15-5
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 15 Unknown User Policy
Authentication and Unknown Users
The Unknown User Policy enables Cisco Secure ACS to use a variety of external
databases to attempt authentication of unknown users. This feature provides the
foundation for a basic single sign-on capability through Cisco Secure ACS.
Because the incoming authentication requests are handled by external user
databases, there is no need for you to maintain within Cisco Secure ACS the
credentials of users, such as passwords. This provides two advantages:
• Eliminates the necessity of entering every user multiple times.
• Prevents data-entry errors inherent to manual procedures.
General Authentication of Unknown Users
If you have configured the Unknown User Policy in Cisco Secure ACS,
Cisco Secure ACS attempts to authenticate unknown users as follows:
1. Cisco Secure ACS checks its internal user database. If the user exists in the
CiscoSecure user database (that is, is a known or discovered user),
Cisco Secure ACS tries to authenticate the user with the authentication
protocol of the request and the database specified in the user account.
Authentication either passes or fails.
2. If the user does not exist in the CiscoSecure user database (that is, is an
unknown user), Cisco Secure ACS tries each external user database that
supports the authentication protocol of the request, in the order specified in
the Selected Databases list. If authentication with one of the external user
databases passes, Cisco Secure ACS automatically adds the user to the
CiscoSecure user database, with a pointer to use the external user database
that succeeded on this authentication attempt. Users added by unknown user
authentication are flagged as such within the CiscoSecure user database and
are called discovered users.
The next time the discovered user tries to authenticate, Cisco Secure ACS
authenticates the user against the database that was successful the first time.
Discovered users are treated the same as known users.
3. If the unknown user fails authentication with all configured external
databases, the user is not added to the CiscoSecure user database and the
authentication fails.
The scenario given above is handled differently if user accounts with identical
usernames exist in separate Windows domains. For more information, see
Windows Authentication of Unknown Users, page 15-6.
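The three-step flow above, as an added simulation written for this section (it is not Cisco Secure ACS code); the database names, protocol names, and user records are constructed sample data. It shows the two points a practitioner should keep in mind: a discovered user is bound to the database that succeeded first, with no fallback on later attempts, and a database that does not support the request's protocol is skipped rather than tried.

```python
"""Simulation of the Unknown User Policy authentication flow (added example)."""
from dataclasses import dataclass, field

INTERNAL = "CiscoSecure"   # name used for the internal CiscoSecure user database


@dataclass
class ExternalDb:
    name: str
    protocols: set       # authentication protocols this database supports
    credentials: dict    # username -> password (constructed sample data)

    def authenticate(self, user, password, protocol):
        if protocol not in self.protocols:
            return False
        return self.credentials.get(user) == password


@dataclass
class Acs:
    selected_dbs: list                          # Selected Databases list, in order
    users: dict = field(default_factory=dict)   # CiscoSecure user database

    def _db(self, name):
        return next(db for db in self.selected_dbs if db.name == name)

    def authenticate(self, user, password, protocol):
        record = self.users.get(user)
        if record is not None:
            # Step 1: known or discovered user. Only the database bound to the
            # account is consulted; there is no fallback to other databases.
            if record["db"] == INTERNAL:
                return record.get("password") == password
            return self._db(record["db"]).authenticate(user, password, protocol)
        # Step 2: unknown user. Try each selected database that supports the
        # request's protocol, in list order; bind the user to the first success.
        for db in self.selected_dbs:
            if protocol not in db.protocols:
                continue
            if db.authenticate(user, password, protocol):
                self.users[user] = {"db": db.name, "discovered": True}
                return True
        # Step 3: every database failed; the user is not added.
        return False


def demo_acs():
    """Constructed configuration: a Windows database first, then an LDAP one."""
    windows = ExternalDb("Windows", {"PAP", "MS-CHAP"}, {"alice": "pw1"})
    ldap = ExternalDb("LDAP", {"PAP"}, {"bob": "pw2", "alice": "other"})
    acs = Acs([windows, ldap])
    acs.users["dave"] = {"db": INTERNAL, "password": "pw3", "discovered": False}
    return acs
```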