15-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 15 Unknown User Policy
Database Search Order
•Posture validation—The Unknown User Policy supports all posture validation requests using the following logic:
a. Of the NAC databases in the Selected Databases list, find the first database whose mandatory credential types are satisfied by the credentials received in the posture validation request. If the credentials in the request do not match the mandatory credentials of any database in the list, reject the posture validation request.
b. Use the NAC database found in Step a to perform posture validation for the NAC client.
c. If Cisco Secure ACS does not have a user profile matching the name provided in the PEAP EAP-Identity field of the posture validation request, create the discovered user account, using the value from the EAP-Identity field as the username. For more information about the effects of using the EAP-Identity field for the username, see NAC and the Unknown User Policy, page 15-10.
d. Perform group mapping and apply the authorizations specified in the mapped group to the NAC client.
When you specify the order of databases in the Selected Databases list, we recommend placing as near to the top of the list as possible those databases that:
•Process the most requests.
•Process requests that are associated with particularly time-sensitive AAA clients or authentication protocols.
•Require the most restrictive mandatory credential types (applies to NAC databases only).
As a user authentication example, if wireless LAN users access your network with PEAP, arrange the databases in the Selected Databases list so that unknown user authentication takes less than the timeout value specified on the Cisco Aironet Access Point.
As a posture validation example, if some NAC clients send more credential types in their posture validation requests than other NAC clients, place the NAC databases that have more mandatory credential types higher on the Selected Databases list; otherwise, Cisco Secure ACS may use a NAC database whose policies do not evaluate client posture using the additional credential types sent by the NAC client.
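The following Python model is an added example, not Cisco code, that walks the Selected Databases list the way Steps a through d above describe and then demonstrates the ordering caveat from the posture validation example. All database names, credential type names, usernames and group names in it are constructed for illustration, and posture validation itself is modelled as always passing, since this page describes only how the database is selected.

```python
# Added example (not Cisco code): a small model of how the Unknown User Policy
# walks the Selected Databases list for a posture validation request.
# Database names, credential type names, usernames and group names below are
# constructed for illustration; they are not real ACS identifiers.
from dataclasses import dataclass


@dataclass(frozen=True)
class NacDatabase:
    name: str
    mandatory_credentials: frozenset  # credential types this database requires
    group: str                        # group its policies map a passing client to


@dataclass(frozen=True)
class PostureRequest:
    eap_identity: str       # value of the PEAP EAP-Identity field
    credentials: frozenset  # credential types carried in the request


def select_database(selected_databases, request):
    """Step a: return the first database, in list order, whose mandatory
    credential types are all present in the request; None means reject."""
    for db in selected_databases:
        if db.mandatory_credentials <= request.credentials:
            return db
    return None


def process_posture_request(selected_databases, user_profiles, request):
    """Steps a-d. user_profiles maps username -> mapped group and stands in for
    the ACS user database; it is updated when a discovered user is created."""
    db = select_database(selected_databases, request)
    if db is None:
        return {"result": "reject",
                "reason": "no database's mandatory credential types satisfied"}
    # Step b: posture validation is performed by the selected database (modelled
    # as always passing here, because the page describes only selection).
    # Step c: create the discovered user if no profile matches the EAP-Identity.
    created = request.eap_identity not in user_profiles
    # Step d: group mapping; authorizations follow from the mapped group.
    user_profiles[request.eap_identity] = db.group
    return {"result": "accept", "database": db.name,
            "username": request.eap_identity, "created_user": created,
            "group": db.group}


# Constructed databases: BASIC requires only a posture-agent credential;
# STRICT additionally requires an antivirus credential.
BASIC = NacDatabase("nac-basic", frozenset({"posture-agent"}), "Healthy-Basic")
STRICT = NacDatabase("nac-strict", frozenset({"posture-agent", "antivirus"}),
                     "Healthy-AV-Checked")


def order_matters():
    """Shows the ordering caveat from the text: a client that sends both
    credential types is handled by the less restrictive database when that
    database is listed first, so its antivirus credential is never evaluated."""
    rich = PostureRequest("host-a", frozenset({"posture-agent", "antivirus"}))
    loose = process_posture_request([BASIC, STRICT], {}, rich)
    recommended = process_posture_request([STRICT, BASIC], {}, rich)
    return loose["database"], recommended["database"]


if __name__ == "__main__":
    profiles = {}
    # A client sending only the posture-agent credential falls through STRICT
    # (antivirus missing) and is handled by BASIC; its account is discovered.
    print(process_posture_request([STRICT, BASIC], profiles,
                                  PostureRequest("host-b", frozenset({"posture-agent"}))))
    # A client sending only an antivirus credential satisfies no database.
    print(process_posture_request([STRICT, BASIC], profiles,
                                  PostureRequest("host-c", frozenset({"antivirus"}))))
    print(order_matters())
```

Running the script shows the same request being routed to `nac-basic` when the less restrictive database is listed first and to `nac-strict` when the more restrictive one is placed higher, which is the behaviour the recommendation above is meant to avoid.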