Authorization

Cisco Secure ACS can send user profile policies to a AAA client to determine the network services the user can access. You can configure authorization to give different users and groups different levels of service. For example, standard dialup users might not have the same access privileges as premium customers and users. You can also differentiate by levels of security, access times, and services.

The Cisco Secure ACS access-restrictions feature enables you to permit or deny logins based on time of day and day of week. For example, you could create a group for temporary accounts that can be disabled on specified dates. This would make it possible for a service provider to offer a 14-day free trial. The same authorization could be used to create a temporary account for a consultant with login permission limited to Monday through Friday, 9 a.m. to 5 p.m.

You can restrict users to a service or combination of services such as PPP, ARA, Serial Line Internet Protocol (SLIP), or EXEC. After a service is selected, you can restrict Layer 2 and Layer 3 protocols, such as IP and IPX, and you can apply individual access lists. Access lists on a per-user or per-group basis can restrict users from reaching parts of the network where critical information is stored or prevent them from using certain services, such as FTP or SNMP.

Cisco Secure ACS can provide information to the network device for a specific user to configure a secure tunnel through a public network such as the Internet. The information can be for the access server, such as the home gateway for that user, or for the home gateway router to validate the user at the customer premises. In either case, Cisco Secure ACS can be used for each end of the Virtual Private Dialup Network (VPDN).

Additional authorization-related features of Cisco Secure ACS include the following:

• Group administration of users, with support for up to 500 groups

• The capability to map a user from an external user database to a specific Cisco Secure ACS group

• Restricting access by time of day and day of week

• Support for VoIP, including configurable logging of accounting data

• Disabling an account after a number of failed attempts, specified by the administrator

• Disabling an account on a specific date

• Restricting network access based on remote address caller line identification (CLID) and dialed number identification service (DNIS)

• Per-user and per-group RADIUS or TACACS+ attributes

• Defining usage quotas by duration or total number, based on daily, weekly, or monthly periods
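The time-of-day and day-of-week restrictions, disable-on-date and failed-attempt lockout described above, as an added Python example that is illustrative only and not Cisco Secure ACS's own implementation; the consultant policy, dates and lockout threshold are constructed sample values:

```python
"""Added example: evaluate ACS-style access restrictions for a login request.
Illustrative code, not part of Cisco Secure ACS; all policy values are constructed."""
from dataclasses import dataclass
from datetime import datetime, date, time
from typing import List, Optional, Set, Tuple


@dataclass
class AccessRestriction:
    days: Set[int]   # permitted weekdays, 0=Monday ... 6=Sunday (datetime.weekday())
    start: time      # window start, inclusive
    end: time        # window end, exclusive

    def allows(self, when: datetime) -> bool:
        # Day check applies to the calendar day of the request itself.
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window crosses midnight, e.g. 22:00-06:00: allow late evening or early morning.
        return t >= self.start or t < self.end


@dataclass
class AccountPolicy:
    restrictions: List[AccessRestriction]   # empty list means no time window applies
    disable_on: Optional[date] = None       # account is disabled from this date onward
    max_failed: int = 0                     # 0 disables the failed-attempt lockout
    failed_attempts: int = 0                # counter maintained by the server


def authorize(policy: AccountPolicy, when: datetime) -> Tuple[bool, str]:
    """Return (decision, reason) for a login attempt made at `when`."""
    if policy.disable_on is not None and when.date() >= policy.disable_on:
        return False, "account disabled by date"
    if policy.max_failed and policy.failed_attempts >= policy.max_failed:
        return False, "account disabled after failed attempts"
    if policy.restrictions and not any(r.allows(when) for r in policy.restrictions):
        return False, "outside permitted access window"
    return True, "permitted"


# Constructed sample: consultant allowed Mon-Fri 09:00-17:00, contract ends 2024-03-01
CONSULTANT = AccountPolicy(
    restrictions=[AccessRestriction(days={0, 1, 2, 3, 4}, start=time(9), end=time(17))],
    disable_on=date(2024, 3, 1),
    max_failed=5,
)
```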

In addition to support for standard IETF attributes, Cisco Secure ACS includes support for RADIUS vendor-specific attributes (VSAs). Some of the predefined VSAs in Cisco Secure ACS include Cisco, Ascend, Juniper, Microsoft, and Nortel VSAs.

Cisco Secure ACS also supports up to 10 user-definable VSAs.
