Authorization of unknown users, Unknown user policy options – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 15 Unknown User Policy
Authorization of Unknown Users
Although the Unknown User Policy allows authentication and posture validation
requests to be processed by databases configured in the External User Database
section, Cisco Secure ACS is responsible for all authorizations sent to AAA
clients and end-user clients. Posture validation and unknown user authentication
work with Cisco Secure ACS user group mapping features to assign unknown
users to user groups you have already configured and, therefore, to assign
authorization to all NAC clients and to unknown users who pass authentication.
For more information, see Chapter 16, “User Group Mapping and Specification”.
Unknown User Policy Options
On the Configure Unknown User Policy page you can specify what Cisco Secure
ACS does for posture validation and unknown user authentication. The options for
configuring the Unknown User Policy are as follows:
• Fail the attempt—Disables unknown user authentication; therefore,
Cisco Secure ACS rejects authentication requests for users not found in the
CiscoSecure user database. Selecting this option excludes the use of the
“Check the following external user databases” option.
Note: The “Fail the attempt” option does not apply to posture validation
requests. For every posture validation request, Cisco Secure ACS
always applies the Unknown User Policy.
• Check the following external user databases—Enables unknown user
authentication; therefore, Cisco Secure ACS uses the databases in the
Selected Databases list to provide unknown user authentication.
Note: For authentication requests, Cisco Secure ACS applies the Unknown
User Policy to unknown users only. Cisco Secure ACS does not
support fallback to unknown user authentication when known or
discovered users fail authentication.
Selecting this option excludes the use of the “Fail the attempt” option.
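The decision flow these options describe, modelled as an added example (not Cisco code and not part of the original manual). The class, the sample users and groups, the database name ExtDB-1 and the in-order search of the Selected Databases list are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

FAIL = "Fail the attempt"
CHECK_EXTERNAL = "Check the following external user databases"
LOCAL = "CiscoSecure user database"

@dataclass
class UnknownUserPolicy:
    option: str      # FAIL or CHECK_EXTERNAL; the two options exclude each other
    known: dict      # constructed: username -> (password, group) for known users
    selected: list   # constructed: [(db name, {username: password})], tried in order (assumed)
    group_map: dict  # constructed: db name -> user group already configured in ACS

    def databases_for(self, kind, user):
        """Names of the databases consulted for one request."""
        if kind == "posture":
            # "Fail the attempt" does not apply to posture validation requests.
            return [name for name, _ in self.selected]
        if user in self.known:
            # Known user: only the local record counts, no fallback to the list.
            return [LOCAL]
        if self.option == FAIL:
            return []  # unknown user authentication is disabled
        return [name for name, _ in self.selected]

    def authenticate(self, user, password):
        """Return (accepted, group); the group carries the authorization ACS sends."""
        externals = dict(self.selected)
        for name in self.databases_for("auth", user):
            if name == LOCAL:
                stored, group = self.known[user]
            else:
                stored, group = externals[name].get(user), self.group_map[name]
            if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
                return True, group
        return False, None

def sample(option):
    # Constructed data: alice is a known user who also exists in ExtDB-1; bob is unknown to ACS.
    return UnknownUserPolicy(
        option=option,
        known={"alice": ("local-pw", "Admins")},
        selected=[("ExtDB-1", {"alice": "ext-pw", "bob": "bob-pw"})],
        group_map={"ExtDB-1": "Employees"},
    )
```

The case worth checking in a real deployment is alice presenting her external password: she is rejected even though ExtDB-1 would accept her, because known users never fall back to unknown user authentication.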