Security policy, Administrative access policy – Cisco 3.3 User Manual
Page 91
2-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 2 Deployment Considerations
Basic Deployment Factors for Cisco Secure ACS
Cisco Secure ACS remote access policies provides control by using central
authentication and authorization of remote users. The CiscoSecure user database
maintains all user IDs, passwords, and privileges. Cisco Secure ACS access
policies can be downloaded in the form of ACLs to network access servers such
as the Cisco AS5300 Network Access Server, or by allowing access during
specific periods, or on specific access servers.
Remote access policies are part of overall corporate security policy.
Security Policy
We recommend that every organization that maintains a network develop a
security policy for the organization. The sophistication, nature, and scope of your
security policy directly affect how you deploy Cisco Secure ACS.
For more information about developing and maintaining a comprehensive security
policy, refer to the following documents:
Administrative Access Policy
Managing a network is a matter of scale. Providing a policy for administrative
access to network devices depends directly on the size of the network and the
number of administrators required to maintain the network. Local authentication
on a network device can be performed, but it is not scalable. The use of network
management tools can help in large networks, but if local authentication is used
on each network device, the policy usually consists of a single login on the
network device. This does not promote adequate network device security. Using
Cisco Secure ACS allows a centralized administrator database, and administrators
can be added or deleted at one location. TACACS+ is the recommended AAA
protocol for controlling AAA client administrative access because of its ability to
provide per-command control (command authorization) of AAA client
administrator access to the device. RADIUS is not well suited for this purpose
because of the one-time transfer of authorization information at time of initial
authentication.