Network Access Authorization; Unknown User Policy - Cisco 2509 - Router - EN User Manual

Unknown User Processing

Network Access Authorization

Unknown User Policy

User Guide for Cisco Secure ACS for Windows Server
12-8
The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS
configured to search through several databases or if your databases are large, you
might need to increase this value in your AAA client configuration file. For more
information, refer to your Cisco IOS documentation.
While the Unknown User Policy allows authentication requests to be forwarded
to external user databases, all responsibility for the authorization parameters
provided to the AAA client remains with Cisco Secure ACS. External user
databases provide authentication services, and Cisco Secure ACS then provides
the additional authorization information that is sent to the AAA client in the
RADIUS or TACACS+ response packet. For more information about assignment
of user authorization, see
You can configure how Cisco Secure ACS processes unknown users on the
Configure Unknown User Policy page, in the External User Databases section of
the HTML interface. The Configure Unknown User Policy page contains the
following fields:
Unknown User Policy—Defines what action Cisco Secure ACS takes if it
•
does not find a matching username in its database. There are two options for
controlling the Unknown User Policy:
– Fail the attempt—Disables unknown user processing.
Cisco Secure ACS rejects authentication requests for any user not found
in the CiscoSecure user database.
Check the following external user databases—Enables unknown user
–
processing. Cisco Secure ACS uses databases in the Selected Databases
list to authenticate users that are not found in the CiscoSecure user
database.
External Databases—Lists the external user databases that
•
Cisco Secure ACS does not use to authenticate unknown users.
Chapter 12
Database Group Mappings, page
Administering External User Databases
12-11.
78-14696-01, Version 3.1