Windows authentication of unknown users, Domain-qualified unknown windows users – Cisco 3.3 User Manual


Chapter 15 Unknown User Policy

Authentication and Unknown Users

15-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Note

Because usernames in the CiscoSecure user database must be unique,
Cisco Secure ACS supports a single instance of any given username across all
databases that it is configured to use. For example, assume every external user
database contains a user account with the username John. Each account is for a
different user, but they each, coincidentally, have the same username. After the
first John attempts to access the network and has authenticated through the
unknown user process, Cisco Secure ACS retains a discovered user account for
that John and only that John. Now, Cisco Secure ACS tries to authenticate
subsequent attempts by any user named John using the same external user
database that originally authenticated John. Assuming their passwords are
different than the password for the John who authenticated first, the other Johns
are unable to access the network.
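The collision scenario in the Note, as an added example (not Cisco's code): a simplified Python model of the unknown user process in which the first database to accept an unknown username becomes the only one consulted for that username afterwards. The database names and passwords are constructed; treating a DOMAIN\user name as a request against that domain alone is an assumption drawn from the Domain-Qualified Unknown Windows Users section below.

```python
# Constructed sample external databases (assumed data, not Cisco's):
# every database has a user called "john", each with a different password.
EXTERNAL_DBS = {
    "DOMAIN_A": {"john": "alpha-pw"},
    "DOMAIN_B": {"john": "bravo-pw"},
}


class UnknownUserPolicy:
    """Simplified model of the unknown user process described in the Note."""

    def __init__(self, db_order):
        self.db_order = list(db_order)  # order in which unknown users are tried
        self.discovered = {}            # username -> database that first authenticated it

    @staticmethod
    def _check(db, user, password):
        return EXTERNAL_DBS.get(db, {}).get(user) == password

    def authenticate(self, username, password):
        """Return the name of the database that accepted the credentials, or None."""
        # Assumption: a domain-qualified name (DOMAIN\user) is tried only against
        # that domain, as the Domain-Qualified Unknown Windows Users section says.
        if "\\" in username:
            domain, user = username.split("\\", 1)
            return domain if self._check(domain, user, password) else None
        # A discovered user is bound to the database that authenticated it first;
        # no other database is consulted, even if it would accept the password.
        if username in self.discovered:
            db = self.discovered[username]
            return db if self._check(db, username, password) else None
        # Unknown user: walk the configured databases and remember the first match.
        for db in self.db_order:
            if self._check(db, username, password):
                self.discovered[username] = db
                return db
        return None


def collision_demo():
    """Replay the Note's scenario: the second John is locked out."""
    acs = UnknownUserPolicy(["DOMAIN_A", "DOMAIN_B"])
    first = acs.authenticate("john", "bravo-pw")    # John from DOMAIN_B: discovered
    second = acs.authenticate("john", "alpha-pw")   # John from DOMAIN_A: rejected
    qualified = acs.authenticate("DOMAIN_A\\john", "alpha-pw")  # domain-qualified: accepted
    return first, second, qualified
```

Note that the second John fails even though DOMAIN_A would have accepted his password; only the discovered-user binding, not the credentials, decides which database is consulted.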

Windows Authentication of Unknown Users

Because there can be multiple occurrences of the same username across the
trusted Windows domains against which Cisco Secure ACS authenticates users,
Cisco Secure ACS treats authentication with a Windows user database as a special
case.

To perform authentication, Cisco Secure ACS communicates with the Windows
operating system of the computer running Cisco Secure ACS. Windows uses its
built-in facilities to forward the authentication requests to the appropriate domain
controller.

This section contains the following topics:

Domain-Qualified Unknown Windows Users, page 15-6

Windows Authentication with Domain Qualification, page 15-7

Multiple User Account Creation, page 15-8

Domain-Qualified Unknown Windows Users

When a domain name is supplied as part of an authentication request, Cisco Secure
ACS detects that a domain name was supplied and tries the authentication
credentials against the specified domain. The dial-up networking clients provided
