12-7
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 12 Administering External User Databases
Unknown User Processing
The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS
configured to search through several databases or if your databases are large, you
might need to increase this value in your AAA client configuration file. For more
information, refer to your Cisco IOS documentation.
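The following model shows why the 5-second default matters when unknown users are checked against several databases. It is an added example, not taken from the Cisco guide. The database labels, credentials and per-lookup times are constructed, and it assumes databases are tried one after another until one accepts.

```python
from dataclasses import dataclass

AAA_CLIENT_TIMEOUT_S = 5.0  # default AAA client timeout stated on this page

@dataclass
class ExternalDb:
    name: str        # constructed label, not a real ACS database name
    users: dict      # username -> password (constructed sample data)
    lookup_s: float  # assumed time one lookup against this database takes

# Constructed sample: three external databases searched in list order (assumption).
SAMPLE_DBS = [
    ExternalDb("db-A", {"alice": "pw1"}, 1.5),
    ExternalDb("db-B", {"bob": "pw2"}, 2.0),
    ExternalDb("db-C", {"carol": "pw3"}, 2.5),
]

def authenticate(username, password, local_users, policy, selected_dbs,
                 client_timeout_s=AAA_CLIENT_TIMEOUT_S):
    """Return (result, source, elapsed_s) for one authentication request.

    policy is "fail" (reject unknown users) or "check" (try selected_dbs).
    """
    # Known users are handled by the local (CiscoSecure) user database.
    if username in local_users:
        ok = local_users[username] == password
        return ("accept" if ok else "reject", "CiscoSecure user database", 0.0)
    # Unknown user with "Fail the attempt": rejected without any external lookup.
    if policy == "fail":
        return ("reject", None, 0.0)
    elapsed = 0.0
    for db in selected_dbs:
        elapsed += db.lookup_s
        # The AAA client gives up once its own timer expires, even if a
        # later database would have accepted the user.
        if elapsed > client_timeout_s:
            return ("client-timeout", db.name, elapsed)
        if db.users.get(username) == password:
            return ("accept", db.name, elapsed)
    return ("reject", None, elapsed)

def worst_case_s(selected_dbs):
    """Time needed to search every selected database for one unknown user."""
    return sum(db.lookup_s for db in selected_dbs)
```

If `worst_case_s` exceeds the AAA client timeout, users who exist only in the later databases fail to log in even though their credentials are valid, which is the case where the client-side timeout needs to be raised.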
Network Access Authorization
While the Unknown User Policy allows authentication requests to be forwarded
to external user databases, all responsibility for the authorization parameters
provided to the AAA client remains with Cisco Secure ACS. External user
databases provide authentication services, and Cisco Secure ACS then provides
the additional authorization information that is sent to the AAA client in the
RADIUS or TACACS+ response packet. For more information about assignment
of user authorization, see the Database Group Mappings section on page 12-10.
Unknown User Policy
You can configure how Cisco Secure ACS processes unknown users on the
Configure Unknown User Policy page, in the External User Databases section of
the HTML interface. The Configure Unknown User Policy page contains the
following fields:
- Unknown User Policy: Defines what action Cisco Secure ACS takes if it
  does not find a matching username in its database. There are two options for
  controlling the Unknown User Policy:
    - Fail the attempt: Disables unknown user processing.
      Cisco Secure ACS rejects authentication requests for any user not found
      in the CiscoSecure user database.
    - Check the following external user databases: Enables unknown user
      processing. Cisco Secure ACS uses databases in the Selected Databases
      list to authenticate users that are not found in the CiscoSecure user
      database.
- External Databases: Lists the external user databases that
  Cisco Secure ACS does not use to authenticate unknown users.
- Selected Databases: Lists the external user databases that Cisco Secure ACS
  uses to authenticate an unknown user (if the Check the following external
  user databases option is selected). Cisco Secure ACS attempts authentication