Chapter 4 Network Configuration
Proxy in Distributed Systems
4-6
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
continues, in order, down the list until a AAA server handles the authentication
request. (Failed connections are detected by failure of the nominated server to
respond within a specified time period. That is, the request is timed out.) If
Cisco Secure ACS cannot connect to any server in the list, authentication fails.
Character String
Cisco Secure ACS forwards authentication requests using a configurable set of
characters with a delimiter, such as dots (.), slashes (/), or hyphens (-). When
configuring the Cisco Secure ACS character string to match, you must specify
whether the character string is the prefix or suffix. For example, you can use
“domain.us” as a suffix character string in username*domain.us, where *
represents any delimiter. An example of a prefix character string is
domain.*username, where the * would be used to detect the “/” character.
Stripping
Stripping allows Cisco Secure ACS to remove, or strip, the matched character
string from the username. When you enable stripping, Cisco Secure ACS
examines each authentication request for matching information. When
Cisco Secure ACS finds a match by character string in the Proxy Distribution
Table, as described in the example under Proxy in Distributed Systems, page 4-4,
Cisco Secure ACS strips off the character string if you have configured it to do so.
For example, in the proxy example that follows, the character string that
accompanies the username is what allows the request to be forwarded to another
AAA server. If the user must enter the user ID of mary@corporate.com to be
forwarded correctly to the AAA server for authentication, Cisco Secure ACS
might find a match on the “@corporate.com” character string, and strip the
“@corporate.com”, leaving a username of “mary”, which may be the username
format that the destination AAA server requires to identify the correct entry in its
database.
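The matching, stripping and ordered-server behavior described above can be sketched as follows. This is an added example, not Cisco Secure ACS code: the table layout, the server names, the "lab/" prefix entry and the responds callback that stands in for the timeout check are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyEntry:
    string: str      # character string including its delimiter
    position: str    # "prefix" or "suffix"
    strip: bool      # remove the matched string before forwarding
    servers: tuple   # AAA servers, tried in the listed order

# Constructed table; only "@corporate.com" comes from the guide's example.
TABLE = [
    ProxyEntry("@corporate.com", "suffix", True, ("aaa-hq-1", "aaa-hq-2")),
    ProxyEntry("lab/", "prefix", False, ("aaa-lab-1",)),
]

def match(username, table=TABLE):
    """Return (entry, username_to_forward), or (None, username) if nothing matches."""
    for e in table:
        # Anchor the comparison at the configured end of the username only,
        # so "mary@corporate.com.example" does not match a suffix entry.
        if e.position == "suffix" and username.endswith(e.string):
            rest = username[: -len(e.string)]
        elif e.position == "prefix" and username.startswith(e.string):
            rest = username[len(e.string):]
        else:
            continue
        if not rest:
            # Choice made in this sketch: a bare character string is no match.
            continue
        return e, (rest if e.strip else username)
    return None, username

def forward(username, responds, table=TABLE):
    """Try the matched entry's servers in order; responds(server) is False on timeout.
    Returns (server, forwarded_username), or None if no entry matched or
    no server in the list answered (authentication fails)."""
    entry, name = match(username, table)
    if entry is None:
        return None
    for server in entry.servers:
        if responds(server):
            return server, name
    return None

if __name__ == "__main__":
    print(forward("mary@corporate.com", lambda s: s == "aaa-hq-2"))
```
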
Proxy in an Enterprise
This section presents a scenario of proxy used in an enterprise system. Mary is an
employee with an office in the corporate headquarters in Los Angeles. Her
username is mary@la.corporate.com. When Mary needs access to the network,
she accesses the network locally and authenticates her username and password.