12.1 Cisco Access-Control Solutions
12.1.3 Understanding AAA
Configuring the Cisco Secure server is the first part of a two-part process to develop an operational access-control system. The second part involves configuring the NAS so that it functions properly with the Cisco Secure server. Remember that a NAS is any client (such as a router) that makes authentication and authorization requests, or generates accounting packets. These steps are critical and must be completed with extreme precision. Failure to configure the NAS properly may result in being locked out of the router.

The three parts of AAA are defined as follows:

  • Authentication - Authentication determines a user's identity, and then verifies that information. Authentication can take many forms. Traditional authentication uses a name and a fixed password. More modern and secure methods use one-time passwords (OTPs) such as CHAP and token cards. Cisco Secure provides support for these authentication methods.

A fundamental relationship between authentication and authorization is that the more authorization privileges a user receives, the stronger the authentication should be. The Cisco Secure ACS offers this capability by providing several different methods of authentication. Username/password is the most popular, simplest, and least-expensive method used for authentication. This is considered "something you know." No special equipment is required.

Username/password is a popular method for service providers because of its easy application by the client. The disadvantage is that "something you know" can be told to someone else, guessed, or captured. Username/password is not considered a strong authentication mechanism, but it can be sufficient for a low authorization or privilege level such as Internet access.

The risk of password capture on the network can be reduced by using encryption. Client/server access-control protocols, such as TACACS+ and RADIUS, encrypt passwords to prevent them from being captured within a network. However, TACACS+ and RADIUS operate only between the NAS and the ACS. Clear-text passwords can still be captured on the segment between a client host dialing in over a phone line or an ISDN line and the NAS at which that line terminates.

An OTP can be deployed for service providers that offer increased levels of security services and corporate customers that desire to lessen the chance of intruder access that can result from password capture. The Cisco Secure ACS supports several types of OTP solutions, including CHAP for PPP remote-node logon. Token cards are considered one of the strongest OTP authentication mechanisms available today. With token cards, authentication requires "something you have and something you know," and it results in an OTP that prevents password capture.

The Cisco Secure ACS for Windows NT currently supports four different token-card manufacturers: SDI, SafeWord (Secure Computing), Cryptocard, and Axent Technologies. Cisco Secure ACS "brokers" the username/OTP to the appropriate token server when authentication is requested. Each token-card server is configured within Cisco Secure ACS so that the user is authenticated by the token-card server and control then returns to Cisco Secure, where the authorization for the user's connection is applied.

  • Authorization - Authorization determines what a user is allowed to do. The Cisco Secure ACS can send user profile policies to a network device such as an access server to determine the network services that user can access or the level of service subscribed to. Authorization can be configured to give different users and groups different levels of service. For example, standard dialup customers/users might not have the same access privileges as premium customers/users. Service might be differentiated by levels of security, access times, and services.

One of the fastest growing services being offered by service providers and adopted by corporations is a service authorization for virtual private dialup networks (VPDNs). The Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information may be for the Internet service provider's (ISP's) access server or for the home gateway router to validate the user at the customer location. In either case, a Cisco Secure ACS can be used for each end of the VPDN.

Cisco Secure ACS can permit or deny logins based on the time of day or day of the week. For example, a group could be set up for temporary accounts that will be disabled on specified dates, enabling service providers to offer a 30-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 a.m. to 5 p.m.

Users can be restricted to any one or a combination of PPP, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or EXEC services. After a service is selected, Layer 2 and Layer 3 protocols can be restricted and access lists applied. Access lists on a per-group basis can restrict users from reaching certain parts of the network where critical information may be protected. Access lists can also prevent users from using certain services such as File Transfer Protocol (FTP) or Simple Network Management Protocol (SNMP).

  • Accounting - Accounting is the action of recording what a user is doing or has done. Accounting information can be used for both service billing and security auditing. Cisco Secure ACS for Windows NT writes accounting records to a comma-separated value (CSV) log file. This log file can be easily imported into popular database and spreadsheet applications for billing, security audits, and report generation.

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, and Kerberos to administer its security functions. If your router or access server is acting as a NAS, AAA is the means through which you establish communication between your NAS and your RADIUS, TACACS+, or Kerberos security server.
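The following Cisco IOS configuration is an added example, not taken from the curriculum or from any Cisco documentation, of the NAS side of the two-part process described above: it enables AAA on a router, points authentication, authorization, and accounting at a TACACS+ server (the Cisco Secure ACS), and keeps a local fallback so that a server outage does not lock the administrator out. The server address 10.1.1.5, the shared key, the local username, and the list name CONSOLE are assumed placeholder values.

```cisco
! Added example NAS configuration (not from the curriculum).
! Assumed placeholders: ACS at 10.1.1.5, shared key, local admin account.
!
! 1. Create the local fallback account and enable secret BEFORE turning on
!    aaa new-model, so a working local login exists at every moment.
username admin privilege 15 secret LOCAL-FALLBACK-PLACEHOLDER
enable secret ENABLE-PLACEHOLDER
!
! 2. Define the Cisco Secure ACS as a TACACS+ server (key must match the
!    NAS entry configured on the ACS side).
tacacs-server host 10.1.1.5 single-connection
tacacs-server key SHARED-KEY-PLACEHOLDER
!
! 3. Enable the AAA command set.
aaa new-model
!
! Authentication: ask the ACS first; fall back to the local database only
! if no TACACS+ server responds. The console gets a local-only list so a
! misconfigured server key can never lock out physical access.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default if-needed group tacacs+ local
!
! Authorization: the ACS user/group profile decides the EXEC shell, the
! network (PPP) services, and which privilege-15 commands are permitted.
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: start/stop records for EXEC and network sessions, and a
! stop record for every privilege-15 command, sent to the ACS log.
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! Apply the lists to the lines.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

When applying a configuration like this, keep the existing console session open and test the new login from a second session before closing the first; the local username and `enable secret` defined in step 1 are what the `local` and `enable` fallback methods rely on when the ACS cannot be reached. The `single-connection` keyword is an optimization, not a requirement, and the older `tacacs-server host` syntax is used here because it matches the IOS releases the Windows NT ACS was deployed with; newer releases also accept the `tacacs server NAME` form.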