User Guide for Cisco Secure ACS Solution Engine 4.0 - User Databases [Cisco Secure Access Control Server Solution Engine]

Table Of Contents

User Databases

ACS Internal Database

About the ACS Internal Database

User Import and Creation

About External User Databases

Authenticating with External User Databases

External User Database Authentication Process

Windows User Database

Windows User Database Support

Authentication with Windows User Databases

Trust Relationships

Windows Dial-Up Networking Clients

Windows Dial-Up Networking Clients with a Domain Field

Windows Dial-Up Networking Clients without a Domain Field

Usernames and Windows Authentication

Username Formats and Windows Authentication

Nondomain-Qualified Usernames

Domain-Qualified Usernames

UPN Usernames

EAP and Windows Authentication

EAP-TLS Domain Stripping

Machine Authentication

Machine Access Restrictions

Microsoft Windows and Machine Authentication

Enabling Machine Authentication

User-Changeable Passwords with Windows User Databases

Preparing Users for Authenticating with Windows

Selecting Remote Agents for Windows Authentication

Windows User Database Configuration Options

Configuring a Windows External User Database

Generic LDAP

ACS Authentication Process with a Generic LDAP User Database

Multiple LDAP Instances

LDAP Organizational Units and Groups

Domain Filtering

LDAP Failover

Successful Previous Authentication with the Primary LDAP Server

Unsuccessful Previous Authentication with the Primary LDAP Server

LDAP Admin Logon Connection Management

Distinguished Name Caching

LDAP Configuration Options

Configuring a Generic LDAP External User Database

Downloading a Certificate Database

LEAP Proxy RADIUS Server Database

Configuring a LEAP Proxy RADIUS Server External User Database

Token Server User Databases

About Token Servers and ACS

Token Servers and ISDN

RADIUS-Enabled Token Servers

About RADIUS-Enabled Token Servers

Token Server RADIUS Authentication Request and Response Contents

Configuring a RADIUS Token Server External User Database

Deleting an External User Database Configuration

User Databases

The Cisco Secure Access Control Server Release 4.0 Solution Engine, hereafter referred to as ACS, authenticates users against one of several possible databases, including its internal database. You can configure ACS to authenticate users with more than one type of database. With this flexibility you can use user account data that is collected in different locations without having to explicitly import the users from each external user database into the ACS internal database. You can also apply different databases to different types of users, depending on the security requirements that are associated with user authorizations on your network. For example, a common configuration is to use a Windows user database for standard network users and a token server for network administrators.

Note For information about the Unknown User Policy and group mapping features, see Chapter 16, "Unknown User Policy" and Chapter 17, "User Group Mapping and Specification."

This chapter contains the following topics:

•ACS Internal Database

•About External User Databases

•Windows User Database

•Generic LDAP

•LEAP Proxy RADIUS Server Database

•Token Server User Databases

•Deleting an External User Database Configuration

ACS Internal Database

The ACS internal database supports authentication by using:

•American Standard Code for Information Interchange (ASCII)

•Password Authentication Protocol (PAP)

•Challenge Handshake Authentication Protocol (CHAP)

•Microsoft-Challenge Handshake Authentication Protocol (MS-CHAP)

•AppleTalk Remote Access Protocol (ARAP)

•Lightweight and Efficient Application Protocol (LEAP)

•Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

•Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

•Protected Extensible Authentication Protocol (PEAP) Extensible Authentication Protocol-Generic Token Card (EAP-GTC)

•Protected Extensible Authentication Protocol (PEAP) Extensible Authetication Protocol-Microsoft-Challenge Handshake Authentication Protocol (EAP-MS-CHAPv2)

•Extensible Authentication Protocol-Flexible Authentication via Secure Tunnelling (EAP-FAST) (phase zero and phase two)

The ACS internal database is crucial for the authorization process. Regardless of whether a user is authenticated by the internal user database or by an external user database, ACS authorizes network services for users based on group membership and specific user settings in the ACS internal database. Thus, all users that ACS authenticates, even those authenticated by an external user database, have an account in the ACS internal database.

About the ACS Internal Database

For users who are authenticated by using the ACS internal database, ACS stores user passwords in a database which is protected by an administration password and encrypted by using the AES 128 algorithm. For users who are authenticated with external user databases, ACS does not store passwords in the ACS internal database.

Unless you have configured ACS to authenticate users with an external user database, ACS uses usernames and passwords in the ACS internal database during authentication. For more information about specifying an external user database for authentication of a user, see Adding a Basic User Account, page 7-3.

User Import and Creation

Of the four ways to create user accounts in ACS, Relational Database Management System (RDBMS) Synchronization supports importing user accounts from external sources. The four ways are:

•ACS web interface—The web interface provides the ability to create user accounts manually, one user at a time. Regardless of how a user account was created, you can edit a user account by using the web interface. For detailed steps, see Adding a Basic User Account, page 7-3.

•Unknown User Policy—The Unknown User Policy enables ACS to add users automatically when it finds a user without an account in an external user database. The creation of a user account in ACS occurs only when the user attempts to access the network and is successfully authenticated by an external user database. For more information, see Chapter 16, "Unknown User Policy."

If you use the Unknown User Policy, you can also configure group mappings so that each time a user who was added to ACS by the Unknown User Policy is authenticated, the user group assignment is made dynamically. For some external user database types, user group assignment is based on group membership in the external user database. For other database types, all users who were authenticated by a given database are assigned to a single ACS user group. For more information about group mapping, see Chapter 17, "User Group Mapping and Specification."

•RDBMS Synchronization—You can use RDBMS Synchronization to create large numbers of user accounts and configure many settings for user accounts. We recommend that you use this feature whenever you need to import users by bulk; however, setting up RDBMS Synchronization for the first time requires several important decisions and time to implement them. For more information, see RDBMS Synchronization, page 9-16.

•Database Replication—Database Replication creates user accounts on a secondary ACS by overwriting all existing user accounts on a secondary ACS with the user accounts from the primary ACS. Any user accounts that are unique to a secondary ACS are lost in the replication. For more information, see ACS Internal Database Replication, page 9-1.

About External User Databases

You can configure ACS to forward authentication of users to one or more external user databases. Support for external user databases means that ACS does not require that you create duplicate user entries in the user database. In organizations in which a substantial user database already exists, ACS can leverage the work already invested in building the database without any additional input.

In addition to performing authentication for network access, ACS can perform authentication for TACACS+ enabling privileges by using external user databases. For more information about TACACS+ enable passwords, see Setting TACACS+ Enable Password Options for a User, page 7-23.

Note You can only use external user databases to authenticate users and to determine the group to which ACS assigns a user. The ACS internal database provides all authorization services. With few exceptions, ACS cannot retrieve authorization data from external user databases. Exceptions are noted where applicable in the discussions of specific databases in this chapter. For more information about group mapping for unknown users, see Chapter 17, "User Group Mapping and Specification."

Users can be authenticated by using the following databases:

•Windows User Database (for ACS for Windows or for the ACS Solution Engine remote agent for Windows)

•Generic Lightweight Directory Access Protocol (LDAP)

•Novell NetWare Directory Services (NDS) (through Generic LDAP support)

•LEAP Proxy Remote Access Dial-In User Service (RADIUS) servers

•RADIUS-compliant token servers

For ACS to interact with an external user database, ACS requires an API for the third-party authentication source. The ACS communicates with the external user database using the API.

Authenticating with External User Databases

Authenticating users with an external user database requires more than configuring ACS to communicate with an external user database. Performing one of the configuration procedures in this chapter for an external database does not, on its own, instruct ACS to authenticate any users with that database.

After you have configured ACS to communicate with an external user database, you can configure ACS to authenticate users with the external user database in one of two ways:

•By Specific User Assignment—You can configure ACS to authenticate specific users with an external user database. To do this, the user must exist in the ACS internal database and you must set the Password Authentication list in User Setup to the external user database that ACS should use to authenticate the user.

While setting the Password Authentication for every user account is time-consuming, this method of determining which users are authenticated with an external user database is secure because it requires explicit definition of who should authenticate by using the external user database. In addition, the users may be placed in the desired ACS group and thereby receive the applicable access profile.

•By Unknown User Policy—You can configure ACS to attempt authentication of users who are not in the ACS internal database by using an external user database. You do not need to define new users in the ACS internal database for this method. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3.

You can also configure ACS with both of the previous methods; these two methods are not mutually exclusive.

External User Database Authentication Process

When ACS attempts user authentication with an external user database, it forwards the user credentials to the external user database. The external user database passes or fails the authentication request from ACS. On receiving the response from the external user database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the external user database. Figure 13-1 shows a AAA configuration with an external user database.

Figure 13-1 A Simple AAA Scenario

The specifics of the method that is used to communicate with the external user database vary with the database type. For LDAP and Novell NDS, ACS uses TCP connections. For Windows user databases, ACS uses the authentication API provided in the Windows operating system. ACS communicates with token servers by using RADIUS.

For more information, see the section regarding the database type in which you are interested.

Windows User Database

You can configure ACS to use a Windows user database to authenticate users.

This section contains the following topics:

•Windows User Database Support

•Authentication with Windows User Databases

•Trust Relationships

•Windows Dial-Up Networking Clients

–Windows Dial-Up Networking Clients with a Domain Field

–Windows Dial-Up Networking Clients without a Domain Field

•Usernames and Windows Authentication

–Username Formats and Windows Authentication

–Nondomain-Qualified Usernames

–Domain-Qualified Usernames

–UPN Usernames

•EAP and Windows Authentication

–EAP-TLS Domain Stripping

–Machine Authentication

–Machine Access Restrictions

–Microsoft Windows and Machine Authentication

–Enabling Machine Authentication

•User-Changeable Passwords with Windows User Databases

•Preparing Users for Authenticating with Windows

•Windows User Database Configuration Options

•Configuring a Windows External User Database

Windows User Database Support

ACS supports the use of Windows external user databases for:

•User Authentication— ACS supports ASCII, PAP, MS-CHAP (versions 1 and 2), LEAP, PEAP (EAP-GTC), PEAP (EAP-MS-CHAPv2), and EAP-FAST (phase zero and phase two) authentication with Windows Security Accounts Manager (SAM) database or a Windows Active Directory database. ACS also supports EAP-TLS authentication with a Windows Active Directory database. Windows external databases support no other authentication protocols.

Note A different external user database might support authentication protocols that are not supported with Windows external user databases. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7.

•Machine Authentication—ACS supports machine authentication with EAP-TLS and PEAP (EAP-MS-CHAPv2). For more information, see EAP and Windows Authentication.

•Group Mapping for Unknown Users— ACS supports group mapping for unknown users by requesting group membership information from Windows user databases. For more information about group mapping for users authenticated with a Windows user database, see Group Mapping by Group Set Membership, page 17-3.

•Password-Aging— ACS supports password aging for users who are authenticated by a Windows user database. For more information, see User-Changeable Passwords with Windows User Databases.

•Dial-in Permissions—ACS supports use of dial-in permissions from Windows user databases. For more information, see Preparing Users for Authenticating with Windows.

•Callback Settings—ACS supports use of callback settings from Windows user databases. For information about configuring ACS to use Windows callback settings, see Setting the User Callback Option, page 7-6.

Authentication with Windows User Databases

ACS forwards user credentials to a Windows database by passing the user credentials to the Windows operating system of the computer that is running the remote agent. The Windows database passes or fails the authentication request from ACS. When receiving the response from the Windows database, the remote agent forwards the response to ACS, and ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the Windows database.

ACS grants authorization based on the ACS group to which the user is assigned. While you can determine the group to which a user is assigned information from the Windows database, it is ACS that grants authorization privileges.

To further control access by a user, you can configure ACS to also check the setting for granting dial-in permission to the user. This setting is labeled Grant dialin permission to user in Windows NT and Allow access in the Remote Access Permission area in Windows 2000 and Windows 2003. If this feature is disabled for the user, access is denied; even if the username and password are typed correctly.

Trust Relationships

ACS can take advantage of trust relationships established between Windows domains. If the domain that contains the computer running the Windows remote agent trusts another domain, ACS can authenticate users whose accounts reside in the other domain. ACS can also reference the Grant dialin permission to user setting across trusted domains.

Note If the ACS Solution Engine remote agent is running on a member server, rather than a domain controller, taking advantage of trust relationships depends on proper configuration of the remote agent at installation. For more information, see "Configuring for Member Server Authentication" in the Installation and Configuration Guide for Cisco Secure ACS Remote Agents 4.0.

ACS can take advantage of indirect trusts for Windows authentication. Consider the example of Windows domains A, B, and C, where the remote agent resides on a server in domain A. Domain A trusts domain B, but no trust relationship is established between domain A and domain C. If domain B trusts domain C, the remote agent in domain A can authenticate users whose accounts reside in domain C, making use of the indirect trust of domain C.

For more information on trust relationships, refer to your Microsoft Windows documentation.

Windows Dial-Up Networking Clients

The dial-up networking clients for Windows NT/2000/2003/XP Professional and Windows 95/98/Millennium Edition (ME)/XP Home enable users to connect to your network remotely; but the fields that are provided differ.

Windows Dial-Up Networking Clients with a Domain Field

If users dial in to your network by using the dial-up networking client that is provided with Windows NT, Windows 2000, Windows 2003, or Windows XP Professional, three fields appear:

•username—Type your username.

•password—Type your password.

•domain—Type your valid domain name.

Note For more information about the implications of completing or leaving the domain box blank, see Nondomain-Qualified Usernames.

Windows Dial-Up Networking Clients without a Domain Field

If users access your network by using the dial-up networking client that is provided with Windows 95, Windows 98, Windows ME, or Windows XP Home, two fields appear:

•username—Type your username.

Note You can also prefix your username with the name of the domain in to which you want to log. For more information about the implications of prefixing or not prefixing the domain name before the username, see Nondomain-Qualified Usernames.

•password—Type your password.

Usernames and Windows Authentication

This section contains the following topics:

•Username Formats and Windows Authentication

•Nondomain-Qualified Usernames

•Domain-Qualified Usernames

•UPN Usernames

Username Formats and Windows Authentication

ACS supports Windows authentication for usernames in a variety of formats. When ACS attempts Windows authentication, it first determines the username format and submits the username to Windows in the applicable manner. To implement reliable Windows authentication with ACS, you must understand how ACS determines a username format, how it supports each of these formats, and how the types of support are related.

To determine the format of a username that is submitted for Windows authentication, ACS searches the username for the:

•At symbol (@)

•Backslash (\)

Based on the presence and position of these two characters in the username, ACS determines username format by using the following logic:

1. If the username does not contain a backslash (\) and does not contain an at symbol (@), ACS considers the username to be nondomain qualified. For example, the username cyril.yang is nondomain qualified. For more information, see Nondomain-Qualified Usernames.

2. If the username contains a backslash (\) that precedes any at characters, ACS considers the username to be domain qualified. For example, ACS considers the following usernames to be domain qualified:

–MAIN\cyril.yang

–MAIN\cyril.yang@central-office

For more information, see Domain-Qualified Usernames.

3. If the username contains an at symbol (@) that does not follow a backslash (\), ACS considers the username to be in User Principal Name (UPN) format. For example, ACS considers the following usernames to be UPN usernames:

–cyril.yang@example.com

–cyril.yang@main.example.com

–cyril.yang@main

–cyril.yang@central-office@example.com

–cyril.yang@main\example.com

For more information, see UPN Usernames.

Nondomain-Qualified Usernames

ACS supports Windows authentication of usernames that are not domain qualified, provided the username does not contain an at symbol (@). Users with at symbols (@) in their usernames must submit the username in UPN format or in a domain-qualified format. Examples of nondomain-qualified usernames are cyril.yang and msmith.

In Windows environments with multiple domains, authentication results with nondomain-qualified usernames can vary. This variance occurs because Windows, not ACS, determines which domains are used to authenticate a nondomain-qualified username. If Windows does not find the username in its local domain database, it then checks all trusted domains. If the remote agent runs on a member server and the username is not found in trusted domains, Windows also checks its local accounts database. Windows attempts to authenticate a user with the first occurrence of the username that it finds.

When Windows authentication for a nondomain-qualified username succeeds, the privileges that are assigned during authentication will be those that are associated with the Windows user account in the first domain with a matching username and password. This condition also illustrates the importance of removing usernames from a domain when the user account is no longer needed.

Note If the credentials that the user submits do not match the credentials that are associated with the first matching username that Windows finds, authentication fails. Thus, if different users in different domains share the same exact username, logging in with a nondomain-qualified username can result in inadvertent authentication failure.

Use of the Domain List is not required to support Windows authentication, but it can alleviate authentication failures that nondomain-qualified usernames cause. If you have configured the Domain List in the Windows User Database Configuration page of the External User Databases section, ACS submits the username and password to each domain in the list in a domain-qualified format until it successfully authenticates the user. If ACS has tried each domain in the Domain List or if no trusted domains have been configured in the Domain List, ACS stops attempting to authenticate the user and does not grant that user access.

Note If your Domain List contains domains and your Windows Security Account Manager (SAM) or Active Directory user databases are configured to lock out users after a number of failed attempts, users can be inadvertently locked out because ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains.

Domain-Qualified Usernames

The most reliable method of authenticating users against a specific domain is to require users to submit the domains that they should be authenticated against along with their usernames. Authentication of a domain-qualified username is directed to a specific domain; rather than depending on Windows to attempt authentication with the correct domain or on using the Domain List to direct ACS to submit the username repeatedly in a domain-qualified format.

Domain-qualified usernames have the following format:
DOMAIN\user 
For example, the domain-qualified username for user Mary Smith (msmith) in Domain10 would be Domain10\msmith.

For usernames containing an at symbol (@), such as cyril.yang@central-office, using a domain-qualified username format is required. For example, MAIN\cyril.yang@central-office. If a username containing an at symbol (@) is received in a nondomain-qualified format, ACS perceives it as a username in UPN format. For more information, see UPN Usernames.

UPN Usernames

ACS supports authentication of usernames in UPN format, such as cyril.yang@example.com or cyril.yang@central-office@example.com.

If the authentication protocol is EAP-TLS, by default, ACS submits the username to Windows in UPN format; however, you can configure ACS to strip from the username all characters after and including the last at symbol (@). For more information, see EAP-TLS Domain Stripping.

For all other authentication protocols that it can support with Windows databases, ACS submits the username to Windows that is stripped of all characters after and including the last at symbol (@). This behavior allows for usernames that contain an at symbol (@). For example:

•If the username received is cyril.yang@example.com, ACS submits to Windows an authentication request containing the username cyril.yang.

•If the username received is cyril.yang@central-office@example.com, ACS submits to Windows an authentication request containing the username cyril.yang@central-office.

Note ACS cannot tell the difference between a nondomain-qualified username that contains an at symbol (@) and a UPN username; all usernames containing an at symbol (@) that do not follow a backslash (\) are submitted to Windows with the final at symbol (@) and the characters that follow it removed. Users with at symbols (@) in their usernames must submit the username in UPN format or in a domain-qualified format.

EAP and Windows Authentication

This section contains information about Windows-specific EAP features that you can configure on the Windows User Database Configuration page.

This section contains the following topics:

•EAP-TLS Domain Stripping

•Machine Authentication

•Machine Access Restrictions

•Microsoft Windows and Machine Authentication

•Enabling Machine Authentication

EAP-TLS Domain Stripping

If you use Windows Active Directory to authenticate users with EAP-TLS, you can use ACS to strip the domain name from the username that is stored in the Subject Alternative Name (SAN) field of the user certificate. Performing domain name stripping can speed EAP-TLS authentication when the domain that must authenticate a user is not the domain represented in the SAN field.

For example, a user's SAN field might contain jsmith@corporation.com but jsmith might need to authenticate by using the domain controller for a subdomain named engineering. Stripping @corporation.com from the username eliminates the needless attempt at authenticating jsmith against the corporation.com domain controller. Without stripping the domain name, only after jsmith cannot be found in corporation.com will ACS use the Domain List and find the user in the engineering domain. The additional delay could be several seconds. For more information about the Domain List, see Nondomain-Qualified Usernames.

You can enable EAP-TLS domain name stripping on the Windows User Database Configuration page.

Note EAP-TLS domain name stripping operates independently of support for UPN-formatted usernames. For information about support for Windows authentication of UPN-formatted usernames, see UPN Usernames.

Machine Authentication

ACS supports the authentication of computers that are running the Microsoft Windows operating systems that support EAP computer authentication, such as Windows XP with Service Pack 1. Machine authentication, also called computer authentication, allows networks services only for computers known to Active Directory. This feature is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.

