Chapter 15 Unknown User Policy
Authentication and Unknown Users
15-8
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Note
If your network has multiple occurrences of a username across domains (for example, every domain has a user called Administrator), or if users do not provide their domains as part of their authentication credentials, be sure to configure the Domain List for the Windows user database in the External User Databases section. If you do not, only the user whose account Windows happens to check first authenticates successfully. The Domain List is the only way that Cisco Secure ACS controls the order in which Windows checks domains. The most reliable method of supporting multiple instances of a username across domains is to require users to supply their domain memberships as part of the authentication request. For more information about the effects of using the Domain List, see Non-domain-qualified Usernames, page 13-13.
Multiple User Account Creation
Unknown user authentication can create more than one user account for the same user. For example, if a user provides a domain-qualified username and successfully authenticates, Cisco Secure ACS creates an account in the format DOMAIN\username. If the same user successfully authenticates without prefixing the domain name to the username, Cisco Secure ACS creates an account in the format username. If the same user also authenticates with a UPN version of the username, such as [email protected], Cisco Secure ACS creates a third account.
If, to assign authorizations, you rely on groups rather than individual user settings, all accounts that authenticate using the same Windows user account receive the same privileges. Regardless of whether the user prefixes the domain name or uses the UPN form, group mapping assigns the user to the same Cisco Secure ACS user group, because all of those Cisco Secure ACS user accounts correspond to a single Windows user account. If you instead configure individual user settings, you must apply them to each of those accounts separately, because Cisco Secure ACS treats them as distinct accounts.
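The following is an added illustration, not Cisco Secure ACS code, that models the two behaviours described in the Note and in Multiple User Account Creation: a non-domain-qualified name is looked up in the domains in Domain List order (so a duplicated Administrator resolves to whichever domain is listed first), and each distinct as-typed form of the same Windows user (DOMAIN\user, user, UPN) becomes a separate ACS account that still maps to one ACS group. The directory, the group mapping, the example domain names and the rule that a UPN suffix's first DNS label equals the NetBIOS domain name are all constructed assumptions for the example; the model also assumes the password check succeeds.

```python
"""Model of unknown-user account creation across username forms.

Added example, not Cisco Secure ACS code. All directory data, group names
and domain names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample Windows directory: NetBIOS domain -> {username: Windows group}.
# "Administrator" exists in both domains, the ambiguous case the Note describes.
DIRECTORY = {
    "CORP": {"Administrator": "CORP\\Domain Admins", "jdoe": "CORP\\Domain Users"},
    "LAB": {"Administrator": "LAB\\Domain Admins"},
}

# Assumed group mapping: Windows group -> Cisco Secure ACS user group.
GROUP_MAPPING = {
    "CORP\\Domain Admins": "ACS-Admins",
    "LAB\\Domain Admins": "ACS-LabAdmins",
    "CORP\\Domain Users": "ACS-Users",
}


@dataclass(frozen=True)
class Credential:
    domain: Optional[str]  # None when the user typed a non-domain-qualified name
    user: str
    as_typed: str          # exact string supplied; becomes the ACS account name


def parse_username(raw: str) -> Credential:
    """Split the three forms the guide mentions: DOMAIN\\user, user@suffix, bare user.

    Assumption: the first DNS label of a UPN suffix is the NetBIOS domain name
    (jdoe@corp.example.com -> CORP). Real deployments may map these differently.
    """
    if "\\" in raw:
        dom, user = raw.split("\\", 1)
        return Credential(dom.upper(), user, raw)
    if "@" in raw:
        user, suffix = raw.rsplit("@", 1)
        return Credential(suffix.split(".")[0].upper(), user, raw)
    return Credential(None, raw, raw)


def find_windows_account(cred: Credential, domain_list: Optional[list] = None):
    """Return (domain, windows_group) for the first domain that holds the user.

    A domain-qualified name consults only that domain. For a bare name the
    Domain List fixes the search order; with no Domain List the order is
    whatever Windows happens to try, modelled here as the directory's own
    iteration order, i.e. not under the administrator's control.
    """
    if cred.domain is not None:
        users = DIRECTORY.get(cred.domain, {})
        return (cred.domain, users[cred.user]) if cred.user in users else None
    order = domain_list if domain_list else list(DIRECTORY)
    for dom in order:
        users = DIRECTORY.get(dom, {})
        if cred.user in users:
            return (dom, users[cred.user])
    return None


class AcsUserStore:
    """Model of the ACS internal database populated by unknown-user authentication."""

    def __init__(self, domain_list: Optional[list] = None):
        self.domain_list = domain_list
        # ACS account name (as typed) -> (Windows identity, ACS user group)
        self.accounts = {}

    def authenticate_unknown(self, raw: str):
        """Resolve the name, then create the ACS account keyed by the as-typed form."""
        cred = parse_username(raw)
        hit = find_windows_account(cred, self.domain_list)
        if hit is None:
            return None  # no domain holds this user; authentication fails
        dom, win_group = hit
        entry = (f"{dom}\\{cred.user}", GROUP_MAPPING[win_group])
        # One ACS account per distinct as-typed name, so one Windows user can
        # end up with several ACS accounts; group mapping gives all the same group.
        self.accounts.setdefault(cred.as_typed, entry)
        return entry


if __name__ == "__main__":
    store = AcsUserStore(domain_list=["CORP", "LAB"])
    for form in ("CORP\\jdoe", "jdoe", "jdoe@corp.example.com"):
        print(form, "->", store.authenticate_unknown(form))
    print("ACS accounts created:", sorted(store.accounts))
    for dl in (["CORP", "LAB"], ["LAB", "CORP"]):
        print("Domain List", dl, "Administrator ->",
              find_windows_account(parse_username("Administrator"), dl))
```

Running the script shows three ACS accounts for jdoe, all in ACS-Users, and shows that the bare name Administrator lands in a different domain depending only on Domain List order, which is why the guide recommends requiring domain-qualified names when usernames repeat across domains.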
Performance of Unknown User Authentication
Processing an authentication request for an unknown user takes slightly longer than processing one for a known user, because Cisco Secure ACS must query the external user database before it can respond. This small delay may require you to increase the AAA server timeout configured on the AAA clients through which unknown users may attempt to access your network; otherwise the client can give up on the request before Cisco Secure ACS answers.