Cisco Systems OL-9971-01 manual Remote Use of Accounting Packets, Character String

Page 5

Chapter 3 Network Configuration

Proxy in Distributed Systems

continues, in order, down the list, until the AAA servers handles the authentication request. (Failed connections are detected by failure of the nominated server to respond within a specified time period. That is, the request is timed out.) If ACS cannot connect to any server in the list, authentication fails.

Character String

ACS forwards authentication requests by using a configurable set of characters with a delimiter, such as periods (.), slashes (/), or hyphens (-). When configuring the ACS character string, you must specify whether the character string is the prefix or suffix. For example, you can use domain.us as a suffix character string in username*domain.us, where the asterisk (*) represents any delimiter. An example of a prefix character string is domain.*username, where the asterisk (*) would be used to detect the slash(/).

Stripping

Stripping allows ACS to remove, or strip, the matched character string from the username. When you enable stripping, ACS examines each authentication request for matching information. When ACS finds a match by character string in the Proxy Distribution Table, as described in the example under Proxy in Distributed Systems, page 3-3, ACS strips off the character string if you have configured it to do so. For example, in the following proxy example, the character string that accompanies the username establishes the ability to forward the request to another AAA server. If the user must enter the user ID of mary@corporate.com to be forwarded correctly to the AAA server for authentication, ACS might find a match on the @corporate.com character string, and strip the @corporate.com, leaving a username of mary, which might be the username format that the destination AAA server requires to identify the correct entry in its database.

Note Realm stripping does not work with Extensible Authentication Protocol (EAP)-based authentication protocols, such as Protected Extensible Authentication Protocol (PEAP) or Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). For example, if you are using Protected Extensible Authentication Protocol Microsoft Challenge Authentication Handshake Protocol (PEAP MSCHAP), authentication will fail if a realm is stripped by proxy.

Remote Use of Accounting Packets

When proxy is employed, ACS can dispatch AAA accounting packets in one of three ways:

Log them locally.

Forward them to the destination AAA server.

Log them locally and forward copies to the destination AAA server. Sending accounting packets to the remote ACS offers several benefits.

When ACS is configured to send accounting packets to the remote AAA server, the remote

AAA server logs an entry in the accounting report for that session on the destination server. ACS also caches the user connection information and adds an entry in the List Logged on Users report. You can then view the information for users that are currently connected. Because the accounting information is sent to the remote AAA server, even if the connection fails, you can view the Failed Attempts report to troubleshoot the failed connection.

User Guide for Cisco Secure Access Control Server

 

OL-9971-01

3-5

 

 

 

Page 4 Page 6
Image 5
Page 4 Page 6
Contents About Network Configuration Network ConfigurationAAA Servers in Distributed Systems About ACS in Distributed SystemsProxy in Distributed Systems Default Distributed System SettingsProxy Feature An Example Fallback on Failed ConnectionCharacter String Remote Use of Accounting PacketsNetwork Device Search Criteria Other Features Enabled by System DistributionNetwork Device Searches Searching for Network Devices AAA Client Configuration Options Configuring AAA ClientsNetwork Configuration Configuring AAA Clients Network Configuration Configuring AAA Clients Before You Begin Adding AAA ClientsEditing AAA Clients Follow the steps for Adding AAA Clients, Configuring a Default AAA ClientDeleting AAA Clients Configuring AAA ServersAAA Server Configuration Options Adding AAA Servers Editing AAA Servers Deleting AAA Servers Configuring Remote Agents ACS Solution Engine OnlyAbout Remote Agents Remote Agent Configuration OptionsAdding a Remote Agent Editing a Remote Agent Configuration Deleting a Remote Agent Configuration Configuring Network Device Groups Adding a Network Device Group Reassigning AAA Clients or AAA Servers to an NDG Assigning an Unassigned AAA Client or AAA Server to an NDGNDG properties are changed Editing a Network Device GroupDeleting a Network Device Group Configuring Proxy Distribution TablesAdding a New Proxy Distribution Table Entry About the Proxy Distribution TableNetwork Configuration Configuring Proxy Distribution Tables Deleting a Proxy Distribution Table Entry Editing a Proxy Distribution Table Entry
Top Page Image Contents