Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Failover

ACS 5.3 allows you to configure multiple RADIUS identity stores. Each RADIUS identity store can have primary and secondary RADIUS servers. When ACS is unable to connect to the primary server, it uses the secondary server.

Password Prompt

RADIUS identity stores allow you to configure the password prompt. You can configure the password prompt through the ACS web interface.

User Group Mapping

To provide the per-user group mapping feature available in ACS 4.x, ACS 5.3 uses the attribute retrieval and authorization mechanism for users that are authenticated with a RADIUS identity store.

For this, you must configure the RADIUS identity store to return authentication responses that contain the [009\001] cisco-av-pair attribute with the following value:

ACS:CiscoSecure-Group-Id=N, where N can be any ACS group number from 0 through 499 that ACS assigns to the user.

Then, this attribute is available in the policy configuration pages of the ACS web interface while creating authorization and group mapping rules.

Groups and Attributes Mapping

You can use the RADIUS attributes retrieved during authentication against the RADIUS identity store in ACS policy conditions for authorization and group mapping. You can select the attributes that you want to use in policy conditions while configuring the RADIUS identity store. These attributes are kept in the RADIUS identity store dedicated dictionary and can be used to define policy conditions.

Note You cannot query the RADIUS server for the requested attributes. You can only configure the RADIUS identity store to return the requested attributes. These attributes are available in the Access-Accept response as part of the attributes list.

You can use the attribute subscription feature of ACS 5.3 to include RADIUS identity store attributes in the ACS response to the device. The following RADIUS attributes are returned:

Attributes that are listed in the RADIUS RFCs

Vendor-specific attributes

The following attribute types are supported:

String

Unsigned Integer

IPv4 Address

Enumeration

If the RADIUS server returns more than one value for an attribute, the values are ignored; if a default value has been configured for that attribute, the default is used instead. The attribute is also reported in the customer log as a problematic attribute.
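The following example is added here to illustrate the two behaviours described above; it is not ACS code or Cisco-supplied code. It decodes a constructed Access-Accept attribute list (not a real capture), extracts the group number from a [009\001] cisco-av-pair of the form ACS:CiscoSecure-Group-Id=N (enforcing the 0 through 499 range), and collects a set of subscribed attributes for policy conditions. When the server returns more than one value for a subscribed attribute, the values are ignored, the configured default is used, and the attribute is flagged as problematic. The subscribed attribute names, the defaults, and the assumption that a configured default also applies when an attribute is simply absent are illustrative choices, not behaviour the page specifies.

```python
"""Decode a RADIUS Access-Accept attribute list and apply the ACS 5.3 rules:
CiscoSecure-Group-Id from cisco-av-pair, and single-value-only policy
attributes with default fallback.  Sample data below is constructed."""
import ipaddress
import struct
from typing import Optional

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1          # [009\001] cisco-av-pair
GROUP_ID_PREFIX = "ACS:CiscoSecure-Group-Id="


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS TLV: type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying vendor-id 9, vendor-type 1 (cisco-av-pair)."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AV_PAIR, len(payload) + 2) + payload
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list.  Plain attributes are keyed by type; VSA
    sub-attributes by (26, vendor_id, vendor_type).  Values are lists because
    the same attribute may appear more than once."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            out.setdefault(atype, []).append(value)
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos + 2 <= len(value):          # a VSA may hold several sub-attributes
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad VSA sub-attribute length")
            out.setdefault((VENDOR_SPECIFIC, vendor_id, vtype), []).append(
                value[vpos + 2:vpos + vlen])
            vpos += vlen
    return out


def group_id_from_avpairs(avpairs) -> Optional[int]:
    """Return N from ACS:CiscoSecure-Group-Id=N, or None if no such av-pair."""
    for raw in avpairs:
        text = raw.decode(errors="replace")
        if text.startswith(GROUP_ID_PREFIX):
            n = int(text[len(GROUP_ID_PREFIX):])
            if not 0 <= n <= 499:
                raise ValueError(f"group id {n} outside 0..499")
            return n
    return None


def select_policy_attributes(parsed: dict, subscribed: dict):
    """subscribed: name -> (key, decoder, default).  One value: decode it.
    Several values: ignore them, use the default if set, flag as problematic.
    Absent: use the default if set (assumption, not stated by the guide)."""
    values, problematic = {}, []
    for name, (key, decode, default) in subscribed.items():
        raw = parsed.get(key, [])
        if len(raw) == 1:
            values[name] = decode(raw[0])
            continue
        if len(raw) > 1:
            problematic.append(name)
        if default is not None:
            values[name] = default
    return values, problematic


# Illustrative subscription: Framed-IP-Address(8), Session-Timeout(27),
# Filter-Id(11) with a default, Idle-Timeout(28) with a default.
SUBSCRIBED = {
    "Framed-IP-Address": (8, lambda v: str(ipaddress.IPv4Address(v)), None),
    "Session-Timeout": (27, lambda v: struct.unpack("!I", v)[0], None),
    "Filter-Id": (11, lambda v: v.decode(), "default-acl"),
    "Idle-Timeout": (28, lambda v: struct.unpack("!I", v)[0], 600),
}


def build_sample_accept() -> bytes:
    """Constructed Access-Accept attribute list; Filter-Id is deliberately duplicated."""
    return b"".join([
        encode_cisco_avpair("ACS:CiscoSecure-Group-Id=7"),
        encode_attr(8, ipaddress.IPv4Address("10.0.0.5").packed),
        encode_attr(27, struct.pack("!I", 3600)),
        encode_attr(11, b"acl-in"),
        encode_attr(11, b"acl-out"),
    ])


def evaluate(data: bytes):
    """Return (group_id, policy_attribute_values, problematic_attribute_names)."""
    parsed = parse_attrs(data)
    avpairs = parsed.get((VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AV_PAIR), [])
    values, problematic = select_policy_attributes(parsed, SUBSCRIBED)
    return group_id_from_avpairs(avpairs), values, problematic


if __name__ == "__main__":
    print(evaluate(build_sample_accept()))
```

Running the block yields group 7, Framed-IP-Address 10.0.0.5 and Session-Timeout 3600 taken from the response, Filter-Id replaced by its default because two values came back, Idle-Timeout filled from its default, and Filter-Id listed as the problematic attribute that ACS would report in the customer log.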

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
8-61