Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
1-16
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
groups different levels of service. For example, standard dial-up users might not
have the same access privileges as premium customers and users. You can also
differentiate by levels of security, access times, and services.
The Cisco Secure ACS access restrictions feature enables you to permit or deny
logins based on time-of-day and day-of-week. For example, you could create a
group for temporary accounts that can be disabled on specified dates. This would
make it possible for a service provider to offer a 30-day free trial. The same
authorization could be used to create a temporary account for a consultant with
login permission limited to Monday through Friday, 9 A.M. to 5 P.M.
You can restrict users to a service or combination of services such as PPP,
AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or
EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols,
such as IP and IPX, and you can apply individual access lists. Access lists on a
per-user or per-group basis can restrict users from reaching parts of the network
where critical information is stored or prevent them from using certain services
such as File Transfer Protocol (FTP) or Simple Network Management Protocol
(SNMP).
One fast-growing service being offered by service providers and adopted by
corporations is a service authorization for Virtual Private Dial-Up Networks
(VPDNs). Cisco Secure ACS can provide information to the network device for a
specific user to configure a secure tunnel through a public network such as the
Internet. The information can be for the access server (such as the home gateway
for that user) or for the home gateway router to validate the user at the customer
premises. In either case, Cisco Secure ACS can be used for each end of the
VPDN.
Max Sessions
Max Sessions is a useful feature for organizations that need to limit the number
of concurrent sessions available to either a user or a group:
•
User Max Sessions—For example, an Internet service provider can limit
each account holder to a single session.
•
Group Max Sessions—For example, an enterprise administrator can allow
the remote access infrastructure to be shared equally among several
departments and limit the maximum number of concurrent sessions for all
users in any one department.