Table of Contents
Overview of CiscoSecure ACS 2.4 for Windows NT Server
Upgrading from Previous Versions of CiscoSecure ACS
New Features in Release 2.4
Other CiscoSecure ACS Features
CiscoSecure ACS Concepts and Functions
Network Device Groups
Overview of CiscoSecure ACS 2.4 for Windows NT Server
CiscoSecure ACS 2.4 for Windows NT Server (CiscoSecure ACS) network security software helps you authenticate users by controlling dial-in access to a network access server (NAS) devicean access server, Cisco PIX firewall, or router.
Note Unless specifically stated otherwise, all references in this user guide to NAS apply to any access device.
CiscoSecure ACS operates as a Windows NT service and controls the authentication, authorization, and accounting (AAA, pronounced "triple A") of users accessing networks. CiscoSecure ACS operates with Windows NT server version 4.0.
CiscoSecure ACS helps centralize access control and accounting for dial-up access servers and firewalls as well as management of access to routers and switches. With CiscoSecure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. The tight integration of CiscoSecure ACS with the Windows NT operating system enables companies to leverage the working knowledge and the investment already made into building a Windows NT network.
CiscoSecure ACS supports Cisco NASes such as the Cisco 2509, 2511, 3620, 3640, AS5200 and AS5300, AS5800, the Cisco PIX firewall, and any third-party device that can be configured with the Terminal Access Controller Access Control System (TACACS+) and/or the Remote Access Dial-In User Service (RADIUS) protocol. CiscoSecure ACS uses the TACACS+ and/or RADIUS protocols to provide AAA services to ensure a secure environment.
CiscoSecure ACS can authenticate users against any of the following user databases:
- Windows NT
- CiscoSecure ACS
- Token-card servers, including:
- Security Dynamics, Inc. (SDI)
- Novell Directory Services (NDS)
- Directory Services (DS)
- Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP)
- Microsoft Open DataBase Connectivity (ODBC)
The NAS directs all dial-in user access requests to CiscoSecure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to CiscoSecure ACS, which verifies the username and password. CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, CiscoSecure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.
CiscoSecure ACS conforms to the following specifications:
CiscoSecure ACS conforms to the TACACS+ protocol as defined by Cisco Systems in draft 1.77. See your Cisco IOS software documentation or Cisco Connection Online (http://www.cisco.com) for more information.
CiscoSecure ACS software conforms to the RADIUS protocol as defined in draft April 1997 and in the following Requests for Comments (RFCs):
- RFC 2138, Remote Authentication Dial In User Service
- RFC 2139, RADIUS Accounting
- Year 2000CiscoSecure ACS meets the requirements of year-2000 compliance.
Your Windows NT server must meet the following minimum requirements.
Your Windows NT server must meet the following minimum hardware requirements:
- Pentium processor, 200 MHz or faster
- Windows NT Server 4.0 or higher operating system, English language version, with at least Service Pack 4 installed. (Service Pack 3 and earlier are not Y2K compliant.) CiscoSecure ACS has been tested with Service Pack 4 and 5. See the Release Notes for any information on other compatible Service Pack versions.
- 64 MB of RAM required, 128 MB recommended
- At least 150 MB of free disk space. If you are running your database on the same machine, more disk space is required.
- Minimum resolution of 256 colors at 800 x 600 lines
Your Windows NT server must meet the following minimum software requirements:
- To have CiscoSecure ACS refer to the Grant Dial-in Permission to User feature, make sure this option is checked in the Windows NT User Manager for the applicable user accounts.
- Make sure your NAS is running Cisco IOS Release 11.2 or higher or you are using a third-party device that can be configured with TACACS+ and/or RADIUS.
Note Be sure to read the Cisco IOS notes for important information on Year-2000 compliance.
- Make sure dial-up clients can successfully dial in to your NAS.
- Make sure the Windows NT server can ping the NAS.
- A compatible browser installed on the Windows NT server. CiscoSecure ACS has been tested with the following browsers:
- Microsoft Internet Explorer 4 or 5
- Netscape Navigator 4.0x and Communicator 4.x
Note See the Release Notes for information about issues with various browser versions.
