Cisco Systems OL-24201-01 manual User Attribute Cache, Radius PAP TACACS+ ASCII\PAP

Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Safeword token servers support both the formats. ACS works with various token servers. While configuring a Safeword server, you must check the Safeword Server check box for ACS to parse the username and convert it to the specified format.

This conversion is done in the RADIUS token server identity store before the request is sent to the RADIUS token server.

User Attribute Cache

RADIUS token servers, by default, do not support user lookups. However, the user lookup functionality is essential for the following ACS features:

•PEAP session resume—Happens after successful authentication during EAP session establishment

•EAP/FAST fast reconnect—Happens after successful authentication during EAP session establishment

•T+ Authorization—Happens after successful T+ Authentication

ACS caches the results of successful authentications to process user lookup requests for these features. For every successful authentication, the name of the authenticated user and the retrieved attributes are cached. Failed authentications are not written to the cache.

The cache is available in the memory at runtime and is not replicated between ACS nodes in a distributed deployment. You can configure the time to live (TTL) limit for the cache through the ACS web interface. You must enable the identity caching option and set the aging time in minutes. The cache is available in the memory for the specified amount of time.

Creating, Duplicating, and Editing RADIUS Identity Servers

ACS 5.3 supports the RADIUS identity server as an external identity store for the increased security that one-time passwords provide. RADIUS identity servers provide two-factor authentication to ensure the authenticity of the users.

To authenticate users against a RADIUS identity store, you must first create the RADIUS identity server in ACS and configure the settings for the RADIUS identity store. ACS 5.3 supports the following authentication protocols:

•RADIUS PAP

•TACACS+ ASCII\PAP

•PEAP with inner EAP-GTC

•EAP-FAST with inner EAP-GTC

For a successful authentication with a RADIUS identity server, ensure that:

•The gateway devices between the RADIUS identity server and ACS allow communication over the UDP port.

•The shared secret that you configure for the RADIUS identity server on the ACS web interface is identical to the shared secret configured on the RADIUS identity server.

To create, duplicate, or edit a RADIUS Identity Server:

Step 1 Choose Users and Identity Stores > External Identity Stores > RADIUS Identity Servers.

The RADIUS Identity Servers page appears with a list of RADIUS external identity servers.