Chapter 4 Common Scenarios Using ACS


To create a default policy:

Step 1 Choose Access Policies > Security Group Access Control > Egress Policy, then choose Default Policy.

Step 2 Fill in the fields as described for the Default Policy for Egress Policy page.

Step 3 Click Submit.

RADIUS and TACACS+ Proxy Requests

You can use ACS as a proxy server that receives authentication and accounting RADIUS requests, and authentication, authorization and accounting TACACS+ requests, from a Network Access Server (NAS) and forwards them to a remote server. ACS then receives the reply for each forwarded request from the remote RADIUS or TACACS+ server and sends it back to the client.

ACS uses the service selection policy to distinguish incoming authentication and accounting requests that it must handle locally from those that it must forward to a remote RADIUS or TACACS+ server.

When ACS receives a proxy request from the NAS, it forwards the request to the first remote RADIUS or TACACS+ server in its list. ACS acts on the first response, valid or invalid, that it receives from the remote RADIUS server, as follows:

If the response is a valid RADIUS response, such as Access-Challenge, Access-Accept, Access-Reject, or Accounting-Response, ACS returns it to the NAS.

If ACS receives no response within the configured time period after the configured number of retries, or the configured network timeout expires, it forwards the request to the next remote RADIUS server in the list.

If the response is invalid, the ACS proxy fails over to the next remote RADIUS server. When the last remote RADIUS server in the list is reached without obtaining a reply, ACS drops the request and sends no response to the NAS; the NAS sees only its own timeout, not a reject.

Likewise, ACS acts on the first response, valid or invalid, that it receives from the remote TACACS+ server, as follows:

If the response is a valid TACACS+ response, such as TAC_PLUS_AUTHEN (REPLY), TAC_PLUS_AUTHOR (RESPONSE), or TAC_PLUS_ACCT (REPLY), ACS returns it to the NAS.

If ACS receives no response within the configured time period after the configured number of retries, or the configured network timeout expires, it forwards the request to the next remote TACACS+ server in the list.

If the response is invalid, the ACS proxy fails over to the next remote TACACS+ server. When the last remote TACACS+ server in the list is reached without obtaining a reply, ACS drops the request and sends no response to the NAS.
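The failover rules for RADIUS and TACACS+ above are identical, so one simulation covers both. The following Python is an added example written for this page, not Cisco ACS code. Remote servers are modelled as constructed callables; the per-server retry count, and the treatment of any response code outside the listed set as invalid, are assumptions of the example, and the request dictionaries are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Response codes the text lists as valid for each protocol. Anything else
# is treated as an invalid response (an assumption of this simulation).
VALID_RESPONSES = {
    "radius": {"Access-Challenge", "Access-Accept", "Access-Reject",
               "Accounting-Response"},
    "tacacs": {"TAC_PLUS_AUTHEN(REPLY)", "TAC_PLUS_AUTHOR(RESPONSE)",
               "TAC_PLUS_ACCT(REPLY)"},
}


class Timeout(Exception):
    """Raised by a simulated transport when no reply arrives in time."""


@dataclass
class RemoteServer:
    name: str
    send: Callable[[Dict[str, str]], str]  # returns a response code or raises Timeout
    retries: int = 3                        # assumed: attempts before failing over


@dataclass
class ProxyOutcome:
    response: Optional[str]                 # None: request dropped, NAS gets nothing
    trace: List[str] = field(default_factory=list)


def proxy_request(protocol: str, request: Dict[str, str],
                  servers: List[RemoteServer]) -> ProxyOutcome:
    """Walk the server list applying the failover rules described above."""
    valid = VALID_RESPONSES[protocol]
    out = ProxyOutcome(response=None)
    for server in servers:
        reply = None
        for attempt in range(1, server.retries + 1):
            try:
                reply = server.send(request)
                break                       # first reply, valid or not, ends retries
            except Timeout:
                out.trace.append(f"{server.name}: attempt {attempt} timed out")
        if reply is None:
            out.trace.append(f"{server.name}: no reply, failing over")
            continue
        if reply in valid:
            out.trace.append(f"{server.name}: valid {reply}, returned to NAS")
            out.response = reply
            return out
        out.trace.append(f"{server.name}: invalid reply {reply!r}, failing over")
    out.trace.append("list exhausted: request dropped, no response sent to NAS")
    return out


# Constructed transports standing in for remote servers.
def always_timeout(_request: Dict[str, str]) -> str:
    raise Timeout()


def garbled(_request: Dict[str, str]) -> str:
    return "Bogus-Code"                     # not in VALID_RESPONSES


def accept(_request: Dict[str, str]) -> str:
    return "Access-Accept"


def demo() -> ProxyOutcome:
    """Constructed scenario: first server silent, second garbled, third answers."""
    servers = [
        RemoteServer("rad1", always_timeout, retries=2),
        RemoteServer("rad2", garbled),
        RemoteServer("rad3", accept),
    ]
    return proxy_request("radius", {"User-Name": "smith"}, servers)


if __name__ == "__main__":
    for line in demo().trace:
        print(line)
```

The trace makes the operational point visible: a silent first server costs the full retry budget before failover, and if every server is silent or garbled the NAS receives nothing at all, so a NAS-side authentication timeout is the only signal that the whole proxy chain is down.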

You can configure ACS to strip the prefix, the suffix, or both from a username (RADIUS) or user (TACACS+). For example, from the username acme\smith@acme.com you can configure ACS to extract only the name of the user, smith, by specifying \ and @ as the prefix and suffix separators respectively.
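The stripping rule above, as an added example written for this page rather than Cisco ACS code. The page does not say where in the name each separator is matched, so this example assumes the prefix is cut at the first occurrence of its separator and the suffix at the last, that the prefix is removed first, that an absent separator leaves the name unchanged, and that a result that would be empty is rejected rather than forwarded; the sample names are constructed.

```python
from typing import List, Optional


def strip_username(name: str, prefix_sep: Optional[str] = None,
                   suffix_sep: Optional[str] = None) -> str:
    """Return the bare user name with the configured prefix and suffix removed.

    Separators are literal strings, not patterns. Assumptions (not stated
    on the page): prefix cut at the first prefix_sep, suffix cut at the last
    suffix_sep, prefix handled first, absent separator leaves name unchanged.
    """
    if prefix_sep:
        _, sep, rest = name.partition(prefix_sep)
        if sep:
            name = rest
    if suffix_sep:
        head, sep, _ = name.rpartition(suffix_sep)
        if sep:
            name = head
    if not name:
        # Assumption of this example: never forward an empty identity.
        raise ValueError("username is empty after stripping")
    return name


def strip_all(names: List[str], prefix_sep: Optional[str],
              suffix_sep: Optional[str]) -> List[str]:
    """Apply the same separators to a batch of constructed sample names."""
    return [strip_username(n, prefix_sep, suffix_sep) for n in names]


if __name__ == "__main__":
    # Constructed sample names showing each combination of prefix and suffix.
    for n in ["acme\\smith@acme.com", "smith@acme.com", "acme\\smith", "smith"]:
        print(n, "->", strip_username(n, "\\", "@"))
```

Note the identity collapse this implies: acme\smith and corp\smith both become smith after stripping, so enable it only when the remote server is the sole authority for the stripped namespace; otherwise one realm's user can be authenticated against another realm's account.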

ACS can perform local accounting, remote accounting, or both. If you choose both, ACS performs local accounting first and then remote accounting. Any errors in local accounting are ignored and do not prevent the remote accounting step.
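The three accounting modes and the ignore-local-errors rule, as an added example written for this page rather than Cisco ACS code. The local store, the remote sink and the accounting records are constructed; the page does not say what happens to a remote accounting failure, so this example lets it propagate to the caller, and it records ignored local errors in an audit list so that they do not vanish silently (both assumptions of the example).

```python
from typing import Callable, Dict, List, Tuple

AccountingRecord = Dict[str, str]
Writer = Callable[[AccountingRecord], None]


def perform_accounting(mode: str, record: AccountingRecord,
                       local_write: Writer, remote_forward: Writer) -> List[str]:
    """Run accounting in the configured mode and return audit notes.

    mode is "local", "remote" or "both". A local failure is recorded but
    never stops the remote step, as described above. A remote failure is
    not covered by the page; here it propagates (assumption).
    """
    if mode not in ("local", "remote", "both"):
        raise ValueError(f"unknown accounting mode {mode!r}")
    notes: List[str] = []
    if mode in ("local", "both"):
        try:
            local_write(record)
            notes.append("local accounting ok")
        except Exception as exc:            # ignored, but kept for the audit trail
            notes.append(f"local accounting error ignored: {exc}")
    if mode in ("remote", "both"):
        remote_forward(record)
        notes.append("remote accounting forwarded")
    return notes


class LocalStore:
    """Constructed local accounting log that rejects records without a session id."""

    def __init__(self) -> None:
        self.rows: List[AccountingRecord] = []

    def write(self, record: AccountingRecord) -> None:
        if "Acct-Session-Id" not in record:
            raise ValueError("missing Acct-Session-Id")
        self.rows.append(record)


def demo() -> Tuple[List[AccountingRecord], List[AccountingRecord], List[str]]:
    """Constructed run: one well-formed record, one the local store rejects."""
    local = LocalStore()
    remote: List[AccountingRecord] = []
    good = {"User-Name": "smith", "Acct-Session-Id": "0001", "Acct-Status-Type": "Start"}
    bad = {"User-Name": "smith", "Acct-Status-Type": "Stop"}   # constructed: no session id
    notes = perform_accounting("both", good, local.write, remote.append)
    notes += perform_accounting("both", bad, local.write, remote.append)
    return local.rows, remote, notes


if __name__ == "__main__":
    rows, forwarded, audit = demo()
    print(len(rows), "local rows;", len(forwarded), "forwarded;", audit)
```

The practical consequence of "ignores them" is that in both mode the remote server can hold records the local log never received; if the local log is what your incident responders consult, surface the ignored-error notes to monitoring rather than trusting the local log to be complete.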

 

 

User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 4-29