- Windows NT Service Packs are recommended. CiscoSecure ACS has been tested with Service Pack 4 and 5. (Service Pack 3 and earlier are not Year-2000 compliant.) See the Release Notes for information on any issues with other Service Pack versions.
- If you are using the Security Dynamics, Inc. (SDI) token server authentication, Cisco recommends using ACE/Client version 4.2 and ACE/Server version 3.3.
Upgrading from Previous Versions of CiscoSecure ACS
CiscoSecure ACS can be installed as a new installation or as an upgrade from any previous version of CiscoSecure ACS.
If you are upgrading, be sure to back up your CiscoSecure ACS system files and database and your Windows Registry. For information on backing up, see "Database Information Management."
For more detailed information on installation, see the quick reference cards.
ODBC Message During Upgrade Installation
If a message stating that "The ODBC resource DLL (filename) is a different version than the ODBC (file type and name)" displays during installation, follow these steps:
Step 1 Exit the installation program.
Step 2 Run the ODBCDMIN.EXE file, which is located in the SUPPORT\ODBC directory on the CiscoSecure ACS CD-ROM. Installing the ODBCDMIN.EXE file will install the ODBC 3.0 components.
Step 3 When you have finished installing these ODBC components, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.
Installation Terminates Abnormally
If you get an error message during installation indicating that installation has failed, follow these steps:
Step 1 Click Start/Settings/Control Panel/Add/Remove Program.
Step 2 Select CiscoSecure ACS 2.4 for Windows NT.
Step 3 Click Uninstall.
Step 4 When you have finished uninstalling, click SETUP.EXE in the root directory of the CD-ROM to restart installation of CiscoSecure ACS.
If Uninstall terminates abnormally or if installation still fails, follow these steps:
Step 1 Go to the SUPPORT\CLEAN directory and click CLEAN.EXE. This uninstalls CiscoSecure ACS completely and cleans up certain statements from the Windows NT Registry that prevent installation of CiscoSecure ACS.
Step 2 When you have finished running CLEAN.EXE, reboot the system and run SETUP.EXE from the root directory of the CD-ROM to restart installation of CiscoSecure ACS.
New Features in Release 2.4
CiscoSecure ACS Release 2.4 adds the following new features and capabilities:
- Encryption enhancementsStronger encryption for the CiscoSecure ACS database.
- Database Replication enhancementsEnhancements to the database replication feature
- Directory Services authenticationAuthentication to any supported version of the LDAP Directory Service (DS)
- External User Database Enable OptionsAbility for external users to authenticate via an enable password
- Group-level Network Device Groups (NDGs)ability to assign user groups to an NDG
- NDS Database Group Mappingsability to map a Novell Directory Services (NDS) group
- RDBMS Synchronization enhancementsAbility to synchronize NAS, AAA, NDG, and Proxy table entries
- VPDN Using the CiscoSecure ACS User Database with RADIUS Tunnelling AttributesSupport for IETF RADIUS tunneling attributes, allowing you to specify multiple tunnels in a single RADIUS packet, as specified in draft-ietf-radius-tunnel-auth-07.txt and draft-ietf-radius-tunnel-acct-03.txt
- VoIP AccountingAbility to log Voice over IP (VoIP) accounting data to the normal RADIUS accounting CSV or ODBC file, the additional VoIP accounting CSV or ODBC file, or both
- Date Format ControlAbility to use either a month/day/year or day/month/year format
- MS CallbackSupport for the Microsoft Callback feature
- CSV and ODBC Log FilesSupport for both comma-separated value (CSV) and Open DataBase Connectivity (ODBC) compatible accounting and administration logging
Other CiscoSecure ACS Features
Features included in this and previous versions of CiscoSecure ACS include:
- Password Aging
- IP Pools
- User-Changeable Password
- Support for MCIS LDAP
- Support for Microsoft Open Database Connectivity (ODBC) specifications
- Support for Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP)
- Multi-level administration
- Per-User TACACS+ or RADIUS attributes
- Ability to define different privileges for remote administrators, including logging records
- CSMonitor service
- Detailed logging information
- Scheduled ACS system backup and ability to restore from the backup file
- Ability to import UNIX password file
- Network Device Groups allow different privilege levels per IP address
- Ability to view detailed information for logged-on users
- Ability to upgrade from all previous versions of CiscoSecure ACS for Windows NT
- Support for Voice over IP (VoIP)
- Sophisticated handling of unknown users
