Chapter 3 ACS 5.x Policy Model

Access Services

ACS can simultaneously act as a proxy server to multiple external RADIUS and TACACS+ servers. For ACS to act as a proxy server, you must configure a RADIUS or TACACS+ proxy service in ACS. See Configuring General Access Service Properties, page 10-13, for information on how to configure a RADIUS proxy service.

For more information on proxying RADIUS and TACACS+ requests, see RADIUS and TACACS+ Proxy Requests, page 4-29.

Related Topics

Policy Terminology, page 3-3

Types of Policies, page 3-5

Flows for Configuring Services and Policies, page 3-19

Identity Policy

Two primary mechanisms define how requests are authenticated and which source is used to authenticate them:

Password-based—Authentication is performed against a database after the user enters a username and password. Hosts can bypass this authentication by specifying a MAC address (host lookup). However, for identity policy purposes, host lookup is also considered to be password-based.

Certificate-based—A client presents a certificate for authentication of the session. In ACS 5.3, certificate-based authentication occurs when the PEAP-TLS or EAP-TLS protocol is selected.

In addition, databases can be used to retrieve attributes for the principal in the request.

The identity source is one result of the identity policy and can be one of the following types:

Deny Access—Access to the user is denied and no authentication is performed.

Identity Database—Single identity database. When a single identity database is selected as the result of the identity policy, either an external database (LDAP or AD) or an internal database (users or hosts) is selected as the result.

The database selected is used to authenticate the user/host and to retrieve any defined attributes stored for the user/host in the database.

Certificate Authentication Profile—Contains information about the structure and content of the certificate, and specifically maps a certificate attribute to an internal username. For certificate-based authentication, you must select a certificate authentication profile.

For certificate-based requests, the entity that identifies itself with a certificate holds the private key that corresponds to the public key stored in the certificate. The certificate authentication profile extends the basic PKI processing by defining the following:

The certificate attribute used to define the username. You can select a subset of the certificate attributes to populate the username field for the context of the request. The username is then used to identify the user for the remainder of the request, including the identification used in the logs.

The LDAP or AD database to use to verify the revocation status of the certificate. When you select an LDAP or AD database, the certificate stored for the user in that database is retrieved and compared against the certificate presented by the client, which provides additional verification of the client certificate.
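The following Go program is an added illustration of the two profile steps described above; it is not part of the Cisco document and is not ACS code. It maps one certificate attribute to a username and then compares the presented certificate byte-for-byte with the copy stored for that user in the directory. The directory is a map standing in for LDAP/AD, the attribute selectors and function names are hypothetical, and the certificates are self-signed test data generated at run time. Proof that the client holds the private key is left to the EAP-TLS handshake, and CRL/OCSP checking is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical stand-ins for the profile's "certificate attribute" selector.
const (
	AttrCN       = "CN"        // Subject Common Name
	AttrSANEmail = "SAN-Email" // first rfc822Name in subjectAltName
)

// usernameFromCert performs the first profile step: pick one certificate
// attribute and use its value as the username for the rest of the request.
func usernameFromCert(cert *x509.Certificate, attr string) (string, error) {
	switch attr {
	case AttrCN:
		if cert.Subject.CommonName != "" {
			return cert.Subject.CommonName, nil
		}
	case AttrSANEmail:
		if len(cert.EmailAddresses) > 0 {
			return cert.EmailAddresses[0], nil
		}
	default:
		return "", fmt.Errorf("unsupported username attribute %q", attr)
	}
	return "", fmt.Errorf("certificate carries no %s attribute", attr)
}

// binaryCompare performs the second profile step: the certificate stored for
// the mapped user in the directory (a map standing in for LDAP/AD) must be
// byte-identical, in DER form, to the certificate the client presented.
func binaryCompare(presented *x509.Certificate, directory map[string][]byte, username string) error {
	stored, ok := directory[username]
	if !ok {
		return fmt.Errorf("no certificate stored in directory for %q", username)
	}
	if !bytes.Equal(stored, presented.Raw) {
		return errors.New("presented certificate differs from the directory copy")
	}
	return nil
}

// authenticate chains the two steps and returns the username on success.
// Proof of possession of the private key is left to the EAP-TLS handshake.
func authenticate(presented *x509.Certificate, attr string, directory map[string][]byte) (string, error) {
	user, err := usernameFromCert(presented, attr)
	if err != nil {
		return "", err
	}
	if err := binaryCompare(presented, directory, user); err != nil {
		return "", err
	}
	return user, nil
}

// makeCert builds a fresh self-signed client certificate (constructed test
// data; a real deployment would use certificates issued by the enterprise CA).
func makeCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	enrolled, err := makeCert("alice", "alice@example.com")
	if err != nil {
		panic(err)
	}
	directory := map[string][]byte{"alice": enrolled.Raw} // the copy held by LDAP/AD

	fmt.Println(authenticate(enrolled, AttrCN, directory))
	// Same CN, but a different key and signature: the username maps fine,
	// the binary comparison rejects it.
	lookalike, _ := makeCert("alice", "alice@example.com")
	fmt.Println(authenticate(lookalike, AttrCN, directory))
}
```

The second call fails even though the subject matches, which is the value of the directory comparison: a certificate carrying the right username but a different key or issuer is rejected, and only the exact certificate enrolled for the user is accepted.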

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

3-9