4-31
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
RADIUS and TACACS+ Proxy Requests
The TACACS+ proxy feature in ACS supports the following protocols:
• PAP
• ASCII
• CHAP
• MSCHAP authentication types
Related Topics
• RADIUS and TACACS+ Proxy Requests, page 4-29
• Supported RADIUS Attributes, page 4-31
• Configuring Proxy Service, page 4-32
Supported RADIUS Attributes
The following supported RADIUS attributes are encrypted:
• User-Password
• CHAP-Password
• Message-Authenticator
• MPPE-Send-Key and MPPE-Recv-Key
• Tunnel-Password
• LEAP Session Key Cisco AV-Pair
TACACS+ Body Encryption
When ACS receives a packet from a NAS with an encrypted body (the TAC_PLUS_UNENCRYPTED_FLAG
flag is 0x0), ACS decrypts the body with the data common to the NAS and ACS, such as the shared
secret and session ID, and then encrypts the body with the data common to ACS and the TACACS+
proxy server. If the packet body is in cleartext, ACS resends it to the TACACS+ server in cleartext.
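The re-keying step described above, as an added example that is not Cisco's code: it uses the body obfuscation defined in RFC 8907, where the pad is an MD5 chain over session ID, shared secret, version and sequence number. It assumes the proxy keeps the header (session ID and sequence number) unchanged on the upstream hop; the function names and sample values are hypothetical.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907: bit set means cleartext body
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5-chained pad: each block hashes the seed plus the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def xor_body(header, body, key):
    """Obfuscate or de-obfuscate a body; the XOR is its own inverse."""
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack(header)
    if length != len(body):
        raise ValueError("header length does not match body")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def proxy_forward(packet, nas_secret, upstream_secret):
    """Re-key one packet for the upstream hop (header reuse is an assumption)."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    header, body = packet[:HEADER.size], packet[HEADER.size:]
    flags = header[3]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return packet  # cleartext body is passed on unchanged
    clear = xor_body(header, body, nas_secret)
    return header + xor_body(header, clear, upstream_secret)


def build_packet(body, key, session_id, seq_no=1, flags=0):
    """Constructed sample packet: version 0xC0, type 1 (authentication)."""
    header = HEADER.pack(0xC0, 0x01, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + xor_body(header, body, key)
```
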
Connection to TACACS+ Server
ACS supports a single connection to another TACACS+ server (the
TAC_PLUS_SINGLE_CONNECT_FLAG flag is 1). If the remote TACACS+ server does not support
multiplexing TACACS+ sessions over a single TCP connection, ACS opens and closes a connection for
each session.
Related Topics
• RADIUS and TACACS+ Proxy Requests, page 4-29
• Supported Protocols, page 4-30
• Configuring Proxy Service, page 4-32