Access Control and Identity Management
In networks, the archetypal control is access control. When a subject (the active entity, such as
a user, workstation, program, IP address, and so on) wants to access an object (the passive
entity, such as an Ethernet VLAN, file, server, Internet, and so on), a security policy is
checked and enforced.
Access control can be as simple as a Cisco IOS access control list (ACL), or it can be more
complex and based on the user's identity. (For more information on access control, see
Chapter 17, "Identity-Based Networking Services with 802.1X.")
Identity management relies on identification, authentication, authorization, and audit:
• Identification. Simply the name of a subject (such as a Microsoft Active Directory
username or an IP address).
• Authentication. Proof of the identity, usually done with the help of credentials
(such as a password). Identification without authentication is of little value.
• Authorization. Set of allowed access rights (that is, which subjects can access
which objects). ACLs are primarily used in networks for authorization.
• Audit (also called accounting). Record of accesses and actions done by the subjects that
enables the analysis of a given sequence of events. The main interest is for
forensics. The logging of event messages to servers with protocols, like syslog, is
often used in networks for auditing.
Here is a simplified view of these four steps:
Step 1 Identification. Who are you?
Step 2 Authentication. Prove it.
Step 3 Authorization. What can you do?
Step 4 Audit. What have you done?
In networking, it is common to confuse identification with authentication, such as using a
packet's IP address (which is simply an identity) and trusting this IP address as if it was
authenticated (that is, as if actual proof was given that the IP address really sent this packet).
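The four steps above, and the identification-versus-authentication confusion just described, as an added example that is not part of the book. It models a subject asking for an action on an object: the name is looked up (identification), a password is verified against a stored hash (authentication), an ACL-style policy is consulted (authorization), and every decision is written to an audit record. The subjects, passwords, objects, policy entries, and the static salt are all constructed for the example; the last function shows what goes wrong when a source IP address is mapped straight to a user without the authentication step.

```python
"""
Added example (not the book's code): a minimal model of identification,
authentication, authorization and audit for a subject requesting access
to an object. All subjects, credentials, objects and policy entries are
constructed sample data.
"""
import hashlib
import hmac

_SALT = b"constructed-static-salt"   # fixed so the example is deterministic


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow password hash for the credential store (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Credential store: username -> (salt, password hash). Constructed data.
CREDENTIALS = {
    "alice": (_SALT, _pbkdf2("correct horse", _SALT)),
    "bob": (_SALT, _pbkdf2("hunter2", _SALT)),
}

# Authorization policy in ACL style: (subject, object) -> allowed actions.
POLICY = {
    ("alice", "vlan10"): {"read", "write"},
    ("alice", "server1"): {"read"},
    ("bob", "vlan10"): {"read"},
}

AUDIT_LOG: list = []   # stands in for the syslog server mentioned in the text


def audit(subject: str, obj: str, action: str, outcome: str) -> str:
    """Step 4: record who did what to which object, and the result."""
    entry = f"subject={subject} object={obj} action={action} result={outcome}"
    AUDIT_LOG.append(entry)
    return entry


def identify(subject: str) -> bool:
    """Step 1: is this a name we know? Knowing the name proves nothing yet."""
    return subject in CREDENTIALS


def authenticate(subject: str, password: str) -> bool:
    """Step 2: prove it, by checking a credential (constant-time compare)."""
    if subject not in CREDENTIALS:
        return False
    salt, stored = CREDENTIALS[subject]
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def authorize(subject: str, obj: str, action: str) -> bool:
    """Step 3: what may this authenticated subject do with the object?"""
    return action in POLICY.get((subject, obj), set())


def request_access(subject: str, password: str, obj: str, action: str) -> str:
    """Full flow. Returns the audit entry, ending in 'allow' or a denial reason."""
    if not identify(subject):
        return audit(subject, obj, action, "deny:unknown-subject")
    if not authenticate(subject, password):
        return audit(subject, obj, action, "deny:authentication-failed")
    if not authorize(subject, obj, action):
        return audit(subject, obj, action, "deny:not-authorized")
    return audit(subject, obj, action, "allow")


def request_by_ip_only(src_ip: str, obj: str, action: str, ip_to_user: dict) -> str:
    """The anti-pattern from the text: an IP address is an identity, not an
    authentication. Mapping it straight to a user skips step 2, so whoever
    can send packets with that source address inherits the user's rights."""
    subject = ip_to_user.get(src_ip, src_ip)
    if not authorize(subject, obj, action):
        return audit(subject, obj, action, "deny:not-authorized")
    return audit(subject, obj, action, "allow:unauthenticated-ip-trust")


if __name__ == "__main__":
    request_access("alice", "correct horse", "vlan10", "write")
    request_access("alice", "wrong password", "vlan10", "write")
    request_access("bob", "hunter2", "vlan10", "write")
    request_access("mallory", "anything", "vlan10", "read")
    request_by_ip_only("10.0.0.5", "vlan10", "write", {"10.0.0.5": "alice"})
    for line in AUDIT_LOG:
        print(line)
```

Note that `request_by_ip_only` never calls `authenticate`: the decision rests entirely on the source address, which any host on the segment can forge. That is exactly the gap the book points at, and the audit trail would attribute the forged request to alice.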
Identity management is often centralized on a dedicated server called an authentication
server. Network devices use the RADIUS or TACACS+ protocols to securely communicate
with the authentication server, as Figure 1-3 shows.
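To show what the device-to-server exchange looks like on the wire, here is an added example (not code from the book) of how a network device hides the User-Password attribute inside a RADIUS Access-Request, following the method in RFC 2865 section 5.2, and how the authentication server reverses it using the shared secret and the Request Authenticator from the packet header. The shared secret, username, password, NAS address and the fixed authenticator used in the test are constructed for the example.

```python
"""
Added example (not the book's code): RFC 2865 User-Password hiding in a
RADIUS Access-Request. Only the User-Password attribute is obscured, using
MD5 keyed with the shared secret; the rest of the packet travels in the
clear. All packet contents below are constructed sample data.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with nulls to a multiple of 16, then for each block
    c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream chain, XOR back, then strip the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """What the network device (NAS) sends to the authentication server."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def packet_length(packet: bytes) -> int:
    """Length field from the header (octets 2-3, network byte order)."""
    return int.from_bytes(packet[2:4], "big")


def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """What the authentication server does: take the Request Authenticator
    from the header and undo the hiding with its copy of the shared secret."""
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    return reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse", b"testing123", "10.0.0.1")
    print(pkt.hex())
    print(server_recover_password(pkt, b"testing123"))
```

Two things worth noticing from the packet bytes: the User-Name and NAS-IP-Address attributes are readable as-is, and only the User-Password is transformed, which is why a strong shared secret matters and why TACACS+, which encrypts the whole packet body, is often preferred for device administration.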
Figure 1-3 Centralized Authentication Server (network devices reach a central authentication server over RADIUS or TACACS+)