User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
RADIUS and TACACS+ Proxy Requests
Supported RADIUS Attributes, page 4-31
Configuring Proxy Service, page 4-32
Supported RADIUS Attributes
The following supported RADIUS attributes are encrypted:
User-Password
CHAP-Password
Message-Authenticator
MPPE-Send-Key and MPPE-Recv-Key
Tunnel-Password
LEAP Session Key Cisco AV-Pair
TACACS+ Body Encryption
When ACS receives a packet from a NAS with an encrypted body (the TAC_PLUS_UNENCRYPTED_FLAG
flag is 0x0), ACS decrypts the body using the data it shares with the NAS, such as the shared secret and
session ID, and then re-encrypts the body using the data it shares with the TACACS+ proxy server. If
the packet body is in cleartext, ACS resends it to the TACACS+ server in cleartext.
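The decrypt-then-re-encrypt step described above, sketched as an added example (not ACS code) using the standard TACACS+ body obfuscation from RFC 8907. The function names and sample values are assumptions, and so is the optional upstream session ID, since this guide does not say how ACS chooses the session ID on the proxy side.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit, RFC 8907
HDR = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad: each block hashes the seed plus the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pad; applying it twice with the same inputs restores it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, key, flags=0, version=0xC0, ptype=1, seq_no=1):
    """Build a packet; the body is obfuscated unless the unencrypted flag is set."""
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return HDR.pack(version, ptype, seq_no, flags, session_id, len(body)) + body

def proxy_forward(packet, nas_secret, upstream_secret, upstream_session_id=None):
    """Decrypt with the NAS-side secret, re-encrypt with the upstream-side one."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:HDR.size])
    body = packet[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    # Assumption: the proxy may use its own session ID toward the upstream server.
    out_sid = session_id if upstream_session_id is None else upstream_session_id
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        clear = obfuscate(body, session_id, nas_secret, version, seq_no)
        body = obfuscate(clear, out_sid, upstream_secret, version, seq_no)
    # A cleartext body is forwarded as-is, still in cleartext.
    return HDR.pack(version, ptype, seq_no, flags, out_sid, length) + body

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    pkt = build_packet(b"constructed authen START body", 0x1234ABCD, b"nas-secret")
    fwd = proxy_forward(pkt, b"nas-secret", b"upstream-secret", 0x0BADF00D)
    print(obfuscate(fwd[HDR.size:], 0x0BADF00D, b"upstream-secret", 0xC0, 1))
```

The pad depends on the secret and the session ID, so a mismatch in either on one leg of the proxy yields an unreadable body on that leg only, which helps localize a misconfigured shared secret.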
Connection to TACACS+ Server
ACS supports a single connection to another TACACS+ server (the
TAC_PLUS_SINGLE_CONNECT_FLAG flag is 1). If the remote TACACS+ server does not support
multiplexing TACACS+ sessions over a single TCP connection, ACS will open or close a connection for
each session.
Related Topics
RADIUS and TACACS+ Proxy Requests, page 4-29
Supported Protocols, page 4-30
Configuring Proxy Service, page 4-32