8-5
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing Internal Identity Stores
Note: ACS 5.3 supports authentication for internal users against the internal identity store only.
This section contains the following topics:
Authentication Information, page 8-5
Identity Groups, page 8-6
Managing Identity Attributes, page 8-7
Configuring Authentication Settings for Users, page 8-9
Creating Internal Users, page 8-11
Viewing and Performing Bulk Operations for Internal Identity Store Users, page 8-15
Creating Hosts in Identity Stores, page 8-16
Viewing and Performing Bulk Operations for Internal Identity Store Hosts, page 8-18
Authentication Information
You can configure an additional password, stored as part of the internal user record, that serves as the
user's TACACS+ enable password; the enable password controls the privilege level the user obtains on the
device. If you do not select this option, the standard user password is also used for TACACS+ enable, so
anyone who holds the user's login password can also reach privileged EXEC on the device.
If the system is not being used for TACACS+ enable operations, do not select this option.
To use the identity store sequence feature, you define the list of identity stores to be accessed, in order.
You can include the same identity store in both the authentication and the attribute retrieval sequence
lists; however, the store that actually authenticates the user is not accessed again for additional attribute
retrieval.
For certificate-based authentication, the username is taken from the configured certificate attribute and
is used for attribute retrieval.
During authentication, the request fails if more than one instance of the user or host exists in the
internal identity stores. For users whose account is disabled or whose password must be changed,
attributes are still retrieved, but authentication is denied.
These types of failures can occur while processing the identity policy:
Authentication failure; possible causes include bad credentials, disabled user, and so on.
User or host does not exist in any of the authentication databases.
Failure occurred while accessing the defined databases.
You can define fail-open options to determine what actions to take when each of these failures occurs:
Reject—Send a reject reply.
Drop—Do not send a reply.
Continue—Continue processing to the next defined policy in the service.
The system attribute, AuthenticationStatus, retains the result of the identity policy processing. If you
choose to continue policy processing when a failure occurs, you can use this attribute in a condition in
subsequent policy processing to distinguish cases where identity policy processing did not succeed.
You can continue processing after an authentication failure only for PAP/ASCII, EAP-TLS, or EAP-MD5.
For all other authentication protocols the request is rejected regardless of the Continue setting, and a
message to this effect is logged.
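The following is an added model of the identity-policy behaviour described above (store sequence, the three failure classes, the per-failure fail-open action, the AuthenticationStatus attribute consumed by a later policy, and the protocol restriction on Continue). It is illustrative code written for this page, not Cisco's implementation; the attribute values, the store and user fields, and the sample users are assumptions.

```python
"""Added model of ACS identity-policy result handling (not Cisco code).
The AuthenticationStatus values, the store/user fields and the sample
users are assumptions made for this example."""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Action(Enum):
    REJECT = "reject"       # send a reject reply
    DROP = "drop"           # send no reply at all
    CONTINUE = "continue"   # keep processing the next policy in the service


class Failure(Enum):
    AUTH_FAILED = "AuthenticationFailed"   # bad credentials, disabled user, ...
    USER_NOT_FOUND = "UserNotFound"        # not in any authentication database
    PROCESS_ERROR = "ProcessError"         # failure while accessing a database


# Protocols for which "Continue" after an authentication failure is honoured.
CONTINUE_ALLOWED = {"PAP", "ASCII", "EAP-TLS", "EAP-MD5"}


@dataclass
class User:
    password: str            # plaintext only because this is a model
    enabled: bool = True
    must_change_password: bool = False
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Store:
    name: str
    users: Dict[str, User]
    available: bool = True


@dataclass
class Result:
    authentication_status: str   # carried in the AuthenticationStatus attribute
    action: Action
    attributes: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


def _fail(failure, fail_open, protocol, attributes, log) -> Result:
    """Apply the configured fail-open action for this failure class."""
    action = fail_open[failure]
    if (action is Action.CONTINUE and failure is Failure.AUTH_FAILED
            and protocol not in CONTINUE_ALLOWED):
        # Continue after an authentication failure is only possible for
        # PAP/ASCII, EAP-TLS and EAP-MD5; anything else is rejected and logged.
        log.append(f"{protocol}: cannot continue after authentication failure")
        action = Action.REJECT
    return Result(failure.value, action, attributes, log)


def evaluate_identity_policy(sequence, username, password, protocol, fail_open):
    """Walk the identity store sequence and classify the outcome."""
    log, hits = [], []
    for store in sequence:
        if not store.available:
            log.append(f"store {store.name} unreachable")
            return _fail(Failure.PROCESS_ERROR, fail_open, protocol, {}, log)
        if username in store.users:
            hits.append((store, store.users[username]))
    if not hits:
        return _fail(Failure.USER_NOT_FOUND, fail_open, protocol, {}, log)
    if len(hits) > 1:
        # More than one instance of the user in the stores: authentication fails.
        log.append(f"{username} is ambiguous: {[s.name for s, _ in hits]}")
        return _fail(Failure.AUTH_FAILED, fail_open, protocol, {}, log)
    _, user = hits[0]
    attributes = dict(user.attributes)
    if not user.enabled or user.must_change_password:
        # Attributes are still retrieved, but authentication is denied.
        log.append(f"{username}: account disabled or password change required")
        return _fail(Failure.AUTH_FAILED, fail_open, protocol, attributes, log)
    if not hmac.compare_digest(user.password.encode(), password.encode()):
        return _fail(Failure.AUTH_FAILED, fail_open, protocol, {}, log)
    return Result("AuthenticationPassed", Action.CONTINUE, attributes, log)


def authorize(result: Result) -> str:
    """A later policy rule conditioned on AuthenticationStatus, so a request
    that continued despite a failure gets only a restricted result."""
    if result.action is not Action.CONTINUE:
        return "no-access"
    if result.authentication_status == "AuthenticationPassed":
        return result.attributes.get("role", "user")
    return "guest"


# Constructed sample data for the example (not from the user guide).
INTERNAL_USERS = Store("Internal Users", {
    "alice": User("s3cret", attributes={"role": "netadmin"}),
    "bob": User("hunter2", enabled=False, attributes={"role": "helpdesk"}),
})
FAIL_OPEN = {Failure.AUTH_FAILED: Action.CONTINUE,
             Failure.USER_NOT_FOUND: Action.REJECT,
             Failure.PROCESS_ERROR: Action.DROP}
```

With this fail-open table, a wrong password over PAP continues to the next policy with AuthenticationStatus set to the failure value, and the authorization rule then yields only guest access; the same wrong password over a protocol outside the allowed set is rejected outright, and a disabled user's attributes are returned even though authentication is denied.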