12.1 Cisco Access-Control Solutions
12.1.1 Security solutions
 As shown in the Figure, Cisco provides the following security solutions:
  • Clients - The dial clients can utilize CiscoRemote or token cards as a secure means for dialup. Token cards such as Secure Dynamics, Inc. (SDI), Enigma, and CryptoCards are supported.
  • Client protocols - Cisco IOS® software supports Point-to-Point Protocol (PPP), Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and MS-CHAP for dialup security. Cisco recommends using PPP with CHAP authentication. However, if Remote Authentication Dial-In User Service (RADIUS) or token cards are implemented, PAP is required.
  • Access servers - Cisco IOS software supports the following features and protocols to provide a secure means for dialup: dialer profiles, access control lists, per-user access control lists, Lock and Key, Layer 2 Forwarding Protocol (L2F), Layer 2 Tunneling Protocol (L2TP), and Kerberos V.
  • Central-site protocols - For security verification between the network access server (NAS) and the network security server, the NAS supports Terminal Access Controller Access Control System Plus (TACACS+), RADIUS, and Kerberos V protocols.
  • Security servers - Cisco Secure is the umbrella under which Cisco has a variety of security server solutions. Cisco Secure UNIX and Cisco Secure NT provide your network with AAA capabilities. Cisco also offers the PIX™ Firewall as a standalone unit.

The graphic shows the Cisco Secure access control server (ACS). This ACS can be used simultaneously with dialup access servers, routers, and firewalls. Each of the network devices can be configured to communicate with an ACS, making central control of dialup access possible for a service provider. It can also be used to secure corporate network devices from unauthorized access. Both applications have unique authentication and authorization requirements. With a Cisco Secure ACS, system administrators may use a variety of authentication methods that are aligned with varying degrees of authorization privileges. Centralizing control of network access simplifies access management and helps establish consistent provisioning and security policies.

Completing the access control functionality, the Cisco Secure ACS serves as a central repository for accounting information. Each user session that is granted by the ACS can be fully accounted for and stored in the server. This accounting information can be used for billing, capacity planning, and security audits.