1-13
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
request from the AAA client should include the OTP in the username value (for example, Fredpassword) while the password value contains an ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then verify that the token is still cached and validate the incoming password against either the single ASCII/PAP/ARAP or separate CHAP/ARAP password, depending on the user's configuration.
The TACACS+ SENDAUTH feature enables a AAA client to authenticate itself to another AAA client or an end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, or ARAP. With outbound authentication, the Cisco Secure ACS password is given out. By default, the user's ASCII/PAP or CHAP/ARAP password is used, depending on how this has been configured; however, we recommend that a separate SENDAUTH password be configured for the user so that Cisco Secure ACS inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security, we recommend that you configure users in the CiscoSecure user database with an outbound password that is different from the inbound password.
Password Aging
With Cisco Secure ACS you can choose whether and how you want to employ password aging. Control for password aging may reside either in the CiscoSecure user database or in the Windows NT/2000 directory. Each password aging mechanism differs as to requirements and setting configurations.
The password aging feature controlled by the CiscoSecure user database enables you to force users to change their passwords under any of the following conditions:
• After a specified number of days
• After a specified number of logins
• The first time a new user logs in
For information on the requirements and configuration of the password aging feature controlled by the CiscoSecure user database, see the "Enabling Password Aging for the CiscoSecure User Database" section on page 6-20.
The Windows NT/2000-based password aging feature enables you to control the following password aging parameters:
• Maximum password age in days
• Minimum password age in days