ACS 4.1 - Dynamic User automatic purging?

How often does ACS 4.1 purge dynamic users from its user group after inactivity?

We're trying to disable access to certain resources via a NAR, and finding that some users are not in the ACS dynamic user database, despite having used it at one point in the past.

Am I correct in assuming that a user that has never authenticated via an ACS-controlled resource would not be in the database?


Jatin Katyal
Cisco Employee

ACS doesn't purge dynamic users automatically. Most of the time, when you make changes in the "External User Databases" section, below the Submit button it says: "Submitting the configuration changes removes the dynamic users linked to the database."

Or

You can go to User Setup and manually delete the dynamic users using "Remove Dynamic Users".

Let me know if you have any questions.

Jatin Katyal


- Do rate helpful posts -

~Jatin

If the user does not exist in the CS ACS local database, CS ACS marks that user as unknown and checks for an unknown user policy. If the unknown user policy is to fail the user, CS ACS fails the user. Otherwise, if an external database is configured, CS ACS forwards that information to the configured external user database. CS ACS tries each external user database until the user succeeds or fails. If the authentication is successful, the user information goes into the cache of CS ACS, which has a pointer for using the external user database. This user is known as a dynamic user.

The next time the dynamic user tries to authenticate, Cisco Secure ACS authenticates the user against the database that was successful the first time. These cached user entries are used to speed up the authentication process. Dynamic users are treated in the same way as known users.

If the unknown user fails authentication with all configured external databases, the user is not added to the Cisco Secure user database and the authentication fails.

NOTE: In ACS 4.2 we have a control on this feature.

Under External User Databases > Unknown User Policy:

"Disable dynamic user" - Use this option to disable the creation of dynamic users while using an external database for authentication.

Jatin Katyal
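As an added example (not code from this thread or from Cisco), here is a small Python model of the unknown-user flow described above, applied to the thread's username1/username2 situation: a user who passed an external database is cached as a dynamic user and can carry a per-user NAR, while a user whose cached entry was purged is simply not found. The Acs class, its field names and the single external database "ldap" are constructed assumptions, not ACS internals.

```python
from dataclasses import dataclass, field

@dataclass
class Acs:
    local_users: dict                # static users: username -> password
    external_dbs: dict               # db name -> {username: password}, tried in order
    fail_unknown: bool = False       # unknown user policy set to "fail the user"
    disable_dynamic: bool = False    # the ACS 4.2 "Disable dynamic user" option
    dynamic: dict = field(default_factory=dict)  # username -> external db that passed it
    nars: dict = field(default_factory=dict)     # username -> AAA clients denied by NAR

    def authenticate(self, user, pw, aaa_client):
        """Return (outcome, reason) for an attempt arriving through aaa_client."""
        if user in self.local_users or user in self.dynamic:
            # Known and dynamic users alike: per-user NAR, then only their own db.
            if aaa_client in self.nars.get(user, set()):
                return "fail", "nar-denied"
            if user in self.local_users:
                ok, reason = self.local_users[user] == pw, "local"
            else:
                db = self.dynamic[user]
                ok, reason = self.external_dbs[db].get(user) == pw, "cached:" + db
            return ("pass" if ok else "fail"), reason
        if self.fail_unknown:                        # unknown user policy
            return "fail", "unknown-user-policy"
        for db, users in self.external_dbs.items():  # try each external db in turn
            if users.get(user) == pw:
                if not self.disable_dynamic:
                    self.dynamic[user] = db          # cached as a dynamic user
                return "pass", "external:" + db
        return "fail", "all-external-dbs"

    def add_nar(self, user, aaa_client):
        """Per-user NAR: only configurable for a user ACS can find."""
        if user not in self.local_users and user not in self.dynamic:
            raise LookupError("No users matching: " + user)
        self.nars.setdefault(user, set()).add(aaa_client)

    def remove_dynamic_users(self):
        self.dynamic.clear()  # User Setup > Remove Dynamic Users; external-db submit does the same


def scenario():
    """Constructed data: one external db holding the thread's username1 and username2."""
    acs = Acs(local_users={"admin": "pw"},
              external_dbs={"ldap": {"username1": "a", "username2": "b"}})
    acs.authenticate("username2", "b", "server2")  # months ago: cached as dynamic
    acs.remove_dynamic_users()                     # external-db resubmit or manual purge
    acs.authenticate("username1", "a", "server1")  # later: username1 cached as dynamic
    acs.add_nar("username1", "server1")            # NAR attaches; user stays dynamic
    return acs
```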

OK, then, how would a user be automatically removed from the Dynamic Users group?

I can pretty much ensure that nobody has manually removed this particular dynamic user, and based on the "Passed Authentications" logs, I know that the user has authenticated at some point.

However, this user is no longer part of any group of users, no account on ACS, so I'm not able to utilize the NAR to block auth attempts from a particular source for this user.

So if you go to User Setup and type the name of the user, do you even see that the user exists on ACS?

In a few cases, if you make changes to a dynamic user's parameters/settings, it starts appearing as a static user.

It is recommended to configure everything on the group to which they belong.

Jatin Katyal

So, as an example:

I need to enable and configure a "Per User Defined Network Access Restriction" for a "Denied Calling/Point of Access Locations" to:

AAA Client - server1

Port - *

Address - *

For username1, I have configured this, and it has not changed the user from dynamic to static:

Group: Dynamic mapping [Currently: Default Group (5201 users)].

For username2, I want to configure this, but when I try to find this user, I get "No users matching:  username2".

username2 has successfully authenticated via this ACS system several months ago.

I don't wish to create any groups at this time, as my method of disabling their authentication access to this single AAA client is working how I wish it to, and it's not making these users static, so I think we're clear there.

That's good to know that NAR settings don't affect the user type. As far as I know, the above could be possible causes of deletion of a dynamic user.

Let's see if someone else has some more inputs on this thread/discussion.

Jatin Katyal