Description:
Hands-on techniques for enabling authentication, authorization, and accounting
- Understand the security concepts behind the AAA framework
- Learn message formats, communication, and message encryption using the TACACS+ and RADIUS protocols
- Configure and troubleshoot AAA on Cisco routers
- Understand where to position and install the CSACS in your network
- Explore and customize the CSACS interface
- Configure CSACS user accounts, user groups, and shared profile components
- Add AAA clients and manage network connections
- Configure external databases and perform database replication and backup
- Explore the various reports and logs available in CSACS
- Learn how AAA models apply to service provider environments
- Install and configure Cisco Access Registrar
As network infrastructures evolve, it is increasingly important that access
to vital corporate resources is vigilantly monitored and controlled. The Cisco
identity management solutions, including Cisco Secure Access Control Server
(CSACS), address this requirement, enabling security, control, and
administration of the growing population of users that connect to corporate
networks. CSACS, an essential component of the Cisco Identity Based Networking
Services (IBNS) architecture, extends access security by combining
authentication, user and administrator access, and policy control from a
centralized identity-networking framework. This allows greater flexibility and
mobility, increased security, and user productivity gains.
Cisco Access Control Security provides you with the skills needed to
configure authentication, authorization, and accounting (AAA) services on Cisco
devices. Separated into three parts, this book presents hard-to-find
configuration details of centralized identity networking solutions. Part I
provides an overview of the AAA architecture, complete with discussions of
configuring Cisco routers for AAA. Part II addresses enterprise AAA management
with CSACS, including installation, configuration, and management details. Part
III looks at service provider AAA management with Cisco Access Registrar.
Full of detailed overviews, diagrams, and step-by-step instructions for
enabling essential access control solutions, Cisco Access Control
Security is a practical tool that can help enforce assigned access policies
and simplify user management.
"This book manages the rare combination of being highly accurate and
technically astute, while maintaining an easy readability and flow. It is a
great guide for system administrators looking to design or manage a reliable,
scalable, and secure Access Control deployment for any size
organization."
-Jeremy Steiglitz, ACS Group Product Manager, Cisco Systems
This book is part of the Networking Technology Series from Cisco Press, which
offers networking professionals valuable information for constructing efficient
networks, understanding new technologies, and building successful careers.
Table of Contents:
I. AAA OVERVIEW.
1. Authentication, Authorization, and Accounting Overview.
Authentication Overview. Authentication Example.
Authorization Overview. Authorization Example. Accounting Overview. Connection
Accounting. EXEC Accounting. System Accounting. Command Accounting. Resource
Accounting. Accounting Example. Cisco Device Support for AAA. Summary. End
Notes.
2. TACACS+ and RADIUS.
A Brief Overview of TACACS+. A Brief Overview of
RADIUS. TACACS+ in Detail. TACACS+ Communication. TACACS+ Format and Header
Values. Encrypting TACACS+. TACACS+ Operation. TACACS+ and Authorization.
TACACS+ Accounting. RADIUS in Detail. RADIUS Encryption. RADIUS Authentication
and Authorization. RADIUS Accounting. Summary. End Notes.
3. Authentication Configuration on Cisco Routers.
Local Authentication. Method Lists.
Authentication Configurations Using Cisco Secure ACS for Windows Server and
Cisco Secure ACS Solution Engine. Debugging Authentication. Authentication
Command References. Summary.
II. ENTERPRISE AAA AND CISCO SECURE ACCESS CONTROL SERVER.
4. Enterprise Authentication Servers.
Cisco Secure Access Control Server Software and
Versions. Cisco Secure ACS for Windows Server Version 2.1. Cisco Secure ACS for
Windows Server Version 2.3. Cisco Secure ACS for Windows Server Version 2.4 and
2.5. Cisco Secure ACS for Windows Server Version 2.6. Cisco Secure ACS for
Windows Server Version 3.0. Cisco Secure ACS for Windows Server Version 3.1.
