Cisco Systems Servers Server User Manual


 
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 4 Setting Up and Managing Network Configuration
Proxy in Distributed Systems
Note: When a Cisco Secure ACS receives a TACACS+ authentication request
forwarded by proxy, any Network Access Restrictions for TACACS+ requests
are applied to the IP address of the forwarding AAA server, not to the IP
address of the originating AAA client.
Note: In a network that uses more than one type of RADIUS protocol,
Cisco Secure ACS accepts only IETF attributes. All other attributes, such as
proprietary attributes, are not interpreted. If the AAA protocol for RADIUS is
configured uniformly with the same attributes, all attributes are recognized.
For example, a Cisco Secure ACS receives an authentication request for
mary.smith@corporate.com, where @corporate.com is a character string
defined in the server's distribution table as being associated with another specific
AAA server. The Cisco Secure ACS server receiving the authentication request
for mary.smith@corporate.com then forwards the request to the AAA server with
which the character string is associated. The entry in the Proxy Distribution Table
defines the association.
Administrators with geographically dispersed networks can configure and
manage the user profiles of employees within their immediate location or
building. This enables the administrator to manage the policies of just their users
and allows all authentication requests from other users within the company to be
forwarded to their respective AAA server for authentication. Not every user
profile needs to reside on every AAA server. This saves administration time and
server space, and facilitates end users receiving the same privileges regardless of
which access device they connect through.
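
The Proxy Distribution Table lookup described above, together with the ordered server list covered under Fallback on Failed Connection, as an added sketch that is not from the Cisco guide and is not Cisco Secure ACS code. The table layout, server names, IP addresses, the suffix-only match and the local handling of unmatched users are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Cisco Secure ACS code.
# Table layout, server names and IP addresses are constructed for the example.
from dataclasses import dataclass

@dataclass
class ProxyEntry:
    character_string: str   # e.g. "@corporate.com"
    servers: list           # remote AAA servers, in the order they are tried

PROXY_TABLE = [             # constructed sample Proxy Distribution Table
    ProxyEntry("@corporate.com", ["aaa-hq-1", "aaa-hq-2"]),
    ProxyEntry("@branch.example", ["aaa-branch-1"]),
]
LOCAL_SERVER = "aaa-local"          # the server that received the request
LOCAL_SERVER_IP = "192.0.2.10"      # its address (documentation range)

def match_entry(username, table=PROXY_TABLE):
    """First entry whose character string ends the username (suffix match assumed)."""
    for entry in table:
        if username.endswith(entry.character_string):
            return entry
    return None

def route_request(username, client_ip, reachable, table=PROXY_TABLE):
    """Decide which server handles the request.

    Returns (server, tried, nar_ip): the handling server (None if no listed
    server was reachable; what happens next is not modelled), the servers
    tried in order, and the address the handling server's TACACS+ Network
    Access Restrictions would be evaluated against.
    """
    entry = match_entry(username, table)
    if entry is None:
        # Assumed: no matching character string means local handling,
        # so the restrictions see the originating AAA client.
        return LOCAL_SERVER, [LOCAL_SERVER], client_ip
    tried = []
    for server in entry.servers:
        tried.append(server)
        if server in reachable:
            # Forwarded by proxy: the remote server sees the forwarder's
            # address, not the originating AAA client's.
            return server, tried, LOCAL_SERVER_IP
    return None, tried, None

if __name__ == "__main__":
    up = {"aaa-hq-2", "aaa-branch-1"}   # constructed: aaa-hq-1 is unreachable
    print(route_request("mary.smith@corporate.com", "198.51.100.7", up))
    print(route_request("local.user", "198.51.100.7", up))
```

The third value returned is the one to check when writing Network Access Restrictions on a server that receives proxied TACACS+ requests: rules keyed to AAA client addresses will not match forwarded traffic.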
Fallback on Failed Connection
You can configure the order in which Cisco Secure ACS checks remote
AAA servers upon the failure of the network connection to the primary
AAA server. If an authentication request cannot be sent to the first listed server,
because of a network failure for example, the next listed server is checked. This
continues, in order, down the list until a AAA server handles the authentication