Chapter 15 Unknown User Policy - Cisco 3.3 User Manual

For Windows Server version 3.3

Chapter 15
Unknown User Policy
78-16592-01
Known, Unknown, and Discovered Users

Cisco Secure ACS does not support failover authentication. If authentication fails with the database that the user is associated with, Cisco Secure ACS uses no other means to authenticate the user and Cisco Secure ACS informs the AAA client of the authentication failure.

Posture validation—Cisco Secure ACS always uses the Unknown User Policy to determine which Network Admission Control (NAC) database to use for a posture validation request. For more information, see Posture Validation and the Unknown User Policy, page 15-10.

Unknown Users—Users who do not have a user account in the CiscoSecure user database. This either means that the user has not received authentication or posture validation services from Cisco Secure ACS or that the user account was deleted. Cisco Secure ACS handles authentication and posture validation requests for unknown users as specified by your configuration of the Unknown User Policy.

Authentication—For details about unknown user authentication, see General Authentication of Unknown Users, page 15-5.

Posture validation—Cisco Secure ACS always uses the Unknown User Policy to determine which NAC database to use for a posture validation request. For more information, see Posture Validation and the Unknown User Policy, page 15-10.

Discovered Users—Users whose accounts Cisco Secure ACS created in the CiscoSecure user database after successful authentication or posture validation using the Unknown User Policy. All discovered users were unknown users. When Cisco Secure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the database that provided authentication or posture validation service for the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the Cisco Secure ACS HTML interface or RDBMS Synchronization, you can further configure the user account as needed. For example, after a discovered user is created in Cisco Secure ACS, you can assign user-specific network access restrictions to the discovered user.

Note: Cisco Secure ACS does not import credentials (such as passwords, certificates, or NAC credential types) for a discovered user.

User Guide for Cisco Secure ACS for Windows Server
15-3
