4-2
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Overview of Device Administration
Cisco Secure Access Control System (ACS) allows you to centrally manage access to your network
services and resources (including devices such as IP phones, printers, and so on). ACS 5.3 is a
policy-based access control system that allows you to create complex policy conditions and helps you
comply with various governmental regulations.
When you deploy ACS in your network, you must choose an appropriate authentication method that
determines access to your network.
This chapter provides guidelines for some of the common scenarios. This chapter contains:
Overview of Device Administration, page 4-2
Password-Based Network Access, page 4-5
Certificate-Based Network Access, page 4-9
Agentless Network Access, page 4-12
VPN Remote Network Access, page 4-20
ACS and Cisco Security Group Access, page 4-23
RADIUS and TACACS+ Proxy Requests, page 4-29
Overview of Device Administration
Device administration allows ACS to control and audit the administration operations performed on
network devices, by using these methods:
Session administration—A session authorization request from a network device elicits an ACS
response. The response includes a token that the network device interprets to limit the
commands that may be executed for the duration of the session. See Session Administration, page 4-3.
Command authorization—When an administrator issues operational commands on a network
device, ACS is queried to determine whether the administrator is authorized to issue the command.
See Command Authorization, page 4-4.
Device administration results can be shell profiles or command sets.
Shell profiles allow a selection of attributes to be returned in the response to the authorization request
for a session, with privilege level as the most commonly used attribute. Shell profiles contain common
attributes that are used for shell access sessions and user-defined attributes that are used for other types
of sessions.
ACS 5.3 allows you to create custom TACACS+ authorization services and attributes. You can define:
Any A-V pairs for these attributes.
The attributes as either optional or mandatory.
Multiple A-V pairs with the same name (multipart attributes).
ACS also supports task-specific predefined shell attributes. Using the TACACS+ shell profile, you can
specify custom attributes to be returned in the shell authorization response. See TACACS+ Custom
Services and Attributes, page 4-5.
Command sets define the set of commands, and command arguments, that are permitted or denied. The
received command, for which authorization is requested, is compared against commands in the available
command sets that are contained in the authorization results.
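As an added illustration (not code from the Cisco guide), the following Python models the two device-administration results described above: a shell profile serialised as TACACS+ attribute-value pairs, where "=" marks a mandatory attribute and "*" an optional one and repeated names form a multipart attribute, and a command set evaluated against a received command and its arguments. The ordered first-match rule list with a permit-unmatched default is an assumed simplification for illustration, not ACS's documented evaluation semantics.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ShellProfile:
    """Attributes returned in a TACACS+ shell authorization response."""
    priv_lvl: int
    # Custom attributes as (name, value, mandatory); the same name may
    # appear more than once, which yields a multipart attribute.
    custom: list = field(default_factory=list)

    def av_pairs(self) -> list:
        # TACACS+ encodes "name=value" as mandatory and "name*value" as optional.
        pairs = [f"priv-lvl={self.priv_lvl}"]
        for name, value, mandatory in self.custom:
            pairs.append(f"{name}{'=' if mandatory else '*'}{value}")
        return pairs


def parse_av_pair(pair: str):
    """Split an AV pair on its first '=' or '*'; return (name, value, mandatory)."""
    idx = min((i for i, ch in enumerate(pair) if ch in "=*"), default=-1)
    if idx < 0:
        raise ValueError(f"not a TACACS+ AV pair: {pair!r}")
    return pair[:idx], pair[idx + 1:], pair[idx] == "="


@dataclass
class CommandSet:
    """Ordered (permit, command, argument regex) rules; first match wins.

    permit_unmatched is an assumed default for commands no rule matches.
    """
    rules: list
    permit_unmatched: bool = False

    def authorize(self, command: str, args: str) -> bool:
        for permit, cmd, pattern in self.rules:
            if cmd == command and re.fullmatch(pattern, args):
                return permit
        return self.permit_unmatched


# Constructed sample: a read-only operator profile and its command set.
OPERATOR = ShellProfile(priv_lvl=15, custom=[
    ("cisco-av-pair", "shell:roles=network-operator", True),   # mandatory
    ("cisco-av-pair", "shell:roles=vdc-operator", True),       # multipart
    ("autocmd", "show version", False),                         # optional
])
OPERATOR_COMMANDS = CommandSet(rules=[
    (True, "show", "running-config"),   # permit this exact argument
    (False, "show", "running-config.*"),  # deny piped/extended variants
    (True, "show", ".*"),               # permit any other show command
])
```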