User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 2 Deploying Cisco Secure ACS
Basic Deployment Factors for Cisco Secure ACS
The type of access is also an important consideration. If there are to be different
administrative access levels to the AAA clients, or if a subset of administrators is
to be limited to certain systems, Cisco Secure ACS can be used with command
authorization per network device to restrict network administrators as necessary.
Using local authentication restricts the administrative access policy to either no
login on a device or the use of privilege levels to control access. Controlling access by
means of privilege levels is cumbersome and not very scalable. This requires that
the privilege levels of specific commands are altered on the AAA client device
and specific privilege levels are defined for the user login. It is also very easy to
create more problems by editing command privilege levels. Using command
authorization on Cisco Secure ACS does not require that you alter the privilege
level of controlled commands. The AAA client sends the command to
Cisco Secure ACS to be parsed and Cisco Secure ACS determines whether the
administrator has permission to use the command. The use of AAA allows
authentication on any AAA client to any user on Cisco Secure ACS and facilitates
the limitation of access to these devices on a per-AAA client basis.
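
A simplified model of the per-device command authorization decision described above, as an added example (not Cisco Secure ACS code, and not its actual matching rules). The administrator names, device groups, and command sets are constructed for illustration, and the model assumes the AAA client sends full command words rather than abbreviations.

```python
import re

# Constructed policy: (administrator group, device group) -> ordered rules.
# Each rule is (action, command, regex for the arguments).
# The first matching rule wins; a command that matches no rule is denied.
POLICY = {
    ("noc-operators", "branch-routers"): [
        ("deny",   "show", r"running-config.*"),
        ("permit", "show", r".*"),
        ("permit", "ping", r".*"),
    ],
    ("net-engineers", "branch-routers"): [
        ("permit", "configure", r"terminal"),
        ("permit", "interface", r".*"),
        ("permit", "show", r".*"),
    ],
    ("net-engineers", "core-switches"): [
        ("permit", "show", r".*"),
    ],
}
ADMIN_GROUP = {"alice": "noc-operators", "bob": "net-engineers"}   # constructed
DEVICE_GROUP = {"br-rtr-01": "branch-routers", "core-sw-01": "core-switches"}


def authorize(admin, device, command_line):
    """Return (allowed, reason) for one command forwarded by an AAA client."""
    rules = POLICY.get((ADMIN_GROUP.get(admin), DEVICE_GROUP.get(device)))
    if rules is None:
        # Limits a subset of administrators to certain systems.
        return False, "no command set for this administrator on this device"
    parts = command_line.split()
    if not parts:
        return False, "empty command"
    cmd, args = parts[0].lower(), " ".join(parts[1:])
    for action, rule_cmd, arg_pattern in rules:
        if cmd == rule_cmd and re.fullmatch(arg_pattern, args):
            return action == "permit", f"{action} rule: {rule_cmd} {arg_pattern}"
    return False, "unmatched command, default deny"


if __name__ == "__main__":
    for who, dev, line in [("alice", "br-rtr-01", "show ip route"),
                           ("alice", "br-rtr-01", "show running-config"),
                           ("bob", "core-sw-01", "configure terminal")]:
        print(who, dev, repr(line), authorize(who, dev, line))
```

The decision is made centrally for each command, so no command privilege level has to be changed on the device itself.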

A small network with a small number of network devices may require only one or
two individuals to administer it. Local authentication on the device is usually
sufficient. If you require more granular control than that which authentication can
provide, some means of authorization is necessary. As discussed earlier,
controlling access using privilege levels can be cumbersome. Cisco Secure ACS
reduces this problem.

In large enterprise networks, with many devices to administer, the use of
Cisco Secure ACS becomes a practical necessity. Because administration of
many devices requires a larger number of network administrators, with varying
levels of access, the use of local control is simply not a viable way of keeping
track of network device configuration changes required when changing
administrators or devices. The use of network management tools, such as
CiscoWorks 2000, helps to ease this burden, but maintaining security is still an
issue. Because Cisco Secure ACS can comfortably handle up to 100,000 users,
the number of network administrators that Cisco Secure ACS supports is rarely an
issue. If there is a large remote access population using RADIUS for AAA
support, the corporate IT team should consider separate authentication
using Cisco Secure ACS for the administrative team. This would isolate the
general user population from the administrative team and reduce the likelihood of
inadvertent access to network devices. If this is not a suitable solution, using
TACACS+ for administrative (shell/exec) logins, and RADIUS for remote
network access, provides sufficient security for the network devices.