Chapter 11 Working with User Databases
Windows NT/2000 User Database
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Figure 11-2 Using the Windows NT/2000 User Database for Authentication
To further control access by a user from within the Windows NT User Manager or
the Windows 2000 Active Directory Users and Computers, you can configure
Cisco Secure ACS to also check the setting that grants dial-in permission to the user.
This setting is labeled “Grant dialin permission to user” in Windows NT and
“Allow access” in the Remote Access Permission area in Windows 2000. If this
feature is disabled for the user, access is not permitted, even if the username and
password are typed correctly.
For the most secure authentication with Windows NT/2000 user databases, use
MS-CHAP.
Trust Relationships
Cisco Secure ACS can take advantage of trust relationships that have been
established between Windows NT/2000 servers. If the domain that contains the
Cisco Secure ACS server trusts another domain, Cisco Secure ACS can
authenticate users whose accounts reside in the other domain. Cisco Secure ACS
can also reference the Grant dialin permission to user setting across trusted
domains.
If your domains are Windows 2000 domains, Cisco Secure ACS can take
advantage of indirect trusts for Windows authentication. Consider the example of
Windows 2000 domains A, B, and C, where Cisco Secure ACS resides on a