Cisco Systems 4.2 Server User Manual

Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 3 Configuring New Features in ACS 4.2
Option to Not Log or Store Dynamic Users
When ACS authenticates users against an external database, such as Active Directory or LDAP, and a
user is successfully authenticated by that database, ACS by default stores a record for the user in
the ACS internal database. Users that ACS creates in this way are called dynamic users.
With ACS 4.2, you can configure ACS not to create or store data on dynamic users. Authentication
still takes place against the external database; ACS simply does not keep a local copy of the user.
To disable creation of dynamic users in the ACS internal database:
Step 1 In the navigation bar, choose External User Databases > Unknown User Policy.
The Configure Unknown User Policy page opens.
Step 2 Scroll down to the Configure Caching Unknown Users section, shown in Figure 3-4:
Figure 3-4 Disabling Creation of Dynamic Users
Step 3 Check the Disable Dynamic users check box.
Step 4 Click Submit.
Active Directory Multi-Forest Support
ACS supports machine authentication in a multi-forest environment. Machine authentication succeeds
as long as an appropriate trust relationship exists between the forest of the primary ACS domain and
the forest of the requested domain. When the domain of the requesting user or machine belongs to a
trusted forest, machine authentication succeeds.
ACS supports user authentication across multiple forests for EAP-FAST version 1a, PEAP, MSPEAP, and
EAP-TLS.
Note: The multi-forest feature works only where the username contains the domain information.
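Because the feature depends on the domain being present in the username, it is worth checking a sample of the usernames your supplicants actually send before relying on cross-forest trust. The following Python pre-check is an added example, not code from the Cisco guide; it assumes the two common Windows name forms, NetBIOS (DOMAIN\user) and UPN (user@domain), and the sample usernames are constructed for illustration.

```python
import re

# Constructed sample usernames for illustration; not taken from any real log.
SAMPLE_USERNAMES = [
    "CORP\\alice",            # NetBIOS form: domain present
    "bob@eng.example.com",    # UPN form: domain present
    "carol",                  # bare name: no domain information
    "\\dave",                 # malformed: empty domain component
    "erin@",                  # malformed: empty UPN suffix
]

# Assumed name forms: DOMAIN\user and user@domain. Both parts must be non-empty
# and may not themselves contain separator characters.
NETBIOS_RE = re.compile(r"^(?P<domain>[^\\/@]+)\\(?P<user>[^\\/@]+)$")
UPN_RE = re.compile(r"^(?P<user>[^\\/@]+)@(?P<domain>[^\\/@]+)$")


def split_domain(username):
    """Return (domain, user) when the name carries domain information.

    Returns (None, username) for bare or malformed names, which is the case
    the multi-forest note warns about.
    """
    m = NETBIOS_RE.match(username)
    if m:
        return m.group("domain"), m.group("user")
    m = UPN_RE.match(username)
    if m:
        return m.group("domain"), m.group("user")
    return None, username


def missing_domain(usernames):
    """Return the names that lack a domain component, in input order."""
    return [u for u in usernames if split_domain(u)[0] is None]


if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        domain, user = split_domain(name)
        status = "ok, domain=%s" % domain if domain else "NO DOMAIN (multi-forest lookup not possible)"
        print("%-22s %s" % (name, status))
```

Run it over a list of usernames pulled from your RADIUS accounting or ACS reports; any name it reports as having no domain will be looked up only in the primary ACS domain, not routed to a trusted forest.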
Configuring Syslog Time Format in ACS 4.2
ACS SE 4.2 provides a new option for configuring the time format that ACS uses in the messages it
sends to syslog servers.