- Remote administration
- Centralized logging
- Group mapping
- Supplementary user ID fields
- Simultaneous TACACS+ and RADIUS support
- Configurable HTML/Java HTML user interface (HTML interface)
- Help and online documentation included
- Group administration of users
- Virtual private dial-up network (VPDN) support available at the origination and termination of L2F tunnels
- Import mechanism to rapidly import a large number of users
- Hash-indexed flatfile database support for high-speed transaction processing
- Windows NT database support to leverage and consolidate Windows NT username and password management
- Windows NT single login
- Runs on Windows NT stand-alone, primary domain controller (PDC), and backup domain controller (BDC) servers
- Password support including Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and AppleTalk Remote Access Password (ARAP)
- Support for token card security servers
- Token caching for Integrated Services Digital Network (ISDN) terminal adapters of one-time password (OTP) tokens
- Time-of-day and day-of-week access restrictions
- Network access restrictions based on remote address caller line identification (CLID)
- Ability to disable an account on a specific date
- Ability to disable an account after an amount of failed attempts specified by the administrator
- Ability to view a list of logged-in users
- Windows NT Performance Monitor support for real-time statistic viewing
- Configurable accounting and auditing information stored in comma-separated values (CSV) format for convenient import into billing applications
- Configurable accounting and auditing information stored in Open Database Connectivity (ODBC) format for convenient logging to an ODBC server.
- User and group MaxSessions
- Configurable character string stripping
- Authentication forwarding
- Relational database management system (RDBMS) synchronization
- Database replication
- System/database backup and maintenance
- Dialed number identification service (DNIS) Support
- Year-2000 compliance
CiscoSecure ACS Concepts and Functions
This section describes some of the different components that work together with CiscoSecure ACS to provide network security.
CiscoSecure ACS and the Access Device
The NAS is configured to direct all user access requests to CiscoSecure ACS for authentication and authorization of privileges. Using the TACACS+ or RADIUS protocol, the NAS sends authentication requests to CiscoSecure ACS, which verifies the username and password against the selected user database. CiscoSecure ACS then returns a success or failure response to the NAS, which permits or denies user access.
When the user has successfully authenticated, a set of session attributes can be sent to the NAS to provide additional security and control of privileges. These attributes might include the IP address pool, access control list, or type of connection (for example, IP, IPX, or Telnet).
TACACS+ and RADIUS
CiscoSecure ACS can use both the TACACS+ and RADIUS security protocols..
TACACS+ and RADIUS Protocol
TCPConnection oriented transport layer protocol, reliable full-duplex data transmission
UDPConnectionless transport layer protocol, datagram exchange without acknowledgments or guaranteed delivery
Full packet encryption
Encrypts only passwords of up to 16 bytes
Independent AAA architecture
Authentication and authorization combined
Useful for router management
Not useful for router management
Authentication determines a user's identity and verifies the information. Traditional authentication uses a name and a fixed password. More modern and secure methods use OTPs such as CHAP and token cards. CiscoSecure ACS provides support for these authentication methods.
There is a fundamental relationship between authentication and authorization. The more authorization privileges a user receives, the stronger the authentication should be. CiscoSecure ACS offers this capability by providing various methods of authentication.
Username and password is the most popular, simplest, and least expensive method used for authentication. No special equipment is required. This is a popular method for service providers because of its easy application by the client. The disadvantage is that this information can be told to someone else, guessed, or captured. Username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.
To reduce the risk of password capturing on the network, use encryption. Client and server access control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate between the NAS and the access control server. Clear-text passwords can be captured between a client host dialing up over a phone line or an ISDN line terminating at a NAS.
