Chapter 8 Managing Users and Identity Stores

Configuring CA Certificates

Configuring Shell Prompts, page 8-66

Configuring Advanced Options, page 8-68

Configuring Advanced Options

In the Advanced tab, you can do the following:

Define what an access reject from a RADIUS identity server means to you.

Enable identity caching.

Table 8-18 describes the fields in the Advanced tab of the RADIUS Identity Servers page.

Table 8-18 RADIUS Identity Server - Advanced Tab

Option / Description

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.

Option: Treat Rejects as 'authentication failed'
Description: Click this option to consider all ambiguous access reject attempts as failed authentications.

Option: Treat Rejects as 'user not found'
Description: Click this option to consider all ambiguous access reject attempts as unknown users.

Identity caching is used to allow processing of requests that do not perform authentication against the server. The cache retains the results and attributes retrieved from the last successful authentication for the subject.

Option: Enable identity caching
Description: Check this check box to enable identity caching. If you enable identity caching, you must enter the time in minutes for which you want ACS to retain the identity cache.

Option: Aging Time n Minutes
Description: Enter the time in minutes for which you want ACS to retain the identity cache. Valid options are from 1 to 1440.

Click Submit to save the RADIUS Identity Server.

Related Topics

RADIUS Identity Stores, page 8-60

Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63

Configuring CA Certificates

When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies it to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that digitally signed the client certificate.

If ACS does not already trust the CA certificate that issued the client certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way up to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.

 

User Guide for Cisco Secure Access Control System 5.3

8-68

OL-24201-01
