Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
The Engineers' rule is an example of a MAR rule that allows engineers access only if their machine was
successfully authenticated against the Windows DB.
The Managers' rule is an example of an exemption from MAR.
Dial-in Permissions
The dial-in permissions of a user are checked during authentications or queries from Active Directory.
The dial-in check is supported only for user authentications, not for machine authentications, in the
following authentication protocols:
- PAP
- MSCHAPv2
- EAP-FAST
- PEAP
- EAP-TLS
The following results are possible:
- Allow Access
- Deny Access
- Control Access through Remote Access Policy. This option is available only for Windows 2000
  native and Windows Server 2003 domains.
- Control Access through NPS Network Policy. This is the default result. This option is available only
  for Windows Server 2008 and Windows 2008 R2 domains.
Callback Options for Dial-in Users
If the callback option is enabled, the server calls the caller back during the connection process. The phone
number that the server uses is set either by the caller or by the network administrator.
The possible callback options are:
- No callback
- Set by Caller (Routing and Remote Access service only). This option can be used to define a series of
  static IP routes that are added to the routing table of the server running the Routing and Remote
  Access service when a connection is made.
- Always callback to (with an option to set a number). This option can be used to assign a specific IP
  address to a user when a connection is made.
The callback attributes should be returned in the RADIUS response to the device.
AD Group     Machine Authentication Required     ATZ profile
Engineers    Yes                                 VLAN X
Managers     No                                  VLAN B
                                                 DENY ACCESS
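
The MAR rule table and the dial-in check described on this page, modelled as an added Python example (not Cisco ACS code and not part of the original guide). The Request fields, the first-match evaluation order, and treating a dial-in Deny as an outright reject are assumptions made for illustration.

```python
# Added illustration: a model of the decision flow, not Cisco ACS code.
from dataclasses import dataclass
from typing import Optional

# Protocols for which the page says the dial-in check is supported.
DIALIN_PROTOCOLS = {"PAP", "MSCHAPv2", "EAP-FAST", "PEAP", "EAP-TLS"}

# Example rule table from the page: (AD group, machine auth required, ATZ profile).
MAR_RULES = [
    ("Engineers", True, "VLAN X"),
    ("Managers", False, "VLAN B"),
]
DEFAULT_RESULT = "DENY ACCESS"


@dataclass
class Request:
    # All field names are hypothetical, chosen for this example.
    ad_groups: set
    protocol: str
    is_machine: bool = False             # machine vs. user authentication
    machine_authenticated: bool = False  # did the user's machine authenticate earlier?
    dialin: Optional[bool] = None        # True=Allow, False=Deny, None=policy-controlled


def dialin_denied(req: Request) -> bool:
    """Dial-in is checked only for user authentications in the listed protocols."""
    if req.is_machine or req.protocol not in DIALIN_PROTOCOLS:
        return False
    return req.dialin is False


def authorize(req: Request) -> str:
    """First matching rule wins; a request that matches no rule is denied."""
    if dialin_denied(req):  # assumption: a dial-in Deny rejects the request outright
        return DEFAULT_RESULT
    for group, mar_required, profile in MAR_RULES:
        # A rule matches on group membership; a MAR rule additionally
        # requires that the machine was authenticated beforehand.
        if group in req.ad_groups and (req.machine_authenticated or not mar_required):
            return profile
    return DEFAULT_RESULT
```

An engineer on a machine that did not authenticate falls through to the default deny, while a manager is exempt from the machine check.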