Cisco Systems CSACS3415K9 Manual De Usuario
16-7
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 16 Managing System Administrators
Creating, Duplicating, Editing, and Deleting Administrator Accounts
Only appropriate administrators can configure identities and certificates. The identities configured in the
System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be
modified there.
System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be
modified there.
When you create a new administrator, you have an option to choose the type of identity store for the
password type. The new administrator is authenticated based on this password type. The password type
can be internal administrator, AD, or LDAP. The default value of all the existing administrators is
password type. The new administrator is authenticated based on this password type. The password type
can be internal administrator, AD, or LDAP. The default value of all the existing administrators is
AdminsIDStore
. The password type has a new association defined to create an association between the
administrator account and the identity store. During the internal administrator authentication, if the
administrator is present in the internal database, then the value in the password type field is read and
populated in the attribute list.If this attribute value is not equal to
administrator is present in the internal database, then the value in the password type field is read and
populated in the attribute list.If this attribute value is not equal to
AdminsIDStore
, then the authentication
is routed to either LDAP or an AD identity store, based on the value that is configured in the password
type field. ACS use PAP authentication to authenticate administrators against AD and LDAP.
type field. ACS use PAP authentication to authenticate administrators against AD and LDAP.
Recovery Administrator Account
ACS 5.4 requires the system administrator to keep at least one administrator account as a recovery
account. If an account is configured as a recovery account, then ACS bypasses the administrator identity
policy and authorization policy to authenticate that particular administrator. This recovery administrator
account is authenticated against the administrator internal identity store. If you try to access ACS using
the recovery account, you are authenticated against internal administrator users, and roles are assigned
statically. You can have more than one recovery account. By default, the Super Admin account is set as
a recovery account. When you create a new administrator account, ACS does not set that account as a
recovery account, but you need to configure it as a recovery account in account settings.
account. If an account is configured as a recovery account, then ACS bypasses the administrator identity
policy and authorization policy to authenticate that particular administrator. This recovery administrator
account is authenticated against the administrator internal identity store. If you try to access ACS using
the recovery account, you are authenticated against internal administrator users, and roles are assigned
statically. You can have more than one recovery account. By default, the Super Admin account is set as
a recovery account. When you create a new administrator account, ACS does not set that account as a
recovery account, but you need to configure it as a recovery account in account settings.
To configure an administrator account as a recovery account, you need to perform the following actions:
•
Assign a static role to the administrator account.
•
Assign the Super Admin role to the administrator account.
•
Do not use the password type to set an external identity store to the administrator account.
Related Topics
•
•
Creating, Duplicating, Editing, and Deleting Administrator
Accounts
Accounts
To create, duplicate, edit, or delete an administrator account:
Step 1
Choose System Administration > Administrators > Accounts.
: