Network (ISDN) terminal adapters of one-time password (OTP) tokens

  • Time-of-day and day-of-week access restrictions

  • Usage quotas for groups and users, based on time used on line or number of sessions

  • Network access restrictions based on remote address caller line identification (CLID)
  • Ability to disable an account on a specific date

  • Ability to disable an account after an amount of failed attempts specified by the administrator

  • Ability to view a list of logged-in users

  • Windows NT/2000 Performance Monitor support for real-time statistic viewing

  • Configurable accounting and auditing information stored in comma-separated values (CSV) format for convenient import into billing applications

  • Configurable accounting and auditing information stored in ODBC format for convenient logging to an ODBC-compliant relational database.

  • User and group MaxSessions

  • Configurable character string stripping

  • Authentication forwarding

  • Relational database management system (RDBMS) synchronization

  • Database replication

  • System/database backup and maintenance

  • Dialed number identification service (DNIS) Support

Cisco Secure ACS Concepts and Functions

This section describes some of the different components that work together with Cisco Secure ACS to provide network security.

Cisco Secure ACS and the Access Device

The NAS is configured to direct all user access requests to Cisco Secure ACS for authentication and authorization of privileges. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to Cisco Secure ACS, which verifies the username and password against the selected user database. Cisco Secure ACS then returns a success or failure response to the NAS, which permits or denies user access.

When the user has successfully authenticated, a set of session attributes can be sent to the NAS to provide additional security and control of privileges. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet).


Cisco Secure ACS can use both the TACACS+ and RADIUS security protocols.

Table 1-1: TACACS+ and RADIUS Protocol



TCP—Connection-oriented transport layer protocol, reliable full-duplex data transmission

UDP—Connectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery

Full packet encryption

Encrypts only passwords up to 16 bytes

Independent AAA architecture

Authentication and authorization combined

Useful for router management

Not useful for router management


Authentication determines a user's identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use OTPs such as CHAP and token cards. Cisco Secure ACS provides support for these authentication methods.

There is a fundamental relationship between authentication and authorization. The more authorization privileges a user receives, the stronger the authentication should be. Cisco Secure ACS offers this capability by providing various methods of authentication.

Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate between the NAS and the access control server. Clear-text passwords can be captured between a client host dialing up over a phone line or an ISDN line terminating at a NAS.

Service providers who offer increased levels of security services, and corporations who want to lessen the chance of intruder access resulting from password capturing, can use an OTP. Cisco Secure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node login. Token cards are considered one of the strongest OTP authentication mechanisms.

The CRYPTOCard token-card server software is included with Cisco Secure ACS. All you need is the CRYPTOCard token card. Cisco Secure ACS also supports the following token-card servers for authentication:


  • SafeWord

  • Security Dynamics, Inc. (SDI)

To use SDI's ACE server, you must install the ACE clients and configure them in Cisco Secure ACS to call the server when a user attempts to authenticate with an ACE token card.

Note   If you are using the SDI token server authentication, Cisco recommends using ACE/Client version 4.2 and ACE/Server version 3.3.

To use the AXENT token-card server, configure Cisco Secure ACS with the AXENT server's address and shared secret.


Cisco Secure ACS supports all leading authentication protocols:

  • CHAP


  • ARAP

  • External token-card server

  • Windows NT/2000 user database

  • Generic LDAP

  • Microsoft MCIS

  • Novell NDS

  • ODBC

Passwords can be processed using these password authentication protocols based on the version and type of security control protocol (for example, RADIUS, TACACS+) used and the configuration of the NAS and client. The following sections outline the different conditions and functions of password handling.

Cisco Secure ACS acts as a client to the token-card server. The communication link between Cisco Secure ACS and the token-card server must be secure. This is done by either configuring a shared secret password between the two servers and defining the IP address or by installing a file created by the token-card server containing the same information into Cisco Secure ACS.

Generic LDAP

Cisco Secure ACS supports authentication of users against records kept in a directory server using LDAP. CiscoSecure interacts with the most popular directory servers, including Novell and Netscape. PAP passwords can be used when authenticating against the directory server. Cisco Secure ACS logs these transactions and displays their results in the Reports & Activity section of the Cisco Secure ACS HTML interface.

You can use the Secure Sockets Layer (SSL) protocol to create a secure tunnel from the Cisco Secure ACS server to the LDAP database for transporting AAA traffic. For more information, see the "Protecting Your Web Server (Optional)" section in the Web Server Installation for Cisco Secure ACS for Windows NT/2000 User-Changeable Passwords quick reference card.


Cisco Secure ACS supports MCIS. MCIS is Microsoft's product suite of commercial-grade server components designed for Internet service providers (ISPs) and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT/2000 Servers and Microsoft Internet Information Server (IIS). For more information on MCIS, see your Microsoft documentation.


Cisco Secure ACS supports authentication via an ODBC-compliant relational database. ODBC is a standardized API that was first developed by Microsoft, now used by most major database vendors. It currently follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. For more information on ODBC, see your ODBC and database vendor documentation.

Basic Password Configurations

There are several basic password configurations:

Note   These configurations are all classed as Inbound authentication.

Advanced Password Configurations

In addition to the basic password configurations listed above, Cisco Secure ACS also provides for the following:

The TACACS+ SENDAUTH feature enables a NAS to authenticate itself to another NAS/client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, Cisco recommends that the separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.

