Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss AAA with Cisco expert Jeremy Stieglitz. Jeremy is a Product Line Manager for Cisco Secure ACS, Cisco's high performance, high scale user authentication and access control framework. Feel free to post any questions relating to AAA.
Jeremy may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 6. Visit this forum often to view responses to your questions and the questions of other community members.
Yes, historically, this was very much true. PKI as a technology was not widely adopted in some applications because of the computational requirements of performing complex, public-key operations in firmware, or constrained hardware devices. However, as computer processing and computer memory speeds improve in performance/cost over time, this barrier is removed for more and more application spaces. In fact, in just the last few years alone, PKI is starting to penetrate new markets such as voice and wireless because the cost of processing and memory power has come down enough to handle the computing requirements of PKI.
Popular question, yet rarely answered in detail:
Can you use xauth and RADIUS to authenticate IPsec users to the PIX?
I think the answer is yes.
If so, and if I want to authenticate against my Win2k or NT user database, can I use Win2k IAS or do I have to buy Cisco Secure ACS for NT 2.6?
And, if I do have to use Secure ACS, where can I get the eval that is mentioned at:
You can use Microsoft IAS, Cisco Secure ACS, Merit, etc. or any RADIUS RFC compliant server that can parse Cisco's device AV pairs. I know that this was tested with ACS, I am not sure whether it was tested/supported with IAS or not. Detailed documentation for setting this up can be found at:
http://www.cisco.com/warp/customer/110/pixcryaaa52.html (make sure that you paste the entire URL.)
The ACS v2.6 Eval will be posted to www.cisco.com/go/acs in the coming weeks. (Still working on it.) In the meantime, you can email me directly at email@example.com if you need the eval asap and I can work out download/email/ftp arrangements with you.
Product Line Manager, Cisco Secure ACS
I'm trying to use Microsoft IAS on NT Server with a 2511 router using RADIUS and AAA for authentication. I can't get the server to authenticate the username and password. My AAA/RADIUS config on the router is right out of the Cisco web page. Any known problems using Microsoft IAS?
In general, performance measurements are a bit tricky because the RADIUS or TACACS+ service of ACS is affected by a wide range of variables and constraints.
- Performance and memory of ACS server installation
- Type of authentication (PAP, CHAP, MD5CHAP, OTP)
- Type of user profile (authorization complexity, group memberships, etc.)
- Degree of accounting
- Type of access server specific attributes (VSA handling)
- Type of user store (native, Win2k, NT, Active Directory, LDAP, ODBC, SQL, NDS, etc.)
- Nature of access community (once per day (broadband VPN), once per five minutes (Aironet with rekeying))
- Network latency
- NAS latency
In general, we recommend running the ACS for Windows server on AT LEAST a Pentium II class server with 256 MB of RAM. In general, each ACS server can support up to an 80,000-100,000 user limit, depending on the backend data store. We do have some very large enterprises, with 250,000-500,000 users, and they tend to spread this workload across 8-20 ACS server installations with data replication and/or use of a high-scale data backend such as Oracle or an LDAP directory model.
This should be no problem whatsoever. Check out: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/usergd26/ch2.htm#xtocid129825
for sample configurations of ACE Server in dialup scenarios.
I am using AceServer on an AIX 4.3.3 platform, and do not have a TACACS+ server. From the above documentation it seems that SecurID will work only if I have a TACACS+ server?
I could not find anywhere in the AS5350 a place to specify a location to point to the aceserver for authentication. Only options are PAP/CHAP.
The Cisco ACS RADIUS and TACACS+ servers are available on both UNIX and Windows. Both versions of ACS support AceServer using RADIUS or TACACS+.
Did you see:
AAA authorisation configuration question:
I have a 3640 with a PRI and digital modems which is used for WAN backup, analog and ISDN remote access. All access is authenticated against a CiscoSecure ACS server (v2.4) using TACACS+.
I would like to use aaa authorisation to signal callback settings, IP assignment etc. I briefly tried this with the following command:
aaa authorization network default group tacacs+ local
</gra_replace>
<gr_replace lines="35" cat="clarify" orig="This, however,">
This, however, caused all incoming connections to fail (authorisation failure logged on the ACS server). As the box is heavily used all the time, and I have no way of testing the config in advance, I'm wary of trying this again.
This, however, caused all incoming connections to fail (authorisation failure logged on the ACS server)- as the box is heavily used all the time, and I have no way of testing the config in advance, I'm wary of trying this again.
Authentication and accounting work just fine with similar commands (e.g. "aaa authentication ppp default group tacacs+ local"), so I think I must be missing something fundamental here.
Much more information would be needed. If things work until authorization is turned on, Cisco Secure is misconfigured. Maybe ppp/ip is not checked. Maybe ppp/lcp. Maybe multilink is not. The current NAS configuration and the following debug outputs would be extremely helpful:
debug aaa authorization
debug ppp negotiation
Here are a couple of useful URLs; although they are for CS_ACS v2.6, they should still apply to v2.4:
You should also configure the appropriate TACACS+ callback attributes within CS_ACS:
Lastly, all you really need on the NAS is "ppp callback accept" under the interface(s) that will be processing the callback request.
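As an added illustration (not from the original thread or from Cisco's documentation), the NAS-side pieces discussed in this exchange pulled into one IOS configuration; the TACACS+ server address, shared secret and interface name are placeholders.

```cisco
! Added example, not from the original thread. Server address, key and
! interface name are placeholders; adjust them to the local network.
aaa new-model
!
! Authentication, in the form the question says already works:
aaa authentication ppp default group tacacs+ local
!
! Authorization: once enabled, every PPP session is checked against the
! ACS user/group profile. If the ppp/ip and ppp/lcp services (and
! multilink, where used) are not enabled on the ACS side, the NAS gets a
! FAIL back and every incoming call drops at this step, which is the
! symptom described above. Verify the ACS profiles and watch the ACS
! failed-attempts log before enabling this on a busy box.
aaa authorization network default group tacacs+ local
!
! Accounting, for an audit trail of who connected and when
aaa accounting network default start-stop group tacacs+
!
tacacs-server host 192.0.2.10 key PLACEHOLDER_SHARED_SECRET
!
interface Serial1/0:23
 encapsulation ppp
 ppp authentication chap
 ! Lets the NAS honour callback settings returned by TACACS+
 ppp callback accept
!
! When testing, capture these outputs for the case:
!   debug aaa authorization
!   debug ppp negotiation
```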
I am involved with a hub-and-spoke type network. We are using a 7513-MX router as the backbone (core layer) router, 28 3662 routers as distribution layer routers and around 230 1750/1751 routers as access layer routers. We are also providing around 1500 dial-up connections, so we need to configure an AAA server for security. We have an AAA server, but it is giving a lot of problems. What should the configuration be for enabling AAA (TACACS+) on the 7513 router?