13-17
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Windows User Database
When machine authentication is enabled, three distinct authentications take
place. When a computer starts up, they occur in the following order:
• Machine authentication—The computer is authenticated by Cisco Secure
ACS prior to user authentication. Cisco Secure ACS checks the credentials
provided by the computer against the Windows user database. If you use
Active Directory and the matching computer account in Active Directory has
the same credentials, the computer gains access to Windows domain services.
• User domain authentication—If machine authentication succeeded, the
user is authenticated by the Windows domain. If machine authentication
failed, the computer has no access to Windows domain services, and the
user is authenticated against credentials cached by the local operating
system. When a user is authenticated by cached credentials instead of by
the domain, the computer does not enforce domain policies, such as running
the login scripts dictated by the domain.
Tip If a computer fails machine authentication and the user hasn’t successfully logged
in to the domain using the computer since the most recent user password change,
the cached credentials on the computer will not match the new password. Instead,
the cached credentials will match an older password of the user, provided that the
user once logged in to the domain successfully from this computer.
• User network authentication—The user is authenticated by Cisco Secure
ACS, allowing the user to have network connectivity. If the user profile exists,
the user database specified is used to authenticate the user. While the user
database is not required to be the Windows user database, most Microsoft
clients can be configured to automatically perform network authentication
using the same credentials used for user domain authentication. This allows
for a single sign-on.
Note Microsoft PEAP clients also initiate machine authentication whenever a user logs
off. This prepares the network connection for the next user login. Microsoft PEAP
clients may also initiate machine authentication when a user chooses to shut
down or restart the computer rather than just logging off.
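The sequence above gives an operator a simple audit rule: for every endpoint, a successful user network authentication should be preceded by a successful machine authentication; where it is not, the user most likely logged on with cached credentials, or the computer is not joined to the domain. The following script is an added example, not part of the Cisco Secure ACS guide or the product. It runs that check over constructed, comma-separated log lines (timestamp, result, User-Name, client MAC) rather than any real ACS report format, and it assumes the Windows supplicant's convention of sending machine authentication identities with a `host/` prefix; both the log layout and the sample data are assumptions for illustration.

```python
"""Audit machine-then-user authentication order over constructed
ACS-style authentication log lines (added example, not Cisco code)."""
import re
from collections import defaultdict

# Constructed sample log lines (NOT real Cisco Secure ACS output).
# Fields: timestamp, result, User-Name, Calling-Station-Id (client MAC).
SAMPLE_LOG = """\
2004-06-01 08:00:01,PASS,host/ws01.example.local,00-11-22-33-44-01
2004-06-01 08:00:20,PASS,EXAMPLE\\alice,00-11-22-33-44-01
2004-06-01 08:05:00,FAIL,host/ws02.example.local,00-11-22-33-44-02
2004-06-01 08:05:30,PASS,EXAMPLE\\bob,00-11-22-33-44-02
2004-06-01 08:10:00,PASS,EXAMPLE\\carol,00-11-22-33-44-03
2004-06-01 17:00:00,PASS,host/ws01.example.local,00-11-22-33-44-01
"""

# Assumption: Windows 802.1X machine authentication uses an identity of
# the form host/<computer FQDN>; anything else is treated as a user.
MACHINE_RE = re.compile(r"^host/", re.IGNORECASE)


def is_machine_identity(username):
    """True when the User-Name looks like a computer account identity."""
    return bool(MACHINE_RE.match(username))


def parse_log(text):
    """Parse the constructed CSV-like lines into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, username, mac = line.split(",", 3)
        records.append({
            "ts": ts,
            "ok": result.strip().upper() == "PASS",
            "user": username.strip(),
            "mac": mac.strip().lower(),
        })
    return records


def check_auth_order(records):
    """Return (mac, user, reason) findings for successful user
    authentications that were not preceded by a successful machine
    authentication from the same endpoint.

    A later machine authentication (for example the one a PEAP client
    sends at logoff) simply replaces the endpoint's recorded state, so
    the next user logon is judged against the most recent outcome.
    """
    machine_state = {}            # mac -> outcome of last machine auth
    per_mac_users = defaultdict(list)
    findings = []
    for r in records:             # records are assumed to be in time order
        if is_machine_identity(r["user"]):
            machine_state[r["mac"]] = r["ok"]
            continue
        if not r["ok"]:
            continue              # failed user auths are not our concern here
        per_mac_users[r["mac"]].append(r["user"])
        state = machine_state.get(r["mac"])
        if state is None:
            findings.append((r["mac"], r["user"],
                             "no machine authentication seen before user "
                             "authentication (not domain-joined?)"))
        elif state is False:
            findings.append((r["mac"], r["user"],
                             "machine authentication failed; user likely "
                             "logged on with cached credentials"))
    return findings


if __name__ == "__main__":
    for mac, user, reason in check_auth_order(parse_log(SAMPLE_LOG)):
        print(f"{mac} {user}: {reason}")
```

In the constructed sample, alice on ws01 is clean, bob on ws02 is flagged because the machine authentication failed (the cached-credential case described in the Tip above), and carol is flagged because her endpoint never authenticated as a machine at all. Adapting this to a real ACS report means only replacing `parse_log` with a parser for the columns your export actually contains.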