User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
Cisco Secure ACS is a AAA server, providing authentication, authorization, and
accounting services to network devices that can act as AAA clients.
As a AAA server, Cisco Secure ACS incorporates many technologies to render
AAA services to AAA clients. Understanding Cisco Secure ACS requires
knowledge of many of these technologies. To address the most significant aspects,
this section contains the following topics:
• Cisco Secure ACS and the AAA Client, page 1-5
• AAA Protocols— and RADIUS, page 1-6
• Authentication, page 1-7
• Authorization, page 1-15
• Accounting, page 1-20
• Administration, page 1-21
Cisco Secure ACS and the AAA Client
A AAA client is software running on a network device that enables the network
device to defer authentication, authorization, and logging (accounting) of user
sessions to a AAA server. AAA clients must be configured to direct all end-user
client access requests to Cisco Secure ACS for authentication of users and
authorization of service requests. Using the or RADIUS protocol, the
AAA client sends authentication requests to Cisco Secure ACS.
Cisco Secure ACS verifies the username and password using the user databases it
is configured to query. Cisco Secure ACS returns a success or failure response to
the AAA client, which permits or denies user access, based on the response it
receives. When the user authenticates successfully, Cisco Secure ACS sends a set
of authorization attributes to the AAA client. The AAA client then begins
forwarding accounting information to Cisco Secure ACS.
When the user has successfully authenticated, a set of session attributes can be
sent to the AAA client to provide additional security and control of privileges;
this is authorization. These attributes might include the IP address
pool, access control list, or type of connection (for example, IP, IPX, or Telnet).
The AAA client is the enforcement point: it applies whatever attributes it
receives and understands to the session. More recently, networking vendors have
been expanding the attribute sets returned to cover an increasingly wide range
of user session provisioning.
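The exchange described above, as an added example that is not part of the Cisco guide: a minimal RADIUS (RFC 2865/2866) implementation of both roles in Python. The AAA client builds an Access-Request with the User-Password hidden under the shared secret, the server checks the credentials against a user database and answers Access-Accept (carrying authorization attributes such as a framed IP address and a filter name) or Access-Reject, the client verifies the Response Authenticator before honouring the reply, and then sends an Accounting-Request the server validates. The shared secret, the user database, the attribute values, the NAS address and all function names are constructed for this demo and are not Cisco Secure ACS code or configuration.

```python
import hashlib
import secrets
import struct
from ipaddress import IPv4Address

# RADIUS packet codes (RFC 2865/2866) and the attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FILTER_ID = 6, 7, 8, 11
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44

# Constructed sample data (not from the guide): the shared secret, the user database the
# server queries, and the authorization attributes it returns for that user on success.
SHARED_SECRET = b"constructed-shared-secret"
USER_DB = {"alice": "s3cr3t-p4ss"}
AUTHZ = {"alice": [(SERVICE_TYPE, struct.pack("!I", 2)),                  # 2 = Framed
                   (FRAMED_PROTOCOL, struct.pack("!I", 1)),               # 1 = PPP
                   (FRAMED_IP_ADDRESS, IPv4Address("10.0.0.42").packed),  # address given to the session
                   (FILTER_ID, b"dialin-acl")]}                           # ACL the client applies

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2 User-Password: XOR 16-octet blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        blk = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, request_auth):
    p = password.encode()
    return password_xor(p + b"\x00" * (-len(p) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return password_xor(hidden, secret, request_auth, False).rstrip(b"\x00").decode(errors="replace")

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5 over reply header + the request's authenticator + attributes + secret."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

# --- AAA client side (the network device) ---
def client_access_request(ident, username, password, nas_ip):
    ra = secrets.token_bytes(16)  # Request Authenticator: fresh random value per request
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, hide_password(password, SHARED_SECRET, ra)),
             (NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra

def client_check_response(pkt, ident, ra):
    """Honour the reply only if its Response Authenticator was computed with the shared secret."""
    code, rid, resp_auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, rid, ra, attrs, SHARED_SECRET)
    if rid != ident or not secrets.compare_digest(resp_auth, expected):
        return None  # forged or mismatched reply: the client denies access
    return code, attrs

def client_accounting_start(ident, username, session_id):
    """Accounting-Request (RFC 2866): authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = encode_attrs([(USER_NAME, username.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
                         (ACCT_SESSION_ID, session_id.encode())])
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + SHARED_SECRET).digest() + body

# --- AAA server side (the role Cisco Secure ACS plays) ---
def server_handle_access(pkt):
    code, ident, ra, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(a.get(USER_PASSWORD, b""), SHARED_SECRET, ra)
    ok = user in USER_DB and secrets.compare_digest(pw.encode(), USER_DB[user].encode())
    code, reply = (ACCESS_ACCEPT, AUTHZ[user]) if ok else (ACCESS_REJECT, [])
    return build_packet(code, ident, response_authenticator(code, ident, ra, reply, SHARED_SECRET), reply)

def server_verify_accounting(pkt):
    code, ident, auth, attrs = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + SHARED_SECRET).digest()
    return code == ACCT_REQUEST and secrets.compare_digest(auth, expected)

def aaa_session(username, password, nas_ip="192.0.2.10"):
    """Full exchange: returns ('accept' | 'reject', {attr_type: value}, accounting_accepted)."""
    req, ra = client_access_request(7, username, password, nas_ip)
    checked = client_check_response(server_handle_access(req), 7, ra)
    if checked is None or checked[0] != ACCESS_ACCEPT:
        return "reject", {}, False
    return "accept", dict(checked[1]), server_verify_accounting(client_accounting_start(8, username, "0001"))
```

Two points the code makes that the prose does not: the Response Authenticator is the AAA client's only assurance that an Access-Accept came from a holder of the shared secret, so a client that skips that check (or a secret that is short or reused) lets anyone on the path inject an accept with attributes of their choosing; and User-Password hiding is an MD5-keyed XOR stream, not encryption, so the secret's strength and the confidentiality of the client-to-server path carry the weight.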