beautypg.com

Windows authentication with domain qualification – Cisco 3.3 User Manual

Page 617

background image

15-7

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 15 Unknown User Policy

Authentication and Unknown Users

with various Windows versions differ in the method by which users can specify
their domains. For more information, see

Windows Dial-up Networking Clients,

page 13-10

.

Using a domain-qualified username allows Cisco Secure ACS to differentiate a
user from multiple instances of the same username in different domains. For
unknown users who provide domain-qualified usernames and who are
authenticated by a Windows user database, Cisco Secure ACS creates their user
accounts in the CiscoSecure user database in the form DOMAIN

\

username. The

combination of username and domain makes the user unique in the Cisco Secure
ACS database.

For more information about domain-qualified usernames and Windows
authentication, see

Usernames and Windows Authentication, page 13-11

.

Windows Authentication with Domain Qualification

If the username is non-domain qualified or is in UPN format, the Windows
operating system of the computer running Cisco Secure ACS follows a more
complex authentication order, which Cisco Secure ACS cannot control. Though
the order of resources used can differ, when searching for a non-domain qualified
username or UPN username, Windows usually follows the order in the list below:

1.

The local domain controller.

2.

The domain controllers in any trusted domains, in an order determined by
Windows.

3.

If Cisco Secure ACS runs on a member server, the local accounts database.

Windows attempts to authenticate the user with the first account it finds whose
username matches the one passed to Windows by Cisco Secure ACS. Whether
authentication fails or succeeds, Windows does not search for other accounts with
the same username; therefore, Windows can fail to authenticate a user who
supplies valid credentials because Windows may check the supplied credentials
against the wrong account that coincidentally has an identical username.

You can circumvent this difficulty by using the Domain List in the Cisco Secure
ACS configuration for the Windows user database. If you have configured the
Domain List with a list of trusted domains, Cisco Secure ACS submits the
username and password to each domain in the list, using a domain-qualified
format, until Cisco Secure ACS successfully authenticates the user or until
Cisco Secure ACS has tried each domain listed in the Domain List and fails the
authentication.