Service providers who offer increased levels of security services, and corporations who want to lessen the chance of intruder access resulting from password capturing, can use an OTP. CiscoSecure ACS supports several types of OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node logon. Token cards are considered one of the strongest OTP authentication mechanisms.
The CRYPTOCard token-card server software is included with CiscoSecure ACS. All you need is the CRYPTOCard token card. CiscoSecure ACS also supports the following token-card servers for authentication:
- Security Dynamics, Inc. (SDI)
To use SDI's ACE server, you must install the ACE clients and configure them in CiscoSecure ACS to call the server when a user attempts to authenticate with an ACE token card.
Note If you are using the Security Dynamics, Inc. (SDI) token server authentication, Cisco recommends using ACE/Client version 4.2 and ACE/Server version 3.3.
To use the AXENT token-card server, configure CiscoSecure ACS with the AXENT server's address and shared secret.
CiscoSecure ACS supports all leading authentication protocols:
- External token-card server
- Windows NT user database
- Directory services (DS) (LDAP)
- Microsoft MCIS LDAP
- Novell NDS
Passwords can be processed using these protocols based on the version and type of security control protocol used and the configuration of the NAS and client. The following sections outline the different conditions and functions of password handling.
CiscoSecure ACS acts as a client to the token-card server. The communication link between CiscoSecure ACS and the token-card server must be secure. This is done by either configuring a shared secret password between the two servers and defining the IP address or by installing a file created by the token-card server containing the same information into CiscoSecure ACS.
Directory Services (DS) (LDAP)
CiscoSecure ACS supports authentication of users against records kept in a Directory Server through the Lightweight Directory Access Protocol (LDAP). CiscoSecure interacts with the most popular directory servers, including Novell and Netscape. PAP passwords can be used when authenticating against the Directory Server. CiscoSecure ACS logs these transactions and displays their results in the Reports & Activity section of the CiscoSecure ACS HTML interface.
You can use the secure socket layer (SSL) protocol to create a secure tunnel from the ACS to the Directory Server for transporting AAA traffic.For more information, see the "Protecting Your Web Server (Optional)" section on the Web Server Installation for CiscoSecure ACS for Windows NT User-changeable Passwords quick reference card.
CiscoSecure ACS supports the Microsoft Commercial Internet System Lightweight Directory Access Protocol ( MCIS LDAP). MCIS is Microsoft's product suite of commercial-grade server components designed for Internet service providers (ISPs) and commercial web sites. MCIS is a member of the Microsoft BackOffice family of servers and runs on Microsoft Windows NT Server and Microsoft Internet Information Server (IIS). For more information on MCIS, see your Microsoft documentation.
CiscoSecure ACS supports authentication via an Open DataBase Connectivity (ODBC)-compliant SQL database. ODBC is a standardized API that was first developed by Microsoft and is now used by most major database vendors. ODBC now follows the specifications of the SQL Access Group. The benefit of ODBC in a web-based environment is easy access to data storage programs such as Microsoft Access and SQL Server. For more information on ODBC, see your ODBC and database vendor documentation.
Basic Password Configurations
There are six basic password configurations:
Note These configurations are all classed as Inbound authentication.
- Single password for ASCII/PAP/CHAP/MS-CHAP/ARAPThis is the most convenient method for both the SYSOP when setting up accounts and for the user when obtaining authentication. However, because the CHAP password is the same as the PAP password, and the PAP password is transmitted in clear text during an ASCII/PAP login, there is the chance that the CHAP password can become known.
- Separate passwords for ASCII/PAP and CHAP/MS-CHAP/ARAPFor a higher level of security, users can be given two separate passwords. If the ASCII/PAP password is compromised, the CHAP/ARAP password remains secure.
- ASCII login with token cardFor basic ASCII authentication via a token-card server, the user does not need a password to be held in the CiscoSecure ACS user database.
- Novell NDSFor authentication when using a Novell NDS server.
