Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Appendix H    CiscoSecure ACS Internal Architecture
CSAuth
verify the username and token-card password. The token server then provides
a response approving or denying validation. If the response is approval,
CSAuth knows that authentication should be granted for the user.
Generic LDAP
Cisco Secure ACS supports authentication of users against records kept in a
directory server through the Lightweight Directory Access Protocol (LDAP).
Cisco Secure ACS interacts with the most popular directory servers, including
Novell and Netscape. Both PAP and CHAP passwords can be used when
authenticating against the LDAP database. Cisco Secure ACS logs these
transactions and displays their results in the Reports & Activity section of
the Cisco Secure ACS HTML interface.
ODBC
Cisco Secure ACS supports authentication via an Open Database Connectivity
(ODBC)-compliant SQL database. ODBC is a standardized API that was first
developed by Microsoft and is now used by most major database vendors. ODBC
follows the specifications of the SQL Access Group. The benefit of ODBC in a
web-based environment is easy access to data storage programs such as
Microsoft Access and SQL Server.
UNIX passwords
Cisco Secure ACS includes a password import utility you can use to import
passwords from a UNIX password file. From the Cisco Secure ACS directory, type
the following command:
CSUtil.exe -i filename
where filename is the name of a text file that contains the following line for
each user:
ADD:username:UNIX:DES-encrypted password
The last field is the user's crypt(3) DES password hash exactly as it appears
in the UNIX password (or shadow) file. For example:
ADD:roger:UNIX:kk/amz1NUJrlM
For more information on CSUtil.exe, see Appendix E, Cisco Secure ACS
Command-Line Database Utility.
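The following script builds a CSUtil.exe -i import file from a UNIX password file. It is an added example and not part of the guide or of CSUtil.exe itself: the ADD record format comes from the guide above, while the validation rules, function names and the sample password lines are assumptions made here. It accepts either /etc/passwd or /etc/shadow style lines (both carry username and hash in the first two fields) and emits ADD records only for entries that hold a traditional 13-character DES crypt hash, which is the only hash form the import line format describes; locked, shadowed and modular-crypt ($1$, $5$, $6$) entries are reported as skipped instead of being imported as garbage.

```python
import os
import re

# Traditional DES crypt(3) output: 2-character salt + 11-character hash, all drawn
# from the alphabet [./0-9A-Za-z]. Modular crypt forms ($1$..., $6$...) never match.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Values in the password field that mean "no usable hash": shadowed ('x'),
# locked ('*', '!', '!!') or empty.
NO_HASH_MARKERS = {"x", "*", "!", "!!", ""}

# Constructed sample /etc/passwd-style lines (hypothetical accounts, not real data).
# Only "roger" carries a DES hash (the guide's own example); the others exercise
# the cases a real file will contain.
SAMPLE_PASSWD = """\
roger:kk/amz1NUJrlM:1001:1001:Roger:/home/roger:/bin/sh
alice:*:1002:1002:Alice:/home/alice:/bin/sh
bob:x:1003:1003:Bob:/home/bob:/bin/sh
carol:$1$saltsalt$abcdefghijklmnopqrstuv:1004:1004:Carol:/home/carol:/bin/sh
broken line without fields
"""


def passwd_to_csutil(passwd_text):
    """Convert passwd/shadow text into CSUtil 'ADD:user:UNIX:hash' records.

    Returns (import_lines, skipped); skipped is a list of (name_or_line, reason)
    pairs so the operator can see exactly which accounts did not make it in.
    """
    import_lines = []
    skipped = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            skipped.append((line, "malformed line"))
            continue
        user, pw_hash = fields[0], fields[1]
        if pw_hash in NO_HASH_MARKERS:
            skipped.append((user, "no usable hash (shadowed or locked)"))
            continue
        if not DES_CRYPT_RE.match(pw_hash):
            skipped.append((user, "not a traditional DES crypt hash"))
            continue
        import_lines.append("ADD:%s:UNIX:%s" % (user, pw_hash))
    return import_lines, skipped


def write_import_file(path, import_lines):
    """Write the records one per line, creating the file owner-readable only.

    The file contains password hashes, so it is created with mode 0600 (the mode
    bits are ignored on Windows, where NTFS permissions apply instead).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for rec in import_lines:
            fh.write(rec + "\n")
    return len(import_lines)


if __name__ == "__main__":
    lines, skipped = passwd_to_csutil(SAMPLE_PASSWD)
    for rec in lines:
        print(rec)
    for name, reason in skipped:
        print("skipped %r: %s" % (name, reason))
```

Run the output file through CSUtil.exe -i and delete it afterwards: a DES crypt hash covers at most eight password characters and is cheap to brute-force, so the import file is as sensitive as the UNIX password file it was derived from.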
Once a user has been authenticated by one of the methods described above,
Cisco Secure ACS obtains a set of authorizations from the user profile and from
the group to which the user is assigned. This information is stored with the
username in the CiscoSecure user database. The authorizations include the
services to which the user is entitled, such as IP over PPP, the IP pools from
which to draw an IP address, access lists, and password aging information. The
authorizations, together with the authentication approval, are then passed to
the CSTacacs or CSRadius module to be forwarded to the requesting device.