Chapter 4 Setting Up and Managing Network Configuration
Proxy in Distributed Systems
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
request. If Cisco Secure ACS cannot connect to any server in the list,
authentication fails. Failed connections are detected by failure of the nominated
server to respond within a specified time period. That is, the request is timed out.

Character String

Cisco Secure ACS forwards authentication requests using a configurable set of
characters with a delimiter, such as dots (.), slashes (/), backslashes (\), and
hyphens (-). When configuring the Cisco Secure ACS character string to match,
you must specify whether the character string is the prefix or suffix. For example,
you can use domain.us as a suffix character string in username*domain.us,
where * represents any delimiter. An example of a prefix character string is
domain*username, where the * would be used to detect the \ character.

Stripping

Stripping allows Cisco Secure ACS to remove, or strip, the matched character
string from the username. When you enable stripping, Cisco Secure ACS
examines each authentication request for matching information. When
Cisco Secure ACS finds a match by character string in the Proxy Distribution
Table, as described above, Cisco Secure ACS strips off the character string if you
have configured it to do so. For example, in the proxy example that follows, the
character string that accompanies the username establishes the ability to forward
the request to another AAA server. If the user must enter the user ID of
mary@corporate.com to be forwarded correctly to the AAA server for
authentication, Cisco Secure ACS might find a match on the @corporate.com
character string, and strip the @corporate.com, leaving a username of just
mary, which may be the username format that the destination AAA server
requires to identify the correct entry in its database.
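
The following is an added example, not Cisco Secure ACS code and not part of the original guide. It models the matching, stripping, and ordered-server behavior described above. The table layout, the function names, the server names, the first-match-wins ordering, and the rejection of a username that is nothing but the character string are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class ProxyEntry:
    character_string: str  # includes its delimiter, e.g. "@corporate.com"
    position: str          # "prefix" or "suffix"
    strip: bool            # remove the matched string before forwarding
    servers: List[str]     # AAA servers to try, in order

# Constructed sample table; server names are placeholders.
TABLE = [
    ProxyEntry("@corporate.com", "suffix", True, ["aaa-hq-1", "aaa-hq-2"]),
    ProxyEntry("CORP\\", "prefix", False, ["aaa-win"]),
]

def match(username: str, table: List[ProxyEntry]) -> Tuple[Optional[ProxyEntry], str]:
    """Return (entry, username to forward); (None, username) means no match."""
    for e in table:  # assumption: first matching entry in table order wins
        s = e.character_string
        if e.position == "suffix":
            hit, rest = username.endswith(s), username[:len(username) - len(s)]
        else:
            hit, rest = username.startswith(s), username[len(s):]
        # Anchored comparison only, never a substring search. A name that is
        # nothing but the character string is treated as no match (assumption).
        if hit and rest:
            return e, (rest if e.strip else username)
    return None, username

def forward(username: str, password: str, table: List[ProxyEntry],
            send: Callable[[str, str, str], bool]) -> Optional[bool]:
    """Try each listed server in order; None means the request is not proxied."""
    entry, name = match(username, table)
    if entry is None:
        return None
    for server in entry.servers:
        try:
            return send(server, name, password)  # that server's accept/reject
        except TimeoutError:
            continue  # no response within the time limit: try the next server
    return False  # no server in the list responded: authentication fails
```

Because the configured string carries its delimiter and is compared only at the start or end of the username, mary@notcorporate.com and mary@corporate.com.example do not match the @corporate.com entry.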

Proxy in an Enterprise

This section presents a scenario of proxy used in an enterprise system. Mary is an
employee with an office in the corporate headquarters in Los Angeles. Her
username is mary@la.corporate.com. When Mary needs access to the network,
she accesses the network locally and authenticates her username and password.
Because Mary works in the Los Angeles office, her user profile, which defines her
authentication and authorization privileges, resides on the local Los Angeles