User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
For automatic downloading, you define how long before the CRL file expires ACS should download it. The CRL expiration time is taken from the CRL nextUpdate field.
For both modes, if the download fails for any reason, you can define the amount of time that ACS waits before trying to download the CRL file again.
For each downloaded CRL file, ACS verifies that it is correctly signed by one of the CAs in the trust store and that the signing CA is trusted. ACS uses the CRL file only if the signature verification passes. The verified CRL file replaces the previous CRL file issued by the same CA.
Note: CRL files are not kept persistent and should be re-downloaded when you restart ACS.
The configuration of URLs and their association to CAs is distributed to the entire ACS domain. The downloaded CRLs are not distributed and are autonomously populated in parallel in each ACS server.
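As an added example that is not Cisco's code and not the ACS implementation, the following Go program models the CRL handling just described using the standard crypto/x509 package: a downloaded CRL is kept only if a CA in the trust store verifies its signature, it then replaces the previous CRL from that CA in an in-memory cache, and the automatic re-download is scheduled relative to the CRL nextUpdate field. The CA and CRLs are constructed test data; TrustedCRLs, Accept, NextDownload and the lead duration are assumed names for illustration, not ACS parameters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustedCRLs is the in-memory cache described above: one accepted CRL per issuing CA, keyed by CA subject.
type TrustedCRLs map[string]*x509.RevocationList

// Accept keeps a downloaded CRL only if a CA in the trust store verifies its signature; it then replaces that CA's previous CRL.
func (c TrustedCRLs) Accept(trust []*x509.Certificate, der []byte) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	for _, ca := range trust { // CheckSignatureFrom also insists the signer is a CA with cRLSign key usage
		if crl.CheckSignatureFrom(ca) == nil {
			c[ca.Subject.String()] = crl
			return crl, nil
		}
	}
	return nil, fmt.Errorf("CRL not signed by any CA in the trust store; discarded")
}
// NextDownload: in automatic mode the CRL is fetched again "lead" before nextUpdate, the CRL expiration time.
func NextDownload(crl *x509.RevocationList, lead time.Duration) time.Time {
	return crl.NextUpdate.Add(-lead)
}
// NewTestCA and SignTestCRL produce constructed test data (a throwaway CA), not a real CA or ACS data.
func NewTestCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // self-signed; SubjectKeyId is derived
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func SignTestCRL(ca *x509.Certificate, key ed25519.PrivateKey, number int64, next time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: next}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	return der
}
func main() {
	ca, key := NewTestCA("Constructed Test CA")
	crl, err := TrustedCRLs{}.Accept([]*x509.Certificate{ca}, SignTestCRL(ca, key, 1, time.Now().Add(48*time.Hour)))
	fmt.Println("accepted:", err == nil, "next download:", NextDownload(crl, 2*time.Hour))
}
```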
Machine Authentication
ACS supports the authentication of computers running Microsoft Windows operating systems that support EAP computer authentication. Machine authentication, also called computer authentication, allows network services only for computers known to Active Directory.
This feature is especially useful for wireless networks, where unauthorized users outside the physical
premises of your workplace can access your wireless access points.
When machine authentication is enabled, there are three different types of authentication. When starting a computer, the authentications occur in this order:
Machine authentication—ACS authenticates the computer prior to user authentication. ACS
checks the credentials that the computer provides against the Windows identity store.
If you use Active Directory and the matching computer account in AD has the same credentials, the
computer gains access to Windows domain services.
User domain authentication—If machine authentication succeeded, the Windows domain
authenticates the user. If machine authentication failed, the computer does not have access to
Windows domain services and the user credentials are authenticated by using cached credentials that
the local operating system retains.
In this case, the user can log in to only the local system. When a user is authenticated by cached credentials instead of by the domain, the computer does not enforce domain policies, such as running the login scripts that the domain dictates.
Tip: If a computer fails machine authentication and the user has not successfully logged in to the domain by using the computer since the most recent user password change, the cached credentials on the computer will not match the new password. Instead, the cached credentials will match an older password of the user, provided that the user once successfully logged in to the domain from this computer.
User network authentication—ACS authenticates the user, allowing the user to have network
connectivity. If the user exists, the identity store that is specified is used to authenticate the user.
While the identity store is not required to be the Windows identity store, most Microsoft clients can
be configured to automatically perform network authentication by using the same credentials used
for user domain authentication. This method allows for a single sign-on.