CiscoSecure ACS 2.4 for Windows NT User Guide
Distributed Systems

Table of Contents

Distributed Systems
AAA Servers
Proxy
Remote Logging

Distributed Systems


Cisco Secure ACS 2.4 for Windows NT Server (CiscoSecure ACS) can be used in a distributed system; that is, multiple CiscoSecure ACS servers and authentication, authorization, and accounting (AAA—pronounced "triple A") servers can be configured to communicate with one another as primary, backup, client, or peer systems. This allows you to use powerful features such as:

  • Proxy
  • Fallback on failed connection
  • CiscoSecure database replication
  • Relational database management system (RDBMS) synchronization
  • Remote and centralized logging

It also allows CiscoSecure ACS to recognize network access restrictions of other CiscoSecure ACSes on the distributed network.


Note      If the fields mentioned in this section are not displayed in your CiscoSecure ACS interface, click Interface Configuration: Advanced Options: Distributed System Settings. You also need to enable the specific option you want to use; for example, Database Replication. If the check box for any of these options is disabled but you have previously configured the information, the applicable areas for these options still display in the interface.


For more information on database replication and RDBMS synchronization, see "Database Information Management."

AAA Servers

AAA server is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user. Authentication information validates the users' identity, and authorization information determines what network services they are allowed to use. AAA servers can be used simultaneously with dial-up access servers, routers, and firewalls. Each network device can be configured to communicate with a AAA server. This makes it possible to centrally control dial-up access for a service provider, as well as to secure network devices from unauthorized access.

Both applications have unique authentication and authorization requirements. With CiscoSecure ACS, system administrators can use a variety of authentication methods that are used with different degrees of authorization privileges. Completing the access control functionality, CiscoSecure ACS serves as a central repository for accounting information. Each user session granted by the ACS can be fully accounted for and stored in the server. This accounting information can be used for billing, capacity planning, and security audits.

If the fields mentioned in this section do not display in your CiscoSecure ACS interface, click Interface Configuration: Advanced Options: Distributed System Settings. You also need to enable the specific option you want to use; for example, Database Replication. After these options have been configured, if the check boxes for these options are later disabled but you have previously configured information for the feature, the applicable areas for these options still display in the interface.

Default Distributed System Settings

After the Distributed System Settings option is enabled, two additional tables appear in the Network Configuration window: the AAA server table and the distribution table. (If you are using network device groups (NDGs), these tables appear in the window for the NDG.) The parameters configured within these tables create the foundation to allow multiple CiscoSecure ACSes to be configured to work with each other. Each of the tables contains a CiscoSecure ACS entry for itself. In the AAA server table, the only listed AAA server upon the initial enabling of this feature is itself and, in the distribution table, an entry of \Default, which displays how this local CiscoSecure ACS is configured to handle each authentication request locally. You can configure additional AAA servers in the AAA server table. This allows these devices to become available in the user interface so that they can be configured for other distributed features such as proxy, CiscoSecure database replication, remote logging, and RDBMS synchronization.

Adding an Entry in the AAA Server Table

To configure distributed system features, you must first define the CiscoSecure ACS' AAA server partner(s). Enter the following information when adding or editing parameters for CiscoSecure ACS:

  • AAA Server Name—The name of the remote AAA server to be used in conjunction within the distributed system features.
  • AAA Server IP Address—The IP address of the remote AAA server.
  • Key—The secret key that enables encryption. Keys are used to ensure that all data sent among AAA servers is encrypted.

Note The key is case-sensitive. If the keys between the two AAA servers are not identical when authentication is forwarded, the request is encrypted incorrectly and authentication fails.


  • AAA Server Type—CiscoSecure ACS can work with non-Cisco AAA servers to forward authentication requests. Protocols that the remote AAA server can use are:
    • RADIUS—Select this option if the remote AAA server is configured using any type of Remote Access Dial-In Service (RADIUS) protocol.
    • TACACS+—Select this option if the remote AAA server is configured using the Terminal Access Controller Access Control System (TACACS+) protocol.
    • CiscoSecure ACS for Windows NT—Select this item if the remote AAA server is another CiscoSecure ACS. This lets you configure features that are only available with other CiscoSecure ACSes, such as database replication and remote logging.

Note The remote CiscoSecure ACS must be using Release 2.1 or later.


