Chapter 2 Deploying Cisco Secure ACS
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Network Latency and Reliability
Network latency and reliability are also important factors in how you deploy
Cisco Secure ACS. Delays in authentication can result in timeouts at the end-user
client or the AAA client.
The general rule for large, extended networks, such as a globally dispersed
corporation, is to have at least one Cisco Secure ACS deployed in each region.
This may not be adequate without a reliable, high-speed connection between sites.
Many corporations use secure VPN connections between sites so that the Internet
provides the link. This saves time and money, but it does not provide the speed and
reliability that a dedicated frame relay or T1 link provides. If reliable
authentication service is critical to business functionality, as it is for retail outlets
with cash registers that are linked by a wireless LAN, the loss of the WAN connection
to a remote Cisco Secure ACS could be catastrophic.
The same issue applies to an external database used by Cisco Secure ACS.
The database should be deployed close enough to Cisco Secure ACS to ensure
reliable and timely access. Using a local Cisco Secure ACS with a remote
database can result in the same problems as using a remote Cisco Secure ACS.
Another possible problem in this scenario is that a user may experience timeout
problems. The AAA client would be able to contact Cisco Secure ACS, but
Cisco Secure ACS would wait for a reply from the external user database that
might be delayed or never arrive. If the Cisco Secure ACS were remote, the AAA
client would time out and try an alternative method to authenticate the user, but
with a local Cisco Secure ACS waiting on a remote database, it is likely the
end-user client would time out first.
Suggested Deployment Sequence
While there is no single process for all Cisco Secure ACS deployments, you
should consider following this sequence, which is keyed to the high-level functions
represented in the navigation toolbar. Also bear in mind that many of these
deployment activities are iterative in nature; you may find that you repeatedly
return to such tasks as interface configuration as your deployment proceeds.
• Configure Administrators—You should configure at least one
administrator at the outset of deployment; otherwise, there is no remote
administrative access and all configuration activity must be done from the
server. You should also have a detailed plan for establishing and maintaining
an administrative policy.