Chapter 8 Managing Users and Identity Stores

Overview

Identity Stores with Two-Factor Authentication

You can use the RSA SecurID Token Server and RADIUS Identity Server to provide two-factor authentication. These external identity stores use an OTP that provides greater security. The following additional configuration options are available for these external identity stores:

Identity caching—You can enable identity caching so that ACS can use the identity store while processing a request in cases where authentication is not performed. Unlike LDAP and AD, for which you can perform a user lookup without user authentication, the RSA SecurID Token Server and RADIUS Identity Server do not support user lookup.

For example, to authorize a TACACS+ request separately from the authentication request, where the identity store cannot retrieve the user's data because no authentication is performed, you can enable identity caching so that the results and attributes retrieved from the last successful authentication of that user are cached. ACS can then use this cache to authorize the request.

Treat authentication rejects as—The RSA and RADIUS identity stores do not differentiate between the following results when an authentication attempt is rejected:

Authentication Failed

User Not Found

This classification is important when you define the fail-open behavior. A configuration option is therefore available that lets you define which of the two results is used for a reject.
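The following is an added example, not code from the Cisco user guide, that models the two options above in Python: an OTP store that can authenticate but cannot look users up, an identity cache that lets a later TACACS+ authorization reuse the attributes from the last successful login, and the reject classification that decides whether a fail-open policy may fall through to the next identity store. All class, method and attribute names are hypothetical, and the store contents are constructed sample data.

```python
import time
from enum import Enum


class Result(Enum):
    PASSED = "passed"
    FAILED = "Authentication Failed"
    NOT_FOUND = "User Not Found"


class OtpStore:
    """Constructed stand-in for an RSA SecurID / RADIUS identity store: it can
    authenticate a passcode but cannot look users up, and a reject carries no
    indication of whether the user exists."""

    def __init__(self, passcodes, attributes):
        self._passcodes = passcodes      # constructed {user: currently valid passcode}
        self._attributes = attributes    # constructed {user: attributes returned on success}

    def authenticate(self, user, passcode):
        if self._passcodes.get(user) == passcode:
            return True, dict(self._attributes[user])
        return False, None               # reject: existence of the user is unknown


class OtpIdentityPolicy:
    """Hypothetical model of the two ACS options: identity caching and
    'Treat authentication rejects as'. The clock is injectable for testing."""

    def __init__(self, store, treat_rejects_as=Result.FAILED, cache_ttl=300, clock=time.time):
        self.store = store
        self.treat_rejects_as = treat_rejects_as   # FAILED or NOT_FOUND
        self.cache_ttl = cache_ttl                  # seconds; 0 disables identity caching
        self.clock = clock
        self._cache = {}                            # user -> (timestamp, attributes)

    def authenticate(self, user, passcode):
        ok, attrs = self.store.authenticate(user, passcode)
        if ok:
            if self.cache_ttl:                      # remember the last successful login
                self._cache[user] = (self.clock(), attrs)
            return Result.PASSED, attrs
        return self.treat_rejects_as, None          # store cannot distinguish, policy decides

    def authorize(self, user):
        """A TACACS+ authorization request carries no passcode, so the store cannot be
        asked; only a fresh cache entry from a recent successful authentication answers."""
        entry = self._cache.get(user)
        if entry and self.clock() - entry[0] <= self.cache_ttl:
            return Result.PASSED, dict(entry[1])
        return Result.NOT_FOUND, None


def next_store_allowed(result):
    """Fail-open rule of this model: 'User Not Found' may fall through to the
    next identity store, 'Authentication Failed' never does."""
    return result is Result.NOT_FOUND
```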

Identity Groups

Identity groups are logical entities that are defined within a hierarchy and are associated with users and hosts. These identity groups are used to make policy decisions. For internal users and hosts, the identity group is defined as part of the user or host definition.

When external identity stores are used, the group mapping policy is used to map attributes and groups retrieved from the external identity store to an ACS identity group. Identity groups are similar in concept to Active Directory groups but are more basic in nature.

Certificate-Based Authentication

Users and hosts can identify themselves with a certificate-based access request. To process this request, you must define a certificate authentication profile in the identity policy.

The certificate authentication profile includes the attribute from the certificate that is used to identify the user or host. It can also optionally include an LDAP or AD identity store that is used to validate the certificate presented in the request. For more information on certificates and certificate-based authentication, see:

Configuring CA Certificates, page 8-68

Configuring Certificate Authentication Profiles, page 8-72

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01
