Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 12 Administering External User Databases
Unknown User Processing

General Authentication Request Handling and Rejection Mode

If you have configured the Unknown User Policy in Cisco Secure ACS,
Cisco Secure ACS attempts to authenticate users as follows:
1. Cisco Secure ACS checks its internal user database. If the user exists in the
CiscoSecure user database (that is, is a known or cached user),
Cisco Secure ACS tries to authenticate the user with the specified password
type against the specified database. Authentication for that user either passes
or fails, depending on other procedures in the normal authentication process.
2. If the user does not exist in the CiscoSecure user database (that is, is an
unknown user), Cisco Secure ACS tries each configured external database in
the order specified in the Selected Databases list. If the user passes
authentication against one of the external databases, Cisco Secure ACS
automatically adds the user to the CiscoSecure user database, with a pointer
to use the password type and database that succeeded on this authentication
attempt. Users added by unknown user processing are flagged as such within
the CiscoSecure user database and are called cached users.
The next time the cached user tries to authenticate, Cisco Secure ACS
authenticates the user against the database that was successful the first time.
Cached users are treated the same as known users.
3. If the unknown user fails authentication with all configured external
databases, the user is not added to the CiscoSecure user database, and the
authentication request is rejected.
Because usernames in the CiscoSecure user database must be unique,
Cisco Secure ACS supports a single instance of any given username across all the
databases it is configured to use. For example, assume every external user
database contains a user account with the username John. Each account is for a
different user, but coincidentally they all have exactly the same username. After
the first John attempts to access the network and has authenticated through the
unknown user process, Cisco Secure ACS retains a cached user account for that
John and only that John. From then on, Cisco Secure ACS tries to authenticate
subsequent attempts by any user named John using the same external user database
that originally authenticated John. Assuming their passwords are different from
the password for the John who authenticated first, the other Johns are unable to
access the network.
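
The three-step flow and the duplicate-username lockout described above, as an added example that is not part of the Cisco guide and is not Cisco Secure ACS code. It is a simplified Python model; the class names, database names and passwords are constructed for illustration.

```python
# Simplified model of unknown user processing (illustrative, not Cisco code).
# ExternalDB, AcsModel and all account data below are constructed assumptions.

class ExternalDB:
    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts              # username -> password

    def check(self, username, password):
        # A missing account never matches, even if password is None.
        return username in self.accounts and self.accounts[username] == password


class AcsModel:
    def __init__(self, selected_databases):
        self.selected = selected_databases    # order of the Selected Databases list
        self.cache = {}                       # username -> ExternalDB that succeeded

    def authenticate(self, username, password):
        # Step 1: known or cached user, so only the recorded database is consulted.
        if username in self.cache:
            db = self.cache[username]
            return ("pass" if db.check(username, password) else "fail", db.name)
        # Step 2: unknown user, so try each external database in list order.
        for db in self.selected:
            if db.check(username, password):
                self.cache[username] = db     # the user becomes a cached user
                return ("pass", db.name)
        # Step 3: every external database failed; reject and cache nothing.
        return ("fail", None)


def demo():
    nt = ExternalDB("WindowsNT", {"John": "nt-john-pw"})
    ldap = ExternalDB("LDAP", {"John": "ldap-john-pw"})
    acs = AcsModel([nt, ldap])
    results = [
        acs.authenticate("Mary", "whatever"),      # unknown in every database
        acs.authenticate("John", "ldap-john-pw"),  # first John, cached to LDAP
        acs.authenticate("John", "nt-john-pw"),    # other John, valid in NT only
    ]
    return results, {user: db.name for user, db in acs.cache.items()}


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```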