ACS 5.1 - RADIUS Proxy Accounting Logs

Recently I have been using ACS 5.1 to support external RADIUS servers, and read the manuals to proceed with the following workflow.

Install Linux RADIUS Service (this part was tested)

  1. Install FreeRADIUS Service
  2. Add new linux user account

Cisco ACS 5.1

  1. Add External RADIUS servers
    1. Network Resources -> External RADIUS Servers
    2. Add information.
  2. Add RADIUS Proxy Service
    1. Access Policies -> Access Services
    2. Create with User Selected Service Type , RADIUS Proxy
    3. Advanced Options -> Accounting
    4. Remote Accounting and Local Accounting enabled
    5. Access Policies -> Access Services -> Service Selection Rules
    6. Create #1 rule , Conditions : match Radius , Results : RADIUS Service
  3. Add Network Resources for accepting network
    1. Network Device Groups -> Network Devices and AAA Clients

Enable RADIUS Debug Messages

  1. System Administration > Configuration > Log Configuration > Logging Categories > Global > Edit: "RADIUS Diagnostics"
  2. Configure Log Category Log Severity: DEBUG

Add 3GPP VSA

[image: ACS.png]

Send out RADIUS Accounting Packet to ACS

[image: acc_chart.png]

[image: 3gpp_set2.png]

ACS got the packet, but didn't redirect it to the external RADIUS server.

I got this message from ACS 5.1:

[image: 3gpp_set3.png]

The other is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.

There are two problems.

1. RADIUS Accounting packets didn't redirect to the external server, but it works without proxy. (Auth is OK.)
2. Other attributes didn't collect all the information, even with debug enabled.
Cisco Employee

Hi Shang-Pin,

Looking through the logs, it appears as though your service selection rules are being matched correctly; however, ACS is getting an error message back when trying to send the request to the external RADIUS server.

Could you please confirm that the shared secret is correctly set between the two servers, and if you are seeing any corresponding error messages on your external server?

Thanks,

Steve.


Hi Steve,

The shared secret is 100% correct.

Finally I found out that there may be some whitelist for attributes.

If I keep NAS-Identifier, it will work.

But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and the RADIUS server.

The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).

When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.

The RADIUS server gets the message from the NAS.

Of course, there is the Proxy-State attribute.

In this condition, the ACS has incorrect output in the sub-attribute.

Now I'm trying 5.2 to see whether the problem exists or not.
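Added example (not part of the original thread, and not Cisco ACS or FreeRADIUS code): a self-contained Python script that builds a RADIUS Accounting-Request carrying 3GPP vendor-specific attributes (attribute 26, vendor ID 10415) and parses it under the two sub-attribute layouts that a 'Vendor Length Field Size' of 1 and of 0 are assumed here to select: type(1) length(1) value, the layout RFC 2865 recommends, versus type(1) value with no length byte and therefore one sub-attribute per VSA. It also computes and checks the RFC 2866 Request Authenticator, which is the check that fails when the shared secret differs between proxy and server. The vendor type numbers follow the 3GPP TS 29.061 dictionary (1 IMSI, 2 Charging-ID, 3 PDP-Type, 6 SGSN-Address); the IMSI, addresses, NAS identifier and shared secret are constructed sample values, and the mapping of the ACS setting onto exactly these two wire layouts is an assumption.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4
VENDOR_SPECIFIC = 26
NAS_IDENTIFIER = 32
ACCT_STATUS_TYPE = 40
VENDOR_3GPP = 10415            # 3GPP enterprise number used by TS 29.061 VSAs

# Constructed sample values (not from the thread): vendor types from the
# TS 29.061 dictionary, 3GPP-IMSI(1), 3GPP-Charging-ID(2), 3GPP-PDP-Type(3),
# 3GPP-SGSN-Address(6); the shared secret is a placeholder.
SECRET = b"testing123"
SUBATTRS = [(1, b"466920000000001"),
            (2, struct.pack("!I", 0x1234)),
            (3, struct.pack("!I", 0)),
            (6, bytes([10, 0, 0, 1]))]

def attr(atype, value):
    """One RADIUS attribute: type(1) length(1) value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vsa(vendor_id, subattrs, vendor_len_size):
    """Vendor-Specific attribute (26). vendor_len_size=1 packs each sub-attribute
    as type(1) length(1) value (RFC 2865 recommended layout); 0 packs it as
    type(1) value with no length byte, so one sub-attribute fills the VSA."""
    body = b""
    for vtype, value in subattrs:
        if vendor_len_size == 1:
            body += struct.pack("!BB", vtype, 2 + len(value)) + value
        else:
            body += struct.pack("!B", vtype) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + body)

def build_acct_request(ident, attrs, secret):
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def check_acct_authenticator(packet, secret):
    """True when the Request Authenticator was computed with this secret."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + body + secret).digest() == auth

def parse_attrs(body):
    """Yield (type, value); reject a length that would loop or overrun."""
    i = 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, body[i + 2:i + alen]
        i += alen

def parse_vsa(value, vendor_len_size):
    """Split a VSA value into (vendor_id, [(vendor_type, data), ...])."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    data = value[4:]
    if vendor_len_size == 0:
        return vendor_id, ([(data[0], data[1:])] if data else [])
    subs, i = [], 0
    while i + 2 <= len(data):
        vtype, vlen = data[i], data[i + 1]
        if vlen < 2 or i + vlen > len(data):
            break            # byte read as a length does not line up: stop here
        subs.append((vtype, data[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs

def decode_3gpp(packet, vendor_len_size):
    """{vendor_type: data} for every 3GPP sub-attribute the parser recovers."""
    found = {}
    for atype, value in parse_attrs(packet[20:]):
        if atype == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value, vendor_len_size)
            if vendor_id == VENDOR_3GPP:
                found.update(subs)
    return found

def sample_packet(wire_len_size):
    """Accounting-Request (Start) as a NAS using the given layout would send it:
    size 1 puts all four sub-attributes in one VSA, size 0 needs one VSA each."""
    if wire_len_size == 1:
        vsas = [vsa(VENDOR_3GPP, SUBATTRS, 1)]
    else:
        vsas = [vsa(VENDOR_3GPP, [sub], 0) for sub in SUBATTRS]
    attrs = [attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)),   # Acct-Status-Type = Start
             attr(NAS_IDENTIFIER, b"ggsn-1")] + vsas
    return build_acct_request(7, attrs, SECRET)

if __name__ == "__main__":
    for wire, cfg in ((1, 1), (0, 0), (1, 0), (0, 1)):
        seen = decode_3gpp(sample_packet(wire), cfg)
        print("NAS layout size=%d, parser size=%d -> vendor types seen: %s"
              % (wire, cfg, sorted(seen)))
    print("authenticator, right secret:", check_acct_authenticator(sample_packet(1), SECRET))
    print("authenticator, wrong secret:", check_acct_authenticator(sample_packet(1), b"wrong"))
```

Run it as a script. All four sub-attributes come back only when the NAS layout and the parser setting agree: a length-coded payload read with size 0 yields a single sub-attribute whose value has the length byte and the remaining sub-attributes glued on, and a length-less payload read with size 1 yields nothing, because the first data byte is taken as a length that does not fit. The authenticator check is the same comparison a RADIUS server makes before accepting an Accounting-Request, so a secret mismatch shows up there rather than in attribute handling.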