4-2
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter4 Common Scenarios Usin g ACS
Overview of Device Administration
ACS organizes a sequence of independent policies into an access service, which is used to process an
access request. You can create multiple access services to process different kinds of access requests; for
example, for device administration or network access.
Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network
services and resources (including devices, such as IP phones, printers, and so on). ACS 5.4 is a
policy-based access control system that allows you to create complex policy conditions and helps you to
comply with the various Governmental regulations.
When you deploy ACS in your network, you must choose an appropriate authentication method that
determines access to your network.
This chapter provides guidelines for some of the common scenarios. This chapter contains:
Overview of Device Administration, page 4-2
Password-Based Network Access, page 4-5
Certificate-Based Network Access, page4-9
Agentless Network Access, page 4-12
VPN Remote Network Access, page4-20
ACS and Cisco Security Group Access, page 4-23
RADIUS and TACACS+ Proxy Requests, page4-29
Overview of Device Administration
Device administration allows ACS to control and audit the administration operat ions performed on
network devices, by using these methods:
Session administration—A session authorization request to a network device elicits an ACS
response. The response includes a token that is interpreted by the network device which limits the
commands that may be executed for the duration of a session. See Session Administration, page4-3.
Command authorization—When an administrator issues operationa l commands on a network
device, ACS is queried to determine whether the administrator is authorized to issue the command.
See Command Authorization, page 4-4.
Device administration results can be shell profiles or command sets.
Shell profiles allow a selection of attributes to be returned in the response to the authorization request
for a session, with privilege level as the most commonly used attribute. Shell profiles contain common
attributes that are used for shell access sessions and user-defined attributes that are used for other types
of sessions.
ACS 5.4 allows you to create custom TACACS+ authorization services and attributes. You can define:
Any A-V pairs for these attributes.
The attributes as either optional or mandatory.
Multiple A-V pairs with the same name (multipart attributes).
ACS also supports task-specific predefined shell attributes. Using the TACACS+ shell profile, you can
specify custom attributes to be returned in the shell authorization response. See TACACS+ Custom
Services and Attributes, page 4-5.
Command sets define the set of commands, and command arguments, that are permitted or denied. The
received command, for which authorization is requested, is compared against commands in the available
command sets that are contained in the authorization results.