Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
1-8
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Authentication Considerations
Username and password is the most popular, simplest, and least expensive
method used for authentication. No special equipment is required. This is a
popular method for service providers because of its easy application by the client.
The disadvantage is that this information can be told to someone else, guessed, or
captured. Simple unencrypted username and password is not considered a strong
authentication mechanism but can be sufficient for low authorization or privilege
levels such as Internet access.
To reduce the risk of password capture on the network, use encryption. Client
and server access control protocols such as TACACS+ and RADIUS encrypt
passwords to prevent them from being captured within a network. However,
TACACS+ and RADIUS operate only between the AAA client and the access
control server. Before this point in the authentication process, unauthorized
persons can obtain clear-text passwords: for example, from the communication
between an end-user client dialing up over a phone line or an ISDN line
terminating at a network access server, or from a Telnet session between an
end-user client and the hosting device.
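As an added illustration that is not part of this guide, the following Python shows what the RADIUS password protection on the AAA client to ACS hop amounts to, assuming the User-Password hiding method of RFC 2865 section 5.2 (MD5 keystream derived from the shared secret and the Request Authenticator); the sample secret and password are constructed. It covers only that one hop, which is why the clear-text exposure described above exists before the AAA client.

```python
import hashlib
import os


def _pad16(data: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password the way an AAA client does in an Access-Request:
    each 16-octet block is XORed with MD5(secret + previous cipher block),
    seeded with the 16-octet Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding on the server side with the same keystream; the
    trailing NUL padding is removed (RFC 2865 forbids NULs in the password)."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher, keystream))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values: a shared secret and a random Request Authenticator.
    secret, authenticator = b"example-shared-secret", os.urandom(16)
    hidden = hide_user_password(b"correct horse battery", secret, authenticator)
    assert hidden != b"correct horse battery"
    assert reveal_user_password(hidden, secret, authenticator) == b"correct horse battery"
    # Decoding with the wrong secret yields garbage: the protection is only as
    # strong as the shared secret configured on the AAA client and on ACS.
    assert reveal_user_password(hidden, b"wrong", authenticator) != b"correct horse battery"
```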
Network administrators who offer increased levels of security services, and
corporations that want to lessen the chance of intruder access resulting from
password capture, can use an OTP. Cisco Secure ACS supports several types of
OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node
login. Token cards are considered one of the strongest OTP authentication
mechanisms.
Authentication and User Databases
Cisco Secure ACS supports a variety of user databases. In addition to the
CiscoSecure user database, Cisco Secure ACS supports several external user
databases, including the following:
Windows NT/2000 User Database
Generic LDAP
Novell NetWare Directory Services (NDS)
Open Database Connectivity (ODBC)-compliant relational databases
CRYPTOCard token server
SafeWord token server