Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Table 8-10    Active Directory: General Page (continued)

Option                       Description

Username                     Predefined user in AD. The AD account that ACS uses for domain access must have either of
                             the following:
                             - The "Add workstations to domain" user right in the corresponding domain.
                             - The Create Computer Objects or Delete Computer Objects permission on the corresponding
                               computers container where the ACS machine account is precreated (created before the
                               ACS machine is joined to the domain).
                             We recommend that you disable the lockout policy for the ACS account and configure the AD
                             infrastructure to alert the administrator when a wrong password is used for that account.
                             This is because, if a wrong password is entered, ACS cannot create or modify its machine
                             account when necessary and may therefore deny all authentications. With lockout disabled,
                             that alert is the compensating control against password guessing on this account, so make
                             sure it is actually monitored.

Password                     Enter the user password. The password must be at least 8 characters long and contain at
                             least one lowercase letter, one uppercase letter, one numeral, and one special character.
                             All special characters are supported.

Test Connection              Click to test the ACS connection with the AD domain for the user, domain, and password
                             identified in the previous fields.
                             A message appears informing you whether the AD server is routable within the network and
                             whether the given AD username and password authenticate.
                             To join the AD domain, ACS first attempts to create a secure connection. If this is
                             unsuccessful, it then attempts an insecure connection, so a successful join does not by
                             itself confirm that the secure path was used.

End User Authentication Settings

Enable password change       Click to allow the password to be changed.

Enable machine               Click to allow machine authentication.
authentication

Enable Machine Access        Click to ensure that machine authentication results are tied to user authentication and
Restrictions                 authorization. If you enable this feature, you must set the Aging time.

Aging time (hours)           Time after a machine was authenticated during which a user can be authenticated from that
                             machine. Once this time has elapsed, user authentication from that machine fails.
                             You must set this time if you checked the Enable Machine Access Restrictions check box.

Enable dial-in check         Click to examine the user's dial-in permissions during authentication or query. If the
                             dial-in permission is denied, the result of the check can cause the authentication to be
                             rejected.
                             The result is not stored in the AD dictionary.

Enable callback support for  Click to examine the user's callback option during authentication or query. The result of
dial-up clients              the check is returned to the device in the RADIUS response.
                             The result is not stored in the AD dictionary.

Connectivity Status

Joined to Domain             (Display only.) After you save the configuration (by clicking Save Changes), shows the
                             domain name with which ACS is joined.

Connectivity Status          (Display only.) After you save the configuration (by clicking Save Changes), shows the
                             connection status of the domain with which ACS is joined.

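The following is an added example, not code from the ACS user guide or from Cisco. It simulates how the three End User Authentication Settings in Table 8-10 (Machine Access Restrictions with its aging time, the dial-in check, and callback support) combine to decide one user authentication, including the failure mode the table describes: a user whose machine authenticated longer ago than the aging time is rejected. The AD record is modelled on the standard msNPAllowDialin and msRADIUSCallbackNumber attributes, the callback result is encoded as the RFC 2865 Service-Type=Callback-Framed-User and Callback-Number attributes, and a machine is identified by its Calling-Station-Id; all of these are assumptions, as ACS's internal data structures are not shown on the page. The scenario data is constructed.

```python
# Added example, not ACS code: MAR aging, dial-in check and callback decisions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ADUser:
    """Assumed AD record: modelled on msNPAllowDialin / msRADIUSCallbackNumber."""
    sam_account_name: str
    allow_dialin: Optional[bool]           # True, False, or None (attribute not set)
    callback_number: Optional[str] = None  # assumed msRADIUSCallbackNumber


@dataclass
class Settings:
    """The End User Authentication Settings check boxes from Table 8-10."""
    enable_machine_access_restrictions: bool = False
    aging_time_hours: Optional[int] = None  # mandatory when MAR is enabled
    enable_dialin_check: bool = False
    enable_callback_support: bool = False

    def __post_init__(self):
        # The guide states the aging time must be set whenever MAR is enabled.
        if self.enable_machine_access_restrictions and self.aging_time_hours is None:
            raise ValueError("Aging time (hours) is required when Machine Access Restrictions is enabled")


@dataclass
class MARCache:
    """Remembers when each machine (assumed key: Calling-Station-Id) last passed machine authentication."""
    last_machine_auth: dict = field(default_factory=dict)

    def record_machine_auth(self, calling_station_id: str, when: datetime) -> None:
        self.last_machine_auth[calling_station_id] = when

    def within_aging_window(self, calling_station_id: str, now: datetime, aging_hours: int) -> bool:
        last = self.last_machine_auth.get(calling_station_id)
        if last is None:
            return False  # this machine never authenticated: MAR fails the user
        # Once the aging time has elapsed the machine result no longer counts.
        return now - last < timedelta(hours=aging_hours)


def authorize_user(settings: Settings, cache: MARCache, user: ADUser,
                   calling_station_id: str, now: datetime) -> dict:
    """Return the RADIUS decision for a user authenticating from calling_station_id."""
    attrs = {}
    if settings.enable_machine_access_restrictions:
        if not cache.within_aging_window(calling_station_id, now, settings.aging_time_hours):
            return {"result": "Access-Reject",
                    "reason": "MAR: no machine authentication within aging time",
                    "attributes": attrs}
    # Dial-in check: only an explicit deny rejects; an unset attribute passes (assumption).
    if settings.enable_dialin_check and user.allow_dialin is False:
        return {"result": "Access-Reject",
                "reason": "dial-in permission denied in AD",
                "attributes": attrs}
    if settings.enable_callback_support and user.callback_number:
        # Standard RADIUS callback signalling (assumed encoding) returned to the device.
        attrs["Service-Type"] = "Callback-Framed-User"
        attrs["Callback-Number"] = user.callback_number
    return {"result": "Access-Accept", "reason": "ok", "attributes": attrs}


def demo() -> dict:
    """Constructed scenario: one machine authenticates at 08:00 with an 8 hour aging time."""
    settings = Settings(enable_machine_access_restrictions=True, aging_time_hours=8,
                        enable_dialin_check=True, enable_callback_support=True)
    cache = MARCache()
    machine = "00-11-22-33-44-55"  # constructed Calling-Station-Id
    t0 = datetime(2011, 6, 1, 8, 0)
    cache.record_machine_auth(machine, t0)
    alice = ADUser("alice", allow_dialin=True, callback_number="5551234")
    bob = ADUser("bob", allow_dialin=False)
    return {
        "alice_7h": authorize_user(settings, cache, alice, machine, t0 + timedelta(hours=7)),
        "alice_8h": authorize_user(settings, cache, alice, machine, t0 + timedelta(hours=8)),
        "alice_unknown_machine": authorize_user(settings, cache, alice, "66-77-88-99-AA-BB",
                                                t0 + timedelta(hours=1)),
        "bob_7h": authorize_user(settings, cache, bob, machine, t0 + timedelta(hours=7)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision['result']:14} {decision['reason']}")
```

The order of checks matters: with MAR enabled, a user on a machine that never authenticated, or whose machine result has aged out, is rejected before the dial-in attributes are even consulted, which is why a stale or missing machine authentication shows up as a user failure rather than a machine failure.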
Step 3

Click:
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
8-49