Chapter 2 Deploying Cisco Secure ACS
Basic Deployment Factors for Cisco Secure ACS
2-16
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Separation of Administrative and General Users
It is important to keep general network users from accessing network devices.
Even if a general user has no intention of hacking the system, inadvertent
access could easily cause accidental disruption to network access. Separating
general users from administrative users falls into the realm of AAA and
Cisco Secure ACS.
The easiest, and recommended, method to perform such separation is to use
RADIUS for the general remote access user and TACACS+ for the administrative
user. An issue that arises is that an administrator may also require remote network
access, like the general user. If you use Cisco Secure ACS, this poses no problem:
the administrator can have both RADIUS and TACACS+ configurations in
Cisco Secure ACS. Using authorization, RADIUS users can have PPP (or other
network access protocols) set as the permitted protocol, while under TACACS+
only the administrator would be configured to allow shell (exec) access.
For example, if the administrator is dialing into the network as a general user, a
AAA client would use RADIUS as the authenticating/authorizing protocol and
the PPP protocol would be authorized. In turn, if the same administrator remotely
connects to a AAA client to make configuration changes, the AAA client would
use the TACACS+ protocol for authentication/authorization. Because this
administrator is configured on Cisco Secure ACS with permission for shell under
TACACS+, he would be authorized to log in to that device. This does require that
the AAA client have two separate configurations on Cisco Secure ACS, one for
RADIUS and one for TACACS+. An example of a AAA client configuration
under IOS that effectively separates PPP and shell logins follows:
aaa new-model
! AAA servers: TACACS+ for administrative (shell) access, RADIUS for general (PPP) access
tacacs-server host ip-address
tacacs-server key secret-key
radius-server host ip-address
radius-server key secret-key
! Authentication: PPP users against RADIUS; login (shell) users against TACACS+
! with a local fallback; the console uses a separate list that requires no authentication
aaa authentication ppp default group radius
aaa authentication login default group tacacs+ local
aaa authentication login console none
! Authorization: network (PPP) services from RADIUS; exec and level-15 commands
! from TACACS+, falling through to none if no TACACS+ server responds
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
! Local account used by the login list when TACACS+ is unreachable
username user password password
! Bind the console list so console logins are not sent to TACACS+
line con 0
 login authentication console
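As an added example (not from the guide or from Cisco Secure ACS itself), a small Python audit that parses IOS `aaa` method lists and checks the separation described above: the default PPP and network lists should consult RADIUS first, the default login, exec and command lists TACACS+ first, and any default list that ends in `none` is noted because it falls open when no AAA server answers. The sample configuration, the 192.0.2.x server addresses and the key values are constructed.

```python
import re

# Constructed sample modelled on the IOS configuration in this section;
# the 192.0.2.x addresses and "secret-key" are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key secret-key
radius-server host 192.0.2.20
radius-server key secret-key
aaa authentication ppp default group radius
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authorization network default group radius
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
"""
# aaa <authentication|authorization> <service> [level] <list-name> <methods...>
AAA_RE = re.compile(r"^aaa (?:authentication|authorization) "
                    r"(ppp|login|network|exec|commands)(?: \d+)? (\S+) (.+)$")
# Server group each default list should consult first: RADIUS for network
# access (PPP), TACACS+ for shell (exec) and command authorization.
EXPECTED_FIRST = {"ppp": "group radius", "network": "group radius", "login": "group tacacs+",
                  "exec": "group tacacs+", "commands": "group tacacs+"}


def parse_method_lists(config):
    """Map (service, list_name) -> ordered methods, e.g. ['group tacacs+', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            service, name, methods = m.groups()
            # "group radius" is one method; "local" and "none" are single tokens
            lists[(service, name)] = re.findall(r"group \S+|\S+", methods)
    return lists


def audit(config):
    """Return (severity, message) findings; 'error' means the split is broken."""
    findings = []
    for (service, name), methods in parse_method_lists(config).items():
        if name != "default":
            continue  # named lists such as 'console' are bound per line, not audited
        if methods[0] != EXPECTED_FIRST[service]:
            findings.append(("error", f"{service} default uses {methods[0]}, "
                                      f"expected {EXPECTED_FIRST[service]}"))
        if "none" in methods[1:]:
            findings.append(("note", f"{service} default falls back to 'none' "
                                     "when no AAA server answers"))
    return findings
```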