Cisco Secure ACS forwards user authentication requests to a Windows NT/2000
database in one of two scenarios. The first scenario is when the user’s account in
the CiscoSecure user database lists a Windows NT/2000 database configuration
as the authentication method. The second is when the user is unknown to the
CiscoSecure user database and the Unknown User Policy dictates that a Windows
NT/2000 database is the next external user database to try.

In either case, Cisco Secure ACS forwards the username and password to the
Windows NT/2000 database. The Windows NT/2000 database either passes or
fails the authentication request from Cisco Secure ACS. Upon receiving the
response from the Windows NT/2000 database, Cisco Secure ACS instructs the
requesting AAA client to grant or deny the user access, depending upon the
response from the Windows NT/2000 database.

Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the Windows NT/2000 database, it is
Cisco Secure ACS that grants authorization privileges. See

Figure 11-2 on

page 11-8