User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing Internal Identity Stores
Standard Attributes
Table 8-1 describes the standard attributes in the internal user record.
User Attributes
Administrators can create and add user-defined attributes from the set of identity attributes. You can then
assign default values for these attributes for each user in the internal identity store and define whether
the default values are required or optional.
You need to define users in ACS, which includes associating each internal user with an identity group,
a description (optional), a password, an enable password (optional), and internal and external user
attributes.
Internal users are defined by two components: fixed and configurable. Fixed components consist of these
attributes:
Name
Description
Password
Enabled or disabled status
Identity group to which they belong
Configurable components consist of these attributes:
Enable password for TACACS+ authentication
Sets of identity attributes that determine how the user definition is displayed and entered
Cisco recommends that you configure identity attributes before you create users. When identity
attributes are configured:
You can enter the corresponding values as part of a user definition.
They are available for use in policy decisions when the user authenticates.
Internal user identity attributes are applied to the user for the duration of the user’s session.
Internal identity stores contain the internal user attributes and credential information used to authenticate
internal users (as defined by you within a policy).
External identity stores are external databases on which to perform credential and authentication
validations for internal and external users (as defined by you within a policy).
Table 8-1 Standard Attributes

Attribute       Description
Username        ACS compares the username against the username in the authentication request. The comparison is case-insensitive.
Status          Enabled status indicates that the account is active. Disabled status indicates that authentications for the username will fail.
Description     Text description of the attribute.
Identity Group  ACS associates each user to an identity group. See Managing Identity Attributes, page 8-7 for information.