ACS Authentication via Internal DB vs External DB

Unanswered Question
Dec 9th, 2009

All,

I am designing an FCAPS solution for my client and I have a few questions about authentication via internal DB vs external DB.

Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?

If I configure ACS for external authentication via Windows AD, can my devices (AAA clients) still use TACACS+? From what I read in the user's guide, the communication between Windows AD and ACS is RADIUS, but I'm not sure if that means the communication between ACS and the devices has to be RADIUS as well.

Please advise.

Stephanie

kush.sri2001 Wed, 12/09/2009 - 20:25

Hi,

When an authentication request comes to the ACS, the ACS Internal Database is checked first. If the user is not found in the Internal Database, the request is forwarded to the ACS "Unknown User Policy", and if you have configured your Active Directory to work with the ACS, the request is sent to it.

If you are using the ACS 3.x/4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html

You can configure the devices to use RADIUS/TACACS+ even if the user is authenticated through the Active Directory.

The ACS communicates with the Active Directory in the following manner:

When ACS authenticates to Windows, it uses standard API calls to send the username/password to the local member server that ACS is installed on. That member server then forwards the authentication request to the local domain controller. The local domain controller checks its local SAM database and, if the user does not exist there, forwards the request to all trusted domains until it gets a success.

To check the different Databases supported, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636

Regards,
Kush

slcornish Thu, 12/10/2009 - 07:21

Kush,

Can ACS be configured to do authentication via external DB first and fall back to the internal DB if the external DB is unavailable?

Can ACS send an event/trap when an unknown user is discovered?

Stephanie

ansalaza Thu, 12/10/2009 - 08:59

"Internal database lookup" can be configured first only when your network devices are authenticating using the RADIUS protocol. This is possible using an ACS feature called Network Access Profiles.

I would not consider the Internal Database a fallback for AD; ACS keeps track of the existing AD users because the ACS or Remote Agent (installed on a Windows AD member server) is part of the AD domain.

The ACS creates a dynamic entry for each user, but still looks up the User's Password against the AD database.

Back to your original question: ACS does not talk to AD (installed on a Windows AD member server) using RADIUS, and your network devices can be configured to talk RADIUS or TACACS+ to ACS.
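As an added illustration of the lookup order both replies describe (internal database first, then the Unknown User Policy handing unknown users to AD, with a dynamic entry that still verifies the password against AD), here is a small Python model. It is not Cisco's code or an ACS configuration; the `AcsModel`, `ad_lookup` and `demo` names and all user data are constructed, and how the Unknown User Policy treats an unreachable external database is an assumption the thread does not settle.

```python
class ExternalDbUnavailable(Exception):
    """Raised when an external database (e.g. Windows AD) cannot be reached."""
class AcsModel:
    def __init__(self, internal_users, external_dbs):
        self.internal_users = dict(internal_users)   # name -> password
        # Ordered (db_name, lookup_fn) pairs used by the Unknown User Policy.
        self.external_dbs = list(external_dbs)
        self.dynamic_users = {}                      # name -> db_name

    def authenticate(self, user, password):
        """Return (ok, where): `where` names the database that decided."""
        # 1. The internal database is always consulted first.
        if user in self.internal_users:
            return (self.internal_users[user] == password, "internal")
        # 2. A dynamic entry pins the user to the external DB that authenticated
        #    them; the password is still checked there, so AD down = failure.
        if user in self.dynamic_users:
            db_name = self.dynamic_users[user]
            try:
                return (dict(self.external_dbs)[db_name](user, password), db_name)
            except ExternalDbUnavailable:
                return (False, db_name)              # no fallback to internal
        # 3. Unknown User Policy: external DBs in configured order
        #    (assumption: an unreachable DB is skipped, the next one tried).
        for db_name, lookup in self.external_dbs:
            try:
                ok = lookup(user, password)
            except ExternalDbUnavailable:
                continue
            if ok:
                self.dynamic_users[user] = db_name   # create dynamic entry
                return (True, db_name)
        return (False, "unknown-user")

# Constructed sample standing in for Windows AD (not a real directory).
AD_USERS, AD_STATE = {"stephanie": "Winter2009!"}, {"up": True}

def ad_lookup(user, password):
    if not AD_STATE["up"]:
        raise ExternalDbUnavailable("AD member server unreachable")
    return AD_USERS.get(user) == password

def demo():
    acs = AcsModel({"admin": "local-pass"}, [("AD", ad_lookup)])
    out = [acs.authenticate("admin", "local-pass"),
           acs.authenticate("stephanie", "Winter2009!")]
    AD_STATE["up"] = False                           # simulate AD outage
    out.append(acs.authenticate("stephanie", "Winter2009!"))
    AD_STATE["up"] = True
    return out
```

Running `demo()` shows the point made above: once a user has been authenticated through AD, an AD outage yields a failed login rather than a fallback to the internal database.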
