User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter3 ACS 5.x Policy Model
Access Services
ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For
ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See
Configuring General Access Service Properties, page 10-13 for information on how to configure a
RADIUS proxy service.
For more information on proxying RADIUS and TACACS+ requests, see RADIUS and TACACS+ Proxy
Requests, page 4-29.
Related Topics
Policy Terminology, page 3-3
Types of Policies, page 3-5
Flows for Configuring Services and Policies, page 3-19
Identity Policy
Two primary mechanisms define how a request is authenticated and which source is used to authenticate it:
Password-based—Authentication is performed against a database after the user enters a username
and password. Hosts can bypass this authentication by supplying a MAC address (host lookup). For the
purposes of the identity policy, host lookup is also treated as password-based.
Certificate-based—The client presents a certificate to authenticate the session. In ACS 5.4,
certificate-based authentication occurs when the PEAP-TLS or EAP-TLS protocol is selected.
In addition, databases can be used to retrieve attributes for the principal in the request.
The identity source is one result of the identity policy and can be one of the following types:
Deny Access—Access is denied to the user and no authentication is performed.
Identity Database—Single identity database. When a single identity database is selected as the result
of the identity policy, either an external database (LDAP or AD) or an internal database (users or
hosts) is selected as the result.
The database selected is used to authenticate the user/host and to retrieve any defined attributes
stored for the user/host in the database.
Certificate Authentication Profile—Contains information about the structure and content of the
certificate, and specifically maps a certificate attribute to the internal username. For certificate-based
authentication, you must select a certificate authentication profile.
For certificate-based requests, the entity that identifies itself with a certificate holds the private
key corresponding to the public key stored in the certificate. The certificate authentication profile
extends the basic PKI processing by defining the following:
The certificate attribute used to define the username. You can select a subset of the certificate
attributes to populate the username field for the context of the request. The username is then
used to identify the user for the remainder of the request, including the identification used in the
logs.
The LDAP or AD database to use to verify the revocation status of the certificate. When you
select an LDAP or AD database, the certificate stored in the LDAP or AD database is retrieved
and compared against the certificate presented by the client, which provides additional
verification of the client certificate.
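The following is an added example, not ACS code, that models the identity policy decision described in this section: rules are evaluated in order, the first match selects the identity source (Deny Access, an identity database, or a certificate authentication profile), and the selected source is then applied. The certificate authentication profile takes the username from a chosen certificate attribute and, when an LDAP or AD database is configured, compares the presented certificate with the stored copy byte for byte. Requests, rule conditions, the database contents and the certificate fields are constructed dictionaries; key names such as "eap_method", "subject_cn" and "der", and the database names AD1 and CAP1, are assumptions made for this illustration.

```python
# Added example (not ACS code): a small model of the identity-policy decision.
# Requests, rules and certificate contents are constructed dictionaries; key
# names such as "eap_method", "subject_cn" and "der" are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional, Union

DENY_ACCESS = "Deny Access"


@dataclass
class IdentityDatabase:
    """An internal (users/hosts) or external (LDAP/AD) database: name -> record."""
    name: str
    records: dict


@dataclass
class CertificateAuthenticationProfile:
    """Maps one certificate attribute to the username and optionally compares the
    presented certificate with the copy held in an LDAP/AD database."""
    name: str
    username_attribute: str
    compare_with: Optional[IdentityDatabase] = None


IdentitySource = Union[str, IdentityDatabase, CertificateAuthenticationProfile]


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    result: IdentitySource


def select_identity_source(request: dict, rules: list, default: IdentitySource) -> IdentitySource:
    """Identity policy: the first rule whose condition matches wins, else the default."""
    for rule in rules:
        if rule.condition(request):
            return rule.result
    return default


def authenticate(request: dict, source: IdentitySource):
    """Apply the selected identity source. Returns (ok, username, attributes)."""
    if source == DENY_ACCESS:
        return False, None, {}

    if isinstance(source, IdentityDatabase):
        # Password-based; a host lookup keyed by MAC address follows the same path.
        username = request.get("username") or request.get("mac")
        record = source.records.get(username)
        if record is None:
            return False, username, {}
        if "password" in record and record["password"] != request.get("password"):
            return False, username, {}
        return True, username, record.get("attrs", {})

    if isinstance(source, CertificateAuthenticationProfile):
        # Proof that the client holds the matching private key belongs to the
        # TLS handshake and is assumed to have succeeded before this point.
        cert = request.get("certificate")
        if cert is None:
            return False, None, {}
        username = cert["attributes"].get(source.username_attribute)
        if not username:
            return False, None, {}
        if source.compare_with is None:
            return True, username, {}
        record = source.compare_with.records.get(username, {})
        # Binary comparison of the presented certificate with the stored copy.
        if record.get("certificate_der") != cert["der"]:
            return False, username, {}
        return True, username, record.get("attrs", {})

    raise TypeError(f"unknown identity source: {source!r}")


# Constructed sample configuration (stand-in values, not real certificates).
ALICE_DER = b"\x30\x82\x01\x00-alice-cert-bytes"
INTERNAL_HOSTS = IdentityDatabase("Internal Hosts", {
    "00-11-22-33-44-55": {"attrs": {"device": "printer"}},
})
AD1 = IdentityDatabase("AD1", {
    "alice": {"certificate_der": ALICE_DER, "attrs": {"group": "Engineering"}},
    "bob": {"password": "s3cret", "attrs": {"group": "Sales"}},
})
CAP1 = CertificateAuthenticationProfile("CAP1", "subject_cn", compare_with=AD1)

RULES = [
    Rule("cert-based", lambda r: r.get("eap_method") in ("EAP-TLS", "PEAP-TLS"), CAP1),
    Rule("host-lookup", lambda r: "mac" in r and "username" not in r, INTERNAL_HOSTS),
    Rule("password-based", lambda r: "username" in r, AD1),
]


def evaluate(request: dict):
    """Run the identity policy, then the selected source, for one request."""
    source = select_identity_source(request, RULES, DENY_ACCESS)
    ok, username, attrs = authenticate(request, source)
    name = source if isinstance(source, str) else source.name
    return name, ok, username, attrs


if __name__ == "__main__":
    cert = {"der": ALICE_DER, "attributes": {"subject_cn": "alice"}}
    print(evaluate({"eap_method": "EAP-TLS", "certificate": cert}))
    print(evaluate({"username": "bob", "password": "s3cret"}))
    print(evaluate({"mac": "00-11-22-33-44-55"}))
    print(evaluate({}))
```

Two points the model makes visible: a certificate whose subject names a known user but whose bytes differ from the directory copy is rejected by the profile comparison, and a request that matches no rule falls through to the default result, so configuring Deny Access as the default is what keeps unexpected request types from reaching a database.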