topic ACS 4.1 - Dynamic User automatic purging? in Network Access Control

ACS 4.1 - Dynamic User automatic purging?

brian.emil.harris — Mon, 11 Mar 2019 03:24:33 GMT

How often does ACS 4.1 purge dynamic users from it's user group after inactivity?

We're trying to disable access to certain resources via a NAR, and finding that some users are not in the ACS dynamic user database, despite that, at one point in the past, they have used it.

Am I correct in assuming that a user that has never authenticated via an ACS-controlled resource would not be in the database?

ACS 4.1 - Dynamic User automatic purging?

Jatin Katyal — Wed, 08 May 2013 16:46:55 GMT

ACS doesn't purge dynamic users automatically. Most of the times when you make changes in the "external database" section, below the submit tab, it says Submitting the configuration changes removes the dynamic users linked to the database.

You can go to user setup and manualy delete the dynamic users using "Remove Dynamic Users"

Let me know if you have any questions.

Jatin Katyal

- Do rate helpful posts -

Re: ACS 4.1 - Dynamic User automatic purging?

Jatin Katyal — Wed, 08 May 2013 17:02:36 GMT

If the user does not exist in the CS ACS local database, CSACS marks that user as unknown and checks for an unknown user policy. If the unknown user policy is to fail the user, CS ACS fails the user. Otherwise, if external database is configured, CS ACS forwards that information to the configured external user database. CS ACS tries each external user database until the user succeeds or fails. If the authentication is successful, the user information goes into the cache of CSACS, which has a pointer for using the external user database. This user is known as a dynamic user.

The next time the dynamic user tries to authenticate, Cisco Secure ACS authenticates the user against the database that was successful the first time. These cached user entries are used to speed up the authentication process. Dynamic users are treated in the same way as known users.

If the unknown user fails authentication with all configured external databases, the user is not added to the Cisco Secure user database and the authentication fails.

NOTE: In ACS 4.2 we have a controlled on this feature

Under External user database > unknown user policy.

Use this option to disable the creation of dynamic users while using an external database for authentication

Disable dynamic user

Jatin Katyal

- Do rate helpful posts -

ACS 4.1 - Dynamic User automatic purging?

brian.emil.harris — Wed, 08 May 2013 17:03:44 GMT

OK, then, how would a user be automatically removed from the Dynamic Users group?

I can pretty much ensure that nobody has manually removed this particular dynamic user, and based on the "Passed Authentications" logs, I know that the user has authenticated at some point.

However, this user is no longer part of any group of users, no account on ACS, so I'm not able to utilize the NAR to block auth attempts from a particular source for this user.

Re: ACS 4.1 - Dynamic User automatic purging?

Jatin Katyal — Wed, 08 May 2013 17:48:30 GMT

so if you go to user setup and type the name of the user, do you even see user exist on ACS?

In few cases if you make changes to a dynamic user parameters /settings, it start appearing as a static users.

It is recommended to configure everything on a group to which they belong?

Jatin Katyal

- Do rate helpful posts -

ACS 4.1 - Dynamic User automatic purging?

brian.emil.harris — Wed, 08 May 2013 18:52:28 GMT

So, as an example:

I need to enable and configure a "Per User Defined Network Access Restriction" for a "Denied Calling/Point of Access Locations" to:

AAA Client - server1

Port - *

Address - *

for username1, I have configured this, and it has not changed the user from dynamic to static:

Group: Dynamic mapping [Currently: Default Group (5201 users)].

for username2, I want to configure this, but when I try to find this user, I get "No users matching: username2"

username2 has successfully authenticated via this ACS system several months ago.

I don't wish to create any groups at this time, as my method of disabling their authentication access to this single AAA client is working how I wish it to, and it's not making these users static, so I think we're clear there.

ACS 4.1 - Dynamic User automatic purging?

Jatin Katyal — Wed, 08 May 2013 23:42:47 GMT

That's good to know that NAR settings doesn't affect the user type. As far as I know the above could be a possible causes of deletion of dynamic user.

Let's see if someone else has some more inputs on this thread/discussion.

Jatin Katyal

- Do rate helpful posts -