Cisco 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Windows User Database

Tip

Windows dialin permission is enabled in the Dialin section of user properties in
Windows NT and on the Dial-In tab of the user properties in Windows 2000.

Configure Domain List—The Domain List controls what Cisco Secure ACS
does when user authentication is requested for a username that is not
domain-qualified. If no domains are in the Domain List and the initial user
authentication request is rejected by Windows, Cisco Secure ACS stops
attempting to authenticate the user. If domains are in the Domain List,
Cisco Secure ACS qualifies the username with a domain from the list and
submits the domain-qualified username to Windows, once for each domain in
the Domain List, until each domain has rejected the user or until one of the
domains authenticates the user.

Note

Configuring the Domain List is optional. For more information
about the Domain List, see Non-domain-qualified Usernames, page 13-13.

Caution

If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of failed
attempts, users can be inadvertently locked out because Cisco Secure ACS tries
each domain in the Domain List explicitly, resulting in failed attempts for
identical usernames that reside in different domains.

Available Domains—This list represents the domains that Cisco Secure
ACS does not send domain-qualified authentication requests to.

Domain List—This list represents the domains that Cisco Secure
ACS does send domain-qualified authentication requests to.
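
The lockout effect described in the Caution above can be modeled as follows. This is an added example, not code from Cisco or from this guide; the Domain class, the domain names, the usernames and passwords, and the lockout threshold of 3 are constructed assumptions, and it models only the domain-qualified retries that follow the rejected initial request.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    """Constructed stand-in for a Windows domain with a lockout policy."""
    name: str
    accounts: dict                  # username -> password (sample data)
    lockout_threshold: int = 3      # assumed policy value
    failed: dict = field(default_factory=dict)  # username -> failed attempts

    def locked(self, user):
        return self.failed.get(user, 0) >= self.lockout_threshold

    def authenticate(self, user, password):
        if user not in self.accounts or self.locked(user):
            return False
        if self.accounts[user] == password:
            self.failed[user] = 0   # a successful logon resets the counter
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        return False

def acs_domain_list_auth(domain_list, user, password):
    """Submit the username once per Domain List entry, in order.

    Models only the retries after Windows has rejected the initial,
    non-domain-qualified request. Returns the accepting domain or None.
    """
    for domain in domain_list:
        if domain.authenticate(user, password):
            return domain.name
    return None

def logins_until_collateral_lockout(domain_list, user, password, limit=100):
    """Count correct logins until a same-named account elsewhere locks."""
    for n in range(1, limit + 1):
        acs_domain_list_auth(domain_list, user, password)
        locked = [d.name for d in domain_list if d.locked(user)]
        if locked:
            return n, locked
    return None, []

def sample_domains():
    # Constructed data: two different people share the username "jsmith".
    return [Domain("SALES", {"jsmith": "sales-pw"}),
            Domain("ENG", {"jsmith": "eng-pw"})]

if __name__ == "__main__":
    print(logins_until_collateral_lockout(sample_domains(), "jsmith", "eng-pw"))
```

In this model, reversing the list order stops the ENG user from generating failures but moves them onto the ENG account whenever the SALES user logs in, so reordering the Domain List shifts the lockout risk rather than removing it.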

MS CHAP Settings—You can control whether Cisco Secure ACS supports
MS-CHAP-based password changes for Windows user accounts. The Permit
password changes using MS-CHAP version N check boxes let you specify
the versions of MS-CHAP for which Cisco Secure ACS supports password
changes.