User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 4-1

CHAPTER 4

Common Scenarios Using ACS

Network access control is the process of controlling who and what may connect to a network. Traditionally, a
username and password were used to authenticate a user to a network. Nowadays, with rapid technological
advancements, managing network access with a username and a password alone is no longer sufficient.
The ways in which the users can access the network and what they can access have changed considerably.
Hence, you must define complex and dynamic policies to control access to your network.
For example, earlier, a user was granted access to a network and authorized to perform certain actions
based on the group that the user belonged to. Now, in addition to the group that the user belongs to, you
must also consider other factors, such as whether:
• The user is trying to gain access within or outside of work hours.
• The user is attempting to gain access remotely.
• The user has full or restricted access to the services and resources.
Apart from users, you also have devices that attempt to connect to your network.
When users and devices try to connect to your network through network access servers, such as wireless
access points, 802.1x switches, and VPN servers, ACS authenticates and authorizes the request before a
connection is established.
Authentication is the process of verifying the identity of the user or device that attempts to connect to a
network. ACS receives identity proof from the user or device in the form of credentials. There are two
different authentication methods:
• Password-based authentication—The simpler way of authenticating users. The user enters a
username and password. The server looks up the username and password in its internal or
external identity stores and, if they match, grants access to the user. The level of access (authorization)
is defined by the rules and conditions that you have created.
• Certificate-based authentication—ACS supports certificate-based authentication through
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), in which the client
authenticates the server with the server's certificate and the server authenticates the client with the
client's certificate (mutual authentication).
Certificate-based authentication is stronger than password-based authentication, because no
reusable secret is sent over the network, and it is the recommended method where clients can be
provisioned with certificates.
Authorization determines the level of access that is granted to the user or device. The rule-based policy
model in ACS 5.x allows you to define complex conditions in rules. ACS uses a set of rules (policy) to
evaluate an access request and to return a decision.
ACS organizes a sequence of independent policies into an access service, which is used to process an
access request. You can create multiple access services to process different kinds of access requests; for
example, for device administration or network access.
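The rule-based model described above (ordered rule tables that return a result, chained into an access service) can be illustrated with a small policy engine. This is an added example written for this page, not Cisco code and not the ACS configuration syntax; the rule names, the group, time and remote-access conditions, the authorization profile names, and the first-match semantics with a trailing default rule are all assumptions made for the illustration. It evaluates an identity policy and then an authorization policy, stops at the first Deny, and returns the per-policy decision trail, which also shows why rule order matters.

```python
"""Rule-based access policy evaluation in the style of the ACS 5.x model.
Added example, not Cisco code. Rule names, conditions, profile names and
first-match semantics are assumptions for illustration."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """What the NAS forwards for evaluation (simplified, assumed attribute set)."""
    user: str
    groups: frozenset        # identity groups the user belongs to
    auth_method: str         # "password" or "certificate"
    remote: bool             # True when the request arrives through a VPN server
    at: time                 # local time of the access attempt


Condition = Callable[[AccessRequest], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # every condition must hold for the rule to match
    result: str                   # authorization profile name, or "Deny"

    def matches(self, req: AccessRequest) -> bool:
        return all(cond(req) for cond in self.conditions)


class Policy:
    """Ordered rule table: the first matching rule decides; if no rule matches,
    the default result applies (assumed first-match semantics)."""

    def __init__(self, name: str, rules: List[Rule], default: str = "Deny"):
        self.name, self.rules, self.default = name, rules, default

    def evaluate(self, req: AccessRequest) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(req):
                return rule.name, rule.result
        return "Default", self.default


class AccessService:
    """A sequence of independent policies evaluated in order; a Deny from any
    policy ends processing, so later policies never see the request."""

    def __init__(self, name: str, policies: List[Policy]):
        self.name, self.policies = name, policies

    def process(self, req: AccessRequest) -> Dict[str, Tuple[str, str]]:
        decisions: Dict[str, Tuple[str, str]] = {}
        for policy in self.policies:
            rule, result = policy.evaluate(req)
            decisions[policy.name] = (rule, result)
            if result == "Deny":
                break
        return decisions


# Reusable conditions (names assumed).
def in_group(group: str) -> Condition:
    return lambda r: group in r.groups


def work_hours(start: time = time(8), end: time = time(18)) -> Condition:
    return lambda r: start <= r.at < end


def is_remote(r: AccessRequest) -> bool:
    return r.remote


def uses_certificate(r: AccessRequest) -> bool:
    return r.auth_method == "certificate"


# Identity policy: which identity store or method proves the credential.
IDENTITY = Policy("Identity", [
    Rule("Cert-Auth", [uses_certificate], "Certificate Authentication Profile"),
    Rule("Password-Auth", [lambda r: r.auth_method == "password"], "Internal Users"),
])

# Authorization policy: rule order matters. A remote admin with only a password
# misses the first two rules and is caught by the explicit Deny before any
# broader rule can grant access.
AUTHORIZATION = Policy("Authorization", [
    Rule("Admins-Onsite", [in_group("Admins"), lambda r: not is_remote(r)], "Full-Access"),
    Rule("Admins-Remote-Cert", [in_group("Admins"), is_remote, uses_certificate], "Full-Access"),
    Rule("Remote-Password-Deny", [is_remote, lambda r: not uses_certificate(r)], "Deny"),
    Rule("Staff-Work-Hours", [in_group("Staff"), work_hours()], "Restricted-Access"),
])

NETWORK_ACCESS = AccessService("Default Network Access", [IDENTITY, AUTHORIZATION])


def decide(user, groups, auth_method, remote, hour):
    """Run one request through the access service; return the final result and
    the per-policy trail of (matched rule, result)."""
    req = AccessRequest(user, frozenset(groups), auth_method, remote, time(hour))
    trail = NETWORK_ACCESS.process(req)
    final = list(trail.values())[-1][1]
    return final, trail


if __name__ == "__main__":
    # Constructed sample requests, not real accounts.
    for args in [("alice", {"Admins"}, "certificate", True, 22),
                 ("bob", {"Staff"}, "password", False, 10),
                 ("bob", {"Staff"}, "password", False, 20),
                 ("carol", {"Admins"}, "password", True, 10)]:
        print(args[0], "->", decide(*args))
```

Reading the trail is the useful part: the same user can be permitted on site and denied remotely purely because of where a Deny rule sits in the table, which is exactly the kind of ordering mistake to check for when building rule tables.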