Positioning ACS in Your Network


Positioning ACS in your network is an integral part of the deployment process. This chapter provides only general guidelines for positioning your ACS; each network has traits of its own that influence where the server belongs. Nonetheless, the following sections explore some common network topologies, such as dialup access, VPNs, and wireless, and the possibilities for placement of ACS in each.

Dialup Access

Dialup access is a key technology that uses the services of ACS for the authentication and authorization of remote users.

In my previous employment, I was in a situation where I would use a notebook computer and dial in to a remote access server (RAS) from the field, to upload and download my job assignments. When I would dial in, a username and password were required to determine who I was and what area, jobs, and network rights I was supposed to receive. This is the perfect place to deploy an ACS device. The size of the company that I worked for was big enough that we could have deployed ACS in multiple locations.


Deployment in large networks works best when ACS servers are distributed by geographic region. A proxy distribution table then lets a user who dials in from the road, and lands on a NAS whose local ACS does not hold that user's account, be forwarded to the ACS that does. Alternatively, you can replicate the database to every ACS so that each holds the same information. Multiple servers also provide redundancy in a large network, with replication keeping their databases synchronized.

In a larger dialup network, the ACS devices can be used to service multiple NAS devices. For smaller business models, a single ACS device might be better suited for all users with a secondary ACS device as a backup. You could use database replication in both situations. In the larger company, database replication can be used to ensure that all ACS devices have the same user accounts, groups, and configurations.

Figure 5-4 is an example of the possible placement of an ACS device in a small dialup network. Note that the ACS is on the dial-in side of the network, protected behind a Cisco Private Internet Exchange (PIX) Firewall. As we add more AAA functionality to ACS, we can incorporate the Cisco PIX Firewall as a NAS device to ACS. For now, we are using only the dialup NAS. In this situation, users dial in to the NAS, and the NAS acts as a client to ACS to verify that the user is authorized to establish a connection into the network.

Figure 5-4. ACS in a Small Dialup Network


Virtual Private Networks

Virtual private networks (VPNs) are the evolution of the dialup network: they use the Internet to reach the corporate network. Because a connection through a service provider's network is not as private as a dialup call, users must protect it with today's encryption technologies, such as Internet Protocol Security (IPSec).

In an IPSec environment, the user's tunnel terminates on a VPN-enabled NAS, which forwards the user's authentication information to the ACS device for verification. A common VPN topology is shown in Figure 5-5. This example uses a Cisco Internetwork Operating System (IOS) router as the VPN-enabled NAS, but a PIX Firewall or a VPN concentrator can take its place. One catch with the VPN 3000 series concentrators is that they authenticate users only through the RADIUS protocol, so TACACS+ is not an option there. IOS devices require release 12.2(8)T or later for this role.

Figure 5-5. VPN Topology


Another common issue to watch out for is access list filtering. An access list inspects each packet that passes through a router or a PIX Firewall and decides whether the traffic is permitted or denied, based on source and destination IP addresses, source and destination ports, and protocol. Often in a VPN environment the VPN-enabled device sits behind an edge router. If that edge router filters traffic coming into your network with an access list, you might need to add rules that permit UDP port 500 (ISAKMP, the IKE key exchange), the Encapsulating Security Payload (ESP, IP protocol 50), and the Authentication Header (AH, IP protocol 51). If peers sit behind NAT, IKE NAT traversal encapsulates ESP in UDP, so UDP port 4500 must be permitted as well.

Figure 5-6 shows a configuration on a Cisco IOS edge router whose access list 110 permits the IPSec protocols toward the VPN concentrator at IP address 172.168.4.5. The access list is applied to interface f0/0 to filter inbound traffic. Examine Example 5-1. Remember that every IOS access list ends with an implicit deny, so these entries are added alongside the rules that already permit your other inbound traffic; an access list consisting only of these three lines would block everything else arriving on f0/0.

Example 5-1. Permitting the IPSec Protocols
 edge-router#show run | include access-list
 access-list 110 permit udp any host 172.168.4.5 eq isakmp
 access-list 110 permit esp any host 172.168.4.5
 access-list 110 permit ahp any host 172.168.4.5
 edge-router#

Figure 5-6. Cisco IOS Edge Router
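Because the edge router evaluates an access list top to bottom and stops at the first matching entry, a deny placed above the IPSec permits, or a missing entry that falls through to the implicit deny, silently breaks the tunnel. The following script is an added example (not from the book, and not a Cisco tool) that parses the numbered extended access-list lines shown in Example 5-1 from a saved configuration and reports, in configuration order, whether ISAKMP, ESP, AH and NAT-T are permitted toward a given VPN endpoint. The two sample configurations are constructed for the demonstration; the first mirrors Example 5-1, the second shows a broad deny shadowing the NAT-T permit below it.

```python
"""Audit a Cisco IOS numbered extended access list for the entries an IPsec
VPN endpoint needs (added example; not part of the book or of any Cisco tool).

Entries are checked in configuration order, because IOS stops at the first
matching entry and every access list ends with an implicit deny.
"""
import re

# Protocol requirements of an IPsec VPN endpoint: (label, IOS protocol keyword,
# destination-port key or None). NAT-T on UDP 4500 is only needed when peers
# sit behind NAT, but it is listed so that its absence is reported.
IPSEC_REQUIREMENTS = [
    ("ISAKMP (IKE) on UDP 500", "udp", "isakmp"),
    ("ESP (IP protocol 50)", "esp", None),
    ("AH (IP protocol 51)", "ahp", None),
    ("NAT-T on UDP 4500", "udp", "non500-isakmp"),
]

# Port spellings IOS accepts for the two UDP ports of interest.
PORT_ALIASES = {
    "isakmp": {"isakmp", "500"},
    "non500-isakmp": {"non500-isakmp", "4500"},
}

# One access control entry (ACE) of a numbered extended ACL. Source and
# destination are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; whitespace is
# collapsed to single spaces before matching.
ACE_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?: log)?$"
)


def parse_acl(config_text, number):
    """Return the ACEs of access list `number` as dicts, in configuration order."""
    aces = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        m = ACE_RE.match(line)
        if m and int(m.group("num")) == number:
            aces.append(m.groupdict())
    return aces


def first_match(aces, proto, endpoint, port_key):
    """First ACE that covers `proto` from any source to `endpoint` (and port)."""
    for ace in aces:
        if ace["src"] != "any":                # remote-access peers come from anywhere
            continue
        if ace["dst"] not in ("any", f"host {endpoint}"):
            continue
        if ace["proto"] not in (proto, "ip"):  # 'ip' covers every IP protocol
            continue
        if port_key and ace["port"] and ace["port"] not in PORT_ALIASES[port_key]:
            continue
        return ace
    return None


def audit_ipsec_acl(config_text, number, endpoint):
    """Map each IPsec requirement to 'permit', 'deny', or 'missing' (implicit deny)."""
    aces = parse_acl(config_text, number)
    verdict = {}
    for label, proto, port_key in IPSEC_REQUIREMENTS:
        ace = first_match(aces, proto, endpoint, port_key)
        verdict[label] = ace["action"] if ace else "missing"
    return verdict


# Constructed sample configurations (not captured from a real router).
SAMPLE_OK = """\
access-list 110 permit udp any host 172.168.4.5 eq isakmp
access-list 110 permit esp any host 172.168.4.5
access-list 110 permit ahp any host 172.168.4.5
access-list 110 permit tcp any host 172.168.4.5 eq www
"""

SAMPLE_SHADOWED = """\
access-list 120 deny udp any any eq 4500
access-list 120 permit udp any host 172.168.4.5 eq isakmp
access-list 120 permit udp any host 172.168.4.5 eq non500-isakmp
access-list 120 permit esp any host 172.168.4.5
"""

if __name__ == "__main__":
    for cfg, num in ((SAMPLE_OK, 110), (SAMPLE_SHADOWED, 120)):
        print(f"access-list {num}:")
        for label, state in audit_ipsec_acl(cfg, num, "172.168.4.5").items():
            print(f"  {state:8} {label}")
```

Run it against the output of `show run | include access-list` saved to a file; for access list 120 the report shows NAT-T as `deny` even though a permit exists, because the earlier `deny udp any any eq 4500` wins.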


Wireless Deployment

When deploying ACS into a wireless network, you must determine whether users need to roam from one wireless access point to another. If the answer is yes, the task ahead has just become a bit more difficult, yet not impossible: every access point a user can roam to must be able to reach an ACS that can authenticate that user. You might want to consider breaking up your ACS deployment into geographic locations where common users can be grouped. By placing the users into groups defined by geographic location, you spread the load placed on each ACS. Keep in mind that a deployment in a wireless local-area network (WLAN) with one access point will be very different from one in a WLAN with multiple access points and numerous locations that require roaming. Figure 5-7 shows a simple WLAN deployment.

Figure 5-7. Simple WLAN Deployment


Other Deployments

Up to this point, you have seen AAA implemented for the most part on a user basis: a user accesses network resources and is authenticated to ACS. In other deployments, you might see port-based authentication (IEEE 802.1X) on a switchport using EAP-TLS or EAP-MD5. EAP-TLS is the Extensible Authentication Protocol-Transport Layer Security. It uses digital certificates instead of usernames and passwords and authenticates both sides: the server presents its certificate to the client, the client validates it against a trusted certificate authority, and the client presents its own certificate in return.

During the TLS handshake each side proves possession of the private key that matches its certificate, so there is no password to guess and the client can detect a rogue server. Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) is another challenge-response method and is available in Microsoft Windows XP, which also supports PEAP, EAP-MSCHAP v2, and Smart Card or other Certificate (EAP-TLS). In EAP-MD5 the client returns only an MD5 hash of its password and the server's challenge; the server never authenticates itself, no session keys are derived for the wireless link, and a captured exchange can be attacked offline with a dictionary. EAP-MD5 is not as secure as LEAP or EAP-TLS and is not recommended. Note that LEAP itself is vulnerable to offline dictionary attacks against its MS-CHAP exchange, so prefer EAP-TLS or PEAP for new deployments. You can see these property configuration options in Figure 5-8.

Figure 5-8. Windows XP Local-Area Connection Properties


This type of authentication can be used in some Cisco switches to authenticate users at the switchport. Note that this configuration is discussed in Chapter 7, "Configuring User Accounts."
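To make the weakness of EAP-MD5 concrete, the following added example (not from the book, and not any vendor's code) runs one MD5-Challenge exchange between a supplicant and an authenticator and then replays what an eavesdropper on the wire or the air can do with the captured packets. The packet layout follows RFC 3748 section 5.4 and the response value is the CHAP computation from RFC 1994, MD5(Identifier || password || Challenge). The identity, password, challenge and word list are constructed for the demonstration.

```python
"""EAP-MD5 (MD5-Challenge, EAP type 4) exchange between a supplicant and an
authenticator, with the offline attack an eavesdropper can mount on it.

Added example, not from the book or any vendor code. Packet layout per
RFC 3748 section 5.4; response value per RFC 1994 (CHAP). All identities,
passwords and the challenge below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_response(identifier, password, challenge):
    """CHAP/EAP-MD5 response value: a plain MD5 over the one-byte identifier,
    the shared secret and the challenge. No salt, no key stretching, no proof
    from the server side."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_packet(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_md5_packet(pkt):
    """Return (code, identifier, value, name) or raise on a malformed packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = pkt[5]
    return code, identifier, pkt[6:6 + size], pkt[6 + size:]


def authenticator_request(identifier, challenge):
    """Authenticator (switch or AP, relaying for the AAA server) -> supplicant."""
    return build_md5_packet(EAP_REQUEST, identifier, challenge)


def supplicant_respond(request_pkt, identity, password):
    """Supplicant -> authenticator: hash of the secret, identity in the Name field.
    Nothing in the Request lets the client verify who sent it, so any device that
    issues a challenge collects a response (the rogue access point problem)."""
    code, identifier, challenge, _ = parse_md5_packet(request_pkt)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    response = md5_challenge_response(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, response, identity)


def authenticator_verify(response_pkt, challenge, password_db):
    """AAA server side: recompute the hash, compare, answer Success or Failure."""
    code, identifier, value, name = parse_md5_packet(response_pkt)
    secret = password_db.get(name)
    ok = (code == EAP_RESPONSE and secret is not None
          and hmac.compare_digest(md5_challenge_response(identifier, secret, challenge), value))
    return struct.pack("!BBH", EAP_SUCCESS if ok else EAP_FAILURE, identifier, 4)


def eavesdropper_recover_password(request_pkt, response_pkt, wordlist):
    """Offline dictionary attack from a captured Request/Response pair. Every
    input except the password is on the wire, so each guess costs one MD5."""
    _, identifier, challenge, _ = parse_md5_packet(request_pkt)
    _, _, value, _ = parse_md5_packet(response_pkt)
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == value:
            return candidate
    return None


# Constructed demonstration data (not real accounts).
PASSWORD_DB = {b"jdoe": b"letmein"}
WORDLIST = [b"password", b"cisco", b"letmein", b"Summer06"]


def run_exchange(identity, password, challenge=bytes(range(16)), identifier=1):
    """Run one full exchange; return (server verdict code, what the eavesdropper got)."""
    request = authenticator_request(identifier, challenge)
    response = supplicant_respond(request, identity, password)
    verdict = authenticator_verify(response, challenge, PASSWORD_DB)
    recovered = eavesdropper_recover_password(request, response, WORDLIST)
    return struct.unpack("!BBH", verdict)[0], recovered


if __name__ == "__main__":
    print(run_exchange(b"jdoe", b"letmein"))  # (3, b'letmein'): Success, and the password leaks
```

The same capture-and-guess approach is what makes LEAP attackable; EAP-TLS and PEAP avoid it because the client authenticates the server's certificate before anything derived from a password, or the certificate's private key, is sent.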

ACS is also commonly deployed to authenticate, authorize, and account for the network administrators who log in to a company's network devices and issue commands that might affect network connectivity. By using ACS to authenticate and authorize these administrators, you can restrict the commands that unseasoned administrators are allowed to run, keep an audit trail of their activity through accounting, and use this as a tool for bringing new employees into the network without jeopardizing network availability for users. For more information on deploying ACS, refer to the following documentation on the Cisco website at http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
