Cisco Secure ACS Database
You can configure the Cisco Secure ACS server to use a user-defined database that is local to the server, or you can configure an external user database, such as a Windows NT Server. There are advantages and disadvantages to each.
When the Cisco Secure ACS server is configured to authenticate usernames and passwords against its local database and receives a request from the network access server, it searches that database for the username supplied in the REPLY to its GETUSER packet. If it finds a match, it compares the password supplied in the REPLY to its GETPASS packet with the password configured locally for that account, and returns a pass or fail response to the network access server. After the user has been authenticated, the Cisco Secure ACS server sends the authorization attributes to the network access server. The advantage of the locally configured database is ease of administration and speed; the disadvantage is that the database must be populated manually.
You can also configure the Cisco Secure ACS server to authenticate username and password credentials against those already defined in a Windows NT or 2000 user database. When the Cisco Secure ACS server receives a request from the network access server, it first searches its local database for a match. If it finds none and is configured to forward requests to an external user database, it forwards the username and password to the external database for authentication, and the external database returns a pass or fail response to the Cisco Secure ACS server. If the credentials are confirmed, the username is stored in the Cisco Secure user database for future authentication requests; the password is not stored. Because ACS then already knows where that user's account lives, subsequent requests from the user are authenticated more quickly.
In enterprises that already have a substantial Windows NT network installed, Cisco Secure ACS can leverage the work invested in building that user database without any additional input, which eliminates the need for separate databases. An added benefit of using an external user database is that the username and password used for network access authentication are the same ones used to log on to the network, so you can configure Cisco Secure ACS such that users enter their username and password only once, providing a single login. One major disadvantage of using an external database for authentication is that the Cisco Secure server cannot store any third-party passwords, such as PAP and CHAP passwords. Also, if a network issue prevents the Cisco Secure ACS server from receiving a response from the external database for an authentication request, the user is never authenticated, and you can lock yourself out of the network access server. The usual safeguard is to give the network access server a fallback authentication method, such as a locally configured username, for the case where the Cisco Secure ACS server cannot be reached.
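The following Python model, an added example rather than Cisco code, walks through the lookup order described above: the local database is consulted first, an unknown user is forwarded to the external database, only the username (never the password) is cached on success, and a later request for that cached user still fails when the external database does not answer. All class and function names and the sample accounts are invented for this example. Two points go beyond the text and are labelled as assumptions in the code: more than one external database may be configured and is tried in order for a user ACS has not seen before, and a request that reaches an unreachable external database fails outright.

```python
"""Model of the Cisco Secure ACS credential lookup order (added example, not
Cisco code).  All names and sample data here are constructed for illustration.
Assumptions beyond the text: (a) several external databases may be configured
and are tried in order for a user ACS has not yet seen; (b) a request that
reaches an unreachable external database fails outright."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class ExternalDbUnreachable(Exception):
    """The external database did not answer (the network-issue case)."""


@dataclass
class ExternalUserDb:
    """Stand-in for a Windows NT/2000 user database (constructed data)."""
    name: str
    users: Dict[str, str]          # username -> password held by the domain
    reachable: bool = True
    queries: int = 0               # how often ACS had to ask this database

    def check(self, username: str, password: str) -> bool:
        if not self.reachable:
            raise ExternalDbUnreachable(self.name)
        self.queries += 1
        return self.users.get(username) == password


@dataclass
class SecureAcs:
    """The lookup logic: local database first, then external databases."""
    local_users: Dict[str, str]                                   # local DB: username -> password
    externals: List[ExternalUserDb] = field(default_factory=list)
    known_external: Dict[str, str] = field(default_factory=dict)  # username -> db name, no password

    def authenticate(self, username: str, password: str) -> str:
        """Return the pass/fail response ACS sends to the network access server."""
        # Local database: username from the GETUSER reply, password from the GETPASS reply.
        if username in self.local_users:
            return "PASS" if self.local_users[username] == password else "FAIL"
        if not self.externals:
            return "FAIL"                              # forwarding not configured
        # A user confirmed earlier is sent straight to the database that confirmed it;
        # an unknown user is tried against each external database in order (assumption a).
        if username in self.known_external:
            candidates = [db for db in self.externals if db.name == self.known_external[username]]
        else:
            candidates = self.externals
        try:
            for db in candidates:
                if db.check(username, password):
                    self.known_external[username] = db.name   # cache the username only
                    return "PASS"
        except ExternalDbUnreachable:
            # No response from the external database: the user is never authenticated,
            # even though the username is cached, because the password was not stored.
            return "FAIL"
        return "FAIL"


def demo() -> Tuple[int, int, str]:
    """Constructed scenario. Returns (external queries for a first login, external
    queries for the same user's second login, result during an external outage)."""
    corp = ExternalUserDb("CORP", {"alice": "Pa55w0rd"})
    lab = ExternalUserDb("LAB", {"bob": "hunter2"})
    acs = SecureAcs(local_users={"admin": "local-secret"}, externals=[corp, lab])

    assert acs.authenticate("admin", "local-secret") == "PASS"   # local hit, no external query
    assert acs.authenticate("bob", "hunter2") == "PASS"          # unknown user: CORP, then LAB
    first = corp.queries + lab.queries                           # 2 queries
    assert acs.authenticate("bob", "hunter2") == "PASS"          # cached user: LAB only
    second = corp.queries + lab.queries - first                  # 1 query
    lab.reachable = False
    outage = acs.authenticate("bob", "hunter2")                  # "FAIL": password was never cached
    return first, second, outage


if __name__ == "__main__":
    print(demo())   # (2, 1, 'FAIL')
```

The last step is the lockout case from the text: the cached username saves a lookup, but it does not let ACS answer on its own, so the network access server still needs its own fallback method for the period when the external database is unreachable.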