  • Traffic Type—Select one of the following fields to define the direction of the traffic flow between this CiscoSecure ACS and the remote AAA server:
    • Inbound—The selected AAA server will accept an authentication request that has been forwarded to it and not re-forward the request to another AAA server. Use this parameter if you do not want to allow any requests to be forwarded.
    • Outbound—The selected AAA server will send out an authentication request but not receive it. If a distribution table entry is configured to forward a request to a AAA server that is configured for Outbound, the request is not sent.
    • Inbound/Outbound—The specified AAA server will both forward and accept authentication requests. This allows the selected server to handle requests as defined in the distribution tables.

For more information on defining and configuring AAA servers, see the "Network Configuration" section.

Distribution Table

The entries defined and placed in the distribution table can be considered turnstiles for each authentication request that CiscoSecure ACS receives from the NAS. How the authentication request is defined in the distribution table depends on where it will be forwarded. If a match to an entry in the distribution table that contains proxy information is found, then CiscoSecure ACS forwards the request to the appropriate AAA server.

The \Default entry in the distribution table represents the local CiscoSecure ACS. This means that all authentication requests handled by the AAA server that do not contain a matched character string defined in the distribution table are handled locally. This entry is always present and cannot be deleted or overwritten from this table.

Adding an Entry in the Distribution Table

To define an entry in the distribution table, enter the following information:

  • Character String—Defines a "string" of characters (including the delimiter) to match against when the authentication request is received from the NAS.
  • Position—The position of the character string accompanied by the username to search on and match.
    • Prefix—Select this option if the character string comes at the front of the username.
    • Suffix—Select this option if the character string comes at the end of the username.
  • Strip—Whether the character string is to be stripped from the user ID. This is useful with virtual private dialup networks (VPDN) or other proxy scenarios.
    • Yes—Select this option to enable stripping.
    • No—Select this option to disable stripping.
  • AAA Servers/Forward To—The AAA servers box displays each of the defined AAA servers from the AAA server table. Select and move the AAA server into the Forward To column. If there is a network connection failure, the authentication request is forwarded to the next AAA server in the Forward To column, and so on down the list until the request is handled. (See the "Fallback on Failed Connection" section.)
  • Send Accounting Information—Defines whether to send the accounting packet along with the authentication request. (See the "Sending Accounting Packets" section.)
    • Local—Keep the accounting packet and log the record locally to the applicable report on the AAA server.
    • Remote—Send the accounting packet and let the remote AAA server log the record onto its applicable report on the AAA server.
    • Local/Remote—Send the accounting packets to both the local and remote AAA servers. For more details on defining and configuring AAA servers, see the "Network Configuration" section.

Proxy

Proxy is a powerful feature that allows CiscoSecure ACS to automatically forward an authentication request from a NAS to another AAA server. After the request has been successfully authenticated, the authorization privileges that have been configured for the user on the remote AAA server are passed back to the original CiscoSecure ACS, where the user's profile information is applied for that session on the NAS.

The ability to determine if and where an authentication request is to be forwarded is defined in the distribution table in the Network Configuration window. (See the "Distribution Table" section.) Multiple CiscoSecure ACSes can be used throughout the network and, depending on a defined character string entered with the username (for example, mary@corporate.com, where @corporate.com is the defined character string), when the user dials in to the NAS and a match is found in the distribution table, the authentication request is then forwarded to a remote AAA server to permit or deny access to the network.

Administrators with geographically dispersed networks can configure and manage the user profiles of employees within their immediate location or building. This allows the administrator to manage the policies of just their users and allows all other authentication requests from other users within the company to be forwarded to their respective AAA server for authentication. Every user profile does not need to reside on every AAA server on the enterprise. This saves administration time and server space, as well as allowing users to maintain the same privileges on any machine on the network.

Fallback on Failed Connection

You can configure the order in which the remote AAA servers are checked by CiscoSecure ACS if the network connection to the primary AAA server fails. If an authentication request cannot be sent to the first listed server because of a network failure, the next listed server is checked, and so on, in order down the list until the authentication request is handled by a AAA server. If CiscoSecure ACS cannot connect to any of the servers in the list, authentication fails.

Character String

CiscoSecure ACS forwards the authentication requests using a configurable set of characters with a delimiter, such as dots (.), slashes (/), and hyphens (-). When configuring the CiscoSecure ACS character string to match, you must specify whether the character string is the prefix or suffix. For example, you can use "domain.us" as a suffix character string in username*domain.us (* represents any delimiter). An example of a prefix character string is domain.us*username.

