User Guide for Cisco Secure ACS Windows Server 3.1
Administering External User Databases

Table of Contents

Administering External User Databases
Unknown User Processing
Database Group Mappings

Administering External User Databases


After you have configured Cisco Secure Access Control Server (Cisco Secure ACS) for Windows Server version 3.1 to communicate with an external user database, you can decide how to implement other Cisco Secure ACS features related to external user databases. To address these features, this chapter contains the following sections:

  • Unknown User Processing
  • Database Group Mappings

For information about the databases supported by Cisco Secure ACS and how to configure Cisco Secure ACS to communicate with an external user database, see "Working with User Databases."

Unknown User Processing

Unknown users are users who are not listed in the Cisco Secure ACS database. The Unknown User feature is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. In this additional step of the authentication process, if the username does not exist in the Cisco Secure ACS database, Cisco Secure ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate.

The Unknown User feature enables Cisco Secure ACS to use a variety of external databases in addition to its own internal database to authenticate incoming user requests. With this feature, Cisco Secure ACS provides the foundation for a basic single sign-on capability by integrating network and host-level access control. Because the incoming usernames and passwords of users dialing in can be authenticated with external user databases, there is no need for the network administrator to maintain a duplicate list within Cisco Secure ACS. This provides two advantages to the Cisco Secure ACS administrator:

  • Eliminates the necessity of entering every user multiple times
  • Prevents data-entry errors that are inherent to manual procedures

Known, Unknown, and Discovered Users

The Unknown User feature implements three categories of users in Cisco Secure ACS.

  • Known Users—Users explicitly added, either manually or automatically, into the Cisco Secure ACS database.

These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "Cisco Secure ACS Command-Line Database Utility."

Cisco Secure ACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice over IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, Cisco Secure ACS does not have to store a user password in the CiscoSecure user database.

  • Unknown Users—Users who have no account entry in the CiscoSecure user database.

Such users never have previously authenticated with Cisco Secure ACS. If the Unknown User Policy is configured, Cisco Secure ACS attempts to authenticate these users with external user databases.

  • Discovered Users—Users whose accounts were created in the CiscoSecure user database when Cisco Secure ACS successfully authenticated them using the Unknown User Policy. When Cisco Secure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the Cisco Secure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in Cisco Secure ACS, you can assign user-specific network access restrictions to the discovered user.

Note    Cisco Secure ACS does not import passwords for a discovered user; rather, Cisco Secure ACS creates the user account with the Password Authentication list set to the external user database that originally authenticated the user.

All discovered users were once unknown users. The authentication process for discovered users is identical to the authentication process for known users who are authenticated with external user databases and whose Cisco Secure ACS group membership is determined by group mapping.


Note   We recommend removing a username from a database when the privileges associated with that username are no longer required.

General Authentication Request Handling and Rejection Mode

If you have configured the Unknown User Policy in Cisco Secure ACS, Cisco Secure ACS attempts to authenticate users as follows:

1. Cisco Secure ACS checks its internal user database. If the user exists in the CiscoSecure user database (that is, is a known or discovered user), Cisco Secure ACS tries to authenticate the user with the specified password type against the specified database. Authentication for that user either passes or fails, depending on other procedures in the normal authentication process.

2. If the user does not exist in the CiscoSecure user database (that is, is an unknown user), Cisco Secure ACS tries each configured external database in the order specified in the Selected Databases list. If the user passes authentication against one of the external databases, Cisco Secure ACS automatically adds the user to the CiscoSecure user database, with a pointer to use the password type and database that succeeded on this authentication attempt. Users added by unknown user processing are flagged as such within the CiscoSecure user database and are called discovered users.

The next time the discovered user tries to authenticate, Cisco Secure ACS authenticates the user against the database that was successful the first time. Discovered users are treated the same as known users.

3. If the unknown user fails authentication with all configured external databases, the user is not added to the CiscoSecure user database, and the authentication request is rejected.

Because usernames in the CiscoSecure user database must be unique, Cisco Secure ACS supports a single instance of any given username across all the databases it is configured to use. For example, assume every external user database contains a user account with the username John. Each account is for a different user, but they each, coincidentally, have the same username. After the first John attempts to access the network and has authenticated through the unknown user process, Cisco Secure ACS retains a discovered user account for that John and only that John. Now, Cisco Secure ACS tries to authenticate subsequent attempts by any user named John using the same external user database that originally authenticated John. Assuming their passwords are different than the password for the John who authenticated first, the other Johns are unable to access the network.


Note   The scenario given above is handled differently if the user accounts with identical usernames exist in separate Windows domains. For more information, see Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database.
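The three-step handling above, including the "several Johns" collision, as an added simulation that is not Cisco code and not from the user guide. The external databases, usernames and passwords are constructed; the names "tokenserver" and "ldap" are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AcsUser:
    """Account record in the simulated CiscoSecure user database."""
    auth_db: str                 # "internal" or the name of the external database
    password: Optional[str]      # stored only for internal (non-VoIP) users
    discovered: bool = False     # created by unknown user processing


@dataclass
class Acs:
    selected: List[str]                    # Selected Databases list, tried top to bottom
    external: Dict[str, Dict[str, str]]    # db name -> {username: password} (constructed)
    users: Dict[str, AcsUser] = field(default_factory=dict)
    unknown_user_policy: str = "check"     # "check" or "fail"

    def _check(self, db: str, user: str, pw: str) -> bool:
        """Authenticate one username/password against one database."""
        if db == "internal":
            return self.users[user].password == pw
        return self.external.get(db, {}).get(user) == pw

    def authenticate(self, user: str, pw: str) -> Tuple[bool, str]:
        """Return (accepted, how) following the three-step handling."""
        # Step 1: known or discovered user -> only the associated database is tried.
        if user in self.users:
            db = self.users[user].auth_db
            return self._check(db, user, pw), "known:" + db
        # Step 2: unknown user -> apply the Unknown User Policy.
        if self.unknown_user_policy == "fail":
            return False, "unknown:policy=fail"
        for db in self.selected:
            if self._check(db, user, pw):
                # Create a discovered user that points at the database that
                # succeeded; the password itself is not imported.
                self.users[user] = AcsUser(auth_db=db, password=None, discovered=True)
                return True, "discovered:" + db
        # Step 3: every selected database rejected -> no account, request rejected.
        return False, "unknown:rejected"


def john_scenario() -> List[Tuple[bool, str]]:
    """Two different people called John, one in each external database."""
    acs = Acs(
        selected=["tokenserver", "ldap"],
        external={"tokenserver": {"John": "tok-pw"}, "ldap": {"John": "ldap-pw"}},
    )
    return [
        acs.authenticate("John", "ldap-pw"),  # first John: tokenserver rejects, ldap accepts
        acs.authenticate("John", "tok-pw"),   # second John: only ldap is consulted now
        acs.authenticate("John", "ldap-pw"),  # first John again: discovered user, ldap
    ]
```

The second call shows the failure mode the text describes: once a discovered account exists, ACS never revisits the other databases, so the tokenserver John is locked out.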

Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database

Because it is a native Windows application, Cisco Secure ACS treats authentication with a Windows NT/2000 user database as a special case. Windows can provide added functionality to the remote access authentication process. Perhaps the most important aspect of this added functionality is support for multiple occurrences of the same username across the trusted domains against which Cisco Secure ACS authenticates access requests.

Cisco Secure ACS communicates with the Windows operating system of the Cisco Secure ACS server to perform authentications. Windows uses its built-in facilities to forward the authentication requests to the appropriate domain controller. There are two possible scenarios to consider:

  • Authentication requests in which the domain name is supplied
  • Authentication requests in which the domain name is omitted

Windows Authentication with a Domain Specified

When a domain name is supplied as part of an authentication request, Cisco Secure ACS detects that a domain name was supplied and tries the authentication credentials against the specified domain. The dial-up networking clients provided with various Windows versions differ in the method by which users can specify their domains. For more information, see Windows Dial-up Networking Clients.

If the domain controller rejects the authentication request, Cisco Secure ACS logs the request as a failed attempt.

For Windows 95, Windows 98, Windows ME, and Windows XP Home, the dial-up networking client provided with Windows only allows users to specify their domains by submitting the usernames in a domain-qualified format, that is, DOMAIN\username. Using a domain-qualified username allows Cisco Secure ACS to differentiate a user from multiple instances of the same username in different domains. For unknown users who provide domain-qualified usernames and who are authenticated by a Windows NT/2000 database, Cisco Secure ACS creates their user accounts in the CiscoSecure user database in the form DOMAIN\username. The combination of username and domain makes this user unique in the Cisco Secure ACS database.


Note   Cisco Secure ACS does not support the user@domain form of qualified usernames.

It is possible for unknown user processing to create more than one user account for the same network user. For example, if a user provides a domain-qualified username and successfully authenticates, Cisco Secure ACS creates an account in the format DOMAIN\username. If the same user successfully authenticates without prefixing the domain name to the username, Cisco Secure ACS creates an account in the format username. If you rely on groups rather than individual user settings, both accounts should receive the same privileges. Regardless of whether the user prefixes the domain name, group mapping will assign the user to the same Cisco Secure ACS user group, because both Cisco Secure ACS user accounts correspond to a single Windows user account.

Windows Authentication with Domain Omitted

If a domain identifier is not supplied as part of the authentication process, the Windows operating system of the server running Cisco Secure ACS follows a more complex authentication order that Cisco Secure ACS cannot control. Though the order of resources used can differ, when searching for a non-domain-qualified username, Windows usually follows the order in the list below:

  • The local domain controller
  • The domain controllers in any trusted domains
  • If Cisco Secure ACS runs on a member server, the local accounts database

Windows attempts to authenticate the user with the first account it finds whose username matches the one passed to Windows by Cisco Secure ACS. Whether authentication fails or succeeds, Windows does not search for other accounts with the same username; therefore, Windows can fail to authenticate a user who supplies valid credentials because Windows may check the supplied credentials against the wrong account that coincidentally has an identical username.

You can circumvent this difficulty by using the Domain List in the Cisco Secure ACS configuration for the Windows NT/2000 database. If you have configured the Domain List with a list of trusted domains, Cisco Secure ACS submits the username and password to each domain in the list, using a domain-qualified format, until Cisco Secure ACS successfully authenticates the user or until Cisco Secure ACS has tried each domain listed in the Domain List.


Note   If your network has multiple occurrences of a username across domains (for example, every domain has a user called Administrator) or if users dialing in do not provide their domains as part of their authentication credentials, be sure to configure the Domain List for the Windows NT/2000 database in the External User Databases section. If not, only the user whose account Windows happens to check first authenticates successfully. The Domain List is the only way that Cisco Secure ACS controls the order in which Windows checks domains. The most reliable method of supporting multiple instances of a username across domains is to require users to supply their domain memberships as part of the authentication request.
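The difference between a bare username, a domain-qualified username and a bare username with the Domain List configured, as an added simulation that is not Cisco code. The domains CORP, LAB and SALES and their accounts are constructed; the Windows search order is passed in explicitly because, as the text says, ACS cannot control it.

```python
from typing import Dict, List, Optional, Tuple

# Constructed trusted domains, each with its own accounts database.
DOMAINS: Dict[str, Dict[str, str]] = {
    "CORP":  {"Administrator": "corp-secret", "alice": "a-pw"},
    "LAB":   {"Administrator": "lab-secret"},
    "SALES": {"Administrator": "sales-secret", "bob": "b-pw"},
}


def windows_lookup(user: str, pw: str, search_order: List[str]) -> Tuple[bool, Optional[str]]:
    """Windows handling of a bare username: the first account whose name matches
    is used, and no other account is tried whether that one passes or fails."""
    for dom in search_order:
        if user in DOMAINS[dom]:
            return DOMAINS[dom][user] == pw, dom
    return False, None


def domain_qualified_auth(qualified: str, pw: str) -> Tuple[bool, Optional[str]]:
    """DOMAIN\\username form: the credentials are tried only against that domain."""
    dom, _, user = qualified.partition("\\")
    if dom not in DOMAINS:
        return False, None
    return DOMAINS[dom].get(user) == pw, dom


def acs_windows_auth(user: str, pw: str, domain_list: List[str],
                     windows_order: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (accepted, domain that was consulted last).

    Domain-qualified username  -> that domain only.
    Bare username + Domain List -> ACS submits DOMAIN\\user to each listed domain
                                   in order until one accepts.
    Bare username, no Domain List -> Windows' own search order decides.
    """
    if "\\" in user:
        return domain_qualified_auth(user, pw)
    if domain_list:
        last: Optional[str] = None
        for dom in domain_list:
            ok, last = domain_qualified_auth(dom + "\\" + user, pw)
            if ok:
                return True, dom
        return False, last
    return windows_lookup(user, pw, windows_order)
```

With every domain holding an Administrator, the LAB administrator dialling in with a bare username fails against CORP unless the Domain List is configured or the DOMAIN\username form is used.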

Performance of Unknown User Authentication

Processing authentication requests for unknown users requires slightly more time than processing authentication requests for known users. This small delay may require additional configuration on the AAA clients through which unknown users may attempt to access your network.

Added Latency

Adding external databases against which to process unknown users can significantly increase the time needed for each individual authentication. At best, the time needed for each authentication is the time taken by the external database to authenticate, plus some latency for Cisco Secure ACS processing. In some circumstances (for example, when using a Windows NT/2000 user database), the extra latency introduced by an external database can be as much as tens of seconds. If you have configured multiple databases, this number is multiplied by the time taken for each one to complete.

You can account for added latency by setting the order of databases. If you are using an authentication protocol that is particularly time sensitive, such as PEAP, we recommend configuring unknown user processing to attempt authentication first with the database most likely to contain unknown users using the time-sensitive protocol. For more information, see Database Search Order.

Authentication Timeout Value on AAA clients

Be sure to increase the AAA client timeout to accommodate the longer authentication time required for Cisco Secure ACS to pass the authentication request to the external databases. If the AAA client timeout value is not set high enough to account for the delay required by unknown user authentication, the AAA client times out the request and every unknown user authentication fails.

The default AAA client timeout value is 5 seconds. If you have Cisco Secure ACS configured to search through several databases or if your databases are large, you might need to increase this value in your AAA client configuration file. For more information, refer to your Cisco IOS documentation.

Network Access Authorization

While the Unknown User Policy allows authentication requests to be forwarded to external user databases, all responsibility for the authorization parameters provided to the AAA client remains with Cisco Secure ACS. External user databases provide authentication services, and Cisco Secure ACS then provides the additional authorization information that is sent to the AAA client in the RADIUS or TACACS+ response packet. For more information about assignment of user authorization, see Database Group Mappings.

Unknown User Policy

You can configure how Cisco Secure ACS processes unknown users on the Configure Unknown User Policy page, in the External User Databases section of the HTML interface. The Configure Unknown User Policy page contains the following fields:

  • Unknown User Policy—Defines what action Cisco Secure ACS takes if it does not find a matching username in its database. There are two options for controlling the Unknown User Policy:
    • Fail the attempt—Disables unknown user processing. Cisco Secure ACS rejects authentication requests for any user not found in the CiscoSecure user database.
    • Check the following external user databases—Enables unknown user processing. Cisco Secure ACS uses databases in the Selected Databases list to authenticate users that are not found in the CiscoSecure user database.
  • External Databases—Lists the external user databases that Cisco Secure ACS does not use to authenticate unknown users.
  • Selected Databases—Lists the external user databases that Cisco Secure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). Cisco Secure ACS attempts authentication using the selected databases one at a time in the order specified. For more information about the significance of the order of selected databases, see Database Search Order.

For more information about configuring your Unknown User Policy, see Configuring the Unknown User Policy.

Database Search Order

You can configure the order in which Cisco Secure ACS checks the selected external databases when Cisco Secure ACS attempts to authenticate unknown users. If the first database in the Selected Databases list fails the authentication request for the unknown user, Cisco Secure ACS checks the next database listed, and so on down the Selected Databases list, in the order listed, until the user authenticates or until Cisco Secure ACS has tried all the databases listed. Authentication with a Windows NT/2000 database is more complex. (For more information about Windows NT/2000 authentication, see The Cisco Secure ACS Authentication Process with Windows NT/2000 User Databases.) If Cisco Secure ACS does not find the user in any of the listed databases, authentication fails.

The order in which the databases appear in the Selected Databases list is important. To determine how to order databases in the Selected Databases list, follow these recommendations:

  • Place databases that will allow most authentications to succeed as near to the top of the list as possible.
  • Place databases associated with particularly time-sensitive AAA clients or authentication protocols as near to the top of the list as possible.

For example, if wireless LAN users access your network with PEAP, arrange the databases in the Selected Databases list so that unknown user processing takes less than the timeout value specified on the Cisco Aironet Access Point.

Configuring the Unknown User Policy

In Cisco Secure ACS, an unknown user is defined as a user for whom no account has been created within the Cisco Secure ACS database.

To specify how Cisco Secure ACS should handle users who are not in the Cisco Secure ACS database, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Unknown User Policy.

Step 3   To deny authentication requests for any unknown user, select the Fail the attempt option.

Step 4   To allow authentication requests for unknown users, follow these steps:

a. Select the Check the following external user databases option.

b. For each database you need Cisco Secure ACS to use when attempting to authenticate unknown users, select the database in the External Databases list and click —> (right arrow button) to move it to the Selected Databases list. To remove a database from the Selected Databases list, select the database, and then click <— (left arrow button) to move it back to the External Databases list.

c. To assign the order in which Cisco Secure ACS should use the selected external databases when attempting to authenticate an unknown user, click a database name in the Selected Databases list and click Up or Down to move it into the position you want.


Tip Place at the top of the list databases that are most likely to authenticate unknown users or those databases that are associated with AAA clients or authentication protocols that are particularly time-sensitive, such as PEAP.

d. Repeat Step a through Step c until the selected databases are in the order needed.

Step 5   Click Submit.

Result: Cisco Secure ACS saves and implements the Unknown User Policy configuration you created. Cisco Secure ACS attempts to authenticate unknown users using the databases in the order listed in the Selected Databases list.

Turning off External User Database Authentication

You can configure Cisco Secure ACS so that users who are not in the Cisco Secure ACS database are not permitted to authenticate.

To turn off external user database authentication, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Unknown User Policy.

Step 3   Select the Fail the attempt option.

Step 4   Click Submit.

Result: Unknown user processing is halted. Cisco Secure ACS does not allow unknown users to authenticate with external user databases.

Database Group Mappings

The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a Cisco Secure ACS group for assigning authorization profiles. For external user databases from which Cisco Secure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific Cisco Secure ACS groups. For Windows NT/2000 user databases, group mapping is further specified by domain, because each domain maintains its own user database. For Novell NDS user databases, group mapping is further specified by trees, because Cisco Secure ACS supports multiple trees in a single Novell NDS user database.

In addition to the Database Group Mapping feature, for some database types, Cisco Secure ACS supports RADIUS-based group specification.

This section contains the following topics:

Group Mapping by External User Database

You can map an external database to a Cisco Secure ACS group. Unknown users who authenticate using the specified database automatically belong to, and inherit the authorizations of, the group. For example, you could configure Cisco Secure ACS so that all unknown users who authenticate with a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as MaxSessions=1. Or you could configure restricted hours for other groups, but give unrestricted access to Telecommuters group members.

While you can configure Cisco Secure ACS to map all unknown users found in any external user database type to a single Cisco Secure ACS group, for the following external user database types, mapping all users to a single Cisco Secure ACS group is the only form of group mapping available:

  • ODBC
  • LEAP Proxy RADIUS server
  • ActivCard token server
  • PassGo token server
  • CRYPTOCard token server
  • RADIUS token server
  • RSA SecurID token server
  • SafeWord token server
  • Vasco token server

For a subset of the external user database types listed above, group mapping by external database type is overridden on a user-by-user basis when the external user database specifies a Cisco Secure ACS group with its authentication response. Cisco Secure ACS supports specification of group membership for the following external user database types:

  • LEAP Proxy RADIUS server
  • ActivCard token server
  • CRYPTOCard token server
  • RADIUS token server
  • Vasco token server

For more information about specifying group membership for users authenticated with one of these database types, see RADIUS-Based Group Specification.

Additionally, users authenticated by an ODBC external user database can also be assigned to a specified Cisco Secure ACS group. Group specification by ODBC database authentication overrides group mapping. For more information about specifying group membership for users authenticated with an ODBC database, see ODBC Database.

Creating a Cisco Secure ACS Group Mapping for a Token Server, ODBC Database, or LEAP Proxy RADIUS Server Database

To set or change a token server, ODBC, or LEAP Proxy RADIUS Server database group mapping, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the name of the token server, LEAP Proxy RADIUS Server, or ODBC database configuration for which you want to configure a group mapping.

Result: The Define Group Mapping table appears.

Step 4   From the Select a default group for database list, click the group to which users authenticated with this database should be assigned.


Tip The Select a default group for database list displays the number of users assigned to each group.

Step 5   Click Submit.

Result: Cisco Secure ACS assigns unknown and discovered users authenticated by the external database type you selected in Step 3 to the Cisco Secure ACS group selected in Step 4. For users authenticated by an ODBC, CRYPTOCard, SafeWord, ActivCard, Vasco, PassGo, or LEAP Proxy RADIUS Server database, the mapping is only applied as a default if those databases did not specify a Cisco Secure ACS group for the user.


Note    For more information about group specification for RADIUS token servers, see RADIUS-Based Group Specification. For more information about group specification for ODBC databases, see Cisco Secure ACS Authentication Process with an ODBC External User Database.

Group Mapping by Group Set Membership

You can create group mappings for some external user databases based on the combination of external user database groups to which users belong. The following are the external user database types for which you can create group mappings based on group set membership:

  • Windows NT/2000
  • Novell NDS
  • Generic LDAP

Note   Windows NT/2000 databases are defined by domain name.

When you configure a Cisco Secure ACS group mapping based on group set membership, you can add one or many external user database groups to the set. For Cisco Secure ACS to map a user to the specified Cisco Secure ACS group, the user must match all external user database groups in the set.

As an example, you could configure a group mapping for users who belong to both the Engineering and Tokyo groups and a separate one for users who belong to both Engineering and London. You could then configure separate group mappings for the combinations of Engineering-Tokyo and Engineering-London and configure different access times for the Cisco Secure ACS groups to which they map. You could also configure a group mapping that only included the Engineering group that would map other members of the Engineering group who were not members of Tokyo or London.

Group Mapping Order

Cisco Secure ACS always maps users to a single Cisco Secure ACS group, yet a user can belong to more than one group set mapping. For example, a user, John, could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If there are Cisco Secure ACS group set mappings for both these combinations, Cisco Secure ACS has to determine to which group John should be assigned.

Cisco Secure ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user authenticated by an external user database is to be assigned to a Cisco Secure ACS group, Cisco Secure ACS starts at the top of the list of group mappings for that database. Cisco Secure ACS checks the user group memberships in the external user database against each group mapping in the list sequentially. Upon finding the first group set mapping that matches the external user database group memberships of the user, Cisco Secure ACS assigns the user to the Cisco Secure ACS group of that group mapping and terminates the mapping process.

Clearly, the order of group mappings is important because it affects the network access and services allowed to users. When defining mappings for users who belong to multiple groups, make sure they are in the correct order so that users are granted the correct group settings.

For example, a user, Mary, is assigned to the three-group combination of Engineering, Marketing, and Managers. Mary should be granted the privileges of a manager rather than an engineer. Mapping A assigns users who belong to all three groups Mary is in to Cisco Secure ACS Group 2. Mapping B assigns users who belong to the Engineering and Marketing groups to Cisco Secure ACS Group 1. If Mapping B is listed first, Cisco Secure ACS authenticates Mary as a user of Group 1, and she is assigned to Group 1 rather than to Group 2, as managers should be.

No Access Group for Group Set Mappings

To prevent remote access for users assigned a group by a particular group set mapping, assign the group to the Cisco Secure ACS No Access group. For example, you could assign all members of an external user database group "Contractors" to the No Access group so they could not dial in to the network remotely.

Default Group Mapping for Windows NT/2000

For Windows NT/2000 user databases, Cisco Secure ACS includes the ability to define a default group mapping. If no other group mapping matches an unknown user authenticated by a Windows NT/2000 user database, Cisco Secure ACS assigns the user to a group based on the default group mapping.

Configuring the default group mapping for Windows NT/2000 user databases is the same as editing an existing group mapping, with one exception. When editing the default group mapping for Windows NT/2000, instead of selecting a valid domain name on the Domain Configurations page, select \DEFAULT.

For more information about editing an existing group mapping, see Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping.
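Group set matching, mapping order, the No Access group and the default mapping described in the sections above, as an added simulation that is not Cisco code. Group names, ACS group names and the Mary example follow the text; the shadowed-mapping check is an extra configuration sanity check that the guide does not provide.

```python
from typing import FrozenSet, Iterable, List, Optional, Tuple

NO_ACCESS = "<No Access>"

# A mapping is (set of external groups the user must belong to, ACS group).
Mapping = Tuple[FrozenSet[str], str]


def map_user(user_groups: Iterable[str], mappings: List[Mapping],
             default: Optional[str] = None) -> Optional[str]:
    """Walk the mappings top to bottom; the first set the user matches wins.

    A user matches a set when they belong to ALL of its groups; belonging to
    extra groups is fine (the asterisk case in the HTML interface). If nothing
    matches, the default mapping (\\DEFAULT for Windows NT/2000) applies.
    """
    memberships = frozenset(user_groups)
    for required, acs_group in mappings:
        if required <= memberships:
            return acs_group
    return default


def shadowed_mappings(mappings: List[Mapping]) -> List[int]:
    """Indexes of mappings that can never match: an earlier mapping requires a
    subset of their groups, so any user matching them already matched earlier."""
    shadowed = []
    for i, (required, _) in enumerate(mappings):
        if any(earlier <= required for earlier, _ in mappings[:i]):
            shadowed.append(i)
    return shadowed


MAPPING_A: Mapping = (frozenset({"Engineering", "Marketing", "Managers"}), "Group 2")
MAPPING_B: Mapping = (frozenset({"Engineering", "Marketing"}), "Group 1")
MARY = ["Engineering", "Marketing", "Managers"]


def mary_scenario() -> Tuple[Optional[str], Optional[str]]:
    """ACS group for Mary with A listed first versus B listed first."""
    return (map_user(MARY, [MAPPING_A, MAPPING_B]),
            map_user(MARY, [MAPPING_B, MAPPING_A]))
```

Running shadowed_mappings over a mapping list before submitting it flags exactly the ordering mistake in Mary's example: with B first, A is unreachable.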

Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups

To map a Windows NT/2000, Novell NDS, or generic LDAP group to a Cisco Secure ACS group, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the external user database name for which you want to configure a group mapping.

Result: If you are mapping a Windows NT/2000 group set, the Domain Configurations table appears. If you are mapping an NDS group set, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step 4   If you are mapping a Windows NT/2000 group set for a new domain, follow these steps:

a. Click New configuration.

Result: The Define New Domain Configuration page appears.

b. If the Windows domain for which you want to create a group set mapping configuration appears in the Detected domains list, select the name of the domain.


Tip To clear your domain selection, click Clear Selection.

c. If the Windows domain for which you want to create a group set mapping does not appear in the Detected domains list, type the name of a trusted Windows NT/2000 domain in the Domain box.

d. Click Submit.

Result: The new Windows NT/2000 domain appears in the list of domains in the Domain Configurations page.

Step 5   If you are mapping a Windows NT/2000 group set, click the domain name for which you want to configure a group set mapping.

Result: The Group Mappings for Domain: domainname table appears.

Step 6   If you are mapping a Novell NDS group set, click the name of the Novell NDS tree for which you want to configure group set mappings.

Result: The Group Mappings for NDS Users table appears.

Step 7   Click Add Mapping.

Result: The Create new group mapping for database page opens. The group list displays group names derived from the external user database.

Step 8   For each group to be added to the group set mapping, select the name of the applicable external user database group in the group list, and then click Add to selected.


Note    A user must match all the groups in the Selected list so that Cisco Secure ACS can use this group set mapping to map the user to a Cisco Secure ACS group; however, a user can also belong to other groups (in addition to the groups listed) and still be mapped to a Cisco Secure ACS group.


Tip To remove a group from the mapping, select the name of the group in the Selected list, and then click Remove from selected.

Result: The Selected list shows all the groups that a user must belong to in order to be mapped to a Cisco Secure ACS group.

Step 9   In the CiscoSecure group list, select the name of the Cisco Secure ACS group to which you want to map users who belong to all the external user database groups in the Selected list.


Note    You can also select <No Access>. For more information about the <No Access> group, see No Access Group for Group Set Mappings.

Step 10   Click Submit.

Result: The group set you mapped to a Cisco Secure ACS group appears at the bottom of the database groups column.


Note    The asterisk at the end of each set of groups indicates that users authenticated with the external user database can belong to other groups besides those in the set.





Editing a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping

You can change the Cisco Secure ACS group to which a group set mapping is mapped.


Note   The external user database groups of an existing group set mapping cannot be edited. If you want to add or remove external user database groups from the group set mapping, delete the group set mapping and create one with the revised set of groups.

To edit a Windows NT/2000, Novell NDS, or generic LDAP group mapping, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the external user database name for which you want to edit a group set mapping.

Result: If you are editing a Windows NT/2000 group set mapping, the Domain Configurations table appears. If you are editing an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step 4   If you are editing a Windows NT/2000 group set mapping, click the domain name for which you want to edit a group set mapping.

Result: The Group Mappings for Domain: domainname table appears.

Step 5   If you are editing a Novell NDS group set mapping, click the name of the Novell NDS tree for which you want to edit a group set mapping.

Result: The Group Mappings for NDS Users table appears.

Step 6   Click the group set mapping to be edited.

Result: The Edit mapping for database page opens. The external user database group or groups included in the group set mapping appear above the CiscoSecure group list.

Step 7   From the CiscoSecure group list, select the name of the group to which the set of external database groups should be mapped, and then click Submit.


Note    You can also select <No Access>. For more information about the <No Access> group, see No Access Group for Group Set Mappings.

Step 8   Click Submit.

Result: The Group Mappings for database page opens again with the changed group set mapping listed.





Deleting a Windows NT/2000, Novell NDS, or Generic LDAP Group Set Mapping

You can delete individual group set mappings.

To delete a Windows NT/2000, Novell NDS, or generic LDAP group mapping, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the external user database configuration whose group set mapping you need to delete.

Result: If you are deleting a Windows NT/2000 group set mapping, the Domain Configurations table appears. If you are deleting an NDS group set mapping, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step 4   If you are deleting a Windows NT/2000 group set mapping, click the domain name whose group set mapping you want to delete.

Result: The Group Mappings for Domain: domainname table appears.

Step 5   If you are deleting a Novell NDS group set mapping, click the name of the Novell NDS tree whose group set mapping you want to delete.

Result: The Group Mappings for NDS Users table appears.

Step 6   Click the group set mapping you want to delete.

Step 7   Click Delete.

Result: Cisco Secure ACS displays a confirmation dialog box.

Step 8   Click OK in the confirmation dialog box.

Result: Cisco Secure ACS deletes the selected external user database group set mapping.





Deleting a Windows NT/2000 Domain Group Mapping Configuration

You can delete an entire group mapping configuration for a Windows NT/2000 domain. When you delete a Windows domain group mapping configuration, all group set mappings in the configuration are deleted.

To delete a Windows NT/2000 domain group mapping configuration, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the name of the Windows NT/2000 external user database.

Step 4   Click the domain name whose group set mapping you want to delete.

Step 5   Click Delete Configuration.

Result: Cisco Secure ACS displays a confirmation dialog box.

Step 6   Click OK in the confirmation dialog box.

Result: Cisco Secure ACS deletes the selected external user database group mapping configuration.





Changing Group Set Mapping Order

You can change the order in which Cisco Secure ACS checks group set mappings for users authenticated by Windows NT/2000, Novell NDS, and generic LDAP databases. To order group mappings, you must have already mapped them. For more information about creating group mappings, see Creating a Cisco Secure ACS Group Mapping for Windows NT/2000, Novell NDS, or Generic LDAP Groups.

To change the order of group mappings for a Windows NT/2000, Novell NDS, or generic LDAP group mapping, follow these steps:


Step 1   In the navigation bar, click External User Databases.

Step 2   Click Database Group Mappings.

Step 3   Click the external user database name for which you want to configure group set mapping order.

Result: If you are ordering Windows NT/2000 group set mappings, the Domain Configurations table appears. If you are ordering NDS group set mappings, the NDS Trees table appears. Otherwise, the Group Mappings for database Users table appears.

Step 4   If you are configuring Windows NT/2000 group mapping order, click the domain name for which you want to configure group set mapping order.

Result: The Group Mappings for Domain: domainname table appears.

Step 5   If you are configuring Novell NDS group set mapping order, click the name of the Novell NDS tree for which you want to configure group set mapping order.

Result: The Group Mappings for NDS Users table appears.

Step 6   Click Order mappings.


Note    The Order mappings button appears only if more than one group set mapping exists for the current database.

Result: The Order mappings for database page appears. The group mappings for the current database appear in the Order list.

Step 7   Select the name of a group set mapping you want to move, and then click Up or Down until it is in the position you want.

Step 8   Repeat Step 7 until the group mappings are in the order you need.

Step 9   Click Submit.

Result: The Group Mappings for database page displays the group set mappings in the order you defined.
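The matching rules stated in the procedures above (a user must belong to every group in a set, may belong to other groups as well, and mappings are checked in their configured order so the first match wins, with <No Access> as a possible target) are easy to misjudge when several sets overlap. The following Python models that evaluation and the Up/Down reordering. It is an example written for this page, not Cisco Secure ACS code; the domain group names, the ACS group names, the NO_ACCESS label and the move_mapping helper are all constructed assumptions.

```python
"""Worked example of group set mapping resolution in the style of Cisco Secure ACS.

Example code for this page, not Cisco code: models how an ordered list of
group set mappings is evaluated for a user authenticated by an external database.
"""
from typing import Iterable, List, Optional

NO_ACCESS = "<No Access>"  # stands in for the <No Access> group (assumed label)


class GroupSetMapping:
    """One row of the Group Mappings table: a set of external groups -> one ACS group."""

    def __init__(self, external_groups: Iterable[str], acs_group: str) -> None:
        self.external_groups = frozenset(external_groups)
        self.acs_group = acs_group

    def matches(self, user_groups: Iterable[str]) -> bool:
        # The user must belong to EVERY group in the set; belonging to
        # additional groups (the trailing "*" in the interface) does not matter.
        return self.external_groups <= set(user_groups)

    def __repr__(self) -> str:
        groups = ", ".join(sorted(self.external_groups))
        return f"[{groups}]* -> {self.acs_group}"


def resolve_acs_group(user_groups: Iterable[str],
                      mappings: List[GroupSetMapping]) -> Optional[str]:
    """Walk the mappings in their configured order; the first match wins.

    Returns the mapped ACS group name, NO_ACCESS, or None when no mapping
    matches (the caller would then apply whatever default handling it has).
    """
    memberships = set(user_groups)
    for mapping in mappings:
        if mapping.matches(memberships):
            return mapping.acs_group
    return None


def move_mapping(mappings: List[GroupSetMapping], index: int,
                 direction: str) -> List[GroupSetMapping]:
    """Return a copy with the mapping at `index` moved one step up or down.

    Mirrors the Up/Down buttons on the Order mappings page; moving past
    either end of the list leaves the order unchanged.
    """
    if direction not in ("up", "down"):
        raise ValueError("direction must be 'up' or 'down'")
    ordered = list(mappings)
    target = index - 1 if direction == "up" else index + 1
    if 0 <= target < len(ordered):
        ordered[index], ordered[target] = ordered[target], ordered[index]
    return ordered


# Constructed sample configuration (hypothetical domain groups and ACS group names).
SAMPLE_MAPPINGS = [
    GroupSetMapping({"Engineering", "VPN-Users"}, "Group 10"),  # most specific set first
    GroupSetMapping({"VPN-Users"}, "Group 20"),
    GroupSetMapping({"Contractors"}, NO_ACCESS),
]

# Constructed sample users with their external-database group memberships.
SAMPLE_USERS = {
    "alice": {"Engineering", "VPN-Users", "Domain Users"},  # extra group is fine
    "bob": {"VPN-Users"},
    "carol": {"Contractors"},
    "dave": {"Contractors", "VPN-Users"},  # mapping order decides this case
    "erin": {"Domain Users"},              # matches no mapping
}


if __name__ == "__main__":
    for name, groups in SAMPLE_USERS.items():
        print(f"{name:6} -> {resolve_acs_group(groups, SAMPLE_MAPPINGS)}")
    # Moving the <No Access> set to the top changes dave's outcome.
    reordered = move_mapping(move_mapping(SAMPLE_MAPPINGS, 2, "up"), 1, "up")
    print("after reorder, dave ->", resolve_acs_group(SAMPLE_USERS["dave"], reordered))
```

The dave case is the one to watch in a real configuration: a user who belongs to both a group mapped to <No Access> and a group mapped to a normal ACS group gets whichever mapping is listed first, so a deny set that is meant to win must be ordered above the sets it should override.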





RADIUS-Based Group Specification

For some types of external user databases, Cisco Secure ACS supports the assignment of users to specific Cisco Secure ACS groups based upon the RADIUS authentication response from the external user database. This is provided in addition to the unknown user group mapping described in Group Mapping by External User Database. RADIUS-based group specification overrides group mapping. The database types that support RADIUS-based group specification are as follows:

  • LEAP Proxy RADIUS server
  • CRYPTOCard token server
  • PassGo token server
  • Safeword token server
  • ActivCard token server
  • Vasco token server
  • RADIUS token server

Cisco Secure ACS supports per-user group mapping for users authenticated with a LEAP Proxy RADIUS Server database. This is provided in addition to the default group mapping described in Group Mapping by External User Database.

To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:

ACS:CiscoSecure-Group-Id = N

where N is the Cisco Secure ACS group number (0 through 499) to which Cisco Secure ACS should assign the user. For example, if the LEAP Proxy RADIUS Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair:

ACS:CiscoSecure-Group-Id = 37

Cisco Secure ACS assigns the user to group 37 and applies the authorization associated with group 37.
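The following Python, added here as an example and not taken from Cisco Secure ACS, shows how the receiving side of the RADIUS response would pick out the cisco-av-pair attribute (vendor 9, attribute 1, shown as [009\001] in the interface) carrying ACS:CiscoSecure-Group-Id, validate the 0 through 499 range described above, and let a value found there override the group produced by group mapping. The (vendor_id, attribute_type, value) tuple representation, the sample responses and the placeholder vendor ID 12345 are constructed for the example.

```python
"""Worked example: extracting ACS:CiscoSecure-Group-Id from a RADIUS response.

Example code for this page, not Cisco Secure ACS code. A RADIUS vendor-specific
attribute is modelled as a (vendor_id, attribute_type, value) tuple.
"""
import re
from typing import Iterable, Optional, Tuple

RadiusVsa = Tuple[int, int, str]

CISCO_VENDOR_ID = 9        # Cisco IOS/PIX vendor ID
CISCO_AVPAIR_TYPE = 1      # cisco-av-pair, shown as [009\001] in the ACS interface
MAX_ACS_GROUP = 499        # Cisco Secure ACS group numbers run from 0 through 499
OTHER_VENDOR_ID = 12345    # constructed placeholder for "some other vendor"

# Accepts "ACS:CiscoSecure-Group-Id = 37" as well as "ACS:CiscoSecure-Group-Id=37".
_GROUP_ID_RE = re.compile(r"^\s*ACS:CiscoSecure-Group-Id\s*=\s*(\d+)\s*$")


class GroupIdError(ValueError):
    """The attribute is present but its value is not a usable group number."""


def group_id_from_response(attributes: Iterable[RadiusVsa]) -> Optional[int]:
    """Return the group number carried in the response, or None if absent.

    Only Cisco cisco-av-pair attributes are examined; av-pairs with other
    keys (for example shell:priv-lvl) are ignored. A value outside 0..499
    raises GroupIdError instead of being silently turned into a group.
    """
    for vendor_id, attribute_type, value in attributes:
        if vendor_id != CISCO_VENDOR_ID or attribute_type != CISCO_AVPAIR_TYPE:
            continue
        match = _GROUP_ID_RE.match(value)
        if match is None:
            continue  # some other cisco-av-pair, not the group specification
        group_id = int(match.group(1))
        if not 0 <= group_id <= MAX_ACS_GROUP:
            raise GroupIdError(f"group number {group_id} is outside 0..{MAX_ACS_GROUP}")
        return group_id
    return None


def effective_group(attributes: Iterable[RadiusVsa],
                    mapped_group: Optional[int]) -> Optional[int]:
    """Apply the override rule: a RADIUS-specified group beats group mapping."""
    specified = group_id_from_response(attributes)
    return specified if specified is not None else mapped_group


# Constructed sample Access-Accept attribute lists.
SAMPLE_ACCEPT = [
    (CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, "shell:priv-lvl=15"),            # unrelated av-pair
    (CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, "ACS:CiscoSecure-Group-Id = 37"),
]
SAMPLE_NO_GROUP = [(CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, "shell:priv-lvl=1")]
SAMPLE_OUT_OF_RANGE = [(CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, "ACS:CiscoSecure-Group-Id = 500")]
SAMPLE_OTHER_VENDOR = [(OTHER_VENDOR_ID, CISCO_AVPAIR_TYPE, "ACS:CiscoSecure-Group-Id = 5")]


if __name__ == "__main__":
    print("accept       ->", effective_group(SAMPLE_ACCEPT, mapped_group=12))        # 37
    print("no group     ->", effective_group(SAMPLE_NO_GROUP, mapped_group=12))      # 12
    print("other vendor ->", effective_group(SAMPLE_OTHER_VENDOR, mapped_group=12))  # 12
    try:
        group_id_from_response(SAMPLE_OUT_OF_RANGE)
    except GroupIdError as err:
        print("out of range ->", err)
```

The design point worth keeping is that an out-of-range or malformed group number is an error to surface, not something to quietly fall back from: the external server is being trusted to steer authorization, so a response it produces that does not fit the documented format deserves a log entry rather than a best-effort guess.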