Why Use Cisco ACS?

Most midsize and large companies that run Cisco equipment also run ACS servers so that they can manage users centrally and control what those users are authorized to do. By defining the users on the ACS server and configuring the dozens or hundreds of routers and switches as clients of that server, you turn ACS into a central clearinghouse for user authentication. A user account is created once, on ACS, and every router and switch is configured to consult ACS for any type of user, whether an administrator who needs CLI access to configure the device or an end user who simply needs to pass through a router to reach a network application or service such as browsing the web. When all your network devices use the ACS server, you avoid having to create that same user account in the local database (the running configuration) of each individual router and switch.

Most companies using ACS servers have many users, and creating all those accounts manually in ACS is time-consuming. A convenient feature of ACS is that the users do not have to be configured locally on the ACS server either; instead, ACS can consult an external database that already holds the usernames and passwords. Microsoft Active Directory is a common example, because all the users and their credentials are already in place there. The chain of events goes something like this. A user connects to a router, and the router prompts the user for authentication. In this example, assume the user is an administrator who wants CLI access to the router. Because the router is configured to use the ACS server, it prompts for a username and password, sends those credentials to its AAA server (in this case, the ACS server), and waits for a reply. If the ACS server is configured to use an external database such as Active Directory, it queries Active Directory to validate that the username and password the user supplied are correct. If they are, Active Directory indicates that to the ACS server, the ACS server in turn tells the router that the credentials are valid, and the router grants the user access. If there were no Active Directory, the ACS server would check the username and password against its own local configuration instead of handing the request off. That's it in a nutshell. ACS can use multiple external databases for these lookups; the basic idea is that if the users are already defined in some database, ACS can leverage that database rather than re-create every user.
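The router side of that arrangement looks like the following on a Cisco IOS router. This is an added illustration, not configuration from the original text; the server address 10.1.1.10, the shared key, the group name ACS-GROUP, and the fallback username are assumptions. The router is defined as a TACACS+ client of the ACS server (ACS speaks both TACACS+ and RADIUS; TACACS+ is the usual choice for administrator CLI access), and the local database is listed last in each method list as a fallback.

```ios
! Enable the AAA subsystem (required before any other aaa commands)
aaa new-model
!
! Define the ACS server as a TACACS+ server (address and key are assumed)
tacacs server ACS-1
 address ipv4 10.1.1.10
 key Tacacs-Shared-Key-Placeholder
!
! Put the server in a named group so the method lists can reference it
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
!
! Login authentication: ask ACS first; the local database is consulted
! only if no server in the group responds (a reject from ACS is final)
aaa authentication login default group ACS-GROUP local
!
! EXEC (shell) authorization: ACS decides the privilege level, local fallback
aaa authorization exec default group ACS-GROUP local
!
! Send start/stop records for EXEC sessions to ACS for an audit trail
aaa accounting exec default start-stop group ACS-GROUP
!
! Fallback administrator, used only when ACS is unreachable (assumed credentials)
username fallback-admin privilege 15 secret Local-Fallback-Placeholder
!
! Apply to the remote-access lines. The default lists apply automatically,
! but naming them makes the intent explicit.
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Two practical points: the `local` keyword at the end of each list is reached only on a server error or timeout, not when ACS rejects the credentials, so it prevents lockout during an ACS outage without letting a rejected user fall through to the local database; and the local fallback account should be kept off ACS and out of general use so that its password is not the one administrators type every day. For end users who only need to pass through the router, the same ACS server can be defined as a RADIUS server and referenced from the relevant authentication lists instead.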
