Chapter 4 Setting Up and Managing Network Configuration
Proxy in Distributed Systems
4-6
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
profile needs to reside on every AAA server. This saves administration time and
server space, and ensures that end users receive the same privileges regardless of
which access device they connect through.
Fallback on Failed Connection
You can configure the order in which Cisco Secure ACS checks remote
AAA servers when a failure of the network connection to the primary AAA server
has occurred. If an authentication request cannot be sent to the first listed server,
because of a network failure for example, the next listed server is checked. This
continues, in order, down the list until a AAA server handles the authentication
request. (Failed connections are detected by failure of the nominated server to
respond within a specified time period. That is, the request is timed out.) If
Cisco Secure ACS cannot connect to any server in the list, authentication fails.
Character String
Cisco Secure ACS forwards authentication requests using a configurable set of
characters with a delimiter, such as dots (.), slashes (/), or hyphens (-). When
configuring the Cisco Secure ACS character string to match, you must specify
whether the character string is the prefix or suffix. For example, you can use
“domain.us” as a suffix character string in username*domain.us, where *
represents any delimiter. An example of a prefix character string is
domain.*username, where the * would be used to detect the “/” character.
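The matching rules above (prefix or suffix string separated from the user ID by a delimiter), together with the ordered fallback list from the previous section, modelled as an added example; this is not Cisco code, the delimiter set and the server names are assumptions, and `send` stands in for the network call that may time out:

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Delimiter set assumed for this example; in Cisco Secure ACS it is configurable.
DELIMITERS = set(".@/-")


@dataclass
class ProxyEntry:
    chars: str           # character string to match, e.g. "corporate.com"
    position: str        # "prefix" or "suffix"
    servers: List[str]   # remote AAA servers, in fallback order
    strip: bool = True   # remove the matched string before forwarding


def match_entry(username: str, e: ProxyEntry) -> Optional[str]:
    """Return the username to forward when the entry matches, else None.
    A match requires the string at the configured end of the username
    with a delimiter between it and the rest (username*string or string*username)."""
    n = len(e.chars)
    if len(username) <= n + 1:
        return None
    if e.position == "suffix":
        if username.endswith(e.chars) and username[-n - 1] in DELIMITERS:
            return username[:-n - 1] if e.strip else username
    elif e.position == "prefix":
        if username.startswith(e.chars) and username[n] in DELIMITERS:
            return username[n + 1:] if e.strip else username
    return None


def forward(username: str, table: List[ProxyEntry],
            send: Callable[[str, str], bool]) -> Optional[str]:
    """Walk the Proxy Distribution Table in order. On the first matching entry,
    try its servers in order until one answers (send returns True; False models
    a timed-out connection). Returns the server that handled the request, or
    None when every listed server failed (authentication fails) or nothing matched."""
    for e in table:
        fwd_user = match_entry(username, e)
        if fwd_user is None:
            continue
        for server in e.servers:
            if send(server, fwd_user):
                return server
        return None   # no server in the list could be reached
    return None       # no entry matched: request is not forwarded


if __name__ == "__main__":
    # Constructed sample table and user IDs.
    table = [ProxyEntry("corporate.com", "suffix", ["aaa-1", "aaa-2"]),
             ProxyEntry("domain", "prefix", ["aaa-3"])]
    print(forward("mary@corporate.com", table, lambda s, u: s == "aaa-2"))
```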
Stripping
Stripping allows Cisco Secure ACS to remove, or strip, the matched character
string from the username. When you enable stripping, Cisco Secure ACS
examines each authentication request for matching information. When
Cisco Secure ACS finds a match by character string in the Proxy Distribution
Table, as described in the example under Proxy in Distributed Systems, page 4-4,
Cisco Secure ACS strips off the character string if you have configured it to do
so. For example, in the proxy example that follows, the character string that
accompanies the username establishes the ability to forward the request to another
AAA server. If the user must enter the user ID of [email protected] to be
forwarded correctly to the AAA server for authentication, Cisco Secure ACS
might find a match on the “@corporate.com” character string, and strip the