Cisco Secure Access Control Server for Windows
The Cisco Secure ACS user database

The Cisco Secure ACS user database is crucial for the authorization process. Regardless of whether a user is authenticated by the internal user database or by an external user database, Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database. Thus, all users authenticated by Cisco Secure ACS, even those authenticated by an external user database, have an account in the Cisco Secure ACS user database.

NOTE:

External user databases can only be used to authenticate users and to determine which group Cisco Secure ACS assigns a user to. The Cisco Secure ACS user database, internal to Cisco Secure ACS for Windows Server, provides all authorization services. With few exceptions, Cisco Secure ACS cannot retrieve authorization data from external user databases.

The Cisco Secure ACS user database draws information from several data sources, including a memory-mapped, hash-indexed file, VarsDB.MDB, and the Windows Registry. VarsDB.MDB is a file in Microsoft Jet database format that yields very fast lookup times. This structure enables the Cisco Secure ACS user database to authenticate users quickly.

Unless Cisco Secure ACS is configured to authenticate users with an external user database, Cisco Secure ACS uses usernames and passwords in the Cisco Secure ACS user database during authentication.

There are five ways to create user accounts in Cisco Secure ACS for Windows 2000 Servers. Of these, RDBMS Synchronization and CSUtil.exe support importing user accounts from external sources.

  • Cisco Secure ACS HTML interface – The HTML interface provides the ability to create user accounts manually, one user at a time. Regardless of how a user account was created, a user account can be edited by using the HTML interface.
  • Unknown User Policy – The Unknown User Policy enables Cisco Secure ACS to add users automatically when a user without an account in the CiscoSecure user database is found in an external user database. The creation of a user account in the CiscoSecure user database occurs only when the user attempts to access the network and is successfully authenticated by an external user database.
  • RDBMS Synchronization – RDBMS Synchronization enables an administrator to create large numbers of user accounts and to configure many settings for these accounts. This feature is recommended whenever it is necessary to import users in bulk.
  • CSUtil.exe – The CSUtil.exe command-line utility provides a simple means of creating basic user accounts. Its functionality is limited compared to RDBMS Synchronization, but preparing an import of basic user accounts and group assignments is simple.
  • Database Replication – Database Replication creates user accounts on a secondary Cisco Secure ACS by overwriting all existing user accounts on a secondary Cisco Secure ACS with the user accounts from the primary Cisco Secure ACS. Any user accounts unique to a secondary Cisco Secure ACS are lost in the replication.