- DS (LDAP)For authentication against records kept in a directory server through the Lightweight Directory Access Protocol (LDAP). CiscoSecure interacts with the most popular directory servers, including Novell and Netscape.
- MCIS LDAPFor authentication when using the Microsoft Commercial Internet System Lightweight Directory Access Protocol.
- ODBCFor authentication when using the Open DataBase Connectivity system.
- Windows NT user databaseAgain, the user does not configure a password in the CiscoSecure ACS user database; however, only ASCII/PAP authentication is supported.
Advanced Password Configurations
In addition to the basic password configurations listed above, CiscoSecure ACS also provides for:
- Inbound passwordsPasswords used by most CiscoSecure ACS users. These are supported by both the TACACS+ and RADIUS protocols. They are held internally to the CiscoSecure ACS user database and are not usually given up to an external source if an outbound password has been configured.
- Outbound passwordsThe TACACS+ protocol supports outbound passwords that can be used, for example, when a NAS has to be authenticated by another NAS and client. Passwords from the CiscoSecure ACS user database are then sent back to the NAS and client.
- Token cachingWhen token caching is enabled, ISDN users can connect (for a limited time period) a second B Channel using the same OTP entered during the original authentication. For a higher level of security, the B-Channel authentication request from the NAS should include the OTP in the username value (for example Fred*apassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user's configuration.
The TACACS+ SENDAUTH feature enables a NAS to authenticate itself to another NAS/client via an outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the CiscoSecure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, Cisco recommends that the separate SENDAUTH password be configured for the user so that CiscoSecure ACS inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security, Cisco recommends that you configure CiscoSecure ACS with a separate outbound password that is different from the inbound password.
The password aging feature of CiscoSecure ACS lets you force users to change their passwords under any of the following conditions:
- After a specified number of days
- After a specified number of logins
- The first time a new user logs in
Note CiscoSecure ACS password aging is not affiliated with Windows NT password aging.
Password aging requires the following conditions:
- The CiscoSecure Authentication Agent (CAA) software must be installed in Windows 95/98 or Windows NT on the PC from which the user will dial. The CAA software is available at http://www.cisco.com.
- The users must be using the Windows 95/98, Windows NT 3.51, or Windows NT 4.0 dial-up networking client or another PPP dial-up client.
- The connections must be using PPP.
- You must set up your NAS to perform Authentication and Accounting using the same protocoleither TACACS+ or RADIUS.
- The NAS must be using Cisco IOS Release 11.2.7 or later and be configured to send a "watchdog" accounting packet (aaa accounting new-info update) with the IP address of the calling station.
Password aging parameters are configured in the Group Setup window. For more information on the password aging feature, see the "Password Aging Rules" section.
With CiscoSecure ACS, you can install a separate program that lets users change their passwords using a web-based utility. For more information, see the Web Server Installation for CiscoSecure ACS for Windows NT User-Changeable Passwords quick reference card.
CiscoSecure Authentication Agent
To use the user-changeable password feature of CiscoSecure ACS, make sure you have installed the latest version of the CAA software. See your CAA documentation for more information.
PAP, CHAP, and ARAP Support
Different levels of security can be used with CiscoSecure ACS for different requirements. The basic user-to-network security level is PAP. Although it does not represent the highest form of encrypted security, PAP does offer convenience and simplicity for the client. PAP allows authentication against the Windows NT database. With this configuration, users need to log in only a single time. CHAP allows a higher level of security for encrypting passwords when communicating from a client to the NAS. You can use CHAP with the CiscoSecure ACS user database. ARAP support is included to support Apple clients.
Comparing PAP, CHAP, and ARAP
PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords. However, each protocol provides a different level of security.
- PAPUses clear-text passwords and is the least sophisticated authentication protocol. If you are using the Windows NT user database to authenticate users, you must use PAP password encryption.
- CHAPUses a challenge-response mechanism with one-way encryption on the response. CHAP lets CiscoSecure ACS negotiate downward from the most secure to the least secure encryption mechanism, and it protects passwords transmitted in the process. CHAP passwords are reusable. If you are using the CiscoSecure ACS user database for authentication, you can use either PAP or CHAP.
- ARAPARAP uses a two-way challenge-response mechanism. The NAS challenges the dial-in client to authenticate itself, and the dial-in client challenges the NAS to authenticate itself.
CiscoSecure ACS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) for user authentication. The differences between MS-CHAP and standard CHAP are:
- The MS-CHAP Response packet is in a format compatible with Microsoft Windows NT, Windows 95/98, and LAN Manager 2.x. The MS-CHAP format does not require the authenticator to store a clear-text or reversibly encrypted password.
- MS-CHAP provides an authenticator-controlled authentication retry mechanism.
- MS-CHAP provides addition failure codes in the Failure packet Message field.
For more information on MS-CHAP, see RFC draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.
Authorization determines what a user is allowed to do. CiscoSecure ACS can send user profile policies to a NAS to determine the network services the user can access or the level of service to which the users is subscribed. You can configure authorization to give different users and groups different levels of service. For example, standard dial-up users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.
The CiscoSecure ACS access restrictions feature lets you permit or deny logins based on time-of-day and day-of-week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 am to 5 pm.
You can also restrict use by way of the Max Sessions feature, allowing a maximum number of concurrent sessions per user or group.
You can restrict users to a service or combination of services such as Point-to-Point Protocol (PPP), AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).
One fast-growing service being offered by service providers and adopted by corporations is a service authorization for Virtual Private Dial-Up Networks (VPDNs). CiscoSecure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server (such as the Home Gateway for that user) or for the Home Gateway router to validate the user at the customer premises. In either case, CiscoSecure ACS can be used for each end of the VPDN.
Accounting is the action of recording what a user is doing or has done. CiscoSecure ACS writes accounting records to a CSV log file or ODBC database daily. You can easily update this log file into popular database and spreadsheet applications for billing, security audits, and report generation. Among the types of accounting logs you can generate are:
- TACACS+ AccountingLists when sessions start and stop; records NAS messages with username; provides caller line identification information; records the duration of each session.
- RADIUS AccountingLists when sessions stop and start; records NAS messages with username; provides caller line identification information; records the duration of each session.
- Administrative AccountingLists configuration commands entered on the NAS.
Max Sessions is a useful feature for organizations that need to limit the number of concurrent sessions available to either a user or a group:
- User Max SessionsFor example, an ISP can limit each account holder to a single session.
- Group Max SessionsFor example, an enterprise administrator can allow the remote access infrastructure to be shared equally among a number of departments and limit the maximum number of concurrent sessions for all the users of any one department.
In addition to simple User and Group Max Sessions control, CiscoSecure ACS lets the administrator specify a Group Max Sessions value and a group-based User Max Sessions value; that is, a User Max Sessions value based on the user's group membership. For example, an administrator can allocate a Group Max Sessions value of 50 to the group "Sales" and also limit each member of the "Sales" group to 5 sessions each. This way no single member of a group account would be able to use more than 5 sessions at any one time, but the group could still have up to 50 active sessions.
Network Device Groups
Network Device Grouping (NDG) is an advanced feature that allows you to view and administer a collection of network devices as a single logical group. To simplify administration, each group can be assigned a convenient name that can be used to refer to all devices within that group. This creates two levels of network devices within CiscoSecure ACSsingle discrete devices such as an individual router, NAS, or PIX firewall, and an NDG; that is, a collection of routers or AAA servers.
A device can belong to only one NDG at a time.
Using NDGs allows an organization with a large number of routers spread across a large geographical area to logically organize their environment within CiscoSecure ACS to reflect the physical setup. For example, all routers in Europe could belong to a group named Europe; all routers in the United States could belong to a US group; and so on. This would be especially convenient if each region's NASes were administered along the same divisions. Alternatively, the environment could be organized by some other attribute such as divisions, departments, business functions, and so on.
Beginning with release 2.4 of CiscoSecure ACS, you can assign a group of users to an NDG. For more information on NDGs, see the "Network Device Groups" section.