Authentication with windows user databases, Trust relationships – Cisco 3.3 User Manual

13-9

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Windows User Database

Authentication with Windows User Databases

Cisco Secure ACS forwards user credentials to a Windows database by passing
the user credentials to the Windows operating system of the computer running
Cisco Secure ACS. The Windows database either passes or fails the
authentication request from Cisco Secure ACS. Upon receiving the response from
the Windows database, Cisco Secure ACS instructs the requesting AAA client to
grant or deny the user access, depending upon the response from the Windows
database.

Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the Windows database, it is Cisco Secure ACS
that grants authorization privileges.

To further control access by a user, you can configure Cisco Secure ACS to also
check the setting for granting dialin permission to the user. This setting is labeled
“Grant dialin permission to user” in Windows NT and “Allow access” in the
Remote Access Permission area in Windows 2000. If this feature is disabled for
the user, access is denied, even if the username and password are typed correctly.

Trust Relationships

Cisco Secure ACS can take advantage of trust relationships that have been
established between Windows domains. If the domain that contains Cisco Secure
ACS trusts another domain, Cisco Secure ACS can authenticate users whose
accounts reside in the other domain. Cisco Secure ACS can also reference the
“Grant dialin permission to user” setting across trusted domains.

Note

If Cisco Secure ACS is running on a member server rather than a domain
controller, taking advantage of trust relationships depends upon proper
configuration of Cisco Secure ACS at installation. For more information, see
“Windows Authentication from a Member Server” in Installation Guide for
Cisco Secure ACS for Windows Server.

Cisco Secure ACS can take advantage of indirect trusts for Windows
authentication. Consider the example of Windows domains A, B, and C, where
Cisco Secure ACS resides on a server in domain A. Domain A trusts domain B,