8-44
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Attribute Retrieval for Authorization
You can configure ACS to retrieve user or machine AD attributes to be used in authorization and group
mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level
for the user or machine.
ACS retrieves user and machine AD attributes after a successful user or machine authentication and can
also retrieve the attributes for authorization and group mapping purposes independent of authentication.
Group Retrieval for Authorization
ACS can retrieve user or machine groups from Active Directory after a successful authentication and
also retrieve the user or machine group independent of authentication for authorization and group
mapping purposes. You can use the AD group data in the authorization and group mapping tables and
introduce special conditions to match them against the retrieved groups.
Certificate Retrieval for EAP-TLS Authentication
ACS 5.3 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol.
The user or machine record on AD includes a certificate attribute of binary data type. This can contain
one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to
configure any other name for this attribute.
ACS retrieves this certificate for verifying the identity of the user or machine. The certificate
authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other
name) to be used for retrieving the certificates.
After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client
certificate. When multiple certificates are received, ACS compares each of them to check whether one of
them matches. When a match is found, ACS grants the user or machine access to the network.
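The binary comparison described above, as an added illustration that is not Cisco ACS code: the directory attribute is modelled as a list of byte strings (one per value of the multi-valued userCertificate attribute), and, as an assumption for robustness, a single value holding several concatenated DER certificates is split on the outer SEQUENCE boundaries before comparison. The selection of the certificate by profile field (SAN, CN, and so on) is not modelled; every retrieved certificate is compared byte for byte against the client's DER, and any match is accepted. The sample certificates are constructed DER SEQUENCE wrappers, not real X.509 data.

```python
"""Byte-for-byte matching of an EAP-TLS client certificate against the
certificates stored on an AD user or machine object.
Illustrative example only; not Cisco ACS code."""
import hmac
from typing import List


def split_der_sequences(blob: bytes) -> List[bytes]:
    """Split a byte string into its top-level DER SEQUENCE elements (tag 0x30).
    A DER X.509 certificate is one SEQUENCE, so a value that holds several
    concatenated certificates (assumed possible here) yields one entry each.
    Trailing garbage or a truncated element raises ValueError."""
    out = []
    i, n = 0, len(blob)
    while i < n:
        if blob[i] != 0x30:
            raise ValueError(f"expected SEQUENCE tag at offset {i}")
        if i + 1 >= n:
            raise ValueError("truncated length field")
        first = blob[i + 1]
        if first < 0x80:                      # short-form length
            length, hdr = first, 2
        else:                                 # long-form: 0x8N + N length bytes
            nbytes = first & 0x7F
            if nbytes == 0 or i + 2 + nbytes > n:
                raise ValueError("bad long-form length")
            length = int.from_bytes(blob[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        end = i + hdr + length
        if end > n:
            raise ValueError("certificate extends past end of attribute value")
        out.append(blob[i:end])
        i = end
    return out


def certificates_from_attribute(values: List[bytes]) -> List[bytes]:
    """Flatten all values of the binary attribute into individual certificates."""
    certs: List[bytes] = []
    for v in values:
        certs.extend(split_der_sequences(v))
    return certs


def client_cert_matches(client_der: bytes, attribute_values: List[bytes]) -> bool:
    """True if the client certificate is identical to any stored certificate.
    compare_digest keeps the comparison time independent of where the first
    differing byte lies, so a mismatch leaks nothing about the stored data."""
    return any(hmac.compare_digest(cert, client_der)
               for cert in certificates_from_attribute(attribute_values))


# --- constructed sample data (not real certificates) ---------------------
def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE header; test data only."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + payload


CERT_A = der_sequence(b"constructed-cert-A")
CERT_B = der_sequence(b"constructed-cert-B" * 20)   # >127 bytes: long-form length
CERT_C = der_sequence(b"constructed-cert-C")

# Two attribute values: one single certificate, one with two concatenated.
SAMPLE_ATTRIBUTE = [CERT_A, CERT_B + CERT_C]

if __name__ == "__main__":
    print(len(certificates_from_attribute(SAMPLE_ATTRIBUTE)), "certificates retrieved")
    print("client C matches:", client_cert_matches(CERT_C, SAMPLE_ATTRIBUTE))
```

A certificate that differs from a stored one by a single byte (for instance, a re-issued certificate with a new serial number) does not match, which is exactly the behaviour a binary comparison implies: the directory must hold the current certificate, not merely one with the same subject.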
Concurrent Connection Management
After ACS connects to the AD domain, at startup, ACS creates a number of threads to be used by the AD
identity store for improved performance. Each thread has its own connection.
User and Machine Account Restrictions
While authenticating or querying a user or a machine, ACS checks whether:
The user account is disabled
The user is locked out
The user’s account has expired
The query is run outside of the specified logon hours
If the user has one of these limitations, the AD1::IdentityAccessRestricted attribute on the AD dedicated
dictionary is set to indicate that the user has restricted access. You can use this attribute in group mapping
and authorization rules.
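The four checks above, worked through as an added example that is not Cisco ACS code: each check is evaluated from the standard AD schema attributes (userAccountControl, lockoutTime, accountExpires, logonHours), and the result is collapsed into a single restricted-access flag in the spirit of AD1::IdentityAccessRestricted. Assumptions: the directory lookup returns those attributes as integers and bytes as shown; the domain's lockout duration is passed in as a parameter because it is domain policy rather than a per-user attribute; and logonHours is read in its conventional layout of 168 bits starting at Sunday 00:00 UTC, least-significant bit first. All entries are constructed sample data.

```python
"""Evaluate AD account restrictions before authorization and derive a
restricted-access flag. Illustrative example only; not Cisco ACS code."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ACCOUNTDISABLE = 0x0002                  # flag bit in userAccountControl
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"


def filetime_to_datetime(ft: int) -> datetime:
    """AD FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return AD_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - AD_EPOCH) / timedelta(microseconds=1)) * 10


def hour_of_week(now: datetime) -> int:
    """0 = Sunday 00:00 UTC ... 167 = Saturday 23:00 UTC."""
    now = now.astimezone(timezone.utc)
    return ((now.weekday() + 1) % 7) * 24 + now.hour


def logon_hours_permit(logon_hours: Optional[bytes], now: datetime) -> bool:
    """logonHours is 21 bytes = 168 bits, one per hour of the week (assumed
    layout: bit 0 of byte 0 is Sunday 00:00-01:00 UTC, LSB first).
    An absent attribute means no restriction."""
    if not logon_hours:
        return True
    h = hour_of_week(now)
    return bool((logon_hours[h // 8] >> (h % 8)) & 1)


def account_restrictions(entry: dict, now: datetime,
                         lockout_duration: timedelta) -> List[str]:
    """Return the list of restrictions that apply to the account (empty if none)."""
    reasons = []
    if entry.get("userAccountControl", 0) & ACCOUNTDISABLE:
        reasons.append("disabled")
    lt = entry.get("lockoutTime", 0)
    # A lockout clears once the domain's lockout duration has elapsed.
    if lt and now < filetime_to_datetime(lt) + lockout_duration:
        reasons.append("locked_out")
    exp = entry.get("accountExpires", 0)
    if exp not in NEVER_EXPIRES and now >= filetime_to_datetime(exp):
        reasons.append("expired")
    if not logon_hours_permit(entry.get("logonHours"), now):
        reasons.append("outside_logon_hours")
    return reasons


def identity_access_restricted(entry: dict, now: datetime,
                               lockout_duration: timedelta = timedelta(minutes=30)) -> bool:
    """The single flag a policy rule would consume: any restriction sets it."""
    return bool(account_restrictions(entry, now, lockout_duration))


# --- constructed sample data --------------------------------------------
NOW = datetime(2024, 1, 7, 0, 30, tzinfo=timezone.utc)   # a Sunday, 00:30 UTC
ALL_HOURS = bytes([0xFF] * 21)
NO_SUNDAY_EARLY = bytes([0xFE]) + bytes([0xFF] * 20)    # Sunday 00:00-01:00 cleared
LOCKOUT = timedelta(minutes=30)

SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": 0x0200, "lockoutTime": 0,
              "accountExpires": 0, "logonHours": ALL_HOURS},
    "bob":   {"userAccountControl": 0x0202, "accountExpires": 0},        # disabled
    "carol": {"lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    "dave":  {"accountExpires": datetime_to_filetime(
                  datetime(2020, 1, 1, tzinfo=timezone.utc))},           # expired
    "erin":  {"logonHours": NO_SUNDAY_EARLY},                            # wrong hour
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, account_restrictions(entry, NOW, LOCKOUT))
```

Keeping the individual reasons alongside the collapsed flag is worth the extra few lines: the flag drives the group mapping or authorization rule, while the reasons give the operator something to log when a request is denied.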