Chapter 4 Common Scenarios Using ACS

RADIUS and TACACS+ Proxy Requests

The TACACS+ proxy feature in ACS supports the following protocols:

PAP

ASCII

CHAP

MSCHAP authentication types

Related Topics

RADIUS and TACACS+ Proxy Requests, page 4-29

Supported RADIUS Attributes, page 4-31

Configuring Proxy Service, page 4-32

Supported RADIUS Attributes

The following supported RADIUS attributes are encrypted:

User-Password

CHAP-Password

Message-Authenticator

MPPE-Send-Key and MPPE-Recv-Key

Tunnel-Password

LEAP Session Key Cisco AV-Pair

TACACS+ Body Encryption

When ACS receives a packet from a NAS with an encrypted body (the TAC_PLUS_UNENCRYPTED_FLAG bit is 0x0), ACS decrypts the body using the data shared between the NAS and ACS, such as the shared secret and the session ID, and then encrypts the body with the data shared between ACS and the TACACS+ proxy server. If the packet body is in cleartext, ACS forwards it to the TACACS+ server in cleartext.
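As an added illustration (not code from the Cisco guide), the following shows the per-body re-keying the paragraph describes, using the RFC 8907 pad construction; the body, session ID and the two shared secrets are constructed sample values.

```python
import hashlib
import struct

# TACACS+ header flag bits (RFC 8907 section 4.1)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, length


def build_header(version, ptype, seq_no, flags, session_id, length):
    """Pack the 12-byte TACACS+ header."""
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, length)


def tacacs_pad(session_id, key, version, seq_no, length):
    """Pseudo-random pad of RFC 8907 section 4.5: chained MD5 over the
    session_id, shared secret, version and seq_no plus the previous digest."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call encrypts and decrypts."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def proxy_rekey(header, body, nas_secret, server_secret):
    """Proxy step per body: decrypt with the NAS secret, re-encrypt with the
    upstream server's secret. A cleartext body is forwarded unchanged."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, header)
    if length != len(body):
        raise ValueError("header length does not match body length")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    plain = obfuscate(body, session_id, nas_secret, version, seq_no)
    return obfuscate(plain, session_id, server_secret, version, seq_no)


if __name__ == "__main__":
    # Constructed sample values: a START body, a session ID and two secrets.
    body = b"\x01\x00\x01\x01\x04\x05\x00\x00user"
    sid, ver, seq = 0x1234ABCD, 0xC0, 1
    hdr = build_header(ver, 0x01, seq, 0, sid, len(body))
    from_nas = obfuscate(body, sid, b"nas-secret", ver, seq)
    to_server = proxy_rekey(hdr, from_nas, b"nas-secret", b"server-secret")
    assert obfuscate(to_server, sid, b"server-secret", ver, seq) == body
    print("re-keyed body:", to_server.hex())
```

Between the two obfuscate calls the proxy holds the body in cleartext, so the proxy host is a full trust point for both shared secrets.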

Connection to TACACS+ Server

ACS supports a single connection to another TACACS+ server (flag TAC_PLUS_SINGLE_CONNECT_FLAG is 1). If the remote TACACS+ server does not support multiplexing TACACS+ sessions over a single TCP connection, ACS opens and closes a connection for each session.

Related Topics

RADIUS and TACACS+ Proxy Requests, page 4-29

Supported Protocols, page 4-30

Configuring Proxy Service, page 4-32

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

4-31