External user database authentication process – Cisco 3.3 User Manual

Page 490


Chapter 13 User Databases

About External User Databases

13-6

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

By Unknown User Policy—You can configure Cisco Secure ACS to attempt
authentication of users not found in the CiscoSecure user database by using
an external user database. Users do not need to be defined in the CiscoSecure
user database for this method. For more information about the Unknown User
Policy, see About Unknown User Authentication, page 15-4.

You can also configure Cisco Secure ACS with both methods above; these two
methods are not mutually exclusive.

External User Database Authentication Process

When Cisco Secure ACS attempts user authentication with an external user
database, it forwards the user credentials to the external user database. The
external user database either passes or fails the authentication request from
Cisco Secure ACS. Upon receiving the response from the external user database,
Cisco Secure ACS instructs the requesting AAA client to grant or deny the user
access, depending upon the response from the external user database.

Figure 13-1 shows a AAA configuration with an external user database.

Figure 13-1 A Simple AAA Scenario

The specifics of the method used to communicate with the external user database
vary with the database type. For LDAP and Novell NDS, Cisco Secure ACS uses
TCP connections. For Windows user databases, Cisco Secure ACS uses the
authentication API provided in the Windows operating system. With the exception
of RSA token servers, Cisco Secure ACS communicates with token servers using
RADIUS. For RSA token servers, Cisco Secure ACS acts as an RSA client in order
to use the RSA proprietary interface.

For more information, see the section regarding the database type you are
interested in.

[Figure 13-1 (image not reproduced) shows these elements: End-user client,
AAA client, Cisco Secure Access Control Server, External user database]
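A model of the decision flow described in this section (a locally defined user is checked against the CiscoSecure user database, an unknown user is forwarded under the Unknown User Policy, and the external database's pass/fail response drives the grant or deny instruction to the AAA client), added here as an illustration; it is not Cisco code. It assumes the policy tries its listed databases in order until one passes, and the user names, passwords and database names are constructed samples.

```python
"""Model of how Cisco Secure ACS decides grant/deny for a request.

Added illustration; the classes, sample users and database names are
constructed for this example and are not part of the product.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# An external user database is modelled as a callable taking the forwarded
# credentials and returning True (authentication passed) or False (failed).
ExternalDb = Callable[[str, str], bool]


@dataclass
class AcsModel:
    # CiscoSecure user database: username -> password (constructed sample).
    local_users: Dict[str, str]
    # Unknown User Policy: ordered (name, database) pairs consulted for users
    # absent from the local database. An empty list means the policy is off.
    unknown_user_policy: List[Tuple[str, ExternalDb]] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> Tuple[str, str]:
        """Return (instruction sent to the AAA client, database that decided)."""
        if user in self.local_users:
            # A locally defined user is never forwarded to an external database.
            ok = self.local_users[user] == password
            return ("grant" if ok else "deny", "CiscoSecure")
        # Unknown user: forward the credentials to each policy database in turn
        # (assumed order-until-pass behaviour) and act on its pass/fail response.
        for name, db in self.unknown_user_policy:
            if db(user, password):
                return ("grant", name)
        # No policy configured, or every external database failed the request.
        return ("deny", "none")


def sample_acs() -> AcsModel:
    """Constructed sample: one local user and two external databases."""
    def ldap(user: str, password: str) -> bool:
        return (user, password) == ("jdoe", "ldap-pw")

    def windows(user: str, password: str) -> bool:
        return (user, password) == ("asmith", "win-pw")

    return AcsModel({"local1": "local-pw"}, [("LDAP", ldap), ("Windows", windows)])


if __name__ == "__main__":
    acs = sample_acs()
    for user, pw in [("local1", "local-pw"), ("jdoe", "ldap-pw"), ("nobody", "x")]:
        print(user, acs.authenticate(user, pw))
```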
