Cisco Systems OL-24201-01 Camera Accessories User Manual


 
4-30
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
RADIUS and TACACS+ Proxy Requests
During proxying, ACS:
1. Receives the following packets from the NAS and forwards them to the remote RADIUS server:
   - Access-Request
   - Accounting-Request packets
2. Receives the following packets from the remote RADIUS server and returns them to the NAS:
   - Access-Accept
   - Access-Reject
   - Access-Challenge
   - Accounting-Response
3. Receives the following packets from the NAS and forwards them to the remote TACACS+ server:
   - TAC_PLUS_AUTHOR
   - TAC_PLUS_AUTHEN
4. Receives the following packets from the remote TACACS+ server and returns them back to the NAS:
   - TAC_PLUS_ACCT
This behavior is configurable.
When an external RADIUS server is unresponsive, ACS waits for about timeout * number of retries seconds before it fails over to the next server.
There could be several unresponsive servers in the list before the first responsive server is reached. In such cases, each request that is forwarded to a responsive external RADIUS server is delayed for number of previous unresponsive servers * timeout * number of retries.
This delay can sometimes be longer than the external RADIUS server timeout between two messages in an EAP or RADIUS conversation. In such a situation, the external RADIUS server would drop the request.
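The delay rule above as a configuration check, added here as an example (not code from the Cisco guide or from ACS): for an ordered external server list it computes the delay a request sees at each position if every earlier server is unresponsive, and marks the positions where that delay exceeds the remote server's timeout between two messages. The server names, the timeout and retry values and the 20-second conversation timeout are constructed, and per-server values generalize the single timeout * number of retries product in the text.

```python
from dataclasses import dataclass


@dataclass
class ExternalServer:
    name: str         # constructed label, not an ACS object name
    timeout_s: float  # seconds ACS waits per attempt on this server
    retries: int      # attempts before ACS fails over to the next server


def worst_case_table(servers, conversation_timeout_s):
    """For each list position, return (name, delay, ok): the delay a request
    sees when every server before that position is unresponsive, and whether
    it stays within the remote server's timeout between two messages."""
    rows, delay = [], 0.0
    for s in servers:
        rows.append((s.name, delay, delay <= conversation_timeout_s))
        # Text: an unresponsive server costs about timeout * number of retries.
        delay += s.timeout_s * s.retries
    return rows


def tolerable_leading_failures(servers, conversation_timeout_s):
    """Number of servers at the head of the list that can be unresponsive
    before a forwarded request arrives too late and is dropped."""
    ok_rows = [r for r in worst_case_table(servers, conversation_timeout_s) if r[2]]
    # Row k corresponds to k earlier failures, so the count is one less.
    return len(ok_rows) - 1


# Constructed sample configuration: three servers, 5 s timeout, 3 retries each.
SERVERS = [
    ExternalServer("rad-a", 5.0, 3),
    ExternalServer("rad-b", 5.0, 3),
    ExternalServer("rad-c", 5.0, 3),
]
CONVERSATION_TIMEOUT_S = 20.0  # assumed timeout on the remote RADIUS server

if __name__ == "__main__":
    for name, delay, ok in worst_case_table(SERVERS, CONVERSATION_TIMEOUT_S):
        status = "ok" if ok else "request likely dropped"
        print(f"{name}: delay {delay:.0f}s -> {status}")
    print("tolerable leading failures:",
          tolerable_leading_failures(SERVERS, CONVERSATION_TIMEOUT_S))
```

With these values a request that reaches the third server has already waited 30 seconds, so the list tolerates only one unresponsive server ahead of a working one.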
You can configure the number of seconds that ACS waits for an unresponsive external TACACS+ server before it fails over to the next server.
Related Topics
Supported Protocols, page 4-30
Supported RADIUS Attributes, page 4-31
Configuring Proxy Service, page 4-32
Supported Protocols
The RADIUS proxy feature in ACS supports the following protocols:
   - Forwarding for all RADIUS protocols
   - All EAP protocols
   - Protocols not supported by ACS (because the ACS proxy does not interfere in the protocol conversation and just forwards requests)
Note: The ACS proxy cannot support protocols that use encrypted RADIUS attributes.