When machine authentication is enabled, there are three different types of authentications. When starting a computer, the authentications occur in this order:

•Machine authentication—ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.

•User domain authentication—If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. In this case, the user can log in to only the local system. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.

Tip If a computer fails machine authentication and the user has not successfully logged in to the domain by using the computer since the most recent user password change, the cached credentials on the computer will not match the new password. Instead, the cached credentials will match an older password of the user, provided that the user once logged in to the domain successfully from this computer.

•User network authentication—ACS authenticates the user, allowing the user to have network connectivity. If the user profile exists, the user database that is specified is used to authenticate the user. While the user database is not required to be the Windows user database, most Microsoft clients can be configured to automatically perform network authentication by using the same credentials used for user domain authentication. This method allows for a single sign-on.

Note Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has selected to shutdown or restart the computer; rather than just logging off.

ACS supports EAP-TLS and PEAP (EAP-MS-CHAPv2) for machine authentication. You can enable each separately on the Windows User Database Configuration page, which allows a mix of computers that authenticate with EAP-TLS or PEAP (EAP-MS-CHAPv2). Microsoft operating systems that perform machine authentication might limit the user authentication protocol to the same protocol that is used for machine authentication. For more information about Microsoft operating systems and machine authentication, see Microsoft Windows and Machine Authentication.

The Unknown User Policy supports machine authentication. Computers that were previously unknown to ACS are handled similarly to users. If the Unknown User Policy is enabled and an Active Directory external user database is included on the Selected Databases list on the Configure Unknown User Policy page, machine authentication succeeds; provided that the machine credentials presented to Active Directory are valid.

On a computer that is configured to perform machine authentication, machine authentication occurs when the computer started. Provided that the AAA client sends RADIUS accounting data to ACS, when a computer is started and before a user logs in on that computer, the computer appears on the Logged-In Users List in the Reports and Activity section. Once user authentication begins, the computer no longer appears on the Logged-In Users List.

PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
host/computer.domain 
where computer is the name of the computer and domain is the domain to which the computer belongs. The domain segment might also include subdomains, if they are used; so that the format may be:
host/computer.subdomain.domain 
The usernames of computers that are authenticated must appear in the ACS internal database. If you enable unknown user processing, ACS adds them automatically once they authenticate successfully. During authentication, the domain name is not used.

EAP-TLS-based machine authentication uses EAP-TLS to authenticate the computer that is using a client certificate. The certificate that the computer uses can be one installed automatically when the computer was added to the domain or one that was added to the local machine storage later. As with PEAP-based machine authentication, the computer name must appear in the ACS internal database in the format contained in the computer client certificate and the user profile corresponding to the computer name must be configured to authenticate by using the Windows external user database. If you enable unknown user processing, ACS adds the computer names to the ACS internal database automatically; once they authenticate successfully. It also automatically configures the user profiles that are created to use the external user database in which the user was found. For machine authentication, this will always be the Windows external user database.

Machine Access Restrictions

You can use the machine access restrictions (MAR) feature as an additional means of controlling authorization for Windows-authenticated EAP-TLS, EAP-FASTv1a, and Microsoft PEAP users, based on machine authentication of the computer used to access the network.

When you enable the feature:

•For every successful machine authentication, ACS caches the value that was received in the Internet Engineering Task Force (IETF) RADIUS Calling-Station-Id attribute (31) as evidence of the successful machine authentication. ACS stores each Calling-Station-Id attribute value for the number of hours that is specified on the Windows User Database Configuration page before deleting it from the cache.

•When a user authenticates with an EAP-TLS, EAP-FASTv1a, or Microsoft PEAP end-user client, ACS searches the cache of Calling-Station-Id values from successful machine authentications for the Calling-Station-Id value received in the user authentication request. Whether ACS finds the user-authentication Calling-Station-Id value in the cache affects how ACS assigns the user requesting authentication to a user group.

–Calling-Station-Id value found in the cache—ACS assigns the user to a user group by normal methods, which include manual specification of a group in the user profile, group mapping, or RADIUS-based group specification. For example, if a user logs in with a computer that was successfully authenticated and the user profile indicates that the user is a member of group 137, ACS applies to the user session the authorization that were settings specified in group 137.

–Calling-Station-Id value not found in the cache—ACS assigns the user to the user group specified by Group map for successful user authentication without machine authentication list. This can include the <No Access> group.

Note User profile settings always override group profile settings. If a user profile grants an authorization that is denied by the group specified in the Group map for successful user authentication without machine authentication list, ACS grants the authorization.

The MAR feature supports full EAP-TLS, EAP-FASTv1a, and Microsoft PEAP authentication, as well as resumed sessions for EAP-TLS and Microsoft PEAP and fast reconnections for Microsoft PEAP.

The MAR feature has the following limitations and requirements:

•Machine authentication must be enabled.

•Users must authenticate with EAP-TLS, EAP-FASTv1a, or a Microsoft PEAP client. MAR does not apply to users who are authenticated by other protocols, such as EAP-FAST, LEAP, or MS-CHAP.

•The AAA client must send a value in the IETF RADIUS Calling-Station-Id attribute (31).

•ACS does not replicate the cache of Calling-Station-Id attribute values from successful machine authentications.

•Users that are authenticated through dial-up will always be treated according to the MAR configuration, since there is no machine authentication when by using dial up. A user will be mapped to a specific group, as defined in the External User Databases > Database Group Mappings > Windows Database settings, when machine authentication occurs. If group mapping is not configured, the user will be mapped to the default group.

Setting Up a MAR Exception List

You might need to set up a MAR exception list if you need to set up specific users (for example managers and administrators) to have access to the network; regardless of whether they pass machine authentication. This feature allows you to select user groups that would be exempt from the MAR.

Before You Begin

So that users can immediately authenticate as part of the MAR exception list, you should set up the required number of groups and permissions before changing your Windows database settings. To manage your group settings, see Group TACACS+ Settings, page 6-2 and Listing Users in a User Group, page 6-40.

To set up a MAR exception list for selected user groups:

Step 1 From the navigation bar, choose External User Databases > Database Configuration > Windows Database.

Step 2 Click Configure.

Step 3 In the Windows User Database Configuration page, enable the correct machine authentication settings and move the user groups that you want to include in the MAR exemption list to the Selected Groups list.

Step 4 Click Submit.

The exception list is based on ACS user groups to which the relevant NT groups would map. You can create exceptions for several user groups, and map different authorization permission to each group.

Microsoft Windows and Machine Authentication

ACS supports machine authentication with Active Directory in Windows 2000 and 2003. To enable machine authentication support in Windows Active Directory you must:

1. Apply Service Pack 4 to the computer that is running Active Directory.

2. Complete the steps in Microsoft Knowledge Base Article 306260: Cannot
Modify Dial-In Permissions for Computers That Use Wireless Networking.

Client operating systems that support machine authentication are:

•Microsoft Windows XP with Service Pack 1 applied.

•Microsoft Windows 2000 with:

–Service Pack 4 applied.

–Patch Q313664 applied (available from Microsoft.com).

•Microsoft Windows 2003

The following list describes the essential details of enabling machine authentication on a client computer with a Cisco Aironet 350 wireless adapter. For more information about enabling machine authentication in Microsoft Windows operating systems, please refer to Microsoft documentation.

1. Ensure that the wireless network adapter is installed correctly. For more information, see the documentation that is provided with the wireless network adapter.

2. Ensure that the certification authority (CA) certificate of the CA that issued the ACS server certificate is stored in machine storage on client computers. User storage is not available during machine authentication; therefore, if the CA certificate is in user storage, machine authentication fails.

3. Select the wireless network:

–In Windows XP, you can choose Windows Network Connection > Properties > Network Connection Properties.

–In Windows 2000, you can manually enter the Service Set Identifier (SSID) of the wireless network. Use the Advanced tab of the properties dialog box for the wireless network adapter.

4. To enable PEAP machine authentication, configure the Authentication tab. In Windows XP, the Authentication tab is available from the properties of the wireless network. In Windows 2000, it is available from the properties of the wireless network connection. To configure the Authentication tab:

a. Check the Enable network access control using IEEE 802.1X check box.

b. Check the Authenticate as computer when computer information is available check box.

c. From the EAP type list, select Protected EAP (PEAP).

d. On the Protected EAP Properties dialog box, you can enforce that ACS has a valid server certificate by checking the Validate server certificate check box. If you do check this check box, you must also select the applicable Trusted Root Certification Authorities.

e. Also open the PEAP properties dialog box, from the Select Authentication Method list, select Secured password (EAP-MS-CHAP v2).

5. To enable EAP-TLS machine authentication, configure the Authentication tab. In Windows XP, the Authentication tab is available from the properties of the wireless network. In Windows 2000, it is available from the properties of the wireless network connection.

a. Check the Enable network access control using IEEE 802.1X check box.

b. Check the Authenticate as computer when computer information is available check box.

c. From the EAP type list, select Smart Card or other Certificate.

d. On the Smart Card or other Certificate Properties dialog box, select the Use a certificate on this computer option.

e. Also on the Smart Card or other Certificate Properties dialog box, you can enforce that ACS has a valid server certificate by checking the Validate server certificate check box. If you check this check box, you must also select the applicable Trusted Root Certification Authorities.

If you have a Microsoft certification authority server that is configured on the domain controller, you can configure a policy in Active Directory to produce a client certificate automatically when a computer is added to the domain. For more information, see the Microsoft Knowledge Base Article 313407, HOW TO: Create Automatic Certificate Requests with Group Policy in Windows.

Enabling Machine Authentication

This procedure contains an overview of the detailed procedures required to configure ACS to support machine authentication.

Note You must configure end-user client computers and the applicable Active Directory to support machine authentication. This procedure is specific to configuration of ACS only. For information about configuring Microsoft Windows operating systems to support machine authentication, see Microsoft Windows and Machine Authentication.

Before You Begin

Windows authentication requires that you install at least one ACS Remote Agent for Windows and complete the steps in Adding a Remote Agent, page 4-21. For information about installing the ACS Remote Agent for Windows, see the Installation and Configuration Guide for Cisco Secure ACS Remote Agents 4.0.

To enable ACS to perform machine authentication:

Step 1 Install a server certificate in ACS. PEAP (EAP-MS-CHAPv2) and EAP-TLS require a server certificate. ACS uses a single certificate to support both protocols. For detailed steps, see Installing an ACS Server Certificate, page 10-25.

Note If you have installed a certificate to support EAP-TLS or PEAP user authentication or to support HTTPS protection of remote ACS administration, you do not need to perform this step. A single server certificate will support all certificate-based ACS services and remote administration.

Step 2 For EAP-TLS machine authentication, if certificates on end-user clients are issued by a different CA than the CA that issued the server certificate on ACS, you must edit the certification trust list so that CAs that issue end-user client certificates are trusted. If you do not perform this step and the CA of the server certificate is not the same as the CA of an end-user client certificate CA, EAP-TLS will operate normally; but reject the EAP-TLS machine authentication because it does not trust the correct CA. For detailed steps, see Editing the Certificate Trust List, page 10-29.

Step 3 Enable the applicable protocols on the Global Authentication Setup page:

•To support machine authentication with PEAP, enable the PEAP (EAP-MS-CHAPv2) protocol.

•To support machine authentication with EAP-TLS, enable the EAP-TLS protocol.

Note If you are using a Network Access Profile (NAP), the same protocols must be enabled in the NAP configuration.

You can use ACS to complete this step only after you have successfully completed Step 1. For detailed steps, see Configuring Authentication Options, page 10-19.

Step 4 Configure a Windows external user database and enable the applicable types of machine authentication on the Windows User Database Configuration page:

•To support machine authentication with PEAP, check the Permit PEAP machine authentication check box.

•To support machine authentication with EAP-TLS, check the Permit EAP-TLS machine authentication check box.

•To require machine authentication in addition to user authentication, check the Enable machine access restrictions check box.

Note If you already have a Windows external user database configured, modify its configuration to enable the applicable machine authentication types.

For detailed steps, see Configuring a Windows External User Database.

Note Windows authentication requires an ACS Remote Agent for Windows.

ACS is ready to perform machine authentication for computers whose names exist in the ACS internal database.

Step 5 If you have not already enabled the Unknown User Policy and added the Windows external user database to the Selected Databases list, consider doing so to allow computers that are not known to ACS to authenticate. For detailed steps, see Configuring the Unknown User Policy, page 16-8.

Note Enabling the Unknown User Policy to support machine authentication also enables the Unknown User Policy for user authentication. ACS makes no distinction in unknown user support between computers and users.

Step 6 If you have users to whom you want to allow access to the network, even if they do not pass machine authentication, you might want to set up a list of user groups that are exempt from the MAR. For detailed steps, see Machine Access Restrictions.

ACS is ready to perform machine authentication for computers; regardless of whether the computer names exist in ACS internal database.

User-Changeable Passwords with Windows User Databases

For network users who are authenticated by a Windows user database, ACS supports user-changeable passwords on password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section. The use of this feature in your network requires that:

•Users must be present in the Windows Active Directory or SAM user database.

•User accounts in ACS must specify the Windows user database for authentication.

•End-user clients must be compatible with MS-CHAP, PEAP (EAP-GTC), PEAP (EAP-MS-CHAPv2), or EAP-FAST.

•The AAA client that the end-user clients connect to must support the applicable protocols:

–For MS-CHAP password aging, the AAA client must support RADIUS-based MS-CHAP authentication.

–For PEAP (EAP-MS-CHAPv2), PEAP (EAP-GTC), and EAP-FAST password aging, the AAA client must support EAP.

When the previous conditions are met and this feature is enabled, users receive a dialog box prompting them to change their passwords on their first successful authentication after their passwords have expired. The dialog box is the same as Windows presents to users when a user with an expired password accesses a network via a remote-access server.

For more information about password aging support in ACS, see Enabling Password Aging for Users in Windows Databases, page 6-19.

Preparing Users for Authenticating with Windows

Before using the Windows user database for authentication:

Step 1 Ensure that the username exists in the Windows user database.

Step 2 In Windows, for each user account, clear the following User Properties check boxes:

•User must change password at next logon

•Account disabled

Step 3 If you want to control dial-in access from within Windows NT, click Dial-in and select Grant dialin permission to user. In Windows 2000 and Windows 2003, access the User Properties dialog box, select the Dial-In tab, and in the Remote Access area, click Allow access. You must also configure the option to reference this feature under Database Group Mappings in the External User Databases section of ACS.

Selecting Remote Agents for Windows Authentication

Before you can configure ACS to authenticate users with a Windows external user database, you must select a primary remote agent that is to deliver authentication requests to the Windows operating system. You may also select a secondary remote agent for ACS to use if the primary remote agent is unavailable.

Before You Begin

To complete this procedure, you must have installed at least one ACS Remote Agent for Windows and completed the steps in Adding a Remote Agent, page 4-21.

To select remote agents for Windows authentication:

Step 1 In the navigation bar, click External User Databases.

Step 2 Click Database Configuration.

ACS displays a list of all possible external user database types.

Step 3 Click Windows Database.

ACS displays the External User Database Configuration page.

Step 4 Click Configure.

ACS displays the Windows Remote Agent Selection lists.

Step 5 From the Primary list, select the remote agent that ACS should always use to authenticate users, provided that the remote agent is available.

Step 6 From the Secondary list, select the remote agent that ACS should use to authenticate users when the remote agent selected in the Primary list is unavailable.

Note If you do not want to use a secondary remote agent, from the Secondary list, choose None.

Step 7 Click Submit.

ACS saves the remote agent selections that you made. The Windows User Database Configuration page appears.

Windows User Database Configuration Options

The Windows User Database Configuration page contains:

•Dialin Permission—You can restrict network access to users whose Windows accounts have Windows dial-in permission. The Grant dialin permission to user check box controls this feature.

Note This feature applies to all users when ACS authenticates with a Windows external user database; despite the name of the feature, it is not limited to users who access the network with a dial-up client but is applied regardless of client type. For example, if you have configured a PIX Firewall to authenticate Telnet sessions by using ACS as a RADIUS server, a user authenticated by a Windows external user database would be denied Telnet access to the PIX Firewall if the Dialin Permission feature is enabled and the Windows user account does not have dial-in permission.

Tip Windows dial-in permission is enabled in the Dialin section of user properties in Windows NT and on the Dial-In tab of the user properties in Windows 2000 and Windows 2003.

•Windows Callback—You should enable this setting if you have Windows users that require dial-up access with callback and the User Setup or Group Setup callback setting is configured for Windows Database Callback. If dial-in access with callback is not required or is not configured for Windows Database Callback, then do not enable this setting.

Note If you disable the Windows Callback option, be certain to disable the callback options in the User Setup or Group Setup callback settings. If the settings contain inconsistencies, the client will not receive the callback number.

•Unknown User Policy—If the unknown user policy contains additional external databases and the Windows database is not the last database on the Selected Databases list, you might enable this option. For example, If a user does not exist in the Windows database, or has typed an incorrect password, the error 1326(bad username or password) is returned. ACS treats this error as a wrong password error and does not default to another external database. You should enable this option when additional external databases appear after the Windows database in the Selected Databases list. When enabled, ACS searches for the unknown user in the other external databases.

•Configure Domain List—Use this option only when all the following occur:

–You are using PAP or MSCHAP.

–Usernames are not domain-prefixed.

–Duplicate usernames exist; for example, administrator.

When usernames are not domain-prefixed, and the same username occurs multiple times across the entire network, if no domains are in the Domain List, Windows can try to authenticate the wrong credentials. When Windows rejects the initial user-authentication request, ACS stops attempting to authenticate the user. For more information, see Nondomain-Qualified Usernames. If domains are in the Domain List, ACS qualifies the username with a domain from the list and submits the domain-qualified username to Windows, once for each domain in the Domain List, until each domain has rejected the user or until one of the domains authenticates the user.

In all other cases, leave the Domain List empty as it might cause performance problems if you use it when you do not need to. Also, each time ACS uses the Domain List and checks the wrong account, Windows counts that as a failed login for that user, which can cause an account lockout.

•MS-CHAP Settings—You can control whether ACS supports MS-CHAP-based password changes for Windows user accounts. You can use the Permit password changes by checking the MS-CHAP version N check boxes to specify which versions of MS-CHAP ACS supports.

Note The check boxes under MS-CHAP Settings do no affect password aging for Microsoft PEAP, EAP-FAST, or machine authentication.

For more information about Windows password changes, see Enabling Password Aging for Users in Windows Databases, page 6-19.

•Windows EAP Settings:

–Enable password change inside PEAP or EAP-FAST—The Permit password change inside PEAP or EAP-FAST check box controls whether ACS supports PEAP-based or EAP-FAST-based password changes for Windows user accounts. PEAP password changes are supported only when the end-user client uses PEAP (EAP-MS-CHAPv2) for user authentication. For EAP-FAST, ACS supports password changes in phase zero and phase two.

–EAP-TLS Strip Domain Name—The EAP-TLS Strip Domain Name check box controls whether ACS removes the domain name from a username that is derived from the Subject Alternative Name (SAN) field in an end-user certificate.

Performing domain name stripping can speed EAP-TLS authentication when the domain that must authenticate a user is not the domain that is represented in the SAN field. For example, a user's SAN field might contain jsmith@corporation.com but jsmith might need to authenticate by using the domain controller for a subdomain named engineering. Stripping @corporation.com from the username eliminates the needless attempt at authenticating jsmith against the corporation.com domain controller. Without stripping the domain name, only after jsmith cannot be found in corporation.com will ACS use the Domain List and find the user in the engineering domain. The additional delay could last several seconds.

–Enable PEAP machine authentication—This check box controls whether ACS performs machine authentication by using a machine name and password with PEAP (EAP-MS-CHAPv2). For more information about machine authentication, see Machine Authentication.

–Enable EAP-TLS machine authentication—This check box controls whether ACS performs machine authentication by using a machine name and password with EAP-TLS. For more information about machine authentication, see Machine Authentication.

–EAP-TLS and PEAP machine authentication name prefix—This box defines the string of characters that ACS adds to the beginning of any machine name being authenticated. By default, the end-user client prefixes machine names with host/. If the PEAP machine authentication name prefix box contains any text, ACS prefixes the machine name with this text instead.

Note If you configure the EAP-TLS and PEAP machine authentication name prefix box with a string other than host/, authentication might fail.

–Enable machine access restrictions—If you enable PEAP or EAP-TLS machine authentication, the Enable machine access restrictions check box controls whether ACS restricts network access of users who access the network with a computer that fails machine authentication. For more information about the MAR feature, see Machine Access Restrictions.

