Cisco 3.3 User Manual
Page 625
15-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 15 Unknown User Policy
Database Search Order
•
Posture validation—The Unknown User Policy supports all posture
validation requests using the following logic:
a.
Of the NAC database in the Selected Databases list, find the first database
whose mandatory credential types are satisfied by the credentials
received in the posture validation request. If the credentials in the request
do not match the mandatory credentials of any database in the list, reject
the posture validation request.
b.
Use the NAC database found in Step 1 to perform posture validation for
the NAC client.
c.
If Cisco Secure ACS does not have a user profile matching the name
provided in the PEAP EAP-Identity field of the posture validation
request, create the discovered user account, using the value from the
EAP-Identity field as the username. For more information about the
effects of using the EAP-Identity field for the username, see
Unknown User Policy, page 15-10
.
d.
Perform group mapping and apply the authorizations specified in the
mapped group to the NAC client.
When you specify the order of databases in the Selected Databases list, we
recommend placing as near to the top of the list as possible databases that:
•
Process the most requests.
•
Process requests that are associated with particularly time-sensitive AAA
clients or authentication protocols.
•
Require the most restrictive mandatory credential types (applies to NAC
databases only).
As a user authentication example, if wireless LAN users access your network with
PEAP, arrange the databases in the Selected Databases list so that unknown user
authentication takes less than the timeout value specified on the Cisco Aironet
Access Point.
As a posture validation example, if some NAC clients send more credential types
in their posture validation requests than other NAC clients, place higher on the
Selected Databases list the NAC databases with the more mandatory credential
types; otherwise, Cisco Secure ACS may use a NAC database whose policies do
not evaluate client posture using the additional credential types sent by the NAC
client.