Chapter 7
Security Configuration
The access service security paradigm presented in this guide uses the authentication, authorization,
and accounting (AAA) facility. Authentication requires dial-in users to prove they are who they say
they are. Requiring authentication before users can access your network prevents unauthenticated
users from accessing lines on the access server or from connecting through those lines directly to
network resources. You need to secure every access point: a single line that does not require
authentication bypasses the controls on all the others.
Authorization prevents each authenticated user from gaining access to services and devices on the
network that they do not need or are not supposed to access. Accounting records who is connected
and for how long, for billing and other record-keeping purposes. This chapter does not describe how
to configure accounting.
This chapter describes how to configure security using a local database resident on the access server
or using a remote security database for TACACS+ and RADIUS. To understand the concept of local
versus remote authentication, refer to the section “Local Versus Remote Server Authentication” later
in this chapter.
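The following configuration is an added example and is not taken from this guide; it shows the local-versus-remote choice in one place. It assumes the IOS 12.x-style AAA syntax (`group tacacs+`, `username ... secret`); the server addresses 192.0.2.10 and 192.0.2.20, the shared secrets, the user name, and the line ranges are placeholders chosen for illustration and must be replaced with your own.

```cisco
! Added example, not part of this guide. Assumes IOS 12.x-style AAA syntax.
! Addresses, keys, user names and line numbers below are placeholders.
aaa new-model
!
! Local security database: used on its own at a small site, or as the
! fallback for the remote methods configured further down.
username netadmin privilege 15 secret replace-with-a-long-passphrase
!
! Remote security servers. Each key must match the one configured on that server.
tacacs-server host 192.0.2.10 key replace-with-tacacs-secret
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key replace-with-radius-secret
!
! Authentication method lists. IOS moves to the next method only when a
! method returns an error (for example, no server answers), never when a
! server actively rejects the user, so "local" is a fallback, not a bypass.
aaa authentication login default group tacacs+ local
aaa authentication ppp default group radius local
!
! Authorization method lists: what an authenticated user may do after login.
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius local
!
! Apply the lists to every access point: console, virtual terminals, and
! the asynchronous dial-in lines.
line con 0
 login authentication default
line vty 0 4
 login authentication default
line 1 16
 login authentication default
!
! PPP dial-in clients authenticate with CHAP against the "default" ppp list.
interface Group-Async1
 ppp authentication chap default
```

Leaving `local` off the end of a method list means that a server outage locks every administrator out; leaving it on means the local passwords must be as strong as the remote ones, because they are what a user reaches when the server is unreachable.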
Caution: This chapter does not provide an exhaustive security overview. For example, it does not describe
how to configure TACACS, Extended TACACS, Kerberos, or access lists. It presents the most commonly used
security mechanisms to prevent unauthenticated and unauthorized access to network resources through Cisco
access servers. For a comprehensive overview of Cisco security mechanisms, refer to the Security
Configuration Guide.
Specifically, this chapter describes the following:
Local Versus Remote Server Authentication
Configuring Authentication
Configuring Authorization
Security Configuration Examples
Assumptions
This chapter assumes the following:
You know which network protocols you will allow access to your network. For example, you
know if you will be allowing clients to dial in using modems to access IP, IPX, or AppleTalk
networks, or whether clients will be using ISDN to access any of these networks.
You are not an advanced user of the Cisco AAA security facility.