Cisco Security Appliance version 6.2

The “Foundation Summary” provides a convenient review of many key concepts in this
chapter. If you are already comfortable with the topics in this chapter, this summary can help
you recall a few details. If you just read this chapter, this review should help solidify some
key facts. If you are doing your final preparation before the exam, this summary provides a
convenient way to review the day before the exam.
Authentication, authorization, and accounting are three separate functions performed by
AAA servers to allow access to resources. Each of these functions has a specific goal. If you
are using AAA, then authenticating the user is key. No access is granted if the requestor is
not authenticated. The use of authorization and accounting is dependent on authentication,
but it is not necessary to configure either authorization or accounting for authentication to
function properly. This list defines each of the components of AAA:
■ Authentication—Identifies the entity (user)
■ Authorization—Gives the user access based on his or her profile
■ Accounting—Maintains a record of user access
Cisco Security Appliance version 6.2 can maintain an internal user database for console
authentication and command authorization or connect to an external AAA server. The
Security Appliance supports RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP
authentication technologies. Figure 17-20 shows the steps that the AAA server takes during
the entire AAA process.
Figure 17-20 AAA Server Steps
Step 1: User initiates connection to web server and is prompted for username/password.
Step 2: NAS forwards user information to AAA for authentication.
Step 3: AAA server returns authentication and authorization to NAS.
Step 4: AAA server logs the connection (by user).
Step 5: The firewall allows the connection.
Cisco Secure ACS is available for Windows Server and can be configured for TACACS+ and
RADIUS. The Cisco Secure ACS installation on Windows is an easy, step-by-step wizard
installation.
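The five steps of Figure 17-20 map onto three firewall commands. The PIX 6.2 configuration below is an added example, not taken from the book; it assumes the user sits on the inside interface and connects to an outside web server, and the group tag MYTACACS, the server address 10.1.1.10, and the shared key are invented values.

```text
: Server group (the AAA server in Figure 17-20). Tag, address, and key are
: assumed for this example; TACACS+ is chosen because PIX authorization
: requires it.
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.1.1.10 SharedKey123 timeout 10
: Steps 1 and 2: prompt inside users for a username/password on outbound HTTP
: and forward the credentials to the server group. "0 0 0 0" is shorthand for
: any local host/mask to any foreign host/mask.
aaa authentication include http outbound 0 0 0 0 MYTACACS
: Step 3: enforce the per-user authorization the server returns; this has no
: effect for a user who failed authentication, since no session exists.
aaa authorization include http outbound 0 0 0 0 MYTACACS
: Step 4: send an accounting record, keyed by username, for each connection.
aaa accounting include http outbound 0 0 0 0 MYTACACS
: Step 5 needs no command: once the server answers, the PIX permits the flow.
```

Only the aaa authentication line is required for authentication to work; the authorization and accounting lines can be removed independently without affecting it.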