Cisco Systems Servers User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 11 Working with User Databases
Generic LDAP
This section contains the following topics:
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Cisco Secure ACS forwards user authentication requests to an LDAP database in 
one of two scenarios. The first scenario is when the user’s account in the 
CiscoSecure user database lists an LDAP configuration as the authentication 
method. The second is when the user is unknown to the CiscoSecure user database 
and the Unknown User Policy dictates that an LDAP database is the next external 
user database to try.
In either case, Cisco Secure ACS forwards the username and password to the 
LDAP database. The LDAP database either passes or fails the authentication 
request from Cisco Secure ACS. Upon receiving the response from the LDAP 
database, Cisco Secure ACS instructs the requesting AAA client to grant or deny 
the user access, depending upon the response from the LDAP server.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to 
which the user is assigned. While the group to which a user is assigned can be 
determined by information from the LDAP server, it is Cisco Secure ACS that 
grants authorization privileges. See
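
The routing described above can be modelled in a few lines. This is an added example, not code from the guide or from Cisco Secure ACS; the class, the function names, the group-mapping table, the default group name and the sample directory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Decision:
    granted: bool
    acs_group: Optional[str]  # privileges come from the ACS group, never from LDAP directly
    reason: str

@dataclass
class AcsModel:  # hypothetical model, not a Cisco Secure ACS API
    ldap_check: Callable[[str, str], Optional[dict]]  # attrs on pass, None on fail
    local_users: dict = field(default_factory=dict)   # username -> {"auth": ..., "group": ...}
    unknown_user_policy: list = field(default_factory=list)  # external databases to try
    group_map: dict = field(default_factory=dict)     # LDAP group -> ACS group (assumed mapping)
    default_group: str = "acs-default"                # constructed name

    def authenticate(self, username: str, password: str) -> Decision:
        account = self.local_users.get(username)
        if account is not None and account["auth"] != "ldap":
            return Decision(False, None, "account uses another method (not modelled)")
        if account is None and "ldap" not in self.unknown_user_policy:
            return Decision(False, None, "unknown user; policy does not try LDAP")
        attrs = self.ldap_check(username, password)   # forward username and password
        if attrs is None:
            return Decision(False, None, "LDAP failed the request")
        group = (account or {}).get("group") or next(
            (self.group_map[g] for g in attrs["groups"] if g in self.group_map),
            self.default_group)
        return Decision(True, group, "LDAP passed the request")

# Constructed directory standing in for the LDAP server.
DIRECTORY = {"alice": ("s3cret", ["cn=netops"]), "bob": ("hunter2", [])}

def fake_ldap(username: str, password: str) -> Optional[dict]:
    entry = DIRECTORY.get(username)
    if entry is None or not password or entry[0] != password:
        return None  # fail closed, including on an empty password
    return {"groups": entry[1]}

def demo_model(policy=("ldap",)) -> AcsModel:
    return AcsModel(ldap_check=fake_ldap,
                    local_users={"alice": {"auth": "ldap", "group": None}},
                    unknown_user_policy=list(policy),
                    group_map={"cn=netops": "acs-network-admins"})

if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("bob", "hunter2"), ("bob", "wrong")]:
        print(user, demo_model().authenticate(user, pw))
```

In the model, a passing LDAP response only establishes identity; the returned `acs_group` is what carries privileges, which mirrors the split between authentication and authorization in the text.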