Note Ensure that you have enabled the types of machine authentication that your Windows computers are configured to use: PEAP machine authentication or EAP-TLS authentication, or both. If the MAR feature is enabled but ACS does not perform machine authentication for a computer, EAP-TLS and Microsoft PEAP users who access the network with that computer will be assigned to the group that is specified in the Group map for successful user authentication without machine authentication list.

Tip To enable machine access restrictions, you must specify a number greater than zero (0) in the Aging time (hours) box.

–Aging time (hours)—This box specifies the number of hours that ACS caches IETF RADIUS Calling-Station-Id attribute values from successful machine authentications, for use with the MAR feature. The default value is 12 hours, which means that ACS does not cache Calling-Station-Id values.

Note If you do not change the value of the Aging time (hours) box to something other than zero (0), all EAP-TLS and Microsoft PEAP users whose computers perform machine authentication are assigned to the group that is specified in the Group map for successful user authentication without machine authentication list.

Tip To clear the cache of Calling-Station-Id values, type zero (0) in the Aging time (hours) box and click Submit.

–Group map for successful user authentication without machine authentication—This list specifies the group profile that ACS applies to a user who accesses the network from a computer that has not passed machine authentication for longer than the number of hours specified in the Aging time (hours) box. To deny such users any access to the network, select <No Access> (which is the default setting).

Note User profile settings always override group profile settings. If a user profile grants an authorization that is denied by the group that is specified in the Group map for successful user authentication without machine authentication list, ACS grants the authorization.

–User Groups that are exempt from passing machine authentication— The Selected User Group list controls what ACS does when machine authentication is not successfully completed. If the Selected User Group list contains no groups and Windows rejects the initial machine authentication, ACS stops attempting to authenticate the user. If the Selected User Group list contains groups, ACS will provide authentication and the privileges within that group to the user; even though their computers are unknown to Active Directory.

Note Configuring the User Group list is optional. For more information about the user group management, see User Group Management, page 6-1.

Caution If your User Group list contains groups and you configure your Windows SAM or Active Directory user databases to lock out users after a number of failed attempts, users can be inadvertently locked out. You should ensure that your group settings are configured properly.

•Available User Groups—This list represents the user groups for which ACS requires machine authentication.

•Selected User Groups—This list represents the user groups for which ACS do not require machine authentication to gain entry into the network.

Configuring a Windows External User Database

Before You Begin

To complete this procedure, you must have completed the steps in Selecting Remote Agents for Windows Authentication.

For information about the options that are available on the Windows User Database Configuration page, see Windows User Database Configuration Options.

To configure ACS to authenticate users against the Windows user database in the trusted domains of your network:

Step 1 In the navigation bar, click External User Databases.

Step 2 Click Database Configuration.

ACS displays a list of all possible external user database types.

Step 3 Click Windows Database.

If no Windows database configuration exists, the Database Configuration Creation table appears. Otherwise, the External User Database Configuration page appears.

Step 4 Click Configure.

The Windows User Database Configuration page appears.

Step 5 As needed, configure the options in:

•Dialin Permission

•Windows Callback

•Unknown User Policy

•Domain List

•MS-CHAP Settings

•Windows EAP Settings

For information about the options on the Windows User Database Configuration page, see Windows User Database Configuration Options.

Note All the settings on the Windows User Database Configuration page are optional and need not be enabled; unless you want to permit and configure the specific features that they support.

Step 6 Click Submit.

ACS saves the Windows user database configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management."

Generic LDAP

ACS supports ASCII, PAP, EAP-TLS, PEAP (EAP-GTC), and EAP-FAST (phase two only) authentication via generic Lightweight Directory Access Protocol (LDAP) databases, such as the SunOne Directory Server. Other authentication protocols are not supported with LDAP external user databases.

Note Another type of external user database might support authentication protocols that are not supported with LDAP databases. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7.

ACS supports group mapping for unknown users by requesting group membership information from LDAP user databases. For more information about group mapping for users who are authenticated with an LDAP user database, see Group Mapping by Group Set Membership, page 17-3.

Configuring ACS to authenticate against an LDAP database has no effect on the configuration of the LDAP database. To manage your LDAP database, see your LDAP database documentation.

This section contains the following topics:

•ACS Authentication Process with a Generic LDAP User Database

•Multiple LDAP Instances

•LDAP Organizational Units and Groups

•Domain Filtering

•LDAP Failover

•LDAP Admin Logon Connection Management

•Distinguished Name Caching

•LDAP Configuration Options

•Configuring a Generic LDAP External User Database

•Downloading a Certificate Database

ACS Authentication Process with a Generic LDAP User Database

ACS forwards the username and password to an LDAP database by using a Transmission Control Protocol (TCP) connection on a port that you specify. The LDAP database passes or fails the authentication request from ACS. When receiving the response from the LDAP database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the LDAP server.

ACS grants authorization based on the ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the LDAP server, ACS grants authorization privileges.

Multiple LDAP Instances

You can create more than one LDAP configuration in ACS. By creating more than one LDAP configuration with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server. Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ACS LDAP configuration instance.

ACS does not require that each LDAP instance corresponds to a unique LDAP database. You can have more than one LDAP configuration set to access the same database. This method is useful when your LDAP database contains more than one subtree for users or groups. Because each LDAP configuration supports only one subtree directory for users and one subtree directory for groups, you must configure separate LDAP instances for each user directory subtree and group directory subtree combination for which ACS should submit authentication requests.

For each LDAP instance, you can add it to or omit it from the Unknown User Policy. For more information, see About Unknown User Authentication, page 16-3.

For each LDAP instance, you can establish unique group mapping. For more information, see Group Mapping by Group Set Membership, page 17-3.

Multiple LDAP instances are also important when you use domain filtering. For more information, see Domain Filtering.

LDAP Organizational Units and Groups

LDAP groups do not need the same name as their corresponding ACS groups. You can map the LDAP group to an ACS group with any name that you want to assign. For more information about how your LDAP database handles group membership, see your LDAP database documentation. For more information on LDAP group mappings and ACS, see Chapter 17, "User Group Mapping and Specification."

Domain Filtering

Using domain filtering, you can control which LDAP instance is authenticates a user based on domain-qualified usernames. Domain filtering is based on parsing the characters at the beginning or end of a username that is submitted for authentication. Domain filtering provides you with greater control over the LDAP instance to which ACS submits any given user authentication request. You can also control whether usernames are submitted to an LDAP server with their domain qualifiers intact.

For example, when EAP-TLS authentication a Windows XP client initiates, ACS receives the username in username@domainname format. When PEAP authentication is initiated by a Cisco Aironet end-user client, ACS receives the username without a domain qualifier. If both clients are to be authenticated with an LDAP database that stores usernames without domain qualifiers, ACS can strip the domain qualifier. If separate user accounts are maintained in the LDAP database—domain-qualified and nondomain-qualified user accounts—ACS can pass usernames to the LDAP database without domain filtering.

If you choose to make use of domain filtering, each LDAP configuration that you create in ACS can perform domain filtering:

•Limiting users to one domain—Per each LDAP configuration in ACS, you can require that ACS only attempts to authenticate usernames that are qualified with a specific domain name. This corresponds to the Only process usernames that are domain qualified option on the LDAP Configuration page. For more information about this option, see LDAP Configuration Options.

With this option, each LDAP configuration is limited to one domain and to one type of domain qualification. You can specify whether ACS strips the domain qualification before submitting the username to an LDAP server. If the LDAP server stores usernames in a domain-qualified format, you should not configure ACS to strip domain qualifiers.

Limiting users to one domain is useful when the LDAP server stores usernames differently per domain: by user context or how the username is stored in ACS—domain qualified or nondomain qualified. The end-user client or AAA client must submit the username to ACS in a domain-qualified format; otherwise ACS cannot determine the user's domain and does not attempt to authenticate the user with the LDAP configuration that uses this form of domain filtering.

•Allowing any domain but stripping domain qualifiers—Per each LDAP configuration in ACS, you can configure ACS to attempt to strip domain qualifiers based on common domain-qualifier delimiting characters. This method corresponds to the Process all usernames after stripping domain name and delimiter option on the LDAP Configuration page. For more information about this option, see LDAP Configuration Options.

ACS supports prefixed and suffixed domain qualifiers. A single LDAP configuration can attempt to strip both prefixed and suffixed domain qualifiers; however, you can only specify one delimiting character each for prefixed and suffixed domain qualifiers. To support more than one type of domain-qualifier delimiting character, you can create more than one LDAP configuration in ACS.

Allowing usernames of any domain but stripping domain qualifiers is useful when the LDAP server stores usernames in a nondomain-qualified format but the AAA client or end-user client submits the username to ACS in a domain-qualified format.

Note With this option, ACS submits usernames that are nondomain qualified, too. Usernames are not required to be domain qualified to be submitted to an LDAP server.

LDAP Failover

ACS supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication request fails because ACS could not connect to an LDAP server, such as when the server is down or is otherwise unreachable by ACS. To use this feature, you must define the primary and secondary LDAP servers on the LDAP Database Configuration page. Also, you must check the On Timeout Use Secondary check box. For more information about configuring an LDAP external user database, see Configuring a Generic LDAP External User Database.

If you check the On Timeout Use Secondary check box, and if the first LDAP server that ACS attempts to contact cannot be reached, ACS always attempts to contact the other LDAP server. The first server ACS attempts to contact might not always be the primary LDAP server. Instead, the first LDAP server that ACS attempts to contact depends on the previous LDAP authentications attempt and on the value that you enter in the Failback Retry Delay box.

Successful Previous Authentication with the Primary LDAP Server

If, on the previous LDAP authentication attempt, ACS successfully connected to the primary LDAP server, ACS attempts to connect to the primary LDAP server. If ACS cannot connect to the primary LDAP server, ACS attempts to connect to the secondary LDAP server.

If ACS cannot connect with LDAP server, ACS stops attempting LDAP authentication for the user. If the user is an unknown user, ACS tries the next external user database in the Unknown User Policy list. For more information about the Unknown User Policy list, see About Unknown User Authentication, page 16-3.

Unsuccessful Previous Authentication with the Primary LDAP Server

If, on the previous LDAP authentication attempt, ACS could not connect to the primary LDAP server, whether ACS first attempts to connect to the primary server or secondary LDAP server for the current authentication attempt depends on the value in the Failback Retry Delay box. If the Failback Retry Delay box is set to zero (0), ACS always attempts to connect to the primary LDAP server first. And if ACS cannot connect to the primary LDAP server, ACS then attempts to connect to the secondary LDAP server.

If the Failback Retry Delay box is set to a number other than zero (0), ACS determines how many minutes have passed since the last authentication attempt by using the primary LDAP server. If more minutes have passed than the value in the Failback Retry Delay box, ACS attempts to connect to the primary LDAP server first. And if ACS cannot connect to the primary LDAP server, ACS then attempts to connect to the secondary LDAP server.

If fewer minutes have passed than the value in the Failback Retry Delay box, ACS attempts to connect to the secondary LDAP server first. And if ACS cannot connect to the secondary LDAP server, ACS then attempts to connect to the primary LDAP server.

If ACS cannot connect to either LDAP server, ACS stops attempting LDAP authentication for the user. If the user is an unknown user, ACS tries the next external user database in the Unknown User Policy list. For more information about the Unknown User Policy list, see About Unknown User Authentication, page 16-3.

LDAP Admin Logon Connection Management

When ACS checks authentication and authorization of a user on an LDAP server, it uses a connection with the LDAP administrator account permissions. It uses the connection to search for the user and user groups on the Directory subtree. ACS retains the administrator connections that are open for successive use and additional administrator binds are not required for each authentication request. You can limit the maximum number of concurrent administrator connections per Generic LDAP External DB configuration (primary and secondary).

Distinguished Name Caching

Searching can be an expensive LDAP operation, which introduces an element of unpredictability into the authentication. ACS takes the username that the authentication process supplies, and asks the LDAP server to search a full subtree of unknown depth, over an unknown user population.

After successful authentication ACS caches the Distinguished Name (DN) that the search returns. Reauthentications can then use the cached DN to perform an immediate lookup of the user.

A cached DN cannot appear on a screen. If a bind to a cached DN fails, ACS falls back to a full search of the data base for authenticating a user.

LDAP Configuration Options

The LDAP Database Configuration page contains many options, presented in three tables:

•Domain Filtering—This table contains options for domain filtering. The settings in this table affect all LDAP authentication that is performed by using this configuration; regardless of whether the primary or secondary LDAP server handles the authentication. For more information about domain filtering, see Domain Filtering

This table contains:

–Process all usernames—When you select this option, ACS does not perform domain filtering on usernames before submitting them to the LDAP server for authentication.

–Only process usernames that are domain qualified—When you select this option, ACS only attempts authentication for usernames that are domain-qualified for a single domain. You must specify the type of domain qualifier and the domain in the Qualified by and Domain options. ACS only submits usernames that are qualified in the method that you specify in the Qualified by option and that are qualified with the username that is specified in the Domain Qualifier box. You can also specify whether ACS removes the domain qualifier from usernames before submitting them to an LDAP server.

–Qualified by—When you select Only process usernames that are domain qualified, this option specifies the type of domain qualification. If you select Prefix, ACS only processes usernames that begin with the characters that you specify in the Domain Qualifier box. If you select Suffix, ACS only processes usernames that end in the characters that you specify in the Domain Qualifier box.

Note Regardless of the domain qualifier type that is selected, the domain name must match the domain that is specified in the Domain Qualifier box.

–Domain Qualifier—When Only process usernames that are domain qualified is selected, this option specifies the domain name and delimiting character that must qualify usernames so ACS can submit the username to an LDAP server. The Domain box accepts up to 512 characters; however, only one domain name and its delimiting character are permitted.

For example, if the domain name is mydomain, the delimiting character is the at symbol (@), and Suffix is selected on the Qualified by list, the Domain box should contain @mydomain. If the domain name is yourdomain, the delimiting character is the backslash (\), and Prefix is selected on the Qualified by list, the Domain Qualifier box should contain yourdomain\.

–Strip domain before submitting username to LDAP server—When you select Only process usernames that are domain qualified, this option specifies whether ACS removes the domain qualifier and its delimiting character before submitting a username to an LDAP server. For example, if the username is jwiedman@domain.com, the stripped username is jwiedman.

–Process all usernames after stripping domain name and delimiter—When this option is selected, ACS submits all usernames to an LDAP server after attempting to strip domain names. Usernames that are not domain qualified are processed, too. Domain name stripping occurs as specified by the following two options:

–Strip starting characters through the last X character—When you select Process all usernames after stripping domain name and delimiter, this option specifies that ACS attempts to strip a prefixed domain qualifier. If, in the username, ACS finds the delimiter character that is specified in the X box, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the X box, ACS strips characters through the last occurrence of the delimiter character.

For example, if the delimiter character is the backslash (\) and the username is DOMAIN\echamberlain, ACS submits echamberlain to an LDAP server.

Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the X box contains any of these characters, stripping fails.

–Strip ending characters through the first Y character—When you select Process all usernames after stripping domain name and delimiter, this option specifies that ACS attempts to strip a suffixed domain qualifier. If, in the username, ACS finds the delimiter character that is specified in the Y box, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the character specified in the Y box, ACS strips characters starting with the first occurrence of the delimiter character.

For example, if the delimiter character is the at symbol (@) and the username is jwiedman@domain, then ACS submits jwiedman to an LDAP server.

Note The Y box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the Y box contains any of these characters, stripping fails.

•Common LDAP Configuration—This table contains options that apply to all LDAP authentication that is performed by using this configuration. ACS uses the settings in this section; regardless of whether the primary or secondary LDAP server handles the authentication.

•This table contains:

–User Directory Subtree—The distinguished name (DN) for the subtree that contains all users. For example:
		ou=organizational unit[,ou=next organizational unit]o=corporation.com 
If the tree containing users is the base DN, type:
o=corporation.com 
or
dc=corporation,dc=com 
as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

–Group Directory Subtree—The DN for the subtree that contains all groups. For example:
		ou=organizational unit[,ou=next organizational unit]o=corporation.com 
If the tree containing groups is the base DN, type:
o=corporation.com 
or
dc=corporation,dc=com 
as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation.

–UserObjectType—The name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. ACS contains default values that reflect the default configuration of a Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation.

–UserObjectClass—The value of the LDAP objectType attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user, some of which are shared with other object types. This box should contain a value that is not shared.

–GroupObjectType—The name of the attribute in the group record that contains the group name.

–GroupObjectClass—A value of the LDAP objectType attribute in the group record that identifies the record as a group.

–Group Attribute Name—The name of the attribute of the group record that contains the list of user records that are a member of that group.

–Server Timeout—The number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server has failed.

–On Timeout Use Secondary—Whether ACS performs failover of LDAP authentication attempts. For more information about the LDAP failover feature, see LDAP Failover.

–Failback Retry Delay—The number of minutes after the primary LDAP server fails to authenticate a user that ACS resumes sending authentication requests to the primary LDAP server first. A value of zero (0) causes ACS to always use the primary LDAP server first.

–Max. Admin Connections—The maximum number of concurrent connections (greater than zero (0)) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the Directory for users and groups under the User Directory Subtree and Group Directory Subtree.

•Primary and Secondary LDAP Servers—You can use the Primary LDAP Server table and the Secondary LDAP Server table to identify the LDAP servers and make settings that are unique to each. You do not need to complete the Secondary LDAP Server table if you do not intend to use LDAP failover. These tables contain:

–Hostname—The name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.

–Port—The TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication, port 636 is usually used.

–LDAP Version—Whether ACS uses LDAP version 3 or version 2 to communicate with your LDAP database. If you check this check box, ACS uses LDAP version 3. If it is not checked, ACS uses LDAP version 2.

–Security—Whether ACS uses SSL to encrypt communication between ACS and the LDAP server. If you do not enable SSL, user credentials are passed to the LDAP server in clear text. If you select this option, then you must select Trusted Root CA or Certificate Database Path. ACS supports only server-side authentication for SSL communication with the LDAP server. You must be sure the Port box contains the port number used for SSL on the LDAP server.

–Trusted Root CA — LDAP over SSL includes the option to authenticate by using the certificate database files other than the Netscape cert7.db file. This option uses the same mechanism as other SSL installations in the ACS environment. Select the certification authority that issued the server certificate that is installed on the LDAP server.

–Certificate DB Path—This option provides a link to the Download Certificate Database page. ACS displays information about whether the Netscape cert7.db certificate database file has been downloaded to support secure communication to the LDAP server that you specified. For information about the Download Certificate Database page, see Downloading a Certificate Database.

To perform secure authentication by using SSL with this option, you must provide a Netscape cert7.db certificate database file. ACS requires a certificate database so that it can establish the SSL connection. Since the certificate database must be local to the ACS Solution Engine, you must use FTP to transfer the certificate database to ACS.

ACS requires a Netscape cert7.db certificate database file for each LDAP server that you configure. For example, to support users distributed in multiple LDAP trees, you might configure two LDAP instances in ACS that can communicate with the same LDAP servers. Each LDAP instance then has a primary and a secondary LDAP server. Even though the two LDAP configurations share the same primary server, each LDAP configuration requires that you download a certificate database file to ACS.

Note The database must be a Netscape cert7.db certificate database file. No other filename is supported.

–Admin DN—The DN of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree. It must contain the following information about your LDAP server:

uid=user id,[ou=organizational unit,][ou=next organizational unit]o=organization

where user id is the username, organizational unit is the last level of the tree, and next organizational unit is the next level up the tree.

For example:
uid=joesmith,ou=members,ou=administrators,o=cisco 
You can use anonymous credentials for the administrator username if the LDAP server is configured to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches.

Note If the administrator username that you specify does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates.

–Password—The password for the administrator account that you specified in the Admin DN box. The LDAP server determines case sensitivity.

Configuring a Generic LDAP External User Database

Creating a generic LDAP configuration provides ACS information that enables it to pass authentication requests to an LDAP database. This information reflects the way that you have implemented your LDAP database and does not dictate how your LDAP database is configured or functions. For information about your LDAP database, refer to your LDAP documentation.

Note ACS supports authentication of Novell Directory Services (NDS) users by using standard LDAP.

Before You Begin

For information about the options on the LDAP Database Configuration page, see LDAP Configuration Options.

To configure ACS to use the LDAP User Database or to configure LDAP to authenticate Novell NDS Users:

Step 1 In the navigation bar, click External User Databases.

Step 2 Click Database Configuration.

ACS displays a list of all possible external user database types.

Step 3 Click Generic LDAP.

Note The user authenticates against only one LDAP database.

If no LDAP database configuration exists, only the Database Configuration Creation table appears. Otherwise, in addition to the Database Configuration Creation table, the External User Database Configuration table appears.

