A fundamental relationship between
authentication and authorization is that the more authorization
privileges a user receives, the stronger the authentication should
be. The Cisco Secure ACS offers this capability by providing
several different methods of authentication. Username/password is
the most popular, simplest, and least-expensive method used for
authentication. This is considered "something you know."
No special equipment is required.
Username/password is a popular
method for service providers because of its easy application by
the client. The disadvantage is that "something you
know" can be told to someone else, guessed, or captured.
Username/password is not considered a strong authentication
mechanism, but it can be sufficient for a low authorization or
privilege level such as Internet access.
The risk of password capture on the network can be reduced by
using encryption. Client/server access control protocols such as
TACACS+ and RADIUS encrypt passwords to prevent them from being
captured within a network. However, TACACS+ and RADIUS operate
only between the NAS and the ACS. Clear-text passwords can still
be captured between a client host and the NAS when the client
dials in over a phone line or an ISDN line terminating at the NAS.
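As an added illustration that is not part of the original text, the following implements the RADIUS User-Password hiding scheme from RFC 2865 (section 5.2) that stands behind the statement that RADIUS protects passwords between the NAS and the ACS. The shared secret, Request Authenticator and password below are constructed sample values, not values from any real deployment.

```python
import hashlib

# Constructed sample values for demonstration only.
SAMPLE_SECRET = b"example-shared-secret"      # NAS/ACS shared secret
SAMPLE_AUTHENTICATOR = bytes(range(16))       # 16-byte Request Authenticator
SAMPLE_PASSWORD = b"correct horse battery"    # 21 bytes -> two 16-byte blocks


def _keystream_blocks(secret: bytes, authenticator: bytes, blocks):
    """Yield MD5(secret + previous block) for each ciphertext block.

    For the first block 'previous' is the Request Authenticator from the
    Access-Request header; afterwards it is the preceding hidden block.
    """
    prev = authenticator
    for block in blocks:
        yield hashlib.md5(secret + prev).digest()
        prev = block


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does before sending User-Password in an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c            # chaining: next key block depends on this output
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server (here, the ACS) does to recover the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    blocks = [hidden[i:i + 16] for i in range(0, len(hidden), 16)]
    plain = bytearray()
    for c, b in zip(blocks, _keystream_blocks(secret, authenticator, blocks)):
        plain += bytes(x ^ k for x, k in zip(c, b))
    return bytes(plain).rstrip(b"\x00")   # strip the NUL padding added by the NAS


def demo() -> tuple:
    """Round trip with the constructed values; returns (hidden, recovered)."""
    hidden = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    return hidden, reveal_user_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
```

The only key material is the shared secret, so the hiding is exactly as strong as that secret and covers exactly the NAS-to-ACS leg; nothing here protects the dial-up segment in front of the NAS.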
An OTP can be deployed for service
providers that offer increased levels of security services and
corporate customers that desire to lessen the chance of intruder
access that can result from password capture. The Cisco Secure ACS
supports several types of OTP solutions, including CHAP for PPP
remote-node logon. Token cards are considered one of the strongest
OTP authentication mechanisms available today. With token cards,
authentication requires "something you have and something you
know," and it results in an OTP that prevents password
capture.
The Cisco Secure ACS for Windows NT currently supports four
different token-card manufacturers: SDI, SafeWord (Secure
Computing), Cryptocard, and Axent Technologies. Cisco Secure ACS
"brokers" the username/OTP to the appropriate token server when
authentication is requested. Each token-card server is configured
within Cisco Secure ACS so that authentication is performed by the
token-card server and control then returns to Cisco Secure ACS,
where the authorization for the user's connection is applied.
One of the fastest-growing services offered by service providers
and adopted by corporations is service authorization for virtual
private dialup networks (VPDNs). The Cisco Secure ACS can provide
the network device with the information needed to configure a
secure tunnel for a specific user through a public network such as
the Internet. The information may be for the Internet service
provider's (ISP's) access server or for the home gateway router
that validates the user at the customer location. In either case,
a Cisco Secure ACS can be used at each end of the VPDN.
Cisco Secure ACS can permit or deny logins based on the time of
day or the day of the week. For example, a group could be set up
for temporary accounts that are disabled on specified dates,
enabling service providers to offer a 30-day free trial. The same
authorization could be used to create a temporary account for a
consultant with login permission limited to Monday through Friday,
9 a.m. to 5 p.m.
Users can be restricted to any one or a combination of PPP,
AppleTalk Remote Access (ARA), Serial Line Internet Protocol
(SLIP), or EXEC services. After a service is selected, Layer 2 and
Layer 3 protocols can be restricted and access lists applied.
Access lists on a per-group basis can keep users from reaching
parts of the network where critical information must be protected,
and can prevent users from using certain services such as File
Transfer Protocol (FTP) or Simple Network Management Protocol
(SNMP).
In many circumstances, AAA uses
protocols such as RADIUS, TACACS+, and Kerberos to administer its
security functions. If your router or access server is acting as a
NAS, AAA is the means through which you establish communication
between your NAS and your RADIUS, TACACS+, or Kerberos security
server.