Administration, Http port allocation for administrative sessions – Cisco 3.3 User Manual
Page 63
1-23
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 1 Overview
AAA Server Functions and Concepts
Administration
To configure, maintain, and protect its AAA functionality, Cisco Secure ACS
provides a flexible administration scheme. You can perform nearly all
administration of Cisco Secure ACS through its HTML interface. For more
information about the HTML interface, including steps for accessing the HTML
interface, see
Cisco Secure ACS HTML Interface, page 1-25
.
This section contains the following topics:
•
HTTP Port Allocation for Administrative Sessions, page 1-23
•
Network Device Groups, page 1-24
•
Other Administration-Related Features, page 1-24
HTTP Port Allocation for Administrative Sessions
The HTTP port allocation feature allows you to configure the range of TCP ports
used by Cisco Secure ACS for administrative HTTP sessions. Narrowing this
range with the HTTP port allocation feature reduces the risk of unauthorized
access to your network by a port open for administrative sessions.
We do not recommend that you administer Cisco Secure ACS through a firewall.
Doing so requires that you configure the firewall to permit HTTP traffic over the
range of HTTP administrative session ports that Cisco Secure ACS uses. While
narrowing this range reduces the risk of unauthorized access, a greater risk of
attack remains if you allow administration of Cisco Secure ACS from outside a
firewall. A firewall configured to permit HTTP traffic over the Cisco Secure ACS
administrative port range must also permit HTTP traffic through port 2002,
because this is the port a web browser must address to initiate an administrative
session.
Note
A broad HTTP port range could create a security risk. To prevent accidental
discovery of an active administrative port by unauthorized users, keep the HTTP
port range as narrow as possible. Cisco Secure ACS tracks the IP address
associated with each administrative session. An unauthorized user would have to
impersonate, or “spoof”, the IP address of the legitimate remote host to make use
of the active administrative session HTTP port.