Step 4 If you are creating a configuration:

a. Click Create New Configuration.

b. Type a name for the new configuration for generic LDAP in the box provided.

c. Click Submit.

ACS lists the new configuration in the External User Database Configuration table.

Step 5 Under External User Database Configuration, select the name of the LDAP database that to configure.

Note If only one LDAP configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6.

Step 6 Click Configure.

Caution If you click Delete, the configuration of the selected LDAP database is deleted.

Step 7 If you do not want ACS to filter LDAP authentication requests by username, under Domain Filtering, select Process all usernames.

Step 8 If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification:

Note For information about domain filtering, see Domain Filtering.

a. Under Domain Filtering, select Only process usernames that are domain qualified.

b. From the Qualified by list, select the applicable type of domain qualification, either Suffix or Prefix. Only one type of domain qualification is supported per LDAP configuration.

For example, if you want this LDAP configuration to authenticate usernames that begin with a specific domain name, select Prefix. If you want this LDAP configuration to authenticate usernames that end with a specific domain name, select Suffix.

c. In the Domain Qualifier box, type the name of the domain for which you this LDAP configuration should authenticate usernames. Include the delimiting character that separates the user ID from the domain name. Ensure that the delimiting character appears in the applicable position: at the end of the domain name if Prefix is selected on the Qualified by list; at the beginning of the domain name if Suffix is selected on the Qualified by list.

Only one domain name is supported per LDAP configuration. You can type up to 512 characters.

d. If you want ACS to remove the domain qualifier before submitting it to the LDAP database, check the Strip domain before submitting username to LDAP server check box.

e. If you want ACS to pass the username to the LDAP database without removing the domain qualifier, clear the Strip domain before submitting username to LDAP server check box.

Step 9 If you want to enable ACS to strip domain qualifiers from usernames before submitting them to an LDAP server:

a. Under Domain Filtering, select Process all usernames after stripping domain name and delimiter.

Note For information about domain filtering, see Domain Filtering.

b. If you want ACS to strip prefixed domain qualifiers, check the Strip starting characters through the last X character check box, and then type the domain-qualifier delimiting character in the X box.

c. If you want ACS to strip suffixed domain qualifiers, check the Strip ending characters from the first X character check box, and then type the domain-qualifier delimiting character in the X box.

Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (*), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the X box contains any of these characters, stripping fails.

Step 10 Under Common LDAP Configuration, in the User Directory Subtree box, type the DN of the tree containing all your users.

If you are authenticating Novell NDS users, set UserDirectorySubtree to o=lab.

Step 11 In the Group Directory Subtree box, type the DN of the subtree containing all your groups.

If you are authenticating Novell NDS users, set GroupDirectorySubtree to o=lab.

Step 12 In the User Object Type box, type the name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation.

Note The default values in the UserObjectType and following fields reflect the default configuration of the Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation.

If you are authenticating Novell NDS users, set the user object type to cn.

Step 13 In the User Object Class box, type the value of the LDAP uid=joesmith,ou=members,ou=administrators,o=cisco attribute that identifies the record as a user. Often, user records have several values for the objectType attribute, some of which are unique to the user, some of which are shared with other object types. Select a value that is not shared.

Step 14 In the GroupObjectType box, type the name of the attribute in the group record that contains the group name.

Step 15 In the GroupObjectClass box, type a value of the LDAP objectType attribute in the group record that identifies the record as a group.

If you are authenticating Novell NDS users, set the GroupObjectClass to groupOfNames.

Step 16 In the GroupAttributeName box, type the name of the attribute of the group record that contains the list of user records who are a member of that group.

Step 17 In the Server Timeout box, type the number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server has failed.

Step 18 To enable failover of LDAP authentication attempts, check the On Timeout Use Secondary check box. For more information about the LDAP failover feature, see LDAP Failover.

Step 19 In the Failback Retry Delay box, type the number of minutes after the primary LDAP server fails to authenticate a user that ACS resumes sending authentication requests to the primary LDAP server first.

Note To specify that ACS should always use the primary LDAP server first, type zero (0) in the Failback Retry Delay box.

Step 20 In the Max. Admin Connection box, enter the number of maximum concurrent connections with LDAP administrator account permissions.

Step 21 For the Primary LDAP Server and Secondary LDAP Server tables:

Note If you did not check the On Timeout Use Secondary check box, you do not need to complete the options in the Secondary LDAP Server table.

a. In the Hostname box, type the name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address.

b. In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication, port 636 is usually used.

c. To specify that ACS should use LDAP version 3 to communicate with your LDAP database, check the LDAP Version check box. If the LDAP Version check box is not checked, ACS uses LDAP version 2.

d. If you want ACS to use SSL to connect to the LDAP server, check the Use secure authentication check box and complete the next three steps. If you do not use SSL, the username and password credentials are normally passed over the network to the LDAP directory in clear text.

e. If you checked the Use Secure authentication check box, perform one of the following procedures:

–Check the Trusted Root CA check box, and in the adjacent drop-down list, select a Trusted Root CA.

–Check the Certificate Database Path check box, and download a cert7.db file.

Note To download a cert7.db certificate database file to ACS now, complete the steps in Downloading a Certificate Database, and then continue with step f. You can download a certificate database later. Until a certificate database is downloaded for the current LDAP server, secure authentication to this LDAP server fails.

f. If you checked the Use Secure authentication check box, perform one of the following procedures:

–Click the Trusted Root CA button, and in the adjacent drop-down list, select a Trusted Root CA.

–Click the Certificate Database Path button, and in the adjacent box, type the path to the Netscape cert7.db file, which contains the certificates for the server to be queried and the trusted CA.

g. The Admin DN box requires the fully qualified (DN) of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree.

In the Admin DN box, type the following information from your LDAP server:
uid=user id,[ou=organizational unit,] 
[ou=next organizational unit]o=organization 
where user id is the username

organizational unit is the last level of the tree

next organizational unit is the next level up the tree.

For example:
uid=joesmith,ou=members,ou=administrators,o=cisco
Tip If you are using Netscape DS as your LDAP software, you can copy this information from the Netscape console.

Example-Novell NDS Server:
uid=admin.ou=Chicago.o=Corporation
You can use anonymous credentials for the administrator username if you configure the Novell NDS server to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches.

If the administrator username that you specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by Novell NDS.

For more information, refer to your specific LDAP database documentation.

h. In the Password box, type the password for the administrator account that is specified in the Admin DN box. The server determines password case sensitivity.

Step 22 Click Submit.

ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management."

Downloading a Certificate Database

Before You Begin

The database must be a Netscape cert7.db certificate database file generated by a Netscape web browser. No other filename is supported. For information about generating a Netscape cert7.db file, refer to Netscape documentation.

Note Downloading a certificate database is a part of the larger process that configures an LDAP external user database. For more information, see Configuring a Generic LDAP External User Database.

To download a certificate database for a primary or a secondary LDAP server:

Step 1 To access the Download Certificate Database page:

a. Open the LDAP Database Configuration page that contains the information for the LDAP server whose certificate database file you want to download.

Note If you are already on the applicable LDAP Database Configuration page, go to Step b.

b. For the LDAP server whose certificate database file you want to download, click Download Certificate Database.

Note ACS lists a primary and secondary LDAP server for each LDAP database configuration. To support secure authentication to both servers, you must download a certificate database file twice, once for the primary LDAP server and once for the secondary LDAP server.

Step 2 In the FTP Server box, enter the IP address or hostname of the FTP server. The FTP Server box accepts a maximum of 512 characters.

Note Providing the hostname requires that DNS is correctly operating on your network.

Step 3 In the Login box, enter a valid username to enable ACS to access the FTP server. The Login box accepts a maximum of 512 characters.

Step 4 In the Password box, enter the password for the username provided in the Login box. The Password box accepts a maximum of 512 characters.

Step 5 In the Directory box, enter the path to the Netscape cert7.db file. The path is relative to the starting directory at login to the FTP server.

For example, if the Netscape cert7.db file is located in objectType and the user provided in the Login box starts its FTP sessions in c:\ACS-files\LDAPcertdb, you then type c:\.

The Directory box accepts a maximum of 512 characters.

Step 6 Click Download.

ACS downloads the Netscape cert7.db file from the FTP server. ACS displays the LDAP Database Configuration page.

LEAP Proxy RADIUS Server Database

For ACS-authenticated users who access your network via Cisco Aironet devices, ACS supports PAP based MAC Exception Handling, LEAP, and EAP-FAST (phase zero and phase two) authentication with a proxy RADIUS server. Other authentication protocols are not supported with LEAP Proxy RADIUS Server databases. This feature is useful if your own RADIUS-based user database can support MS-CHAP but not LEAP/EAP-FAST. ACS manages the LEAP/EAP-FAST protocol handling and forwards just the MS-CHAP authentication to your server.

Note Authentication protocols not supported with LEAP Proxy RADIUS Server databases might be supported by another type of external user database. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7.

ACS uses MS-CHAP Version 1 for LEAP Proxy RADIUS Server authentication. With LEAP Proxy, only the MS-CHAP authentication is proxied to the remote server in a separate RADIUS access request. To manage your proxy RADIUS database, refer to your RADIUS database documentation.

You can use the LEAP proxy RADIUS server authentication to authenticate users against existing Kerberos databases that support MS-CHAP authentication. You can use the LEAP Proxy RADIUS Server database to authenticate users with any third-party RADIUS server that supports MS-CHAP authentication.

Note The third-party RADIUS server must return Microsoft Point-to-Point Encryption (MPPE) keys in the Microsoft RADIUS vendor-specific attribute (VSA) ACS-files\LDAPcertdb. If the third-party RADIUS server does not return the MPPE keys, the authentication fails and is logged in the Failed Attempts log.

ACS supports RADIUS-based group specification for users who are authenticated by LEAP Proxy RADIUS Server databases. The RADIUS-based group specification overrides group mapping. For more information, see RADIUS-Based Group Specification, page 17-8.

ACS supports group mapping for unknown users who are authenticated by LEAP Proxy RADIUS Server databases. Group mapping is only applied to an unknown user if RADIUS-based group specification did not occur. For more information about group mapping of users who are authenticated by a LEAP Proxy RADIUS Server database, see Group Mapping by External User Database, page 17-1.

Configuring a LEAP Proxy RADIUS Server External User Database

You should install and configure your proxy RADIUS server before configuring ACS to authenticate users with it. For information about installing the proxy RADIUS server, refer to the documentation that is included with your RADIUS server.

To configure LEAP proxy RADIUS authentication:

Step 1 In the navigation bar, click External User Databases.

Step 2 Click Database Configuration.

ACS lists all possible external user database types.

Step 3 Click LEAP Proxy RADIUS Server.

If no LEAP Proxy RADIUS Server configuration exists, only the Database Configuration Creation table appears. Otherwise, in addition to the Database Configuration Creation table, the External User Database Configuration table appears.

Step 4 If you are creating a configuration:

a. Click Create New Configuration.

b. Type a name for the new configuration for the LEAP Proxy RADIUS Server in the box provided, or accept the default name in the box.

c. Click Submit.

ACS lists the new configuration in the External User Database Configuration table.

Step 5 Under External User Database Configuration, select the name of the LEAP Proxy RADIUS Server database that you configure.

Note If only one LEAP Proxy RADIUS Server configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6.

Step 6 Click Configure.

Step 7 In the following boxes, type the required information:

•Primary Server Name/IP—IP address of the primary proxy RADIUS server.

•Secondary Server Name/IP—IP address of the secondary proxy RADIUS server.

•Shared Secret—The shared secret of the proxy RADIUS server. This must be identical to the shared secret with which the proxy RADIUS server is configured.

•Authentication Port—The UDP port over which the proxy RADIUS server conducts authentication sessions. If the LEAP Proxy RADIUS server is installed on the same Windows server as ACS, this port should not be the same port that ACS uses for RADIUS authentication. For more information about the ports that ACS uses for RADIUS, see RADIUS, page 1-3.

•Timeout (seconds):—The number of seconds that ACS waits before sending notification to the user that the authentication attempt has timed out.

•Retries—The number of authentication attempts ACS makes before failing over to the secondary proxy RADIUS server.

•Failback Retry Delay (minutes)—The number of minutes after which ACS attempts authentications by using a failed primary proxy RADIUS server.

Note If the primary and the secondary servers fail, ACS alternates between the servers until one responds.

Step 8 Click Submit.

ACS saves the proxy RADIUS token server database configuration that you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management."

Token Server User Databases

ACS supports the use of token servers for the increased security that one-time passwords (OTPs) provide.

This section contains the following topics:

•About Token Servers and ACS

•RADIUS-Enabled Token Servers

About Token Servers and ACS

ACS provides ASCII, PAP, and PEAP (EAP-GTC) authentication by using token servers. Other authentication protocols are not supported with token server databases.

Note Authentication protocols that are not supported with token server databases might be supported by another type of external user database. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7.

Requests from the AAA client are first sent to ACS. If ACS has been configured to authenticate against a token server and finds the username, it forwards the authentication request to the token server. If it does not find the username, ACS checks the database that is configured to authenticate unknown users. If the request for authentication is passed, the appropriate authorizations are forwarded to the AAA client along with the approved authentication. ACS then maintains the accounting information.

ACS acts as a client to the token server. For all token servers, ACS acts as a client by using the RADIUS interface of the token server. For more information about ACS support of token servers with a RADIUS interface, see RADIUS-Enabled Token Servers.

Token Servers and ISDN

ACS supports token caching for ISDN terminal adapters and routers. One inconvenience of using token cards for OTP authentication with ISDN is that each B channel requires its own OTP. Therefore, a user must enter at least 2 OTPs, plus any other login passwords, such as those for Windows networking. If the terminal adapter supports the ability to turn on and off the second B channel, users might have to enter many OTPs each time the second B channel comes into service.

ACS caches the token to help make the OTPs easier for users. Therefore, if a token card is being used to authenticate a user on the first B channel, you can set a specified period during which the second B channel can come into service without requiring the user to enter another OTP. To lessen the risk of unauthorized access to the second B channel, you can limit the time that the second B channel is up. Furthermore, you can configure the second B channel to use the CHAP password that is specified during the first login to further lessen the chance of a security problem. When the first B channel is dropped, the cached token is erased.

RADIUS-Enabled Token Servers

This section describes support for token servers that provide a standard RADIUS interface.

This section contains the following topics:

•About RADIUS-Enabled Token Servers

•Token Server RADIUS Authentication Request and Response Contents

•Configuring a RADIUS Token Server External User Database

About RADIUS-Enabled Token Servers

ACS supports token servers by using the RADIUS server that is built into the token server. Rather than using a vendor-proprietary API, ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables ACS to support any IETF RFC 2865-compliant token server.

You can create multiple instances of RADIUS token servers. For information about configuring ACS to authenticate users with one of these token servers, see Configuring a RADIUS Token Server External User Database.

ACS provides a means for specifying a user group assignment in the RADIUS response from the RADIUS-enabled token server. Group specification always takes precedence over group mapping. For more information, see RADIUS-Based Group Specification, page 17-8.

ACS also supports mapping users who are authenticated by a RADIUS-enabled token server to a single group. Group mapping only occurs if group specification does not occur. For more information, see Group Mapping by External User Database, page 17-1.

Token Server RADIUS Authentication Request and Response Contents

When ACS forwards an authentication request to a RADIUS-enabled token server, the RADIUS authentication request contains the following attributes:

•MS-CHAP-MPPE-Keys (VSA 12) (RADIUS attribute 1)

•User-Name (RADIUS attribute 2)

•User-Password (RADIUS attribute 4)

•NAS-IP-Address (RADIUS attribute 5)

•NAS-Port (RADIUS attribute 32)

ACS expects to receive one of the following three responses:

•access-accept—No attributes are required; however, the response can indicate the ACS group to which the user should be assigned. For more information, see RADIUS-Based Group Specification, page 17-8.

•access-reject—No attributes required.

•access-challenge—Attributes required, per IETF RFC, are:

–NAS-Identifier (RADIUS attribute 24)

–State (RADIUS attribute 18)

Configuring a RADIUS Token Server External User Database

Use this procedure to configure RADIUS Token Server external user databases.

Before You Begin

You should install and configure your RADIUS token server before configuring ACS to authenticate users with it. For information about installing the RADIUS token server, refer to the documentation included with your token server.

To configure ACS to authenticate users with a RADIUS Token Sever:

Step 1 In the navigation bar, click External User Databases.

Step 2 Click Database Configuration.

ACS lists all possible external user database types.

Step 3 Click RADIUS Token Server.

The Database Configuration Creation table appears. If at least one RADIUS token server configuration exists, the External User Database Configuration table also appears.

Step 4 If you are creating a configuration:

a. Click Create New Configuration.

b. Type a name for the new configuration for the RADIUS-enabled token server in the box provided, or accept the default name in the box.

c. Click Submit.

ACS lists the new configuration in the External User Database Configuration table.

Step 5 Under External User Database Configuration, select the name of the RADIUS-enabled token server that you configure.

Note If only one RADIUS-enabled token server configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6.

Step 6 Click Configure.

Step 7 In the RADIUS Configuration table, type the required information in the following boxes:

•Primary Server Name/IP—The hostname or IP address of the primary RADIUS token server. If you provide the hostname, the hostname must be resolvable by DNS.

•Secondary Server Name/IP—The hostname or IP address of the secondary RADIUS token server. If you provide the hostname, the hostname must be resolvable by DNS.

•Shared Secret—The shared secret of the RADIUS server. This must be identical to the shared secret with which the RADIUS token server is configured.

•Authentication Port—The UDP port over which the RADIUS server conducts authentication sessions. If the RADIUS token server is installed on the same Windows server as ACS, this port should not be the same port that ACS uses for RADIUS authentication. For more information about the ports that ACS uses for RADIUS, see RADIUS, page 1-3.

Note For ACS to send RADIUS OTP messages to a RADIUS-enabled token server, you must ensure that gateway devices between the RADIUS-enabled token server and ACS allow communication over the UDP port that is specified in the Authentication Port box.

•Timeout (seconds):—The number of seconds that ACS waits for a response from the RADIUS token server before retrying the authentication request.

•Retries—The number of authentication attempts that ACS makes before failing over to the secondary RADIUS token server.

•Failback Retry Delay (minutes)—The number of minutes that ACS sends authentication requests to the secondary server when the primary server has failed. When this duration elapses, ACS reverts to sending authentication requests to the primary server.

Note If the primary and the secondary servers fail, ACS alternates between the servers until one responds.

Step 8 If you want to support token users who perform a shell login to a TACACS+ AAA client, you must configure the options in the TACACS+ Shell Configuration table. Perform one of the following procedures:

•If you want ACS to present a custom prompt for tokens, select Static (sync and async tokens), and then type in the Prompt box the prompt that ACS will present.

For example, if you type Enter your PassGo token in the Prompt box, users receive an Enter your PassGo token prompt rather than a password prompt.

Note If some tokens that are submitted to this server are synchronous tokens, you must click the Static (sync and async tokens) option.

•If you want ACS to send the token server a password to trigger a challenge, select From Token Server (async tokens only), and then, in the Password box, type the password that ACS will forward to the token server.

For example, if the token server requires the string challengeme in order to evoke a challenge, you should type challengeme in the Password box. Users will receive a username prompt and a challenge prompt.

Tip Most token servers accept a blank password as the trigger to send a challenge prompt.

Note You should only click the From Token Server (async tokens only) option if all tokens that are submitted to this token server are asynchronous tokens.

Step 9 Click Submit.

ACS saves the RADIUS token server database configuration that you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management."

Deleting an External User Database Configuration

If you no longer need a particular external user database configuration, you can delete it from ACS.

To delete an external user database configuration:

Step 1 In the navigation bar, click External User Databases.

Step 2 Click Database Configuration.

ACS lists all possible external user database types.

Step 3 Click the external user database type for which you want to delete a configuration.

The External User Database Configuration table appears.

Step 4 If a list appears in the External User Database Configuration table, select the configuration to delete. Otherwise, proceed to Step 5.

Step 5 Click Delete.

A confirmation dialog box appears.

Step 6 Click OK to confirm that you want to delete the selected external user database configuration.

The external user database configuration that you selected is deleted from ACS.

