Cisco Systems OL-24201-01 manual Managing Internal Identity Stores, Identity Sequences

Chapter 8 Managing Users and Identity Stores

Managing Internal Identity Stores

Identity Sequences

You can configure a complex condition where multiple identity stores and profiles are used to process a request. You can define these identity methods in an Identity Sequence object. The identity methods within a sequence can be of any type.

The identity sequence is made up of two components, one for authentication and the other for retrieving attributes.

•If you choose to perform authentication based on a certificate, a single certificate authentication profile is used.

•If you choose to perform authentication on an identity database, you can define a list of identity databases to be accessed in sequence until the authentication succeeds. If the authentication succeeds, the attributes within the database are retrieved.

In addition, you can configure an optional list of databases from which additional attributes can be retrieved. These additional databases can be configured irrespective of whether you use password-based or certificate-based authentication.

If a certificate-based authentication is performed, the username is populated from a certificate attribute and this username is used to retrieve attributes from all the databases in the list. For more information on certificate attributes, see Configuring CA Certificates, page 8-68.

When a matching record is found for the user, the corresponding attributes are retrieved. ACS retrieves attributes even for users whose accounts are disabled or whose passwords are marked for change.

Note An internal user account that is disabled is available as a source for attributes, but not for authentication.

For more information on identity sequences, see Configuring Identity Store Sequences, page 8-74.

This chapter contains the following sections:

•Managing Internal Identity Stores, page 8-4

•Managing External Identity Stores, page 8-22

•Configuring CA Certificates, page 8-68

•Configuring Certificate Authentication Profiles, page 8-72

•Configuring Identity Store Sequences, page 8-74

Managing Internal Identity Stores

ACS contains an identity store for users and an identity store for hosts:

•The internal identity store for users is a repository of users, user attributes, and user authentication options.

•The internal identity store for hosts contains information about hosts for MAC Authentication Bypass (Host Lookup).

You can define each user and host in the identity stores, and you can import files of users and hosts.

The identity store for users is shared across all ACS instances in a deployment and includes for each user:

•Standard attributes

•User attributes

User Guide for Cisco Secure Access Control System 5.3