Ciscosecure acs and the aaa client, Aaa protocols—tacacs+ and radius, Cisco secure acs and the aaa client – Cisco 3.3 User Manual

Chapter 1 Overview

AAA Server Functions and Concepts

1-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

•

Authorization, page 1-17

•

Accounting, page 1-22

•

Administration, page 1-23

•

Posture Validation, page 1-25

Cisco Secure ACS and the AAA Client

A AAA client is software running on a network device that enables the network
device to defer authentication, authorization, and logging (accounting) of user
sessions to a AAA server. AAA clients must be configured to direct all end-user
client access requests to Cisco Secure ACS for authentication of users and
authorization of service requests. Using the TACACS+ or RADIUS protocol, the
AAA client sends authentication requests to Cisco Secure ACS. Cisco Secure
ACS verifies the username and password using the user databases it is configured
to query. Cisco Secure ACS returns a success or failure response to the AAA
client, which permits or denies user access, based on the response it receives.
When the user authenticates successfully, Cisco Secure ACS sends a set of
authorization attributes to the AAA client. The AAA client then begins
forwarding accounting information to Cisco Secure ACS.

When the user has successfully authenticated, a set of session attributes can be
sent to the AAA client to provide additional security and control of privileges,
otherwise known as authorization. These attributes might include the IP address
pool, access control list, or type of connection (for example, IP, IPX, or Telnet).
More recently, networking vendors are expanding the use of the attribute sets
returned to cover an increasingly wider aspect of user session provisioning.

AAA Protocols—TACACS+ and RADIUS

Cisco Secure ACS can use both the TACACS+ and RADIUS AAA protocols.

Table 1-1

compares the two protocols.