Cisco Systems CSACS3415K9 User Manual
A-2
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix A AAA Protocols
Typical Use Cases
Session Access Requests (Device Administration [TACACS+])
Note
The numbers refer to .
For session request:
1. An administrator logs into a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS uses an identity store to validate the user's credentials.
4. ACS sends a TACACS+ response to the network device that applies the decision. The response includes parameters, such as the privilege level that determines the level of administrator access for the duration of the session.
Command Authorization Requests
Note
The numbers refer to .
For command authorization:
1. An administrator issues a command at a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS optionally uses an identity store to retrieve user attributes for inclusion in policy processing.
4. The TACACS+ response indicates whether the administrator is authorized to issue the command.
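The two TACACS+ flows above (session access with a returned privilege level, and per-command authorization driven by user attributes) are modelled in the following added example. This is illustration code written for this appendix, not Cisco ACS code: the identity store, the group names, the command policy and the sample users are constructed, while the status constants are the ones defined in the TACACS+ specification (RFC 8907). Step 3 of each flow is the identity-store lookup; step 4 is the returned decision.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# TACACS+ status codes from the protocol specification (RFC 8907).
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


@dataclass
class IdentityRecord:
    salt: bytes
    pw_hash: bytes
    privilege: int      # privilege level returned as priv-lvl for the session
    groups: tuple       # groups consulted by the command-authorization policy


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(users):
    """Build a constructed identity store (stand-in for ACS internal users, AD or LDAP)."""
    store = {}
    for name, password, privilege, groups in users:
        salt = os.urandom(16)
        store[name] = IdentityRecord(salt, _hash_pw(password, salt), privilege, tuple(groups))
    return store


# Constructed sample data: two administrators with different privilege levels.
IDENTITY_STORE = make_store([
    ("alice", "correct horse", 15, ("netadmins",)),
    ("bob", "hunter2", 1, ("helpdesk",)),
])
_DUMMY_SALT = os.urandom(16)

# Constructed command policy: the first word of the command must be in the group's list.
COMMAND_POLICY = {
    "netadmins": ("show", "configure", "reload"),
    "helpdesk": ("show",),
}


def session_access(request: dict) -> dict:
    """Steps 3-4 of the session flow: validate credentials, return status plus priv-lvl."""
    rec = IDENTITY_STORE.get(request["user"])
    if rec is None:
        # Hash anyway so unknown and known users take the same time (no enumeration hint).
        _hash_pw(request["password"], _DUMMY_SALT)
        return {"status": TAC_PLUS_AUTHEN_STATUS_FAIL, "reason": "unknown user"}
    candidate = _hash_pw(request["password"], rec.salt)
    if not hmac.compare_digest(candidate, rec.pw_hash):
        return {"status": TAC_PLUS_AUTHEN_STATUS_FAIL, "reason": "bad password"}
    return {"status": TAC_PLUS_AUTHEN_STATUS_PASS, "attrs": {"priv-lvl": rec.privilege}}


def command_authorization(request: dict) -> dict:
    """Steps 3-4 of the command flow: fetch user attributes, decide on the command."""
    rec = IDENTITY_STORE.get(request["user"])
    words = request["cmd"].split()
    if rec is None or not words:
        return {"status": TAC_PLUS_AUTHOR_STATUS_FAIL}
    allowed = any(words[0] in COMMAND_POLICY.get(g, ()) for g in rec.groups)
    status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD if allowed else TAC_PLUS_AUTHOR_STATUS_FAIL
    return {"status": status, "cmd": words[0]}


if __name__ == "__main__":
    print(session_access({"user": "alice", "password": "correct horse"}))
    print(command_authorization({"user": "bob", "cmd": "configure terminal"}))
```

The point worth noticing is the split between the two flows: session access returns a privilege level that the device enforces for the whole session, whereas command authorization is evaluated per command, so a user with a low privilege level can still be granted individual commands by policy, and a user with level 15 can still be denied one.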
Network Access (RADIUS With and Without EAP)
For network access, a host connects to the network device and requests to use network resources. The network device identifies the newly connected host, and, using the RADIUS protocol as a transport mechanism, requests ACS to authenticate and authorize the user.
ACS 5.4 supports the following categories of network access flows, depending on the protocol that is transported over the RADIUS protocol:
• RADIUS-based protocols that do not include EAP:
  – PAP
  – CHAP
  – MSCHAPv1
  – MSCHAPv2
• EAP family of protocols transported over RADIUS, which can be further classified as:
  – Simple EAP protocols that do not use certificates:
    EAP-MD5
    LEAP
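To show what "RADIUS as a transport mechanism" means for the first category, the added example below implements the server-side check for two of the non-EAP methods listed, PAP and CHAP, as a RADIUS server such as ACS would perform it. It is illustration code written for this appendix, not ACS code: the password hiding follows RFC 2865 section 5.2 (User-Password), the CHAP computation follows RFC 1994 (CHAP-Password carries the identifier byte followed by the 16-byte MD5 response), and the shared secret, Request Authenticator, challenge and passwords are constructed values.

```python
import hashlib
import hmac


def pap_hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: how the network device hides User-Password in an Access-Request."""
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk          # each block is chained on the previous ciphertext block
    return hidden


def pap_reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """The server's inverse of pap_hide_password; recovers the cleartext sent by the device."""
    revealed, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        chunk = hidden[i:i + 16]
        revealed += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return revealed.rstrip(b"\x00")


def verify_pap(hidden: bytes, shared_secret: bytes, request_authenticator: bytes,
               stored_password: bytes) -> bool:
    """PAP: the server sees the cleartext, so it can compare against any stored form."""
    revealed = pap_reveal_password(hidden, shared_secret, request_authenticator)
    return hmac.compare_digest(revealed, stored_password)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """CHAP: the server must hold the cleartext password to recompute the response."""
    if len(chap_password_attr) != 17:
        return False
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed values standing in for what the device would put on the wire.
    secret = b"shared-secret-between-NAS-and-ACS"
    req_auth = bytes(range(16))
    hidden = pap_hide_password(b"correct horse", secret, req_auth)
    print("PAP ok:", verify_pap(hidden, secret, req_auth, b"correct horse"))
    challenge = b"\xaa" * 16
    attr = bytes([7]) + chap_response(7, b"hunter2", challenge)
    print("CHAP ok:", verify_chap(attr, challenge, b"hunter2"))
```

The contrast between the two verifiers is the practical reason the protocol choice matters when planning an ACS deployment: PAP delivers the cleartext to the server (protected only by the RADIUS shared secret on the wire), so it can be checked against any identity store; CHAP never sends the password, but the server can only recompute the response if the identity store can give it the cleartext.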