Authentication and unknown users, About unknown user authentication, About – Cisco 3.3 User Manual

Page 614: About unknown user


Chapter 15 Unknown User Policy

Authentication and Unknown Users

15-4

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Authentication—The authentication process for discovered users is
identical to the authentication process for known users who are
authenticated with external user databases and whose Cisco Secure ACS
group membership is determined by group mapping.

Posture Validation—Cisco Secure ACS always uses the Unknown User
Policy to determine which NAC database to use for a posture validation
request. For more information, see Posture Validation and the Unknown
User Policy, page 15-10.

Note

We recommend removing a username from a database when the privileges
associated with that username are no longer required. For more information about
deleting a user account, see Deleting a User Account, page 7-57.

Authentication and Unknown Users

This section provides information about using the Unknown User Policy with
authentication. For information about using the Unknown User Policy with NAC,
see Posture Validation and the Unknown User Policy, page 15-10.

This section contains the following topics:

About Unknown User Authentication, page 15-4

General Authentication of Unknown Users, page 15-5

Windows Authentication of Unknown Users, page 15-6

Performance of Unknown User Authentication, page 15-8

About Unknown User Authentication

The Unknown User Policy is a form of authentication forwarding. In essence, this
feature is an extra step in the authentication process. In this additional step, if the
username does not exist in the CiscoSecure user database, Cisco Secure ACS
forwards the authentication request of an incoming username and password to
external databases with which it is configured to communicate and which support
the authentication protocol used in the authentication request.
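
The forwarding step described above, modelled as an added Python example (not Cisco code and not part of this manual). The database names, credentials, protocol support sets, plain string password comparison and the list-order try sequence are constructed assumptions; the last case shows why the Note above recommends removing a username from every database where its privileges are no longer required.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class ExternalDB:
    name: str          # hypothetical database name
    protocols: set     # authentication protocols this database supports
    users: dict        # username -> password (constructed sample data)

    def check(self, user, password):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

@dataclass
class AuthServer:
    local_users: dict            # stand-in for the CiscoSecure user database
    external_dbs: list           # assumption: tried in configured list order
    unknown_user_policy: bool = True
    discovered: set = field(default_factory=set)

    def authenticate(self, user, password, protocol):
        """Return (result, source); password checks are simplified to a string compare."""
        if user in self.local_users:                       # known user
            ok = hmac.compare_digest(self.local_users[user], password)
            return ("pass" if ok else "fail", "local")
        if not self.unknown_user_policy:
            return ("fail", "policy-disabled")
        # Extra step: forward only to databases that support this protocol.
        candidates = [db for db in self.external_dbs if protocol in db.protocols]
        for db in candidates:
            if db.check(user, password):
                self.discovered.add(user)                  # now a discovered user
                return ("pass", db.name)
        return ("fail", "no-match" if candidates else "no-db-for-protocol")

def demo():
    ldap = ExternalDB("ldap-example", {"PAP"}, {"alice": "pw-a"})
    windows = ExternalDB("windows-example", {"PAP", "MS-CHAP"},
                         {"bob": "pw-b", "carol": "pw-ext"})
    acs = AuthServer({"carol": "pw-local"}, [ldap, windows])
    results = {
        "known": acs.authenticate("carol", "pw-local", "PAP"),
        "forwarded": acs.authenticate("bob", "pw-b", "MS-CHAP"),
        "protocol_gap": acs.authenticate("alice", "pw-a", "MS-CHAP"),
    }
    # Deleting carol only locally makes her an unknown user: the request is
    # forwarded, and her remaining external account still authenticates.
    del acs.local_users["carol"]
    results["after_local_delete"] = acs.authenticate("carol", "pw-ext", "PAP")
    return results
```

Calling `demo()` returns the outcome of each case keyed by name, so the result of the local-only deletion can be compared directly with the known-user case.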
