Support User Manuals

Cisco Systems Servers Server User Manual

Open as PDF

of 654

Chapter 2 Deploying Cisco Secure ACS

Basic Deployment Factors for Cisco Secure ACS

2-16

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide

78-13751-01, Version 3.0

Separation of Administrative and General Users

It is important to keep the general network user from accessing network devices.

Even though the general user may not have any intention to “hack the system,”

inadvertent access could easily cause accidental disruption to network access.

Separation of the general user from the administrative user falls into the realm of

AAA and Cisco Secure ACS.

The easiest, and recommended, method to perform such separation is to use

RADIUS for the general remote access user and TACACS+ for the administrative

user. An issue that arises is that an administrator may also require remote network

access, like the general user. If you use Cisco Secure ACS this poses no problem.

The administrator can have both RADIUS and TACACS+ configurations in

Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other

network access protocols) set as the permitted protocol. Under TACACS+, only

the administrator would be configured to allow shell (exec) access.

For example, if the administrator is dialing into the network as a general user, a

AAA client would use RADIUS as the authenticating/authorizing protocol and

the PPP protocol would be authorized. In turn, if the same administrator remotely

connects to a AAA client to make configuration changes, the AAA client would

use the TACACS+ protocol for authentication/authorization. Because this

administrator is configured on Cisco Secure ACS with permission for shell under

TACACS+, he would be authorized to log in to that device. This does require that

the AAA client have two separate configurations on Cisco Secure ACS, one for

RADIUS and one for TACACS+. An example of a AAA client configuration

under IOS that effectively separates PPP and shell logins follows:

aaa new-model

tacacs-server host

ip-address

tacacs-server key secret-key

radius-server host ip-address

radius-server key secret-key

aaa authentication ppp default group radius

aaa authentication login default group tacacs+ local

aaa authentication login console none

aaa authorization network default group radius

aaa authorization exec default group tacacs+ none

aaa authorization command 15 default group tacacs+ none

username

user password password

line con 0

login authentication console

previous next