8-47
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Dial-in Support Attributes
The user attributes on Active Directory are supported on the following servers:
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
ACS does not support Dial-in users on Windows 2000.
ACS Response
If you enable the dial-in check on ACS Active Directory and the user's dial-in option is 'Deny Access'
on Active Directory, the authentication request is rejected with a message in the log indicating that
dial-in access is denied. If a user fails an MSCHAP v1/v2 authentication because dial-in is not enabled,
ACS should set a proper error code (NT error = 649) on the EAP response.
If the callback options are enabled, the ACS RADIUS response contains the returned Service
Type and Callback Number attributes as follows:
• If the callback option is Set by Caller or Always Callback To, the service-type attribute should be
queried on Active Directory during the user authentication. The service-type can be one of the following:
– 3 = Callback Login
– 4 = Callback Framed
– 9 = Callback NAS Prompt
This attribute should be returned to the device in the Service-Type RADIUS attribute. If ACS is already
configured to return the Service-Type attribute in the RADIUS response, the service-type value queried
for the user on Active Directory replaces it.
• If the callback option is Always Callback To, the callback number should also be queried on the
Active Directory user. This value is set in the RADIUS response in the Cisco-AV-Pair attribute with
the following values:
– cisco-av-pair=lcp:callback-dialstring=[callback number value]
– cisco-av-pair=Shell:callback-dialstring=[callback number value]
– cisco-av-pair=Slip:callback-dialstring=[callback number value]
– cisco-av-pair=Arap:callback-dialstring=[callback number value]
The callback number value is also returned in the RADIUS response, using the RADIUS attribute
Callback-Number (#19).
• If the callback option is Set by Caller, the RADIUS response contains the following attributes with no
value:
– cisco-av-pair=lcp:callback-dialstring=
– cisco-av-pair=Shell:callback-dialstring=
– cisco-av-pair=Slip:callback-dialstring=
– cisco-av-pair=Arap:callback-dialstring=
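The following is an added example, not code from Cisco ACS or this guide: it models the response rules described above (dial-in deny with NT error 649 on MSCHAP failure, Service-Type 3/4/9 overriding a configured value, and the Cisco-AV-Pair and Callback-Number attributes for the two callback options) so an administrator can check what a given Active Directory dial-in configuration should produce. The function and parameter names, the attribute dictionary layout, and the sample values are assumptions.

```python
"""Model of the RADIUS attributes ACS returns for an Active Directory dial-in user.

Added example (not Cisco code): names, parameters and the result layout are assumptions.
"""
from enum import Enum


class Callback(Enum):
    NO_CALLBACK = "No Callback"
    SET_BY_CALLER = "Set by Caller"
    ALWAYS_CALLBACK_TO = "Always Callback To"


# Service-Type values that Active Directory can return for callback users.
CALLBACK_SERVICE_TYPES = {3: "Callback Login", 4: "Callback Framed", 9: "Callback NAS Prompt"}
# Cisco-AV-Pair prefixes used for the callback dial string.
AV_PAIR_PREFIXES = ("lcp", "Shell", "Slip", "Arap")


def build_response(dial_in_allowed, callback=Callback.NO_CALLBACK, callback_number=None,
                   ad_service_type=None, configured_service_type=None, mschap=False):
    """Return (accepted, attributes) for the given AD dial-in settings.

    configured_service_type is a Service-Type ACS is already configured to return;
    ad_service_type is the value queried from Active Directory for callback users.
    """
    if not dial_in_allowed:
        # 'Deny Access' on AD: reject and log; MSCHAP v1/v2 gets NT error 649 on the EAP response.
        reject = {"log": "dial-in access denied"}
        if mschap:
            reject["nt_error"] = 649
        return False, reject

    attrs = {}
    if configured_service_type is not None:
        attrs["Service-Type"] = configured_service_type

    if callback in (Callback.SET_BY_CALLER, Callback.ALWAYS_CALLBACK_TO):
        if ad_service_type not in CALLBACK_SERVICE_TYPES:
            raise ValueError("AD must supply Service-Type 3, 4 or 9 for a callback user")
        attrs["Service-Type"] = ad_service_type  # AD value replaces the configured one

    if callback is Callback.ALWAYS_CALLBACK_TO:
        if not callback_number:
            raise ValueError("Always Callback To requires a callback number on the AD user")
        attrs["Callback-Number"] = callback_number  # RADIUS attribute 19
        attrs["cisco-av-pair"] = [f"{p}:callback-dialstring={callback_number}" for p in AV_PAIR_PREFIXES]
    elif callback is Callback.SET_BY_CALLER:
        attrs["cisco-av-pair"] = [f"{p}:callback-dialstring=" for p in AV_PAIR_PREFIXES]
    return True, attrs
```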