Cisco Acs 57 User Guide
Page 181
5 Managing Users and Identity Stores Managing External Identity Stores
AD uses the “Maximum password age is N days” rule to detect password expiry. All other rules are used during attempts to change a password. ACS supports these AD domains: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization,...
Page 182
If there is a firewall between ACS and AD, certain ports must be opened so that ACS can communicate with AD. The following are the default ports to be opened: Note: Dial-in users are not supported by AD in ACS. This section contains the following topics:
Machine Authentication, page 52
Attribute Retrieval for Authorization, page 53
Group Retrieval for Authorization, page 57
Certificate Retrieval for EAP-TLS...
Page 183
Attribute Retrieval for Authorization
You can configure ACS to retrieve Active Directory user or machine attributes to be used in authorization and group-mapping rules. The attributes are mapped to the ACS policy results and determine the authorization level for the user or machine. ACS retrieves the user and Active Directory machine attributes after a successful user or machine authentication; ACS can also retrieve the...
Page 184
Multi-Value Attribute Support in AD or LDAP
ACS 5.7 allows you to configure multi-value attributes in the AD or LDAP Directory Attributes page, and it retrieves multi-value attributes from AD or LDAP during authentication against an AD or LDAP identity store. ACS retrieves only the attributes of the user who is trying to authenticate against that identity store. ACS supports the following AD or LDAP attribute types for...
Page 185
Examples
Left attribute value = 11, Equals, Right attribute value = {22,11,33}: Result = True
Left attribute value = 11, Equals, Right attribute value = {22,44}: Result = False
Left attribute value = 11, Not Equals, Right attribute value = {22,33,44}: Result = True
Left attribute value = 11, Not Contains, Right attribute value = {22,11,33}: Result = False
Left attribute value = 123, Contains, Right attribute value = {12,23}: Result = True...
Page 186
Table 48 on page 56 displays the results of the conditions when you use the above operators among the multi-value, single-value, and static-value attribute operands.
Examples
Left attribute value = {11,22,33}, =, Right attribute value = 11: Result = True
Left attribute value = {11,22,33}, !=, Right attribute value = 11: Result = False
Left attribute value = {11,22,33}, >, Right attribute value = 11: Result = True
Left attribute value =...
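The two example sets above (single value against a multi-value, and multi-value against a single value) can be modelled as a small operator table. The following is an added example written for this page, not ACS code: the truth values of the examples on the page are taken as given, and the generalisation behind them, that every operator succeeds if any pair of values on the two sides satisfies it, that Equals and Not Equals are exact negations of each other, and that Contains is substring containment of a right-hand value inside a left-hand value, is an assumption. The sample user attributes and the rule table at the end are constructed for illustration and do not come from the manual.

```python
"""Model of the ACS 5.7 multi-value attribute condition operators.

Added example, not Cisco ACS code. Semantics beyond the examples on the
page (any-pair matching, substring Contains, Not X == not X) are assumed.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple


def _as_list(value: Any) -> List[str]:
    """Normalise a single value or a multi-value attribute to a list of strings."""
    if isinstance(value, (list, tuple, set, frozenset)):
        return [str(v) for v in value]
    return [str(value)]


def _num(s: str) -> Optional[int]:
    """Return the integer form of s, or None if it is not numeric."""
    try:
        return int(s)
    except ValueError:
        return None


def _greater(a: str, b: str) -> bool:
    """Numeric comparison when both sides are integers, lexical otherwise (assumption)."""
    na, nb = _num(a), _num(b)
    if na is not None and nb is not None:
        return na > nb
    return a > b


def equals(left: Any, right: Any) -> bool:
    """Equals (=): true if any left value is identical to any right value."""
    return any(a == b for a in _as_list(left) for b in _as_list(right))


def not_equals(left: Any, right: Any) -> bool:
    """Not Equals (!=): true only when no left value matches any right value."""
    return not equals(left, right)


def contains(left: Any, right: Any) -> bool:
    """Contains: true if any right value occurs as a substring of any left value.

    This is what makes 123 Contains {12,23} evaluate to True on the page.
    """
    return any(b in a for a in _as_list(left) for b in _as_list(right))


def not_contains(left: Any, right: Any) -> bool:
    """Not Contains: negation of Contains (11 Not Contains {22,11,33} is False)."""
    return not contains(left, right)


def greater_than(left: Any, right: Any) -> bool:
    """> : true if any left value is greater than any right value."""
    return any(_greater(a, b) for a in _as_list(left) for b in _as_list(right))


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equals": equals, "=": equals,
    "Not Equals": not_equals, "!=": not_equals,
    "Contains": contains,
    "Not Contains": not_contains,
    ">": greater_than,
}


def evaluate(left: Any, operator: str, right: Any) -> bool:
    """Evaluate one condition: <left attribute> <operator> <right value>."""
    return OPERATORS[operator](left, right)


# Constructed sample: attributes an identity store might return for one user.
# memberOf is multi-valued, department is single-valued. Names are invented.
SAMPLE_USER = {
    "memberOf": ["CN=Staff,DC=example,DC=com", "CN=NetworkAdmins,DC=example,DC=com"],
    "department": "IT",
}

# Constructed rule table: (attribute, operator, value, authorization result).
# First matching rule wins; no match falls through to the default.
SAMPLE_RULES: List[Tuple[str, str, Any, str]] = [
    ("memberOf", "Contains", "CN=NetworkAdmins", "FullAccess"),
    ("department", "=", "IT", "LimitedAccess"),
]


def first_matching_result(attrs: Dict[str, Any], rules, default: str = "Deny") -> str:
    """Apply the rule table to retrieved attributes and return the first result."""
    for attribute, operator, value, result in rules:
        if attribute in attrs and evaluate(attrs[attribute], operator, value):
            return result
    return default
```

The point worth checking in a real rule set is the asymmetry between Equals and Not Equals: because Not Equals only succeeds when none of the values match, a user who belongs to several groups does not pass a `!=` rule merely because one of the groups differs from the value in the rule.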
Page 187
Group Retrieval for Authorization
ACS can retrieve user or machine groups from Active Directory after a successful authentication, and can also retrieve the user or machine group independently of authentication for authorization and group-mapping purposes. You can use the AD group data in authorization and group-mapping tables and introduce special conditions to match them against the retrieved groups.
Certificate Retrieval for EAP-TLS...
Page 188
As a result of machine authentication, the machine's RADIUS Calling-Station-ID attribute (31) is cached as evidence for later reference. The administrator can configure the time to live (TTL) of these cache entries in the AD settings page. The administrator can enable or disable MAR from the AD settings page. However, for MAR to work the following limitations must be taken into account: —Machine authentication must be enabled in...
Page 189
Distributed MAR Cache
ACS 5.7 supports the machine access restriction cache per ACS deployment. That is, machine authentication results can be cached among the nodes within a deployment.
MAR Cache Distribution Groups
ACS 5.7 has the option to group ACS nodes in MAR cache distribution groups. This option is used to control the impact of MAR cache distribution operations on ACS performance and memory usage. A text label is...
Page 190
The distributed search option provides a fallback facility when the replication messages for some reason are not delivered. In this case, you can find the MAR cache entry on the ACS node that performed the machine authentication or on any one of the ACS nodes in the same MAR cache distribution group. The distributed search option also provides a fallback facility when the ACS node that performs the machine authentication is...
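The MAR behaviour described across the "Machine Access Restrictions", "Distributed MAR Cache" and distributed-search passages above (Calling-Station-ID cached as evidence with a TTL, entries replicated only within a MAR cache distribution group, and distributed search as a fallback when replication did not happen) can be modelled as a small cache simulation. The following is an added example written for this page, not Cisco ACS code: the node names, group labels, TTL values and MAC addresses are constructed, and the MAC normalisation helper reflects what a deployment would want rather than documented ACS behaviour, since Calling-Station-ID formatting is not covered on this page.

```python
"""Simulation of the ACS 5.7 MAR cache: TTL, distribution groups, distributed search.

Added example, not Cisco ACS code. All names and values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable


def normalize_calling_station_id(csid: str) -> str:
    """Canonicalise a MAC-style Calling-Station-ID (assumption: a deployment
    wants 00-11-22-33-44-55, 00:11:22:33:44:55 and 0011.2233.4455 to be one key)."""
    hexdigits = "".join(ch for ch in csid.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        return csid.strip().lower()  # not a MAC; keep it as opaque text
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AcsNode:
    name: str
    mar_group: str            # MAR cache distribution group label
    ttl_seconds: int          # TTL configured on the AD settings page
    mar_enabled: bool = True
    cache: Dict[str, float] = field(default_factory=dict)  # csid -> expiry time

    def record_machine_auth(self, csid: str, now: float,
                            peers: Iterable["AcsNode"] = (),
                            replication_ok: bool = True) -> None:
        """Successful machine authentication: cache the evidence locally and,
        when replication works, on every peer in the same distribution group."""
        key = normalize_calling_station_id(csid)
        expiry = now + self.ttl_seconds
        self.cache[key] = expiry
        if not replication_ok:
            return
        for peer in peers:
            if peer is not self and peer.mar_group == self.mar_group:
                peer.cache[key] = expiry

    def has_evidence(self, csid: str, now: float) -> bool:
        """True if an unexpired machine-auth entry exists; expired ones are purged."""
        key = normalize_calling_station_id(csid)
        expiry = self.cache.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.cache[key]
            return False
        return True

    def user_auth_permitted(self, csid: str, now: float,
                            peers: Iterable["AcsNode"] = (),
                            distributed_search: bool = False) -> bool:
        """MAR check at user authentication time: local cache first, then the
        distributed-search fallback across the same distribution group."""
        if not self.mar_enabled:
            return True  # MAR disabled: no machine evidence is required
        if self.has_evidence(csid, now):
            return True
        if distributed_search:
            return any(p.mar_group == self.mar_group and p.has_evidence(csid, now)
                       for p in peers if p is not self)
        return False


def build_sample_deployment() -> Dict[str, AcsNode]:
    """Constructed deployment: two nodes in group 'site-a', one in 'site-b'."""
    return {
        "acs1": AcsNode("acs1", "site-a", ttl_seconds=3600),
        "acs2": AcsNode("acs2", "site-a", ttl_seconds=3600),
        "acs3": AcsNode("acs3", "site-b", ttl_seconds=3600),
    }
```

The edge cases a practitioner should exercise are the ones the page calls out: an entry is only useful until its TTL elapses, so a user whose machine last authenticated before the TTL window is denied even though it did authenticate; replication never crosses a distribution group boundary; and distributed search only helps when the node that holds the evidence is in the same group as the node that receives the user authentication.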