8-74
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Configuring Identity Store Sequences
An access service identity policy determines the identity sources that ACS uses for authentication and
attribute retrieval. An identity source consists of a single identity store or multiple identity methods.
When you use multiple identity methods, you must first define them in an identity store sequence, and
then specify the identity store sequence in the identity policy.
An identity store sequence defines the ordered list of identity stores that is used for authentication and
attribute retrieval, and an optional second list of stores from which additional attributes are retrieved.
Authentication Sequence
An identity store sequence can contain a definition for certificate-based authentication or
password-based authentication or both.
If you select to perform authentication based on a certificate, you specify a single Certificate
Authentication Profile, which you have already defined in ACS.
If you select to perform authentication based on a password, you can define a list of databases to be
accessed in sequence.
When authentication succeeds, any defined attributes within the database are retrieved. You must have
defined the databases in ACS.
Attribute Retrieval Sequence
You can optionally define a list of databases from which to retrieve additional attributes. These databases
are accessed regardless of whether you use password-based or certificate-based authentication. When you
use certificate-based authentication, ACS populates the username field from a certificate attribute and
then uses that username to retrieve attributes.
ACS can retrieve attributes for a user, even when:
• The user’s password is flagged for a mandatory change.
• The user’s account is disabled.
When you perform password-based authentication, you can define the same identity database in the
authentication list and the attribute retrieval list. However, if the database is used for authentication, it
will not be accessed again as part of the attribute retrieval flow.
ACS authenticates a user or host in an identity store only when there is a single match for that user or
host. If an external database contains multiple instances of the same user, authentication fails. Similarly,
ACS retrieves attributes only when a single match for the user or host exists; otherwise, ACS skips
attribute retrieval from that database.
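The rules above (ordered password authentication, the optional attribute retrieval list, a store not being consulted twice, the single-match requirement, and retrieval continuing for disabled or password-flagged accounts) can be hard to hold in one's head. The following Python model walks through them on constructed sample data. It is an added example written for this page, not Cisco ACS code or its API; the store names, user records and attribute names are invented, and where the guide does not state a behaviour (how a wrong password or a disabled account affects moving on to the next store) the choice made is marked as an assumption in the comments.

```python
"""Illustrative model of how an ACS identity store sequence is evaluated.

Added example for this page; it is not Cisco ACS code. Store names, user
records and attribute names are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class UserRecord:
    username: str
    password: str
    attributes: dict
    disabled: bool = False
    password_change_required: bool = False


@dataclass
class IdentityStore:
    name: str
    records: list

    def find(self, username):
        return [r for r in self.records if r.username == username]


@dataclass
class IdentityStoreSequence:
    authentication_list: list        # ordered password-based stores
    attribute_retrieval_list: list   # optional stores for additional attributes


def authenticate(store, username, password):
    """Password check against one store.

    Returns a status ('ok', 'not_found', 'ambiguous', 'disabled', 'bad_password')
    and the matched record or None. 'ambiguous' follows the guide: more than one
    instance of the user in a store makes authentication fail.
    """
    matches = store.find(username)
    if not matches:
        return "not_found", None
    if len(matches) > 1:
        return "ambiguous", None
    record = matches[0]
    if record.disabled:                      # assumption: disabled accounts cannot authenticate
        return "disabled", None
    if record.password != password:
        return "bad_password", None
    return "ok", record


def retrieve_attributes(store, username):
    """Attribute lookup against one store; None when there is no single match.

    Disabled accounts and the mandatory-password-change flag do not block
    retrieval, as the guide states.
    """
    matches = store.find(username)
    if len(matches) != 1:
        return None
    return dict(matches[0].attributes)


def collect_additional_attributes(sequence, username, skip_store=None):
    """Walk the attribute retrieval list, skipping the store already used to authenticate."""
    attributes = {}
    for store in sequence.attribute_retrieval_list:
        if store.name == skip_store:
            continue                         # not accessed again after authentication
        extra = retrieve_attributes(store, username)
        if extra is not None:                # zero or multiple matches: store is skipped
            attributes.update(extra)
    return attributes


def evaluate_password(sequence, username, password):
    """Password-based flow: authenticate in order, then retrieve additional attributes."""
    for store in sequence.authentication_list:
        status, record = authenticate(store, username, password)
        if status == "not_found":
            continue                         # assumption: move on only when the user is absent
        if status != "ok":
            return {"authenticated": False, "reason": f"{status} in {store.name}", "attributes": {}}
        attributes = dict(record.attributes)  # attributes of the authenticating store
        attributes.update(collect_additional_attributes(sequence, username, skip_store=store.name))
        return {"authenticated": True, "reason": f"ok in {store.name}", "attributes": attributes}
    return {"authenticated": False, "reason": "not_found in any store", "attributes": {}}


def evaluate_certificate(sequence, certificate_username):
    """Certificate-based flow: the username comes from the certificate, so no
    password store was consulted and every retrieval store is accessed."""
    return {"authenticated": True, "reason": "certificate",
            "attributes": collect_additional_attributes(sequence, certificate_username)}


# Constructed sample data (not from the guide).
INTERNAL = IdentityStore("internal_users", [
    UserRecord("alice", "alice-pw", {"group": "staff"}),
    UserRecord("carol", "carol-pw", {"group": "staff"}, disabled=True),
])
CORP_LDAP = IdentityStore("corp_ldap", [
    UserRecord("alice", "ldap-pw", {"department": "eng"}),
    UserRecord("bob", "bob-pw", {"department": "ops"}),
    UserRecord("bob", "bob-pw", {"department": "ops-duplicate"}),   # duplicate entry
    UserRecord("carol", "carol-pw", {"department": "sec"}, disabled=True),
])
SEQUENCE = IdentityStoreSequence(authentication_list=[INTERNAL, CORP_LDAP],
                                 attribute_retrieval_list=[INTERNAL, CORP_LDAP])

if __name__ == "__main__":
    print(evaluate_password(SEQUENCE, "alice", "alice-pw"))   # authenticates in internal_users
    print(evaluate_password(SEQUENCE, "bob", "bob-pw"))       # duplicate in corp_ldap: fails
    print(evaluate_certificate(SEQUENCE, "carol"))            # disabled, attributes still retrieved
```

Running the block shows the three cases the guide describes: alice authenticates in internal_users and then picks up only corp_ldap attributes, because internal_users is not consulted a second time; bob fails because corp_ldap holds two entries for him; and a certificate-authenticated carol still has attributes returned from both stores even though her accounts are disabled.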
This section contains the following topics:
Creating, Duplicating, and Editing Identity Store Sequences, page 8-74
Deleting Identity Store Sequences, page 8-76
Creating, Duplicating, and Editing Identity Store Sequences
To create, duplicate, or edit an identity store sequence:
Step 1 Select Users and Identity Stores > Identity Store Sequences.
The Identity Store Sequences page appears.