User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
To create a default policy:
Step 1 Choose Access Policies > Security Group Access Control > Egress Policy then choose Default Policy.
Step 2 Fill in the fields as in the Default Policy for Egress Policy page.
Step 3 Click Submit.
RADIUS and TACACS+ Proxy Requests
You can use ACS to act as a proxy server that receives authentication and accounting RADIUS requests
and authentication, authorization, and accounting TACACS+ requests from a Network Access Server
(NAS) and forwards them to a remote server. ACS then receives the reply for each forwarded request
from the remote RADIUS or TACACS+ server and sends it back to the client.
ACS uses the service selection policy to differentiate between incoming authentication and accounting
requests that must be handled locally and those that must be forwarded to a remote RADIUS or
TACACS+ server.
When ACS receives a proxy request from the NAS, it forwards the request to the first remote RADIUS
or TACACS+ server in its list. ACS processes the first valid or invalid response from the remote RADIUS
server and does the following:
- If the response is valid for RADIUS, such as an Access-Challenge, Access-Accept, Access-Reject,
  or Accounting-Response, ACS returns the response to the NAS.
- If ACS does not receive a response within the specified time period, after the specified number of
  retries, or after the specified network timeout, it forwards the request to the next remote RADIUS
  server in the list.
- If the response is invalid, the ACS proxy fails over to the next remote RADIUS server. When
  the last failover remote RADIUS server in the list is reached without a reply, ACS drops the
  request and does not send any response to the NAS.
ACS processes the first valid or invalid response from the remote TACACS+ server and does the
following:
- If the response is valid for TACACS+, such as TAC_PLUS_AUTHEN (REPLY),
  TAC_PLUS_AUTHOR (RESPONSE), or TAC_PLUS_ACCT (REPLY), ACS returns the response
  to the NAS.
- If ACS does not receive a response within the specified time period, after the specified number of
  retries, or after the specified network timeout, it forwards the request to the next remote TACACS+
  server in the list.
- If the response is invalid, the ACS proxy fails over to the next remote TACACS+ server. When
  the last failover remote TACACS+ server in the list is reached without a reply, ACS drops the
  request and does not send any response to the NAS.
You can configure ACS to strip the prefix, the suffix, or both from a username (RADIUS) or user
(TACACS+). For example, from the username acme\smith@acme.com, you can configure ACS to extract
only the user's name, smith, by specifying \ and @ as the prefix and suffix separators respectively.
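As an added illustration (not Cisco's code or an ACS API), the following Python models the proxy failover rules and the username stripping described above for the RADIUS case. The server names, the scripted `make_server` stand-ins, and `demo` are constructed for this example.

```python
from typing import Callable, Optional

# Responses the text lists as valid for RADIUS; anything else counts as invalid.
VALID_RADIUS = {"Access-Challenge", "Access-Accept", "Access-Reject",
                "Accounting-Response"}

def strip_username(username: str, prefix_sep: Optional[str] = None,
                   suffix_sep: Optional[str] = None) -> str:
    """Drop everything up to and including prefix_sep, and everything from
    suffix_sep onward, e.g. acme\\smith@acme.com -> smith with '\\' and '@'.
    A separator that is absent leaves that side of the name untouched."""
    name = username
    if prefix_sep and prefix_sep in name:
        name = name.partition(prefix_sep)[2]
    if suffix_sep and suffix_sep in name:
        name = name.rpartition(suffix_sep)[0]
    return name

def proxy_request(request: dict, servers: list, retries: int = 2):
    """Forward request to each (name, send) pair in order. send(request)
    returns a response code, or None to model no reply before the timeout.
    Returns (response, server_name) for the first valid response, or
    (None, None) when the list is exhausted: ACS drops the request and
    sends nothing back to the NAS."""
    for name, send in servers:
        for _attempt in range(retries + 1):
            reply = send(request)
            if reply is None:
                continue           # no reply: retry, then fail over
            if reply in VALID_RADIUS:
                return reply, name # valid: returned to the NAS
            break                  # invalid: fail over immediately
    return None, None

def make_server(replies) -> Callable[[dict], Optional[str]]:
    """Constructed stand-in for a remote server: returns the scripted
    replies in order, then None (silence) forever."""
    it = iter(replies)
    return lambda _req: next(it, None)

def demo():
    servers = [
        ("radius-a", make_server([])),               # never answers
        ("radius-b", make_server(["Bogus-Code"])),   # malformed reply
        ("radius-c", make_server(["Access-Accept"])),
    ]
    user = strip_username("acme\\smith@acme.com", "\\", "@")
    return user, proxy_request({"User-Name": user}, servers, retries=2)
```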
ACS can perform local accounting, remote accounting, or both. If you choose both, ACS performs local
accounting and then moves on to remote accounting. If there are any errors in local accounting, ACS
ignores them and moves on to remote accounting.