Chapter 12 Administering External User Databases
Unknown User Processing
12-4
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Note: The scenario given above is handled differently if user accounts with
identical usernames exist in separate Windows domains. For more
information, see the "Authentication Request Handling and Rejection Mode
with the Windows NT/2000 User Database" section on page 12-4.
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database
Because it is a native Windows NT/2000 application, Cisco Secure ACS treats
authentication with a Windows NT/2000 user database as a special case. Windows
can provide added functionality to the remote access authentication process.
Perhaps the most important aspect of this added functionality is support for
multiple occurrences of the same username across the trusted domains against
which Cisco Secure ACS authenticates access requests.
Cisco Secure ACS communicates with the Windows NT/2000 operating system
of the Cisco Secure ACS server to perform authentications. Windows NT/2000
uses its built-in facilities to forward the authentication requests to the appropriate
domain controller. There are two possible scenarios to consider:
• Authentication requests in which the domain name is supplied
• Authentication requests in which the domain name is omitted
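
The two cases above can be checked against an account inventory before deployment. The following is an added audit example, not part of the Cisco guide and not Cisco Secure ACS code: it sorts request names into the two scenarios and reports usernames that occur in more than one trusted domain. The DOMAIN\user form, the domain names, and the accounts are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: trusted domain -> account names (sample data, not from the guide).
TRUSTED_DOMAINS = {
    "SALES": {"jsmith", "mlee"},
    "ENG": {"jsmith", "akhan"},
    "HQ": {"bwong"},
}

def split_request_name(name):
    """Return (domain, user); domain is None when the request omits it.

    Assumes the common Windows DOMAIN\\user form; the guide notes that
    dial-up clients differ in how the domain is entered.
    """
    domain, sep, user = name.partition("\\")
    if sep and domain and user:
        return domain.upper(), user.lower()
    return None, name.lower()

def domains_holding(user, inventory=TRUSTED_DOMAINS):
    """List every trusted domain that has an account with this username."""
    return sorted(d for d, users in inventory.items() if user in users)

def classify(name, inventory=TRUSTED_DOMAINS):
    """Label a request by scenario and by whether the username is unique."""
    domain, user = split_request_name(name)
    holders = domains_holding(user, inventory)
    if domain is not None:
        if domain not in inventory:
            return "domain-specified/untrusted-domain"
        found = "account-found" if domain in holders else "no-such-account"
        return "domain-specified/" + found
    if len(holders) > 1:
        return "domain-omitted/ambiguous:" + ",".join(holders)
    return "domain-omitted/" + ("unique:" + holders[0] if holders else "no-such-account")

def duplicate_usernames(inventory=TRUSTED_DOMAINS):
    """Usernames that occur in more than one trusted domain (audit report)."""
    seen = defaultdict(list)
    for dom, users in inventory.items():
        for user in users:
            seen[user].append(dom)
    return {u: sorted(ds) for u, ds in seen.items() if len(ds) > 1}

if __name__ == "__main__":
    for req in ["SALES\\jsmith", "jsmith", "bwong", "ENG\\mlee", "LAB\\x"]:
        print(f"{req:15} -> {classify(req)}")
    print("duplicates:", duplicate_usernames())
```

The labels describe the inventory only; the outcome of a real request is decided by the domain controller that receives it.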

Windows Authentication with a Domain Specified

When a domain name is supplied as part of an authentication request,
Cisco Secure ACS detects that a domain name was supplied and tries the
authentication credentials against the specified domain. The dial-up networking
clients provided with Windows NT/2000 and Windows 95/98 differ in the method
by which users can specify their domains. For more information, see the
"Windows Dial-up Networking Clients" section on page 11-9.
If the domain controller rejects the authentication request, Cisco Secure ACS logs
the request as a failed attempt.
Specifying the domain name allows Cisco Secure ACS to differentiate a user
from multiple instances of the same username in different domains. For unknown
users who provide a domain name and who are authenticated by a Windows