Chapter 2 Deploying Cisco Secure ACS
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0

Network Speed and Reliability

Network speed, also referred to as network latency, and network reliability are
also important factors in how Cisco Secure ACS is deployed. Delays in
authentication can result in timeouts at the end user's client side or the AAA
client.

The general rule for large, extended networks, such as a globally dispersed
corporation, is to have at least one Cisco Secure ACS deployed in each region.
This may not be adequate without a reliable, high-speed connection between sites.
Many corporations are now using secure VPN connections between sites, using
the Internet to provide the link. This saves time and money, but does not provide
the speed and reliability that a dedicated frame relay or T1 link would provide. If
authentication is critical to maintaining business functionality, as in the case
of a store having cash registers linked via a wireless LAN, the loss of the WAN
connection to a remote Cisco Secure ACS could be catastrophic.

The same issue applies to an external database used by Cisco Secure ACS.
The database should be deployed close enough to the Cisco Secure ACS
installation to ensure reliable and timely access. Using a local
Cisco Secure ACS with a remote database can result in the same problems as
using a remote Cisco Secure ACS. Another possible problem in this scenario is
that a user may experience timeout problems. The AAA client would be able to
contact Cisco Secure ACS, but Cisco Secure ACS would wait for a reply from the
external user database that might be delayed or never arrive. If the
Cisco Secure ACS were remote, the AAA client would time out and try an
alternative method to authenticate the user, but with a local Cisco Secure ACS
and a remote database, it is likely the end-user client would time out first.

Suggested Deployment Sequence

While there is no single, one-size-fits-all process for all Cisco Secure ACS
deployments, you should consider following the sequence, keyed to the high-level
functions represented in the navigation toolbar. Also bear in mind that many of
these deployment activities are iterative in nature; you may find that you
repeatedly return to such tasks as interface configuration as your deployment
proceeds.