Cisco Systems 4.2 Server User Manual
2-19
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 2 Deploy the Access Control Servers
Additional Topics
Conversely, if a general user attempts to use his or her remote access to log in to a network device, ACS
checks and approves the username and password, but the authorization process fails because that
user does not have credentials that allow shell or exec access to the device.
Database Considerations
Aside from topological considerations, the user database is one of the most influential factors in
deployment decisions for ACS. The size of the user base, distribution of users throughout the network,
access requirements, and type of user database are all factors to consider when you decide how to deploy
ACS.
Number of Users
ACS is designed for the enterprise environment, and can handle 300,000 users. This capacity is usually
more than adequate for a corporation. In an environment that exceeds these numbers, the user base would
typically be geographically dispersed, which requires the use of more than one ACS configuration. A
WAN failure could render a local network inaccessible because of the loss of the authentication server.
In addition, reducing the number of users that a single ACS handles improves performance by lowering
the number of logins occurring at any given time and reducing the load on the database.
Type of Database
ACS supports several database options: the ACS internal database, or remote authentication against
any of the external databases that ACS supports. Each database option has its own advantages and
limitations in scalability and performance.
Network Latency and Reliability
Network latency and reliability are also important factors in how you deploy ACS. Delays in
authentication can result in timeouts for the end-user client or the AAA client.
The general rule for large, extended networks, such as those in a globally dispersed corporation, is to
have at least one ACS deployed in each region. This configuration may not be adequate without a
reliable, high-speed connection between sites. Many corporations use secure VPN connections between
sites so that the Internet provides the link. Although this option saves time and money, it does not provide
the speed and reliability of a dedicated frame relay or T1 link. If a reliable authentication service is
critical to business functionality, such as retail outlets whose cash registers are linked by a WLAN, the
loss of the WAN connection to a remote ACS could be catastrophic.
The same issue applies to an external database that ACS uses. You should deploy the database
close enough to ACS to ensure reliable and timely access. Using a local ACS with a remote database can
result in the same problems as using a remote ACS. Another possible problem in this scenario is that a
user may experience timeouts. The AAA client would be able to contact ACS, but ACS would
wait for a reply from the external user database that might be delayed or never arrive. If the ACS were
remote, the AAA client would time out and try an alternate method to authenticate the user; but in the
latter case, it is likely the end-user client would time out first.
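The Network Latency and Reliability discussion above describes a chain of timers: the end-user client waits on the AAA client, the AAA client waits on ACS, and ACS waits on its external database. The script below is an added example, not Cisco's code or anything from the ACS product; it models that chain as a timeout budget and flags the two failure modes the text names (ACS still waiting on a remote database when the AAA client gives up, and the end-user client timing out before the AAA client can fall back). Every latency, timeout and retry count in it is an assumed illustrative value; the real numbers come from your AAA client and client-side configuration.

```python
"""Timeout-budget check for an AAA client -> ACS -> external database path.

Added example for the ACS deployment guide; not Cisco code. All numbers are
assumed values chosen to illustrate the scenarios the guide describes.
"""
from dataclasses import dataclass


@dataclass
class TimeoutChain:
    """Assumed parameters of one authentication path (seconds unless noted)."""
    nas_to_acs_rtt: float        # AAA client <-> ACS round trip
    acs_to_db_rtt: float         # ACS <-> external user database round trip
    acs_db_timeout: float        # how long ACS waits on the external database
    nas_timeout: float = 5.0     # AAA client wait per attempt before retrying
    nas_retries: int = 2         # attempts per configured ACS
    acs_servers: int = 2         # ACS entries the AAA client tries in turn
    end_user_timeout: float = 30.0  # end-user client / supplicant gives up
    acs_processing: float = 0.05    # ACS work per request (assumed)


def check_budget(chain):
    """Return a list of budget violations; empty means every upstream wait is
    shorter than the timer downstream of it, so failures surface in order."""
    problems = []
    # Normal reply: ACS hears from the database after one round trip.
    expected = chain.nas_to_acs_rtt + chain.acs_processing + chain.acs_to_db_rtt
    # Worst case: the database reply is delayed or lost, so ACS holds the
    # request until its own database timeout expires before answering.
    worst = chain.nas_to_acs_rtt + chain.acs_processing + chain.acs_db_timeout
    if expected > chain.nas_timeout:
        problems.append("normal database round trip already exceeds the AAA client timeout")
    if worst > chain.nas_timeout:
        problems.append("ACS may still be waiting on the external database when the AAA client retries")
    # The AAA client only falls back to an alternate method after it has tried
    # every ACS the configured number of times.
    nas_total = chain.nas_timeout * chain.nas_retries * chain.acs_servers
    if nas_total >= chain.end_user_timeout:
        problems.append("end-user client times out before the AAA client can fall back to an alternate method")
    return problems


# Constructed scenarios mirroring the guide's topologies (assumed values).
SCENARIOS = {
    # ACS and its database on the same LAN as the AAA client
    "local ACS, local DB": TimeoutChain(nas_to_acs_rtt=0.01, acs_to_db_rtt=0.01,
                                        acs_db_timeout=2.0),
    # ACS across a WAN, database next to ACS
    "remote ACS, local DB": TimeoutChain(nas_to_acs_rtt=0.25, acs_to_db_rtt=0.01,
                                         acs_db_timeout=2.0),
    # ACS local, database across a congested WAN with a generous DB timeout
    "local ACS, remote DB": TimeoutChain(nas_to_acs_rtt=0.01, acs_to_db_rtt=1.5,
                                         acs_db_timeout=10.0),
    # ACS across a WAN with a long per-attempt AAA client timer
    "remote ACS, long timers": TimeoutChain(nas_to_acs_rtt=0.25, acs_to_db_rtt=0.01,
                                            acs_db_timeout=2.0, nas_timeout=10.0),
}


def report():
    """Map each scenario name to its list of violations."""
    return {name: check_budget(chain) for name, chain in SCENARIOS.items()}


if __name__ == "__main__":
    for name, problems in report().items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

The useful output is the empty list: a chain with no violations means a lost database reply is reported by ACS before the AAA client retries, and the AAA client exhausts its servers before the end user gives up. When you change a timer on one hop, rerun the check rather than reasoning about the hop in isolation.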