	User Guide for Cisco Secure ACS Solution Engine 4.0
	User Databases
User Guide for Cisco Secure ACS Solution Engine 4.0 Preface Overview Deployment Considerations Interface Configuration Network Configuration Shared Profile Components User Group Management User Management System Configuration: Basic System Configuration: Advanced System Configuration: Authentication and Certificates Logs and Reports Administrators and Administrative Policy User Databases Posture Validation Network Access Profiles Unknown User Policy User Group Mapping and Specification Troubleshooting TACACS+ Attribute-Value Pairs RADIUS Attributes VPDN Processing RDBMS Synchronization Import Definitions Internal Architecture Index	Download this chapter User Databases Download the complete book User Guide for ACS Solution Engine (full book PDF) (PDF - 6 MB) Feedback Table Of Contents User Databases ACS Internal Database About the ACS Internal Database User Import and Creation About External User Databases Authenticating with External User Databases External User Database Authentication Process Windows User Database Windows User Database Support Authentication with Windows User Databases Trust Relationships Windows Dial-Up Networking Clients Windows Dial-Up Networking Clients with a Domain Field Windows Dial-Up Networking Clients without a Domain Field Usernames and Windows Authentication Username Formats and Windows Authentication Nondomain-Qualified Usernames Domain-Qualified Usernames UPN Usernames EAP and Windows Authentication EAP-TLS Domain Stripping Machine Authentication Machine Access Restrictions Microsoft Windows and Machine Authentication Enabling Machine Authentication User-Changeable Passwords with Windows User Databases Preparing Users for Authenticating with Windows Selecting Remote Agents for Windows Authentication Windows User Database Configuration Options Configuring a Windows External User Database Generic LDAP ACS Authentication Process with a Generic LDAP User Database Multiple LDAP Instances LDAP Organizational Units and Groups Domain Filtering LDAP Failover Successful Previous Authentication with the Primary LDAP Server Unsuccessful Previous Authentication with the Primary LDAP Server LDAP Admin Logon Connection Management Distinguished Name Caching LDAP Configuration Options Configuring a Generic LDAP External User Database Downloading a Certificate Database LEAP Proxy RADIUS Server Database Configuring a LEAP Proxy RADIUS Server External User Database Token Server User Databases About Token Servers and ACS Token Servers and ISDN RADIUS-Enabled Token Servers About RADIUS-Enabled Token Servers Token Server RADIUS Authentication Request and Response Contents Configuring a RADIUS Token Server External User Database Deleting an External User Database Configuration User Databases The Cisco Secure Access Control Server Release 4.0 Solution Engine, hereafter referred to as ACS, authenticates users against one of several possible databases, including its internal database. You can configure ACS to authenticate users with more than one type of database. With this flexibility you can use user account data that is collected in different locations without having to explicitly import the users from each external user database into the ACS internal database. You can also apply different databases to different types of users, depending on the security requirements that are associated with user authorizations on your network. For example, a common configuration is to use a Windows user database for standard network users and a token server for network administrators. Note For information about the Unknown User Policy and group mapping features, see Chapter 16, "Unknown User Policy" and Chapter 17, "User Group Mapping and Specification." This chapter contains the following topics: •ACS Internal Database •About External User Databases •Windows User Database •Generic LDAP •LEAP Proxy RADIUS Server Database •Token Server User Databases •Deleting an External User Database Configuration ACS Internal Database The ACS internal database supports authentication by using: •American Standard Code for Information Interchange (ASCII) •Password Authentication Protocol (PAP) •Challenge Handshake Authentication Protocol (CHAP) •Microsoft-Challenge Handshake Authentication Protocol (MS-CHAP) •AppleTalk Remote Access Protocol (ARAP) •Lightweight and Efficient Application Protocol (LEAP) •Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) •Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) •Protected Extensible Authentication Protocol (PEAP) Extensible Authentication Protocol-Generic Token Card (EAP-GTC) •Protected Extensible Authentication Protocol (PEAP) Extensible Authetication Protocol-Microsoft-Challenge Handshake Authentication Protocol (EAP-MS-CHAPv2) •Extensible Authentication Protocol-Flexible Authentication via Secure Tunnelling (EAP-FAST) (phase zero and phase two) The ACS internal database is crucial for the authorization process. Regardless of whether a user is authenticated by the internal user database or by an external user database, ACS authorizes network services for users based on group membership and specific user settings in the ACS internal database. Thus, all users that ACS authenticates, even those authenticated by an external user database, have an account in the ACS internal database. About the ACS Internal Database For users who are authenticated by using the ACS internal database, ACS stores user passwords in a database which is protected by an administration password and encrypted by using the AES 128 algorithm. For users who are authenticated with external user databases, ACS does not store passwords in the ACS internal database. Unless you have configured ACS to authenticate users with an external user database, ACS uses usernames and passwords in the ACS internal database during authentication. For more information about specifying an external user database for authentication of a user, see Adding a Basic User Account, page 7-3. User Import and Creation Of the four ways to create user accounts in ACS, Relational Database Management System (RDBMS) Synchronization supports importing user accounts from external sources. The four ways are: •ACS web interface—The web interface provides the ability to create user accounts manually, one user at a time. Regardless of how a user account was created, you can edit a user account by using the web interface. For detailed steps, see Adding a Basic User Account, page 7-3. •Unknown User Policy—The Unknown User Policy enables ACS to add users automatically when it finds a user without an account in an external user database. The creation of a user account in ACS occurs only when the user attempts to access the network and is successfully authenticated by an external user database. For more information, see Chapter 16, "Unknown User Policy." If you use the Unknown User Policy, you can also configure group mappings so that each time a user who was added to ACS by the Unknown User Policy is authenticated, the user group assignment is made dynamically. For some external user database types, user group assignment is based on group membership in the external user database. For other database types, all users who were authenticated by a given database are assigned to a single ACS user group. For more information about group mapping, see Chapter 17, "User Group Mapping and Specification." •RDBMS Synchronization—You can use RDBMS Synchronization to create large numbers of user accounts and configure many settings for user accounts. We recommend that you use this feature whenever you need to import users by bulk; however, setting up RDBMS Synchronization for the first time requires several important decisions and time to implement them. For more information, see RDBMS Synchronization, page 9-16. •Database Replication—Database Replication creates user accounts on a secondary ACS by overwriting all existing user accounts on a secondary ACS with the user accounts from the primary ACS. Any user accounts that are unique to a secondary ACS are lost in the replication. For more information, see ACS Internal Database Replication, page 9-1. About External User Databases You can configure ACS to forward authentication of users to one or more external user databases. Support for external user databases means that ACS does not require that you create duplicate user entries in the user database. In organizations in which a substantial user database already exists, ACS can leverage the work already invested in building the database without any additional input. In addition to performing authentication for network access, ACS can perform authentication for TACACS+ enabling privileges by using external user databases. For more information about TACACS+ enable passwords, see Setting TACACS+ Enable Password Options for a User, page 7-23. Note You can only use external user databases to authenticate users and to determine the group to which ACS assigns a user. The ACS internal database provides all authorization services. With few exceptions, ACS cannot retrieve authorization data from external user databases. Exceptions are noted where applicable in the discussions of specific databases in this chapter. For more information about group mapping for unknown users, see Chapter 17, "User Group Mapping and Specification." Users can be authenticated by using the following databases: •Windows User Database (for ACS for Windows or for the ACS Solution Engine remote agent for Windows) •Generic Lightweight Directory Access Protocol (LDAP) •Novell NetWare Directory Services (NDS) (through Generic LDAP support) •LEAP Proxy Remote Access Dial-In User Service (RADIUS) servers •RADIUS-compliant token servers For ACS to interact with an external user database, ACS requires an API for the third-party authentication source. The ACS communicates with the external user database using the API. Authenticating with External User Databases Authenticating users with an external user database requires more than configuring ACS to communicate with an external user database. Performing one of the configuration procedures in this chapter for an external database does not, on its own, instruct ACS to authenticate any users with that database. After you have configured ACS to communicate with an external user database, you can configure ACS to authenticate users with the external user database in one of two ways: •By Specific User Assignment—You can configure ACS to authenticate specific users with an external user database. To do this, the user must exist in the ACS internal database and you must set the Password Authentication list in User Setup to the external user database that ACS should use to authenticate the user. While setting the Password Authentication for every user account is time-consuming, this method of determining which users are authenticated with an external user database is secure because it requires explicit definition of who should authenticate by using the external user database. In addition, the users may be placed in the desired ACS group and thereby receive the applicable access profile. •By Unknown User Policy—You can configure ACS to attempt authentication of users who are not in the ACS internal database by using an external user database. You do not need to define new users in the ACS internal database for this method. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. You can also configure ACS with both of the previous methods; these two methods are not mutually exclusive. External User Database Authentication Process When ACS attempts user authentication with an external user database, it forwards the user credentials to the external user database. The external user database passes or fails the authentication request from ACS. On receiving the response from the external user database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the external user database. Figure 13-1 shows a AAA configuration with an external user database. Figure 13-1 A Simple AAA Scenario The specifics of the method that is used to communicate with the external user database vary with the database type. For LDAP and Novell NDS, ACS uses TCP connections. For Windows user databases, ACS uses the authentication API provided in the Windows operating system. ACS communicates with token servers by using RADIUS. For more information, see the section regarding the database type in which you are interested. Windows User Database You can configure ACS to use a Windows user database to authenticate users. This section contains the following topics: •Windows User Database Support •Authentication with Windows User Databases •Trust Relationships •Windows Dial-Up Networking Clients –Windows Dial-Up Networking Clients with a Domain Field –Windows Dial-Up Networking Clients without a Domain Field •Usernames and Windows Authentication –Username Formats and Windows Authentication –Nondomain-Qualified Usernames –Domain-Qualified Usernames –UPN Usernames •EAP and Windows Authentication –EAP-TLS Domain Stripping –Machine Authentication –Machine Access Restrictions –Microsoft Windows and Machine Authentication –Enabling Machine Authentication •User-Changeable Passwords with Windows User Databases •Preparing Users for Authenticating with Windows •Windows User Database Configuration Options •Configuring a Windows External User Database Windows User Database Support ACS supports the use of Windows external user databases for: •User Authentication— ACS supports ASCII, PAP, MS-CHAP (versions 1 and 2), LEAP, PEAP (EAP-GTC), PEAP (EAP-MS-CHAPv2), and EAP-FAST (phase zero and phase two) authentication with Windows Security Accounts Manager (SAM) database or a Windows Active Directory database. ACS also supports EAP-TLS authentication with a Windows Active Directory database. Windows external databases support no other authentication protocols. Note A different external user database might support authentication protocols that are not supported with Windows external user databases. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7. •Machine Authentication—ACS supports machine authentication with EAP-TLS and PEAP (EAP-MS-CHAPv2). For more information, see EAP and Windows Authentication. •Group Mapping for Unknown Users— ACS supports group mapping for unknown users by requesting group membership information from Windows user databases. For more information about group mapping for users authenticated with a Windows user database, see Group Mapping by Group Set Membership, page 17-3. •Password-Aging— ACS supports password aging for users who are authenticated by a Windows user database. For more information, see User-Changeable Passwords with Windows User Databases. •Dial-in Permissions—ACS supports use of dial-in permissions from Windows user databases. For more information, see Preparing Users for Authenticating with Windows. •Callback Settings—ACS supports use of callback settings from Windows user databases. For information about configuring ACS to use Windows callback settings, see Setting the User Callback Option, page 7-6. Authentication with Windows User Databases ACS forwards user credentials to a Windows database by passing the user credentials to the Windows operating system of the computer that is running the remote agent. The Windows database passes or fails the authentication request from ACS. When receiving the response from the Windows database, the remote agent forwards the response to ACS, and ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the Windows database. ACS grants authorization based on the ACS group to which the user is assigned. While you can determine the group to which a user is assigned information from the Windows database, it is ACS that grants authorization privileges. To further control access by a user, you can configure ACS to also check the setting for granting dial-in permission to the user. This setting is labeled Grant dialin permission to user in Windows NT and Allow access in the Remote Access Permission area in Windows 2000 and Windows 2003. If this feature is disabled for the user, access is denied; even if the username and password are typed correctly. Trust Relationships ACS can take advantage of trust relationships established between Windows domains. If the domain that contains the computer running the Windows remote agent trusts another domain, ACS can authenticate users whose accounts reside in the other domain. ACS can also reference the Grant dialin permission to user setting across trusted domains. Note If the ACS Solution Engine remote agent is running on a member server, rather than a domain controller, taking advantage of trust relationships depends on proper configuration of the remote agent at installation. For more information, see "Configuring for Member Server Authentication" in the Installation and Configuration Guide for Cisco Secure ACS Remote Agents 4.0. ACS can take advantage of indirect trusts for Windows authentication. Consider the example of Windows domains A, B, and C, where the remote agent resides on a server in domain A. Domain A trusts domain B, but no trust relationship is established between domain A and domain C. If domain B trusts domain C, the remote agent in domain A can authenticate users whose accounts reside in domain C, making use of the indirect trust of domain C. For more information on trust relationships, refer to your Microsoft Windows documentation. Windows Dial-Up Networking Clients The dial-up networking clients for Windows NT/2000/2003/XP Professional and Windows 95/98/Millennium Edition (ME)/XP Home enable users to connect to your network remotely; but the fields that are provided differ. Windows Dial-Up Networking Clients with a Domain Field If users dial in to your network by using the dial-up networking client that is provided with Windows NT, Windows 2000, Windows 2003, or Windows XP Professional, three fields appear: •username—Type your username. •password—Type your password. •domain—Type your valid domain name. Note For more information about the implications of completing or leaving the domain box blank, see Nondomain-Qualified Usernames. Windows Dial-Up Networking Clients without a Domain Field If users access your network by using the dial-up networking client that is provided with Windows 95, Windows 98, Windows ME, or Windows XP Home, two fields appear: •username—Type your username. Note You can also prefix your username with the name of the domain in to which you want to log. For more information about the implications of prefixing or not prefixing the domain name before the username, see Nondomain-Qualified Usernames. •password—Type your password. Usernames and Windows Authentication This section contains the following topics: •Username Formats and Windows Authentication •Nondomain-Qualified Usernames •Domain-Qualified Usernames •UPN Usernames Username Formats and Windows Authentication ACS supports Windows authentication for usernames in a variety of formats. When ACS attempts Windows authentication, it first determines the username format and submits the username to Windows in the applicable manner. To implement reliable Windows authentication with ACS, you must understand how ACS determines a username format, how it supports each of these formats, and how the types of support are related. To determine the format of a username that is submitted for Windows authentication, ACS searches the username for the: •At symbol (@) •Backslash (\) Based on the presence and position of these two characters in the username, ACS determines username format by using the following logic: 1. If the username does not contain a backslash (\) and does not contain an at symbol (@), ACS considers the username to be nondomain qualified. For example, the username cyril.yang is nondomain qualified. For more information, see Nondomain-Qualified Usernames. 2. If the username contains a backslash (\) that precedes any at characters, ACS considers the username to be domain qualified. For example, ACS considers the following usernames to be domain qualified: –MAIN\cyril.yang –MAIN\cyril.yang@central-office For more information, see Domain-Qualified Usernames. 3. If the username contains an at symbol (@) that does not follow a backslash (\), ACS considers the username to be in User Principal Name (UPN) format. For example, ACS considers the following usernames to be UPN usernames: –cyril.yang@example.com –cyril.yang@main.example.com –cyril.yang@main –cyril.yang@central-office@example.com –cyril.yang@main\example.com For more information, see UPN Usernames. Nondomain-Qualified Usernames ACS supports Windows authentication of usernames that are not domain qualified, provided the username does not contain an at symbol (@). Users with at symbols (@) in their usernames must submit the username in UPN format or in a domain-qualified format. Examples of nondomain-qualified usernames are cyril.yang and msmith. In Windows environments with multiple domains, authentication results with nondomain-qualified usernames can vary. This variance occurs because Windows, not ACS, determines which domains are used to authenticate a nondomain-qualified username. If Windows does not find the username in its local domain database, it then checks all trusted domains. If the remote agent runs on a member server and the username is not found in trusted domains, Windows also checks its local accounts database. Windows attempts to authenticate a user with the first occurrence of the username that it finds. When Windows authentication for a nondomain-qualified username succeeds, the privileges that are assigned during authentication will be those that are associated with the Windows user account in the first domain with a matching username and password. This condition also illustrates the importance of removing usernames from a domain when the user account is no longer needed. Note If the credentials that the user submits do not match the credentials that are associated with the first matching username that Windows finds, authentication fails. Thus, if different users in different domains share the same exact username, logging in with a nondomain-qualified username can result in inadvertent authentication failure. Use of the Domain List is not required to support Windows authentication, but it can alleviate authentication failures that nondomain-qualified usernames cause. If you have configured the Domain List in the Windows User Database Configuration page of the External User Databases section, ACS submits the username and password to each domain in the list in a domain-qualified format until it successfully authenticates the user. If ACS has tried each domain in the Domain List or if no trusted domains have been configured in the Domain List, ACS stops attempting to authenticate the user and does not grant that user access. Note If your Domain List contains domains and your Windows Security Account Manager (SAM) or Active Directory user databases are configured to lock out users after a number of failed attempts, users can be inadvertently locked out because ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains. Domain-Qualified Usernames The most reliable method of authenticating users against a specific domain is to require users to submit the domains that they should be authenticated against along with their usernames. Authentication of a domain-qualified username is directed to a specific domain; rather than depending on Windows to attempt authentication with the correct domain or on using the Domain List to direct ACS to submit the username repeatedly in a domain-qualified format. Domain-qualified usernames have the following format: DOMAIN\user For example, the domain-qualified username for user Mary Smith (msmith) in Domain10 would be Domain10\msmith. For usernames containing an at symbol (@), such as cyril.yang@central-office, using a domain-qualified username format is required. For example, MAIN\cyril.yang@central-office. If a username containing an at symbol (@) is received in a nondomain-qualified format, ACS perceives it as a username in UPN format. For more information, see UPN Usernames. UPN Usernames ACS supports authentication of usernames in UPN format, such as cyril.yang@example.com or cyril.yang@central-office@example.com. If the authentication protocol is EAP-TLS, by default, ACS submits the username to Windows in UPN format; however, you can configure ACS to strip from the username all characters after and including the last at symbol (@). For more information, see EAP-TLS Domain Stripping. For all other authentication protocols that it can support with Windows databases, ACS submits the username to Windows that is stripped of all characters after and including the last at symbol (@). This behavior allows for usernames that contain an at symbol (@). For example: •If the username received is cyril.yang@example.com, ACS submits to Windows an authentication request containing the username cyril.yang. •If the username received is cyril.yang@central-office@example.com, ACS submits to Windows an authentication request containing the username cyril.yang@central-office. Note ACS cannot tell the difference between a nondomain-qualified username that contains an at symbol (@) and a UPN username; all usernames containing an at symbol (@) that do not follow a backslash (\) are submitted to Windows with the final at symbol (@) and the characters that follow it removed. Users with at symbols (@) in their usernames must submit the username in UPN format or in a domain-qualified format. EAP and Windows Authentication This section contains information about Windows-specific EAP features that you can configure on the Windows User Database Configuration page. This section contains the following topics: •EAP-TLS Domain Stripping •Machine Authentication •Machine Access Restrictions •Microsoft Windows and Machine Authentication •Enabling Machine Authentication EAP-TLS Domain Stripping If you use Windows Active Directory to authenticate users with EAP-TLS, you can use ACS to strip the domain name from the username that is stored in the Subject Alternative Name (SAN) field of the user certificate. Performing domain name stripping can speed EAP-TLS authentication when the domain that must authenticate a user is not the domain represented in the SAN field. For example, a user's SAN field might contain jsmith@corporation.com but jsmith might need to authenticate by using the domain controller for a subdomain named engineering. Stripping @corporation.com from the username eliminates the needless attempt at authenticating jsmith against the corporation.com domain controller. Without stripping the domain name, only after jsmith cannot be found in corporation.com will ACS use the Domain List and find the user in the engineering domain. The additional delay could be several seconds. For more information about the Domain List, see Nondomain-Qualified Usernames. You can enable EAP-TLS domain name stripping on the Windows User Database Configuration page. Note EAP-TLS domain name stripping operates independently of support for UPN-formatted usernames. For information about support for Windows authentication of UPN-formatted usernames, see UPN Usernames. Machine Authentication ACS supports the authentication of computers that are running the Microsoft Windows operating systems that support EAP computer authentication, such as Windows XP with Service Pack 1. Machine authentication, also called computer authentication, allows networks services only for computers known to Active Directory. This feature is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points. When machine authentication is enabled, there are three different types of authentications. When starting a computer, the authentications occur in this order: •Machine authentication—ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services. •User domain authentication—If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. In this case, the user can log in to only the local system. