AAA & VPN

learnsec
Level 1

hello,

An AAA server is nowadays an essential product in enterprises for controlling network equipment, and provides Authentication, Authorization, and Accounting over all network devices. AAA is part of the management policy.

In parallel, the same server can be used for VPN users.

So do you think each company must deploy two ACS servers, or can we use the same server for both services? (But this way the administrators of the ACS server will be the same people, so they can grant themselves access to any network equipment.)

Can I have a clear analysis of this critical issue?


Amjad Abdullah
VIP Alumni

Hello,

You can never prevent a "Full" administrator on an AAA server from granting himself access. The full-privilege admin will be able at any time to create users and get access to whatever network resources are available.
What management can do is monitor the admin activity reports to see what the admin is doing, and there should be a company policy that the admin does not make any config change on the AAA server without management approval.

Another thing that can be done is role-based administrators. Some AAA servers allow you to create an admin user that has access to some of the AAA functionalities, but not all of them. For example, you can create an admin that can make network device changes but cannot create or modify users.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

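The reply above recommends monitoring the admin activity reports and enforcing a change-approval policy. The following script, added here as an example and not code from the original thread or from Cisco ACS, shows what such a review can look like when automated. It assumes a simplified `key=value` audit line format (constructed for this example; real ACS reports use their own layout and would need a different parser) and flags three things: an administrator changing the privileges of his own account, a privilege change with no change-ticket reference, and a device login by an account whose privileges were changed earlier in the same report.

```python
"""Review AAA-server admin activity reports for self-granted access.

Added example. Assumes a constructed audit format of the form
  <timestamp> key=value key=value ...
where admin actions carry admin=, action=, target= and optionally ticket=,
and device logins carry user=, action=device_login, device=, result=.
"""
import re

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")

# Admin actions that change who can authenticate or what they may do.
PRIV_ACTIONS = {"user_create", "user_modify", "group_member_add", "device_authz_change"}

# Constructed sample report: admin1 adds himself to a device-admin group
# without a ticket and then logs in to the firewall.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 admin=admin1 action=user_create target=vpnuser7 group=VPN-Users ticket=CHG-1042",
    "2024-03-01T09:05:00 admin=admin1 action=group_member_add target=admin1 group=NetAdmins",
    "2024-03-01T09:10:00 user=admin1 action=device_login device=firewallA result=success",
    "2024-03-01T09:20:00 user=vpnuser7 action=vpn_login result=success",
]


def parse_line(line):
    """Turn one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def review(lines):
    """Return a list of (timestamp, finding_kind, description) tuples."""
    findings = []
    granted = set()  # (admin, account) pairs: admin changed that account's privileges
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        action = rec.get("action")
        admin = rec.get("admin")
        if admin and action in PRIV_ACTIONS:
            target = rec.get("target")
            if target == admin:
                findings.append((rec["ts"], "SELF_GRANT",
                                 f"{admin} changed own privileges ({action})"))
            if "ticket" not in rec:
                findings.append((rec["ts"], "NO_APPROVAL",
                                 f"{admin} performed {action} without a change ticket"))
            if target:
                granted.add((admin, target))
        elif action == "device_login" and rec.get("result") == "success":
            user = rec.get("user")
            for changer, account in sorted(granted):
                if account == user:
                    findings.append((rec["ts"], "GRANT_THEN_LOGIN",
                                     f"{user} logged in to {rec.get('device')} after "
                                     f"{changer} changed its privileges"))
    return findings


if __name__ == "__main__":
    for ts, kind, desc in review(SAMPLE_LOG):
        print(f"{ts} {kind}: {desc}")
```

Run against the constructed sample, the review reports the self-grant, the missing ticket for that change, and the subsequent login to firewallA; the ticketed creation of the VPN user produces no finding. The point is the correlation: a full admin cannot be stopped from making the change, but the report shows who did it and whether it was approved.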

Thx Amjad,

In the role-based model, can I allow a certain ACS administrator (i.e. admin1) to create users and groups for VPN access, while this administrator (admin1) cannot grant himself access to a certain network device (i.e. firewall A)?

If this is feasible, then I can have two groups of administrators on the ACS: one group can manage the AAA service for network device management, and another group can manage the users and groups of VPN users.

Is this surely feasible through ACS role-based administration?

And finally, is there anything I can benefit from if I implement two different ACS servers?

AFAIK it is not possible to restrict the admin from adding/deleting/modifying users or groups by specific criteria. Once the admin has the privilege to add/remove groups, for example, then s/he can do that for all groups.

You can have two ACS servers for:
- Redundancy. If one goes down, the users can still authenticate via the other one.

- Load balancing. If you have a large number of users, you can load-balance them between two (or more) ACS servers.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Yes, you are right: having two ACS appliances within the same cluster for redundancy and load balancing is the correct solution. I can't find any meaning in having two different clusters (4 servers) for two different services, where each cluster (2 servers) serves an independent service.

It is not a big deal to allow the network administrator to be granted access to all network devices, especially with accountability enabled. This is not a constraint.

The right architecture for me is one cluster (containing two ACS servers) to do both jobs.

Thx Amjad

Note: what is "AFAIK"?

I will tell you what AFAIK is if you rate my answers above.

Kidding, I will tell you. But I would really appreciate it if you mark this thread as answered and rate the above answers.

AFAIK = As Far As I Know.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"
