Chapter11 Working with User Databases
Windows NT/2000 User Database
11-6
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
After you have configured CiscoSecure ACS to communicate with an external
user database, you can configure Cisco Secure ACS to authenticate users with the
external user database in one of two ways:
By Specific User AssignmentYou can configure CiscoSecure ACS to
authenticate specific users with an external user database. To do this, the user
must exist in the CiscoSecure user database and the Password Authentication
list in User Setup must be set to the external user database that
Cisco Secure ACS is to use to authenticate the user.
While setting the Password Authentication for every user account is time
consuming, this method of determining which users are authenticated with an
external user database is secure because it requires explicit definition of who
is to authenticate using the external user database. In addition, the users may
be placed in the desired Cisco Secure ACS group and thereby receive the
applicable access profile.
By Unknown User PolicyYou can configure CiscoSecure ACS to attempt
authentication of users not found in the CiscoSecure user database by using
an external user database. Users do not need to be defined in the CiscoSecure
user database for this method. For more information about the Unknown User
Policy, see the Unknown User Processing section on page12-1.
You can also configure CiscoSecure ACS with both methods above; these two
methods are not mutually exclusive.
Windows NT/2000 User Database
Cisco Secure ACS supports PAP and MS-CHAP authentication with Windows
NT 4.0 Security Accounts Manager (SAM) database or a Windows 2000 Active
Directory database. Cisco Secure ACS supports EAP-TLS authentication with a
Windows 2000 Active Directory database. You can configure Cisco Secure ACS
to authenticate usernames and passwords against those already in a
WindowsNT/2000 user database. In organizations in which a substantial
WindowsNT/2000 user database already exists, Cisco Secure ACS can leverage
the work already invested in building the database without any additional input.
This eliminates the need for separate databases.