8-63
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Safeword token servers support both formats. ACS works with various token servers. When you
configure a Safeword server, you must check the Safeword Server check box so that ACS parses the
username and converts it to the specified format.
This conversion is done in the RADIUS token server identity store before the request is sent to the
RADIUS token server.
User Attribute Cache
RADIUS token servers, by default, do not support user lookups. However, the user lookup functionality
is essential for the following ACS features:
- PEAP session resume—Happens after successful authentication during EAP session establishment
- EAP-FAST fast reconnect—Happens after successful authentication during EAP session establishment
- TACACS+ (T+) Authorization—Happens after successful T+ Authentication
ACS caches the results of successful authentications to process user lookup requests for these features.
For every successful authentication, the name of the authenticated user and the retrieved attributes are
cached. Failed authentications are not written to the cache.
The cache is held in memory at runtime and is not replicated between ACS nodes in a distributed
deployment. You can configure the time to live (TTL) limit for the cache through the ACS web interface:
enable the identity caching option and set the aging time in minutes. Entries remain in memory for the
specified amount of time and are then discarded.
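The following is an added example that is not part of the Cisco guide; it is a constructed Python model of the cache behaviour described above (cache only successful authentications, age entries out after the configured time, no replication between nodes), with an injectable clock so the aging can be exercised deterministically. The attribute values and usernames are made up.

```python
import time


class UserAttributeCache:
    """Constructed model of the ACS user attribute cache for a RADIUS token store:
    only successful authentications are stored, entries age out after
    aging_minutes, and each instance lives in memory on a single node."""

    def __init__(self, aging_minutes: int, enabled: bool = True, clock=time.time):
        self.aging_seconds = aging_minutes * 60
        self.enabled = enabled
        self._clock = clock            # injectable for deterministic tests
        self._entries = {}             # username -> (expiry timestamp, attributes)

    def record_authentication(self, username, success, attributes=None):
        """Called after each authentication; returns True if an entry was cached."""
        if not self.enabled or not success:
            return False               # failed authentications are never written
        expiry = self._clock() + self.aging_seconds
        self._entries[username] = (expiry, dict(attributes or {}))
        return True

    def lookup(self, username):
        """User lookup as used by PEAP session resume, EAP-FAST fast reconnect and
        TACACS+ authorization; None means the lookup cannot be served from cache."""
        entry = self._entries.get(username)
        if entry is None:
            return None
        expiry, attributes = entry
        if self._clock() >= expiry:
            del self._entries[username]  # aged out after the configured TTL
            return None
        return dict(attributes)


class FakeClock:
    """Replaces time.time() so the example can move time forward on demand."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance_minutes(self, minutes):
        self.now += minutes * 60


def demo():
    """Two ACS nodes with separate caches, a 10-minute aging time, one success
    and one failure; returns what each lookup sees."""
    clock = FakeClock()
    node_a = UserAttributeCache(aging_minutes=10, clock=clock)
    node_b = UserAttributeCache(aging_minutes=10, clock=clock)  # not replicated
    node_a.record_authentication("alice", True, {"group": "vpn-users"})  # constructed
    node_a.record_authentication("bob", False)                          # failed auth
    results = {
        "alice_on_a": node_a.lookup("alice"),   # served from cache
        "alice_on_b": node_b.lookup("alice"),   # other node never saw the auth
        "bob_on_a": node_a.lookup("bob"),       # failures are not cached
    }
    clock.advance_minutes(11)
    results["alice_after_ttl"] = node_a.lookup("alice")  # aged out
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two points a deployment should plan for are visible in `demo()`: a session resume or fast reconnect that lands on a different node than the original authentication finds no entry, and once the aging time passes the client is forced through a full authentication again.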
Creating, Duplicating, and Editing RADIUS Identity Servers
ACS 5.3 supports the RADIUS identity server as an external identity store for the increased security that
one-time passwords provide. RADIUS identity servers provide two-factor authentication to ensure the
authenticity of the users.
To authenticate users against a RADIUS identity store, you must first create the RADIUS identity server
in ACS and configure the settings for the RADIUS identity store. ACS 5.3 supports the following
authentication protocols:
- RADIUS PAP
- TACACS+ ASCII/PAP
- PEAP with inner EAP-GTC
- EAP-FAST with inner EAP-GTC
For a successful authentication with a RADIUS identity server, ensure that:
- The gateway devices between the RADIUS identity server and ACS allow communication over the
  UDP port.
- The shared secret that you configure for the RADIUS identity server on the ACS web interface is
  identical to the shared secret configured on the RADIUS identity server.
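To show why the shared secret must match on both sides, here is an added example (not Cisco code and not part of the guide) that models one RADIUS PAP exchange between ACS and a RADIUS token server per RFC 2865: the User-Password attribute is obscured with the shared secret and Request Authenticator, and the reply carries a Response Authenticator that ACS checks with its own copy of the secret. The token server, the one-time password table, the username and the secrets are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obscure User-Password as in RFC 2865 section 5.2: pad to 16-byte blocks and
    XOR each block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Minimal TLV walk over the attribute area; returns {type: value}."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, authenticator=None):
    """The Access-Request ACS sends to the RADIUS identity server for RADIUS PAP."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def verify_response(response, request_authenticator, secret):
    """ACS-side check of the Response Authenticator (RFC 2865 section 3)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def token_server_handle(request, secret, otp_table):
    """Constructed stand-in for the RADIUS token server: recover the password,
    compare it with the user's current OTP and answer with a signed Accept/Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in otp_table and hmac.compare_digest(otp, otp_table[user])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def run_exchange(acs_secret, server_secret, authenticator=None):
    """ACS authenticates 'alice' with her current OTP; returns
    (reply code, whether ACS could verify the reply with its own secret)."""
    otp_table = {"alice": b"123456"}          # constructed sample OTP
    req_auth = authenticator or os.urandom(16)
    request = build_access_request(7, "alice", "123456", acs_secret, req_auth)
    reply = token_server_handle(request, server_secret, otp_table)
    return reply[0], verify_response(reply, req_auth, acs_secret)


if __name__ == "__main__":
    print("matching secrets:  ", run_exchange(b"shared-secret", b"shared-secret"))
    print("mismatched secrets:", run_exchange(b"shared-secret", b"other-secret"))
```

With a secret mismatch nothing fails loudly: the server recovers a wrong password and returns Access-Reject, and ACS cannot validate the Response Authenticator, so the symptom is rejected or dropped authentications rather than a configuration error. That is why the guide's two preconditions (UDP reachability and identical secrets) are worth checking before looking elsewhere.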
To create, duplicate, or edit a RADIUS Identity Server:
Step 1 Choose Users and Identity Stores > External Identity Stores > RADIUS Identity Servers.
The RADIUS Identity Servers page appears with a list of RADIUS external identity servers.