beautypg.com

Authorization of unknown users, Unknown user policy options – Cisco 3.3 User Manual

Page 623

background image

15-13

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 15 Unknown User Policy

Authorization of Unknown Users

Authorization of Unknown Users

Although the Unknown User Policy allows authentication and posture validation
requests to be processed by databases configured in the External User Database
section, Cisco Secure ACS is responsible for all authorizations sent to AAA
clients and end-user clients. Posture validation and unknown user authentication
work with Cisco Secure ACS user group mapping features to assign unknown
users to user groups you have already configured and, therefore, to assign
authorization to all NAC clients and to unknown users who pass authentication.
For more information, see

Chapter 16, “User Group Mapping and Specification”

.

Unknown User Policy Options

On the Configure Unknown User Policy page you can specify what Cisco Secure
ACS does for posture validation and unknown user authentication. The options for
configuring the Unknown User Policy are as follows:

Fail the attempt—Disables unknown user authentication; therefore,
Cisco Secure ACS rejects authentication requests for users not found in the
CiscoSecure user database. Selecting this option excludes the use of the
“Check the following external user databases” option.

Note

The “Fail the attempt” option does not apply to posture validation
requests. For every posture validation request, Cisco Secure ACS
always applies the Unknown User Policy.

Check the following external user databases—Enables unknown user
authentication; therefore, Cisco Secure ACS uses the databases in the
Selected Databases list to provide unknown user authentication.

Note

For authentication requests, Cisco Secure ACS applies the Unknown
User Policy to unknown users only. Cisco Secure ACS does not
support fallback to unknown user authentication when known or
discovered users fail authentication.

Selecting this option excludes the use of the “Fail the attempt” option.