Chapter 2 Deploying Cisco Secure ACS
Basic Deployment Factors for Cisco Secure ACS
2-14
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Cisco Secure ACS remote access policy provides control by using central
authentication and authorization of remote users. The CiscoSecure user database
maintains all user IDs, passwords, and privileges. Cisco Secure ACS access
policies can be downloaded in the form of ACLs to network access servers such
as the Cisco AS5300 Network Access Server, or by allowing access during
specific periods, or on specific access servers.
The remote access policy is part of the overall corporate security policy.
Security Policy
We recommend that every organization that maintains a network develop a
security policy for the organization. The sophistication, nature, and scope of your
security policy directly affect how you deploy Cisco Secure ACS.
For more information about developing and maintaining a comprehensive
security policy, refer to the following documents:
•
Network Security Policy: Best Practices White Paper
•
Delivering End-to-End Security in Policy-Based Networks
•
Cisco IOS Security Configuration Guide
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative
access to network devices depends directly on the size of the network and the
number of administrators required to maintain the network. Local authentication
on a network device can be performed, but it is not scalable. The use of network
management tools can help in large networks, but if local authentication is used
on each network device, the policy usually consists of a single login on the
network device.This does not promote adequate network device security. Using
Cisco Secure ACS allows a centralized administrator database, and
administrators can be added or deleted at one location. is the
recommended AAA protocol for controlling AAA client administrative access
because of its ability to provide per-command control (command authorization)
of AAA client administrator access to the device. RADIUS is not well-suited for
this purpose because of the one-time transfer of authorization information at time
of initial authentication.