8-44
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Machine authentication happens while starting up a computer or while logging in to a computer.
Supplicants, such as Funk Odyssey, perform machine authentication periodically while the supplicant is
running.
If you enable machine authentication, ACS authenticates the computer before a user authentication
request comes in. ACS checks the credentials provided by the computer against the Windows user
database. If the credentials match, the computer is given access to the network.
Attribute Retrieval for Authorization
You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group
mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level
for the user or machine.
ACS retrieves user and machine AD attributes after a successful user or machine authentication and can
also retrieve the attributes for authorization and group mapping purposes independent of authentication.
Group Retrieval for Authorization
ACS can retrieve user or machine groups from Active Directory after a successful authentication and
also retrieve the user or machine group independent of authentication for authorization and group
mapping purposes. You can use the AD group data in the authorization and group mapping tables and
introduce special conditions to match them against the retrieved groups.
Certificate Retrieval for EAP-TLS Authentication
ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol.
The user or machine record on AD includes a certificate attribute of binary data type. This can contain
one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to
configure any other name for this attribute.
ACS retrieves this certificate for verifying the identity of the user or machine. The certificate
authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other
name) to be used for retrieving the certificates.
After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client
certificate. When multiple certificates are received, ACS compares the certificates to check whether one of
them matches. When a match is found, ACS grants the user or machine access to the network.
Concurrent Connection Management
After ACS connects to the AD domain, at startup, ACS creates a number of threads to be used by the AD
identity store for improved performance. Each thread has its own connection.
User and Machine Account Restrictions
While authenticating or querying a user or a machine, ACS checks whether:
The user account is disabled
The user is locked out
The user’s account has expired
The query is run outside of the specified logon hours
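As an added example (not code from the Cisco guide), the four account restrictions above evaluated against a constructed AD record. The attribute names userAccountControl, lockoutTime, accountExpires and logonHours are the standard Active Directory attributes; that ACS reads exactly these is an assumption, since the page names only the conditions.

```python
from datetime import datetime, timezone, timedelta

# Standard AD encodings (assumption: the page does not say which attributes ACS reads).
ACCOUNTDISABLE = 0x0002                      # userAccountControl flag bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)      # accountExpires values meaning "never"


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def logon_hours_bitmap(days, hours):
    """Build a logonHours value: 21 bytes = 168 one-hour slots starting Sunday 00:00 UTC,
    least-significant bit of each byte being the earliest hour. days: 0=Sunday..6=Saturday."""
    bitmap = bytearray(21)
    for d in days:
        for h in hours:
            slot = d * 24 + h
            bitmap[slot // 8] |= 1 << (slot % 8)
    return bytes(bitmap)


def within_logon_hours(logon_hours, when):
    """True if the (UTC-normalised) timestamp falls in an allowed logonHours slot."""
    if logon_hours is None:
        return True                          # attribute absent: no restriction set
    when = when.astimezone(timezone.utc)
    slot = ((when.weekday() + 1) % 7) * 24 + when.hour   # Python Monday=0 -> AD Sunday=0
    return bool((logon_hours[slot // 8] >> (slot % 8)) & 1)


def account_restriction(record, now):
    """Return the first failing restriction, or None if the account may be used."""
    if record.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return "disabled"
    if record.get("lockoutTime", 0):         # nonzero: locked out (lockoutDuration expiry not modelled)
        return "locked out"
    expires = record.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    if not within_logon_hours(record.get("logonHours"), now):
        return "outside logon hours"
    return None


# Constructed sample record: enabled, never expires, allowed Mon-Fri 08:00-17:59 UTC.
SAMPLE_RECORD = {
    "sAMAccountName": "jdoe",                # constructed placeholder
    "userAccountControl": 0x0200,            # NORMAL_ACCOUNT, not disabled
    "lockoutTime": 0,
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
    "logonHours": logon_hours_bitmap(range(1, 6), range(8, 18)),
}
```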