Chapter 4 Common Scenarios Using ACS


TACACS+ Custom Services and Attributes

This topic describes the configuration flow to define TACACS+ custom attributes and services.

Step 1 Create a custom TACACS+ condition that routes a request to the TACACS+ access service. To do this:

a. Go to Policy Elements > Session Conditions > Custom and click Create.

b. Create a custom TACACS+ condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.

Step 2 Create an access service for Device Administration with the TACACS+ shell profile as the result. See Configuring Shell/Command Authorization Policies for Device Administration, page 10-34.

Step 3 Create custom TACACS+ attributes. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23.

Password-Based Network Access

This section contains the following topics:

Overview of Password-Based Network Access, page 4-5

Password-Based Network Access Configuration Flow, page 4-7

For more information about password-based protocols, see Appendix B, “Authentication in ACS 5.3.”

Overview of Password-Based Network Access

The use of a simple, unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.

Encryption reduces the risk of password capture on the network. Client and server access-control protocols, such as RADIUS, encrypt passwords to prevent them from being captured within a network. However, RADIUS operates only between the AAA client and ACS. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords in these scenarios:

Communication from an end-user client dialing up over a phone line

An ISDN line terminating at a network-access server

A Telnet session between an end-user client and the hosting device

ACS supports several authentication methods for authenticating against the identity stores that it supports. For more information about which authentication protocols work with which identity stores, see Authentication Protocol and Identity Store Compatibility, page B-35.

Which password-authentication protocol is used to process a password depends on the version and type of security-control protocol in use (for example, RADIUS) and on the configuration of the AAA client and the end-user client.

You can use different levels of security with ACS concurrently, for different requirements. Password Authentication Protocol (PAP) provides only a very basic level of security, but it is simple and convenient for the client. MSCHAPv2 provides a higher level of security for encrypting passwords sent from an end-user client to the AAA client.
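To make the RADIUS point above concrete, the following is an added example (written for this page, not text from the Cisco guide and not an ACS component): it implements the User-Password hiding from RFC 2865 section 5.2, which is how a AAA client protects a PAP password on the leg between itself and the RADIUS server, and how the server recovers it. The shared secret, Request Authenticator and password are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2), the mechanism a NAS uses
to protect a PAP password on the AAA-client-to-server leg.

Added example; not part of the Cisco ACS user guide.  All secrets, authenticators
and passwords below are constructed sample values.
"""
import hashlib
import secrets


def new_request_authenticator() -> bytes:
    """A NAS must use a fresh, unpredictable 16-octet Request Authenticator per request;
    reusing one lets two hidden passwords be XORed against each other."""
    return secrets.token_bytes(16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password attribute value that the NAS sends to the server.

    The clear-text password is NUL-padded to a multiple of 16 octets.  Each 16-octet
    block is XORed with MD5(secret + previous block); for the first block the
    'previous block' is the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(block, mask))
        out += chunk
        prev = chunk
    return bytes(out)


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password(); this is the step the RADIUS server (ACS) performs."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """NAS -> server round trip with constructed values, plus a shared-secret mismatch."""
    secret = b"constructed-shared-secret"        # constructed; not a real ACS secret
    authenticator = bytes(range(16))               # constructed; a real NAS uses new_request_authenticator()
    password = b"correct horse battery staple"     # constructed; 28 octets -> two 16-octet blocks
    hidden = hide_user_password(password, secret, authenticator)
    recovered = recover_user_password(hidden, secret, authenticator)
    # With a different shared secret the server recovers garbage, so a NAS/ACS secret
    # mismatch surfaces as a failed PAP authentication rather than as an exposed password.
    wrong = recover_user_password(hidden, b"some-other-secret", authenticator)
    return {
        "hidden_len": len(hidden),
        "round_trip_ok": recovered == password,
        "wrong_secret_ok": wrong == password,
    }


if __name__ == "__main__":
    print(demo())
```

The hiding depends entirely on the shared secret, and it covers only the AAA-client-to-ACS leg; the dial-up, ISDN and Telnet legs listed above sit before the NAS applies it, which is why the guide describes them as places where the clear-text password is still exposed.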

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
4-5
