The Cisco Secure ACS user database is crucial for the authorization
process. Regardless of whether a user is authenticated by the internal user
database or by an external user database, Cisco Secure ACS authorizes network
services for users based upon group membership and specific user settings found
in the Cisco Secure ACS user database. Thus, all users authenticated by Cisco
Secure ACS, even those authenticated by an external user database, have an
account in the Cisco Secure ACS user database.
NOTE: External user databases can only be used to authenticate users and to
determine which group Cisco Secure ACS assigns a user to. The Cisco Secure ACS
user database, internal to Cisco Secure ACS for Windows Server, provides all
authorization services. With few exceptions, Cisco Secure ACS cannot retrieve
authorization data from external user databases.
The Cisco Secure ACS user database draws information from several
data sources, including a memory-mapped, hash-indexed file, VarsDB.MDB, and the
Windows Registry. VarsDB.MDB is a Microsoft Jet database formatted file that
yields very fast lookup times. This structure enables the Cisco Secure ACS user
database to authenticate users quickly.
Unless Cisco Secure ACS is
configured to authenticate users with an external user database, Cisco Secure
ACS uses usernames and passwords in the Cisco Secure ACS user database during
authentication.
There are five ways to create user accounts in Cisco Secure ACS for Windows
2000 Servers. Of these, RDBMS Synchronization and CSUtil.exe support importing
user accounts from external sources.
- Cisco Secure ACS HTML interface – The HTML interface provides the ability
to create user accounts manually, one user at a time. Regardless of how a user
account was created, a user account can be edited by using the HTML
interface.
- Unknown User Policy – The Unknown User Policy enables Cisco Secure ACS to
add users automatically when a user without an account in the CiscoSecure user
database is found in an external user database. The creation of a user account
in the CiscoSecure user database occurs only when the user attempts to access
the network and is successfully authenticated by an external user
database.
- RDBMS Synchronization – RDBMS Synchronization enables an administrator to
create large numbers of user accounts and to configure many settings for these
accounts. This feature is recommended whenever it is necessary to import users
by bulk.
- CSUtil.exe – The CSUtil.exe command-line utility provides a simple means of
creating basic user accounts. When compared to RDBMS Synchronization, the
functionality is limited. However, it is simple to prepare for importing basic
user accounts and assigning users to groups.
- Database Replication – Database Replication creates user accounts on a
secondary Cisco Secure ACS by overwriting all existing user accounts on a
secondary Cisco Secure ACS with the user accounts from the primary Cisco Secure
ACS. Any user accounts unique to a secondary Cisco Secure ACS are lost in the
replication.
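The following is an added illustrative model, not Cisco code and not the real VarsDB.MDB format, of three behaviours described above: authorization is always resolved from the internal user database even when an external database authenticates the user, the Unknown User Policy creates an internal account only after a successful external authentication, and Database Replication overwrites the secondary's accounts so that accounts unique to the secondary are lost. All usernames, passwords, group names and service names are constructed sample values.

```python
# Added model of the Cisco Secure ACS account/authorization flow; illustrative
# only, not Cisco's implementation and not the on-disk VarsDB.MDB structure.
import copy

class InternalUserDB:
    """Internal database: holds every account plus all authorization data."""
    def __init__(self):
        self.users = {}   # username -> {"password": str | None, "group": str}
        self.groups = {}  # group -> set of authorized network services

class ExternalUserDB:
    """External database: can authenticate and select a group, nothing more."""
    def __init__(self, credentials, group):
        self.credentials = credentials  # constructed sample: username -> password
        self.group = group              # group ACS assigns to users found here

    def authenticate(self, username, password):
        return self.credentials.get(username) == password

def authorize(internal, username):
    """Authorization is always resolved from the internal database."""
    rec = internal.users.get(username)
    return set(internal.groups.get(rec["group"], ())) if rec else set()

def login(internal, externals, unknown_user_policy, username, password):
    """Return the set of authorized services, or None when access is denied."""
    rec = internal.users.get(username)
    if rec is not None and rec["password"] is not None:
        # Account with a local password: authenticate internally.
        return authorize(internal, username) if rec["password"] == password else None
    if rec is None and not unknown_user_policy:
        return None  # no account and ACS will not create one automatically
    for ext in externals:
        if ext.authenticate(username, password):
            # Unknown User Policy: the account is created only after a
            # successful external authentication; no password is stored.
            internal.users.setdefault(username, {"password": None, "group": ext.group})
            return authorize(internal, username)
    return None

def replicate(primary, secondary):
    """Database Replication: the primary's accounts overwrite the secondary's;
    returns the usernames that existed only on the secondary and are lost."""
    lost = set(secondary.users) - set(primary.users)
    secondary.users = copy.deepcopy(primary.users)
    secondary.groups = copy.deepcopy(primary.groups)
    return lost
```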