Authenticating with external user databases – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
About External User Databases
For Cisco Secure ACS to interact with an external user database, Cisco Secure
ACS requires an API for the third-party authentication source. Cisco Secure ACS
communicates with the external user database using that API. For Windows user
databases and Generic LDAP, the program interface for the external
authentication is local to Cisco Secure ACS. In these cases, no further
components are required.
In the case of Novell NDS authentication, Novell Requestor must be installed on
the same Windows server as Cisco Secure ACS.
In the case of ODBC authentication sources, in addition to the Windows ODBC
interface, the third-party ODBC driver must be installed on the Cisco Secure ACS
Windows server.
To communicate with an RSA token server, you must have installed software
components provided by RSA. For token servers by other vendors, the standard
RADIUS interface serves as the third-party API.
Authenticating with External User Databases
Authenticating users with an external user database requires more than
configuring Cisco Secure ACS to communicate with an external user database.
Performing one of the configuration procedures for an external database that are
provided in this chapter does not on its own instruct Cisco Secure ACS to
authenticate any users with that database.
After you have configured Cisco Secure ACS to communicate with an external
user database, you can configure Cisco Secure ACS to authenticate users with the
external user database in one of two ways:
• By Specific User Assignment—You can configure Cisco Secure ACS to
authenticate specific users with an external user database. To do this, the user
must exist in the CiscoSecure user database and the Password Authentication
list in User Setup must be set to the external user database that Cisco Secure
ACS should use to authenticate the user.
While setting the Password Authentication for every user account is
time-consuming, this method of determining which users are authenticated with an
external user database is secure because it requires explicit definition of who
should authenticate using the external user database. In addition, the users
may be placed in the desired Cisco Secure ACS group and thereby receive the
applicable access profile.