User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B: Authentication in ACS 5.3
Authentication verifies user information to confirm the user's identity. Traditional authentication uses a
name and a fixed password. More secure methods use cryptographic techniques, such as those used
inside the Challenge Handshake Authentication Protocol (CHAP), one-time passwords (OTP), and advanced EAP-based
protocols. ACS supports a variety of these authentication methods.
A fundamental implicit relationship exists between authentication and authorization. The more
authorization privileges granted to a user, the stronger the authentication should be. ACS supports this
relationship by providing various methods of authentication.
Authentication Considerations
Username and password is the most popular, simplest, and least-expensive method of authentication. The
disadvantage is that this information can be told to someone else, guessed, or captured. Simple
unencrypted username and password is not considered a strong authentication mechanism but can be
sufficient for low authorization or privilege levels such as Internet access.
You should use encryption to reduce the risk of password capture on the network. Client and server
access-control protocols such as TACACS+ and RADIUS encrypt passwords to prevent them from being
captured within a network.
However, TACACS+ and RADIUS operate only between the AAA client and ACS. Before this point in
the authentication process, unauthorized persons can obtain clear-text passwords; for example, in the
following setups:
- The communication between an end-user client dialing up over a phone line
- An Integrated Services Digital Network (ISDN) line terminating at a network-access server
- A TELNET session between an end-user client and the hosting device
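To make concrete what "RADIUS encrypts passwords" on the AAA-client-to-ACS hop means, the following added example (not code from the Cisco guide or from ACS) implements the User-Password hiding scheme that RFC 2865 section 5.2 specifies: the password is padded to 16-octet blocks and XORed with an MD5-derived stream keyed by the shared secret and the Request Authenticator. The shared secret and authenticator below are constructed sample values; the example shows that the hiding is only as strong as the shared secret and protects nothing before the AAA client, which is the point of the list above.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Encode a RADIUS User-Password attribute value (RFC 2865, section 5.2).

    Each 16-octet block of the NUL-padded password is XORed with
    MD5(shared_secret + previous ciphertext block); the first block uses the
    16-octet Request Authenticator in place of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Invert radius_hide_password on the server side (ACS holds the same secret)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    # RFC 2865 pads with NULs, so a password cannot itself end in NUL octets.
    return plain.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values: a per-request random authenticator and a demo secret.
    auth = secrets.token_bytes(16)
    hidden = radius_hide_password(b"demo-password", b"constructed-shared-secret", auth)
    print(hidden.hex())  # 16 octets on the wire, not the clear-text password
    print(radius_reveal_password(hidden, b"constructed-shared-secret", auth))
```

Without the shared secret the keystream cannot be recomputed, so the attribute does not reveal the password on the wire; a TELNET or dial-up leg before the AAA client carries it in the clear regardless.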
Authentication and User Databases
ACS supports a variety of user databases. It supports the ACS internal database and several external user
databases, including:
- Windows Active Directory
- LDAP
- RSA SecurID Servers
- RADIUS Identity Servers