User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 12 Administering External User Databases
Turning off External User Database Authentication
You can configure Cisco Secure ACS so that users who are not in the
Cisco Secure ACS database are not permitted to authenticate.
To turn off external user database authentication, follow these steps:
Step 1: In the navigation bar, click External User Databases.
Step 2: Click Unknown User Policy.
Step 3: Select the Fail the attempt option.
Step 4: Click Submit.
Result: Unknown user processing is halted. Cisco Secure ACS does not allow
unknown users to authenticate with external user databases.
Database Group Mappings
The Database Group Mapping feature in the External User Databases section
enables you to associate unknown users with a Cisco Secure ACS group for
assigning authorization profiles. For external user databases from which
Cisco Secure ACS can derive group information, you can associate the group
memberships defined for the users in the external user database to specific
Cisco Secure ACS groups. For Windows NT/2000 user databases, group mapping
is further specified by domain, because each domain maintains its own user
database. For Novell NDS user databases, group mapping is further specified by
trees, because Cisco Secure ACS supports multiple trees in a single Novell NDS
user database.
In addition to the Database Group Mapping feature, for some database types,
Cisco Secure ACS supports RADIUS-based group specification.
This section contains the following topics:
• Group Mapping by External User Database
• Group Mapping by Group Set Membership
• RADIUS-Based Group Specification