CiscoSecure Access Control Server Software

This chapter provides information on Cisco's access control server products. The information is organized into the following sections:

• Product Overview

• CiscoSecure Access Control Server v2.1 for UNIX (Solaris)

Product Overview 

Cisco has developed a line of Access Control Server software to provide a scalable method for the centralization of security and provisioning. CiscoSecure Access Control Server software complements and protects any Cisco Access Server installation, centralizing individual access control of network access servers, firewalls, and routers.

Cisco's complete line of Access Control Server software products can be in a dial network solution for:

• service providers that create carrier class, unique, and scalable offerings

• corporations that build secure class infrastructures

• small to medium businesses that develop network service device security policies

The products range from an entry-level product, CiscoSecure EasyACS (included with every Cisco Access Server), to powerful carrier class Access Control Server software.

• CiscoSecure ACS v2.1 for UNIX is an Access Control Server for Solaris that controls the authentication, authorization, and accounting of users accessing the Internet or intranet.

CiscoSecure Access Control Server v2.1 for UNIX (Solaris)

To support the growing population of network devices that directly or indirectly control how users connect to the public Internet and the corporate intranet, Cisco introduces CiscoSecure ACS v2.1 for UNIX. CiscoSecure ACS v2.1 for UNIX is an Access Control Server for Solaris that controls the authentication, authorization, and accounting of users accessing the Internet or intranet.

Primary applications for the CiscoSecure Access Control Server include securing dial-up access servers and firewalls for network access and securing the management of routers and switches within a network. Both applications have unique authentication and authorization requirements. With CiscoSecure Access Control Server, system administrators can select a variety of authentication methods that each provide a set of authorization privileges.

Completing the access control functionality, the CiscoSecure Access Control Server serves as a central repository for accounting information. Each session that is established can be fully accounted for and stored on the server. This accounting information can be used for security audits, capacity planning, or bill-back network usage.

CiscoSecure ACS is a powerful access control server with many Service Provider and Enterprise features:

• Simultaneous TACACS+ and RADIUS support for a flexible solution

• HTML/JAVA GUI for a ubiquitous interface that simplifies and speeds up configuration for user and group profiles. SSL is also available to secure server configuration.

• Administration of users using groups for maximum flexibility and to facilitate enforcement and changes of security policies

• VPDN support at the origination and termination of VPDN (L2F) tunnels

• Import mechanism to rapidly import a large number of users

• Relational Database support using Oracle, Sybase, or the included SQL Anywhere

• Password support that includes Cleartext, DES encrypted, Bellcore S/Key, UNIX /etc/passwd file, Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access (ARA)

• Token Server support for CryptoCard, Secure Computing, and Security Dynamics

• Time-of-day and day-of-week access restrictions

• User restrictions based on NAS name, Port Name, or Remote Address including CLID

• Disabling of an account on a specific date

• Disabling of an account after N failed attempts to prevent brute force attacks

• Accounting information stored in the Relational Database

Figure 42 displays a view of users and groups in the authentication and authorization (AA) database.

Figure 42: Users and Groups Displayed in the AA Database

Using CiscoSecure Access Control Server, a network administrator can control the following:

• Who can log in to the network

• What privileges each user has in the network

• What accounting information is recorded in terms of security audits or account billing

Table 35 lists the minimum hardware/software specifications for the CiscoSecure Access Control Server for UNIX.

Table  35: CiscoSecure Access Control Server Hardware/Software Specifications

Description	Specifications
Hardware requirements	Sun SPARCstation 20 CD-ROM drive 128 MB of RAM 128 MB of disk swap space 500 MB of disk space
Software requirements	Solaris V2.51 IOS v11.1 (TACACS+) IOS v11.2 (RADIUS) Oracle v7.3 Sybase v11.1

Table 36 lists the CiscoSecure Access Control Server product numbers. Note that each copy of CiscoSecure is licensed to be installed on a single Sun Workstation. A backup copy can also be used, but this backup copy can only be used to Authenticate, Authorize, or Account when the primary CiscoSecure is not active. There are no license restrictions on number of users or ports.

Table  36: CiscoSecure Access Server Product Numbers

Description	Product Number
CiscoSecure Access Control Server Version 2.1 for UNIX (Solaris)	CSU-2.1
CiscoSecure Access Control Server Version 1.0 to Version 2.0 upgrade	CSU-2.1-UG
SmartNet Contract for CiscoSecure Access Control Server	CON-SNT-CSU