User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
RADIUS and TACACS+ Proxy Requests
You can use ACS as a proxy server that receives RADIUS authentication requests and TACACS+
authentication and authorization requests from a network access server (NAS) and forwards them to a
remote server. ACS then receives the reply for each forwarded request from the remote RADIUS or
TACACS+ server and returns it to the client.
ACS uses the service selection policy to differentiate between incoming authentication and accounting
requests that must be handled locally and those that must be forwarded to a remote RADIUS or
TACACS+ server.
When ACS receives a proxy request from the NAS, it forwards the request to the first remote RADIUS
or TACACS+ server in its list. ACS processes the first valid or invalid response from the remote RADIUS
server and does the following:
- If the response is valid for RADIUS, such as Access-Challenge, Access-Accept, or Access-Reject,
ACS returns the response to the NAS.
- If ACS does not receive a response within the specified time period, after the specified number of
retries, or after the specified network timeout, it forwards the request to the next remote RADIUS
server in the list.
- If the response is invalid, the ACS proxy fails over to the next remote RADIUS server. When the
last remote RADIUS server in the failover list has been tried without receiving a reply, ACS drops
the request and does not send any response to the NAS.
ACS processes the first valid or invalid response from the remote TACACS+ server and does the
following:
- If the response is valid for TACACS+, such as TAC_PLUS_AUTHEN (REPLY) or
TAC_PLUS_AUTHOR (RESPONSE), ACS returns the response to the NAS.
- If ACS does not receive a response within the specified time period, after the specified number of
retries, or after the specified network timeout, it forwards the request to the next remote TACACS+
server in the list.
- If the response is invalid, the ACS proxy fails over to the next remote TACACS+ server. When the
last remote TACACS+ server in the failover list has been tried without receiving a reply, ACS drops
the request and does not send any response to the NAS.
You can configure ACS to strip the prefix, the suffix, or both from a username (RADIUS) or user
(TACACS+). For example, from the username acme\smith@acme.com, you can configure ACS to extract
only the name of the user, smith, by specifying \ and @ as the prefix and suffix separators respectively.
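The stripping rule in the example above, written out as an added Python function (not Cisco's
code). It assumes that the prefix is everything up to and including the first prefix separator, that
the suffix is everything from the first suffix separator onward, and that a username without the
separator is passed through unchanged; these are assumptions for illustration, not documented ACS
behavior:

```python
"""Username prefix/suffix stripping (added example, not Cisco's implementation)."""
from typing import Optional


def strip_username(username: str,
                   prefix_sep: Optional[str] = None,
                   suffix_sep: Optional[str] = None) -> str:
    """Return the bare user name after removing a prefix and/or a suffix.

    prefix_sep: separator such as "\\"; the part before it (and the separator)
                is dropped. None disables prefix stripping.
    suffix_sep: separator such as "@"; the separator and everything after it is
                dropped. None disables suffix stripping.
    Assumption: first occurrence of each separator is used; absent separator
    means nothing is stripped.
    """
    name = username
    if prefix_sep and prefix_sep in name:
        name = name.partition(prefix_sep)[2]     # keep text after the separator
    if suffix_sep and suffix_sep in name:
        name = name.partition(suffix_sep)[0]     # keep text before the separator
    return name


# Constructed inputs illustrating the three configurations and the pass-through case.
SAMPLES = {
    "both":   strip_username("acme\\smith@acme.com", "\\", "@"),   # -> "smith"
    "prefix": strip_username("acme\\smith@acme.com", "\\", None),  # -> "smith@acme.com"
    "suffix": strip_username("acme\\smith@acme.com", None, "@"),   # -> "acme\\smith"
    "plain":  strip_username("smith", "\\", "@"),                  # -> "smith"
}

if __name__ == "__main__":
    for k, v in SAMPLES.items():
        print(f"{k:7s} {v}")
```

Stripping collapses distinct qualified identities onto one local name (acme\smith and corp\smith
both become smith), so whichever identity is used for the local policy lookup or forwarded to the
remote server is the stripped one; check that the remote server expects the stripped form before
enabling it on a proxied service.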
ACS can perform local accounting, remote accounting, or both. If you choose both, ACS performs local
accounting first and then remote accounting. If local accounting fails, ACS ignores the error and still
proceeds to remote accounting.
During proxying, ACS:
1. Receives the following packets from the NAS and forwards them to the remote RADIUS server:
Access-Request
2. Receives the following packets from the remote RADIUS server and returns them to the NAS:
Access-Accept
Access-Reject
Access-Challenge
3. Receives the following packets from the NAS and forwards them to the remote TACACS+ server: