User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Appendix G Cisco Secure ACS Internal Architecture
interoperability testing with other web servers, but unless a second web server is
configured to use either port 2002 or one of the ports within the range specified
in the HTTP Port Allocation feature, you should not encounter port conflicts for
HTTP traffic. For more information about the HTTP Port Allocation feature, see
Access Policy, page 10-11.

Note: For more information about access to the HTML interface and network
environments, see Network Environments and Remote Administrative Sessions,
page 1-27.

Although you can start and stop services from within the Cisco Secure ACS
HTML interface, this does not include starting or stopping CSAdmin. If CSAdmin
stops abnormally because of an external action, you cannot access
Cisco Secure ACS from any computer other than the Windows server on which it
is running. You can start or stop CSAdmin from Windows Control Panel.
CSAdmin is multi-threaded, which enables several Cisco Secure ACS
administrators to access it at the same time. Therefore, CSAdmin is well suited
for distributed, multiprocessor environments.
CSAuth
CSAuth is the authentication and authorization service. It permits or denies access
to users by processing authentication and authorization requests. CSAuth
determines if access should be granted and defines the privileges for a particular
user. CSAuth is the Cisco Secure ACS database manager.
To authenticate users, Cisco Secure ACS can use the internal user database or one
of many external databases. When a request for authentication arrives,
Cisco Secure ACS checks the database that is configured for that user. If the user
is unknown, Cisco Secure ACS checks the database(s) configured for unknown
users. For more information about how Cisco Secure ACS handles authentication
requests for unknown users, see Unknown User Processing, page 12-1.
For more information about the various database types supported by
Cisco Secure ACS, see Chapter 11, “Working with User Databases.”
When a user has authenticated, Cisco Secure ACS obtains a set of authorizations
from the user profile and the group to which the user is assigned. This information
is stored with the username in the CiscoSecure user database. Some of the