https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455430#M537532 <HTML><HEAD></HEAD><BODY><P>Not aware of way to ignore required field.&nbsp; Would be enhancement to become non-compliant!&nbsp; </P><P></P><P>Could be ugly, but how about proxying request back to ISE where strip out request and send back to ISE?&nbsp; On forward, the RADIUS source is now ISE, so can apply different policy accordingly.</P><P></P><P>Craig</P></BODY></HTML> Fri, 16 Sep 2016 19:11:06 GMT Craig Hyps 2016-09-16T19:11:06Z https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455429#M537529 <HTML><HEAD></HEAD><BODY><P>Hi Experts,</P><P>We are trying to integrate ISE with CA AuthMinder as a RADIUS Proxy Server. We can't use RADIUS Token Server due to a requirement to do username domain stripping which RADIUS Token Server doesn't support.</P><P>Our authentication attempts through ISE to AuthMinder were silently dropped, nothing in LiveLog.</P><P>Upon some investigation, we found that AuthMinder is responding with an Accept, but without any RADIUS attributes.</P><P>PRRT reports the following:</P><P>AcsLogs,2016-09-15 14:55:06,055,DEBUG,0x7f2f9584e700,cntx=0000091231,sesn=THC2EXTISE01/261438722/27,CPMSessionID=0a3440440000a00057da6fb5,user=000248933@lisa.lester,CallingStationID=107.77.199.79,Log_Message=[2016-09-15 14:55:06.054 +00:00 0000065725 11352 WARN&nbsp; <STRONG>RADIUS-Proxy: Response Proxy-State attribute validation failed</STRONG>, ConfigVersionId=188, Device IP Address=10.52.64.68, Device Port=65487, DestinationIPAddress=10.192.200.41, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=32, User-Name=000248933, NAS-IP-Address=10.52.64.68, NAS-Port=40960, Called-Station-ID=65.89.98.68, Calling-Station-ID=107.77.199.79, Proxy-State=FirstProxy=10.192.200.41, Proxy-State=Cisco Secure ACSb1d9c820-6a2a-11e6-c000-000000000000-139842593584896-16335, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 107.77.199.79, cisco-av-pair=audit-session-id=0a3440440000a00057da6fb5, cisco-av-pair=ip:source-ip=107.77.199.79, cisco-av-pair=coa-push=true, CVPN3000/ASA/PIX7x-Tunnel-Group-Name=SSLClient, CVPN3000/ASA/PIX7x-Client-Type=3, AcsSessionID=THC2EXTISE01/261438722/27, SelectedAccessService=AUTH_MDL_SEQUENCE, CPMSessionID=0a3440440000a00057da6fb5, Response={RadiusPacketType=AccessAccept; },],MessageFormatter.cpp:94</P><P></P><P>RFC for RADIUS at <A href="https://tools.ietf.org/html/rfc2865#page-53" title="https://tools.ietf.org/html/rfc2865#page-53">RFC 2865 - Remote Authentication Dial In User Service (RADIUS) </A>states:</P><P>This Attribute is available to be sent by a proxy server to</P><P>&nbsp; another server when forwarding an Access-Request and <STRONG>MUST be</STRONG></P><P><STRONG>&nbsp; returned unmodified</STRONG> in the Access-Accept, Access-Reject or</P><P>&nbsp; Access-Challenge.</P><P></P><P>It's clear that Auth Minder is non-Compliant here. Is there anything that can be enabled in ISE to ignore Proxy-State? </P><P>Can you think of some other clever way to strip the username? In the example above the username comes in as <SPAN style="font-size: 13.3333px;">000248933@lisa.lester and we only need to send <SPAN style="font-size: 13.3333px;">000248933 to AuthMinder</SPAN></SPAN></P><P></P><P>Thanks</P></BODY></HTML> Thu, 15 Sep 2016 15:27:11 GMT https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455429#M537529 vibobrov 2016-09-15T15:27:11Z https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455430#M537532 <HTML><HEAD></HEAD><BODY><P>Not aware of way to ignore required field.&nbsp; Would be enhancement to become non-compliant!&nbsp; </P><P></P><P>Could be ugly, but how about proxying request back to ISE where strip out request and send back to ISE?&nbsp; On forward, the RADIUS source is now ISE, so can apply different policy accordingly.</P><P></P><P>Craig</P></BODY></HTML> Fri, 16 Sep 2016 19:11:06 GMT https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455430#M537532 Craig Hyps 2016-09-16T19:11:06Z https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455431#M537535 <HTML><HEAD></HEAD><BODY><P>Thanks, Craig,</P><P>Yeah, i was thinking about our trusty looping technique, but it does get ugly.</P><P>We asked the customer to reach out to CA to see if they can make their product be RFC compliant.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 16 Sep 2016 23:59:25 GMT https://community.cisco.com/t5/network-access-control/proxy-state-requirement/m-p/3455431#M537535 vibobrov 2016-09-16T23:59:25Z