Authorization – Cisco 3.3 User Manual
Page 57
1-17
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 1 Overview
AAA Server Functions and Concepts
•
Configurable character string stripping from proxied authentication requests
(see
•
Self-signed server certificates (see
Using Self-Signed Certificates,
).
•
Certificate revocation list checking during EAP-TLS authentication (see
Managing Certificate Revocation Lists, page 10-40
Authorization
Authorization determines what a user is allowed to do. Cisco Secure ACS can
send user profile policies to a AAA client to determine the network services the
user can access. You can configure authorization to give different users and
groups different levels of service. For example, standard dial-up users might not
have the same access privileges as premium customers and users. You can also
differentiate by levels of security, access times, and services.
The Cisco Secure ACS access restrictions feature enables you to permit or deny
logins based on time-of-day and day-of-week. For example, you could create a
group for temporary accounts that can be disabled on specified dates. This would
make it possible for a service provider to offer a 30-day free trial. The same
authorization could be used to create a temporary account for a consultant with
login permission limited to Monday through Friday, 9 A.M. to 5 P.M.
You can restrict users to a service or combination of services such as PPP,
AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), or
EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols,
such as IP and IPX, and you can apply individual access lists. Access lists on a
per-user or per-group basis can restrict users from reaching parts of the network
where critical information is stored or prevent them from using certain services
such as File Transfer Protocol (FTP) or Simple Network Management Protocol
(SNMP).
One fast-growing service being offered by service providers and adopted by
corporations is a service authorization for Virtual Private Dial-Up Networks
(VPDNs). Cisco Secure ACS can provide information to the network device for a
specific user to configure a secure tunnel through a public network such as the
Internet. The information can be for the access server (such as the home gateway
for that user) or for the home gateway router to validate the user at the customer
premises. In either case, Cisco Secure ACS can be used for each end of the VPDN.