SolutionBase: Understanding the critical role of Cisco's Access Control Server in Cisco NAC

The Cisco ACS server is a vital part of Cisco's NAC solution. Besides being a Cisco NAC AAA server, Cisco ACS also performs AAA for wireless LAN devices, dial-up users, VPN users, and more. David Davis explains the role of the Cisco ACS server as part of its NAC solution.

Typically, you only hear about the importance of the Cisco ACS server for VPN and dial-up authentication, authorization, and accounting. However, today the Cisco ACS server is being used as the central posture server when implementing Cisco's Network Access Control (CNAC). Let's discuss the role ACS plays in NAC.

What is the Cisco ACS Server?

It's the job of Cisco Secure Access Control Server (ACS) to offer authentication, accounting, and authorization services to network devices. It includes routers, switches, Cisco PIX firewalls, and network access servers. Cisco Secure Access Control Server supports two major AAA protocols; namely, TACACS+ and RADIUS. Figure A shows an example of how Cisco ACS plays a role in the typical network for wireless network authentication.

Figure A

Cisco ACS can work with wireless network authentication.

Cisco ACS not only centralizes authentication (who you are) but also authorization (what you can access) and accounting (the logging of what when you logged in and out, as well as what you were granted access to). Traditionally, this was just needed for dial-up users over modem phone lines; later, for Internet VPN users. However, beginning with ACS version 4.0, Cisco ACS is performing the same authentication, authorization, and accounting functions for networks that are NAC-enabled.

You can obtain Cisco ACS in either a Windows version or an appliance version. The appliance version is called the Cisco ACS Solution Engine. The UNIX version of Cisco ACS has been discontinued.

What is a posture validation server?

When learning about and implementing Cisco NAC, there are some new terms that you must learn. One of many such terms is the posture validation server. Exactly what is this? The short answer is that Cisco ACS is the posture validation server.

Cisco Secure Access Control Server plays a prominent role in Cisco NAC as a policy decision point. Generally speaking, Cisco Secure Access Control Server connects with the Cisco Trust Agent to build much of the NAC framework. The Cisco Secure Access Control Server judges the state or health of the host. Additionally, you have a choice of downloading access lists and VLAN assignment to the NAD, to control the PC host.

The best part about Cisco Secure Access Control Server is that it also implements security policy verification of host credentials. This, in turn, enforces policy items like antivirus signature file version and OS patch level. You can extend the Cisco Secure Access Control Server policies by forwarding credentials to third-party servers.

There are some who believe the performance of the Cisco ACS server needs to be increased in order to support Cisco NAC; generally, this is not true. While Cisco ACS plays an important role in the Cisco NAC equation, it can do this for many thousands of users without a lot of horsepower.

To see what the Cisco ACS Web console looks like, check out Figure B.

Figure B

The Cisco ACS Web console.

Figure C shows Cisco NAC and how ACS plays a role.

Figure C

In this diagram, ACS is the Cisco Policy Server.

What are profiles and postures?

Cisco's NAC relies on the RADIUS authorization protocol to communicate the authorization information to ACS. The RADIUS request will contain VSAs, or vendor specific attributes. Back on the ACS server, there will be a NAP (network access profile) that determines what to do with the RADIUS request. That is because the ACS server is probably not only authenticating NAC hosts and NADs, but also VPN clients and other RADIUS clients.

Next, the ACS Server checks the authentication credentials against its own internal database, or Microsoft Active Directory (AD), for example. After that, the Type Length Value (TLV) and posture of the host requesting accesses is checked against the posture validation rules. These posture validation rules are a series of polices with multiple rules inside each policy. The decision that the ACS server makes about the posture of the PC host is made on a first-match basis. This means the NAC administrator must write the rules in a way that the most common rule is matched first. Usually, the first rule is that the client be healthy and is allowed access to the network.

Optionally, the ACS server can send the credentials off to a third-party posture validation server. This is primarily because the third-party validation server can have other types of validations and features that ACS does not support. For example, the Trend Micro OfficeScan solution works with Cisco ACS and the NAC framework to check a user's posture when it comes to the state of that user's antivirus client. Is that AV client up-to-date? Another similar solution is the McAfee Policy Enforcer.

What are audit servers?

While Cisco ACS can do auditing and logging of certain user activities, there are also third-party audit servers that are compatible with the NAC framework, such as the Qualsys Appliance, McAfee Policy Enforcer, and Altiris.

What's the downside to using Cisco ACS?

If you implement Cisco NAC, you are basically choosing to implement Cisco ACS as well. With that, there are some downsides that you should consider:

  • You'll most likely want to implement 802.1X. This can be complex and will require some user training.
  • You'll need Cisco routers and switches.
  • You'll have to use Cisco RADIUS for authentication and the Cisco ACS server as your authentication server.
  • The Cisco ACS server cannot protect itself from being attacked or from having malicious code loaded on it. Therefore, you must be very careful to apply Windows security patches and use a host-based firewall on the ACS Server.

In conclusion

The Cisco ACS server is a critical part of Cisco's NAC solution. With the help of Cisco Secure Access Control Server, you can decide who can login to the network based on their credentials. From there, you can decide if that device is healthy enough to be on the network: Do they have all the right patches, antivirus updates, and firewall settings? In addition, you can assign a different set of privileges to each user in the network. Finally, you can audit that user's activity of logging in and out of the network. Besides being a Cisco NAC AAA server, Cisco ACS also performs AAA for wireless LAN devices, dial-up users, VPN users, and more.