Appendix H Cisco Secure ACS Internal Architecture
CSAuth
H-4
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Cisco Secure ACS can check the user database to authenticate first-time logins. If
the username is not in the CiscoSecure user database, Cisco Secure ACS does not
deny authentication yet; it forwards the request to the configured unknown user
database to see if it can authenticate the user. If it can, authentication is granted.
Note With unknown user databases such as Windows NT/2000 and Novell NDS,
only PAP passwords are supported.
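The lookup order described above (local CiscoSecure user database first, then the configured unknown user database, with the PAP-only restriction for external databases), as an added worked example. This is not Cisco code: the class and function names are invented, the sample users and domains are constructed, and the routing of a `DOMAIN\user` qualified name straight to the named domain is an assumption; the ordered domain-list retry for unqualified names follows the Windows NT/2000 option described in the list that follows.

```python
from dataclasses import dataclass, field

@dataclass
class WindowsDomainDB:
    """Stand-in for one Windows NT/2000 domain acting as an unknown user
    database. Only PAP (cleartext password) requests can be checked here,
    which is the restriction the Note states; CHAP requests are refused."""
    name: str
    users: dict  # constructed sample data: username -> password

    def authenticate(self, username, password, protocol):
        if protocol != "PAP":
            return False
        return self.users.get(username) == password


@dataclass
class CSAuth:
    """Minimal model of the CSAuth decision chain (hypothetical class)."""
    local_users: dict           # CiscoSecure user database: username -> password
    domain_list: list           # ordered as in the Domain List list box
    trace: list = field(default_factory=list)  # databases consulted, for audit

    def authenticate(self, username, password, protocol="PAP"):
        """Return (database that decided, approved?)."""
        self.trace = ["local"]
        # Step 1: the local database is a single internal lookup, no external delay.
        # A known user with a wrong password is denied here; nothing is forwarded.
        if username in self.local_users:
            return ("local", self.local_users[username] == password)
        # Step 2: username unknown locally, forward to the unknown user database.
        # Assumption: a DOMAIN\user name is sent only to that domain.
        if "\\" in username:
            domain, user = username.split("\\", 1)
            for db in self.domain_list:
                if db.name == domain:
                    self.trace.append(db.name)
                    return (db.name, db.authenticate(user, password, protocol))
            return (None, False)
        # Unqualified name: try each domain in configured order until one approves.
        for db in self.domain_list:
            self.trace.append(db.name)
            if db.authenticate(username, password, protocol):
                return (db.name, True)
        return (None, False)


def build_sample_csauth():
    """Constructed sample configuration: one local user, two domains."""
    return CSAuth(
        local_users={"alice": "local-pw"},
        domain_list=[
            WindowsDomainDB("CORP1", {"carol": "c1"}),
            WindowsDomainDB("CORP2", {"bob": "b2"}),
        ],
    )


if __name__ == "__main__":
    cs = build_sample_csauth()
    for user, pw, proto in [("alice", "local-pw", "PAP"), ("bob", "b2", "PAP"),
                            ("bob", "b2", "CHAP"), ("CORP2\\bob", "b2", "PAP")]:
        print(user, proto, cs.authenticate(user, pw, proto), "tried:", cs.trace)
```

The `trace` list makes the ordering visible: an unqualified unknown name costs one external round trip per configured domain before it is denied, which is the delay the local database avoids, and a CHAP request from an unknown user fails at every external database regardless of the password.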
There are several user database options:
• CiscoSecure user database—The first database option provides the fastest
response time for authentication. Locating the username and checking the
password against the local CiscoSecure user database is a single step.
Because this occurs internally to Cisco Secure ACS, there is no delay while
Cisco Secure ACS waits for a response from an external user database.
• Windows NT/2000 user database—This option makes use of the work
invested in the Windows NT/2000 user database. CSAuth passes the
username and password to Windows NT/2000 for authentication.
Windows NT/2000 then provides a response approving or denying validation.
If the response is approval, CSAuth knows that the user should be allowed to
authenticate.
If the response is denial and the username was submitted to
Cisco Secure ACS in an unqualified format (that is, without a domain name
preceding the username), CSAuth tries each Windows NT domain in the
order they are configured in the Domain List list box in External User
Databases: Windows NT/2000: Configure.
• Novell NDS option—This option allows CiscoSecure ACS to use the Novell
NDS service to authenticate users. Cisco Secure ACS supports one Tree, but
the Tree can have multiple Containers and Contexts. To support this
compatibility, the Novell requester must be installed on the same
Windows NT/2000 server as Cisco Secure ACS.
• Third-party token servers—Cisco Secure ACS supports several third-party
token servers, such as RSA SecurID, SafeWord AXENT, and any
hexadecimal X.909 token card such as CRYPTOCard. For some token
servers, Cisco Secure ACS acts as a client to the token server. For others, it
uses the token server’s RADIUS interface for authentication requests. As
with the Windows NT/2000 database, after the username is located in the
CiscoSecure user database, CSAuth can check the selected token server to