beautypg.com

Cisco 3.3 User Manual

Page 544

background image

Chapter 13 User Databases

ODBC Database

13-60

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Step 4

Write the stored procedures intended to return the required authentication
information to Cisco Secure ACS. For more information about these stored
procedures, see

Implementation of Stored Procedures for ODBC Authentication,

page 13-60

.

Step 5

Set up a system DSN on the computer running Cisco Secure ACS. For steps, see

Configuring a System Data Source Name for an ODBC External User Database,
page 13-70

.

Step 6

Configure Cisco Secure ACS to authenticate users with an ODBC database. For
steps, see

Configuring an ODBC External User Database, page 13-71

.

Implementation of Stored Procedures for ODBC Authentication

When you configure Cisco Secure ACS to authenticate users against an
ODBC-compliant relational database, you must create a stored procedure to
perform the necessary query and return the values that Cisco Secure ACS expects.
The values returned and the tasks required of the stored procedure varies
depending upon the authentication protocol used.

Authentication for ASCII, PAP, or PEAP (EAP-GTC) occurs within the relational
database; that is, if the stored procedure finds a record with both the username and
the password matching the input, the user is considered authenticated.

Authentication for CHAP, MS-CHAP, ARAP, LEAP, or EAP-MD5 occurs within
Cisco Secure ACS. The stored procedure returns the fields for the record with a
matching username, including the password. Cisco Secure ACS confirms or
denies authentication based on the values returned from the procedure.

Authentication for EAP-TLS occurs within Cisco Secure ACS. The stored
procedure returns the field for the record, indicating whether it found the
username in the ODBC database. Cisco Secure ACS confirms or denies
authentication based on the values returned from the procedure and upon the
validity of the user certificate. For more information about Cisco Secure ACS
support for the EAP-TLS protocol, see

EAP-TLS Authentication, page 10-2

.

To support the three sets of protocols, Cisco Secure ACS provides different input
to, and expects different output from, the ODBC authentication request. This
requires a separate stored procedure in the relational database to support each of
the three sets of protocols.