Part II. Enterprise AAA and Cisco Secure Access Control Server


Chapter 4. Enterprise Authentication Servers

In this chapter, you learn the following topics:

- Cisco Secure Access Control Server software and versions
- The Cisco Secure Solution Engine

Numerous enterprise-level authentication servers are on the market today. Popular among these are Funk's Steel-Belted RADIUS server, Livingston Enterprises' RADIUS Authentication Billing Manager, and Merit Networks' RADIUS servers. While these are reputable companies with popular products, they lack the ability to combine both the TACACS+ and RADIUS protocols into a single-box solution. Fortunately, the Cisco Secure ACS for Windows Server (ACS) is a one-stop solution for authentication, authorization, and accounting (AAA) via both TACACS+ and RADIUS. This product is the focus of this chapter.



Cisco Secure Access Control Server Software and Versions

ACS provides a highly scalable, centralized user access control framework. Versions of ACS number from version 2.0 through 3.2, which is the most current version at the time of this writing. With each release of ACS, more support has been added for multiple vendors' AAA implementations, as well as for external databases. ACS has a browser-driven interface that makes configuration a simple task against a centrally located database.

ACS provides for the authentication of Cisco routers, switches, firewalls, and wireless access points. In addition to the Cisco products that ACS supports, ACS also performs authentication for Ascend, Juniper, Nortel, iPass, and other devices that support Internet Engineering Task Force (IETF) implementations of RADIUS.

Cisco Secure Access Control Servers began with what was called Easy ACS version 1.0. Since that time, the ACS product line has undergone numerous facelifts and functionality enhancements to create a product that keeps pace with the leading edge in authentication, authorization, and accounting technologies.

In the following sections, you find information about specific versions of the ACS product line.



Cisco Secure ACS for Windows Server Version 2.0

The versions of ACS discussed in this chapter begin with 2.0. ACS 2.0 for Windows NT supported the following features:

- Simultaneous TACACS+ and RADIUS support for a flexible solution
- HTML/Java graphical user interface (GUI) that simplifies and distributes configuration of user profiles, group profiles, and ACS configuration
- Help and online documentation included for quick problem solving
- Group administration of users for maximum flexibility and to facilitate enforcement and changes of security policies
- Virtual private network (VPN) support available at the origination and termination of VPN (L2F) tunnels
- Import mechanism to rapidly import a large number of users
- Hash-indexed flat file database support for high-speed transaction processing
- Windows NT database support to leverage and consolidate Windows NT username and password management
- Windows NT single login
- Runs on Windows NT standalone, PDC, and BDC servers
- Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access (ARA)
- Token card server support for Security Dynamics and Axent
- Token caching of Security Dynamics tokens for ISDN terminal adapters
- Time-of-day and day-of-week access restrictions
- User restrictions based on remote address calling line identification (CLID)
- Disabling an account on a specific date
- Disabling an account after N failed attempts
- Viewing the logged-in user list
- Windows NT Performance Monitor support for real-time statistic viewing
- Accounting and audit information stored in CSV format for convenient import into billing applications
- Simple upgrade from Cisco Secure Easy ACS v1.0



Cisco Secure ACS for Windows Server Version 2.1

The next version of ACS made available was version 2.1. The following enhancements were made:

- User/group assignment was now handled correctly by CSUtil. This was a problem in the earlier release of ACS.
- Open Database Connectivity (ODBC) threads=1 (previously a .reg patch). This sets the Access database engine to single-thread mode.
- Corrected grammar in the New-PIN mode prompt. This was also an issue in the earlier release.
- Remote administration was added.
- Supplementary User ID fields were added.
- Password support that includes Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), and AppleTalk Remote Access Password (ARAP) was added.
- Support for SafeWord and CRYPTOCard token servers was added.
- The User and Group MAX Sessions configuration options were added.
- Configurable character string stripping was added.
- Authentication forwarding was added.
- Configurable graphical user interface (GUI) was added.
- RDBMS synchronization was added.
- Database replication was added.
- System/database backup was added.
- Dialed Number Identification Service (DNIS) support was added.

This version was also Year 2000 compliant.



Cisco Secure ACS for Windows Server Version 2.3

When version 2.3 was deployed, the following new features were added:

- Password aging was added to control user password security.
- IP pools were added to provide for IP address assignment based on an address pool.
- User Changeable Passwords were implemented through a new module that allows users to browse to a URL and change their password.
- Support for the Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP).
- Support for Open Database Connectivity (ODBC) compliant databases.
- Support for Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAP).
- Per-user Terminal Access Controller Access Control System Plus (TACACS+) and/or Remote Authentication Dial-In User Service (RADIUS) attributes.
- Multilevel administration.
- The CSMonitor service was added to keep an eye on the services that are crucial to the functions of ACS.
- ACS Backup and Restore functionality was built in to provide for the backup and restoration of ACS.
- The ability to import password files from a UNIX-based device was added.
- Network Device Groups (NDGs) were added to break AAA clients into groups to ease the management of multiple AAA clients.
- Logging and reporting enhancements were added to this version.
- The ability to upgrade from all previous versions of Cisco Secure ACS for Windows NT was added.
- Support for the null password requirement of Voice over IP (VoIP) was also added to this version.



Cisco Secure ACS for Windows Server Versions 2.4 and 2.5

Later, versions 2.4 and 2.5 were released. In an effort to provide support for Windows 2000, release 2.5 was the first version that could be run on a Windows 2000 server.



Cisco Secure ACS for Windows Server Version 2.6

Version 2.6 is a Windows NT/2000 release that included added support for the following:

- A wider range of token servers, such as Security Dynamics, Inc. ACE/Server version 4.1 and ACE/Client version 1.1 for Windows 2000; CRYPTOAdmin version 5.0 (build 27); Axent Defender versions 4.0.3 and 4.1.0; and Secure Computing SafeWord version 5.1.1.
- Novell client 4.6 for Windows NT and Novell client 4.7 for Windows 2000.
- 128-bit encryption with Microsoft Dial-Up Networking; Windows 2000 Service Pack 1 is required.

The last revision of the 2.6 version was 2.6.4. This version is still widely used in today's enterprise networks.



Cisco Secure ACS for Windows Server Version 3.0

The next version in the ACS product line was version 3.0. ACS version 3.0 was designed for Windows NT/2000 and introduced some new functions, which are included in the following list:

- 802.1x support was added.
- Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) support was added.
- Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) support was added.
- Command authorization sets were added.
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 support was added.

These were considered to be the major features that were added. Other minor features were added to ACS that deserve mentioning. These include the following:

- Per-user access control lists
- Shared Network Access Restrictions (NARs)
- Wildcards in the NAR
- Multiple devices per AAA client configuration
- Multiple Lightweight Directory Access Protocol (LDAP) lookups and LDAP failover
- User-defined RADIUS vendor-specific attributes

Many of these features are configured throughout the course of this book.



Cisco Secure ACS for Windows Server Version 3.1

The next version available was ACS version 3.1. ACS version 3.1 added the following features:

- Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) support: PEAP provides stronger security, greater extensibility, and support for one-time token authentication and password aging. Cisco's stated goal for its PEAP implementation is to replace Lightweight Extensible Authentication Protocol (LEAP) client/server user authentication services with the standards-based, nonproprietary PEAP protocol for wireless user authentication. PEAP provides enhanced security and richer extensibility of end-user databases than LEAP can provide.
- Secure Sockets Layer (SSL) support for administrative access: Administrative access to the Cisco Secure ACS HTML interface can be secured with SSL. This provides certificate-based server authentication and an encrypted tunnel, so that administrator credentials and configuration changes no longer cross the network in the clear.
- CHPASS improvements: Cisco Secure ACS allows you to control whether network administrators can change passwords during Telnet sessions hosted by TACACS+ AAA clients.
- Improved IP pool addressing: Cisco Secure ACS uses the IETF RADIUS Class attribute as an additional index for user sessions. This reduces the chance of allocating an IP address that is still in use but was incorrectly reported to Cisco Secure ACS as released.
- Network device search: You can search for a configured network device based on the device name, IP address, type (AAA client or AAA server), and network device group. This feature is particularly useful if you are managing several network devices.
- Improved Public Key Infrastructure (PKI) support: During EAP-TLS authentication, Cisco Secure ACS can perform a binary comparison of the certificate received from an end-user client against user certificates stored in LDAP directories.
- EAP proxy enhancements: Cisco Secure ACS supports LEAP and EAP-TLS proxy to other RADIUS or external databases using EAP over standard RADIUS. Previous versions of Cisco Secure ACS relied on LEAP proxy using MS-CHAP over RADIUS proxy, making it more difficult to scale over an extended range of external user databases.
- Cisco Management Center application support: Cisco Secure ACS provides a consolidated administrative TACACS+ control framework for many Cisco security management tools, such as CiscoWorks VPN/Security Management Solution (VMS) and CiscoWorks Management Centers.
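The Class-attribute indexing described under "Improved IP pool addressing" is easiest to understand by replaying the race it prevents. The following Python is an added illustration written for this page, not Cisco Secure ACS code. It assumes that the server places an opaque per-session token (here of the form ACS:<n>, a format chosen for the example) in the Class attribute of the Access-Accept, that the NAS echoes that token unchanged in every Accounting-Request for the session as RFC 2865 requires, and that released addresses are reused most-recent-first, which makes the problem visible with a two-address pool. The scenario is the failure mode the text names: a retransmitted Accounting-Stop from a finished session arrives after the address has already been handed to a new session.

```python
"""Address-pool allocator indexed by the RADIUS Class attribute.

Added example, not Cisco Secure ACS source. Assumptions (not from the page):
the server puts an opaque token in the Class attribute (IETF RADIUS type 25)
of the Access-Accept, the NAS echoes it in every Accounting-Request for that
session as RFC 2865 requires, and released addresses are reused most-recent-first.
"""
import ipaddress
import itertools
from typing import Dict, List, Optional, Tuple

RADIUS_ATTR_CLASS = 25  # RFC 2865 section 5.25, echoed by the NAS in accounting


class IPPool:
    """Pool whose leases are keyed by address *and* the session's Class value."""

    def __init__(self, network: str, index_by_class: bool = True) -> None:
        hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self._free: List[str] = hosts[::-1]            # stack: lowest address on top
        self._leases: Dict[str, Tuple[str, str]] = {}  # ip -> (user, class value)
        self._index_by_class = index_by_class
        self._session_ids = itertools.count(1)

    def allocate(self, user: str) -> Tuple[str, str]:
        """Hand out an address and the Class token to send in the Access-Accept."""
        if not self._free:
            raise RuntimeError("pool exhausted")
        ip = self._free.pop()
        class_value = f"ACS:{next(self._session_ids)}"  # assumed token format
        self._leases[ip] = (user, class_value)
        return ip, class_value

    def release(self, ip: str, class_value: Optional[str]) -> bool:
        """Process an Accounting-Stop. Returns True only if the address was freed."""
        lease = self._leases.get(ip)
        if lease is None:
            return False                 # nothing leased: duplicate or unknown Stop
        if self._index_by_class and lease[1] != class_value:
            return False                 # Stop belongs to an earlier session; ignore
        del self._leases[ip]
        self._free.append(ip)            # most recently released is reused first
        return True

    def holder(self, ip: str) -> Optional[str]:
        """User currently leasing ip, or None if it is free."""
        lease = self._leases.get(ip)
        return lease[0] if lease else None


def stale_stop_scenario(index_by_class: bool) -> Dict[str, object]:
    """Replay a late Accounting-Stop retransmission against the pool.

    Sequence: alice starts and stops; bob gets alice's old address; the NAS
    retransmits alice's Stop and it arrives again; carol then logs in.
    """
    pool = IPPool("192.0.2.0/30", index_by_class)         # two usable addresses
    ip_alice, class_alice = pool.allocate("alice")
    pool.release(ip_alice, class_alice)                   # normal Stop for alice
    ip_bob, _ = pool.allocate("bob")                      # reuses alice's address
    stale_honoured = pool.release(ip_alice, class_alice)  # retransmitted Stop
    ip_carol, _ = pool.allocate("carol")
    return {
        "bob": ip_bob,
        "carol": ip_carol,
        "stale_stop_honoured": stale_honoured,
        "duplicate_assignment": ip_bob == ip_carol,
    }


if __name__ == "__main__":
    for mode in (False, True):
        label = "Class-indexed" if mode else "address-only"
        print(label, stale_stop_scenario(mode))
```

With address-only tracking the retransmitted Stop frees bob's address and carol is given the same one; with the Class value as a second key the stale Stop no longer matches the current lease and is ignored. The practical caveat is that this protection depends on the NAS returning the Class attribute unmodified: a device that strips or rewrites it degrades the pool to address-only behaviour.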

ACS version 3.1 also addressed a highly requested feature: being able to access the management interface from outside a firewall. In version 3.1, a function was added that uses the domain name and translates the IP address in the packet. Exposing the administrative interface beyond the firewall makes the SSL support added in the same release a practical requirement rather than an option.

In addition to these additions and changes, Cisco also changed the way that ACS supports token servers. In previous versions of ACS, token server support was based on proprietary interfaces. In ACS version 3.1.1, all token servers except RSA SecurID are supported using RADIUS.



NOTE

The CRYPTOCard OTP interface was included in version 3.0; however, it uses RADIUS rather than the CRYPTOCard proprietary protocol interface. In 3.1.1, the CRYPTOCard