Cisco Secure ACS for Windows Server Version 3.2. Cisco Secure Solution Engine.
Summary.
5. Deploying Cisco Secure Access Control Server for Windows Server.
What Is ACS? How to Obtain ACS. Requirements to
Run ACS Version 3.2. Installing ACS. Reinstalling ACS and Using an Existing ACS
Database. Positioning ACS in Your Network. Virtual Private Networks. Wireless
Deployment. Other Deployments. Summary.
6. Getting Familiar with CSACS.
Navigating the HTML Interface. Group Setup.
Shared Profile Components. Network Configuration. System Configuration.
Interface Configuration. Administration Control. External User Database. Reports
and Activity. Online Documentation. Starting Point for Configuring Your Server.
Configuring Your Interface. Advanced Options. Preparing to Add Users. Summary.
7. Configuring User Accounts.
Adding Users to the Database. Adding a New AAA
Client. User Changeable Passwords. Preparing ACS for UCP. Enabling SSL on the
Web Server. Installing the UCP Module. Authenticating Users to a Windows NT/2000
Database. Authentication and Password Options. User Callback and Client IP
Assignment. Advanced Configurations. Configuring Switches. Enable an
Administrative Policy. Summary. End Notes.
8. Configuring User Groups.
Group-Level Configuration of ACS. Configuring
Voice over IP Support. Configuring Time-of-Day Access Settings. PPP Callback
Configuration. Configuring Network Access Restrictions. Configuring the NAR.
Applying a NAR to a User. A Look at Shared Network Access Restrictions. Max
Sessions, Usage Quotas, and Password Aging Rules. Usage Quotas. Password Aging
Rules. IP Assignment and Downloadable ACLs. Downloadable IP ACLs. Using TACACS+
for Group Configuration. Shell Command Authorization Sets. User-Level
Authorization. Summary. End Notes.
9. Managing Network Configurations.
Configuring a Distributed System. Configuring
Network Device Groups. Configuring Proxy Distribution Tables. Using Remote
Accounting. Using Network Device Searches. Creating a Complete Distributed
Network. Client Configuration. Cisco IOS Switches. Cisco Set-Based Switches.
Cisco PIX Firewalls. Cisco 3000 Series VPN Concentrators. Cisco Wireless Access
Points. Troubleshooting Network Configurations. Summary.
10. Configuring Shared Profile Components.
Downloadable ACLs. Creating an ACL. Working with
ACLs After They Are Created. Network Access Restrictions. Working with NARs.
Non-IP-Based NARs. Configuring Network Access Restrictions. Configuration
Details and Tips. Creating a Non-IP-Based NAR. Editing Shared NARs. Deleting a
Shared NAR. Command Authorization Sets. PIX Command Authorization Sets Versus
Shell Command Authorization Sets. Configuration Considerations for Command
Authorization Sets. PIX Firewall Preparation for Command Authorization.
Configuring Shared Profile Components for Command Authorization. Deleting
Command Authorization Sets. Editing Shell Command Authorization Sets.
Configuring the Group Profile. Configuring the User Profile. Testing Command
Authorization. Troubleshooting Extended Configurations. Troubleshooting Existing
Downloadable ACL Configurations. Troubleshooting New NAR Configurations.
Troubleshooting Existing NAR Configurations. Troubleshooting New Command
Authorization Set Configurations. Troubleshooting Existing Command Authorization
Set Configurations. Common Issues of Network Access Restrictions. And Do Not
Forget the Importance of Documentation. Summary.
11. System Configuration.
How Users Interact with Your External Database
Configuration. External Database Configuration. Windows NT/2000. Novell NDS.
Generic LDAP. External ODBC Database. LEAP Proxy RADIUS Server. RADIUS Token
Server. VASCO Token Server. ActivCard Token Server. PassGo Defender Token
Server. CRYPTOCard Token Server. SafeWord Token Server. RSA SecurID Token
Server. Database Group Mappings. Unknown User Policy. Database Replication.
