11-15
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 11 Working with User Databases
Generic LDAP
This section contains the following topics:
Cisco Secure ACS Authentication Process with a Generic LDAP User Database, page 11-15
Multiple LDAP Instances, page 11-16
LDAP Organizational Units and Groups, page 11-17
Directed Authentications, page 11-17
LDAP Failover, page 11-17
Configuring a Generic LDAP External User Database, page 11-19
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Cisco Secure ACS forwards user authentication requests to an LDAP database in
one of two scenarios. The first scenario is when the user's account in the
CiscoSecure user database lists an LDAP configuration as the authentication
method. The second is when the user is unknown to the CiscoSecure user database
and the Unknown User Policy dictates that an LDAP database is the next external
user database to try.
In either case, Cisco Secure ACS forwards the username and password to the
LDAP database. The LDAP database either passes or fails the authentication
request from Cisco Secure ACS. Upon receiving the response from the LDAP
database, Cisco Secure ACS instructs the requesting AAA client to grant or deny
the user access accordingly.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges. See Figure 11-3 on page 11-16.
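The forwarding step described above, as an added example that is not taken from this user guide or from Cisco Secure ACS itself: an LDAPv3 simple bind request and its BindResponse, hand-encoded in BER (RFC 4511) so the exchange runs offline, with a constructed in-memory directory standing in for the LDAP server and an assumed map from LDAP group DN to Cisco Secure ACS group standing in for the group assignment that ACS makes. The DN template, the directory entries, the group map, the default group name and all user names are assumptions made for the example.

```python
# Added example (not Cisco Secure ACS code): LDAPv3 simple bind exchange
# hand-encoded in BER per RFC 4511; constructed directory stands in for LDAP.
import hmac

LDAP_SUCCESS = 0                # RFC 4511 resultCode values used below
LDAP_INVALID_CREDENTIALS = 49

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(tag, n):
    """Minimal two's-complement encoding of a non-negative integer."""
    return ber_tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def ber_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(message_id, user_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }."""
    bind = (ber_int(0x02, 3)
            + ber_tlv(0x04, user_dn.encode("utf-8"))
            + ber_tlv(0x80, password.encode("utf-8")))  # password, unencrypted
    return ber_tlv(0x30, ber_int(0x02, message_id) + ber_tlv(0x60, bind))

def parse_bind_request(msg):
    tag, body, _ = ber_read(msg)
    _, mid, pos = ber_read(body)
    op, bind, _ = ber_read(body, pos)
    if tag != 0x30 or op != 0x60:
        raise ValueError("not an LDAPMessage carrying a BindRequest")
    _, version, pos = ber_read(bind)
    _, name, pos = ber_read(bind, pos)
    auth, cred, _ = ber_read(bind, pos)
    if auth != 0x80:
        raise ValueError("only simple authentication is handled here")
    return (int.from_bytes(mid, "big"), int.from_bytes(version, "big"),
            name.decode("utf-8"), cred.decode("utf-8"))

def build_bind_response(message_id, result_code, diagnostic=""):
    """BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    body = (ber_int(0x0A, result_code) + ber_tlv(0x04, b"")
            + ber_tlv(0x04, diagnostic.encode("utf-8")))
    return ber_tlv(0x30, ber_int(0x02, message_id) + ber_tlv(0x61, body))

def parse_bind_response(msg):
    tag, body, _ = ber_read(msg)
    _, mid, pos = ber_read(body)
    op, resp, _ = ber_read(body, pos)
    if tag != 0x30 or op != 0x61:
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, _ = ber_read(resp)           # matchedDN and diagnosticMessage follow
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

# Constructed directory, DN -> (password, group DNs); stands in for the LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ("s3cret", ["cn=netops,ou=groups,dc=example,dc=com"]),
    "uid=bob,ou=people,dc=example,dc=com": ("hunter2", []),
}
ACS_GROUP_MAP = {"cn=netops,ou=groups,dc=example,dc=com": "Network Admins"}  # assumed
DEFAULT_ACS_GROUP = "Default Group"                                          # assumed
DN_TEMPLATE = "uid={user},ou=people,dc=example,dc=com"                       # assumed

def ldap_server(request):
    """Directory side: answer a BindRequest with a BindResponse."""
    mid, version, dn, password = parse_bind_request(request)
    entry = DIRECTORY.get(dn)
    ok = (version == 3 and entry is not None
          and hmac.compare_digest(entry[0].encode(), password.encode()))
    return build_bind_response(mid, LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS)

def acs_authenticate(username, password, message_id=1):
    """ACS side: forward the credentials, read pass/fail, then pick the ACS group."""
    user_dn = DN_TEMPLATE.format(user=username)
    response = ldap_server(build_bind_request(message_id, user_dn, password))
    mid, code = parse_bind_response(response)
    if mid != message_id or code != LDAP_SUCCESS:
        return {"granted": False, "acs_group": None}
    groups = DIRECTORY[user_dn][1]
    acs_group = next((ACS_GROUP_MAP[g] for g in groups if g in ACS_GROUP_MAP),
                     DEFAULT_ACS_GROUP)
    return {"granted": True, "acs_group": acs_group}
```

Two points the bytes make visible that the prose does not: the LDAP server only answers pass or fail (resultCode 0 or 49 here), and the ACS group is chosen on the ACS side from directory information after that answer, which is the division of labour the paragraph describes. The simple-bind credential is a plain OCTET STRING, so `password.encode() in build_bind_request(...)` is true; that is a property of the LDAP simple bind itself, and in a real deployment it is the reason the link to the directory needs transport protection.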