12-5
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 12 Administering External User Databases
Unknown User Processing
NT/2000 database, Cisco Secure ACS caches the username in the CiscoSecure
user database in the form domain\user. The combination of username and domain
makes this cached user unique in the Cisco Secure ACS database.
Note Cisco Secure ACS does not support the user@domain form of qualified
usernames.
Note We recommend removing a username from a database when the privileges
associated with that username are no longer required.
Windows Authentication with Domain Omitted
If the appropriate domain identifier is not supplied as part of the authentication
process, as with the Windows 95/98 dial-up networking client or with
Windows NT/2000 in a workgroup environment, the Windows NT/2000
operating system of the Cisco Secure ACS server follows a more complex
authentication process. It first attempts to authenticate the user against its local
domain controller. If the user does not exist in the local domain controller's user
database, it progresses down the list of all its trusted domains, trying the username
against each one. If Windows NT/2000 does not find the username in any trusted
domain, it tries the credentials against its local accounts database. If it does not
find the username in the local accounts database, it rejects the authentication
request. If authentication succeeds against the local domain, any of the trusted
domains, or the local Windows NT/2000 accounts database, the user is granted
access and Cisco Secure ACS ceases further attempts to find the user in other domains.
The search stops at the first database that knows the username, whether or not the
password matches: if the username exists in the local domain or any of the trusted
domains but the password does not match the one supplied as part of the
authentication credentials, Windows NT/2000 returns a rejection message to
Cisco Secure ACS, even if the same username with the supplied password exists in
a domain later in the search order.
You can avoid this failure by using the Domain List in the
Cisco Secure ACS configuration for the Windows NT/2000 database. If you have
configured the Domain List with a list of trusted domains, Cisco Secure ACS
submits the username and password to each domain in the list, using a
domain-qualified format (domain\user), until Cisco Secure ACS successfully
authenticates the user; a rejection from one domain does not end the search.
If Cisco Secure ACS has tried each domain listed in the Domain List without
success, or if no trusted domains have been configured in the Domain List,
Cisco Secure ACS fails the authentication request for that user.
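The two lookup strategies described above, as an added model that is not part of the Cisco Secure ACS user guide and not Cisco's code: the first function follows the order the text gives for an unqualified username (local domain, then trusted domains, then the host's local accounts database, stopping at the first database that knows the user), and the second follows the Domain List behaviour (domain-qualified attempts against each listed domain until one succeeds). The domain names, usernames, passwords and account stores are constructed for the example; the return value is the domain\user form in which the text says Cisco Secure ACS caches a successfully authenticated user.

```python
"""Model of Windows NT/2000 unqualified-username authentication versus the
Cisco Secure ACS Domain List. Added example; account data is constructed."""
from typing import Dict, List, Optional

# Constructed sample stores: domain name -> {username: password}.
# "LOCAL" stands for the local accounts database of the ACS host itself.
LOCAL_DOMAIN = "CORP"                      # domain the ACS host belongs to
TRUSTED_DOMAINS = ["ENG", "SALES"]         # its trusted domains, in trust-list order
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "CORP":  {"alice": "corp-pw"},
    "ENG":   {"bob": "eng-pw", "carol": "old-pw"},     # stale carol account
    "SALES": {"carol": "sales-pw"},                    # current carol account
    "LOCAL": {"svc": "local-pw"},
}


def check(domain: str, user: str, password: str) -> Optional[bool]:
    """None: user unknown in this store. True: match. False: wrong password."""
    store = ACCOUNTS.get(domain, {})
    if user not in store:
        return None
    return store[user] == password


def windows_unqualified_auth(user: str, password: str) -> Optional[str]:
    """Unqualified username, as the text describes Windows handling it:
    local domain, then each trusted domain, then the local accounts
    database. The first store that knows the username decides the
    outcome; a wrong password there rejects the request outright."""
    for domain in [LOCAL_DOMAIN, *TRUSTED_DOMAINS, "LOCAL"]:
        result = check(domain, user, password)
        if result is True:
            return f"{domain}\\{user}"        # cached by ACS as domain\user
        if result is False:
            return None                       # rejection; no further domains tried
    return None                               # username found nowhere


def acs_domain_list_auth(user: str, password: str,
                         domain_list: List[str]) -> Optional[str]:
    """ACS Domain List behaviour: submit domain\\user to each configured
    domain in turn until one accepts. A rejection from one domain does not
    stop the search; an empty list fails the request."""
    for domain in domain_list:
        if check(domain, user, password) is True:
            return f"{domain}\\{user}"
    return None


if __name__ == "__main__":
    # carol's current password lives in SALES, but ENG holds a stale entry
    # and is searched first, so the unqualified lookup is rejected.
    print(windows_unqualified_auth("carol", "sales-pw"))
    print(acs_domain_list_auth("carol", "sales-pw", TRUSTED_DOMAINS))
```

The case to notice is the duplicated username: with the trusted-domain order CORP, ENG, SALES, an unqualified "carol" is rejected by ENG and never reaches SALES, while the Domain List reaches SALES because each domain is tried with a qualified name. This is also the reason for the earlier note recommending that stale usernames be removed from a database once their privileges are no longer required.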