CiscoSecure Access Control Server Software

Product Overview 

Cisco has developed a line of Access Control Server software products to provide a scalable method for the centralization of security. CiscoSecure Access Control Server software complements and protects any network installation, centralizing individual access control of network access servers, firewalls, and routers.

Cisco's complete line of Access Control Server software products can be used for:

• service providers that create carrier class, unique, and scalable offerings

• corporations that build secure infrastructures

• small to medium businesses developing network security policies

The products range from an entry-level product, CiscoSecure EasyACS (included with every Cisco Access Server), to powerful carrier class Access Control Server software.

• CiscoSecure ACS v2.1 for UNIX is an Access Control Server for Solaris offers robust functionality that controls the authentication, authorization, and accounting of users accessing the Internet or intranet.

• CiscoSecure ACS v2.0 for Windows NT is an Access Control Server that offers tight integration of an Access Server and a Windows NT infrastructure.

Introducing Cisco's Newest Release:
CiscoSecure Global Roaming Server v1.1 for UNIX

Product Overview

The CiscoSecure Global Roaming Server (GRS) for UNIX is one of many solutions in Cisco's suite of specialized, security software solutions for Authentication, Authorization, and Accounting (AAA). CiscoSecure GRS for UNIX turns existing dial infrastructures into global roaming networks. The use of CiscoSecure GRS can increase the number of Internet access points a service provider can offer to a customer without incurring the costs associated with additional equipment. With the deployment of GRS into complex environments using both TACACS+ and RADIUS facilitating proxy and translation, GRS provides concurrent true global scalability and dialup access across thousands of globally deployed access control servers.

CiscoSecure GRS for UNIX enables service providers to provide a new level of service to other Service Providers (SPs) and corporate customers to take local Internet connectivity to a global scale. This server can provide the complex operation of the "proxy" and translation of TACACS+ and RADIUS security protocols. This functionality removes the proprietary burden of forcing every end of a secured connection to be from a single manufacturer, and makes adding services a simple action instead of a network overhaul.

Key Features and Benefits

CiscoSecure GRS is a scaleable global roaming server with many Service Provider features:

• Enables to SP's to partner and extend their territory without additional hardware costs.

• Permits SP's to over additional value-add services to their customers and open new markets.

• HTML/Java Web Interface provides a ubiquitous interface that simplifies configuration for user and group profiles and administration from anywhere in the network

• Command Line Interface for service providers, ISPs, and large customers have already built applications that provision users and customers. This interface can allow provisioning programs to configure all GRS parameters.

• TACACS+ and RADIUS Translation makes installation of GRS in mixed security protocol environments possible without hardware changes.

• Authorization Filtering prevents authorization privileges from being granted across a network that shouldn't be permitted

• Max Roaming Sessions controls the number of roaming connections for a particular customer, making it possible to package levels of service as well as preventing the over subscription of connections

GRS enables:

• mobile users to roam throughout multiple territories, making local calls to POPs.

• service providers to dramatically expands its coverage by partnering with another service provider. The service provider does not have to incur the additional overhead of maintaining additional dial access points. This additional coverage can be used for roaming users, or for stationary users who require access outside the service provider's territory.

• service providers to have a new line of business, as they can provide additional coverage to other service providers.

Specifications

Table 5-1: System Specifications

	Description
Hardware	Sun SPARCstation 20 CD-ROM drive 128 MB of RAM 128 MB of disk swap space 500 MB of disk space
Software	Solaris V2.51

Table 5-2: Other Information/Components Specifications

Description	Product Number
CiscoSecure GRS V.1.1 for UNIX (1 server license)	CSU-GRS-1.1
CiscoSecure GRS V.1.1 for UNIX (4 server license)	CSU-GRS-4S-1.1
CiscoSecure GRS software application support (1 server license)	CON-SAS-CSGRS
CiscoSecure GRS software application support plus upgrade (1 server license)	CON-SAU-CSGRS

CiscoSecure Access Control Server v2.2 for UNIX (Solaris)

Product Overview

To support the growing population of network devices that directly or indirectly control how users connect to the public Internet and the corporate intranet, Cisco introduces CiscoSecure ACS v2.2 for UNIX. CiscoSecure ACS v2.2 for UNIX is an Access Control Server for Solaris that controls the authentication, authorization, and accounting of users accessing the Internet or intranet.

Primary applications for the CiscoSecure Access Control Server include securing dial-up access servers and firewalls for network access and securing the management of routers and switches within a network. Both applications have unique authentication and authorization requirements. With CiscoSecure Access Control Server, system administrators can select a variety of authentication methods that each provide a set of authorization privileges.

Completing the access control functionality, the CiscoSecure Access Control Server serves as a central repository for accounting information. Each session that is established can be fully accounted for and stored on the server. This accounting information can be used for security audits, capacity planning, or bill-back network usage.