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates. Tip If a computer fails machine authentication and the user has not successfully logged in to the domain by using the computer since the most recent user password change, the cached credentials on the computer will not match the new password. Instead, the cached credentials will match an older password of the user, provided that the user once logged in to the domain successfully from this computer. •User network authentication—ACS authenticates the user, allowing the user to have network connectivity. If the user profile exists, the user database that is specified is used to authenticate the user. While the user database is not required to be the Windows user database, most Microsoft clients can be configured to automatically perform network authentication by using the same credentials used for user domain authentication. This method allows for a single sign-on. Note Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has selected to shutdown or restart the computer; rather than just logging off. ACS supports EAP-TLS and PEAP (EAP-MS-CHAPv2) for machine authentication. You can enable each separately on the Windows User Database Configuration page, which allows a mix of computers that authenticate with EAP-TLS or PEAP (EAP-MS-CHAPv2). Microsoft operating systems that perform machine authentication might limit the user authentication protocol to the same protocol that is used for machine authentication. For more information about Microsoft operating systems and machine authentication, see Microsoft Windows and Machine Authentication. The Unknown User Policy supports machine authentication. Computers that were previously unknown to ACS are handled similarly to users. If the Unknown User Policy is enabled and an Active Directory external user database is included on the Selected Databases list on the Configure Unknown User Policy page, machine authentication succeeds; provided that the machine credentials presented to Active Directory are valid. On a computer that is configured to perform machine authentication, machine authentication occurs when the computer started. Provided that the AAA client sends RADIUS accounting data to ACS, when a computer is started and before a user logs in on that computer, the computer appears on the Logged-In Users List in the Reports and Activity section. Once user authentication begins, the computer no longer appears on the Logged-In Users List. PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is: host/computer.domain where computer is the name of the computer and domain is the domain to which the computer belongs. The domain segment might also include subdomains, if they are used; so that the format may be: host/computer.subdomain.domain The usernames of computers that are authenticated must appear in the ACS internal database. If you enable unknown user processing, ACS adds them automatically once they authenticate successfully. During authentication, the domain name is not used. EAP-TLS-based machine authentication uses EAP-TLS to authenticate the computer that is using a client certificate. The certificate that the computer uses can be one installed automatically when the computer was added to the domain or one that was added to the local machine storage later. As with PEAP-based machine authentication, the computer name must appear in the ACS internal database in the format contained in the computer client certificate and the user profile corresponding to the computer name must be configured to authenticate by using the Windows external user database. If you enable unknown user processing, ACS adds the computer names to the ACS internal database automatically; once they authenticate successfully. It also automatically configures the user profiles that are created to use the external user database in which the user was found. For machine authentication, this will always be the Windows external user database. Machine Access Restrictions You can use the machine access restrictions (MAR) feature as an additional means of controlling authorization for Windows-authenticated EAP-TLS, EAP-FASTv1a, and Microsoft PEAP users, based on machine authentication of the computer used to access the network. When you enable the feature: •For every successful machine authentication, ACS caches the value that was received in the Internet Engineering Task Force (IETF) RADIUS `Calling-Station-Id` `attribute (31)` as evidence of the successful machine authentication. ACS stores each `Calling-Station-Id` attribute value for the number of hours that is specified on the Windows User Database Configuration page before deleting it from the cache. •When a user authenticates with an EAP-TLS, EAP-FASTv1a, or Microsoft PEAP end-user client, ACS searches the cache of `Calling-Station-Id` values from successful machine authentications for the `Calling-Station-Id` value received in the user authentication request. Whether ACS finds the user-authentication `Calling-Station-Id` value in the cache affects how ACS assigns the user requesting authentication to a user group. –Calling-Station-Id value found in the cache—ACS assigns the user to a user group by normal methods, which include manual specification of a group in the user profile, group mapping, or RADIUS-based group specification. For example, if a user logs in with a computer that was successfully authenticated and the user profile indicates that the user is a member of group 137, ACS applies to the user session the authorization that were settings specified in group 137. –Calling-Station-Id value not found in the cache—ACS assigns the user to the user group specified by Group map for successful user authentication without machine authentication list. This can include the <No Access> group. Note User profile settings always override group profile settings. If a user profile grants an authorization that is denied by the group specified in the Group map for successful user authentication without machine authentication list, ACS grants the authorization. The MAR feature supports full EAP-TLS, EAP-FASTv1a, and Microsoft PEAP authentication, as well as resumed sessions for EAP-TLS and Microsoft PEAP and fast reconnections for Microsoft PEAP. The MAR feature has the following limitations and requirements: •Machine authentication must be enabled. •Users must authenticate with EAP-TLS, EAP-FASTv1a, or a Microsoft PEAP client. MAR does not apply to users who are authenticated by other protocols, such as EAP-FAST, LEAP, or MS-CHAP. •The AAA client must send a value in the IETF RADIUS `Calling-Station-Id` `attribute (31)`. •ACS does not replicate the cache of `Calling-Station-Id` attribute values from successful machine authentications. •Users that are authenticated through dial-up will always be treated according to the MAR configuration, since there is no machine authentication when by using dial up. A user will be mapped to a specific group, as defined in the External User Databases > Database Group Mappings > Windows Database settings, when machine authentication occurs. If group mapping is not configured, the user will be mapped to the default group. Setting Up a MAR Exception List You might need to set up a MAR exception list if you need to set up specific users (for example managers and administrators) to have access to the network; regardless of whether they pass machine authentication. This feature allows you to select user groups that would be exempt from the MAR. Before You Begin So that users can immediately authenticate as part of the MAR exception list, you should set up the required number of groups and permissions before changing your Windows database settings. To manage your group settings, see Group TACACS+ Settings, page 6-2 and Listing Users in a User Group, page 6-40. To set up a MAR exception list for selected user groups: Step 1 From the navigation bar, choose External User Databases > Database Configuration > Windows Database. Step 2 Click Configure. Step 3 In the Windows User Database Configuration page, enable the correct machine authentication settings and move the user groups that you want to include in the MAR exemption list to the Selected Groups list. Step 4 Click Submit. The exception list is based on ACS user groups to which the relevant NT groups would map. You can create exceptions for several user groups, and map different authorization permission to each group. Microsoft Windows and Machine Authentication ACS supports machine authentication with Active Directory in Windows 2000 and 2003. To enable machine authentication support in Windows Active Directory you must: 1. Apply Service Pack 4 to the computer that is running Active Directory. 2. Complete the steps in Microsoft Knowledge Base Article 306260: Cannot Modify Dial-In Permissions for Computers That Use Wireless Networking. Client operating systems that support machine authentication are: •Microsoft Windows XP with Service Pack 1 applied. •Microsoft Windows 2000 with: –Service Pack 4 applied. –Patch Q313664 applied (available from Microsoft.com). •Microsoft Windows 2003 The following list describes the essential details of enabling machine authentication on a client computer with a Cisco Aironet 350 wireless adapter. For more information about enabling machine authentication in Microsoft Windows operating systems, please refer to Microsoft documentation. 1. Ensure that the wireless network adapter is installed correctly. For more information, see the documentation that is provided with the wireless network adapter. 2. Ensure that the certification authority (CA) certificate of the CA that issued the ACS server certificate is stored in machine storage on client computers. User storage is not available during machine authentication; therefore, if the CA certificate is in user storage, machine authentication fails. 3. Select the wireless network: –In Windows XP, you can choose Windows Network Connection > Properties > Network Connection Properties. –In Windows 2000, you can manually enter the Service Set Identifier (SSID) of the wireless network. Use the Advanced tab of the properties dialog box for the wireless network adapter. 4. To enable PEAP machine authentication, configure the Authentication tab. In Windows XP, the Authentication tab is available from the properties of the wireless network. In Windows 2000, it is available from the properties of the wireless network connection. To configure the Authentication tab: a. Check the Enable network access control using IEEE 802.1X check box. b. Check the Authenticate as computer when computer information is available check box. c. From the EAP type list, select Protected EAP (PEAP). d. On the Protected EAP Properties dialog box, you can enforce that ACS has a valid server certificate by checking the Validate server certificate check box. If you do check this check box, you must also select the applicable Trusted Root Certification Authorities. e. Also open the PEAP properties dialog box, from the Select Authentication Method list, select Secured password (EAP-MS-CHAP v2). 5. To enable EAP-TLS machine authentication, configure the Authentication tab. In Windows XP, the Authentication tab is available from the properties of the wireless network. In Windows 2000, it is available from the properties of the wireless network connection. a. Check the Enable network access control using IEEE 802.1X check box. b. Check the Authenticate as computer when computer information is available check box. c. From the EAP type list, select Smart Card or other Certificate. d. On the Smart Card or other Certificate Properties dialog box, select the Use a certificate on this computer option. e. Also on the Smart Card or other Certificate Properties dialog box, you can enforce that ACS has a valid server certificate by checking the Validate server certificate check box. If you check this check box, you must also select the applicable Trusted Root Certification Authorities. If you have a Microsoft certification authority server that is configured on the domain controller, you can configure a policy in Active Directory to produce a client certificate automatically when a computer is added to the domain. For more information, see the Microsoft Knowledge Base Article 313407, HOW TO: Create Automatic Certificate Requests with Group Policy in Windows. Enabling Machine Authentication This procedure contains an overview of the detailed procedures required to configure ACS to support machine authentication. Note You must configure end-user client computers and the applicable Active Directory to support machine authentication. This procedure is specific to configuration of ACS only. For information about configuring Microsoft Windows operating systems to support machine authentication, see Microsoft Windows and Machine Authentication. Before You Begin Windows authentication requires that you install at least one ACS Remote Agent for Windows and complete the steps in Adding a Remote Agent, page 4-21. For information about installing the ACS Remote Agent for Windows, see the Installation and Configuration Guide for Cisco Secure ACS Remote Agents 4.0. To enable ACS to perform machine authentication: Step 1 Install a server certificate in ACS. PEAP (EAP-MS-CHAPv2) and EAP-TLS require a server certificate. ACS uses a single certificate to support both protocols. For detailed steps, see Installing an ACS Server Certificate, page 10-25. Note If you have installed a certificate to support EAP-TLS or PEAP user authentication or to support HTTPS protection of remote ACS administration, you do not need to perform this step. A single server certificate will support all certificate-based ACS services and remote administration. Step 2 For EAP-TLS machine authentication, if certificates on end-user clients are issued by a different CA than the CA that issued the server certificate on ACS, you must edit the certification trust list so that CAs that issue end-user client certificates are trusted. If you do not perform this step and the CA of the server certificate is not the same as the CA of an end-user client certificate CA, EAP-TLS will operate normally; but reject the EAP-TLS machine authentication because it does not trust the correct CA. For detailed steps, see Editing the Certificate Trust List, page 10-29. Step 3 Enable the applicable protocols on the Global Authentication Setup page: •To support machine authentication with PEAP, enable the PEAP (EAP-MS-CHAPv2) protocol. •To support machine authentication with EAP-TLS, enable the EAP-TLS protocol. Note If you are using a Network Access Profile (NAP), the same protocols must be enabled in the NAP configuration. You can use ACS to complete this step only after you have successfully completed Step 1. For detailed steps, see Configuring Authentication Options, page 10-19. Step 4 Configure a Windows external user database and enable the applicable types of machine authentication on the Windows User Database Configuration page: •To support machine authentication with PEAP, check the Permit PEAP machine authentication check box. •To support machine authentication with EAP-TLS, check the Permit EAP-TLS machine authentication check box. •To require machine authentication in addition to user authentication, check the Enable machine access restrictions check box. Note If you already have a Windows external user database configured, modify its configuration to enable the applicable machine authentication types. For detailed steps, see Configuring a Windows External User Database. Note Windows authentication requires an ACS Remote Agent for Windows. ACS is ready to perform machine authentication for computers whose names exist in the ACS internal database. Step 5 If you have not already enabled the Unknown User Policy and added the Windows external user database to the Selected Databases list, consider doing so to allow computers that are not known to ACS to authenticate. For detailed steps, see Configuring the Unknown User Policy, page 16-8. Note Enabling the Unknown User Policy to support machine authentication also enables the Unknown User Policy for user authentication. ACS makes no distinction in unknown user support between computers and users. Step 6 If you have users to whom you want to allow access to the network, even if they do not pass machine authentication, you might want to set up a list of user groups that are exempt from the MAR. For detailed steps, see Machine Access Restrictions. ACS is ready to perform machine authentication for computers; regardless of whether the computer names exist in ACS internal database. User-Changeable Passwords with Windows User Databases For network users who are authenticated by a Windows user database, ACS supports user-changeable passwords on password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section. The use of this feature in your network requires that: •Users must be present in the Windows Active Directory or SAM user database. •User accounts in ACS must specify the Windows user database for authentication. •End-user clients must be compatible with MS-CHAP, PEAP (EAP-GTC), PEAP (EAP-MS-CHAPv2), or EAP-FAST. •The AAA client that the end-user clients connect to must support the applicable protocols: –For MS-CHAP password aging, the AAA client must support RADIUS-based MS-CHAP authentication. –For PEAP (EAP-MS-CHAPv2), PEAP (EAP-GTC), and EAP-FAST password aging, the AAA client must support EAP. When the previous conditions are met and this feature is enabled, users receive a dialog box prompting them to change their passwords on their first successful authentication after their passwords have expired. The dialog box is the same as Windows presents to users when a user with an expired password accesses a network via a remote-access server. For more information about password aging support in ACS, see Enabling Password Aging for Users in Windows Databases, page 6-19. Preparing Users for Authenticating with Windows Before using the Windows user database for authentication: Step 1 Ensure that the username exists in the Windows user database. Step 2 In Windows, for each user account, clear the following User Properties check boxes: •User must change password at next logon •Account disabled Step 3 If you want to control dial-in access from within Windows NT, click Dial-in and select Grant dialin permission to user. In Windows 2000 and Windows 2003, access the User Properties dialog box, select the Dial-In tab, and in the Remote Access area, click Allow access. You must also configure the option to reference this feature under Database Group Mappings in the External User Databases section of ACS. Selecting Remote Agents for Windows Authentication Before you can configure ACS to authenticate users with a Windows external user database, you must select a primary remote agent that is to deliver authentication requests to the Windows operating system. You may also select a secondary remote agent for ACS to use if the primary remote agent is unavailable. Before You Begin To complete this procedure, you must have installed at least one ACS Remote Agent for Windows and completed the steps in Adding a Remote Agent, page 4-21. To select remote agents for Windows authentication: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS displays a list of all possible external user database types. Step 3 Click Windows Database. ACS displays the External User Database Configuration page. Step 4 Click Configure. ACS displays the Windows Remote Agent Selection lists. Step 5 From the Primary list, select the remote agent that ACS should always use to authenticate users, provided that the remote agent is available. Step 6 From the Secondary list, select the remote agent that ACS should use to authenticate users when the remote agent selected in the Primary list is unavailable. Note If you do not want to use a secondary remote agent, from the Secondary list, choose None. Step 7 Click Submit. ACS saves the remote agent selections that you made. The Windows User Database Configuration page appears. Windows User Database Configuration Options The Windows User Database Configuration page contains: •Dialin Permission—You can restrict network access to users whose Windows accounts have Windows dial-in permission. The Grant dialin permission to user check box controls this feature. Note This feature applies to all users when ACS authenticates with a Windows external user database; despite the name of the feature, it is not limited to users who access the network with a dial-up client but is applied regardless of client type. For example, if you have configured a PIX Firewall to authenticate Telnet sessions by using ACS as a RADIUS server, a user authenticated by a Windows external user database would be denied Telnet access to the PIX Firewall if the Dialin Permission feature is enabled and the Windows user account does not have dial-in permission. Tip Windows dial-in permission is enabled in the Dialin section of user properties in Windows NT and on the Dial-In tab of the user properties in Windows 2000 and Windows 2003. •Windows Callback—You should enable this setting if you have Windows users that require dial-up access with callback and the User Setup or Group Setup callback setting is configured for Windows Database Callback. If dial-in access with callback is not required or is not configured for Windows Database Callback, then do not enable this setting. Note If you disable the Windows Callback option, be certain to disable the callback options in the User Setup or Group Setup callback settings. If the settings contain inconsistencies, the client will not receive the callback number. •Unknown User Policy—If the unknown user policy contains additional external databases and the Windows database is not the last database on the Selected Databases list, you might enable this option. For example, If a user does not exist in the Windows database, or has typed an incorrect password, the error `1326(bad username or password)` is returned. ACS treats this error as a `wrong password` error and does not default to another external database. You should enable this option when additional external databases appear after the Windows database in the Selected Databases list. When enabled, ACS searches for the unknown user in the other external databases. •Configure Domain List—Use this option only when all the following occur: –You are using PAP or MSCHAP. –Usernames are not domain-prefixed. –Duplicate usernames exist; for example, administrator. When usernames are not domain-prefixed, and the same username occurs multiple times across the entire network, if no domains are in the Domain List, Windows can try to authenticate the wrong credentials. When Windows rejects the initial user-authentication request, ACS stops attempting to authenticate the user. For more information, see Nondomain-Qualified Usernames. If domains are in the Domain List, ACS qualifies the username with a domain from the list and submits the domain-qualified username to Windows, once for each domain in the Domain List, until each domain has rejected the user or until one of the domains authenticates the user. In all other cases, leave the Domain List empty as it might cause performance problems if you use it when you do not need to. Also, each time ACS uses the Domain List and checks the wrong account, Windows counts that as a failed login for that user, which can cause an account lockout. •MS-CHAP Settings—You can control whether ACS supports MS-CHAP-based password changes for Windows user accounts. You can use the Permit password changes by checking the MS-CHAP version N check boxes to specify which versions of MS-CHAP ACS supports. Note The check boxes under MS-CHAP Settings do no affect password aging for Microsoft PEAP, EAP-FAST, or machine authentication. For more information about Windows password changes, see Enabling Password Aging for Users in Windows Databases, page 6-19. •Windows EAP Settings: –Enable password change inside PEAP or EAP-FAST—The Permit password change inside PEAP or EAP-FAST check box controls whether ACS supports PEAP-based or EAP-FAST-based password changes for Windows user accounts. PEAP password changes are supported only when the end-user client uses PEAP (EAP-MS-CHAPv2) for user authentication. For EAP-FAST, ACS supports password changes in phase zero and phase two. –EAP-TLS Strip Domain Name—The EAP-TLS Strip Domain Name check box controls whether ACS removes the domain name from a username that is derived from the Subject Alternative Name (SAN) field in an end-user certificate. Performing domain name stripping can speed EAP-TLS authentication when the domain that must authenticate a user is not the domain that is represented in the SAN field. For example, a user's SAN field might contain jsmith@corporation.com but jsmith might need to authenticate by using the domain controller for a subdomain named engineering. Stripping @corporation.com from the username eliminates the needless attempt at authenticating jsmith against the corporation.com domain controller. Without stripping the domain name, only after jsmith cannot be found in corporation.com will ACS use the Domain List and find the user in the engineering domain. The additional delay could last several seconds. –Enable PEAP machine authentication—This check box controls whether ACS performs machine authentication by using a machine name and password with PEAP (EAP-MS-CHAPv2). For more information about machine authentication, see Machine Authentication. –Enable EAP-TLS machine authentication—This check box controls whether ACS performs machine authentication by using a machine name and password with EAP-TLS. For more information about machine authentication, see Machine Authentication. –EAP-TLS and PEAP machine authentication name prefix—This box defines the string of characters that ACS adds to the beginning of any machine name being authenticated. By default, the end-user client prefixes machine names with host/. If the PEAP machine authentication name prefix box contains any text, ACS prefixes the machine name with this text instead. Note If you configure the EAP-TLS and PEAP machine authentication name prefix box with a string other than host/, authentication might fail. –Enable machine access restrictions—If you enable PEAP or EAP-TLS machine authentication, the Enable machine access restrictions check box controls whether ACS restricts network access of users who access the network with a computer that fails machine authentication. For more information about the MAR feature, see Machine Access Restrictions. Note Ensure that you have enabled the types of machine authentication that your Windows computers are configured to use: PEAP machine authentication or EAP-TLS authentication, or both. If the MAR feature is enabled but ACS does not perform machine authentication for a computer, EAP-TLS and Microsoft PEAP users who access the network with that computer will be assigned to the group that is specified in the Group map for successful user authentication without machine authentication list. Tip To enable machine access restrictions, you must specify