If you want to use outbound passwords and maintain the highest level of security, Cisco recommends that you configure Cisco Secure ACS with a separate outbound password that is different from the inbound password.

Password Aging

The password aging feature of Cisco Secure ACS enables you force users to change their passwords under any of the following conditions:

  • After a specified number of days

  • After a specified number of logins

  • The first time a new user logs in

Note   Cisco Secure ACS password aging is not affiliated with Windows NT/2000 password aging.

Password aging requires the following conditions:

Password aging parameters are configured in the Group Setup window. For more information on the password aging feature, see the "Password Aging Rules" section.

User-Changeable Passwords

With Cisco Secure ACS, you can install a separate program that allows users to use a web-based utility to change their passwords. For more information, see the Web Server Installation for Cisco Secure ACS for Windows NT/2000 User-Changeable Passwords quick reference card.

CiscoSecure Authentication Agent

To use the user-changeable password feature of Cisco Secure ACS, make sure you have installed the latest version of the CAA software. See your CAA documentation for more information.

PAP, CHAP, and ARAP Support

Different levels of security can be used with Cisco Secure ACS for different requirements. The basic user-to-network security level is PAP. Although it does not represent the highest form of encrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT/2000 database. With this configuration, users need to log in only once. CHAP allows a higher level of security for encrypting passwords when communicating from a client to the NAS. You can use CHAP with the Cisco Secure ACS user database. ARAP support is included to support Apple clients.

Comparing PAP, CHAP, and ARAP

PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.

  • PAP—Uses clear-text passwords and is the least sophisticated authentication protocol. If you are using the Windows NT/2000 user database to authenticate users, you must use PAP password encryption.

  • CHAP—Uses a challenge-response mechanism with one-way encryption on the response. CHAP lets Cisco Secure ACS negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the Cisco Secure ACS user database for authentication, you can use either PAP or CHAP.

  • ARAP—ARAP uses a two-way challenge-response mechanism. The NAS challenges the dial-in client to authenticate itself, and the dial-in client challenges the NAS to authenticate itself.


Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP and standard CHAP are the following:

For more information on MS-CHAP, see RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.


Authorization determines what a user is allowed to do. Cisco Secure ACS can send user profile policies to a NAS to determine the network services the user can access or the level of service to which the user is subscribed. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The Cisco Secure ACS access restrictions feature lets you permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 A.M. to 5 P.M.

You can also restrict use by way of the Max Sessions feature, allowing a maximum number of concurrent sessions per user or group.

You can restrict users to a service or combination of services such as PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the home gateway for that user) or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.


Accounting is the action of recording what a user is doing or has done. Cisco Secure ACS writes accounting records to a CSV log file or ODBC database daily. You can easily update this log file into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are the following:

  • TACACS+ Accounting—Lists when sessions start and stop; records NAS messages with username; provides caller line identification information; records the duration of each session.

  • RADIUS Accounting—Lists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session.

  • Administrative Accounting—Lists configuration commands entered on the NAS.

Max Sessions

Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:

  • User Max Sessions—For example, an ISP can limit each account holder to a single session.

  • Group Max Sessions—For example, an enterprise administrator can allow the remote access infrastructure to be shared equally among a number of departments and limit the maximum number of concurrent sessions for all users of any one department.

In addition to simple User and Group Max Sessions control, Cisco Secure ACS enables the administrator to specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group "Sales" and also limit each member of the "Sales" group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.

HTTP Port Allocation for Administrative Sessions

The range of TCP ports used for administrative HTTP sessions is configurable. You can constrain the range of ports that Cisco Secure ACS uses so that administrative sessions may be conducted from a browser outside the firewall that protects Cisco Secure ACS while maintaining a smaller number of ports that might be vulnerable to unauthorized users outside the network perimeter. A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through port 2002, because this is the port a remote web browser must access in order to initiate an administrative session.

Note   A broad HTTP port range could create a security risk. To prevent accidental discovery of an active administrative port by unauthorized users, keep the HTTP port range as narrow as possible. Cisco Secure ACS tracks the IP address associated with each remote administrative session. An unauthorized user would have to impersonate, or "spoof", the IP address of the legitimate remote host to make use of the active administrative session HTTP port.

Dynamic Usage Quotas

Cisco Secure ACS enables you to define usage quotas for users. You can limit the network access of each user in a group or individual users. You define quotas by duration of sessions or the total number of sessions. Quotas can be either absolute or based on daily, weekly, or monthly periods. To grant access to users who have exceeded their quotas, you can reset session quota counters as needed.

To support time-based quotas, we recommend enabling accounting update packets on all NASes. If update packets are not enabled, then the quota will only be updated when the user logs off. If the NAS through which the user is accessing your network fails, the quota would not be updated. In the case of multiple sessions, such as with ISDN, the quota would not be updated until all sessions terminate, which means that a second channel will be accepted even if the first channel has exhausted the user's quota.

Network Device Groups

With NDGs you can view and administer a collection of network devices as a single logical group. To simplify administration, you can assign to each group a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within Cisco Secure ACS—single discrete devices such as an individual router, NAS, or PIX Firewall, and an NDG; that is, a collection of routers or AAA servers.

A device can belong to only one NDG at a time.

Using NDGs enables an organization with a large number of routers spread across a large geographical area to logically organize their environment within Cisco Secure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's NASes were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.

You can assign a group of users to an NDG. For more information on NDGs, see the "Network Device Groups" section.