3-5
User Guide for Cisco Secure Access Control Server
OL-9971-01
Chapter 3 Network Configuration
Proxy in Distributed Systems
continues, in order, down the list, until an AAA server handles the authentication request. (Failed
connections are detected by the failure of the nominated server to respond within a specified time period;
that is, the request times out.) If ACS cannot connect to any server in the list, authentication fails.

Character String

ACS forwards authentication requests by using a configurable set of characters with a delimiter, such as
periods (.), slashes (/), or hyphens (-). When configuring the ACS character string, you must specify
whether the character string is the prefix or the suffix. For example, you can use domain.us as a suffix
character string in username*domain.us, where the asterisk (*) represents any delimiter. An example of
a prefix character string is domain.*username, where the asterisk (*) would be used to detect the slash (/).

Stripping

Stripping allows ACS to remove, or strip, the matched character string from the username. When you
enable stripping, ACS examines each authentication request for matching information. When ACS finds
a match by character string in the Proxy Distribution Table, as described in the example under Proxy in
Distributed Systems, page 3-3, ACS strips off the character string if you have configured it to do so. For
example, in the following proxy example, the character string that accompanies the username establishes
the ability to forward the request to another AAA server. If the user must enter the user ID
mary@corporate.com to be forwarded correctly to the AAA server for authentication, ACS might find
a match on the @corporate.com character string and strip @corporate.com, leaving a username of
mary, which might be the username format that the destination AAA server requires to identify the
correct entry in its database.
Note
Realm stripping does not work with Extensible Authentication Protocol (EAP)-based authentication
protocols, such as Protected Extensible Authentication Protocol (PEAP) or Extensible Authentication
Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). For example, if you are using
Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol
(PEAP MSCHAP), authentication will fail if a realm is stripped by proxy.
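The character-string matching and stripping described in the two sections above, as an added example that is not part of this guide or of ACS itself: a small model of a Proxy Distribution Table that walks entries in order, matches a prefix or suffix character string (with * standing for any delimiter), strips it when configured to, and flags the case the Note warns about, where a stripping entry is applied to an EAP-based request. The table rows, server names and the exact delimiter set are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "*" in a character string stands for any delimiter. The guide lists period,
# slash and hyphen; "@" is added for the mary@corporate.com example. Treating
# exactly these four characters as delimiters is an assumption of this example.
DELIMITER_CLASS = r"[./@-]"

# Per the Note, realm stripping does not work with EAP-based protocols.
EAP_BASED = {"PEAP", "EAP-FAST"}


@dataclass(frozen=True)
class ProxyEntry:
    """One row of a constructed Proxy Distribution Table (not ACS's own format)."""
    char_string: str   # e.g. "@corporate.com", "*domain.us", "domain*"
    position: str      # "prefix" or "suffix"
    strip: bool        # remove the matched string before forwarding
    destination: str   # AAA server the request is forwarded to

    def pattern(self) -> "re.Pattern[str]":
        # Literal characters are escaped; each "*" becomes one delimiter character.
        body = "".join(DELIMITER_CLASS if c == "*" else re.escape(c) for c in self.char_string)
        if self.position == "suffix":
            return re.compile(rf"^(?P<user>.+){body}$")
        if self.position == "prefix":
            return re.compile(rf"^{body}(?P<user>.+)$")
        raise ValueError(f"unknown position {self.position!r}")


def route(username: str, table: List[ProxyEntry], protocol: str = "PAP",
          default: str = "local") -> Tuple[str, str, Optional[str]]:
    """Walk the table in order; the first matching entry wins.

    Returns (destination, username as forwarded, warning-or-None). Stripping is
    still applied for EAP-based protocols, because that is exactly the
    configuration the Note says causes the authentication to fail.
    """
    for entry in table:
        m = entry.pattern().match(username)
        if m is None:
            continue
        warning = None
        if entry.strip and protocol in EAP_BASED:
            warning = f"{protocol}: realm stripping is not supported; authentication will fail"
        forwarded = m.group("user") if entry.strip else username
        return entry.destination, forwarded, warning
    return default, username, None
```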
Remote Use of Accounting Packets

When proxy is employed, ACS can dispatch AAA accounting packets in one of three ways:

• Log them locally.
• Forward them to the destination AAA server.
• Log them locally and forward copies to the destination AAA server.

Sending accounting packets to the remote ACS offers several benefits.
When ACS is configured to send accounting packets to the remote AAA server, the remote
AAA server logs an entry in the accounting report for that session on the destination server. ACS
also caches the user connection information and adds an entry in the List Logged on Users report.
You can then view the information for users who are currently connected. Because the accounting
information is sent to the remote AAA server, even if the connection fails, you can view the Failed
Attempts report to troubleshoot the failed connection.