Cisco 3.3 User Manual

Cisco 3.3
860 pages
Chapter 15 Unknown User Policy
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Posture Validation and the Unknown User Policy
This section contains the following topics:
• NAC and the Unknown User Policy
• Posture Validation Use of the Unknown User Policy
• Required Use for Posture Validation
NAC and the Unknown User Policy
For posture validation requests, the Unknown User Policy automates the
association of users to a NAC database that applies to the posture validation
request. This occurs regardless of user type; however, if the username sent in the
PEAP EAP-Identity field from the NAC client is unknown, Cisco Secure ACS
also creates the user account in the CiscoSecure user database.
The value sent in the PEAP EAP-Identity field is determined by the NAC client,
which is Cisco Trust Agent (CTA); therefore, Cisco Secure ACS is not in control
of the username associated with a posture validation request. CTA sends in the
EAP-Identity field a string in the following format:
hostname:username
where hostname is the name of the NAC-client computer and username identifies
the user logged into the NAC-client computer at the time that CTA sends the
posture validation request. For example, while the user cyril.yang is logged into
the computer named yang-laptop01, posture validation requests received by
Cisco Secure ACS contain the string yang-laptop01:cyril.yang in the
EAP-Identity field. As a result of the behavior of the Unknown User Policy,
Cisco Secure ACS creates a user account named yang-laptop01:cyril.yang.
Because the username is part of the EAP-Identity field value in posture validation
requests, Cisco Secure ACS can create multiple user accounts for the same NAC
client. Continuing the example of the computer named yang-laptop01, if the user
david.fry is logged into the computer at the time of a subsequent posture
validation request, the EAP-Identity field contains the string
yang-laptop01:david.fry and Cisco Secure ACS creates a user account named
yang-laptop01:david.fry.
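
An added example, not part of the Cisco manual: a Python audit helper that takes a list of account names (how the list is exported is outside this sketch) and groups those in hostname:username form by NAC client, showing which clients have accumulated more than one account. The function names, the case-folding of hostnames and the sample list are assumptions made for illustration.

```python
from collections import defaultdict


def parse_eap_identity(identity):
    """Split a CTA-style EAP-Identity value into (hostname, username).

    Returns None when the value is not in hostname:username form, for
    example an account name with no colon or with an empty part.
    """
    host, sep, user = identity.strip().partition(":")
    if not sep or not host or not user:
        return None
    # Assumption: hostnames compare case-insensitively, so fold case for grouping.
    return host.lower(), user


def accounts_by_nac_client(account_names):
    """Map each NAC-client hostname to the sorted usernames seen for it."""
    grouped = defaultdict(set)
    for name in account_names:
        parsed = parse_eap_identity(name)
        if parsed:
            host, user = parsed
            grouped[host].add(user)
    return {host: sorted(users) for host, users in grouped.items()}


def clients_with_multiple_accounts(account_names):
    """Return only the hostnames that have more than one user account."""
    grouped = accounts_by_nac_client(account_names)
    return {host: users for host, users in grouped.items() if len(users) > 1}


# Constructed sample: the first two names are the manual's example, the rest are invented.
SAMPLE_ACCOUNTS = [
    "yang-laptop01:cyril.yang",
    "yang-laptop01:david.fry",
    "YANG-LAPTOP01:cyril.yang",  # same client, different hostname case
    "lab-pc07:guest",
    "jsmith",                    # no colon: not in hostname:username form
    ":orphan",                   # malformed: empty hostname
]

if __name__ == "__main__":
    for host, users in clients_with_multiple_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{host}: {len(users)} accounts -> {', '.join(users)}")
```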
