Filter
Top Products
8-62
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
RADIUS Identity Store in Identity Sequence
You can add the RADIUS identity store for authentication sequence in an identity sequence. However,
you cannot add the RADIUS identity store for attribute retrieval sequence because you cannot query the
RADIUS identity store without authentication. ACS cannot distinguish between different error cases
while authenticating with a RADIUS server.
RADIUS servers return an Access-Reject message for all error cases. For example, when a user is not
found in the RADIUS server, instead of returning a User Unknown status, the RADIUS server returns
an Access-Reject message.
You can, however, enable the Treat Rejects as Authentication Failure or User Not Found option available
in the RADIUS identity store pages of the ACS web interface.
Authentication Failure Messages
When a user is not found in the RADIUS server, the RADIUS server returns an Access-Reject message.
ACS provides you the option to configure this message through the ACS web interface as either
Authentication Failed or Unknown User.
However, this option returns an Unknown User message not only for cases where the user is not known,
but for all failure cases.
Table 8-15 lists the different failure cases that are possible with RADIUS identity servers.
Username Special Format with Safeword Server
Safeword token server supports authentication with the following username format:
Username—Username, OTP
ACS parses the username and converts this to:
Username—Username
Table 8-15 Error Handling
Cause of Authentication Failure Failure Cases
Authentication Failed
• User is unknown.
• User attempts to login with wrong passcode.
• User logon hours expired.
Process Failed
• RADIUS server is configured incorrectly in
ACS.
• RADIUS server is unavailable.
• RADIUS packet is detected as malformed.
• Problem during sending or receiving a packet
from the RADIUS server.
• Timeout.
Unknown User Authentication failed and the 'Fail on Reject'
option is set to false.