What's the purpose of ACS? What's the point?

huangedmc · ‎11-25-2008

We just migrated from ACS 4.0 for Windows to ACS 4.2 SE.

I'm wondering why would anyone want to make AAA traffic go through ACS if they could just make it authenticate against Windows AD directly through either LDAP or RADIUS?

Doesn't this create an extra hop and point of failure?

We're in hybrid mode of VPN solutions right now:

We have Cisco 3030 VPN concentrators that go through ACS.

We also have Juniper's SSL VPN 6500's that authenticate against the domain controllers directly.

Both work equally well. (we can define which AD groups are allowed through VPN on the Juniper box)

What's the point of having ACS?

joe19366 · ‎11-25-2008

Authenticating against LDAP or Radius directly is indeed an option for some.

For others that is too buggy and is not fully supported or working for many authentication options... I have just spent a few days working with some configs I drummed up and with TAC to get LDAP authentication working for AD group membership directly to MS active directory via LDAP.

Its buggy and not always certain to say the least.

What you have to realize is often AAA is more than just the first "A" (Authentication).

For command authorization and Accounting you are often forced into a Cisco Secure ACS model.

Many big companies (and smaller ones too) have different command sets available after authentication to different levels of administrators (do you really want your helpdesk guys having the "reload" command on certain routers :)

While you can of course implement a basic policy using local priviledge commands in IOS, there are still many reasons you would want an ACS server.

1. Time is money - how much valuable time are you and your organization going to spend getting things working that come pre-built into ACS (such as NAR, downloadable ACL's)

I dont know about you but about 1 week of my time is worth the price of an ACS server. How many weeks would a Client want to wait for me to script together some things in Freeradius, FreeTacacs or Active directory before we realized it might not be possible to get all the functionality from ACS.

2. ACS decreases complexity required to effect complex policies and changes to an organization - imagine how long it would take to change some command shell sets on 500 routers? Sure you can fire off a script, and see how that goes, but for some this is not an option (try telling your bosses at JP Morgan Chase bank your going to change all their core routers with a shell script and see how long you last there)

In closing LDAP authentication is an emerging option but not a proven one in many Cisco devices/appliances. But like Radius is really just for a Yes/No answer, not a complex set of restrictions and lists of rules applied on the fly.

Of course I'm open to being proven wrong, but I have never seen anyone limit a user to a series of IOS commands using native authorization against RADIUS/LDAP to Active Directory.

-Joe

huangedmc · ‎11-25-2008

Joe,

Sorry for not having clarified it...

Without a doubt we'll continue using ACS to manage AAA for network devices such as routers, firewalls, and switches for the exact same reasons you mentioned.

What I was mainly asking for was for end user access to the network.

Many devices such as VPN or wireless controller don't require complex sets of policies that would need the help of ACS.

Was just curious to know if we should just have those devices authenticate against AD directly instead of going through ACS.