Filter
Top Products
11-15
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 11 Working with User Databases
Generic LDAP
This section contains the following topics:
• Cisco Secure ACS Authentication Process with a Generic LDAP User
Database, page 11-15
• Multiple LDAP Instances, page 11-16
• LDAP Organizational Units and Groups, page 11-17
• Directed Authentications, page 11-17
• LDAP Failover, page 11-17
• Configuring a Generic LDAP External User Database, page 11-19
Cisco Secure ACS Authentication Process with a Generic LDAP
User Database
Cisco Secure ACS forwards user authentication requests to an LDAP database in
one of two scenarios. The first scenario is when the user’s account in the
CiscoSecure user database lists an LDAP configuration as the authentication
method. The second is when the user is unknown to the CiscoSecure user database
and the Unknown User Policy dictates that an LDAP database is the next external
user database to try.
In either case, Cisco Secure ACS forwards the username and password to the
LDAP database. The LDAP database either passes or fails the authentication
request from Cisco Secure ACS. Upon receiving the response from the LDAP
database, Cisco Secure ACS instructs the requesting AAA client to grant or deny
the user access, depending upon the response from the LDAP server.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges. See Figure 11-3 on page 11-16.