CHAPTE R
4-1
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
4
Common Scenarios Using ACS
Network control refers to the process of controlling access to a network. Traditionally a username and
password was used to authenticate a user to a network. Now a days with the rapid technological
advancements, the traditional method of managing network access with a username and a password is
no longer sufficient.
The ways in which the users can access the network and what they can access have changed considerably.
Hence, you must define complex and dynamic policies to control access to your network.
For example, earlier, a user was granted access to a network and authorized to perform certain actions
based on the group that the user belonged to. Now, in addition to the group that th e user belongs to, you
must also consider other factors, such as whether:
The user is trying to gain access within or outside of work hours.
The user is attempting to gain access remotely.
The user has full or restricted access to the services and resources.
Apart from users, you also have devices that attempt to connect to your network.
When users and devices try to connect to your network through network access servers, such as wireless
access points, 802.1x switches, and VPN servers, ACS authenticates and authorizes the request before a
connection is established.
Authentication is the process of verifying the identity of the user or device that attempts to connect to a
network. ACS receives identity proof from the user or device in the form of credentials. There are two
different authentication methods:
Password-based authentication—A simpler and easier way of authenticating users. The use r enters
a username and password. The server checks for the username and password in its internal or
external databases and if found, grants access to the user. The level of access (authorization) is
defined by the rules and conditions that you have created.
Certificate-based authentication—ACS supports certificate-based authentication with the use of the
Extensible Authentication Protocol-Transport Level Security (EAP-TLS) and Protected Extensible
Authentication Protocol-Transport Level Security (PEAP-TLS), which uses certificates for server
authentication by the client and for client authentication by the server.
Certificate-based authentication methods provide stronger security and are recommended when
compared to password-based authentication methods.
Authorization determines the level of access that is granted to the user or device. The rule-based policy
model in ACS 5.x allows you to define complex conditions in rules. ACS uses a set of rules (policy) to
evaluate an access request and to return a decision.