Key Features and Benefits

CiscoSecure ACS is a powerful access control server with many Service Provider and Enterprise features:

• Simultaneous TACACS+ and RADIUS support for a flexible solution

• HTML/JAVA GUI for a ubiquitous interface that simplifies and speeds up configuration for user and group profiles. SSL is also available to secure server configuration.

• Administration of users using groups for maximum flexibility and to facilitate enforcement and changes of security policies

• Group Administration

• Token Caching

• Local and Remote Domain declaration

• VPDN support at the origination and termination of VPDN (L2F) tunnels

• Import mechanism to rapidly import a large number of users

• Relational Database support using Oracle, Sybase, or the included SQL Anywhere

• Password support that includes Cleartext, DES encrypted, Bellcore S/Key, UNIX /etc/passwd file, Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access (ARA)

• Token Server support for CryptoCard, Secure Computing, and Security Dynamics

• Time-of-day and day-of-week access restrictions

• User restrictions based on NAS name, Port Name, or Remote Address including CLID

• Disabling of an account on a specific date

• Disabling of an account after N failed attempts to prevent brute force attacks

• Accounting information stored in the Relational Database

Using CiscoSecure Access Control Server, a network administrator can control the following:

• Who can log in to the network

• What privileges each user has in the network

• What accounting information is recorded in terms of security audits or account billing

Specifications

Table 5-3: System Specifications

	Description
Hardware	Sun SPARCstation 20 CD-ROM drive 128 MB of RAM 256 MB of disk swap space 500 MB of disk space
Software	Solaris V2.51 or V2.6 IOS v11.1 (TACACS+) IOS v11.2 (RADIUS) Oracle v7.33 or v8.03 Sybase v11.1

Table 5-4 lists the CiscoSecure Access Control Server product numbers. Note that each copy of CiscoSecure is licensed to be installed on a single Sun Workstation. A backup copy can also be used, but this backup copy can only be used to Authenticate, Authorize, or Account when the primary CiscoSecure is not active. There are no license restrictions on number of users or ports.

Table 5-4: Other Information/Components Specifications

Description	Product Number
CiscoSecure Access Control Server Version 2.2 for UNIX (Solaris)	CSU-2.2
CiscoSecure Access Control Server Version 1.x/2.x to Version 2.2 upgrade	CSU-2.2-UG
CiscoSecure software application support for UNIX	CON-SAS-CSU
CiscoSecure software application support plus upgrades for UNIX	CON-SAU-CSU

CiscoSecure ACS v2.1 for Windows NT

Product Overview

To support the growing population of network devices that directly or indirectly control how users connect to the public Internet and the corporate intranet, Cisco introduces CiscoSecure ACS v2.1 for Windows NT. CiscoSecure ACS v2.1 for Windows NT is an Access Control Server that operates as a Windows NT Service and controls the authentication, authorization, and accounting of users accessing thousands of network ports.

CiscoSecure ACS v2.1 for Windows NT supports the centralization of access control and accounting for dial-up access servers and firewalls, and management of access to routers and switches. With it, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. This improves their ability to deliver wholesale dial-up services to corporations investing in the outsourcing of dial-up and networking services.

For corporations supporting the rollout of their own access control infrastructure and those investing in service provider outsourcing while maintaining ownership of user account control, CiscoSecure ACS can be used for both. Because of its tight integration with the Windows NT operating system, companies can leverage their working knowledge, and the investment already made into building a Windows NT network and the Windows NT database.

Key Features and Benefits

CiscoSecure ACS is a powerful access control server with many Service Provider and Enterprise features:

• Simultaneous TACACS+ and RADIUS support for a flexible solution

• HTML/JAVA GUI for a ubiquitous interface that simplifies and distributes configuration for user profiles, group profiles, and ACS configuration

• Help and online documentation for quick problem solving

• Administration of users using groups for maximum flexibility and to facilitate enforcement and changes of security policies

• Sophisticated unknown user handling

• Domain stripping and authentication forwarding

• Authentication against the NDS database

• ODBC import

• Automatic replication

• VPDN support at the origination and termination of VPDN (L2F) tunnels

• Import mechanism to rapidly import a large number of users

• Hash-indexed flat file database support for high-speed transaction processing

• Windows NT database support to leverage and consolidate Windows NT username/password management and enable single login

• Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access (ARA)

• Token Server support for Security Dynamics, Axent Technologies, Secure Computing and CryptoCard

• Token caching for ISDN terminal adapters

• Time-of-day and day-of-week access restrictions

• User restrictions based on Remote Address such as CLID

• Disabling of an account on a specific date

• Disabling of an account after N failed attempts

• Viewing of logged-in user list

• Windows NT Performance Monitor support for real-time statistic viewing

• Accounting and audit information stored in CSV format for convenient import into billing applications

• Simple upgrading from CiscoSecure EasyACS v1.0

Using CiscoSecure Access Control Server, a network administrator can control the following:

• Who can log in to the network

• What privileges each user has in the network

• What accounting information is recorded in terms of security audits or account billing

Specifications

Table 5-5: System Specifications

	Description
Hardware	Intel class Pentium 133 MHz PC or compatible 32 MB of RAM 10 MB hard drive space CD-ROM drive Screen resolution of 800 x 600 or better
Software	Microsoft Windows NT Server v4.0 Microsoft Internet Explorer v3.02 or higher or NetScape Navigator v3.0 or higher Cisco IOS 11.1 or higher on the network device (11.2 for RADIUS)

Table 5-6 lists the CiscoSecure ACS v2.1 for Windows NT product numbers. Note that CiscoSecure ACS v2.1 for Windows NT is licensed on a per-server basis. There are no restrictions on the number of users or the number of ports used on a licensed server.

