Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Windows User Database
Tip: Windows dialin permission is enabled in the Dialin section of user
properties in Windows NT and on the Dial-In tab of the user properties in
Windows 2000.
• Configure Domain List—The Domain List controls what Cisco Secure ACS
does when user authentication is requested for a username that is not
domain-qualified. If no domains are in the Domain List and the initial user
authentication request is rejected by Windows, Cisco Secure ACS stops
attempting to authenticate the user. If domains are in the Domain List,
Cisco Secure ACS qualifies the username with a domain from the list and
submits the domain-qualified username to Windows, once for each domain in
the Domain List, until each domain has rejected the user or until one of the
domains authenticates the user.
Note: Configuring the Domain List is optional. For more information
about the Domain List, see Non-domain-qualified Usernames,
Caution: If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of failed
attempts, users can be inadvertently locked out because Cisco Secure ACS tries
each domain in the Domain List explicitly, resulting in failed attempts for
identical usernames that reside in different domains.
  – Available Domains—This list represents the domains that Cisco Secure
    ACS does not send domain-qualified authentication requests to.
  – Domain List—This list represents the domains that Cisco Secure
    ACS does send domain-qualified authentication requests to.
• MS CHAP Settings—You can control whether Cisco Secure ACS supports
MS-CHAP-based password changes for Windows user accounts. The Permit
password changes using MS-CHAP version N check boxes let you specify
the versions of MS-CHAP for which Cisco Secure ACS supports password
changes.
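
The Domain List behaviour and the lockout Caution above can be modelled as follows. This is an added example, not Cisco Secure ACS code: the Domain and Account classes, the domain names, the passwords and the lockout threshold of 3 are constructed assumptions, and the initial non-domain-qualified request is assumed to have been rejected already.

```python
# Added illustration: models the Domain List retry loop; not Cisco Secure ACS code.
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    failed: int = 0
    locked: bool = False

@dataclass
class Domain:
    name: str
    lockout_threshold: int                      # assumed lockout policy
    accounts: dict = field(default_factory=dict)

    def logon(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return False
        if acct.password == password:
            acct.failed = 0
            return True
        acct.failed += 1
        acct.locked = acct.failed >= self.lockout_threshold
        return False

def authenticate(username, password, domain_list):
    """Domain List phase: the initial unqualified request is assumed rejected."""
    attempts = []
    for domain in domain_list:
        ok = domain.logon(username, password)
        attempts.append((f"{domain.name}\\{username}", ok))
        if ok:
            return domain.name, attempts
    return None, attempts

def demo():
    # Constructed data: two different people share the username "jsmith".
    corp = Domain("CORP", 3, {"jsmith": Account("alpha-constructed")})
    lab = Domain("LAB", 3, {"jsmith": Account("bravo-constructed")})
    # The LAB user logs on three times with the correct LAB password.
    winners = [authenticate("jsmith", "bravo-constructed", [corp, lab])[0]
               for _ in range(3)]
    return winners, corp, lab

if __name__ == "__main__":
    winners, corp, lab = demo()
    print(winners, "CORP\\jsmith locked:", corp.accounts["jsmith"].locked)
```

In this model every successful logon by the LAB user costs CORP\jsmith one failed attempt, so the CORP account reaches its lockout threshold without anyone mistyping a password.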