8-49
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Step 3 Click:
Table 8-10 Active Directory: General Page (continued)

Option    Description

Username: Predefined user in AD. The AD account that ACS uses for domain access must have either of the following:
- The Add workstations to domain user right in the corresponding domain.
- The Create Computer Objects or Delete Computer Objects permission on the corresponding Computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).
We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. If you enter a wrong password, ACS cannot create or modify its machine account when necessary and may therefore deny all authentications.

Password: Enter the user password. The password must have a minimum of 8 characters and contain at least one lowercase letter, one uppercase letter, one numeral, and one special character. All special characters are supported.

Test Connection: Click to test the ACS connection with the AD domain for the user, domain, and password identified in the previous fields. A message appears informing you whether the AD server is routable within the network and whether the given AD username and password authenticate. To join the AD domain, ACS first attempts to create a secure connection. If this is unsuccessful, it then attempts to create an insecure connection.

End User Authentication Settings

Enable password change: Click to allow the password to be changed.

Enable machine authentication: Click to allow machine authentication.

Enable Machine Access Restrictions: Click to ensure that machine authentication results are tied to user authentication and authorization. If you enable this feature, you must set the Aging time.

Aging time (hours): Time after a machine was authenticated during which a user can be authenticated from that machine. If this time elapses, user authentication fails. You must set this time if you checked the Enable Machine Access Restrictions check box.

Enable dial-in check: Click to examine the user's dial-in permissions during authentication or query. The result of the check can cause the authentication to be rejected if the dial-in permission is denied. The result is not stored in the AD dictionary.

Enable callback support for dial-up clients: Click to examine the user's callback option during authentication or query. The result of the check is returned to the device in the RADIUS response. The result is not stored in the AD dictionary.

Connectivity Status

Joined to Domain: (Display only.) After you save the configuration (by clicking Save Changes), shows the domain name with which ACS is joined.

Connectivity Status: (Display only.) After you save the configuration (by clicking Save Changes), shows the connection status of the domain name with which ACS is joined.
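The Machine Access Restrictions rows above describe a rule rather than show it: a user may authenticate from an endpoint only while a successful machine authentication for that endpoint is younger than the Aging time, otherwise the user authentication fails. The following Python model of that check is an added example, not Cisco's code or ACS's implementation; it assumes, for illustration only, that machine and user authentications are correlated by the endpoint's Calling-Station-ID (MAC address), and the event log it replays is constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not ACS code: a model of the Machine Access Restrictions (MAR)
# aging rule from Table 8-10. Assumption: machine and user authentications are
# correlated by the endpoint's Calling-Station-ID (MAC address).


class MachineAccessRestrictions:
    def __init__(self, aging_hours: int) -> None:
        # The page states that Aging time must be set when MAR is enabled.
        if aging_hours <= 0:
            raise ValueError("Aging time must be set when MAR is enabled")
        self.aging = timedelta(hours=aging_hours)
        self._last_machine_auth: Dict[str, datetime] = {}

    def record_machine_auth(self, calling_station_id: str, when: datetime) -> None:
        # A successful machine authentication (re)starts the aging window.
        self._last_machine_auth[calling_station_id.upper()] = when

    def user_auth_allowed(self, calling_station_id: str, when: datetime) -> Tuple[bool, str]:
        # Tie the user authentication to the most recent machine authentication
        # from the same endpoint; no record or an aged-out record means reject.
        last = self._last_machine_auth.get(calling_station_id.upper())
        if last is None:
            return False, "no machine authentication on record for this endpoint"
        if when - last > self.aging:
            return False, "machine authentication aged out"
        return True, "machine authentication within aging window"


def evaluate_log(aging_hours: int, events: List[Tuple[datetime, str, str]]) -> List[Tuple[str, str, bool, str]]:
    """Replay (time, kind, station) events in order; return one decision per user event."""
    mar = MachineAccessRestrictions(aging_hours)
    decisions = []
    for when, kind, station in events:
        if kind == "machine":
            mar.record_machine_auth(station, when)
        elif kind == "user":
            ok, reason = mar.user_auth_allowed(station, when)
            decisions.append((when.isoformat(), station, ok, reason))
    return decisions


# Constructed sample events (hypothetical MAC addresses), not real log data.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 8, 0), "machine", "00-11-22-33-44-55"),
    (datetime(2024, 1, 1, 8, 5), "user", "00-11-22-33-44-55"),    # allowed: 5 min after machine auth
    (datetime(2024, 1, 1, 8, 6), "user", "AA-BB-CC-DD-EE-FF"),    # rejected: never machine-authenticated
    (datetime(2024, 1, 1, 17, 30), "user", "00-11-22-33-44-55"),  # rejected: 9.5 h > 8 h aging time
]

if __name__ == "__main__":
    for row in evaluate_log(8, SAMPLE_EVENTS):
        print(row)
```

The third sample event shows the operational consequence of the Aging time: a laptop that machine-authenticated at 08:00 with an 8-hour window is refused user authentication at 17:30, so the window must cover the longest expected session or be refreshed by a new machine authentication.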