Understanding Database Replication. Replication Versus Backup. Configuring the
Primary Server. Configuring a Secondary Server. Immediate Replication. Backing
Up the Cisco Secure Database. Manual Backups. Scheduled Backups. Canceling a
Scheduled Backup. Recovering ACS from a Backup File. Synchronization of ACS
Devices. Components of Synchronization. accountActions Table. CSDBSync and
accountActions Table Working Together. Preparing for Synchronization. RDBMS
Synchronization Options. Summary. End Notes.
12. Reports and Logging for Windows Server.
ACS Reports. Logging Attributes in ACS Reports.
User-Defined Attributes. Access Device. Network Device Group. Device Command
Set. Filter Information. ExtDB Info. ACS Reports. Accounting Reports. RADIUS
Accounting. VoIP Accounting. Failed Attempts Report. Passed Authentications
Report. Administrative Reports. TACACS+ Administration Report. Logged-In Users
and Disabled Accounts Reports. System Reports. RDBMS Synchronization. Database
Replication. Administration Audit. User Password Changes. ACS Service
Monitoring. Remote Logging with ACS. Configuring the Remote ACS to Send Logging
Information. Disabling Remote Logging. Additional Logs Maintained by ACS.
Configuring Service Log Options. Summary.
13. Exploring TACACS+ Attribute Values.
TACACS+ AV Pairs Overview. Attributes of TACACS+
AV Pairs. acl=. addr=. addr-pool=. autocmd=. callback-dialstring=,
callback-line=, and callback-rotary=. cmd=. cmd-arg=. dns-servers=.
gw-password=. idletime=. inacl#n. inacl=. interface-config#<n>.
ip-addresses=. link-compression=. load-threshold=n. max-links=n. nas-password.
nocallback-verify. noescape=. nohangup=. old-prompts=. outacl=. outacl#n.
pool-def#n. pool-timeout=. ppp-vj-slot-compression=. priv-lvl=. protocol=.
route=. route#n. routing=. rte-ftr-in#n. rte-ftr-out#n. sap-fltr-in#n.
sap-fltr-out#n. sap#n. service=. source-ip=. timeout=. tunnel-id. wins-servers=.
zonelist=. AV Pair Example PPP Network. Applying an ACL to the Dial Interface.
Understanding TACACS+ AV Pairs in the ACS Interface. AV Pair Discussion #2. AV
Pair Discussion #3. AV Pair Discussion #4. AV Pair Discussion #5. Summary.
III. SERVICE PROVIDER AAA AND THE CISCO ACCESS REGISTRAR.
14. Service Provider AAA and the Cisco CNS Access Registrar.
Service Provider (SP) Model. Service Provider
Challenge. Value Added Services. Cisco CNS Access Registrar. Options of AR. AR's
Architecture. Policy Engine. Extension Points. Extension Point Scripting
Examples. Proxy AAA. AAA. Installation Requirements for AR on Solaris 8.
Installing AR. AR's Subdirectories. Configuring Cisco CNS AR. Summary. End
Notes.
15. Configuring the Cisco Access Registrar.
Using aregcmd to Configure AR. Categories of
aregcmd Commands. Object Commands. Property Commands. Server Commands.
Application Commands. Session Management Commands. AR's Server Object Hierarchy.
Configuring the ACE ISP as a Basic Site. Configuring AR's Administrators.
Configuring the RADIUS Server. Checking the System-Level Defaults. Displaying
the UserLists. Working with Users. Displaying and Configuring UserGroups.
Configuring AAA Clients in AR. Configuring Profiles. Validating and Saving Your
Changes to AR. Testing Your Configuration. Troubleshooting Your Configuration
with trace. Summary. End Notes.
IV. APPENDIX.
Appendix A: RADIUS Attribute Tables.