Database search order – Cisco 3.3 User Manual
Page 624
Chapter 15 Unknown User Policy
Database Search Order
15-14
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
• External Databases—Of the databases that you have configured in the External User Databases section, lists the databases that Cisco Secure ACS does not use during posture validation or unknown user authentication.
• Selected Databases—Of the databases that you have configured in the External User Databases section, lists the databases that Cisco Secure ACS does use during posture validation and unknown user authentication.
Cisco Secure ACS attempts the requested service—authentication or posture validation—using the selected databases one at a time in the order specified. For more information about the significance of the order of selected databases, see Database Search Order, page 15-14.
For detailed steps for configuring your Unknown User Policy, see Unknown User Policy, page 15-16.
Database Search Order
You can configure the order in which Cisco Secure ACS checks the selected databases when Cisco Secure ACS attempts posture validation and unknown user authentication. The following processes show why the order of databases in the Selected Databases list is significant:
• Authentication—The Unknown User Policy supports unknown user authentication using the following logic:
  a. Find the next user database in the Selected Databases list that supports the authentication protocol of the request. If there are no user databases in the list that support the authentication protocol of the request, stop unknown user authentication and deny network access to the user.
  b. Send the authentication request to the database found in Step 1.
  c. If the database responds with an “authentication succeeded” message, create the discovered user account, perform group mapping, and grant the user access to the network.
  d. If the database responds with an “authentication failed” message or does not respond and other databases are listed below the current database, return to Step 1.
  e. If there are no additional databases below the current database, deny network access to the user.
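The search in steps a to e, as an added Python simulation that is not part of the Cisco manual: three constructed databases (a Windows domain, an LDAP server that never answers, and a token server, with assumed protocol support and canned responses) are walked in Selected Databases order, a database that does not support the request's protocol is skipped, "no response" is handled like "failed" so the request moves on, and the first "succeeded" creates the discovered user and ends the search. Reordering the list changes which database ends up owning the discovered user and how many databases see the credentials on the way.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Responses a database can give to an authentication request (assumed labels).
SUCCEEDED, FAILED, NO_RESPONSE = "succeeded", "failed", "no response"

@dataclass
class ExternalDatabase:
    name: str
    protocols: frozenset                      # authentication protocols it supports
    respond: Callable[[str, str], str]        # (username, password) -> response

@dataclass
class Outcome:
    decision: str                             # "grant" or "deny"
    database: Optional[str] = None            # database that authenticated the user
    tried: List[str] = field(default_factory=list)  # databases actually queried, in order

def unknown_user_auth(selected: List[ExternalDatabase], user: str,
                      password: str, protocol: str) -> Outcome:
    """Walk the Selected Databases list in order, following steps a to e."""
    outcome = Outcome(decision="deny")
    for db in selected:
        if protocol not in db.protocols:      # step a: skip databases that cannot handle the protocol
            continue
        outcome.tried.append(db.name)         # step b: send the request to this database
        if db.respond(user, password) == SUCCEEDED:          # step c: first success wins
            outcome.decision, outcome.database = "grant", db.name  # discovered user is created here
            return outcome
        # step d: "failed" and "no response" are treated alike: fall through to the next database
    return outcome                            # step e: no database left, deny access

# Constructed databases with canned accounts; names and protocols are assumptions.
def _accounts(valid):
    return lambda u, p: SUCCEEDED if valid.get(u) == p else FAILED

WINDOWS = ExternalDatabase("Windows", frozenset({"PAP", "MS-CHAP"}), _accounts({"alice": "pw-a"}))
LDAP = ExternalDatabase("LDAP", frozenset({"PAP"}), lambda u, p: NO_RESPONSE)  # server unreachable
TOKEN = ExternalDatabase("Token", frozenset({"PAP"}), _accounts({"bob": "otp-123"}))

if __name__ == "__main__":
    order = [WINDOWS, LDAP, TOKEN]
    for user, pw, proto in [("alice", "pw-a", "MS-CHAP"), ("bob", "otp-123", "PAP"), ("carol", "x", "MS-CHAP")]:
        o = unknown_user_auth(order, user, pw, proto)
        print(f"{user:5} {proto:7} -> {o.decision:5} via {o.database} after trying {o.tried}")
```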