
ASK THE EXPERT- AAA

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss AAA with Cisco expert Jeremy Stieglitz. Jeremy is a Product Line Manager for Cisco Secure ACS, Cisco's high performance, high scale user authentication and access control framework. Feel free to post any questions relating to AAA.

Jeremy may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 6. Visit this forum often to view responses to your questions and the questions of other community members.

14 REPLIES
Bronze

Re: ASK THE EXPERT- AAA

Hi Jeremy-

Does the length of PKI keys make PKI too slow and cumbersome for some applications?

TIA

New Member

Re: ASK THE EXPERT- AAA

Yes, historically, this was very much true. PKI as a technology was not widely adopted in some applications because of the computational requirements of performing complex, public-key operations in firmware, or constrained hardware devices. However, as computer processing and computer memory speeds improve in performance/cost over time, this barrier is removed for more and more application spaces. In fact, in just the last few years alone, PKI is starting to penetrate new markets such as voice and wireless because the cost of processing and memory power has come down enough to handle the computing requirements of PKI.

New Member

Re: ASK THE EXPERT- AAA

Popular question, yet rarely answered in detail:

Can you use xauth and RADIUS to authenticate IPsec users to the PIX?

I think the answer is yes.

If so, and if I want to authenticate against my Win2k or NT user database, can I use Win2k IAS or do I have to buy Cisco Secure ACS for NT 2.6?

And, if I do have to use Secure ACS, where can I get the eval that is mentioned at:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/index.htm

New Member

Re: ASK THE EXPERT- AAA

You can use Microsoft IAS, Cisco Secure ACS, Merit, etc. or any RADIUS RFC compliant server that can parse Cisco's device AV pairs. I know that this was tested with ACS, I am not sure whether it was tested/supported with IAS or not. Detailed documentation for setting this up can be found at:

http://www.cisco.com/warp/customer/110/pixcryaaa52.html (make sure that you paste the entire URL.)

The ACS v2.6 Eval will be posted to www.cisco.com/go/acs in the coming weeks. (Still working on it.) In the meantime, you can email me directly at jeremys@cisco.com if you need the eval asap and I can work out download/email/ftp arrangements with you.

Jeremy

Product Line Manager, Cisco Secure ACS
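As an added illustration of the setup Jeremy confirms above (this is example configuration written for this page, not taken from the thread or from the linked Cisco document), here is the PIX side of RADIUS-backed xauth: a RADIUS server group is defined, then attached to the crypto map as the client-authentication source. The interface name `outside_map`, the inside address 192.0.2.20 and the shared secret are assumed placeholders, and the rest of the IPsec configuration (ISAKMP policy, transform set, access list) is assumed to already exist.

```cisco
! Added example: PIX extended authentication (xauth) against RADIUS.
! Server address, shared secret and crypto map name are assumed placeholders.
!
! RADIUS server group named "RADIUS", reachable through the inside interface.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.20 EXAMPLE-SHARED-SECRET timeout 5
!
! After IKE phase 1 succeeds, prompt the VPN client for a username and
! password and validate them against the "RADIUS" group before phase 2.
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
```

The RADIUS server only needs to answer Access-Accept or Access-Reject for this to work; whether IAS in particular was tested is, as Jeremy notes, a separate question. Keep the shared secret out of change-control diffs and configuration backups that are shared widely, since it is what authenticates the PIX to the RADIUS server.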

New Member

Re: ASK THE EXPERT- AAA

I'm trying to use Microsoft IAS on NT Server and use 2511 router with radius and aaa for authentication. Can't get the server to authenticate username and password. My aaa/radius config on router is right out of cisco webpage. Any known problems using Microsoft IAS?

New Member

Re: ASK THE EXPERT- AAA

I can’t seem to find any data on how many users ACS can handle. I guess what I’m really wondering is if it will scale for enterprise clients?

New Member

Re: ASK THE EXPERT- AAA

In general, performance measurements are a bit tricky because the RADIUS or TACACS+ service of ACS is affected by a wide range of variables and constraints.

- Performance and memory of ACS server installation

- Type of authentication (PAP, CHAP, MD5CHAP, OTP)

- Type of user profile (authorization complexity, group memberships, etc.)

- Degree of accounting

- Type of access server specific attributes (VSA handling)

- Type of user store (native, Win2k, NT, Active Directory, LDAP, ODBC, SQL, NDS, etc.)

- Nature of access community (once per day (broadband VPN), once per five minutes (Aironet with rekeying))

- Network latency

- NAS latency

In general, we recommend running the ACS for Windows server on AT LEAST a Pentium II class server with 256 meg of RAM. In general, each ACS server can support up to an 80,000-100,000 user limit, depending on backend data store. We do have some very large enterprises, with 250,000-500,000 users, and they tend to spread this workload across 8-20 ACS server installations with data replication and/or use of a high scale data backend such as Oracle or LDAP directory model.

New Member

Re: ASK THE EXPERT- AAA

Is it possible to use Securid authentication with a AS5350 box ? If so, can you send me some instructions. We have a AceServer here.

Thanks.

New Member

Re: ASK THE EXPERT- AAA

This should be no problem whatsoever. Check out: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ch2.htm#xtocid129825

for sample configurations of ACE Server in dialup scenarios.

Cheers,

Jeremy

New Member

Re: ASK THE EXPERT- AAA

I am using AceServer on a AIX 4.3.3 platform, and do not have a TACACS+ server. From the above documentation it seems that SecurId will work only if I have a TACACS+ server ??

I could not find anywhere in the AS5350 a place to specify a location to point to the aceserver for authentication. Only options are PAP/CHAP.

New Member

Re: ASK THE EXPERT- AAA

The Cisco ACS RADIUS and TACACS+ servers are available on both UNIX and Windows. Both versions of ACS support AceServer using RADIUS or TACACS+.

Did you see:

FOR UNIX http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/9_token.htm

FOR WINDOWS

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/userdb.htm#xtocid1719626

Jeremy

New Member

Re: ASK THE EXPERT- AAA

AAA authorisation configuration question:

I have a 3640 with a PRI and digital modems which is used for WAN backup, analog and ISDN remote access. All access is authenticated against a CiscoSecure ACS server (v2.4) using TACACS+.

I would like to use aaa authorisation to signal callback settings, IP assignment etc. I briefly tried this with the following command:

aaa authorization network default group tacacs+ local

This, however, caused all incoming connections to fail (authorisation failure logged on the ACS server). As the box is heavily used all the time, and I have no way of testing the config in advance, I'm wary of trying this again.

Authentication and accounting work just fine with similar commands (e.g "aaa authentication ppp default group tacacs+ local"), so I think I must be missing something fundamental here.

New Member

Re: ASK THE EXPERT- AAA

Much more information would be needed. If things work till authorization is turned on, Cisco Secure is misconfigured. Maybe ppp/ip is not checked. Maybe ppp/lcp. Maybe multilink is not. The current NAS configuration and the following debug outputs would be extremely helpful:

debug aaa authorization

debug tacacs

debug ppp negotiation

Here are a couple of useful URLs; although they're for CS_ACS v2.6, they should still apply to v2.4:

IP Assignment:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ch3.htm#xtocid2899043

TACACS+ Settings:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ch3.htm#xtocid2899044

You should also configure the appropriate TACACS+ callback attributes within CS_ACS:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ap_tacac.htm#xtocid55022

Lastly, all you really need on the NAS is "ppp callback accept" under the interface(s) that will be processing the callback request.

Cheers,

jeremy
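To put the pieces of Jeremy's reply together, here is an added example of the NAS side (example configuration written for this page, not the poster's actual config or Cisco's documentation): TACACS+ authentication, authorization and accounting for PPP and exec sessions with a local fallback, plus `ppp callback accept` on the dial-in interface. The server address 192.0.2.10, the shared key, the local username and the interface names are assumed placeholders. The detail that explains the "all connections fail" symptom above: in an IOS method list, the next method (`local`) is consulted only when the TACACS+ server does not answer, not when it answers with a deny. So if the ACS user or group profile does not have the PPP IP (and, for callback or multilink, PPP LCP) service enabled, authorization fails closed for every caller instead of falling through to the local database.

```cisco
! Added example: IOS NAS configuration for TACACS+ AAA on a dial-in router.
! 192.0.2.10, the shared key, the local username and the interface names are
! assumed placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-SECRET
!
! Local account used only when the ACS server is unreachable: a method list
! falls through on "no response", not on a FAIL returned by the server.
username fallback-admin privilege 15 secret CHANGE-ME
!
! Authentication for interactive logins (console/vty) and for PPP peers.
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
!
! Authorization: "network" covers the PPP/IP phase (address assignment,
! callback, per-user ACLs); "exec" covers shell access. The ACS profile must
! have the PPP IP (and LCP, if callback/multilink is used) service enabled,
! otherwise every session is denied here rather than falling back to "local".
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
!
! Accounting: start/stop records per exec session and per PPP session.
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
! Dial-in interface: accept callback requests negotiated in LCP, so the
! callback attributes returned by ACS for the user are honoured.
interface Dialer1
 encapsulation ppp
 ppp authentication chap pap
 ppp callback accept
!
! Remote-management lines use the default method lists declared above.
line vty 0 4
 login authentication default
 authorization exec default
```

Before enabling `aaa authorization network` on a production box, test it with the debugs Jeremy lists (`debug aaa authorization`, `debug tacacs`, `debug ppp negotiation`) against a single test user whose ACS profile has the PPP IP service enabled; a TACACS+ `AUTHOR/FAIL` in the debug output means the server answered and denied, which no amount of `local` fallback will rescue.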

New Member

Re: ASK THE EXPERT- AAA

I am involved with a hub-and-spoke type network. We are using a 7513-MX router as the backbone (core layer) router, 28 nos of 3662 routers as distribution layer routers and around 230 nos of 1750/1751 routers as access layer routers. Then we are providing around 1500 nos of dial-up connections. So, we need to configure an AAA server for security. We have an AAA server. But it is giving a lot of problems. What should be the configuration for enabling AAA (TACACS+) in the 7513 router?
