Cisco Systems 3.3 Manual De Usuario
1-19
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 1 Overview
AAA Server Functions and Concepts
Quotas can be either absolute or based on daily, weekly, or monthly periods. To
grant access to users who have exceeded their quotas, you can reset session quota
counters as needed.
grant access to users who have exceeded their quotas, you can reset session quota
counters as needed.
To support time-based quotas, we recommend enabling accounting update packets
on all AAA clients. If update packets are not enabled, the quota is updated only
when the user logs off and the accounting stop packet is received from the AAA
client. If the AAA client through which the user is accessing your network fails,
the session information is not updated. In the case of multiple sessions, such as
with ISDN, the quota would not be updated until all sessions terminate, which
means that a second channel will be accepted even if the first channel has
exhausted the quota allocated to the user.
on all AAA clients. If update packets are not enabled, the quota is updated only
when the user logs off and the accounting stop packet is received from the AAA
client. If the AAA client through which the user is accessing your network fails,
the session information is not updated. In the case of multiple sessions, such as
with ISDN, the quota would not be updated until all sessions terminate, which
means that a second channel will be accepted even if the first channel has
exhausted the quota allocated to the user.
For more information about usage quotas, see
and
.
Shared Profile Components
Cisco Secure ACS provides a means for specifying authorization profile
components that you can apply to multiple user groups and users. For example,
you may have multiple user groups that have identical network access restrictions.
Rather than configuring the network access restrictions several times, once per
group, you can configure a network access restriction set in the Shared Profile
Components section of the HTML interface, and then configure each group to use
the network access restriction set you created.
components that you can apply to multiple user groups and users. For example,
you may have multiple user groups that have identical network access restrictions.
Rather than configuring the network access restrictions several times, once per
group, you can configure a network access restriction set in the Shared Profile
Components section of the HTML interface, and then configure each group to use
the network access restriction set you created.
For information about the types of shared profile components supported by
Cisco Secure ACS, see
Cisco Secure ACS, see
.
Support for Cisco Device-Management Applications
Cisco Secure ACS supports Cisco device-management applications, such as, by
providing command authorization for network users who are using the
management application to configure managed network devices. Support for
command authorization for management application users is accomplished by
using unique command authorization set types for each management application
configured to use Cisco Secure ACS for authorization.
providing command authorization for network users who are using the
management application to configure managed network devices. Support for
command authorization for management application users is accomplished by
using unique command authorization set types for each management application
configured to use Cisco Secure ACS for authorization.
Cisco Secure ACS uses TACACS+ to communicate with management
applications. For a management application to communicate with Cisco Secure
ACS, the management application must be configured in Cisco Secure ACS as a
applications. For a management application to communicate with Cisco Secure
ACS, the management application must be configured in Cisco Secure ACS as a