4-5
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Password-Based Network Access
TACACS+ Custom Services and Attributes
This topic describes the configuration flow to define TACACS+ custom attributes and services.
Step 1 Create a custom TACACS+ condition to move to TACACS+ service on request. To do this:
a. Go to Policy Elements > Session Conditions > Custom and click Create.
b. Create a custom TACACS+ condition. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.
Step 2 Create an access service for Device Administration with the TACACS+ shell profile as the result. See Configuring Shell/Command Authorization Policies for Device Administration, page 10-34.
Step 3 Create custom TACACS+ attributes. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23.
Password-Based Network Access
This section contains the following topics:
Overview of Password-Based Network Access, page 4-5
Password-Based Network Access Configuration Flow, page 4-7
For more information about password-based protocols, see Appendix B, “Authentication in ACS 5.3.”
Overview of Password-Based Network Access
The use of a simple, unencrypted username and password is not considered a strong authentication mechanism but can be sufficient for low authorization or privilege levels such as Internet access.
Encryption reduces the risk of password capture on the network. Client and server access-control protocols, such as RADIUS, encrypt passwords to prevent them from being captured within a network. However, RADIUS operates only between the AAA client and ACS. Before this point in the authentication process, unauthorized persons can obtain clear-text passwords in these scenarios:
• The communication between an end-user client dialing up over a phone line
• An ISDN line terminating at a network-access server
• A Telnet session between an end-user client and the hosting device
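The protection the guide attributes to RADIUS is the User-Password hiding of RFC 2865 section 5.2, applied only on the AAA-client-to-ACS hop. The following is an added example, not code from the Cisco ACS guide: it implements that hiding and its reversal, and a small wire_view helper that shows the clear-text client-to-NAS leg beside the hidden NAS-to-ACS leg. The shared secret and the 16-byte Request Authenticator are constructed sample values.

```python
"""RFC 2865 User-Password hiding, as used on the AAA-client-to-ACS hop.

Added example (not from the Cisco ACS guide). The shared secret and the
16-byte Request Authenticator below are constructed sample values.
"""
import hashlib
import secrets

# Constructed sample values; a real deployment uses a long random secret
# and a fresh, unpredictable Request Authenticator for every Access-Request.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def new_request_authenticator() -> bytes:
    """Return a fresh 16-byte Request Authenticator (RFC 2865 section 3)."""
    return secrets.token_bytes(16)


def _xor16(a: bytes, b: bytes) -> bytes:
    """XOR two 16-byte blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP password as a User-Password attribute value (RFC 2865 5.2).

    The password is null-padded to a multiple of 16 bytes. Each 16-byte block
    is XORed with MD5(secret + previous block); for the first block the
    "previous block" is the Request Authenticator, for later blocks it is the
    previous ciphertext block (CBC-style chaining).
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password from a User-Password value (what the AAA server does).

    Trailing padding nulls are stripped, so a password that itself ends in a
    null byte cannot be distinguished from padding (an RFC 2865 limitation).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]  # chain on the ciphertext block, not the plaintext
    return bytes(out).rstrip(b"\x00")


def wire_view(password: bytes, secret: bytes, authenticator: bytes) -> dict:
    """Show what each hop of a PAP login carries, per the guide's description.

    The client-to-NAS leg (Telnet, dial-up, ISDN) carries the password as
    typed; only the NAS-to-ACS RADIUS leg carries the hidden form.
    """
    hidden = hide_user_password(password, secret, authenticator)
    return {
        "client_to_nas": password,  # clear text on this leg
        "nas_to_acs": hidden,       # hidden with the shared secret
        "acs_recovers": reveal_user_password(hidden, secret, authenticator),
    }


if __name__ == "__main__":
    for hop, value in wire_view(b"s3cret", SAMPLE_SECRET, new_request_authenticator()).items():
        print(f"{hop:14s} {value.hex()}")
```

The hiding is keyed only by the shared secret and a per-request authenticator, so the secret's strength and the randomness of the authenticator are what stand between a captured Access-Request and the password; nothing in this scheme protects the client-to-NAS leg.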
ACS supports several authentication methods for authenticating against the identity stores that it supports. For more information about authentication protocol and identity store compatibility, see Authentication Protocol and Identity Store Compatibility, page B-35.
Passwords can be processed by using these password-authentication protocols, depending on the version and type of security-control protocol used (for example, RADIUS) and the configuration of the AAA client and end-user client.
You can use different levels of security with ACS concurrently, for different requirements. Password Authentication Protocol (PAP) provides a very basic level of security, but is simple and convenient for the client. MSCHAPv2 allows a higher level of security for encrypting passwords when communicating from an end-user client to the AAA client.