CiscoSecure ACS 2.4 for Windows NT User Guide
Table of Contents
Distributed Systems
Default Distributed System Settings
Proxy
Fallback on Failed Connection
Remote Logging
Proxy in an Enterprise
Sending Accounting Packets
Database Replication and RDBMS Synchronization
Cisco Secure ACS 2.4 for Windows NT Server (CiscoSecure ACS) can be used in a distributed system; that is, multiple CiscoSecure ACS servers and authentication, authorization, and accounting (AAA, pronounced "triple A") servers can be configured to communicate with one another as primary, backup, client, or peer systems. This allows you to use powerful features such as:
Note If the fields mentioned in this section are not displayed in your CiscoSecure ACS interface, click Interface Configuration: Advanced Options: Distributed System Settings. You also need to enable the specific option you want to use; for example, Database Replication. If the check box for any of these options is disabled but you have previously configured the information, the applicable areas for these options still display in the interface.
For more information on database replication and RDBMS synchronization, see "Database Information Management."
AAA server is the generic term for an access control server (ACS), and the two terms are often used interchangeably. AAA servers are used to determine who can access the network and what services are authorized for each user. The AAA server stores a profile containing authentication and authorization information for each user. Authentication information validates the users' identity, and authorization information determines what network services they are allowed to use. AAA servers can be used simultaneously with dial-up access servers, routers, and firewalls. Each network device can be configured to communicate with a AAA server. This makes it possible to centrally control dial-up access for a service provider, as well as to secure network devices from unauthorized access.
Both applications (controlling dial-up access and securing the network devices themselves) have unique authentication and authorization requirements. With CiscoSecure ACS, system administrators can use a variety of authentication methods that are used with different degrees of authorization privileges. Completing the access control functionality, CiscoSecure ACS serves as a central repository for accounting information. Each user session granted by the ACS can be fully accounted for and stored in the server. This accounting information can be used for billing, capacity planning, and security audits.
If the fields mentioned in this section do not display in your CiscoSecure ACS interface, click Interface Configuration: Advanced Options: Distributed System Settings. You also need to enable the specific option you want to use; for example, Database Replication. After these options have been configured, if the check boxes for these options are later disabled but you have previously configured information for the feature, the applicable areas for these options still display in the interface.
After the Distributed System Settings option is enabled, two additional tables appear in the Network Configuration window: the AAA server table and the distribution table. (If you are using network device groups (NDGs), these tables appear in the window for the NDG.) The parameters configured within these tables create the foundation to allow multiple CiscoSecure ACSes to be configured to work with each other. Each of the tables contains a CiscoSecure ACS entry for itself. In the AAA server table, the only listed AAA server upon the initial enabling of this feature is itself and, in the distribution table, an entry of \Default, which displays how this local CiscoSecure ACS is configured to handle each authentication request locally. You can configure additional AAA servers in the AAA server table. This allows these devices to become available in the user interface so that they can be configured for other distributed features such as proxy, CiscoSecure database replication, remote logging, and RDBMS synchronization.
Note The key is case-sensitive. If the keys between the two AAA servers are not identical when authentication is forwarded, the request is encrypted incorrectly and authentication fails.
Note The remote CiscoSecure ACS must be using Release 2.1 or later.
For more information on defining and configuring AAA servers, see the "Network Configuration" section.
The entries defined and placed in the distribution table can be considered turnstiles for each authentication request that CiscoSecure ACS receives from the NAS. How the authentication request is defined in the distribution table depends on where it will be forwarded. If a match to an entry in the distribution table that contains proxy information is found, then CiscoSecure ACS forwards the request to the appropriate AAA server.
The \Default entry in the distribution table represents the local CiscoSecure ACS. This means that all authentication requests handled by the AAA server that do not contain a matched character string defined in the distribution table are handled locally. This entry is always present and cannot be deleted or overwritten from this table.
Proxy is a powerful feature that allows CiscoSecure ACS to automatically forward an authentication request from a NAS to another AAA server. After the request has been successfully authenticated, the authorization privileges that have been configured for the user on the remote AAA server are passed back to the original CiscoSecure ACS, where the user's profile information is applied for that session on the NAS.
The ability to determine if and where an authentication request is to be forwarded is defined in the distribution table in the Network Configuration window. (See the "Distribution Table" section.) Multiple CiscoSecure ACSes can be used throughout the network and, depending on a defined character string entered with the username (for example, mary@corporate.com, where @corporate.com is the defined character string), when the user dials in to the NAS and a match is found in the distribution table, the authentication request is then forwarded to a remote AAA server to permit or deny access to the network.
Administrators with geographically dispersed networks can configure and manage the user profiles of employees within their immediate location or building. This allows the administrator to manage the policies of just their users and allows all other authentication requests from other users within the company to be forwarded to their respective AAA server for authentication. Every user profile does not need to reside on every AAA server on the enterprise. This saves administration time and server space, as well as allowing users to maintain the same privileges on any machine on the network.
You can configure the order in which the remote AAA servers are checked by CiscoSecure ACS if the network connection to the primary AAA server fails. If an authentication request cannot be sent to the first listed server because of a network failure, the next listed server is checked, and so on, in order down the list until the authentication request is handled by a AAA server. If CiscoSecure ACS cannot connect to any of the servers in the list, authentication fails.
CiscoSecure ACS forwards the authentication requests using a configurable set of characters with a delimiter, such as dots (.), slashes (/), and hyphens (-). When configuring the CiscoSecure ACS character string to match, you must specify whether the character string is the prefix or suffix. For example, you can use "domain.us" as a suffix character string in username*domain.us (* represents any delimiter). An example of a prefix character string is domain.us*username.
Stripping allows CiscoSecure ACS to remove (strip) the matched character string from the username. When stripping is enabled, CiscoSecure ACS examines each authentication request for matching information. When a match by character string has been found in the distribution table, if CiscoSecure ACS is configured to do so, the character string is stripped off. For example, in the proxy example that follows, the ability to forward the request to another AAA server is based on the character string that accompanies the username. If the user must enter the user ID of mary@corporate.com to be forwarded correctly to the AAA server for authentication, a match might be found on the "@corporate.com" character string, and stripping can be enabled to remove the "@corporate.com," leaving a username of just "mary." This allows only a single entry of "mary" in the AAA server database instead of having a second entry for the user of mary@corporate.com.
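The following added example (not Cisco's code) models the distribution-table behaviour described above: prefix or suffix matching of a character string on any delimiter, optional stripping, ordered fallback through an entry's AAA server list, and the local \Default path when nothing matches. The entry contents, the server names ("LA-ACS", "LA-ACS-backup", "US-ACS") and the treatment of "@" as a delimiter are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Delimiters the guide names (dot, slash, hyphen); "@" is assumed here so the
# mary@corporate.com example can be expressed as string "corporate.com".
DELIMITERS = "./-@"

@dataclass
class Entry:
    string: str       # character string to match, e.g. "corporate.com"
    position: str     # "prefix" or "suffix"
    strip: bool       # remove the matched string before forwarding?
    servers: list     # AAA servers, tried in order if the previous one is unreachable

def match_entry(username, entry):
    """Return the username to forward (stripped if configured), or None if no match."""
    s, n = entry.string, len(entry.string)
    if len(username) <= n + 1:            # need room for a delimiter plus a name
        return None
    if entry.position == "suffix":
        if username.endswith(s) and username[-n - 1] in DELIMITERS:
            return username[:-n - 1] if entry.strip else username
    else:
        if username.startswith(s) and username[n] in DELIMITERS:
            return username[n + 1:] if entry.strip else username
    return None

def route(username, table, reachable):
    """Decide which AAA server handles the request.

    reachable(server) stands in for the network check. Returns (server, username):
    the first reachable server in the matched entry; "local" for the \\Default
    entry when nothing matches; None when every listed server is down (the
    guide's "authentication fails" case).
    """
    for entry in table:
        forwarded = match_entry(username, entry)
        if forwarded is None:
            continue
        for server in entry.servers:
            if reachable(server):
                return server, forwarded
        return None, forwarded        # matched, but all listed servers failed
    return "local", username          # \Default: handle the request locally

# Constructed table: a suffix entry with stripping and a prefix entry without.
TABLE = [Entry("corporate.com", "suffix", True, ["LA-ACS", "LA-ACS-backup"]),
         Entry("domain.us", "prefix", False, ["US-ACS"])]
```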
This section presents a scenario of proxy used in an Enterprise system. Mary is an employee with an office in the corporate headquarters in Los Angeles. Her username is mary@corporate.com. When Mary needs access to the network, she accesses the network locally and authenticates her username and password. Because Mary works in the Los Angeles office, her user profile, which defines her authentication and authorization privileges, resides on the local Los Angeles AAA server. But Mary occasionally travels to a division within the corporation in New York and, when she is there, she still needs to access the corporate network to get her e-mail and other files. When Mary is in New York, she dials in to the New York office and logs on as mary@corporate.com. Her username is not recognized by the New York CiscoSecure ACS, but the distribution table contains an entry to forward the authentication request to the Los Angeles CiscoSecure ACS. Because Mary's username and password information reside on that AAA server, when she authenticates correctly, the authorization parameters assigned to her are applied back on the NAS in the New York office.
Sending accounting packets to the remote CiscoSecure ACS offers several benefits. When CiscoSecure ACS is configured to send the accounting packet to the remote AAA server, after a successful authentication, the remote AAA server receives and logs an entry in the accounting report for that session. CiscoSecure ACS also caches the user's connection information and adds an entry in the List Logged on Users window. You can then view the information for the users that are currently connected. Because the accounting information is being sent to the remote AAA server, even if the connection fails, you can view the Failed Attempts report to help troubleshoot the failed connection.
Sending the accounting information to the remote AAA server also allows you to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop records in the accounting packet. If the remote AAA server is a CiscoSecure ACS and the Max Sessions feature is implemented, you can track the number of sessions allowed for each user or group.
The database replication and RDBMS synchronization features provided with CiscoSecure ACS help automate the process of updating your CiscoSecure ACS database and network configuration. Database replication allows you to replicate various parts of the configuration, including user and group information, from a CiscoSecure ACS primary server to one or more CiscoSecure ACS backup or client systems. Replication allows you to automate the creation of mirror CiscoSecure ACSes. You can use these mirror systems to provide redundant servers as backup servers to increase fault-tolerance if the primary system fails.
While its functions are somewhat similar to database replication, RDBMS synchronization allows CiscoSecure ACS to tightly integrate with other RDBMS data sources. You can synchronize information for users, groups, NASes, AAA servers, Proxy Tables, and NDGs.
For more details on configuring and using database replication and RDBMS synchronization, see "Database Information Management."
If your network is geographically dispersed, the remote logging feature helps you simplify the process of gathering the accounting logs generated on each CiscoSecure ACS. Each CiscoSecure ACS can be configured to point to a centralized CiscoSecure ACS to be used as the logging server. The centralized CiscoSecure ACS still has all the capabilities of a AAA server but also becomes a central repository for all accounting logs that are sent.
To implement remote logging, define the CiscoSecure ACS to be used as the logging server in the AAA Servers Table on each of the remote CiscoSecure ACSes. (See the "AAA Servers" section.) In the Service Configuration: Remote Logging window on each of the remote CiscoSecure ACSes, select Log to All Selected Hosts, select the Log Server, and move it to the Log To column. The Log to Subsequent Selected Hosts on Failure option allows you to configure backup Logging Server(s) and to capture accounting logs if the primary Logging Server goes out of service.
There are differences between the remote logging and sending accounting information features. The remote logging feature allows the accounting data to be sent directly to the CSLOG service on the remote logging server, where the record is then written into the .CSV file. Enabling the send accounting information feature sends the accounting information to the CSAuth service, which uses the accounting packet to control access to CiscoSecure ACS via the MaxSessions feature. You can view the connection status in the Reports and Activity: List Logged on Users window.