Stripping

Stripping allows CiscoSecure ACS to remove (strip) the matched character string from the username. When stripping is enabled, CiscoSecure ACS examines each authentication request for matching information. When a match by character string has been found in the distribution table, if CiscoSecure ACS is configured to do so, the character string is stripped off. For example, in the proxy example that follows, the ability to forward the request to another AAA server is based on the character string that accompanies the username. If the user must enter the user ID of mary@corporate.com to be forwarded correctly to the AAA server for authentication, a match might be found on the "@corporate.com" character string, and stripping can be enabled to remove the "@corporate.com," leaving a username of just "mary." This allows only a single entry of "mary" in the AAA server database instead of having a second entry for the user of mary@corporate.com.

Proxy in an Enterprise

This section presents a scenario of proxy used in an Enterprise system. Mary is an employee with an office in the corporate headquarters in Los Angeles. Her username is mary@corporate.com. When Mary needs access to the network, she accesses the network locally and authenticates her username and password. Because Mary works in the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local Los Angeles AAA server. But Mary occasionally travels to a division within the corporation in New York and, when she is there, she still needs to access the corporate network to get her e-mail and other files. When Mary is in New York, she dials in to the New York office and logs on as mary@corporate.com. Her username is not recognized by the New York CiscoSecure ACS, but the distribution table contains an entry to forward the authentication request to the Los Angeles CiscoSecure ACS. Because Mary's username and password information reside on that AAA server, when she authenticates correctly, the authorization parameters assigned to her are applied back on the NAS in the New York office.

Sending Accounting Packets

Sending accounting packets to the remote CiscoSecure ACS offers several benefits. When CiscoSecure ACS is configured to send the accounting packet to the remote AAA server, after a successful authentication, the remote AAA server receives and logs an entry in the accounting report for that session. CiscoSecure ACS also caches the user's connection information and adds an entry in the List Logged on Users window. You can then view the information for the users that are currently connected. Because the accounting information is being sent to the remote AAA server, even if the connection fails, you can view the Failed Attempts report to help troubleshoot the failed connection.

Sending the accounting information to the remote AAA server also allows you to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a CiscoSecure ACS and the Max Sessions feature is implemented, you can track the number of sessions allowed for each user or group.

You can also choose to have Voice over IP (VoIP) accounting information logged remotely, either appended to the RADIUS Accounting log, in a separate VoIP Accounting log, or both.

Database Replication and RDBMS Synchronization

The database replication and RDBMS synchronization features provided with CiscoSecure ACS help automate the process of updating your CiscoSecure ACS database and network configuration. Database replication allows you to replicate various parts of the configuration, including user and group information, from a CiscoSecure ACS primary server to one or more CiscoSecure ACS backup or client systems. Replication allows you to automate the creation of mirror CiscoSecure ACSes. You can use these mirror systems to provide redundant servers as backup servers to increase fault-tolerance if the primary system fails.

While its functions are somewhat similar to database replication, RDBMS synchronization allows CiscoSecure ACS to tightly integrate with other RDBMS data sources. You can synchronize information for users, groups, NASes, AAA servers, Proxy Tables, and NDGs.

For more details on configuring and using database replication and RDBMS synchronization, see "Database Information Management."

Remote Logging

If your network is geographically dispersed, the remote logging feature helps you simplify the process of gathering the accounting logs generated on each CiscoSecure ACS. Each CiscoSecure ACS can be configured to point to a centralized CiscoSecure ACS to be used as the logging server. The centralized CiscoSecure ACS still has all the capabilities of a AAA server but also becomes a central repository for all accounting logs that are sent.

To implement remote logging, define the CiscoSecure ACS to be used as the logging server in the AAA Servers Table on each of the remote CiscoSecure ACSes. (See the "AAA Servers" section.) In the Service Configuration: Remote Logging window on each of the remote CiscoSecure ACSes, select Log to All Selected Hosts, select the Log Server, and move it to the Log To column. The Log to Subsequent Selected Hosts on Failure option allows you to configure backup Logging Server(s) and to capture accounting logs if the primary Logging Server goes out of service.

Remote Logging versus Sending Accounting Information

There are differences between the remote logging and sending accounting information features. The remote logging feature allows the accounting data to be sent directly to the CSLOG service on the remote logging server, where the record is then written into the .CSV file. Enabling the send accounting information feature sends the accounting information to the CSAuth service, which uses the accounting packet to control access to CiscoSecure ACS via the MaxSessions feature. You can view the connection status in the Reports and Activity: List Logged on Users window.