Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
1-8
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
There is a fundamental implicit relationship between authentication and
authorization. The more authorization privileges granted to a user, the stronger the
authentication should be. Cisco Secure ACS supports this relationship by
providing various methods of authentication.
Authentication Considerations
Username and password is the most popular, simplest, and least expensive method
used for authentication. No special equipment is required. This is a popular
method for service providers because it is easy for the client to use. The
disadvantage is that this information can be told to someone else, guessed, or
captured. A simple unencrypted username and password is not considered a strong
authentication mechanism but can be sufficient for low authorization or privilege
levels such as Internet access.
To reduce the risk of password capturing on the network, use encryption. Client
and server access control protocols such as and RADIUS encrypt
passwords to prevent them from being captured within a network. However,
and RADIUS operate only between the AAA client and the access
control server. Before this point in the authentication process, unauthorized
persons can obtain clear-text passwords, such as the communication between an
end-user client dialing up over a phone line or an ISDN line terminating at a
network access server, or over a Telnet session between an end-user client and the
hosting device.
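To make concrete what "RADIUS encrypts passwords" means between the AAA client and the access control server, the following added example (not code from the Cisco guide) implements the RFC 2865 User-Password hiding scheme: the password is padded to 16-octet blocks and XORed with MD5(shared secret || Request Authenticator), chaining each ciphertext block into the next hash. The shared secret, authenticator and password below are constructed sample values.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Encode a RADIUS User-Password attribute value (RFC 2865, section 5.2).

    The result is only as strong as the shared secret between the AAA client
    (NAS) and the server; anything upstream of the NAS (dial-up, Telnet) is
    outside this protection, as the guide notes.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    hidden = b""
    prev = authenticator                                  # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        cipher = _xor(padded[i:i + 16], block)
        hidden += cipher
        prev = cipher                                     # b(i+1) = MD5(S + c(i))
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Decode the attribute on the server side; trailing null padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        plain += _xor(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]                           # chain on ciphertext
    return plain.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values: a real NAS generates a random 16-octet authenticator.
    authenticator = bytes(range(16))
    secret = b"constructed-shared-secret"
    wire = hide_user_password(b"s3cret-pw", secret, authenticator)
    print("on the wire:", wire.hex())
    print("server recovers:", reveal_user_password(wire, secret, authenticator))
    print("wrong secret yields:", reveal_user_password(wire, b"other", authenticator))
```

A mismatched shared secret on either side produces an unusable password rather than an error, which is why RADIUS shared-secret mismatches surface as authentication failures in the ACS reports rather than as protocol errors.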
Network administrators who offer increased levels of security services, and
corporations that want to lessen the chance of intruder access resulting from
password capturing, can use an OTP. Cisco Secure ACS supports several types of
OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node
login. Token cards are considered one of the strongest OTP authentication
mechanisms.
Authentication and User Databases
Cisco Secure ACS supports a variety of user databases. It supports the
CiscoSecure user database and several external user databases, including the
following:
• Windows NT/2000 User Database
• Generic LDAP