Cisco Systems 3.3 Manual De Usuario
Chapter 13 User Databases
Windows User Database
13-26
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Preparing Users for Authenticating with Windows
Before using the Windows user database for authentication, follow these steps:
Step 1
Make sure the username exists in the Windows user database.
Step 2
In Windows, for each user account, clear the following User Properties check
boxes:
boxes:
•
User must change password at next logon
•
Account disabled
Step 3
If you want to control dial-in access from within Windows NT, click Dial-in and
select Grant dialin permission to user. In Windows 2000, access the User
Properties dialog box, select the Dial-In tab, and in the Remote Access area, click
Allow access. You must also configure the option to reference this feature under
Database Group Mappings in the External User Databases section of Cisco Secure
ACS.
select Grant dialin permission to user. In Windows 2000, access the User
Properties dialog box, select the Dial-In tab, and in the Remote Access area, click
Allow access. You must also configure the option to reference this feature under
Database Group Mappings in the External User Databases section of Cisco Secure
ACS.
Windows User Database Configuration Options
The Windows User Database Configuration page contains the following
configuration options:
configuration options:
•
Dialin Permission—You can restrict network access to users whose
Windows accounts have Windows dialin permission. The Grant dialin
permission to user check box controls this feature.
Windows accounts have Windows dialin permission. The Grant dialin
permission to user check box controls this feature.
Note
This feature applies to all users authenticated by Cisco Secure ACS
with a Windows external user database; despite the name of the
feature, it is not limited to users who access the network with a dialup
client but is applied regardless of client type. For example, if you have
configured a PIX Firewall to authenticate Telnet sessions using
Cisco Secure ACS as a RADIUS server, a user authenticated by a
Windows external user database would be denied Telnet access to the
PIX Firewall if the Dialin Permission feature is enabled and the
Windows user account does not have dialin permission.
with a Windows external user database; despite the name of the
feature, it is not limited to users who access the network with a dialup
client but is applied regardless of client type. For example, if you have
configured a PIX Firewall to authenticate Telnet sessions using
Cisco Secure ACS as a RADIUS server, a user authenticated by a
Windows external user database would be denied Telnet access to the
PIX Firewall if the Dialin Permission feature is enabled and the
Windows user account does not have dialin permission.