ACS contains a robust internal user database where usernames, and the attributes applied to those usernames, are stored. ACS first checks this internal database for any user-authentication request it receives. However, NAC-L2-IP and NAC-L3-IP perform no user authentication, so no users need to be defined in ACS for them. NAC-L2-802.1X, on the other hand, requires user authentication, because the network admission control piece is performed on top of the normal 802.1X authentication.

For small to medium-size businesses deploying NAC-L2-802.1X, the ACS internal database will meet your needs. Just define new users under the User Setup button in the left navigation frame and assign passwords to them. Large enterprises might want to leverage one of their pre-existing user databases (Windows domain, Active Directory, LDAP, token servers, and so on) to authenticate users against. Although covering the configuration of external user databases is outside the scope of this chapter, it is prudent to mention the following points regarding external databases when they are used with NAC-L2-802.1X:

• All token servers are not supported.

• External LDAP databases are supported.

• Both Windows Active Directory and Windows SAM databases fully support NAC-L2-802.1X.

• Machine authentication is supported only with the Windows Active Directory database when performing binary certificate matching.

NOTE For more information about external database configuration, see the "User Databases" chapter of the ACS Users Guide.

