Cisco Systems CSACS3415K9 Computer Accessories User Manual


 
8-46
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
The Engineers' rule is an example of a MAR rule that allows engineers access only if their machine was
successfully authenticated against the Windows database.
The Managers' rule is an example of an exemption from MAR.
Distributed MAR Cache
ACS 5.4 supports the Machine Access Restriction cache per ACS deployment. That is, machine
authentication results can be cached among the nodes within the deployment.
MAR Cache Distribution Groups
ACS 5.4 has the option to group ACS nodes in MAR cache distribution groups. This option is used to
control the impact of MAR cache distribution operations on ACS performance and memory usage.
A text label is assigned to each ACS node, which is called the MAR cache distribution group value. ACS
nodes are grouped based on the MAR cache distribution group value. You can perform MAR cache
distribution operations only between the ACS nodes that are assigned to the same MAR cache
distribution group.
If the group value of an ACS node is empty, then it is considered as not assigned to any MAR cache
distribution group. Such ACS nodes do not participate in any MAR cache distribution operations.
Distributed MAR Cache Operation
The ACS runtime component combines two operations to implement a distributed MAR cache:
• MAR cache replication with no guaranteed delivery
• MAR cache distributed search
MAR Cache Replication
During machine authentication, the ACS runtime component stores a MAR entry (the authenticated
Calling-Station-ID) in the MAR cache. ACS first saves the MAR entry in the local MAR cache. Then,
the ACS runtime component replicates the MAR entry to the ACS nodes that belong to the same MAR
cache distribution group.
The replication is performed based on the cache entry replication attempts and the cache entry
replication timeouts that are configured in the ACS web interface.
The replication operation is performed in the background and does not interrupt or delay the user
authentication that triggered this replication.
MAR Cache Distributed Search
At first, ACS searches for the MAR entry in the local MAR cache. If the MAR entry is not found in the
local MAR cache, then ACS queries the ACS nodes that are assigned to the same MAR cache distribution
group.
MAR rule example table (the Engineers' and Managers' rules referenced above):

AD Group    Machine Authentication Required    ATZ profile
Engineers   Yes                                VLAN X
Managers    No                                 VLAN B
……                                             DENY ACCESS
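The following Python model ties together the distributed MAR cache described above (distribution groups, best-effort replication, local-then-peer search) and the MAR rule table. It is an added illustration, not Cisco's ACS code: node names, group labels, the Calling-Station-IDs and the "reachable" flag are constructed, the replication_attempts parameter only stands in for the "cache entry replication attempts" setting, and the replication timeout is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class AcsNode:
    """One ACS node. group is the MAR cache distribution group value; "" means unassigned."""
    name: str
    group: str = ""
    cache: set = field(default_factory=set)  # MAR entries: authenticated Calling-Station-IDs
    reachable: bool = True                   # constructed flag: False drops replication traffic


class Deployment:
    """Toy model of the ACS runtime's distributed MAR cache (not Cisco's implementation)."""

    def __init__(self, nodes, replication_attempts=2):
        self.nodes = {n.name: n for n in nodes}
        # Stands in for the "cache entry replication attempts" setting; the
        # replication timeout from the web interface is not modelled here.
        self.replication_attempts = replication_attempts

    def peers(self, node):
        """Nodes eligible for replication and search: same non-empty group value."""
        if not node.group:
            return []  # empty group value: node takes part in no distribution operation
        return [n for n in self.nodes.values() if n is not node and n.group == node.group]

    def machine_authenticated(self, node_name, calling_station_id):
        """Record a successful machine authentication handled by node_name.

        The entry is saved locally first, then replicated best-effort (bounded
        attempts, no guaranteed delivery) to every node in the same group.
        Returns {peer_name: delivered?} so the caller can see which replications failed.
        """
        node = self.nodes[node_name]
        node.cache.add(calling_station_id)
        delivered = {}
        for peer in self.peers(node):
            delivered[peer.name] = False
            for _attempt in range(self.replication_attempts):
                if peer.reachable:
                    peer.cache.add(calling_station_id)
                    delivered[peer.name] = True
                    break
        return delivered

    def lookup(self, node_name, calling_station_id):
        """Distributed search: local cache first, then same-group peers.

        Returns "local", the name of the peer that held the entry, or None.
        """
        node = self.nodes[node_name]
        if calling_station_id in node.cache:
            return "local"
        for peer in self.peers(node):
            if peer.reachable and calling_station_id in peer.cache:
                return peer.name
        return None


# Rules in the shape of the MAR rule table: (AD group, machine authentication
# required, authorization profile). A rule whose machine-authentication
# condition is not met is skipped, so the request falls through to the
# catch-all DENY ACCESS row.
MAR_RULES = [
    ("Engineers", True, "VLAN X"),
    ("Managers", False, "VLAN B"),
]
DEFAULT_PROFILE = "DENY ACCESS"


def authorize(deployment, node_name, ad_group, calling_station_id):
    """Pick the authorization profile for a user request handled by node_name."""
    for group, needs_machine_auth, profile in MAR_RULES:
        if group != ad_group:
            continue
        if needs_machine_auth and deployment.lookup(node_name, calling_station_id) is None:
            continue
        return profile
    return DEFAULT_PROFILE


def build_demo_deployment():
    """Constructed four-node deployment: two groups plus one unassigned node."""
    return Deployment([
        AcsNode("acs1", group="EU"),
        AcsNode("acs2", group="EU"),
        AcsNode("acs3", group="US"),
        AcsNode("acs4"),  # empty group value: never replicates and is never searched
    ])


if __name__ == "__main__":
    dep = build_demo_deployment()
    mac = "00-11-22-33-44-55"  # constructed Calling-Station-ID
    print(dep.machine_authenticated("acs1", mac))             # {'acs2': True}
    print(dep.lookup("acs2", mac), dep.lookup("acs3", mac))   # local None
    print(authorize(dep, "acs2", "Engineers", mac))           # VLAN X
    print(authorize(dep, "acs3", "Engineers", mac))           # DENY ACCESS
```

Two behaviours from the text are visible here: a node in a different group (acs3) or with an empty group value (acs4) never sees the entry, so an engineer whose request lands there is denied; and when replication to a peer fails, the peer's later distributed search still finds the entry on the node that performed the machine authentication.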