Preparing Users for Authenticating with Windows, Windows User Database Configuration Options – Cisco 3.3 User Manual

Chapter 13 User Databases

Windows User Database

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Preparing Users for Authenticating with Windows

Before using the Windows user database for authentication, follow these steps:

Step 1  Make sure the username exists in the Windows user database.

Step 2  In Windows, for each user account, clear the following User Properties check boxes:

  - User must change password at next logon
  - Account disabled

Step 3  If you want to control dial-in access from within Windows NT, click Dial-in and select Grant dialin permission to user. In Windows 2000, access the User Properties dialog box, select the Dial-In tab, and in the Remote Access area, click Allow access. You must also configure the option to reference this feature under Database Group Mappings in the External User Databases section of Cisco Secure ACS.

Windows User Database Configuration Options

The Windows User Database Configuration page contains the following
configuration options:

Dialin Permission—You can restrict network access to users whose
Windows accounts have Windows dialin permission. The Grant dialin
permission to user check box controls this feature.

Note

This feature applies to all users authenticated by Cisco Secure ACS
with a Windows external user database; despite the name of the
feature, it is not limited to users who access the network with a dialup
client but is applied regardless of client type. For example, if you have
configured a PIX Firewall to authenticate Telnet sessions using
Cisco Secure ACS as a RADIUS server, a user authenticated by a
Windows external user database would be denied Telnet access to the
PIX Firewall if the Dialin Permission feature is enabled and the
Windows user account does not have dialin permission.
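
The following is an added example, not part of the Cisco guide or Cisco Secure ACS: a pre-check that applies the three preparation steps and the Dialin Permission option to exported account attributes, showing how enabling the option changes which accounts are ready. It assumes Active Directory accounts (Windows 2000), where the check boxes are stored as userAccountControl, pwdLastSet and msNPAllowDialin, and it assumes only an explicit TRUE counts as dialin permission; the function names and the sample records are constructed for illustration.

```python
# Added example (not Cisco code). Records below are constructed samples of
# Active Directory attributes exported for each account.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit behind "Account disabled"


def blocking_findings(account, dialin_permission_enabled):
    """List the reasons an account fails the preparation steps above.

    account: dict of exported attributes, or None if the username is absent.
    dialin_permission_enabled: state of the ACS Dialin Permission option.
    """
    if account is None:
        return ["username does not exist in the Windows user database"]
    findings = []
    if int(account.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        findings.append("Account disabled is set")
    # pwdLastSet == 0 is how the directory stores
    # "User must change password at next logon".
    if int(account.get("pwdLastSet", -1)) == 0:
        findings.append("User must change password at next logon is set")
    # Assumption: only an explicit TRUE counts as dialin permission granted.
    if dialin_permission_enabled and account.get("msNPAllowDialin") is not True:
        findings.append("no dialin permission, and Dialin Permission is enabled")
    return findings


def audit(usernames, directory, dialin_permission_enabled):
    """Map each username to its findings; an empty list means ready."""
    return {
        name: blocking_findings(directory.get(name), dialin_permission_enabled)
        for name in usernames
    }


# Constructed sample directory export.
STAMP = 127500000000000000  # constructed non-zero pwdLastSet value
DIRECTORY = {
    "alice": {"userAccountControl": 0x200, "pwdLastSet": STAMP, "msNPAllowDialin": True},
    "bob": {"userAccountControl": 0x202, "pwdLastSet": 0, "msNPAllowDialin": True},
    "carol": {"userAccountControl": 0x200, "pwdLastSet": STAMP, "msNPAllowDialin": False},
}

if __name__ == "__main__":
    for enabled in (False, True):
        print("Dialin Permission enabled:", enabled)
        names = ["alice", "bob", "carol", "dave"]
        for user, found in audit(names, DIRECTORY, enabled).items():
            print(f"  {user}: {found or 'ready'}")
```

In the sample, carol is ready while the option is off and blocked once it is on, which is the Telnet case the note describes.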