All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.Page 1 of 5
DATA SHEET
CISCO SECURE ACCESS CONTROL SERVER 4.0 FOR WINDOWS

Cisco® Secure Access Control Server provides a comprehensive identity-based access control solution for Cisco intelligent information networks. It is the integration and control layer for managing enterprise network users, administrators, and the resources of the network infrastructure.
PRODUCT OVERVIEW
With an ever-increasing number of methods for accessing networks today, security breaches and uncontrolled user access are a primary concern among enterprises. With the wide adoption of IEEE 802.11 wireless LANs and ubiquitous broadband Internet connections, security challenges exist not only at the perimeter, but also inside a network. Identity networking technologies that can mitigate these security vulnerabilities have become of prime interest to customers worldwide. Stronger forms of authentication, such as public key infrastructure (PKI) and one-time passwords (OTPs), are increasingly used to control user access to corporate resources from public networks. Network administrators look for solutions that provide flexible authorization policies that are tied to the user identity, as well as to the network access type and the security of the machine used to access the network. Lastly, the ability to centrally track and monitor the connectivity of network users is of primary importance in isolating unwanted and excessive use of valuable network resources.

Cisco® Secure ACS (ACS) is a highly scalable, high-performance access control server that operates as a centralized RADIUS and TACACS+ server. Cisco Secure ACS extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution, allowing greater flexibility and mobility, increased security, and user productivity gains. It enforces a uniform security policy for all users regardless of how users access the network. It reduces the administrative and management burden involved in scaling user and network administrator access to the network. By using a central database for all user accounts, Cisco Secure ACS centralizes the control of all user privileges and distributes them to hundreds or thousands of access points throughout the network. As an accounting service, Cisco Secure ACS provides detailed reporting and monitoring capabilities of network users' behavior and keeps a record of every access connection and device configuration change across the entire network. This feature has become extremely important for organizations in complying with Sarbanes-Oxley regulations. Cisco Secure ACS supports a broad variety of access connections, including wired and wireless LAN, dialup, broadband, content, storage, voice over IP (VoIP), firewalls, and VPNs.

Cisco Secure ACS is an important component of the Cisco Identity-Based Networking Services (IBNS) architecture. Cisco IBNS is based on port-security standards such as 802.1X (an IEEE standard for port-based network access control) and Extensible Authentication Protocol (EAP), and extends security authentication, authorization, and accounting (AAA) from the perimeter of the network to every connection point inside the LAN. New policy controls (such as per-user quotas, VLAN assignments, and access-control lists [ACLs]) can be deployed within this new architecture, due to the extended capabilities of Cisco switches and wireless access points to query Cisco Secure ACS over the RADIUS protocol.

Cisco Secure ACS is also an important component of Cisco Network Admission Control (NAC). Cisco NAC is an industry initiative sponsored by Cisco Systems® that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses and worms. With NAC, customers can allow network access only to compliant and trusted endpoint devices (for instance, PCs, servers, and personal digital assistants) and can restrict the access of noncompliant devices. Cisco NAC is part of the Cisco Self-Defending Network initiative and is the foundation for enabling network admission control on Layer 2 and Layer 3 networks. Future phases extend endpoint and network security interoperation to include dynamic incident-containment capabilities. This innovation enables compliant system elements to report misuse emanating from rogue or infected systems during an attack. Thus, infected systems can be dynamically quarantined from the rest of the network to significantly reduce virus, worm, and blended threat propagation.

Cisco Secure ACS is a powerful access control server with many high-performance and scalability features for any organization growing its WAN or LAN connectivity. Table 1 lists the main benefits of Cisco Secure ACS.
Table 1. Main Cisco Secure ACS Benefits

Benefit: Description

Ease of Use: A Web-based user interface simplifies and distributes configuration for user profiles, group profiles, and Cisco Secure ACS configuration.

Scalability: Cisco Secure ACS is built to support large networked environments with support for redundant servers, remote databases, and database replication and backup services.

Extensibility: Lightweight Directory Access Protocol (LDAP) authentication forwarding supports the authentication of user profiles stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.

Management: Windows Active Directory support consolidates Windows user name and password management and uses the Windows Performance Monitor for real-time statistics viewing.

Administration: Different access levels for each Cisco Secure ACS administrator, and the ability to group network devices, enable easier control and maximum flexibility to facilitate enforcement and changes of security policy administration over all the devices in a network.

Product Flexibility: Because Cisco IOS® Software has embedded support for AAA, Cisco Secure ACS can be used across virtually any network access server that Cisco sells (the Cisco IOS Software release must support RADIUS or TACACS+).

Integration: Tight coupling with Cisco IOS routers and VPN solutions provides features such as Multichassis Multilink Point-to-Point Protocol (PPP) and Cisco IOS Software command authorization.

Third-Party Support: Cisco Secure ACS offers token server support for any OTP vendor that provides an RFC-compliant RADIUS interface (such as RSA, PassGo, Secure Computing, ActiveCard, Vasco, or CryptoCard).

Control: Cisco Secure ACS provides dynamic quotas for time-of-day, network use, number of logged sessions, and day-of-week access restrictions.
FEATURES AND BENEFITS
Cisco Secure ACS 4.0 provides the following new features and benefits:

Cisco NAC support—Cisco Secure ACS 4.0 acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates the credentials received from the Cisco Trust Agent, determines the state of the host, and sends a per-user authorization to the network access device: ACLs, a policy-based ACL, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific policies, such as OS patch level and antivirus DAT file version. Cisco Secure ACS records the policy evaluation results for use with your monitoring system. Cisco Secure ACS 4.0 also allows hosts without the appropriate agent technology to be audited by third-party audit vendors before granting network access. Cisco Secure ACS policies can be extended with external policy servers to which Cisco Secure ACS forwards credentials. For example, credentials specific to an antivirus vendor can be forwarded to the vendor's antivirus policy server, and audit policy requests can be forwarded to audit vendors.

Scalability improvements—Cisco Secure ACS 4.0 has been upgraded to use an industry-standard relational database management system (RDBMS), increasing the number of supported devices (AAA clients) by 10x and the number of supported users by 3x. There have also been significant improvements in performance (transactions per second) across the protocol portfolio that Cisco Secure ACS supports.

Profile-based policies—Cisco Secure ACS 4.0 supports a new feature called network access profiles, which allow administrators to classify access requests according to network location, membership in a network device group, protocol type, or other specific RADIUS attribute values sent by the network device through which the user connects. Authentication, access control, and authorization policies can be mapped to specific profiles. An example of a profile-based policy is the ability to apply a different access policy for wireless access versus remote (VPN) access.

Extended replication components—Cisco Secure ACS 4.0 has improved and enhanced replication. Administrators now have the capability to replicate network access profiles and all related configuration, including posture validation settings, AAA clients and hosts, external database configuration, global authentication configuration, network device groups, dictionaries, shared profile components, and additional logging attributes.

EAP-Flexible Authentication via Secure Tunneling (FAST) enhanced support—EAP-FAST is a new, publicly available EAP type developed by Cisco for IEEE 802.1X. It supports customers that cannot enforce a strong password policy or that wish to deploy an 802.1X EAP type that does not require digital certificates, supports a variety of user and password database types, supports password expiration and change, and is flexible, easy to deploy, and easy to manage. Because the password exchange is carried inside a TLS tunnel, a customer that cannot enforce a strong password policy and does not want to use certificates can migrate to EAP-FAST for protection from offline dictionary attacks on captured authentication traffic. Cisco Secure ACS 4.0 adds support for EAP-FAST supplicants available on a wide variety of wireless client adapters.

Downloadable IP ACLs—Cisco Secure ACS 4.0 extends per-user ACL support to any Layer 3 network device that supports this feature. This includes Cisco PIX® security appliances, Cisco VPN solutions, and Cisco IOS routers. You can define sets of ACLs that can be applied per user or per group. This feature complements NAC support by enabling the enforcement of the correct ACL policy. When used in conjunction with network access filters, downloadable ACLs can be applied differently per device, allowing you to tailor ACLs uniquely per user or per access device.

Certificate Revocation List (CRL) comparison—Cisco Secure ACS 4.0 supports certificate revocation checking using the X.509 CRL profile. A CRL is a time-stamped list identifying revoked certificates, which is signed by a certificate authority or CRL issuer and made freely available in a public repository. Cisco Secure ACS 4.0 periodically retrieves the CRLs from provisioned CRL distribution points, using LDAP or HTTP, and stores them for use during EAP-Transport Layer Security (EAP-TLS) authentication. If the certificate presented by the user during an EAP-TLS authentication is present in the retrieved CRL, Cisco Secure ACS fails the authentication and denies access to the user. Because the check runs against the stored copy, a certificate revoked after the last retrieval is still accepted until the next refresh, so the retrieval interval bounds how quickly a revocation takes effect. This capability is extremely important in view of frequent organizational changes, and protects valuable company assets in case of fraudulent network use.

Machine access restrictions—Cisco Secure ACS 4.0 includes machine access restrictions as an enhancement of Windows machine authentication. When Windows machine authentication is enabled, you can use machine access restrictions to control authorization of EAP-TLS and Microsoft Protected Extensible Authentication Protocol (PEAP) users who authenticate with a Windows external user database. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and which you can configure to limit authorization as needed. Alternatively, you can deny network access altogether.

Network Access Filter (NAF)—Cisco Secure ACS 4.0 includes NAFs as a new type of shared profile component. A NAF provides a flexible way of applying network-access restrictions and downloadable ACLs on network device names, network device groups, or their IP addresses. NAFs applied by IP address can use IP address ranges and wildcards. This feature introduces granular application of network access restrictions and downloadable ACLs, both of which previously supported only the use of the same access restrictions or ACLs for all devices. NAFs allow flexible network device restriction policies to be defined, a requirement common in large environments.
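The profile-based policies, downloadable ACLs, machine access restrictions, and NAFs described above combine into one authorization decision per RADIUS request. The following Python model is an added example written for this page; it is not Cisco code, and ACS is configured through its Web interface rather than scripted like this. It assumes the standard RADIUS attribute names NAS-IP-Address and NAS-Port-Type, and every profile, NAF, device, group, and ACL name in it (Branch-Wireless, DC-VPN, Employee, Remediation, and so on) is invented. It shows how a request is classified by device group and port type, how a NAF selects which ACL body a given device receives, and how a stale machine authentication downgrades the user to the restricted ACL.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class NAF:
    """Network access filter: match AAA clients by name, device group or IP range."""
    name: str
    devices: frozenset = frozenset()
    groups: frozenset = frozenset()
    networks: tuple = ()        # ipaddress networks; ranges/wildcards expressed as CIDR here

    def matches(self, device, group, nas_ip):
        ip = ipaddress.ip_address(nas_ip)
        return (device in self.devices or group in self.groups
                or any(ip in net for net in self.networks))


@dataclass
class DownloadableACL:
    """Named ACL with one ACE list per NAF; the first matching entry is downloaded."""
    name: str
    contents: tuple             # ((NAF or None, (ace, ...)), ...); None means any device

    def for_device(self, device, group, nas_ip):
        for naf, aces in self.contents:
            if naf is None or naf.matches(device, group, nas_ip):
                return list(aces)
        return None             # no entry applies: the device gets no ACL at all


@dataclass
class Profile:
    """Network access profile: classification by device group and NAS-Port-Type."""
    name: str
    device_groups: frozenset
    port_types: frozenset
    acl: DownloadableACL
    restricted_acl: DownloadableACL   # used when the machine-auth window has lapsed

    def selects(self, req):
        return (req["device_group"] in self.device_groups
                and req["NAS-Port-Type"] in self.port_types)


def classify(profiles, req):
    """Profiles are an ordered list; the first one whose conditions match wins."""
    for p in profiles:
        if p.selects(req):
            return p
    return None


def authorize(profiles, req, last_machine_auth, now, max_age=timedelta(hours=8)):
    """Decide one request: reject if no profile matches, else pick the ACL and its body."""
    profile = classify(profiles, req)
    if profile is None:
        return {"decision": "reject", "profile": None, "acl": None, "aces": None}
    # machine access restriction: no machine auth, or one older than max_age, downgrades
    restricted = last_machine_auth is None or now - last_machine_auth > max_age
    acl = profile.restricted_acl if restricted else profile.acl
    aces = acl.for_device(req["device"], req["device_group"], req["NAS-IP-Address"])
    return {"decision": "accept", "profile": profile.name, "restricted": restricted,
            "acl": acl.name, "aces": aces}


# --- constructed sample configuration and requests (invented, not a real deployment) ---
BRANCH_WIFI = NAF("Branch-Wireless", networks=(ipaddress.ip_network("10.10.0.0/16"),))
VPN_GW = NAF("DC-VPN", devices=frozenset({"vpn-fw-01"}))

EMPLOYEE_ACL = DownloadableACL("Employee", (
    (BRANCH_WIFI, ("permit tcp any host 10.20.1.5 eq 443", "deny ip any any")),
    (VPN_GW, ("permit ip any 10.20.0.0 0.0.255.255", "deny ip any any")),
))
REMEDIATION_ACL = DownloadableACL("Remediation", (
    (None, ("permit tcp any host 10.20.1.10 eq 443", "deny ip any any")),
))

PROFILES = (
    Profile("Wireless", frozenset({"Branch-APs"}), frozenset({"Wireless-802.11"}),
            EMPLOYEE_ACL, REMEDIATION_ACL),
    Profile("VPN", frozenset({"VPN-Gateways"}), frozenset({"Virtual"}),
            EMPLOYEE_ACL, REMEDIATION_ACL),
)

NOW = datetime(2005, 11, 1, 9, 0, tzinfo=timezone.utc)
WIFI_REQ = {"device": "ap-branch-07", "device_group": "Branch-APs",
            "NAS-IP-Address": "10.10.5.2", "NAS-Port-Type": "Wireless-802.11"}
VPN_REQ = {"device": "vpn-fw-01", "device_group": "VPN-Gateways",
           "NAS-IP-Address": "192.0.2.10", "NAS-Port-Type": "Virtual"}
ROGUE_REQ = {"device": "sw-lobby-01", "device_group": "Unmanaged",
             "NAS-IP-Address": "10.99.0.1", "NAS-Port-Type": "Ethernet"}


def demo():
    """Healthy wireless user, VPN user with no machine auth, and an unknown device."""
    return (authorize(PROFILES, WIFI_REQ, NOW - timedelta(hours=1), NOW),
            authorize(PROFILES, VPN_REQ, None, NOW),
            authorize(PROFILES, ROGUE_REQ, NOW, NOW))


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The case worth checking in a real deployment is the one where a profile matches but no NAF entry of the selected ACL covers the device: the user is accepted with no ACL downloaded, which is the permissive failure mode the model exposes by returning `aces` of `None`. A catch-all entry (NAF `None`) at the end of every downloadable ACL, as in the Remediation ACL above, avoids that gap.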

Additional support of Cisco hardware devices—Cisco Secure ACS 4.0 includes support for Cisco wireless LAN controllers and Cisco adaptive security appliances.