Cisco Secure Access Control Server Software and Versions


ACS provides a highly scalable, centralized user access control framework. ACS versions run from 2.0 through 3.2, which is the most current version. Each release of ACS has added support for more vendors' AAA implementations and for more external databases. ACS has a browser-driven interface that makes configuration of the centrally located database a simple task.

ACS provides for the authentication of Cisco routers, switches, firewalls, and wireless access points. In addition to the Cisco products that ACS supports, ACS also performs authentication for Ascend, Juniper, Nortel, iPass, and other devices that support Internet Engineering Task Force (IETF) implementations of RADIUS.

Cisco Secure Access Control Servers began with what was called Easy ACS version 1.0. Since that time the ACS product line has undergone numerous facelifts and functionality enhancements to create a product at the leading edge of authentication, authorization, and accounting technologies.

In the following sections, you will find information about specific versions of the ACS product line.

Cisco Secure ACS for Windows Server Version 2.0

The versions of ACS discussed in this chapter begin with 2.0. ACS 2.0 for Windows NT supported the following features:

  • Simultaneous TACACS+ and RADIUS support for a flexible solution

  • HTML/Java graphical user interface (GUI) that simplifies and distributes configuration for user profiles, group profiles, and ACS configuration

  • Help and online documentation included for quick problem solving

  • Group administration of users for maximum flexibility and to facilitate enforcement and changes of security policies

  • Virtual private network (VPN) support available at the origination and termination of VPN (L2F) tunnels

  • Import mechanism to rapidly import a large number of users

  • Hash-indexed flat file database support for high-speed transaction processing

  • Windows NT database support to leverage and consolidate Windows NT username and password management

  • Windows NT single login

  • Runs on Windows NT standalone, PDC, and BDC servers

  • Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access (ARA)

  • Token card server support for Security Dynamics and Axent

  • Token caching for ISDN terminal adapters of Security Dynamics tokens

  • Time-of-day and day-of-week access restrictions

  • User restrictions based on remote address calling line identification (CLID)

  • Disabling an account on a specific date

  • Disabling an account after N failed attempts

  • Viewing logged-in user list

  • Windows NT Performance Monitor support for real-time statistic viewing

  • Accounting and audit information stored in CSV format for convenient import into billing applications

  • Simple upgrade from Cisco Secure Easy ACS v1.0
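Several of the 2.0 features above are per-user restrictions that an AAA server must combine into one allow/deny decision: lockout after N failed attempts, disabling an account on a specific date, and time-of-day/day-of-week windows. The following Python is an added illustration of how such a policy check fits together; it is not ACS code, and the record layout, field names and sample data are constructed for this example.

```python
"""Added illustration (not ACS code) of combining per-user restrictions:
lockout after N failed attempts, disable-on-date, and time-of-day /
day-of-week windows. Record layout and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, date
from typing import Optional


@dataclass
class UserRecord:
    username: str
    max_failed: int                      # "disable account after N failed attempts"
    failed_attempts: int = 0
    disabled: bool = False
    disable_on: Optional[date] = None    # "disabling an account on a specific date"
    # Allowed windows: weekday (0=Mon .. 6=Sun) -> list of (start_hour, end_hour).
    # An empty table means the user has no time-of-day restriction.
    windows: dict = field(default_factory=dict)


def in_window(user: UserRecord, when: datetime) -> bool:
    """True if 'when' falls inside one of the user's permitted windows."""
    if not user.windows:
        return True
    for start, end in user.windows.get(when.weekday(), []):
        if start <= when.hour < end:
            return True
    return False


def evaluate(user: UserRecord, password_ok: bool, when: datetime):
    """Return (decision, reason) for one login attempt.

    Mutates the record: bumps the failure counter on bad credentials and
    flips 'disabled' when the lockout threshold or disable date is hit.
    """
    if user.disabled:
        return ("DENY", "account disabled")
    if user.disable_on is not None and when.date() >= user.disable_on:
        user.disabled = True
        return ("DENY", "account expired")
    if not in_window(user, when):
        # A time-window denial is not a credential failure, so it is not
        # counted toward the lockout threshold.
        return ("DENY", "outside permitted time window")
    if not password_ok:
        user.failed_attempts += 1
        if user.failed_attempts >= user.max_failed:
            user.disabled = True
            return ("DENY", "locked after %d failed attempts" % user.failed_attempts)
        return ("DENY", "bad credentials")
    user.failed_attempts = 0            # a good login resets the counter
    return ("PERMIT", "ok")


if __name__ == "__main__":
    # Constructed sample: alice may log in Mondays 08:00-18:00, three strikes.
    alice = UserRecord("alice", max_failed=3, windows={0: [(8, 18)]})
    monday_noon = datetime(2024, 1, 1, 12, 0)
    print(evaluate(alice, True, monday_noon))
    print(evaluate(alice, True, datetime(2024, 1, 1, 20, 0)))
    for _ in range(3):
        print(evaluate(alice, False, monday_noon))
    print(evaluate(alice, True, monday_noon))
```

The order of the checks matters: the disabled and expiry tests run before the time window so an expired account stays denied regardless of the hour, and a time-window denial does not advance the lockout counter, which keeps an attacker from locking a user out merely by trying outside business hours.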

Cisco Secure ACS for Windows Server Version 2.1

The next version of ACS made available was version 2.1. The following enhancements were made:

  • User/group assignment is now handled correctly by CSUtil. This was a problem in the earlier release of ACS.

  • The Open DataBase Connectivity (ODBC) thread count is now set to 1, which puts the Access database engine into single-thread mode (previously this required a .reg patch).

  • Corrected grammar in the New-Pin mode prompt. This was also an issue in the earlier release.

  • Remote Administration was added.

  • Supplementary User ID fields were added.

  • Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access Password (ARAP) was added.

  • Support for SafeWord and CRYPTOCard Token Servers was added.

  • The User and Group MAX sessions configuration options were added.

  • Configurable character string stripping was added.

  • Authentication forwarding was added.

  • Configurable graphical user interface (GUI) was added.

  • RDBMS synchronization was added.

  • Database replication was added.

  • System/database backup was added.

  • Dialed number identification service (DNIS) support was added.

  • This version was also Year 2000 compliant.

Cisco Secure ACS for Windows Server Version 2.3

When version 2.3 was deployed, the following new features were added:

  • Password aging was added to control user password security.

  • IP pools were added to provide for IP address assignment based on an address pool.

  • User Changeable Passwords were implemented through a new module that would allow users to browse to a URL and change their password.

  • Support for the Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP).

  • Support for Open DataBase Connectivity (ODBC)-compliant databases.

  • Support for Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP).

  • Per-user Advanced Terminal Access Controller Access Control System Plus (TACACS+) and/or Remote Authentication Dial-In User Service (RADIUS) attributes.

  • Multilevel administration.

  • CSMonitor service was added to keep an eye on the services that were crucial to the functions of ACS.

  • ACS Backup and Restore functionality was built in to provide for the backup and restoration of ACS.

  • The ability to import password files from a UNIX-based device was added.

  • Network Device Groups (NDGs) were added to break AAA clients into groups to ease the management of multiple AAA clients.

  • Logging and reporting enhancements were added to this version.

  • The ability to upgrade from all previous versions of Cisco Secure ACS for Windows NT was added.

  • Support for the null password requirement of Voice over IP (VoIP) was also added to this version.

Cisco Secure ACS for Windows Server Version 2.4 and 2.5

Later, versions 2.4 and 2.5 were released. In an effort to provide support for Windows 2000, release 2.5 was the first version that could run on a Windows 2000 server.

Cisco Secure ACS for Windows Server Version 2.6

Version 2.6 is a Windows NT/2000 release that included added support for the following:

  • A wider range of token servers, such as Security Dynamics, Inc.; ACE/Server version 4.1 and ACE/Client version 1.1 for Windows 2000; CRYPTOAdmin version 5.0 (build 27); Axent Defender versions 4.0.3 and 4.1.0; and Secure Computing SafeWord version 5.1.1.

  • Support for Novell 4.6 for Windows NT and Novell client 4.7 for Windows 2000.

  • Windows 2000 Service Pack 1 is required; 128-bit encryption with Microsoft Dial-Up Networking was added.

The last revision of the 2.6 version was 2.6.4. This is still widely used in today's enterprise networks.

Cisco Secure ACS for Windows Server Version 3.0

The next version in the ACS product line was version 3.0. ACS version 3.0 was designed for Windows NT/2000. ACS version 3.0 introduced some new functions. These functions are included in the following list:

  • 802.1x support was added.

  • Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) support was added.

  • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) support was added.

  • Command authorization sets were added.

  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 support was added.

These were considered the major features added. Other minor features added to ACS deserve mention. These include the following:

  • Per-user access control lists

  • Shared Network Access Restriction (NAR)

  • Wildcards in the NAR

  • Multiple devices per AAA client configuration

  • Multiple Lightweight Directory Access Protocol (LDAP) lookups and LDAP failover

  • User-defined RADIUS vendor-specific attributes

Many of these features are configured throughout the course of this book.

Cisco Secure ACS for Windows Server Version 3.1

The next version available was ACS version 3.1. ACS version 3.1 added the following features:

  • Protected Extensible Authentication Protocol-Generic Token Cards (PEAP-GTC) support: PEAP provides stronger security, greater extensibility, and support for one-time token authentication and password aging. The goal of our PEAP implementation is to replace Lightweight Extensible Authentication Protocol (LEAP) client/server user authentication services with the standards-based, non-proprietary PEAP protocol for wireless user authentication. PEAP provides enhanced security and richer extensibility of end user databases than can be provided with LEAP.

  • Secure Sockets Layer (SSL) support for administrative access: Administrative access to the Cisco Secure ACS HTML interface can be secured with SSL. This security enhancement provides both certificate-based server authentication and encrypted tunnel support so that administrative access is encrypted with SSL.

  • CHPASS improvements: Cisco Secure ACS allows you to control whether network administrators can change passwords during Telnet sessions hosted by TACACS+ AAA clients.

  • Improved IP Pool addressing: Cisco Secure ACS uses the IETF RADIUS class attribute as an additional index for user sessions. This reduces the possibility of allocating an IP address that is already in use but incorrectly reported to Cisco Secure ACS as released.

  • Network device search: You can search for a configured network device based on the device name, IP address, type (AAA client or AAA server), and network device group. This feature is particularly useful if you are managing several network devices.

  • Improved Public Key Infrastructure (PKI) support: During EAP-TLS authentication, Cisco Secure ACS can perform binary comparison of the certificate received from an end user client to user certificates stored in LDAP directories.

  • EAP proxy enhancements: Cisco Secure ACS supports LEAP and EAP-TLS proxy to other RADIUS or external databases using EAP over standard RADIUS. Previous versions of Cisco Secure ACS relied on LEAP proxy using MS-CHAP over RADIUS proxy, making it more difficult to scale over an extended range of external user databases.

  • Cisco Management Center application support: Cisco Secure ACS provides a consolidated administrative TACACS+ control framework for many Cisco security management tools, such as CiscoWorks VPN/Security Management Solution (VMS) and CiscoWorks Management Centers.
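The "Improved IP Pool addressing" item above describes keying each lease on the RADIUS Class attribute in addition to the username, so a stale or mis-attributed release cannot free an address another session still holds. The following Python is an added example of that indexing scheme, not ACS code; the pool range, the Class values and the `IPPool` class are constructed for this illustration.

```python
"""Added illustration (not ACS code): an address pool that indexes each lease
on (username, RADIUS Class attribute) rather than on username alone.  With
the extra index, a release report carrying a Class value that does not match
a live lease is ignored instead of freeing an address still in use.
Pool range, Class values and names are constructed for this example."""
import ipaddress


class IPPool:
    def __init__(self, network: str):
        # Free addresses in ascending order; hosts() excludes network/broadcast.
        self.free = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.leases = {}   # (username, class_attr) -> address

    def allocate(self, username: str, class_attr: str) -> str:
        """Hand out an address for one session identified by (user, Class)."""
        key = (username, class_attr)
        if key in self.leases:
            return self.leases[key]        # repeat request from the same session
        if not self.free:
            raise RuntimeError("pool exhausted")
        addr = self.free.pop(0)
        self.leases[key] = addr
        return addr

    def release(self, username: str, class_attr: str) -> bool:
        """Return the address to the pool only if (user, Class) matches a live
        lease.  Returns True if something was freed, False if the report was
        stale or did not correspond to any current session."""
        addr = self.leases.pop((username, class_attr), None)
        if addr is None:
            return False
        self.free.append(addr)
        return True

    def address_in_use(self, addr: str) -> bool:
        return addr in self.leases.values()


def demo():
    """Two concurrent sessions for one user, then a stale and a valid release."""
    pool = IPPool("10.0.0.0/29")              # constructed: 6 usable hosts
    first = pool.allocate("alice", "SESS-001")
    second = pool.allocate("alice", "SESS-002")
    # Stale stop record for a session that no longer exists: nothing is freed,
    # so neither live address can be re-issued to someone else.
    stale_freed = pool.release("alice", "SESS-000")
    # Legitimate stop for the first session frees exactly that address.
    real_freed = pool.release("alice", "SESS-001")
    return first, second, stale_freed, real_freed, sorted(pool.leases.values())


if __name__ == "__main__":
    print(demo())
```

Indexing on username alone would let the stale `SESS-000` report free whichever address the user held, after which the next allocation could hand that address to a different client while the original session still uses it; the compound key is what prevents that collision.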

ACS version 3.1 also addressed a highly requested feature: the ability to access the management interface from outside a firewall. In version 3.1, a function was added that uses the domain name and translates the IP address in the packet.

In addition to these additions and changes, Cisco also changed the way that ACS supports token servers. In previous versions of ACS, token server support was based on proprietary interfaces. In ACS version 3.1.1, all except for the RSA SecurID are supported using RADIUS.

NOTE

CRYPTOCard OTP interface was included in version 3.0; however, it uses RADIUS rather than the CRYPTOCard proprietary protocol interface. In 3.1.1, the CRYPTOCard proprietary protocol interface was added.


Cisco also made enhancements to the database replication functionality so that each ACS requires a handshake from the primary ACS using the secret key for the primary device.

Other changes made included the use of 128-bit encryption to communicate with ACS. This affected remote logging as well as the User Changeable Password (UCP) module. You would need to upgrade to the UCP module provided with ACS version 3.1.

Cisco Secure ACS for Windows Server Version 3.2

The next version of ACS was version 3.2. This is the most current version of ACS. The features and functions added to ACS version 3.2 are seen in the following list:

  • In ACS version 3.2, provisions were made for the support of PEAP with EAP-MS-CHAPv2. EAP-MS-CHAP is implemented according to the RFC. The EAP-MS-CHAPv2 protocol is implemented as an internal EAP type, but only inside PEAP. Extensive EAP-TLS support was also added.

  • Version 3.1 supported PEAP-GTC; however, MS-PEAP has many differences. ACS version 3.2 supports EAP-MS-CHAP inside PEAP. In addition to this support, provisions for PEAP version negotiations have been added.

  • ACS version 3.2 also includes EAP negotiation for the second EAP type. EAP-GTC and EAP-MS-CHAPv2 are supported simultaneously inside PEAP. If both internal EAP types are configured, ACS starts with EAP-MS-CHAPv2.

  • Additional Aironet support has been included in ACS version 3.2 to include extended client support and PEAP support to users created in the ACS internal database.

Other changes to ACS version 3.2 are seen in the following list:

  • LDAP multithreading

  • Machine authentication support

  • EAP mixed configurations

  • Accounting support for Aironet

  • Downloadable access control lists for virtual private network (VPN) users

For more information regarding the functional specifications of ACS, see the release notes accessible through http://www.cisco.com/go/acs.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
