Cisco Secure ACS Authentication Process with a Generic LDAP User Database - Cisco Servers User Manual

For Windows 2000/NT Servers

Chapter 11
Working with User Databases
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
78-13751-01, Version 3.0
This section contains the following topics:
Cisco Secure ACS Authentication Process with a Generic LDAP User Database
Multiple LDAP Instances
LDAP Organizational Units and Groups
Directed Authentications
LDAP Failover
Configuring a Generic LDAP External User Database
Cisco Secure ACS forwards user authentication requests to an LDAP database in
one of two scenarios. The first scenario is when the user's account in the
CiscoSecure user database lists an LDAP configuration as the authentication
method. The second is when the user is unknown to the CiscoSecure user database
and the Unknown User Policy dictates that an LDAP database is the next external
user database to try.
In either case, Cisco Secure ACS forwards the username and password to the
LDAP database. The LDAP database either passes or fails the authentication
request from Cisco Secure ACS. Upon receiving the response from the LDAP
database, Cisco Secure ACS instructs the requesting AAA client to grant or deny
the user access, depending upon the response from the LDAP server.
Cisco Secure ACS grants authorization based on the Cisco Secure ACS group to
which the user is assigned. While the group to which a user is assigned can be
determined by information from the LDAP server, it is Cisco Secure ACS that
grants authorization privileges. See Figure 11-3 on page 11-16.
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
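The following Python sketch is an added example, not code from Cisco or from the manual. It models the flow described above: the two scenarios that send a request to LDAP, the pass or fail result, and authorization taken from the Cisco Secure ACS group rather than from the directory. Every class, field, group and privilege name in it is a hypothetical assumption, and the directories are constructed sample data.

```python
# Added illustration, not Cisco code: every class, field and group name is hypothetical.
from dataclasses import dataclass

class FakeLdap:
    """Constructed stand-in for a directory; bind() passes or fails."""
    def __init__(self, users):                 # {username: (password, ldap_group)}
        self.users = users

    def bind(self, username, password):
        entry = self.users.get(username)
        # An empty password must never pass: LDAP treats it as an unauthenticated bind.
        if entry and password and entry[0] == password:
            return entry[1]                    # group info, used only for mapping
        return None

@dataclass
class AcsModel:
    local_users: dict          # username -> LDAP configuration named in the account
    ldap_configs: dict         # configuration name -> FakeLdap
    unknown_user_policy: list  # ordered configurations tried for unknown users
    group_map: dict            # (configuration, ldap_group) -> ACS group
    acs_privileges: dict       # ACS group -> privileges granted by ACS

    def authenticate(self, username, password):
        if username in self.local_users:       # scenario 1: account names LDAP
            candidates = [self.local_users[username]]
        else:                                  # scenario 2: Unknown User Policy
            candidates = self.unknown_user_policy
        for name in candidates:
            ldap_group = self.ldap_configs[name].bind(username, password)
            if ldap_group is None:
                continue                       # this database failed the request
            acs_group = self.group_map.get((name, ldap_group), "unmapped")
            # Authorization comes from the ACS group, never from the directory.
            return "grant", acs_group, self.acs_privileges.get(acs_group, [])
        return "deny", None, []

def build_demo():
    """Constructed sample data: two directories and one known user."""
    hq = FakeLdap({"alice": ("pw-a", "netops")})
    lab = FakeLdap({"bob": ("pw-b", "interns")})
    return AcsModel(
        local_users={"alice": "ldap-hq"},
        ldap_configs={"ldap-hq": hq, "ldap-lab": lab},
        unknown_user_policy=["ldap-hq", "ldap-lab"],
        group_map={("ldap-hq", "netops"): "Admins", ("ldap-lab", "interns"): "ReadOnly"},
        acs_privileges={"Admins": ["show", "configure"], "ReadOnly": ["show"]},
    )
```

In this model a directory group that has no mapping lands in the hypothetical "unmapped" group with no privileges, so a successful LDAP authentication alone never confers access rights.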
