Cisco Systems Servers User Manual

Chapter 12      Administering External User Databases
Unknown User Processing
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
The Unknown User feature enables Cisco Secure ACS to use a variety of external 
databases in addition to its own internal database to authenticate incoming user 
requests. With this feature, Cisco Secure ACS provides the foundation for a basic 
single sign-on capability by integrating network and host-level access control. 
Because the incoming usernames and passwords of users dialing in can be 
authenticated with external user databases, there is no need for the network 
administrator to maintain a duplicate list within Cisco Secure ACS. This provides 
two advantages to the Cisco Secure ACS administrator:
Eliminates the necessity of entering every user multiple times
Prevents data-entry errors that are inherent to manual procedures
Known, Unknown, and Cached Users
The Unknown User feature implements three categories of users in 
Cisco Secure ACS. Each category is treated differently:
Known Users—Users explicitly added, either manually or automatically, into the 
Cisco Secure ACS database.
These are users added through User Setup in the HTML interface, by the 
RDBMS Synchronization feature, by the Database Replication feature, or 
by the CSUtil.exe utility. For more information about CSUtil.exe
see 
In the CiscoSecure user database, each user must have an assigned password and 
must be explicitly associated with a particular authentication database.
Unknown Users—Users who have no account entry in the CiscoSecure user 
database.
Such users have never previously authenticated with Cisco Secure ACS. If 
the Unknown User Policy is configured in Cisco Secure ACS, 
Cisco Secure ACS attempts to authenticate these users with external user 
databases.
Cached Users—Users whose accounts were automatically added to the 
Cisco Secure ACS database when Cisco Secure ACS successfully 
authenticated them using the Unknown User Policy.
All cached users were once unknown users. The authentication process for 
cached users is identical to the authentication process for known users.
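
The three categories can be followed through a small model of the decision flow. This is an added example, not Cisco code or part of the original guide; the class names, the database names, the sample credentials, the order in which external databases are tried, and the binding of a cached account to the database that authenticated it are all assumptions made for illustration.

```python
import hmac

class ExternalDB:
    """Stand-in for an external user database (constructed sample data)."""
    def __init__(self, name, users):
        self.name, self._users = name, users

    def authenticate(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())

class AcsModel:
    """Hypothetical model of known / unknown / cached user handling."""
    def __init__(self, external_dbs, unknown_user_policy=False):
        self.external = {db.name: db for db in external_dbs}  # keeps order
        self.unknown_user_policy = unknown_user_policy
        self.accounts = {}  # username -> {"db": name, "cached": bool}

    def add_known_user(self, user, db_name):
        # Known user: explicitly added and tied to one authentication database.
        self.accounts[user] = {"db": db_name, "cached": False}

    def category(self, user):
        acct = self.accounts.get(user)
        if acct is None:
            return "unknown"
        return "cached" if acct["cached"] else "known"

    def authenticate(self, user, password):
        acct = self.accounts.get(user)
        if acct is not None:
            # Known and cached users follow the same path.
            return self.external[acct["db"]].authenticate(user, password)
        if not self.unknown_user_policy:
            return False  # no account and no policy: reject
        for db in self.external.values():  # assumed: tried in configured order
            if db.authenticate(user, password):
                # Successful unknown user becomes a cached user.
                self.accounts[user] = {"db": db.name, "cached": True}
                return True
        return False  # failed attempts create no account

if __name__ == "__main__":
    acs = AcsModel([ExternalDB("windows", {"alice": "pw-a"}),
                    ExternalDB("ldap", {"bob": "pw-b"})],
                   unknown_user_policy=True)
    print(acs.category("bob"), acs.authenticate("bob", "pw-b"),
          acs.category("bob"))
```

In this model, enabling the policy means any account in any configured external database can authenticate, and each success leaves a persistent cached entry, so the set of configured databases is the effective access boundary to review.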