Chapter 4 Common Scenarios Using ACS

Overview of Device Administration

Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network services and resources (including devices, such as IP phones, printers, and so on). ACS 5.3 is a policy-based access control system that allows you to create complex policy conditions and helps you to comply with various government regulations.

When you deploy ACS in your network, you must choose an appropriate authentication method that determines access to your network.

This chapter provides guidelines for some of the common scenarios. This chapter contains:

Overview of Device Administration, page 4-2

Password-Based Network Access, page 4-5

Certificate-Based Network Access, page 4-9

Agentless Network Access, page 4-12

VPN Remote Network Access, page 4-20

ACS and Cisco Security Group Access, page 4-23

RADIUS and TACACS+ Proxy Requests, page 4-29

Overview of Device Administration

Device administration allows ACS to control and audit the administration operations performed on network devices, by using these methods:

Session administration—A session authorization request from a network device elicits an ACS response. The response includes a token that the network device interprets to limit the commands that may be executed for the duration of the session. See Session Administration, page 4-3.

Command authorization—When an administrator issues operational commands on a network device, ACS is queried to determine whether the administrator is authorized to issue the command. See Command Authorization, page 4-4.

Device administration results can be shell profiles or command sets.

Shell profiles allow a selection of attributes to be returned in the response to the authorization request for a session, with privilege level as the most commonly used attribute. Shell profiles contain common attributes that are used for shell access sessions and user-defined attributes that are used for other types of sessions.

ACS 5.3 allows you to create custom TACACS+ authorization services and attributes. You can define:

Any A-V pairs for these attributes.

The attributes as either optional or mandatory.

Multiple A-V pairs with the same name (multipart attributes).

ACS also supports task-specific predefined shell attributes. Using the TACACS+ shell profile, you can specify custom attributes to be returned in the shell authorization response. See TACACS+ Custom Services and Attributes, page 4-5.

Command sets define the set of commands, and command arguments, that are permitted or denied. The received command, for which authorization is requested, is compared against commands in the available command sets that are contained in the authorization results.
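The following is an added example, not code from the ACS product or this guide, that models how a received command is checked against command sets before the authorization reply is returned. The rule structure (an ordered list of permit/deny rules, each with a command keyword and a regular expression over the argument string), the default-deny behaviour for a command that matches no rule, the optional "permit unmatched" flag, and the way verdicts from several command sets are combined are all assumptions chosen to illustrate the concept; they are not a description of the ACS implementation.

```python
"""Toy model of TACACS+ command-set authorization (added example, not ACS code).

Assumptions (not taken from the guide):
  * a command set is an ordered list of rules; the first rule whose command
    keyword and argument pattern both match decides for that set;
  * the argument pattern is a regular expression matched against the whole
    argument string (fullmatch), so "version" does not accidentally cover
    "version | include secret";
  * a command that matches no rule in a set yields no verdict from that set,
    unless the set's permit_unmatched flag is on;
  * across the sets returned by policy, an explicit deny wins, then any
    permit; if no set produced a verdict the command is denied (fail closed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    grant: str          # "permit" or "deny"
    command: str        # command keyword, e.g. "show"
    args: str = ".*"    # regex over the full argument string

    def matches(self, command: str, argv: List[str]) -> bool:
        if command != self.command:
            return False
        return re.fullmatch(self.args, " ".join(argv)) is not None


@dataclass
class CommandSet:
    name: str
    rules: List[Rule] = field(default_factory=list)
    permit_unmatched: bool = False  # assumption: "permit any command not listed"

    def evaluate(self, command: str, argv: List[str]) -> Optional[str]:
        """Return "permit", "deny", or None when no rule in this set applies."""
        for rule in self.rules:
            if rule.matches(command, argv):
                return rule.grant
        return "permit" if self.permit_unmatched else None


def authorize(command_line: str, command_sets: List[CommandSet]) -> str:
    """Combine the verdicts of all command sets returned by policy."""
    tokens = command_line.split()
    if not tokens:
        return "deny"                      # nothing to authorize: fail closed
    command, argv = tokens[0], tokens[1:]
    verdicts = [cs.evaluate(command, argv) for cs in command_sets]
    if "deny" in verdicts:
        return "deny"                      # an explicit deny in any set wins
    if "permit" in verdicts:
        return "permit"
    return "deny"                          # no set matched: default deny


# Constructed sample command sets (hypothetical names and rules).
HELPDESK = CommandSet("helpdesk", [
    Rule("permit", "show", r"(version|interfaces.*|ip route)"),
    Rule("deny", "show", r".*"),           # every other "show" is refused
])

NETOPS = CommandSet("netops", [
    Rule("permit", "configure", r"terminal"),
    Rule("deny", "reload", r".*"),         # reload is never allowed here
], permit_unmatched=True)


if __name__ == "__main__":
    for line in ["show version", "show running-config",
                 "configure terminal", "reload"]:
        print(f"{line!r:28} helpdesk={authorize(line, [HELPDESK])} "
              f"helpdesk+netops={authorize(line, [HELPDESK, NETOPS])}")
```

Two design points carry over to a real deployment: the argument pattern is matched against the whole argument string, so a rule meant for `show version` cannot be widened by appending pipes or extra keywords, and an unmatched command is denied rather than permitted unless an administrator has explicitly chosen otherwise for that set.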

User Guide for Cisco Secure Access Control System 5.3

4-2

OL-24201-01
