CiscoSecure ACS 2.4 for Windows NT User Guide
CiscoSecure ACS Architecture
Table of Contents
CiscoSecure ACS Architecture
Windows NT Environment Overview
CiscoSecure ACS Web Server
CSTacacs and CSRadius
CiscoSecure ACS 2.4 for Windows NT Server is designed to be modular and flexible to fit the needs of both simple and large networks. This chapter describes the CiscoSecure ACS architectural components. CiscoSecure ACS includes the following service modules:
Each module can be started and stopped individually from within the Microsoft Service Control Panel or as a group from within the CiscoSecure ACS browser interface. Each module can operate independently, but this limits functionality.
This section gives a brief overview of essential Windows NT concepts that relate to CiscoSecure ACS as a service of Windows NT.
All of the CiscoSecure ACS services can be started, stopped, and restarted from the Windows NT Services window. The CiscoSecure ACS services are preceded by the letters CS. The sorting mechanism within Windows NT Services lists services alphabetically. All the CiscoSecure ACS services should be displayed in one area of the list.
Note Cisco recommends that you do not modify this file unless you have enough knowledge and experience to edit the file without destroying any existing data in the file. Always back up the Windows Registry before editing.
The CiscoSecure ACS information is located in the Windows Registry key:
CiscoSecure ACS has a built-in web server for support using a hypertext markup language (HTML) interface. This eliminates the necessity of installing another web server on the Windows NT server running CiscoSecure ACS. Because the CiscoSecure ACS web server uses port 2002, you can use another web server on the same machine to provide other web services.
CSAdmin is the service for the internal web server. CiscoSecure ACS does not require the presence of a third party web server; it is equipped with its own internal server. After CiscoSecure ACS is installed, you must configure it from its HTML interface. This means that CSAdmin must be running when you configure CiscoSecure ACS.
Although you can start and stop services from within the CiscoSecure ACS HTML interface, this does not start or stop CSAdmin. If CSAdmin stops abnormally because of an external action, you cannot access CiscoSecure ACS from any machine other than the Windows NT server on which it is running. You can start or stop CSAdmin from the Windows NT Service menu.
CSAdmin is a multithreaded application that lets several administrators access it at the same time. Therefore, CSAdmin is best for distributed, multiprocessor, and clustered environments.
Note When you access CSAdmin from a browser, a new port is assigned for that session of the browser. This increases security and helps with session management. Therefore, when a firewall is used with authentication forwarding, you must exclude the server IP address and port 2002.
CSAuth is the authentication and authorization service. Its primary purpose is the authentication and authorization of requests to permit or deny access to users. CSAuth determines if access should be granted and defines the privileges for a particular user. CSAuth is the database manager.
CiscoSecure ACS can access several different databases for authentication. When a request for authentication arrives, CiscoSecure ACS checks the database that is configured for that user. If the user is unknown, CiscoSecure ACS checks the database(s) configured for unknown users.
CiscoSecure ACS can check the user database to authenticate first-time logins. If the username is not in the CiscoSecure user database, CiscoSecure ACS does not deny authentication yet; it forwards the request to the configured unknown user database to see if it can authenticate the user. If it can, then authentication is granted.
Note With unknown user databases such as Windows NT and Novell NDS, only PAP passwords are supported.
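The lookup order described above, as an added example that is not CiscoSecure ACS code: a small Python model of the known-user and unknown-user flow, including the PAP-only restriction for external databases such as Windows NT. The database names, user records and request fields are assumptions chosen for illustration.

```python
# Added example (not CiscoSecure ACS code): a model of the CSAuth lookup order.
# Database names, user records and the request format are assumptions only.
from dataclasses import dataclass, field

PAP, CHAP = "PAP", "CHAP"

@dataclass
class Db:
    name: str
    users: dict             # username -> password (constructed sample data)
    pap_only: bool = False  # external DBs such as Windows NT / NDS: PAP only

@dataclass
class AcsConfig:
    internal: Db
    externals: dict    # database name -> Db
    assigned: dict     # username -> name of the database configured for that user
    unknown_user_dbs: list = field(default_factory=list)  # tried in order for unknown users

def check_db(db: Db, user: str, password: str, protocol: str) -> bool:
    """Authenticate against one database, enforcing the PAP-only restriction."""
    if db.pap_only and protocol != PAP:
        return False
    return db.users.get(user) == password

def authenticate(cfg: AcsConfig, user: str, password: str, protocol: str = PAP):
    """Return (granted, database_used) following the unknown-user flow."""
    if user in cfg.assigned:                      # known user: only its configured DB
        db_name = cfg.assigned[user]
        db = cfg.internal if db_name == cfg.internal.name else cfg.externals[db_name]
        return check_db(db, user, password, protocol), db_name
    for db_name in cfg.unknown_user_dbs:          # unknown user: each unknown-user DB in order
        if check_db(cfg.externals[db_name], user, password, protocol):
            return True, db_name
    return False, None                            # not found anywhere: deny

# Constructed sample configuration: one internal user, one Windows NT user.
CFG = AcsConfig(
    internal=Db("CiscoSecure", {"alice": "s3cret"}),
    externals={"WindowsNT": Db("WindowsNT", {"bob": "pass1"}, pap_only=True)},
    assigned={"alice": "CiscoSecure"},
    unknown_user_dbs=["WindowsNT"],
)
```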
There are several user database options:
For more information on csutil, see the "Importing User Information from a Text File" section.
When a user has authenticated using one of the described methods, CiscoSecure ACS obtains a set of authorizations from the user profile and the group to which the user is assigned. This information is stored with the username in the CiscoSecure user database. Some of the authorizations included are the services to which the user is entitled, such as IP over PPP, IP pools from which to draw an IP address, access lists, and password aging information. The authorizations, with the approval of authentication, are then passed to the CSTacacs or CSRadius modules to be forwarded to the requesting device.
CSDBSync is the service used to synchronize the CiscoSecure ACS database with third-party RDBMS systems and is an alternative to using the ODBC dynamic link library (DLL). Release 2.4 provides enhancements to CSDBSync that allow synchronization of NAS, AAA server, network device group (NDG), and Proxy Table information. For information on relational database management system (RDBMS) synchronization, see the "RDBMS Synchronization" section.
CSLog is the service that captures and stores logging information. CSLog gathers data from the TACACS+ or RADIUS packet and from CSAuth, then formats the data for the comma-separated value (CSV) files. By default, the CSV files are created daily at midnight, but beginning with Release 2.3, the CSV files can be created daily, weekly, monthly, or by file size. The CSV files can be imported into spreadsheets that support this format.
CSV files are stored in the default subdirectory \Program Files\
CSMon works for both TACACS+ and RADIUS and will automatically detect which protocols are in use.
Note CSMon is not intended as a replacement for system, network, or application management applications but is provided as an application-specific utility that can be used with other, more generic system management tools.
CSMon actively monitors three basic sets of system parameters:
CSMon cooperates with CSAuth to keep track of user accounts that are disabled because they exceeded their maximum failed-attempts count. This feature is more oriented to security and user support than to system viability. If configured, it provides immediate warning of "brute force" attacks by alerting the administrator when a large number of accounts become disabled. In addition, it helps a support help desk anticipate problems with individual users gaining access.
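The alerting described above, as an added example that is not part of CSMon: detection logic that flags a burst of account-disable events within a short window. The log line format, threshold and window are assumptions, and the sample lines are constructed.

```python
# Added example (not CSMon code): flag a burst of "account disabled" events, the
# signal the text describes for brute-force attempts. Line format, threshold and
# window are assumptions; SAMPLE_LOG is constructed data.
from collections import deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
1999-06-01 08:00:02,alice,Account disabled: failed attempts exceeded
1999-06-01 08:00:05,bob,Account disabled: failed attempts exceeded
1999-06-01 08:00:06,bob,Login failed
1999-06-01 08:00:07,carol,Account disabled: failed attempts exceeded
1999-06-01 08:00:09,dave,Account disabled: failed attempts exceeded
1999-06-01 09:30:00,erin,Account disabled: failed attempts exceeded
"""

def parse(line):
    """Split a constructed 'timestamp,user,event' line."""
    ts, user, event = line.split(",", 2)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event

def disable_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, accounts) for every disable event at which at least
    `threshold` distinct accounts were disabled within the trailing `window`."""
    recent = deque()   # (timestamp, user) of disable events still inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse(line)
        if not event.startswith("Account disabled"):
            continue                      # only disable events count toward the burst
        recent.append((ts, user))
        while recent and ts - recent[0][0] > window:
            recent.popleft()              # drop events that fell out of the window
        accounts = sorted({u for _, u in recent})
        if len(accounts) >= threshold:
            alerts.append((ts, accounts))
    return alerts
```

In the sample, the four disables within seven seconds trigger two alerts (at the third and fourth event), while the isolated one at 09:30 does not.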
CSMon records all exception events in logs that you can use to diagnose problems. CSMon puts the logs in two places, sends notification(s), and responds:
The following scripts are provided with CSMon:
You can configure the following items through CSAdmin:
The CSTacacs and CSRadius services communicate between the CSAuth module and the access device that is requesting the authentication and authorization services. For CSTacacs and CSRadius to work properly, the system must meet the following conditions:
CSTacacs is used to communicate with TACACS+ devices and CSRadius to communicate with RADIUS devices. Both services can run at the same time. When only one security protocol is used, only the applicable service needs to be running; however, the other service will not interfere with normal operation and does not need to be disabled. See "TACACS+ Attribute-Value Pairs" for more information on TACACS+ AV pairs, or "RADIUS Attribute-Value Pairs" for more information on RADIUS AV pairs.