General authentication of unknown users – Cisco 3.3 User Manual


15-5

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 15 Unknown User Policy

Authentication and Unknown Users

The Unknown User Policy enables Cisco Secure ACS to use a variety of external
databases to attempt authentication of unknown users. This feature provides the
foundation for a basic single sign-on capability through Cisco Secure ACS.
Because the incoming authentication requests are handled by external user
databases, there is no need for you to maintain within Cisco Secure ACS the
credentials of users, such as passwords. This provides two advantages:

Eliminates the necessity of entering every user multiple times.

Prevents data-entry errors inherent to manual procedures.

General Authentication of Unknown Users

If you have configured the Unknown User Policy in Cisco Secure ACS,
Cisco Secure ACS attempts to authenticate unknown users as follows:

1. Cisco Secure ACS checks its internal user database. If the user exists in the
CiscoSecure user database (that is, is a known or discovered user),
Cisco Secure ACS tries to authenticate the user with the authentication
protocol of the request and the database specified in the user account.
Authentication either passes or fails.

2. If the user does not exist in the CiscoSecure user database (that is, is an
unknown user), Cisco Secure ACS tries each external user database that
supports the authentication protocol of the request, in the order specified in
the Selected Databases list. If authentication with one of the external user
databases passes, Cisco Secure ACS automatically adds the user to the
CiscoSecure user database, with a pointer to use the external user database
that succeeded on this authentication attempt. Users added by unknown user
authentication are flagged as such within the CiscoSecure user database and
are called discovered users.

The next time the discovered user tries to authenticate, Cisco Secure ACS
authenticates the user against the database that was successful the first time.
Discovered users are treated the same as known users.

3. If the unknown user fails authentication with all configured external
databases, the user is not added to the CiscoSecure user database and the
authentication fails.

The scenario given above is handled differently if user accounts with identical
usernames exist in separate Windows domains. For more information, see
Windows Authentication of Unknown Users, page 15-6.
