Support User Manuals

Cisco Systems OL-24201-01 Camera Accessories User Manual

Open as PDF

of 650

8-47

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Dial-in Support Attributes

The user attributes on Active Directory are supported on the following servers:

• Windows server 2003

• Windows server 2003 R2

• Windows server 2008

• Windows server 2008 R2

ACS does not support Dial-in users on Windows 2000.

ACS Response

If you enable the dial-in check on ACS Active Directory and the user's dial-in option is 'Deny Access'

on Active Directory, the authentication request is rejected with a message in the log, indicating that

dial-in access is denied. If a user fails an MSCHAP v1/v2 authentication if the dial-in is not enabled,

ACS should set on the EAP response a proper error code (NT error = 649).

In case that the callback options are enabled, the ACS RADIUS response contains the returned Service

Type and Callback Number attributes as follows:

• If callback option is Set by Caller or Always Callback To, the service-type attribute should be

queried on Active Directory during the user authentication. The service-type can be the following:

–

3 = Callback Login

–

4 = Callback Framed

–

9 = Callback NAS Prompt

This attribute should be returned to the device on Service-type RADIUS attribute. If ACS is already

configured to return service-type attribute on the RADIUS response, the service-type value queried

for the user on Active Directory replaces it.

• If the Callback option is Always Callback To, the callback number should also be queried on the

Active Directory user. This value is set on the RADIUS response on the Cisco-AV-Pair attribute with

the following values:

–

cisco-av-pair=lcp:callback-dialstring=[callback number value]

–

cisco-av-pair=Shell:callback-dialstring=[callback number value]

–

cisco-av-pair=Slip:callback-dialstring=[callback number value]

–

cisco-av-pair=Arap:callback-dialstring=[callback number value]

The callback number value is also returned on the RADIUS response, using the RADIUS attribute

CallbackNumber (#19).

• If callback option is Set by Caller, the RADIUS response contains the following attributes with no

value:

–

cisco-av-pair=lcp:callback-dialstring=

–

cisco-av-pair=Shell:callback-dialstring=

–

cisco-av-pair=Slip:callback-dialstring=

–

cisco-av-pair=Arap:callback-dialstring=

previous next