Chapter 12 Administering External User Databases
Unknown User Processing
12-6
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Note If your network has multiple occurrences of a username across domains (for
example, every domain has a user called Administrator), or if users dialing in
do not provide their domains as part of their authentication credentials, be sure
to configure the Domain List for the Windows NT/2000 database in the
External User Databases section. Otherwise, Windows NT/2000 checks the domains
in an order that Cisco Secure ACS does not control, and only the user whose
account happens to be checked first authenticates successfully; a user with the
same username in any other domain is rejected. The Domain List is the only way
that Cisco Secure ACS controls the order in which Windows NT/2000 checks
domains. The most reliable method of supporting multiple instances of a
username across domains is to require users to supply their domain membership
as part of the authentication request (for example, DOMAIN\username), which
removes the dependence on lookup order altogether.
Performance of Unknown User Authentication
Authentication requests that are handled by the Unknown User authentication
feature take more time than requests for users that are already in the
Cisco Secure ACS database, because Cisco Secure ACS must query the configured
external databases in turn until one of them authenticates the user. This delay
may require additional configuration on the AAA clients through which unknown
users may attempt to access your network.
Added Latency
Adding external databases against which to process unknown users can
significantly increase the time needed for each individual authentication. At best,
the time needed for each authentication is the time taken by the external database
to authenticate, plus some latency for Cisco Secure ACS processing. In some
circumstances (for example, when using a Windows NT/2000 user database), the
extra latency introduced by an external database can be as much as tens of
seconds. If you have configured multiple databases, the delays add up: Cisco
Secure ACS tries the databases in the order you configure, so a request for a
user found in the last database, or for a username that exists in none of them
(a mistyped username, or one guessed by an attacker), takes the sum of the times
of every database tried. Plan for this worst case, not for the typical one.
Authentication Timeout Value on AAA clients
Be sure to increase the AAA client timeout to accommodate the longer
authentication time required for Cisco Secure ACS to pass the authentication
request to the external databases. The timeout must cover the worst case, in
which every configured external database is queried before Cisco Secure ACS can
answer. If the AAA client timeout value is not set high enough to account for
the delay required by unknown user authentication, the AAA client times out the
request and every unknown user authentication that takes longer than the
timeout fails, even though Cisco Secure ACS would eventually have accepted it.
On a Cisco IOS AAA client, for example, the global tacacs-server timeout and
radius-server timeout commands set this value; their default of 5 seconds is
far too short for lookups that can take tens of seconds.
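The lookup order described in the Note above and the latency and timeout
behavior of the two sections that follow, modelled as an added example. This is
not Cisco Secure ACS code: the database names, per-lookup latencies, usernames,
domain names and the 0.5 second ACS processing overhead are constructed
assumptions chosen to show why the AAA client timeout must cover the sum of all
configured databases, and why the Domain List (or a DOMAIN\username credential)
decides which Windows account is checked.

```python
# Added illustration of Unknown User processing cost and the AAA client
# timeout; this is not Cisco Secure ACS code.  Database names, per-lookup
# latencies, user sets and domain names below are constructed sample values.
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExternalDatabase:
    name: str
    seconds: float        # assumed time for one authentication against this database
    users: frozenset      # usernames this database can authenticate (sample data)


def unknown_user_lookup(username: str, databases: List[ExternalDatabase],
                        acs_overhead: float = 0.0) -> Tuple[Optional[str], float]:
    """Try the external databases in their configured order, as Unknown User
    processing does, and return (name of the database that authenticated the
    user, or None, total seconds spent).  The latencies of the databases tried
    before the match add up; a user known to no database costs the full sum."""
    elapsed = acs_overhead
    for db in databases:
        elapsed += db.seconds
        if username in db.users:
            return db.name, elapsed
    return None, elapsed


def worst_case_seconds(databases: List[ExternalDatabase],
                       acs_overhead: float = 0.0) -> float:
    """Time ACS needs when no configured database knows the username."""
    return acs_overhead + sum(db.seconds for db in databases)


def minimum_client_timeout(databases: List[ExternalDatabase],
                           acs_overhead: float = 0.0) -> int:
    """Smallest whole-second AAA client timeout that covers the worst case."""
    return math.ceil(worst_case_seconds(databases, acs_overhead))


def aaa_client_result(client_timeout: float, username: str,
                      databases: List[ExternalDatabase],
                      acs_overhead: float = 0.0) -> str:
    """Outcome as seen by the AAA client: 'pass', 'fail', or 'timeout' when
    ACS has not answered before the client gives up on the request."""
    found, elapsed = unknown_user_lookup(username, databases, acs_overhead)
    if elapsed > client_timeout:
        return "timeout"
    return "pass" if found else "fail"


def windows_domain_lookup(credential: str, domain_list: Optional[List[str]],
                          accounts: frozenset) -> Optional[str]:
    """Which Windows NT/2000 account gets checked for a credential.
    `accounts` is a constructed set of (domain, username) pairs.  A DOMAIN\\user
    credential names the domain itself.  Otherwise the Domain List is tried in
    order; with no Domain List, sorted order stands in for an order that ACS
    does not control."""
    if "\\" in credential:
        domain, user = credential.split("\\", 1)
        return domain if (domain, user) in accounts else None
    if domain_list is not None:
        candidates = domain_list
    else:
        candidates = sorted({d for d, _ in accounts})   # arbitrary stand-in order
    for domain in candidates:
        if (domain, credential) in accounts:
            return domain
    return None


# Constructed sample data: the Windows lookup is the slow one (tens of seconds
# in the guide's example); LDAP and ODBC are faster.
SAMPLE_DATABASES = [
    ExternalDatabase("Windows NT/2000", 12.0, frozenset({"bob"})),
    ExternalDatabase("LDAP", 3.0, frozenset({"carol"})),
    ExternalDatabase("ODBC", 1.0, frozenset({"dave"})),
]
SAMPLE_ACCOUNTS = frozenset({("CORP", "Administrator"), ("LAB", "Administrator"),
                             ("CORP", "erin")})

if __name__ == "__main__":
    for user in ("bob", "dave", "mallory"):
        print(user, unknown_user_lookup(user, SAMPLE_DATABASES, 0.5))
    print("minimum AAA client timeout:", minimum_client_timeout(SAMPLE_DATABASES, 0.5))
    for t in (5, 20):
        print("timeout", t, {u: aaa_client_result(t, u, SAMPLE_DATABASES, 0.5)
                             for u in ("bob", "dave", "mallory")})
    print(windows_domain_lookup("Administrator", ["LAB", "CORP"], SAMPLE_ACCOUNTS))
```

With the sample values, a user in the last database and a username in no
database both cost 16.5 seconds, so an AAA client timeout of 5 seconds (the
Cisco IOS default) times out every unknown user request, and the client needs
at least 17 seconds; and the same username Administrator is checked in LAB or
in CORP depending only on the Domain List order unless the user supplies the
domain in the credential.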