Cisco Systems Servers User Manual

Chapter 4      Setting Up and Managing Network Configuration
Proxy in Distributed Systems
4-6
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
request. If Cisco Secure ACS cannot connect to any server in the list, 
authentication fails. Failed connections are detected by failure of the nominated 
server to respond within a specified time period. That is, the request is timed out.
Character String
Cisco Secure ACS forwards authentication requests using a configurable set of 
characters with a delimiter, such as dots (.), slashes (/), backslashes (\), and 
hyphens (-). When configuring the Cisco Secure ACS character string to match, 
you must specify whether the character string is the prefix or suffix. For example, 
you can use “domain.us” as a suffix character string in username*domain.us, 
where * represents any delimiter. An example of a prefix character string is 
domain*username, where the * would be used to detect the “\” character.
Stripping
Stripping allows Cisco Secure ACS to remove, or strip, the matched character 
string from the username. When you enable stripping, Cisco Secure ACS 
examines each authentication request for matching information. When 
Cisco Secure ACS finds a match by character string in the Proxy Distribution 
Table, as described above, Cisco Secure ACS strips off the character string if you 
have configured it to do so. For example, in the proxy example that follows, the 
character string that accompanies the username establishes the ability to forward 
the request to another AAA server. If the user must enter the user ID 
mary@corporate.com to be forwarded correctly to the AAA server for 
authentication, Cisco Secure ACS might find a match on the “@corporate.com” 
character string and strip it, leaving a username of just “mary”, which may be 
the username format that the destination AAA server requires to identify the 
correct entry in its database.
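The matching, stripping and server-list failover described above, as an added Python sketch that is not Cisco's code. The ProxyEntry model, the server names, treating "@" as a delimiter, requiring a delimiter next to a string configured without one, and the local fallback for unmatched usernames are all assumptions made for illustration.

```python
from dataclasses import dataclass

# The page lists . / \ - as delimiters; "@" is assumed from mary@corporate.com.
DELIMITERS = set("./\\-@")

@dataclass
class ProxyEntry:      # hypothetical model of one Proxy Distribution Table row
    string: str        # character string to match, e.g. "@corporate.com"
    position: str      # "prefix" or "suffix"
    strip: bool        # remove the matched string before forwarding
    servers: list      # AAA servers to try, in order

def match(entry, username):
    """Return the username to forward if the entry matches, else None."""
    s, suffix = entry.string, entry.position == "suffix"
    if not s or len(username) <= len(s):
        return None                      # no user part would remain
    if not (username.endswith(s) if suffix else username.startswith(s)):
        return None
    rest = username[:-len(s)] if suffix else username[len(s):]
    edge = s[0] if suffix else s[-1]     # side of the string facing the user part
    if edge not in DELIMITERS:
        # String configured without a delimiter ("domain.us"): the adjacent
        # character must be one, so "mary@notdomain.us" does not match.
        if (rest[-1] if suffix else rest[0]) not in DELIMITERS:
            return None
        rest = rest[:-1] if suffix else rest[1:]
        if not rest:
            return None
    return rest if entry.strip else username

def route(table, username, reachable):
    """First matching entry wins; its servers are tried in order.
    `reachable` stands in for the response-timeout check."""
    for entry in table:
        forwarded = match(entry, username)
        if forwarded is None:
            continue
        for server in entry.servers:
            if server in reachable:
                return server, forwarded
        return None, forwarded           # nobody answered: authentication fails
    return "local", username             # assumption: unmatched names stay local

# Constructed sample table; server names are placeholders.
TABLE = [
    ProxyEntry("@corporate.com", "suffix", True, ["aaa-1", "aaa-2"]),
    ProxyEntry("domain.us", "suffix", True, ["aaa-us"]),
    ProxyEntry("CORP", "prefix", False, ["aaa-nt"]),
]
```

Anchoring the match at a delimiter boundary keeps a lookalike realm such as notdomain.us from being forwarded to the server that trusts domain.us.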
Proxy in an Enterprise
This section presents a scenario of proxy used in an enterprise system. Mary is an 
employee with an office in the corporate headquarters in Los Angeles. Her 
username is mary@la.corporate.com. When Mary needs access to the network, 
she accesses the network locally and authenticates her username and password. 
Because Mary works in the Los Angeles office, her user profile, which defines her 
authentication and authorization privileges, resides on the local Los Angeles