Using the ACS Database


CSACS supports several databases for storing user login information. It has an internal database in which you can configure groups and users. Alternatively, if you already have a database that contains this information, CSACS can communicate with that external database and retrieve the user's credentials, so you do not have to re-create the user and group records in CSACS's internal database. Simply tell CSACS which external database is being used and where it is located (its IP address), and CSACS will communicate with the external database whenever user authentication is necessary.

Figure 5.6 shows the external databases that are supported by CSACS. By clicking the link for a specific server, you can configure attributes specific to the external database.

Figure 5.6. External databases.


No matter what external database you use, the communication process is the same. A user attempts to access network resources, and a router configured for AAA intercepts that request.

Note: The router that a user connects to is usually referred to as a NAS. It is the NAS that is configured to authenticate users via AAA, and the NAS communicates with CSACS.


The router sends the user's credentials (username and password) to CSACS via either the RADIUS protocol or the TACACS+ protocol. CSACS then forwards the user's credentials to the external database server that you configured. The external database server checks the credentials and sends a response back to CSACS that either approves or denies them. CSACS receives that response and forwards a PASS, FAIL, or ERROR message to the router. Based on CSACS's response, the router grants access, denies access, or tries the next authentication method that you configured in the AAA authentication method list.

Alert: Know the communication process between the router (NAS), CSACS, and an external database server.
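The exchange described above, modeled as an added Python example (not code from the book or from Cisco). It follows the standard IOS method-list behavior in which PASS grants, FAIL denies, and only ERROR moves to the next method; all function names and sample accounts are hypothetical, and mapping an unreachable external database to ERROR is an assumption.

```python
import hmac
from enum import Enum
from functools import partial

class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"

# Constructed sample records; not real accounts.
EXTERNAL_DB = {"alice": "s3cret"}   # stands in for the external database server
LOCAL_DB = {"admin": "localpw"}     # stands in for the router's local user list

def _match(db, username, password):
    stored = db.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def csacs_authenticate(username, password, db_reachable=True):
    """CSACS relays the credentials to the external database and maps the
    approve/deny answer to PASS/FAIL. Assumption: no answer becomes ERROR."""
    if not db_reachable:
        return Result.ERROR
    return Result.PASS if _match(EXTERNAL_DB, username, password) else Result.FAIL

def local_authenticate(username, password):
    """Fallback method that checks the router's own user list."""
    return Result.PASS if _match(LOCAL_DB, username, password) else Result.FAIL

def nas_login(username, password, method_list):
    """Walk the method list: PASS grants, FAIL denies, only ERROR moves on."""
    trace = []
    for name, method in method_list:
        result = method(username, password)
        trace.append((name, result.value))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace      # an explicit denial is final
    return False, trace              # every method returned ERROR

def method_list(db_reachable):
    return [("csacs", partial(csacs_authenticate, db_reachable=db_reachable)),
            ("local", local_authenticate)]

if __name__ == "__main__":
    for user, pw, up in [("alice", "s3cret", True), ("admin", "localpw", True),
                         ("admin", "localpw", False)]:
        print(user, "db_up" if up else "db_down", nas_login(user, pw, method_list(up)))
```

The second case is the one to remember: a valid local account is still denied while CSACS answers FAIL, because the fallback method is consulted only after an ERROR.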




CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
