
2-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 2      Deployment Considerations
Basic Deployment Factors for Cisco Secure ACS
Cisco Secure ACS remote access policies provide control by centrally 
authenticating and authorizing remote users. The CiscoSecure user database 
maintains all user IDs, passwords, and privileges. Cisco Secure ACS can enforce 
access policies by downloading them in the form of ACLs to network access servers 
such as the Cisco AS5300 Network Access Server, by allowing access only during 
specific periods, or by allowing access only on specific access servers.
Remote access policies are part of the overall corporate security policy.
Security Policy
We recommend that every organization that maintains a network develop a 
security policy for the organization. The sophistication, nature, and scope of your 
security policy directly affect how you deploy Cisco Secure ACS.
For more information about developing and maintaining a comprehensive security 
policy, refer to the following documents:
• Network Security Policy: Best Practices White Paper
• Delivering End-to-End Security in Policy-Based Networks
• Cisco IOS Security Configuration Guide
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative 
access to network devices depends directly on the size of the network and the 
number of administrators required to maintain the network. Local authentication 
on a network device can be performed, but it is not scalable. The use of network 
management tools can help in large networks, but if local authentication is used 
on each network device, the policy usually consists of a single login on the 
network device. This does not promote adequate network device security. Using 
Cisco Secure ACS allows a centralized administrator database, and administrators 
can be added or deleted at one location. TACACS+ is the recommended AAA 
protocol for controlling AAA client administrative access because of its ability to 
provide per-command control (command authorization) of AAA client 
administrator access to the device. RADIUS is not well suited for this purpose 
because it transfers authorization information only once, at the time of initial 
authentication, so it cannot evaluate individual commands afterwards.
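As an added example that is not part of this guide, the following Cisco IOS AAA configuration shows what the per-command control described above looks like on the AAA client side: logins, exec authorization, every command, and command accounting are all sent to Cisco Secure ACS over TACACS+, with the local database used only as a fallback when no TACACS+ server answers. The server address, shared key, loopback interface, and local account are constructed placeholders, not values from the guide.

```text
! Added example (not from the Cisco guide). Cisco IOS configuration that hands
! administrative AAA to Cisco Secure ACS over TACACS+. Server address and shared
! key are constructed placeholders.
aaa new-model
!
! Reach ACS over TACACS+ (TCP/49). A fixed source address keeps the AAA client
! entry on ACS valid regardless of which interface the device exits from.
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
ip tacacs source-interface Loopback0
!
! Authenticate administrators against ACS. The "local" method is used only when
! no TACACS+ server is reachable, not when ACS rejects the credentials, so a
! local account is required to avoid a lockout if ACS is down.
username emergency-admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
aaa authentication login default group tacacs+ local
!
! Authorize the exec shell (privilege level) at login, then authorize each
! command individually. These "commands" lines are the per-command control
! that TACACS+ offers and RADIUS cannot provide. config-commands keeps
! configuration-mode commands under the same check (the default, stated here).
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Record the session and every command so ACS holds the audit trail.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Administrative access only over SSH; the default method lists above apply to
! these lines automatically.
line vty 0 4
 transport input ssh
```

Because the `default` method lists apply to all lines, each command an administrator types is sent to ACS for a permit or deny decision before it executes, and ACS logs it. When enabling this, keep an existing session open and verify from a second session that the ACS entry for the device and the shared key are correct before closing the first; a mismatched key fails every authorization and leaves only the local fallback account.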