One: ACS Description:
The Secure access control server provides an identity-based, comprehensive access control solution for Cisco Intelligent information Networks. Secure ACS (ACS) is a highly scalable, high-performance access control server that can be run as a centralized radius and tacacs+ server. Cisco Secure ACS combines authentication, user access, and administrator access with policy controls in a centralized identification network solution, thus increasing the flexibility, mobility, security, and user productivity, thereby further enhancing access security. By using a centralized database for all user accounts, Cisco Secure ACS centrally controls all user rights and assigns them to hundreds of or even thousands of access points on the network. For accounting services, Cisco Secure ACS provides specific reporting and monitoring capabilities for the behavior of network users and records each access connection and device configuration change across the network. Cisco Secure ACS supports a wide range of access connections, including wired and wireless LANs, broadband, content, storage, voice on IP (VoIP), firewalls, and VPNs. It is based on Remote Authentication Dial-In User Service (RADIUS)
Two: The RADIUS (Remote authentication Dial in User Service) protocol is defined in the RFC2865 and 2866 of the IETF. RADIUS is a client/server protocol based on UDP. A RADIUS client is a network access server, which is typically a router, switch, or wireless access point. A RADIUS server is typically a monitoring program that runs on UNIX or Windows 2000 servers. The authentication port for the RADIUS protocol is 1812 and the billing port is 1813.
RADIUS's working process:
1, user input user name, password and other information to the client or connect to the NAS;
2. The client or NAS generates an "Access request (Access-request)" Message to the RADIUS server, which includes the user name, password, client (NAS) ID, and the ID of the user access port. The password is encrypted by the MD5 algorithm.
3, RADIUS server to authenticate the user;
4, if the authentication succeeds, the RADIUS server sends the Access packet (ACCESS-ACCEPT) to the client or the NAS, otherwise sends the refusal to add the Access packet (Access-reject);
5. If the client or the NAS receives the allowed access packet, it establishes the connection for the user, authorizes and provides the service to the user, and transfers to 6; If the access packet is received, the user's connection request is rejected and the negotiation process is terminated;
6. The client or the NAS sends the billing request packet to the RADIUS server;
7. The RADIUS server starts billing after receiving the billing request package, and sends back the billing response packet to the client or the NAS;
8, the user disconnected, the client or NAS send stop billing packet to the RADIUS server;
9, the RADIUS server received stop billing, and to the client or NAS loopback billing response packet, complete the user's one-time billing, recording billing information.
Three: Cases:
Unified management of a company, the device's account and password unified to ACS Server management, easy to manage unified management of administrators
Topology Scenario:
Configuration:
One: Install ACS on Windows Server 2003: