User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 3 ACS 5.x Policy Model
Access Services
Identity Sequence—A sequence of identity databases. The sequence is used for authentication
and, if specified, an additional sequence is used only to retrieve attributes. You can select multiple
identity methods as the result of the identity policy; you define them in an identity sequence object,
and the methods included in the sequence may be of any type.
There are two components to an identity sequence: one for authentication, and one for attribute
retrieval. The administrator can select to perform authentication based on a certificate or an identity
database or both.
If you choose to perform authentication based on a certificate, ACS selects a single certificate
authentication profile.
If you choose to perform authentication based on an identity database, you must define a list of
databases to be accessed in sequence until authentication succeeds. When authentication
succeeds, any defined attributes within the database are retrieved.
In addition, you can define an optional list of databases from which additional attributes are
retrieved. These additional databases can be accessed irrespective of whether password- or
certificate-based authentication was used.
When certificate-based authentication is used, the username field is populated from a certificate
attribute and is used to retrieve attributes. All databases defined in the list are accessed and, where
a matching record for the user is found, the corresponding attributes are retrieved.
Attributes can be retrieved for a user even if the user’s password is marked as requiring a change or
the user account is disabled. Even when you disable a user’s account, the account remains available as
a source of attributes, but not for authentication.
Failure Options
If a failure occurs while processing the identity policy, the failure can be one of three main types:
Authentication failed—ACS received an explicit response that the authentication failed. For
example, the wrong username or password was entered, or the user was disabled.
User/host not found—No such user/host was found in any of the authentication databases.
Process failed—There was a failure while accessing the defined databases.
All failures returned from an identity database are placed into one of the types above. For each type of
failure, you can configure the following options:
Reject—ACS sends a reject reply.
Drop—No reply is returned.
Continue—ACS continues processing to the next defined policy in the service.
The Authentication Status system attribute retains the result of the identity policy processing. If you
choose to continue policy processing in the case of a failure, this attribute can be used as a condition
in subsequent policy processing to distinguish cases in which identity policy processing did not succeed.
Because of restrictions on the underlying protocol being used, there are cases in which it is not possible
to continue processing even if you select the Continue option. This is the case for PEAP, LEAP, and
EAP-FAST; even if you select the Continue option, the request is rejected.
The following default values are used for the failure options when you create rules:
Authentication failed—The default is reject.
User/host not found—The default is reject.
Process failed—The default is drop.
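The following is an added example, not Cisco code or configuration from this guide. It models the identity-sequence behaviour described above (stores tried in order for authentication, a separate attribute-only list, attributes still retrievable for a disabled account) together with the failure-option handling in this section (the three failure types, the reject/drop/continue actions and their defaults, the Authentication Status attribute, and the PEAP/LEAP/EAP-FAST restriction on Continue). The store names, users, attribute names and the Authentication Status values are constructed; the guide does not state how an explicit authentication failure in one store affects the remaining stores in the sequence, so the model stops the sequence on an explicit failure or access error and moves to the next store only when the user is not found, which is an assumption.

```python
"""Toy model of ACS 5.x identity-sequence evaluation and failure options.
Constructed illustration, not Cisco code; store names, users, attribute
names and the Authentication Status strings are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    """Success plus the three failure types the guide names."""
    SUCCESS = "authentication passed"
    AUTH_FAILED = "authentication failed"     # e.g. bad password, disabled user
    NOT_FOUND = "user/host not found"
    PROCESS_FAILED = "process failed"         # store could not be accessed


class Action(Enum):
    REJECT = "reject"        # ACS sends a reject reply
    DROP = "drop"            # no reply is returned
    CONTINUE = "continue"    # processing moves to the next policy


# Defaults the guide gives for the failure options of a new rule.
DEFAULT_FAILURE_OPTIONS = {
    Outcome.AUTH_FAILED: Action.REJECT,
    Outcome.NOT_FOUND: Action.REJECT,
    Outcome.PROCESS_FAILED: Action.DROP,
}

# Protocols for which the guide says Continue cannot be honoured.
NO_CONTINUE_PROTOCOLS = {"PEAP", "LEAP", "EAP-FAST"}


@dataclass
class Record:
    password: Optional[str]          # None for attribute-only stores
    disabled: bool = False
    must_change_password: bool = False
    attributes: dict = field(default_factory=dict)


@dataclass
class IdentityStore:
    name: str
    records: dict                    # username -> Record
    reachable: bool = True           # False simulates a store ACS cannot reach

    def authenticate(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.PROCESS_FAILED
        rec = self.records.get(user)
        if rec is None:
            return Outcome.NOT_FOUND
        if rec.disabled or rec.password != password:
            return Outcome.AUTH_FAILED
        return Outcome.SUCCESS

    def attributes_for(self, user: str) -> dict:
        # Retrieval ignores the disabled and password-change flags.
        rec = self.records.get(user) if self.reachable else None
        return dict(rec.attributes) if rec else {}


def evaluate_identity_policy(user, password, auth_stores, attr_stores,
                             protocol, failure_options=None):
    """Return (decision, attributes); decision is 'continue', 'reject' or 'drop'."""
    options = {**DEFAULT_FAILURE_OPTIONS, **(failure_options or {})}
    attrs, outcome = {}, Outcome.NOT_FOUND     # an empty sequence finds nobody

    # Authentication sequence: stores are tried in order until one succeeds.
    for store in auth_stores:
        outcome = store.authenticate(user, password)
        if outcome is Outcome.SUCCESS:
            attrs.update(store.attributes_for(user))   # only the store that succeeded
            break
        if outcome is not Outcome.NOT_FOUND:
            break   # assumption: explicit failure or access error ends the sequence

    # Optional attribute-only list: every listed store is consulted.
    for store in attr_stores:
        attrs.update(store.attributes_for(user))

    attrs["Authentication Status"] = outcome.value   # usable by later policies
    if outcome is Outcome.SUCCESS:
        return Action.CONTINUE.value, attrs
    action = options[outcome]
    if action is Action.CONTINUE and protocol in NO_CONTINUE_PROTOCOLS:
        action = Action.REJECT                        # Continue is not possible here
    return action.value, attrs


# Constructed sample stores (not real ACS configuration).
INTERNAL = IdentityStore("Internal Users", {
    "alice": Record("s3cret", attributes={"Department": "engineering"}),
    "bob": Record("hunter2", disabled=True, attributes={"Department": "ops"}),
})
LDAP = IdentityStore("Corp LDAP", {
    "carol": Record("pa55word", attributes={"memberOf": "netadmins"}),
})
LDAP_DOWN = IdentityStore("Corp LDAP", LDAP.records, reachable=False)
HR = IdentityStore("HR attributes", {
    "alice": Record(None, attributes={"Badge": "1001"}),
    "bob": Record(None, attributes={"Badge": "1002"}),
})

if __name__ == "__main__":
    opts = {Outcome.AUTH_FAILED: Action.CONTINUE}
    print(evaluate_identity_policy("alice", "s3cret", [INTERNAL, LDAP], [HR], "PAP"))
    print(evaluate_identity_policy("bob", "hunter2", [INTERNAL, LDAP], [HR], "PAP", opts))
    print(evaluate_identity_policy("bob", "hunter2", [INTERNAL, LDAP], [HR], "PEAP", opts))
    print(evaluate_identity_policy("carol", "pa55word", [INTERNAL, LDAP_DOWN], [HR], "PAP"))
```

Running the block shows the disabled user bob being rejected by default but still contributing his HR attributes, passing through with Authentication Status set to "authentication failed" when the failure option is Continue under PAP, and being rejected anyway under PEAP; the unreachable LDAP store turns carol's request into a process failure, which is dropped by default.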