Authentication considerations – Cisco 3.3 User Manual


1-9

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 1 Overview

AAA Server Functions and Concepts

There is a fundamental implicit relationship between authentication and
authorization. The more authorization privileges granted to a user, the stronger the
authentication should be. Cisco Secure ACS supports this relationship by
providing various methods of authentication.

This section contains the following topics:

Authentication Considerations, page 1-9

Authentication and User Databases, page 1-10

Authentication Protocol-Database Compatibility, page 1-10

Passwords, page 1-11

Other Authentication-Related Features, page 1-16

Authentication Considerations

Username and password is the most popular, simplest, and least expensive method
used for authentication. No special equipment is required. This is a popular
method for service providers because of its easy application by the client. The
disadvantage is that this information can be told to someone else, guessed, or
captured. Simple unencrypted username and password is not considered a strong
authentication mechanism but can be sufficient for low authorization or privilege
levels such as Internet access.

To reduce the risk of password capturing on the network, use encryption. Client
and server access control protocols such as TACACS+ and RADIUS encrypt
passwords to prevent them from being captured within a network. However,
TACACS+ and RADIUS operate only between the AAA client and the access
control server. Before that point in the authentication process, unauthorized
persons can obtain clear-text passwords, for example on the link between an
end-user client dialing up over a phone line or an ISDN line and the network
access server that terminates the call, or on a Telnet session between an
end-user client and the hosting device.
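To show what "RADIUS encrypts passwords" means on the AAA client-to-server leg, the following is an added example, not code from the Cisco guide: it implements the RFC 2865 User-Password hiding that a RADIUS client applies before sending an Access-Request, and the reverse step the server performs. The shared secret and Request Authenticator values are constructed for the example.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Client side: c1 = p1 XOR MD5(S + RA), cN = pN XOR MD5(S + c(N-1)).

    This is keystream-style obfuscation keyed by the shared secret, so the
    password never crosses the wire in the clear, but its strength rests
    entirely on the secrecy and quality of the shared secret.
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator
    for block in _blocks(padded):
        keystream = hashlib.md5(shared_secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(block, keystream))
        hidden += cipher
        prev = cipher  # chaining: next block keyed by previous ciphertext
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """Server side: invert the hiding; trailing NUL padding is stripped
    (assumes passwords contain no NUL octets, as in practice)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for block in _blocks(hidden):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")
```

A capture between the AAA client and Cisco Secure ACS therefore yields only the hidden form; the same packet captured on the Telnet or dial-up leg before the AAA client shows the password as typed.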

Network administrators who offer increased levels of security services, and
corporations that want to lessen the chance of intruder access resulting from
password capturing, can use an OTP. Cisco Secure ACS supports several types of
OTP solutions, including PAP for Point-to-Point Protocol (PPP) remote-node
login. Token cards are considered one of the strongest OTP authentication
mechanisms.
