Cisco Transport Manager 9.0 Technical References
3
Cisco Transport Manager Release 9.0 Basic External Authentication
OL-15571-01
Overview
• Grants users access to only the applications to which they are authorized.
• Typically runs on a Windows or Solaris operating system and performs the following security operations:
  – Authentication—Supports a wide range of authentication methods, such as username and password, tokens, authentication forms, and public-key certificates.
  – Authorization—Enforces access control rules established by the policy server administrator. These rules define the operations that are allowed for each protected resource.
  – Administration—Enables you to configure the policy server using the policy server user interface. The administration service of the policy server allows the user interface to record configuration information in the policy store.
CTM Implementation of the SiteMinder Agent
The CTM agent implements the authentication process using the SiteMinder 4.x and 5.x authentication protocols. The CTM agent does not implement the Authorization and Administration processes using the SiteMinder protocols.
SiteMinder agents enable SiteMinder to manage access to applications and content according to predefined security policies.
In a SiteMinder environment, an agent is a network entity that acts as a filter to enforce network access control. An agent monitors requests for resources. If a user requests a protected resource, the agent prompts the user for credentials based on an authentication schema, and sends the credentials to the policy server.
The policy server determines whether to authenticate the user based on the credentials, and whether the user is authorized for the requested resource. The policy server then communicates with the CTM agent, which allows or denies access to the requested resource.
The SiteMinder suite includes the following services, which are not available for the CTM agent:
• Web agents
• Affiliate agents
• Enterprise Java bean (EJB) agents
• Servlet agents
All other agents (including the CTM agent) are considered custom agents that must be created using the agent application program interfaces (APIs). Once created, you can configure custom agents in the policy server user interface.
To connect to the policy server, the CTM server must implement the SiteMinder agent APIs and open a secure connection for all CTM user login requests.
RADIUS Access Servers
An access server is a centralized network server that stores user and credential information. Network devices such as routers, switches, NEs, and software applications request permission from the access server. If a user wants access to a network device, the network device sends an Access-Request to the access server. The access server replies with one of the following responses:
• Access-Accept—The user can log into the network device.
• Access-Reject—User access is denied.
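The Access-Request / Access-Accept / Access-Reject exchange above, carried through as an added example that is not part of the Cisco document: both the network device side (building the request, checking the reply) and the access server side (checking the credential, signing the reply) are implemented per RFC 2865. The shared secret, user database and Request Authenticator are constructed values; the check on the Response Authenticator is what lets a device reject a reply whose code was altered or that came from a server holding a different secret.

```python
import hashlib
import hmac
import struct
# Constructed values for this example; the Cisco document gives none.
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += prev
    return out

def build_access_request(ident, username, password, secret, req_auth):
    """Network device side. req_auth is the 16-byte random Request Authenticator."""
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([USER_NAME, len(username) + 2]) + username
    attrs += bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(data):
    """Type-Length-Value walk; a length below 2 would otherwise loop forever."""
    attrs, i = {}, 0
    while i < len(data):
        if data[i + 1] < 2:
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def access_server_reply(request, secret, users):
    """Access server side: check the credential, reply Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, a = request[4:20], parse_attrs(request[20:length])
    name, hidden = a.get(USER_NAME), a.get(USER_PASSWORD, b"")
    ok = (code == ACCESS_REQUEST and name in users
          and hmac.compare_digest(hide_password(users[name], secret, req_auth), hidden))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def verify_reply(reply, request, secret):
    """Network device side: trust the reply code only if the Response Authenticator matches."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(reply[4:20], expected) else None
```

A real device draws the Request Authenticator from a strong random source for every request; the fixed bytes used here exist only to make the exchange reproducible.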