Cisco 3.3 User Manual

Chapter 2 Deployment Considerations

Basic Deployment Factors for Cisco Secure ACS

2-16

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

The type of access is also an important consideration. If there are to be different
administrative access levels to the AAA clients, or if a subset of administrators is
to be limited to certain systems, Cisco Secure ACS can be used with command
authorization per network device to restrict network administrators as necessary.
Using local authentication restricts the administrative access policy to no login on
a device or using privilege levels to control access. Controlling access by means
of privilege levels is cumbersome and not very scalable. This requires that the
privilege levels of specific commands are altered on the AAA client device and
specific privilege levels are defined for the user login. It is also very easy to create
more problems by editing command privilege levels. Using command
authorization on Cisco Secure ACS does not require that you alter the privilege
level of controlled commands. The AAA client sends the command to
Cisco Secure ACS to be parsed and Cisco Secure ACS determines whether the
administrator has permission to use the command. The use of AAA allows
authentication on any AAA client to any user on Cisco Secure ACS and limits
access to these devices on a per-AAA client basis.

A small network with a small number of network devices may require only one or
two individuals to administer it. Local authentication on the device is usually
sufficient. If you require more granular control than that which authentication can
provide, some means of authorization is necessary. As discussed earlier,
controlling access using privilege levels can be cumbersome. Cisco Secure ACS
reduces this problem.

In large enterprise networks, with many devices to administer, the use of
Cisco Secure ACS becomes a practical necessity. Because administration of many
devices requires a larger number of network administrators, with varying levels of
access, the use of local control is simply not a viable way of keeping track of
network device configuration changes required when changing administrators or
devices. The use of network management tools, such as CiscoWorks 2000, helps
to ease this burden, but maintaining security is still an issue. Because
Cisco Secure ACS can comfortably handle up to 100,000 users, the number of
network administrators that Cisco Secure ACS supports is rarely an issue. If there
is a large remote access population using RADIUS for AAA support, the
corporate IT team should consider separate TACACS+ authentication using
Cisco Secure ACS for the administrative team. This would isolate the general user
population from the administrative team and reduce the likelihood of inadvertent
access to network devices. If this is not a suitable solution, using TACACS+ for
administrative (shell/exec) logins, and RADIUS for remote network access,
provides sufficient security for the network devices.