topic AAA & VPN in Network Access Control

AAA & VPN

learnsec — Mon, 11 Mar 2019 03:18:14 GMT

hello,

AAA server is nowadays an essential product on nowadays enterprises to control network equipments, and provides Authentication, Authorisation, and Accounting over all network devices. AAA is part of the management policy.

In parallel, the same server can be used for VPN users.

so do you think each company must ship two ACS servers to the company or we can uses the same server for both services? (but this way the administrators of the ACS server will be the same people so they can grant themselve access to any network equipments)

can i have a clear analysis about this critical issue?

AAA & VPN

Amjad Abdullah — Sat, 13 Apr 2013 07:53:41 GMT

Hello,

You can never prevent a "Full" administrator on a AAA server from providing himself an access. The full privilege admin will be able at any time to create users and get access to whatever network resources that available.
What management can do it to monitor the admin activity reports to see what the admin is diong and there should be a company policy that the admin is not creating any config change on the AAA server without management approval.

Another thing that can be done is role-based administrators. some AAA servers allows you to create an admin user that has access to some of the AAA functionalities, but not all of them. For example, you can create an admin that can do network devices change but can not create or modify users.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: AAA & VPN

learnsec — Sun, 14 Apr 2013 16:24:46 GMT

thx amjad,

in the role-based, can i allow certain ACS administrator(i.e. admin1) to create users and groups for VPN access, but this administrator (adimin1) cannot grant himself access to a certain network device (i.e. firewall A) ?

if this is feasable, then i can have two groups of adinistrators on the ACS, a group can manage the AAA service for network devices management, and another group for managing the users and groups of VPN users.

is this surely feasable through ACS role-based?

and finally, is there anything i can benefit from if i implement two different ACS Servers!!!!!

Re: AAA & VPN

Amjad Abdullah — Mon, 15 Apr 2013 06:41:21 GMT

AFAIK it is not possible to restrict the admin from adding/deleting/modifying users or groups by specific criteria. Once the admin got the privilege to add/remote groups for example then s/he can do that for all groups.

You can have two ACS servers for:
- Redundancy. If one goes down the users can still authenticate via the other one.

- load balancing. If you have large number of users you can load-balance them between two -or more- ACS servers.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: AAA & VPN

learnsec — Mon, 15 Apr 2013 08:21:02 GMT

yes you are right, as having two ACS appliances within the same cluster for redundancy and load balancing is the correct solution. As i cant find any meaning to have two diferrent clusters (4 servers) for two different services, where each cluster (2servers) serve an independent service.

it is not the big deal to allow the network administrator to be granted access to all network devices espcially with accountibility enabled. this is not a constraint.

the right architecture for me is one cluster (containing two acs servers) to do both jobs.

thx amjad

Note: what is "AFAIK"?

AAA & VPN

Amjad Abdullah — Mon, 15 Apr 2013 13:01:41 GMT

I will tell you what AFAIK if you rate my answers above.

kidding, I will tell you. but I really apprecaite if you mark this thread as answered and rate the above answers.

AFAIK = As Far As I Know.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"