Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

RADIUS Identity Store in Identity Sequence

You can add the RADIUS identity store to the authentication sequence of an identity sequence. However, you cannot add the RADIUS identity store to the attribute retrieval sequence, because the RADIUS identity store cannot be queried without authenticating. In addition, ACS cannot distinguish between the different error cases that can occur while authenticating with a RADIUS server.

RADIUS servers return an Access-Reject message for all error cases. For example, when a user is not found in the RADIUS server, instead of returning a User Unknown status, the RADIUS server returns an Access-Reject message.

You can, however, enable the Treat Rejects as Authentication Failure or User Not Found option available in the RADIUS identity store pages of the ACS web interface.

Authentication Failure Messages

When a user is not found in the RADIUS server, the RADIUS server returns an Access-Reject message. ACS lets you configure, through the ACS web interface, whether this message is reported as Authentication Failed or as Unknown User.

However, because the RADIUS server does not say why it rejected the request, selecting Unknown User causes ACS to return an Unknown User message for all failure cases, not only for users that are actually unknown.

Table 8-15 lists the different failure cases that are possible with RADIUS identity servers.

Table 8-15    Error Handling

Cause of Authentication Failure    Failure Cases
Authentication Failed              User is unknown.
                                   User attempts to login with wrong passcode.
                                   User logon hours expired.
Process Failed                     RADIUS server is configured incorrectly in ACS.
                                   RADIUS server is unavailable.
                                   RADIUS packet is detected as malformed.
                                   Problem during sending or receiving a packet from the RADIUS server.
                                   Timeout.
Unknown User                       Authentication failed and the 'Fail on Reject' option is set to false.

Username Special Format with Safeword Server

Safeword token server supports authentication with the following username format:

Username—Username, OTP

ACS parses the username and converts this to:

Username—Username
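The following Python model, added here and not part of the Cisco user guide, shows the consequence of the reject-handling option described above and the Safeword username parsing. It maps a RADIUS outcome to the result column of Table 8-15 and then runs a two-store identity sequence; the rule that only an Unknown User result moves on to the next store is an assumption about identity-sequence behaviour, not something this page states.

```python
from enum import Enum


class RadiusOutcome(Enum):
    """Constructed model of what ACS observes from one RADIUS store."""
    ACCESS_ACCEPT = "accept"
    ACCESS_REJECT = "reject"        # sent for every server-side error, unknown user included
    UNREACHABLE = "unreachable"
    MALFORMED = "malformed"
    TIMEOUT = "timeout"
    MISCONFIGURED = "misconfigured"  # RADIUS server configured incorrectly in ACS


class AcsResult(Enum):
    """The three results of Table 8-15, plus success."""
    PASSED = "Passed"
    AUTHENTICATION_FAILED = "Authentication Failed"
    PROCESS_FAILED = "Process Failed"
    UNKNOWN_USER = "Unknown User"


PROCESS_FAILURES = {RadiusOutcome.UNREACHABLE, RadiusOutcome.MALFORMED,
                    RadiusOutcome.TIMEOUT, RadiusOutcome.MISCONFIGURED}


def classify(outcome: RadiusOutcome, fail_on_reject: bool) -> AcsResult:
    """Map a RADIUS outcome to the ACS result per Table 8-15.
    fail_on_reject=True  -> Access-Reject is reported as Authentication Failed.
    fail_on_reject=False -> every Access-Reject (unknown user, wrong passcode,
                            expired logon hours alike) is reported as Unknown User."""
    if outcome is RadiusOutcome.ACCESS_ACCEPT:
        return AcsResult.PASSED
    if outcome in PROCESS_FAILURES:
        return AcsResult.PROCESS_FAILED
    return AcsResult.AUTHENTICATION_FAILED if fail_on_reject else AcsResult.UNKNOWN_USER


def run_sequence(stores, fail_on_reject: bool):
    """Assumed identity-sequence semantics (not stated on this page): only an
    Unknown User result moves on to the next store; any other result ends the
    sequence. Returns (final result, names of the stores that were queried)."""
    queried = []
    for name, outcome in stores:
        queried.append(name)
        result = classify(outcome, fail_on_reject)
        if result is not AcsResult.UNKNOWN_USER:
            return result, queried
    return AcsResult.UNKNOWN_USER, queried


def parse_safeword_username(raw: str):
    """Split the Safeword 'Username, OTP' form into (username, otp); ACS keeps
    only the username part. A plain username is returned with otp=None."""
    username, sep, otp = raw.partition(",")
    return username.strip(), (otp.strip() if sep else None)
```

With the option set to Unknown User, a wrong-passcode reject from the RADIUS store is indistinguishable from a missing user, so the sequence goes on to consult the second store for both cases.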

 

User Guide for Cisco Secure Access Control System 5.3

8-62

OL-24201-01