Table 5-6: Other Information/Components Specifications

Description	Product Number
CiscoSecure ACS V.2.1 for Windows NT	CSNT-2.1
CiscoSecure ACS v1.0/v2.0 for Windows NT to v2.1 upgrade	CSNT-2.1-UG
CiscoSecure software application support for Windows NT	CON-SAS-CSNT
CiscoSecure software application support plus upgrades for Windows NT	CON-SAU-CSNT

CiscoSecure EasyACS v1.0 for Windows NT   

As more and more dial-up access servers, firewalls, and routers get deployed, centralized management of access becomes a requirement to be able to scale. The present and common method for controlling access is at the device itself. This is certainly secure but difficult to manage changes in personnel and policy. The most obvious method to support these types of changes and leverage much of the work already completed in designing a network of Windows NT servers is to move to a central repository concept of security on a Windows NT Server.

CiscoSecure EasyACS is entry-level, basic access control server software that can run on Windows NT and allow service providers and corporations to begin to roll out, or experiment with, the concept of a centralized access control and security system.

In many cases, basic access control service is sufficient for a single access server and customers can put this right into production environments. For administrators who desire to scale up to higher-end products, the installation and rollout of CiscoSecure EasyACS can be built upon, using all of the configuration and database already created. CiscoSecure ACS v2.0 for Windows NT is the higher-end Cisco ACS for Windows NT product that can scale the EasyACS installation to support many more features and multiple access devices.

For corporations supporting the rollout of their own access control infrastructure and those investing in service provider outsourcing while maintaining ownership of user account control, CiscoSecure EasyACS can be used for both as a low-risk, easy-to-use starting place. Because of its tight integration with the Windows NT operating system, companies may leverage the working knowledge and the investment already made into building a Windows NT network and the Windows NT database.

Features include:

• Basic TACACS+ support for a simplified solution

• Part of the Cisco dial-up access server solution and supported as part of the access server SmartNet contract

• Support for one access server

• HTML GUI for a ubiquitous interface that simplifies and distributes configuration for user profiles, group profiles, and EasyACS configuration

• Help and online documentation for quick problem solving

• Administration of users using groups for maximum flexibility and to facilitate enforcement and changes of security policies

• Hash-indexed flat file database support for high-speed transaction processing

• Windows NT database support to leverage and consolidate Windows NT username/password management and enable single login

• Password support that includes Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP)

• Disabling of an account on a specific date

• Disabling of an account after N failed attempts

• Viewing of logged-in user list

• Windows NT Performance Monitor support for real-time statistic viewing

• Accounting and audit information stored in CSV format for convenient import into billing applications

Using CiscoSecure Access Control Server, a network administrator can control the following:

• Who can log in to the network

• What privileges each user has in the network

• What accounting information is extracted for security audits or account billing

Figure 5-1 shows the navigation bar, edit field, and help windows of CiscoSecure EasyACS.

Figure 5-1: CiscoSecure EasyACS Navigation Bar, Edit Field, and Help Windows

Table 5-7 lists the specifications for CiscoSecure ACS v2.0 for Windows NT.

Table 5-7: CiscoSecure Access Control Server Minimum Hardware/Software  Specifications

Minimum Hardware Requirements	Software Requirements
Intel class Pentium 133 MHz PC or compatible 24 MB of RAM 10 MB hard drive space CD-ROM drive Screen resolution of 800 x 600 or better	Microsoft Windows NT Server v4.0
	Microsoft Internet Explorer v3.0 or Netscape Navigator v3.0
	Cisco IOS 11.1 or higher

CiscoSecure EasyACS is included on a CD-ROM with Cisco 2500 series access servers, AS5200 universal access servers, and Cisco 3600 series dial-up routers. CiscoSecure EasyACS is also available via CCO if you have a Cisco 2500 series access server, AS5200, or Cisco 3600 series installed at your site that is covered by a SMARTnet contract.

Table 5-8 shows the CiscoSecure Access Server product numbers. Note that CiscoSecure EasyACS v1.0 for Windows NT is licensed on a per-server basis and supports one access server or one firewall. There are no restrictions on the number of users or the number of ports used on a licensed server.

Table 5-8: CiscoSecure Access Server Product Numbers

Description	Part Number
CiscoSecure EasyACS v1.0	Included with Cisco Dial-up Access Servers; not orderable or for sale separately