User Guide for Cisco Secure ACS for Windows Server 3.2
Unknown User Policy

Table Of Contents

Unknown User Policy

Unknown User Processing

Known, Unknown, and Discovered Users

General Authentication Request Handling and Rejection Mode

Authentication Request Handling and Rejection Mode with the Windows User Database

Windows Authentication with a Domain Specified

Windows Authentication with Domain Omitted

Performance of Unknown User Authentication

Added Latency

Authentication Timeout Value on AAA clients

Network Access Authorization

Unknown User Policy

Database Search Order

Configuring the Unknown User Policy

Turning off External User Database Authentication

Unknown User Policy


After you have configured Cisco Secure Access Control Server (ACS) for Windows Server to communicate with an external user database, you can decide how to implement other CiscoSecure ACS features related to external user databases. These features are the Unknown User Policy and user group mapping. This chapter addresses the Unknown User Policy feature, found in the External User Databases section of CiscoSecure ACS.

For information about user group mapping, see "User Group Mapping and Specification."

For information about the databases supported by CiscoSecure ACS and how to configure CiscoSecure ACS to communicate with an external user database, see "User Databases."

This chapter contains the following topics:

Unknown User Processing

Known, Unknown, and Discovered Users

General Authentication Request Handling and Rejection Mode

Authentication Request Handling and Rejection Mode with the Windows User Database

Performance of Unknown User Authentication

Network Access Authorization

Unknown User Policy

Unknown User Processing

Unknown users are users who are not listed in the CiscoSecure ACS database. The Unknown User feature is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. In this additional step of the authentication process, if the username does not exist in the CiscoSecure ACS database, CiscoSecure ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate.

The Unknown User feature enables CiscoSecure ACS to use a variety of external databases in addition to its own internal database to authenticate incoming user requests. With this feature, CiscoSecure ACS provides the foundation for a basic single sign-on capability by integrating network and host-level access control. Because the incoming usernames and passwords of users dialing in can be authenticated with external user databases, there is no need for the network administrator to maintain a duplicate list within CiscoSecure ACS. This provides two advantages to the CiscoSecure ACS administrator:

Eliminates the necessity of entering every user multiple times.

Prevents data-entry errors that are inherent to manual procedures.

The Unknown User feature also enables phase one of PEAP authentication to succeed when the username provided in phase one is unknown. For more information, see PEAP and the Unknown User Policy.

Known, Unknown, and Discovered Users

The Unknown User feature implements three categories of users in CiscoSecure ACS.

Known Users — Users explicitly added, either manually or automatically, into the CiscoSecure ACS database.

These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "RDBMS Synchronization Import Definitions."

CiscoSecure ACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, CiscoSecure ACS does not have to store a user password in the CiscoSecure user database.

Unknown Users — Users who have no account entry in the CiscoSecure user database.

Such users have never authenticated with CiscoSecure ACS. If the Unknown User Policy is configured, CiscoSecure ACS attempts to authenticate these users with external user databases.

Discovered Users — Users whose accounts were created in the CiscoSecure user database when CiscoSecure ACS successfully authenticated them using the Unknown User Policy. When CiscoSecure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the CiscoSecure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in CiscoSecure ACS, you can assign user-specific network access restrictions to the discovered user.


Note CiscoSecure ACS does not import passwords for a discovered user; rather, CiscoSecure ACS creates the user account with the Password Authentication list set to the external user database that originally authenticated the user.


All discovered users were once unknown users. The authentication process for discovered users is identical to the authentication process for known users who are authenticated with external user databases and whose CiscoSecure ACS group membership is determined by group mapping.


Note We recommend removing a username from a database when the privileges associated with that username are no longer required.


General Authentication Request Handling and Rejection Mode

If you have configured the Unknown User Policy in CiscoSecure ACS, CiscoSecure ACS attempts to authenticate users as follows:

1. CiscoSecure ACS checks its internal user database. If the user exists in the CiscoSecure user database (that is, is a known or discovered user), CiscoSecure ACS tries to authenticate the user with the specified password type against the specified database. Authentication for that user either passes or fails, depending on other procedures in the normal authentication process.

2. If the user does not exist in the CiscoSecure user database (that is, is an unknown user), CiscoSecure ACS tries each configured external database in the order specified in the Selected Databases list. If the user passes authentication against one of the external databases, CiscoSecure ACS automatically adds the user to the CiscoSecure user database, with a pointer to use the password type and database that succeeded on this authentication attempt. Users added by unknown user processing are flagged as such within the CiscoSecure user database and are called discovered users.

The next time the discovered user tries to authenticate, CiscoSecure ACS authenticates the user against the database that was successful the first time. Discovered users are treated the same as known users.

3. If the unknown user fails authentication with all configured external databases, the user is not added to the CiscoSecure user database, and the authentication request is rejected.

Because usernames in the CiscoSecure user database must be unique, CiscoSecure ACS supports a single instance of any given username across all the databases it is configured to use. For example, assume every external user database contains a user account with the username John. Each account is for a different user, but they each, coincidentally, have the same username. After the first John attempts to access the network and has authenticated through the unknown user process, CiscoSecure ACS retains a discovered user account for that John and only that John. From then on, CiscoSecure ACS tries to authenticate subsequent attempts by any user named John using the same external user database that originally authenticated John. Assuming their passwords are different from the password of the John who authenticated first, the other Johns are unable to access the network.


Note The scenario given above is handled differently if the user accounts with identical usernames exist in separate Windows domains. For more information, see Authentication Request Handling and Rejection Mode with the Windows User Database.
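The three-step flow above and the "several Johns" collision, as an added simulation that is not part of the Cisco documentation or product: it models the internal database check, the ordered search of the Selected Databases list, the creation of a discovered user that points at the successful database (no password is copied), and the rejection of a second John whose account lives in a different database. Database names, accounts and passwords are constructed sample data.

```python
"""Simulation of CiscoSecure ACS unknown user processing (added example, not Cisco code).
Database names, usernames and passwords below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExternalDatabase:
    name: str
    accounts: dict  # username -> password (constructed sample data)

    def authenticate(self, username, password):
        return self.accounts.get(username) == password


@dataclass
class UserRecord:
    password_auth: str              # "internal" or the name of the external database
    password: Optional[str] = None  # stored only for internal (CiscoSecure) accounts
    discovered: bool = False


@dataclass
class UnknownUserPolicy:
    enabled: bool                   # False models "Fail the attempt"
    selected_databases: list = field(default_factory=list)  # search order matters


class AcsServer:
    def __init__(self, policy):
        self.users = {}  # the CiscoSecure user database: username -> UserRecord
        self.policy = policy

    def authenticate(self, username, password):
        """Return (accepted, name of the database that made the decision or None)."""
        record = self.users.get(username)
        if record is not None:
            # Step 1: known or discovered user; only the associated database is consulted.
            if record.password_auth == "internal":
                return record.password == password, "internal"
            db = self._database(record.password_auth)
            return db.authenticate(username, password), db.name
        if not self.policy.enabled:
            return False, None
        # Step 2: unknown user; try the Selected Databases in the configured order.
        for db in self.policy.selected_databases:
            if db.authenticate(username, password):
                # Discovered user: username plus a pointer to the database, no password copied.
                self.users[username] = UserRecord(password_auth=db.name, discovered=True)
                return True, db.name
        # Step 3: every external database rejected the user; no account is created.
        return False, None

    def _database(self, name):
        return next(db for db in self.policy.selected_databases if db.name == name)


def john_collision_demo():
    """Two different users named John, one per external database (constructed data)."""
    ldap = ExternalDatabase("LDAP", {"John": "ldap-secret"})
    odbc = ExternalDatabase("ODBC", {"John": "odbc-secret"})
    acs = AcsServer(UnknownUserPolicy(True, [ldap, odbc]))
    first = acs.authenticate("John", "odbc-secret")   # LDAP rejects, ODBC accepts: discovered
    second = acs.authenticate("John", "ldap-secret")  # only ODBC is consulted now: rejected
    return first, second, acs.users["John"].password_auth
```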


Authentication Request Handling and Rejection Mode with the Windows User Database

Because it is a native Windows application, CiscoSecure ACS treats authentication with a Windows user database as a special case. Windows can provide added functionality to the remote access authentication process. Perhaps the most important aspect of this added functionality is support for multiple occurrences of the same username across the trusted domains against which CiscoSecure ACS authenticates access requests.

CiscoSecure ACS communicates with the Windows operating system of the computer running CiscoSecure ACS to perform authentications. Windows uses its built-in facilities to forward the authentication requests to the appropriate domain controller. There are two possible scenarios to consider, as discussed in this section.

This section contains the following topics:

Windows Authentication with a Domain Specified

Windows Authentication with Domain Omitted

Windows Authentication with a Domain Specified

When a domain name is supplied as part of an authentication request, CiscoSecure ACS detects that a domain name was supplied and tries the authentication credentials against the specified domain. The dial-up networking clients provided with various Windows versions differ in the method by which users can specify their domains. For more information, see Windows Dial-up Networking Clients.

If the domain controller rejects the authentication request, CiscoSecure ACS logs the request as a failed attempt.

For Windows 95, Windows 98, Windows ME, and Windows XP Home, the dial-up networking client provided with Windows only allows users to specify their domains by submitting the usernames in a domain-qualified format, that is, DOMAIN\username. Using a domain-qualified username allows CiscoSecure ACS to differentiate a user from multiple instances of the same username in different domains. For unknown users who provide domain-qualified usernames and who are authenticated by a Windows user database, CiscoSecure ACS creates their user accounts in the CiscoSecure user database in the form DOMAIN\username. The combination of username and domain makes this user unique in the CiscoSecure ACS database.


Note CiscoSecure ACS does not support the user@domain form of qualified usernames.


It is possible for unknown user processing to create more than one user account for the same network user. For example, if a user provides a domain-qualified username and successfully authenticates, CiscoSecure ACS creates an account in the format DOMAIN\username. If the same user successfully authenticates without prefixing the domain name to the username, CiscoSecure ACS creates an account in the format username. If you rely on groups rather than individual user settings, both accounts should receive the same privileges. Regardless of whether the user prefixes the domain name, group mapping will assign the user to the same CiscoSecure ACS user group, because both CiscoSecure ACS user accounts correspond to a single Windows user account.

Windows Authentication with Domain Omitted

If a domain identifier is not supplied as part of the authentication process, the Windows operating system of the server running CiscoSecure ACS follows a more complex authentication order that CiscoSecure ACS cannot control. Though the order of resources used can differ, when searching for a non-domain-qualified username, Windows usually follows the order in the list below:

The local domain controller.

The domain controllers in any trusted domains.

If CiscoSecure ACS runs on a member server, the local accounts database.

Windows attempts to authenticate the user with the first account it finds whose username matches the one passed to Windows by CiscoSecure ACS. Whether authentication fails or succeeds, Windows does not search for other accounts with the same username; therefore, Windows can fail to authenticate a user who supplies valid credentials because Windows may check the supplied credentials against the wrong account that coincidentally has an identical username.

You can circumvent this difficulty by using the Domain List in the CiscoSecure ACS configuration for the Windows user database. If you have configured the Domain List with a list of trusted domains, CiscoSecure ACS submits the username and password to each domain in the list, using a domain-qualified format, until CiscoSecure ACS successfully authenticates the user or until CiscoSecure ACS has tried each domain listed in the Domain List.


Note If your network has multiple occurrences of a username across domains (for example, every domain has a user called Administrator) or if users dialing in do not provide their domains as part of their authentication credentials, be sure to configure the Domain List for the Windows user database in the External User Databases section. If not, only the user whose account Windows happens to check first authenticates successfully. The Domain List is the only way that CiscoSecure ACS controls the order in which Windows checks domains. The most reliable method of supporting multiple instances of a username across domains is to require users to supply their domain memberships as part of the authentication request.
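The two Windows cases described in this section, as an added model that is not part of the Cisco documentation or product: a bare username is checked only against the first matching account Windows finds in its search order, while a configured Domain List makes ACS submit DOMAIN\username to each listed domain in turn. The domain names, search order, accounts and passwords are constructed sample data, and the member-server local accounts database is left out of the model.

```python
"""Added example (not Cisco code): why the Domain List matters when several domains
hold an account with the same username. All domains and credentials are constructed."""

# Order in which Windows is assumed to search for a bare username: local domain, then trusted domains.
WINDOWS_SEARCH_ORDER = ["CORP", "ENG", "SALES"]

DOMAIN_ACCOUNTS = {  # constructed sample data: domain -> {username: password}
    "CORP": {"Administrator": "corp-admin-pw", "alice": "alice-pw"},
    "ENG": {"Administrator": "eng-admin-pw"},
    "SALES": {"Administrator": "sales-admin-pw", "bob": "bob-pw"},
}


def windows_authenticate(name, password):
    """Model of the OS behaviour once ACS hands the credentials to Windows.
    DOMAIN\\username is checked against that domain only. A bare username is checked
    against the first account found in search order, and no other account with the
    same name is tried whether that check succeeds or fails."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return DOMAIN_ACCOUNTS.get(domain, {}).get(user) == password, domain
    for domain in WINDOWS_SEARCH_ORDER:
        if name in DOMAIN_ACCOUNTS[domain]:
            return DOMAIN_ACCOUNTS[domain][name] == password, domain
    return False, None


def acs_windows_authenticate(name, password, domain_list=()):
    """Model of ACS handling: with a Domain List configured, a bare username is
    submitted as DOMAIN\\username to each listed domain until one succeeds."""
    if "\\" in name or not domain_list:
        return windows_authenticate(name, password)
    for domain in domain_list:
        ok, used = windows_authenticate(f"{domain}\\{name}", password)
        if ok:
            return True, used
    return False, None


def demo():
    """The ENG Administrator dials in; only the Domain List or a qualified name gets it right."""
    no_list = acs_windows_authenticate("Administrator", "eng-admin-pw")
    with_list = acs_windows_authenticate("Administrator", "eng-admin-pw", ["CORP", "ENG", "SALES"])
    qualified = acs_windows_authenticate("ENG\\Administrator", "eng-admin-pw")
    return no_list, with_list, qualified
```

Without a Domain List the valid ENG credentials are rejected because Windows checked them against the CORP account it found first.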


Performance of Unknown User Authentication

Processing authentication requests for unknown users requires slightly more time than processing authentication requests for known users. This small delay may require additional configuration on the AAA clients through which unknown users may attempt to access your network.

Added Latency

Adding external databases against which to process unknown users can significantly increase the time needed for each individual authentication. At best, the time needed for each authentication is the time taken by the external database to authenticate, plus some latency for CiscoSecure ACS processing. In some circumstances (for example, when using a Windows user database), the extra latency introduced by an external database can be as much as tens of seconds. If you have configured multiple databases, this number is multiplied by the time taken for each one to complete.

You can account for added latency by setting the order of databases. If you are using an authentication protocol that is particularly time sensitive, such as PEAP, we recommend configuring unknown user processing to attempt authentication first with the database most likely to contain unknown users using the time-sensitive protocol. For more information, see Database Search Order.

Authentication Timeout Value on AAA clients

Be sure to increase the AAA client timeout to accommodate the longer authentication time required for CiscoSecure ACS to pass the authentication request to the external databases. If the AAA client timeout value is not set high enough to account for the delay required by unknown user authentication, the AAA client times out the request and every unknown user authentication fails.

The default AAA client timeout value is 5 seconds. If you have CiscoSecure ACS configured to search through several databases or if your databases are large, you might need to increase this value in your AAA client configuration file. For more information, refer to your Cisco IOS documentation.

Network Access Authorization

While the Unknown User Policy allows authentication requests to be forwarded to external user databases, all responsibility for the authorization parameters provided to the AAA client remains with CiscoSecure ACS. External user databases provide authentication services, and CiscoSecure ACS then provides the additional authorization information that is sent to the AAA client in the RADIUS or TACACS+ response packet. For more information about assignment of user authorization, see "User Group Mapping and Specification".

Unknown User Policy

You can configure how CiscoSecure ACS processes unknown users on the Configure Unknown User Policy page, in the External User Databases section of the HTML interface. The Configure Unknown User Policy page contains the following fields:

Unknown User Policy — Defines what action CiscoSecure ACS takes if it does not find a matching username in its database. There are two options for controlling the Unknown User Policy:

Fail the attempt — Disables unknown user processing. CiscoSecure ACS rejects authentication requests for any user not found in the CiscoSecure user database.

Check the following external user databases — Enables unknown user processing. CiscoSecure ACS uses databases in the Selected Databases list to authenticate users that are not found in the CiscoSecure user database.

External Databases — Lists the external user databases that CiscoSecure ACS does not use to authenticate unknown users.

Selected Databases — Lists the external user databases that CiscoSecure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). CiscoSecure ACS attempts authentication using the selected databases one at a time in the order specified. For more information about the significance of the order of selected databases, see Database Search Order.

For more information about configuring your Unknown User Policy, see Configuring the Unknown User Policy.

Database Search Order

You can configure the order in which CiscoSecure ACS checks the selected external databases when CiscoSecure ACS attempts to authenticate unknown users. If the first database in the Selected Databases list fails the authentication request for the unknown user, CiscoSecure ACS checks the next database listed, and so on down the Selected Databases list, in the order listed, until the user authenticates or until CiscoSecure ACS has tried all the databases listed. Authentication with a Windows user database is more complex. (For more information about Windows authentication, see The CiscoSecure ACS Authentication Process with Windows User Databases.) If CiscoSecure ACS does not find the user in any of the listed databases, authentication fails.

The order in which the databases appear in the Selected Databases list is important. To determine how to order databases in the Selected Databases list, follow these recommendations:

Place databases that will allow most authentications to succeed as near to the top of the list as possible.

Place databases associated with particularly time-sensitive AAA clients or authentication protocols as near to the top of the list as possible.

For example, if wireless LAN users access your network with PEAP, arrange the databases in the Selected Databases list so that unknown user processing takes less than the timeout value specified on the Cisco Aironet Access Point.

Configuring the Unknown User Policy

In CiscoSecure ACS, an unknown user is defined as a user for whom no account has been created within the CiscoSecure user database.

To specify how CiscoSecure ACS should handle users who are not in the CiscoSecure user database, follow these steps:


Step 1 In the navigation bar, click External User Databases.

Step 2 Click Unknown User Policy.

Step 3 To deny authentication requests for any unknown user, select the Fail the attempt option.

Step 4 To allow authentication requests for unknown users, follow these steps:

a. Select the Check the following external user databases option.

b. For each database you need Cisco Secure ACS to use when attempting to authenticate unknown users, select the database in the External Databases list and click --> (right arrow button) to move it to the Selected Databases list. To remove a database from the Selected Databases list, select the database, and then click <-- (left arrow button) to move it back to the External Databases list.

c. To assign the order in which Cisco Secure ACS should use the selected external databases when attempting to authenticate an unknown user, select a database name from the Selected Databases list and click Up or Down to move it into the position you want.


Tip Place at the top of the list databases that are most likely to authenticate unknown users or those databases that are associated with AAA clients or authentication protocols that are particularly time-sensitive, such as PEAP.


d. Repeat Step a through Step c until the selected databases are in the order needed.

Step 5 Click Submit.

CiscoSecure ACS saves and implements the Unknown User Policy configuration you created. CiscoSecure ACS attempts to authenticate unknown users using the databases in the order listed in the Selected Databases list.


Turning off External User Database Authentication

You can configure CiscoSecure ACS so that users who are not in the CiscoSecure user database are not permitted to authenticate.

To turn off external user database authentication, follow these steps:


Step 1 In the navigation bar, click External User Databases.

Step 2 Click Unknown User Policy.

Step 3 Select the Fail the attempt option.

Step 4 Click Submit.

Unknown user processing is halted. CiscoSecure ACS does not allow unknown users to authenticate with external user databases.