8-4
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing Internal Identity Stores
Identity Sequences
You can configure a complex condition where multiple identity stores and profiles are used to process a
request. You can define these identity methods in an Identity Sequence object. The identity methods
within a sequence can be of any type.
The identity sequence is made up of two components, one for authentication and the other for retrieving
attributes.
If you choose to perform authentication based on a certificate, a single certificate authentication
profile is used.
If you choose to perform authentication on an identity database, you can define a list of identity
databases to be accessed in sequence until the authentication succeeds. If the authentication
succeeds, the attributes within the database are retrieved.
In addition, you can configure an optional list of databases from which additional attributes can be
retrieved. These additional databases can be configured irrespective of whether you use password-based
or certificate-based authentication.
If a certificate-based authentication is performed, the username is populated from a certificate attribute
and this username is used to retrieve attributes from all the databases in the list. For more information
on certificate attributes, see Configuring CA Certificates, page 8-68.
When a matching record is found for the user, the corresponding attributes are retrieved. ACS retrieves
attributes even for users whose accounts are disabled or whose passwords are marked for change.
Note An internal user account that is disabled is available as a source for attributes, but not for authentication.
For more information on identity sequences, see Configuring Identity Store Sequences, page 8-74.
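The two-phase behaviour described above (authenticate against a list of databases in order until one succeeds, then retrieve attributes from the authenticating database plus an optional list of additional attribute databases, with disabled accounts usable as an attribute source but not for authentication) is easier to follow as a small model. The following Python is an added illustration, not Cisco ACS code: the store names, the SHA-256 password-hash storage, the rule that a later store overrides an earlier one on an attribute-name collision, and the assumption that certificate validation has already been done by the certificate authentication profile are all choices made for this example.

```python
"""Model of an identity sequence as the guide describes it (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import hashlib
import hmac


def _hash_password(password: str) -> str:
    # Constructed storage format for the sample stores; real stores differ.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserRecord:
    password_hash: str
    attributes: Dict[str, str]
    disabled: bool = False
    password_change_required: bool = False


class IdentityStore:
    """One identity database (internal users, LDAP, AD, ...)."""

    def __init__(self, name: str, users: Dict[str, UserRecord]) -> None:
        self.name = name
        self.users = users

    def lookup(self, username: str) -> Optional[UserRecord]:
        # Attribute retrieval: a matching record counts even if it is disabled
        # or its password is marked for change.
        return self.users.get(username)

    def authenticate(self, username: str, password: str) -> bool:
        # Authentication: unknown and disabled accounts are rejected.
        rec = self.users.get(username)
        if rec is None or rec.disabled:
            return False
        return hmac.compare_digest(rec.password_hash, _hash_password(password))


@dataclass
class SequenceResult:
    success: bool
    username: Optional[str]
    authenticating_store: Optional[str]
    attributes: Dict[str, str]


def retrieve_attributes(username: str, stores: List[IdentityStore]) -> Dict[str, str]:
    """Merge attributes for username from every store holding a record.

    Assumption for this illustration: a later store overrides an earlier one
    when both define the same attribute name.
    """
    merged: Dict[str, str] = {}
    for store in stores:
        rec = store.lookup(username)
        if rec is not None:
            merged.update(rec.attributes)
    return merged


def run_password_sequence(username: str, password: str,
                          auth_stores: List[IdentityStore],
                          attribute_stores: List[IdentityStore]) -> SequenceResult:
    """Password-based sequence: stores are tried in order; the first success wins."""
    for store in auth_stores:
        if store.authenticate(username, password):
            attrs = retrieve_attributes(username, [store] + attribute_stores)
            return SequenceResult(True, username, store.name, attrs)
    return SequenceResult(False, username, None, {})


def run_certificate_sequence(cert_attributes: Dict[str, str], username_attribute: str,
                             attribute_stores: List[IdentityStore]) -> SequenceResult:
    """Certificate-based sequence: the username is taken from a certificate attribute.

    Certificate validation (the certificate authentication profile) is assumed
    to have already succeeded; only the attribute phase is modelled here.
    """
    username = cert_attributes.get(username_attribute)
    if username is None:
        return SequenceResult(False, None, None, {})
    attrs = retrieve_attributes(username, attribute_stores)
    return SequenceResult(True, username, "certificate-profile", attrs)


# Constructed sample stores: bob is disabled internally but active in LDAP.
INTERNAL = IdentityStore("internal-users", {
    "alice": UserRecord(_hash_password("alice-pw"), {"dept": "eng"}),
    "bob": UserRecord(_hash_password("bob-pw"), {"dept": "ops"}, disabled=True),
})
LDAP = IdentityStore("ldap-corp", {
    "bob": UserRecord(_hash_password("bob-ldap-pw"), {"group": "netadmin"}),
})
HR = IdentityStore("hr-attributes", {
    "alice": UserRecord("", {"employee_id": "1001"}),
    "bob": UserRecord("", {"employee_id": "1002"}),
})


if __name__ == "__main__":
    # bob fails in the internal store (disabled), succeeds in LDAP, and still
    # receives the internal store's attributes via the additional-attribute list.
    print(run_password_sequence("bob", "bob-ldap-pw", [INTERNAL, LDAP], [INTERNAL, HR]))
```

Running the module shows the point the Note above makes: bob's disabled internal account cannot authenticate, so the sequence falls through to LDAP, yet the internal record still contributes its attributes when the internal store is listed as an additional attribute source.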
This chapter contains the following sections:
Managing Internal Identity Stores, page 8-4
Managing External Identity Stores, page 8-22
Configuring CA Certificates, page 8-68
Configuring Certificate Authentication Profiles, page 8-72
Configuring Identity Store Sequences, page 8-74
Managing Internal Identity Stores
ACS contains an identity store for users and an identity store for hosts:
The internal identity store for users is a repository of users, user attributes, and user authentication
options.
The internal identity store for hosts contains information about hosts for MAC Authentication
Bypass (Host Lookup).
You can define each user and host in the identity stores, and you can import files of users and hosts.
The identity store for users is shared across all ACS instances in a deployment and includes for each user:
Standard attributes
User attributes