a number greater than zero (0) in the Aging time (hours) box. –Aging time (hours)—This box specifies the number of hours that ACS caches IETF RADIUS `Calling-Station-Id` attribute values from successful machine authentications, for use with the MAR feature. The default value is 12 hours, which means that ACS does not cache `Calling-Station-Id` values. Note If you do not change the value of the Aging time (hours) box to something other than zero (0), all EAP-TLS and Microsoft PEAP users whose computers perform machine authentication are assigned to the group that is specified in the Group map for successful user authentication without machine authentication list. Tip To clear the cache of `Calling-Station-Id` values, type zero (0) in the Aging time (hours) box and click Submit. –Group map for successful user authentication without machine authentication—This list specifies the group profile that ACS applies to a user who accesses the network from a computer that has not passed machine authentication for longer than the number of hours specified in the Aging time (hours) box. To deny such users any access to the network, select <No Access> (which is the default setting). Note User profile settings always override group profile settings. If a user profile grants an authorization that is denied by the group that is specified in the Group map for successful user authentication without machine authentication list, ACS grants the authorization. –User Groups that are exempt from passing machine authentication— The Selected User Group list controls what ACS does when machine authentication is not successfully completed. If the Selected User Group list contains no groups and Windows rejects the initial machine authentication, ACS stops attempting to authenticate the user. If the Selected User Group list contains groups, ACS will provide authentication and the privileges within that group to the user; even though their computers are unknown to Active Directory. Note Configuring the User Group list is optional. For more information about the user group management, see User Group Management, page 6-1. Caution If your User Group list contains groups and you configure your Windows SAM or Active Directory user databases to lock out users after a number of failed attempts, users can be inadvertently locked out. You should ensure that your group settings are configured properly. •Available User Groups—This list represents the user groups for which ACS requires machine authentication. •Selected User Groups—This list represents the user groups for which ACS do not require machine authentication to gain entry into the network. Configuring a Windows External User Database Before You Begin To complete this procedure, you must have completed the steps in Selecting Remote Agents for Windows Authentication. For information about the options that are available on the Windows User Database Configuration page, see Windows User Database Configuration Options. To configure ACS to authenticate users against the Windows user database in the trusted domains of your network: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS displays a list of all possible external user database types. Step 3 Click Windows Database. If no Windows database configuration exists, the Database Configuration Creation table appears. Otherwise, the External User Database Configuration page appears. Step 4 Click Configure. The Windows User Database Configuration page appears. Step 5 As needed, configure the options in: •Dialin Permission •Windows Callback •Unknown User Policy •Domain List •MS-CHAP Settings •Windows EAP Settings For information about the options on the Windows User Database Configuration page, see Windows User Database Configuration Options. Note All the settings on the Windows User Database Configuration page are optional and need not be enabled; unless you want to permit and configure the specific features that they support. Step 6 Click Submit. ACS saves the Windows user database configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management." Generic LDAP ACS supports ASCII, PAP, EAP-TLS, PEAP (EAP-GTC), and EAP-FAST (phase two only) authentication via generic Lightweight Directory Access Protocol (LDAP) databases, such as the SunOne Directory Server. Other authentication protocols are not supported with LDAP external user databases. Note Another type of external user database might support authentication protocols that are not supported with LDAP databases. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7. ACS supports group mapping for unknown users by requesting group membership information from LDAP user databases. For more information about group mapping for users who are authenticated with an LDAP user database, see Group Mapping by Group Set Membership, page 17-3. Configuring ACS to authenticate against an LDAP database has no effect on the configuration of the LDAP database. To manage your LDAP database, see your LDAP database documentation. This section contains the following topics: •ACS Authentication Process with a Generic LDAP User Database •Multiple LDAP Instances •LDAP Organizational Units and Groups •Domain Filtering •LDAP Failover •LDAP Admin Logon Connection Management •Distinguished Name Caching •LDAP Configuration Options •Configuring a Generic LDAP External User Database •Downloading a Certificate Database ACS Authentication Process with a Generic LDAP User Database ACS forwards the username and password to an LDAP database by using a Transmission Control Protocol (TCP) connection on a port that you specify. The LDAP database passes or fails the authentication request from ACS. When receiving the response from the LDAP database, ACS instructs the requesting AAA client to grant or deny the user access, depending on the response from the LDAP server. ACS grants authorization based on the ACS group to which the user is assigned. While the group to which a user is assigned can be determined by information from the LDAP server, ACS grants authorization privileges. Multiple LDAP Instances You can create more than one LDAP configuration in ACS. By creating more than one LDAP configuration with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server. Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ACS LDAP configuration instance. ACS does not require that each LDAP instance corresponds to a unique LDAP database. You can have more than one LDAP configuration set to access the same database. This method is useful when your LDAP database contains more than one subtree for users or groups. Because each LDAP configuration supports only one subtree directory for users and one subtree directory for groups, you must configure separate LDAP instances for each user directory subtree and group directory subtree combination for which ACS should submit authentication requests. For each LDAP instance, you can add it to or omit it from the Unknown User Policy. For more information, see About Unknown User Authentication, page 16-3. For each LDAP instance, you can establish unique group mapping. For more information, see Group Mapping by Group Set Membership, page 17-3. Multiple LDAP instances are also important when you use domain filtering. For more information, see Domain Filtering. LDAP Organizational Units and Groups LDAP groups do not need the same name as their corresponding ACS groups. You can map the LDAP group to an ACS group with any name that you want to assign. For more information about how your LDAP database handles group membership, see your LDAP database documentation. For more information on LDAP group mappings and ACS, see Chapter 17, "User Group Mapping and Specification." Domain Filtering Using domain filtering, you can control which LDAP instance is authenticates a user based on domain-qualified usernames. Domain filtering is based on parsing the characters at the beginning or end of a username that is submitted for authentication. Domain filtering provides you with greater control over the LDAP instance to which ACS submits any given user authentication request. You can also control whether usernames are submitted to an LDAP server with their domain qualifiers intact. For example, when EAP-TLS authentication a Windows XP client initiates, ACS receives the username in `username@domainname` format. When PEAP authentication is initiated by a Cisco Aironet end-user client, ACS receives the username without a domain qualifier. If both clients are to be authenticated with an LDAP database that stores usernames without domain qualifiers, ACS can strip the domain qualifier. If separate user accounts are maintained in the LDAP database—domain-qualified and nondomain-qualified user accounts—ACS can pass usernames to the LDAP database without domain filtering. If you choose to make use of domain filtering, each LDAP configuration that you create in ACS can perform domain filtering: •Limiting users to one domain—Per each LDAP configuration in ACS, you can require that ACS only attempts to authenticate usernames that are qualified with a specific domain name. This corresponds to the Only process usernames that are domain qualified option on the LDAP Configuration page. For more information about this option, see LDAP Configuration Options. With this option, each LDAP configuration is limited to one domain and to one type of domain qualification. You can specify whether ACS strips the domain qualification before submitting the username to an LDAP server. If the LDAP server stores usernames in a domain-qualified format, you should not configure ACS to strip domain qualifiers. Limiting users to one domain is useful when the LDAP server stores usernames differently per domain: by user context or how the username is stored in ACS—domain qualified or nondomain qualified. The end-user client or AAA client must submit the username to ACS in a domain-qualified format; otherwise ACS cannot determine the user's domain and does not attempt to authenticate the user with the LDAP configuration that uses this form of domain filtering. •Allowing any domain but stripping domain qualifiers—Per each LDAP configuration in ACS, you can configure ACS to attempt to strip domain qualifiers based on common domain-qualifier delimiting characters. This method corresponds to the Process all usernames after stripping domain name and delimiter option on the LDAP Configuration page. For more information about this option, see LDAP Configuration Options. ACS supports prefixed and suffixed domain qualifiers. A single LDAP configuration can attempt to strip both prefixed and suffixed domain qualifiers; however, you can only specify one delimiting character each for prefixed and suffixed domain qualifiers. To support more than one type of domain-qualifier delimiting character, you can create more than one LDAP configuration in ACS. Allowing usernames of any domain but stripping domain qualifiers is useful when the LDAP server stores usernames in a nondomain-qualified format but the AAA client or end-user client submits the username to ACS in a domain-qualified format. Note With this option, ACS submits usernames that are nondomain qualified, too. Usernames are not required to be domain qualified to be submitted to an LDAP server. LDAP Failover ACS supports failover between a primary LDAP server and secondary LDAP server. In the context of LDAP authentication with ACS, failover applies when an authentication request fails because ACS could not connect to an LDAP server, such as when the server is down or is otherwise unreachable by ACS. To use this feature, you must define the primary and secondary LDAP servers on the LDAP Database Configuration page. Also, you must check the On Timeout Use Secondary check box. For more information about configuring an LDAP external user database, see Configuring a Generic LDAP External User Database. If you check the On Timeout Use Secondary check box, and if the first LDAP server that ACS attempts to contact cannot be reached, ACS always attempts to contact the other LDAP server. The first server ACS attempts to contact might not always be the primary LDAP server. Instead, the first LDAP server that ACS attempts to contact depends on the previous LDAP authentications attempt and on the value that you enter in the Failback Retry Delay box. Successful Previous Authentication with the Primary LDAP Server If, on the previous LDAP authentication attempt, ACS successfully connected to the primary LDAP server, ACS attempts to connect to the primary LDAP server. If ACS cannot connect to the primary LDAP server, ACS attempts to connect to the secondary LDAP server. If ACS cannot connect with LDAP server, ACS stops attempting LDAP authentication for the user. If the user is an unknown user, ACS tries the next external user database in the Unknown User Policy list. For more information about the Unknown User Policy list, see About Unknown User Authentication, page 16-3. Unsuccessful Previous Authentication with the Primary LDAP Server If, on the previous LDAP authentication attempt, ACS could not connect to the primary LDAP server, whether ACS first attempts to connect to the primary server or secondary LDAP server for the current authentication attempt depends on the value in the Failback Retry Delay box. If the Failback Retry Delay box is set to zero (0), ACS always attempts to connect to the primary LDAP server first. And if ACS cannot connect to the primary LDAP server, ACS then attempts to connect to the secondary LDAP server. If the Failback Retry Delay box is set to a number other than zero (0), ACS determines how many minutes have passed since the last authentication attempt by using the primary LDAP server. If more minutes have passed than the value in the Failback Retry Delay box, ACS attempts to connect to the primary LDAP server first. And if ACS cannot connect to the primary LDAP server, ACS then attempts to connect to the secondary LDAP server. If fewer minutes have passed than the value in the Failback Retry Delay box, ACS attempts to connect to the secondary LDAP server first. And if ACS cannot connect to the secondary LDAP server, ACS then attempts to connect to the primary LDAP server. If ACS cannot connect to either LDAP server, ACS stops attempting LDAP authentication for the user. If the user is an unknown user, ACS tries the next external user database in the Unknown User Policy list. For more information about the Unknown User Policy list, see About Unknown User Authentication, page 16-3. LDAP Admin Logon Connection Management When ACS checks authentication and authorization of a user on an LDAP server, it uses a connection with the LDAP administrator account permissions. It uses the connection to search for the user and user groups on the Directory subtree. ACS retains the administrator connections that are open for successive use and additional administrator binds are not required for each authentication request. You can limit the maximum number of concurrent administrator connections per Generic LDAP External DB configuration (primary and secondary). Distinguished Name Caching Searching can be an expensive LDAP operation, which introduces an element of unpredictability into the authentication. ACS takes the username that the authentication process supplies, and asks the LDAP server to search a full subtree of unknown depth, over an unknown user population. After successful authentication ACS caches the Distinguished Name (DN) that the search returns. Reauthentications can then use the cached DN to perform an immediate lookup of the user. A cached DN cannot appear on a screen. If a bind to a cached DN fails, ACS falls back to a full search of the data base for authenticating a user. LDAP Configuration Options The LDAP Database Configuration page contains many options, presented in three tables: •Domain Filtering—This table contains options for domain filtering. The settings in this table affect all LDAP authentication that is performed by using this configuration; regardless of whether the primary or secondary LDAP server handles the authentication. For more information about domain filtering, see Domain Filtering This table contains: –Process all usernames—When you select this option, ACS does not perform domain filtering on usernames before submitting them to the LDAP server for authentication. –Only process usernames that are domain qualified—When you select this option, ACS only attempts authentication for usernames that are domain-qualified for a single domain. You must specify the type of domain qualifier and the domain in the Qualified by and Domain options. ACS only submits usernames that are qualified in the method that you specify in the Qualified by option and that are qualified with the username that is specified in the Domain Qualifier box. You can also specify whether ACS removes the domain qualifier from usernames before submitting them to an LDAP server. –Qualified by—When you select Only process usernames that are domain qualified, this option specifies the type of domain qualification. If you select Prefix, ACS only processes usernames that begin with the characters that you specify in the Domain Qualifier box. If you select Suffix, ACS only processes usernames that end in the characters that you specify in the Domain Qualifier box. Note Regardless of the domain qualifier type that is selected, the domain name must match the domain that is specified in the Domain Qualifier box. –Domain Qualifier—When Only process usernames that are domain qualified is selected, this option specifies the domain name and delimiting character that must qualify usernames so ACS can submit the username to an LDAP server. The Domain box accepts up to 512 characters; however, only one domain name and its delimiting character are permitted. For example, if the domain name is mydomain, the delimiting character is the at symbol (@), and Suffix is selected on the Qualified by list, the Domain box should contain @mydomain. If the domain name is yourdomain, the delimiting character is the backslash (\), and Prefix is selected on the Qualified by list, the Domain Qualifier box should contain yourdomain\. –Strip domain before submitting username to LDAP server—When you select Only process usernames that are domain qualified, this option specifies whether ACS removes the domain qualifier and its delimiting character before submitting a username to an LDAP server. For example, if the username is jwiedman@domain.com, the stripped username is jwiedman. –Process all usernames after stripping domain name and delimiter—When this option is selected, ACS submits all usernames to an LDAP server after attempting to strip domain names. Usernames that are not domain qualified are processed, too. Domain name stripping occurs as specified by the following two options: –Strip starting characters through the last X character—When you select Process all usernames after stripping domain name and delimiter, this option specifies that ACS attempts to strip a prefixed domain qualifier. If, in the username, ACS finds the delimiter character that is specified in the X box, it strips all characters from the beginning of the username through the delimiter character. If the username contains more than one of the characters that are specified in the X box, ACS strips characters through the last occurrence of the delimiter character. For example, if the delimiter character is the backslash (\) and the username is DOMAIN\echamberlain, ACS submits echamberlain to an LDAP server. Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the X box contains any of these characters, stripping fails. –Strip ending characters through the first* Y character—When you select Process all usernames after stripping domain name and delimiter, this option specifies that ACS attempts to strip a suffixed domain qualifier. If, in the username, ACS finds the delimiter character that is specified in the Y box, it strips all characters from the delimiter character through the end of the username. If the username contains more than one of the character specified in the Y box, ACS strips characters starting with the first occurrence of the delimiter character. For example, if the delimiter character is the at symbol (@) and the username is jwiedman@domain, then ACS submits jwiedman to an LDAP server. Note The Y box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the Y box contains any of these characters, stripping fails. •Common LDAP Configuration—This table contains options that apply to all LDAP authentication that is performed by using this configuration. ACS uses the settings in this section; regardless of whether the primary or secondary LDAP server handles the authentication. •This table contains: –User Directory Subtree—The distinguished name (DN) for the subtree that contains all users. For example: ou=organizational unit[,ou=next organizational unit]o=corporation.com If the tree containing users is the base DN, type: o=corporation.com or dc=corporation,dc=com as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation. –Group Directory Subtree—The DN for the subtree that contains all groups. For example: ou=organizational unit[,ou=next organizational unit]o=corporation.com If the tree containing groups is the base DN, type: o=corporation.com or dc=corporation,dc=com as applicable to your LDAP configuration. For more information, refer to your LDAP database documentation. –UserObjectType—The name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. ACS contains default values that reflect the default configuration of a Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation. –UserObjectClass—The value of the LDAP `objectType` attribute that identifies the record as a user. Often, user records have several values for the `objectType` attribute, some of which are unique to the user, some of which are shared with other object types. This box should contain a value that is not shared. –GroupObjectType—The name of the attribute in the group record that contains the group name. –GroupObjectClass—A value of the LDAP `objectType` attribute in the group record that identifies the record as a group. –Group Attribute Name—The name of the attribute of the group record that contains the list of user records that are a member of that group. –Server Timeout—The number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server has failed. –On Timeout Use Secondary—Whether ACS performs failover of LDAP authentication attempts. For more information about the LDAP failover feature, see LDAP Failover. –Failback Retry Delay—The number of minutes after the primary LDAP server fails to authenticate a user that ACS resumes sending authentication requests to the primary LDAP server first. A value of zero (0) causes ACS to always use the primary LDAP server first. –Max. Admin Connections—The maximum number of concurrent connections (greater than zero (0)) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the Directory for users and groups under the User Directory Subtree and Group Directory Subtree. •Primary and Secondary LDAP Servers—You can use the Primary LDAP Server table and the Secondary LDAP Server table to identify the LDAP servers and make settings that are unique to each. You do not need to complete the Secondary LDAP Server table if you do not intend to use LDAP failover. These tables contain: –Hostname—The name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address. –Port—The TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication, port 636 is usually used. –LDAP Version—Whether ACS uses LDAP version 3 or version 2 to communicate with your LDAP database. If you check this check box, ACS uses LDAP version 3. If it is not checked, ACS uses LDAP version 2. –Security—Whether ACS uses SSL to encrypt communication between ACS and the LDAP server. If you do not enable SSL, user credentials are passed to the LDAP server in clear text. If you select this option, then you must select Trusted Root CA* or Certificate Database Path. ACS supports only server-side authentication for SSL communication with the LDAP server. You must be sure the Port box contains the port number used for SSL on the LDAP server. –Trusted Root CA — LDAP over SSL includes the option to authenticate by using the certificate database files other than the Netscape cert7.db file. This option uses the same mechanism as other SSL installations in the ACS environment. Select the certification authority that issued the server certificate that is installed on the LDAP server. –Certificate DB Path—This option provides a link to the Download Certificate Database page. ACS displays information about whether the Netscape cert7.db certificate database file has been downloaded to support secure communication to the LDAP server that you specified. For information about the Download Certificate Database page, see Downloading a Certificate Database. To perform secure authentication by using SSL with this option, you must provide a Netscape cert7.db certificate database file. ACS requires a certificate database so that it can establish the SSL connection. Since the certificate database must be local to the ACS Solution Engine, you must use FTP to transfer the certificate database to ACS. ACS requires a Netscape cert7.db certificate database file for each LDAP server that you configure. For example, to support users distributed in multiple LDAP trees, you might configure two LDAP instances in ACS that can communicate with the same LDAP servers. Each LDAP instance then has a primary and a secondary LDAP server. Even though the two LDAP configurations share the same primary server, each LDAP configuration requires that you download a certificate database file to ACS. Note The database must be a Netscape cert7.db certificate database file. No other filename is supported. –Admin DN—The DN of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree. It must contain the following information about your LDAP server: uid=user id,[ou=organizational unit,][ou=next organizational unit]o=organization where user id is the username, organizational unit is the last level of the tree, and next organizational unit is the next level up the tree. For example: `uid=joesmith,ou=members,ou=administrators,o=cisco` You can use anonymous credentials for the administrator username if the LDAP server is configured to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches. Note If the administrator username that you specify does not have permission to see the group name attribute in searches, group mapping fails for users that LDAP authenticates. –Password—The password for the administrator account that you specified in the Admin DN box. The LDAP server determines case sensitivity. Configuring a Generic LDAP External User Database Creating a generic LDAP configuration provides ACS information that enables it to pass authentication requests to an LDAP database. This information reflects the way that you have implemented your LDAP database and does not dictate how your LDAP database is configured or functions. For information about your LDAP database, refer to your LDAP documentation. Note ACS supports authentication of Novell Directory Services (NDS) users by using standard LDAP. Before You Begin For information about the options on the LDAP Database Configuration page, see LDAP Configuration Options. To configure ACS to use the LDAP User Database or to configure LDAP to authenticate Novell NDS Users: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS displays a list of all possible external user database types. Step 3 Click Generic