Filter
Top Products
2-3
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 2 Deploy the Access Control Servers
Determining the Deployment Architecture
• EAP-TLS—Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS
uses the TLS protocol (RFC 2246), which is the latest version of the Secure Socket Layer (SSL)
protocol from the IETF. TLS provides a way to use certificates for user and server authentication
and for dynamic session key generation.
• PEAP— Protected Extensible Authentication Protocol (PEAP) is an 802.1x authentication type for
wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support
for one-time token authentication and password change or aging. PEAP is based on an Internet Draft
that Cisco Systems, Microsoft, and RSA Security submitted to the IETF.
Small LAN Environment
In a small LAN environment (a LAN containing up to 3,000 users; see Figure 2-1), a single ACS is
usually located close to the switch and behind a firewall. In this environment, the user database is usually
small because few switches require access to ACS for AAA, and the workload is small enough to require
only a single ACS.
However, you should still deploy a second ACS server for redundancy, and set up the second ACS server
as a replication partner to the primary server; because, losing the ACS would prevent users from gaining
access to the network. In
Figure 2-1, an Internet connection via firewall and router are included because
these are likely to be features of such a network; but, they are not strictly related to the Cisco Catalyst
AAA setup or required as part of it.
You should also limit access to the system hosting the ACS to as small a number of users and devices as
necessary. As shown in
Figure 2-1, you set access by connecting the ACS host to a private LAN segment
on the firewall. Access to this segment is limited only to the Cisco Catalyst Switch client and those user
machines that require HTTP access to the ACS for administrative purposes. Users should not be aware
that the ACS is part of the network.
Figure 2-1 ACS Server in a Small LAN Environment
Campus LAN
You can use ACS for wired access in a campus LAN. A campus LAN is typically divided into subnets.
Figure 2-2 shows an ACS deployment in a wired campus LAN.
Catalyst 2900/3500
Switch
Firewall
Cisco Secure ACS
158316
Internet