User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix A AAA Protocols
Overview of RADIUS
ACS 5.3 as the AAA Server
An AAA server is a server program that handles user requests for access to computer resources and,
for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA
server typically interacts with network access and gateway servers, and with the databases and
directories that contain user information. The current standard by which devices or applications
communicate with an AAA server is RADIUS.
ACS 5.3 functions as an AAA server for one or more network access devices (NADs). The NADs are
clients of the ACS server. You must specify the IP address of ACS on each client NAD so that the NAD
directs user access requests to ACS by using the RADIUS protocol.
RADIUS is widely used to control the access of end users to network resources. A RADIUS server can
also act as a proxy, forwarding requests to other RADIUS servers or to other kinds of authentication
servers.
The NAD serves as the network gatekeeper and sends an Access-Request to ACS on behalf of the user.
ACS verifies the username, password, and possibly other data by using either the internal identity store,
or an externally configured LDAP or Windows Active Directory identity store.
ACS ultimately responds to the NAD with either an Access-Reject message or an Access-Accept
message that contains a set of authorization attributes.
ACS 5.3 implements the RADIUS protocol over UDP transport, including RADIUS packet parsing and
assembly, the necessary validation of packet contents, and tracking of duplicate requests.
RADIUS uses UDP rather than TCP for the following reasons (see RFC 2865):
• A user is willing to wait only a few seconds for authentication. If no reply arrives in that time,
the client simply retransmits the request, or sends it to an alternate server; TCP retransmission
timers are not suited to this.
• The protocol is stateless, so no special handling is required for clients or servers that reboot
or go offline.
• UDP is a connectionless protocol, which keeps both the client and the server implementation simple.
• UDP makes it easy to implement a multithreaded server that serves multiple client requests in
parallel.
The UDP port numbers used for RADIUS are:
• 1812 for authentication (access requests) and 1813 for accounting; these are the officially
assigned ports (RFC 2865 and RFC 2866).
• 1645 for authentication and 1646 for accounting; these are the legacy ports used by early RADIUS
implementations, and many NADs still default to them. ACS must listen on whichever pair the NADs
are configured to send to.
ACS 5.3 is the entry point to the authentication system. ACS listens on specific, configurable UDP
ports. When a datagram arrives from the network:
1. ACS attempts to process the data as a RADIUS client request or as a proxy response packet.
2. ACS verifies that the packet came from a NAD that is registered in its configuration (packets from
unregistered devices are not processed), and then checks whether the packet is a retransmission of a
request already received, so that a duplicate is not processed twice.
3. ACS parses the RADIUS packet and performs the necessary validation of its contents.
4. ACS then passes the data to the appropriate flow for processing.
5. When the system is ready to respond, ACS:
a. Receives the result of the data processing.
b. Creates the corresponding response for the client.
c. Returns the response to the network.
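The exchange described above (NAD sends Access-Request, server validates the packet, checks the source and duplicates, and answers Access-Accept or Access-Reject) as an added worked example. This is not code from the ACS user guide or from Cisco: it is a toy NAD and a toy AAA server written for this page. It assumes PAP, with the User-Password hidden by the MD5 scheme of RFC 2865 section 5.2, a RADIUS shared secret per registered NAD, and constructed user names, passwords, secrets and addresses; the class and function names (ToyAaaServer, pap_password, run_exchange and the rest) are the example's own and do not correspond to anything in ACS.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RADIUS packet Codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6           # attribute Types used here

def encode_attrs(attrs):
    # Type-Length-Value; Length counts the 2-byte header (bytes() raises if a value exceeds 253)
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):                 # truncated or over-long TLV
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def pack(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), auth) + body

def parse(pkt):
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, auth = struct.unpack("!BBH16s", pkt[:20])
    if not 20 <= length <= min(len(pkt), 4096):            # RFC 2865 3: bad Length -> discard
        raise ValueError("bad Length field")
    return code, ident, auth, pkt[20:length]               # octets past Length are padding

def pap_password(data, secret, req_auth, hide=True):
    # RFC 2865 5.2: zero-pad to 16n; XOR block i with MD5(secret + previous *hidden* block)
    data = data + b"\0" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\0")

def response_auth(code, ident, req_auth, body, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

class ToyAaaServer:
    def __init__(self, nads, users):
        self.nads, self.users, self.seen = nads, users, {}  # NAD IP -> secret; user -> password; dup cache

    def handle(self, src_ip, pkt):
        secret = self.nads.get(src_ip)
        if secret is None:
            return None                                    # unregistered NAD: silently discard
        try:
            code, ident, req_auth, body = parse(pkt)
            attrs = dict(decode_attrs(body))
        except ValueError:
            return None                                    # malformed packet: silently discard
        if code != ACCESS_REQUEST:
            return None
        key = (src_ip, ident, req_auth)
        if key in self.seen:                               # retransmission: resend, do not redo auth
            return self.seen[key]
        stored, hidden = self.users.get(attrs.get(USER_NAME)), attrs.get(USER_PASSWORD)
        ok = stored is not None and hidden is not None and hmac.compare_digest(
            pap_password(hidden, secret, req_auth, hide=False), stored)
        out_code, out_attrs = (ACCESS_ACCEPT, [(SERVICE_TYPE, struct.pack("!I", 2))]) if ok else (ACCESS_REJECT, [])
        body = encode_attrs(out_attrs)
        reply = pack(out_code, ident, response_auth(out_code, ident, req_auth, body, secret), out_attrs)
        self.seen[key] = reply
        return reply

def build_access_request(ident, secret, username, password):
    req_auth = os.urandom(16)                              # fresh, unpredictable per request
    attrs = [(USER_NAME, username), (USER_PASSWORD, pap_password(password, secret, req_auth))]
    return req_auth, pack(ACCESS_REQUEST, ident, req_auth, attrs)

def verify_reply(reply, req_auth, secret):
    # NAD side: accept a reply only if its Response Authenticator proves the shared secret
    code, ident, resp_auth, body = parse(reply)
    if not hmac.compare_digest(resp_auth, response_auth(code, ident, req_auth, body, secret)):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong secret")
    return code, dict(decode_attrs(body))

def run_exchange():
    # good login, retransmission, wrong password, unregistered NAD (all constructed data)
    nad, secret = "192.0.2.10", b"s3cr3t-shared"
    srv = ToyAaaServer({nad: secret}, {b"alice": b"correct horse"})
    auth, req = build_access_request(7, secret, b"alice", b"correct horse")
    reply = srv.handle(nad, req)
    code, attrs = verify_reply(reply, auth, secret)
    retransmitted_same = srv.handle(nad, req) == reply     # same ID + authenticator: cached reply
    _, bad = build_access_request(8, secret, b"alice", b"wrong")
    bad_code = parse(srv.handle(nad, bad))[0]
    dropped = srv.handle("198.51.100.9", req)              # not a registered NAD
    return code, attrs[SERVICE_TYPE], retransmitted_same, bad_code, dropped

if __name__ == "__main__":
    print(run_exchange())
```

Three points the code makes concrete: the server discards anything from a source it has no shared secret for before it parses a byte; it keys its duplicate cache on (source, Identifier, Request Authenticator), so a NAD that retransmits after a timeout gets the cached reply rather than a second authentication; and the NAD checks the Response Authenticator, so an Access-Accept injected by a third party who does not hold the secret is rejected. The User-Password hiding only protects the password from a passive observer without the secret; the rest of the datagram is cleartext, which is one reason to keep RADIUS traffic on a management network.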