Authenticating Users

Users are authenticated against the Cisco Secure ACS database. This database may be internal or external to the Cisco Secure ACS server, which allows users to be authenticated against information held in different locations. Cisco Secure ACS supports the following types of user database:

• Cisco Secure user database

• Windows AD and SAM database

• LEAP Proxy RADIUS servers

• Token servers (RSA SecurID)

• RADIUS-compliant token servers

• ODBC-compliant relational databases

How Cisco Secure ACS interacts with an external user database depends on the database type. For a Windows user database and generic LDAP, the authentication application program interface (API) is provided by the Windows operating system. For other external databases, such as NDS and LDAP, TCP connections are used and additional software must be installed. Once communication between the external database and ACS is established, a user may be authenticated in one of two ways:

• Specific user assignment: Cisco Secure ACS may be configured to authenticate specific users with an external user database. To do this, the user must exist in the Cisco Secure user database, and the password authentication list in the user setup must be set to the external user database that contains the user's credentials. The user may be placed in the desired Cisco Secure ACS group to receive the applicable access profile.

• Unknown user policy: Cisco Secure ACS may attempt to authenticate users not found in the Cisco Secure user database via an external user database. With this method, a user does not need to exist in the Cisco Secure user database to be authenticated.

A common configuration is to use a Windows user database for standard network users and a token server for network administrators.
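To make the two decision paths concrete, here is an added model of the lookup order (example code, not Cisco's implementation): a local record whose password authentication list names an external database is checked there and keeps its locally assigned group, while a user with no local record is only tried against the databases listed in the unknown user policy. The database names, accounts, credentials and the single "Default Group" mapping for unknown users are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class InternalUser:
    group: str                      # Cisco Secure ACS group -> access profile
    auth_list: str                  # "internal" or an external database name
    password: str = ""              # only used when auth_list == "internal"

@dataclass
class AcsConfig:
    internal_users: dict            # username -> InternalUser
    external_dbs: dict              # name -> callable(username, password) -> bool
    # Ordered external databases tried for unknown users; empty = policy off.
    unknown_user_policy: list = field(default_factory=list)
    unknown_user_group: str = "Default Group"   # assumed group for unknown users

def authenticate(cfg: AcsConfig, username: str, password: str):
    """Return (accepted, group, database) following the two paths above."""
    user = cfg.internal_users.get(username)
    if user is not None:
        # Specific user assignment: the local record decides which database
        # checks the password and which group the user lands in.
        if user.auth_list == "internal":
            ok = bool(user.password) and hmac.compare_digest(user.password, password)
        else:
            db = cfg.external_dbs.get(user.auth_list)
            ok = db is not None and db(username, password)
        return ok, (user.group if ok else None), user.auth_list
    # Unknown user policy: no local record; try the external databases in order.
    for name in cfg.unknown_user_policy:
        if cfg.external_dbs[name](username, password):
            return True, cfg.unknown_user_group, name
    return False, None, None

def demo_config() -> AcsConfig:
    # Constructed sample: Windows AD holds staff, a token server holds admins.
    windows_ad = {"carol": "Winter2024!"}      # constructed AD accounts
    token_codes = {"admin": "159753"}          # constructed one-time codes
    return AcsConfig(
        internal_users={
            "admin": InternalUser(group="Admins", auth_list="token_server"),
            "bob": InternalUser(group="Staff", auth_list="internal", password="bob-pass"),
        },
        external_dbs={
            "windows_ad": lambda u, p: windows_ad.get(u) == p,
            "token_server": lambda u, p: token_codes.get(u) == p,
        },
        unknown_user_policy=["windows_ad"],
    )
```

Note that an unknown user is never tried against the token server because it is not in the policy list, which is the property that keeps the administrator path separate from the staff path.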