LDAP. Note The user authenticates against only one LDAP database. If no LDAP database configuration exists, only the Database Configuration Creation table appears. Otherwise, in addition to the Database Configuration Creation table, the External User Database Configuration table appears. Step 4 If you are creating a configuration: a. Click Create New Configuration. b. Type a name for the new configuration for generic LDAP in the box provided. c. Click Submit. ACS lists the new configuration in the External User Database Configuration table. Step 5 Under External User Database Configuration, select the name of the LDAP database that to configure. Note If only one LDAP configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6. Step 6 Click Configure. Caution If you click Delete, the configuration of the selected LDAP database is deleted. Step 7 If you do not want ACS to filter LDAP authentication requests by username, under Domain Filtering, select Process all usernames. Step 8 If you want to limit authentications processed by this LDAP configuration to usernames with a specific domain qualification: Note For information about domain filtering, see Domain Filtering. a. Under Domain Filtering, select Only process usernames that are domain qualified. b. From the Qualified by list, select the applicable type of domain qualification, either Suffix or Prefix. Only one type of domain qualification is supported per LDAP configuration. For example, if you want this LDAP configuration to authenticate usernames that begin with a specific domain name, select Prefix. If you want this LDAP configuration to authenticate usernames that end with a specific domain name, select Suffix. c. In the Domain Qualifier box, type the name of the domain for which you this LDAP configuration should authenticate usernames. Include the delimiting character that separates the user ID from the domain name. Ensure that the delimiting character appears in the applicable position: at the end of the domain name if Prefix is selected on the Qualified by list; at the beginning of the domain name if Suffix is selected on the Qualified by list. Only one domain name is supported per LDAP configuration. You can type up to 512 characters. d. If you want ACS to remove the domain qualifier before submitting it to the LDAP database, check the Strip domain before submitting username to LDAP server check box. e. If you want ACS to pass the username to the LDAP database without removing the domain qualifier, clear the Strip domain before submitting username to LDAP server check box. Step 9 If you want to enable ACS to strip domain qualifiers from usernames before submitting them to an LDAP server: a. Under Domain Filtering, select Process all usernames after stripping domain name and delimiter. Note For information about domain filtering, see Domain Filtering. b. If you want ACS to strip prefixed domain qualifiers, check the Strip starting characters through the last X character check box, and then type the domain-qualifier delimiting character in the X box. c. If you want ACS to strip suffixed domain qualifiers, check the Strip ending characters from the first X character check box, and then type the domain-qualifier delimiting character in the X box. Note The X box cannot contain the following special characters: the pound sign (#), the question mark (?), the quote ("), the asterisk (), the right angle bracket (>), and the left angle bracket (<). ACS does not allow these characters in usernames. If the X box contains any of these characters, stripping fails. Step 10* Under Common LDAP Configuration, in the User Directory Subtree box, type the DN of the tree containing all your users. If you are authenticating Novell NDS users, set UserDirectorySubtree to o=lab. Step 11 In the Group Directory Subtree box, type the DN of the subtree containing all your groups. If you are authenticating Novell NDS users, set GroupDirectorySubtree to o=lab. Step 12 In the User Object Type box, type the name of the attribute in the user record that contains the username. You can obtain this attribute name from your Directory Server. For more information, refer to your LDAP database documentation. Note The default values in the UserObjectType and following fields reflect the default configuration of the Netscape Directory Server. Confirm all values for these fields with your LDAP server configuration and documentation. If you are authenticating Novell NDS users, set the user object type to cn. Step 13 In the User Object Class box, type the value of the LDAP `uid=joesmith,ou=members,ou=administrators,o=cisco` attribute that identifies the record as a user. Often, user records have several values for the `objectType` attribute, some of which are unique to the user, some of which are shared with other object types. Select a value that is not shared. Step 14 In the GroupObjectType box, type the name of the attribute in the group record that contains the group name. Step 15 In the GroupObjectClass box, type a value of the LDAP `objectType` attribute in the group record that identifies the record as a group. If you are authenticating Novell NDS users, set the GroupObjectClass to groupOfNames. Step 16 In the GroupAttributeName box, type the name of the attribute of the group record that contains the list of user records who are a member of that group. Step 17 In the Server Timeout box, type the number of seconds that ACS waits for a response from an LDAP server before determining that the connection with that server has failed. Step 18 To enable failover of LDAP authentication attempts, check the On Timeout Use Secondary check box. For more information about the LDAP failover feature, see LDAP Failover. Step 19 In the Failback Retry Delay box, type the number of minutes after the primary LDAP server fails to authenticate a user that ACS resumes sending authentication requests to the primary LDAP server first. Note To specify that ACS should always use the primary LDAP server first, type zero (0) in the Failback Retry Delay box. Step 20 In the Max. Admin Connection box, enter the number of maximum concurrent connections with LDAP administrator account permissions. Step 21 For the Primary LDAP Server and Secondary LDAP Server tables: Note If you did not check the On Timeout Use Secondary check box, you do not need to complete the options in the Secondary LDAP Server table. a. In the Hostname box, type the name or IP address of the server that is running the LDAP software. If you are using DNS on your network, you can type the hostname instead of the IP address. b. In the Port box, type the TCP/IP port number on which the LDAP server is listening. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information by viewing those properties on the LDAP server. If you want to use secure authentication, port 636 is usually used. c. To specify that ACS should use LDAP version 3 to communicate with your LDAP database, check the LDAP Version check box. If the LDAP Version check box is not checked, ACS uses LDAP version 2. d. If you want ACS to use SSL to connect to the LDAP server, check the Use secure authentication check box and complete the next three steps. If you do not use SSL, the username and password credentials are normally passed over the network to the LDAP directory in clear text. e. If you checked the Use Secure authentication check box, perform one of the following procedures: –Check the Trusted Root CA check box, and in the adjacent drop-down list, select a Trusted Root CA. –Check the Certificate Database Path check box, and download a cert7.db file. Note To download a cert7.db certificate database file to ACS now, complete the steps in Downloading a Certificate Database, and then continue with step f. You can download a certificate database later. Until a certificate database is downloaded for the current LDAP server, secure authentication to this LDAP server fails. f. If you checked the Use Secure authentication check box, perform one of the following procedures: –Click the Trusted Root CA button, and in the adjacent drop-down list, select a Trusted Root CA. –Click the Certificate Database Path button, and in the adjacent box, type the path to the Netscape cert7.db file, which contains the certificates for the server to be queried and the trusted CA. g. The Admin DN box requires the fully qualified (DN) of the administrator; that is, the LDAP account which, if bound to, permits searches for all required users under the User Directory Subtree. In the Admin DN box, type the following information from your LDAP server: uid=user id,[ou=organizational unit,] [ou=next organizational unit]o=organization where user id is the username organizational unit is the last level of the tree next organizational unit is the next level up the tree. For example: uid=joesmith,ou=members,ou=administrators,o=cisco Tip If you are using Netscape DS as your LDAP software, you can copy this information from the Netscape console. Example-Novell NDS Server: uid=admin.ou=Chicago.o=Corporation You can use anonymous credentials for the administrator username if you configure the Novell NDS server to make the group name attribute visible in searches by anonymous credentials. Otherwise, you must specify an administrator username that permits the group name attribute to be visible to searches. If the administrator username that you specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by Novell NDS. For more information, refer to your specific LDAP database documentation. h. In the Password box, type the password for the administrator account that is specified in the Admin DN box. The server determines password case sensitivity. Step 22 Click Submit. ACS saves the generic LDAP configuration that you created. You can now add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management." Downloading a Certificate Database Before You Begin The database must be a Netscape cert7.db certificate database file generated by a Netscape web browser. No other filename is supported. For information about generating a Netscape cert7.db file, refer to Netscape documentation. Note Downloading a certificate database is a part of the larger process that configures an LDAP external user database. For more information, see Configuring a Generic LDAP External User Database. To download a certificate database for a primary or a secondary LDAP server: Step 1 To access the Download Certificate Database page: a. Open the LDAP Database Configuration page that contains the information for the LDAP server whose certificate database file you want to download. Note If you are already on the applicable LDAP Database Configuration page, go to Step b. b. For the LDAP server whose certificate database file you want to download, click Download Certificate Database. Note ACS lists a primary and secondary LDAP server for each LDAP database configuration. To support secure authentication to both servers, you must download a certificate database file twice, once for the primary LDAP server and once for the secondary LDAP server. Step 2 In the FTP Server box, enter the IP address or hostname of the FTP server. The FTP Server box accepts a maximum of 512 characters. Note Providing the hostname requires that DNS is correctly operating on your network. Step 3 In the Login box, enter a valid username to enable ACS to access the FTP server. The Login box accepts a maximum of 512 characters. Step 4 In the Password box, enter the password for the username provided in the Login box. The Password box accepts a maximum of 512 characters. Step 5 In the Directory box, enter the path to the Netscape cert7.db file. The path is relative to the starting directory at login to the FTP server. For example, if the Netscape cert7.db file is located in `objectType` and the user provided in the Login box starts its FTP sessions in `c:\ACS-files\LDAPcertdb`, you then type `c:\`. The Directory box accepts a maximum of 512 characters. Step 6 Click Download. ACS downloads the Netscape cert7.db file from the FTP server. ACS displays the LDAP Database Configuration page. LEAP Proxy RADIUS Server Database For ACS-authenticated users who access your network via Cisco Aironet devices, ACS supports PAP based MAC Exception Handling, LEAP, and EAP-FAST (phase zero and phase two) authentication with a proxy RADIUS server. Other authentication protocols are not supported with LEAP Proxy RADIUS Server databases. This feature is useful if your own RADIUS-based user database can support MS-CHAP but not LEAP/EAP-FAST. ACS manages the LEAP/EAP-FAST protocol handling and forwards just the MS-CHAP authentication to your server. Note Authentication protocols not supported with LEAP Proxy RADIUS Server databases might be supported by another type of external user database. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7. ACS uses MS-CHAP Version 1 for LEAP Proxy RADIUS Server authentication. With LEAP Proxy, only the MS-CHAP authentication is proxied to the remote server in a separate RADIUS access request. To manage your proxy RADIUS database, refer to your RADIUS database documentation. You can use the LEAP proxy RADIUS server authentication to authenticate users against existing Kerberos databases that support MS-CHAP authentication. You can use the LEAP Proxy RADIUS Server database to authenticate users with any third-party RADIUS server that supports MS-CHAP authentication. Note The third-party RADIUS server must return Microsoft Point-to-Point Encryption (MPPE) keys in the Microsoft RADIUS vendor-specific attribute (VSA) `ACS-files\LDAPcertdb`. If the third-party RADIUS server does not return the MPPE keys, the authentication fails and is logged in the Failed Attempts log. ACS supports RADIUS-based group specification for users who are authenticated by LEAP Proxy RADIUS Server databases. The RADIUS-based group specification overrides group mapping. For more information, see RADIUS-Based Group Specification, page 17-8. ACS supports group mapping for unknown users who are authenticated by LEAP Proxy RADIUS Server databases. Group mapping is only applied to an unknown user if RADIUS-based group specification did not occur. For more information about group mapping of users who are authenticated by a LEAP Proxy RADIUS Server database, see Group Mapping by External User Database, page 17-1. Configuring a LEAP Proxy RADIUS Server External User Database You should install and configure your proxy RADIUS server before configuring ACS to authenticate users with it. For information about installing the proxy RADIUS server, refer to the documentation that is included with your RADIUS server. To configure LEAP proxy RADIUS authentication: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS lists all possible external user database types. Step 3 Click LEAP Proxy RADIUS Server. If no LEAP Proxy RADIUS Server configuration exists, only the Database Configuration Creation table appears. Otherwise, in addition to the Database Configuration Creation table, the External User Database Configuration table appears. Step 4 If you are creating a configuration: a. Click Create New Configuration. b. Type a name for the new configuration for the LEAP Proxy RADIUS Server in the box provided, or accept the default name in the box. c. Click Submit. ACS lists the new configuration in the External User Database Configuration table. Step 5 Under External User Database Configuration, select the name of the LEAP Proxy RADIUS Server database that you configure. Note If only one LEAP Proxy RADIUS Server configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6. Step 6 Click Configure. Step 7 In the following boxes, type the required information: •Primary Server Name/IP—IP address of the primary proxy RADIUS server. •Secondary Server Name/IP—IP address of the secondary proxy RADIUS server. •Shared Secret—The shared secret of the proxy RADIUS server. This must be identical to the shared secret with which the proxy RADIUS server is configured. •Authentication Port—The UDP port over which the proxy RADIUS server conducts authentication sessions. If the LEAP Proxy RADIUS server is installed on the same Windows server as ACS, this port should not be the same port that ACS uses for RADIUS authentication. For more information about the ports that ACS uses for RADIUS, see RADIUS, page 1-3. •Timeout (seconds):—The number of seconds that ACS waits before sending notification to the user that the authentication attempt has timed out. •Retries—The number of authentication attempts ACS makes before failing over to the secondary proxy RADIUS server. •Failback Retry Delay (minutes)—The number of minutes after which ACS attempts authentications by using a failed primary proxy RADIUS server. Note If the primary and the secondary servers fail, ACS alternates between the servers until one responds. Step 8 Click Submit. ACS saves the proxy RADIUS token server database configuration that you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management." Token Server User Databases ACS supports the use of token servers for the increased security that one-time passwords (OTPs) provide. This section contains the following topics: •About Token Servers and ACS •RADIUS-Enabled Token Servers About Token Servers and ACS ACS provides ASCII, PAP, and PEAP (EAP-GTC) authentication by using token servers. Other authentication protocols are not supported with token server databases. Note Authentication protocols that are not supported with token server databases might be supported by another type of external user database. For more information about authentication protocols and the external database types that support them, see Authentication Protocol-Database Compatibility, page 1-7. Requests from the AAA client are first sent to ACS. If ACS has been configured to authenticate against a token server and finds the username, it forwards the authentication request to the token server. If it does not find the username, ACS checks the database that is configured to authenticate unknown users. If the request for authentication is passed, the appropriate authorizations are forwarded to the AAA client along with the approved authentication. ACS then maintains the accounting information. ACS acts as a client to the token server. For all token servers, ACS acts as a client by using the RADIUS interface of the token server. For more information about ACS support of token servers with a RADIUS interface, see RADIUS-Enabled Token Servers. Token Servers and ISDN ACS supports token caching for ISDN terminal adapters and routers. One inconvenience of using token cards for OTP authentication with ISDN is that each B channel requires its own OTP. Therefore, a user must enter at least 2 OTPs, plus any other login passwords, such as those for Windows networking. If the terminal adapter supports the ability to turn on and off the second B channel, users might have to enter many OTPs each time the second B channel comes into service. ACS caches the token to help make the OTPs easier for users. Therefore, if a token card is being used to authenticate a user on the first B channel, you can set a specified period during which the second B channel can come into service without requiring the user to enter another OTP. To lessen the risk of unauthorized access to the second B channel, you can limit the time that the second B channel is up. Furthermore, you can configure the second B channel to use the CHAP password that is specified during the first login to further lessen the chance of a security problem. When the first B channel is dropped, the cached token is erased. RADIUS-Enabled Token Servers This section describes support for token servers that provide a standard RADIUS interface. This section contains the following topics: •About RADIUS-Enabled Token Servers •Token Server RADIUS Authentication Request and Response Contents •Configuring a RADIUS Token Server External User Database About RADIUS-Enabled Token Servers ACS supports token servers by using the RADIUS server that is built into the token server. Rather than using a vendor-proprietary API, ACS sends standard RADIUS authentication requests to the RADIUS authentication port on the token server. This feature enables ACS to support any IETF RFC 2865-compliant token server. You can create multiple instances of RADIUS token servers. For information about configuring ACS to authenticate users with one of these token servers, see Configuring a RADIUS Token Server External User Database. ACS provides a means for specifying a user group assignment in the RADIUS response from the RADIUS-enabled token server. Group specification always takes precedence over group mapping. For more information, see RADIUS-Based Group Specification, page 17-8. ACS also supports mapping users who are authenticated by a RADIUS-enabled token server to a single group. Group mapping only occurs if group specification does not occur. For more information, see Group Mapping by External User Database, page 17-1. Token Server RADIUS Authentication Request and Response Contents When ACS forwards an authentication request to a RADIUS-enabled token server, the RADIUS authentication request contains the following attributes: •`MS-CHAP-MPPE-Keys (VSA 12)` (RADIUS attribute 1) •`User-Name` (RADIUS attribute 2) •`User-Password` (RADIUS attribute 4) •`NAS-IP-Address` (RADIUS attribute 5) •`NAS-Port` (RADIUS attribute 32) ACS expects to receive one of the following three responses: •access-accept—No attributes are required; however, the response can indicate the ACS group to which the user should be assigned. For more information, see RADIUS-Based Group Specification, page 17-8. •access-reject—No attributes required. •access-challenge—Attributes required, per IETF RFC, are: –`NAS-Identifier` (RADIUS attribute 24) –`State` (RADIUS attribute 18) Configuring a RADIUS Token Server External User Database Use this procedure to configure RADIUS Token Server external user databases. Before You Begin You should install and configure your RADIUS token server before configuring ACS to authenticate users with it. For information about installing the RADIUS token server, refer to the documentation included with your token server. To configure ACS to authenticate users with a RADIUS Token Sever: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS lists all possible external user database types. Step 3 Click RADIUS Token Server. The Database Configuration Creation table appears. If at least one RADIUS token server configuration exists, the External User Database Configuration table also appears. Step 4 If you are creating a configuration: a. Click Create New Configuration. b. Type a name for the new configuration for the RADIUS-enabled token server in the box provided, or accept the default name in the box. c. Click Submit. ACS lists the new configuration in the External User Database Configuration table. Step 5 Under External User Database Configuration, select the name of the RADIUS-enabled token server that you configure. Note If only one RADIUS-enabled token server configuration exists, the name of that configuration appears instead of the list. Proceed to Step 6. Step 6 Click Configure. Step 7 In the RADIUS Configuration table, type the required information in the following boxes: •Primary Server Name/IP—The hostname or IP address of the primary RADIUS token server. If you provide the hostname, the hostname must be resolvable by DNS. •Secondary Server Name/IP—The hostname or IP address of the secondary RADIUS token server. If you provide the hostname, the hostname must be resolvable by DNS. •Shared Secret—The shared secret of the RADIUS server. This must be identical to the shared secret with which the RADIUS token server is configured. •Authentication Port—The UDP port over which the RADIUS server conducts authentication sessions. If the RADIUS token server is installed on the same Windows server as ACS, this port should not be the same port that ACS uses for RADIUS authentication. For more information about the ports that ACS uses for RADIUS, see RADIUS, page 1-3. Note For ACS to send RADIUS OTP messages to a RADIUS-enabled token server, you must ensure that gateway devices between the RADIUS-enabled token server and ACS allow communication over the UDP port that is specified in the Authentication Port box. •Timeout (seconds):—The number of seconds that ACS waits for a response from the RADIUS token server before retrying the authentication request. •Retries—The number of authentication attempts that ACS makes before failing over to the secondary RADIUS token server. •Failback Retry Delay (minutes)—The number of minutes that ACS sends authentication requests to the secondary server when the primary server has failed. When this duration elapses, ACS reverts to sending authentication requests to the primary server. Note If the primary and the secondary servers fail, ACS alternates between the servers until one responds. Step 8 If you want to support token users who perform a shell login to a TACACS+ AAA client, you must configure the options in the TACACS+ Shell Configuration table. Perform one of the following procedures: •If you want ACS to present a custom prompt for tokens, select Static (sync and async tokens), and then type in the Prompt box the prompt that ACS will present. For example, if you type Enter your PassGo token in the Prompt box, users receive an Enter your PassGo token prompt rather than a password prompt. Note If some tokens that are submitted to this server are synchronous tokens, you must click the Static (sync and async tokens) option. •If you want ACS to send the token server a password to trigger a challenge, select From Token Server (async tokens only), and then, in the Password box, type the password that ACS will forward to the token server. For example, if the token server requires the string challengeme in order to evoke a challenge, you should type challengeme in the Password box. Users will receive a username prompt and a challenge prompt. Tip Most token servers accept a blank password as the trigger to send a challenge prompt. Note You should only click the From Token Server (async tokens only) option if all tokens that are submitted to this token server are asynchronous tokens. Step 9 Click Submit. ACS saves the RADIUS token server database configuration that you created. You can add it to your Unknown User Policy or assign specific user accounts to use this database for authentication. For more information about the Unknown User Policy, see About Unknown User Authentication, page 16-3. For more information about configuring user accounts to authenticate by using this database, see Chapter 7, "User Management." Deleting an External User Database Configuration If you no longer need a particular external user database configuration, you can delete it from ACS. To delete an external user database configuration: Step 1 In the navigation bar, click External User Databases. Step 2 Click Database Configuration. ACS lists all possible external user database types. Step 3 Click the external user database type for which you want to delete a configuration. The External User Database Configuration table appears. Step 4 If a list appears in the External User Database Configuration table, select the configuration to delete. Otherwise, proceed to Step 5. Step 5 Click Delete. A confirmation dialog box appears. Step 6 Click OK to confirm that you want to delete the selected external user database configuration. The external user database configuration that you selected is deleted from ACS.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks