Cisco Network Security Little Black Book - Joe Harris.pdf

RADIUS Accounting Process

The network access server and the RADIUS server exchange accounting information on UDP port 1646. It is the network access server's responsibility to send accounting information to the RADIUS server after initial authentication and authorization are complete, and it does so by sending an Accounting-Request packet to the server. This is considered the Accounting-Start packet. Because RADIUS runs over UDP, which is connectionless, the RADIUS server has the responsibility of acknowledging the Accounting-Request packet with an Accounting-Response packet. When the session is complete, the network access server sends another Accounting-Request packet to the RADIUS security server, detailing the service that was delivered. This is considered the Accounting-Stop packet. Finally, the RADIUS security server sends an Accounting-Response packet back to the network access server, acknowledging receipt of the stop packet. This is detailed in Figure 2.7.

Figure 2.7: RADIUS accounting process.
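The Start/Stop exchange of Figure 2.7, as an added Python example that is not from the book: it builds and verifies the packets on both the NAS and the server side, computing the Request and Response Authenticators the way RFC 2866 specifies (the book does not cover this), so an accounting record sent by a host that lacks the shared secret, or altered in transit, is rejected rather than logged. Attribute numbers are RFC 2866's; the user name, session id and shared secret are constructed sample values.

```python
import hashlib
import struct

# Codes and attribute types from RFC 2866; the Start/Stop semantics follow the text above.
ACCT_REQUEST, ACCT_RESPONSE, START, STOP = 4, 5, 1, 2
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
SECRET = b"constructed-shared-secret"   # constructed sample value, not a real secret

def attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian values."""
    out = b""
    for t, v in pairs:
        v = struct.pack("!I", v) if isinstance(v, int) else v
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_accounting_request(ident, pairs):
    """NAS side. Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = attrs(pairs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + SECRET).digest() + body

def verify_request(pkt):
    """Server side. Recompute the authenticator; a sender without the secret cannot forge it."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return False
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + SECRET).digest() == pkt[4:20]

def build_accounting_response(req):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, req[1], 20)   # the ack carries no attributes
    return header + hashlib.md5(header + req[4:20] + SECRET).digest()

def verify_response(req, resp):
    """NAS side. The ack must echo the request Identifier and carry a valid authenticator."""
    if resp[0] != ACCT_RESPONSE or resp[1] != req[1]:
        return False
    return hashlib.md5(resp[:4] + req[4:20] + resp[20:] + SECRET).digest() == resp[4:20]

def accounting_session():
    """Run the Start/Stop exchange from Figure 2.7, plus one Stop packet altered in transit."""
    session = [(USER_NAME, b"jdoe"), (ACCT_SESSION_ID, b"0001")]      # constructed sample user
    start = build_accounting_request(1, session + [(ACCT_STATUS_TYPE, START)])
    stop = build_accounting_request(2, session + [(ACCT_STATUS_TYPE, STOP), (ACCT_SESSION_TIME, 900)])
    results = {}
    for name, req in (("start", start), ("stop", stop)):
        results[name] = verify_request(req) and verify_response(req, build_accounting_response(req))
    forged = bytearray(stop)
    forged[-1] ^= 1                # change Acct-Session-Time without knowing the secret
    results["tampered_stop"] = verify_request(bytes(forged))
    return results
```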

Cisco Secure Access Control Server

Cisco Secure Access Control Server (ACS) is a scalable, centralized user access control software package for both Unix and Windows NT. Cisco Secure ACS offers centralized command and control of all user authentication, authorization, and accounting services via a Web−based, graphical interface. With Cisco Secure ACS, an enterprise can quickly administer accounts and globally change levels of security for entire groups of users. The Cisco Secure security server is designed to ensure the security of your network by providing authentication and authorization services and to track the activity of the people who connect to the network by providing feature−rich accounting services. The Cisco Secure security server software supports these features by using either the TACACS+ or RADIUS protocols. As mentioned, the Cisco Secure ACS software can run on either a Windows NT server or a Unix server; I'll discuss the Windows NT version.

Cisco Secure ACS for Windows

Cisco Secure ACS supports any network access servers that can be configured with the TACACS+ or RADIUS protocol. Cisco Secure ACS helps to centralize access control and accounting for dial-up access servers and firewalls and makes it easier to manage access to routers and switches. Cisco Secure ACS uses the TACACS+ and RADIUS protocols to provide AAA services to ensure a secure environment.

Cisco Secure ACS can authenticate users against any of the following user databases:

- Windows NT
- Windows 2000 Active Directory
- Cisco Secure ACS
- Novell NetWare Directory Services (NDS), version 4.6 or greater
- Generic Lightweight Directory Access Protocol (LDAP)
- Microsoft Commercial Internet System (MCIS)
- Relational databases fully compliant with Microsoft Open Database Connectivity (ODBC)

Cisco Secure ACS Requirements

To install Cisco Secure ACS, you must ensure that the system on which you are installing the software package meets the minimum system requirements, which are as follows:

- Pentium II, 300MHz processor or faster
- Windows NT Server 4 (with Service Pack 6a) or Windows 2000 Server
- 128MB RAM; 256MB recommended
- At least 250MB of free disk space; more if you're using the Cisco Secure local database
- Display of at least 256 colors at 800×600 resolution
- Microsoft Internet Explorer 4.x or higher, or Netscape Communicator 4.x or higher
- JavaScript enabled
- Microsoft Internet Information Server, for the optional User Changeable Passwords utility

Cisco Secure ACS Architecture

Cisco Secure ACS is designed to be both flexible and modular. Within the context of Cisco Secure ACS, modular refers to the seven modules that make up the architecture of the AAA server. These modules are installed as services within Windows NT and can be stopped and started by using the settings accessed by clicking the Services icon within Control Panel in Windows NT Server. The modules are described in the following list:

CSAdmin—Cisco Secure is equipped with its own internal Web server and, as such, does not require the presence of a third−party Web server. CSAdmin is the service that controls the operation of the internal Web server, allowing users to remotely manage the server via the Web interface.

CSAuth—CSAuth is the database manager that acts as the authentication and authorization service. The primary purpose of the CSAuth service is to authenticate and authorize requests to permit or deny access to users. CSAuth determines if access should be granted and, if access is granted, defines the privileges for a particular user.

CSTacacs and CSRadius—The CSTacacs and CSRadius services communicate with the CSAuth module and the network access device that is requesting authentication and authorization services. CSTacacs is used to communicate with TACACS+ devices and CSRadius is used to communicate with RADIUS devices. The CSTacacs and CSRadius services can run at the same time. When only one protocol is used, only the corresponding service needs to be running; however, the other service will not interfere with normal operation and does not need to be disabled.

CSLog—CSLog is the service used to capture logging information. It gathers data from the TACACS+ or RADIUS packet and the CSAuth service and then manipulates the data to be placed into the comma−separated value (CSV) files for exporting.

CSMon—CSMon is a service that provides monitoring, recording, notification, and response for both TACACS+ and RADIUS protocols. The monitoring function monitors the general health of the machine the application is running on, as well as the application and the resources that Cisco Secure ACS is using on the server. Recording records all exception events within the server logs. Notification can be configured to send an email in the event of an error state on the server, and Response responds to the error by logging the event, sending notifications, and, if the event is a failure, carrying out a pre−defined or user−configured response.

CSDBSync—CSDBSync is the service used to synchronize the Cisco Secure ACS database with a third-party relational database management system (RDBMS).

Cisco Secure ACS Database

You can configure the Cisco Secure ACS server to use a user−defined database that is local to the server or you can configure an external user database, such as a Windows NT Server. There are advantages and disadvantages to each.

When the Cisco Secure ACS server is configured to use the local database for authentication of usernames and passwords and it receives a request from the network access server, it searches its local database for the username that was supplied in the REPLY to the GETUSER packet. If it finds a match, it compares the value it receives in the REPLY to the GETPASS packet with the locally configured password for the account. The Cisco Secure ACS server then returns a pass or fail response to the network access server. After the user has been authenticated, the Cisco Secure ACS server sends the authorization attributes to the network access server. The advantage of using the locally configured database is ease of administration and speed. The disadvantage is that manual configuration is needed to populate the database.

You can also configure the Cisco Secure ACS server to authenticate username and password credentials against those already defined within a Windows NT or 2000 user database. When the Cisco Secure ACS server receives a request from the network access server, it searches its local database to find a match. If it does not find a match and the server is configured to forward requests to an external user database, the username and password are forwarded to the external database for authentication. The external database returns a pass or fail response to the Cisco Secure ACS server. If a match is confirmed, the username is stored in the Cisco Secure user database for future authentication requests; however, the password is not stored. This allows the user to authenticate much faster on subsequent requests.

In enterprises that have a substantial Windows NT network already installed, Cisco Secure ACS can leverage the work already invested in building the database without any additional input. This eliminates the need for separate databases. An added benefit of using an external user database is that the username and password used for authentication are also used to log into the network. This allows you to configure the Cisco Secure ACS so that users need to enter their usernames and passwords only once, thus providing a single login. One of the major disadvantages of using an external database for authentication is that the Cisco Secure server cannot store any third−party passwords such as PAP and CHAP passwords. Also, in the event of a network issue that prevents the Cisco Secure ACS server from receiving a response from the external database for an authentication request, you could potentially lock yourself out of the network access server because the user never gets authenticated.