Table of Contents
Advertisement
Chapter 15
Unknown User Policy
Authorization of Unknown Users
Unknown User Policy Options
78-16592-01
Although the Unknown User Policy allows authentication and posture validation
requests to be processed by databases configured in the External User Database
section, Cisco Secure ACS is responsible for all authorizations sent to AAA
clients and end-user clients. Posture validation and unknown user authentication
work with Cisco Secure ACS user group mapping features to assign unknown
users to user groups you have already configured and, therefore, to assign
authorization to all NAC clients and to unknown users who pass authentication.
For more information, see
On the Configure Unknown User Policy page you can specify what Cisco Secure
ACS does for posture validation and unknown user authentication. The options for
configuring the Unknown User Policy are as follows:
Fail the attempt—Disables unknown user authentication; therefore,
•
Cisco Secure ACS rejects authentication requests for users not found in the
CiscoSecure user database. Selecting this option excludes the use of the
"Check the following external user databases" option.
The "Fail the attempt" option does not apply to posture validation
Note
requests. For every posture validation request, Cisco Secure ACS
always applies the Unknown User Policy.
Check the following external user databases—Enables unknown user
•
authentication; therefore, Cisco Secure ACS uses the databases in the
Selected Databases list to provide unknown user authentication.
For authentication requests, Cisco Secure ACS applies the Unknown
Note
User Policy to unknown users only. Cisco Secure ACS does not
support fallback to unknown user authentication when known or
discovered users fail authentication.
Selecting this option excludes the use of the "Fail the attempt" option.
Chapter 16, "User Group Mapping and
User Guide for Cisco Secure ACS for Windows Server
Authorization of Unknown Users
Specification".
15-13
Advertisement
Table of Contents
Troubleshooting
