
ACS 5.1 - RADIUS Proxy Accounting Logs

dreamer_chen
Level 1

Recently I have been using ACS 5.1 to support external RADIUS servers, and I read the manuals to proceed with the following workflow.

Install Linux RADIUS Service (this part was tested)

  1. Install FreeRADIUS Service
  2. Add new linux user account

Cisco ACS 5.1

  1. Add External RADIUS servers
    1. Network Resources -> External RADIUS Servers
    2. Add information.
  2. Add RADIUS Proxy Service
    1. Access Policies -> Access Services
    2. Create with User Selected Service Type, RADIUS Proxy
    3. Advanced Options -> Accounting
    4. Remote Accounting and Local Accounting enabled
    5. Access Policies -> Access Services -> Service Selection Rules
    6. Create #1 rule, Conditions: match Radius, Results: RADIUS Service
  3. Add Network Resources for accepting network
    1. Network Device Groups -> Network Devices and AAA Clients

Enable RADIUS Debug Messages

  1. System Administration > Configuration > Log Configuration > Logging Categories > Global > Edit: "RADIUS Diagnostics"
  2. Configure Log Category Log Severity: DEBUG

Add 3GPP VSA

ACS.png

Send out RADIUS Accounting Packet to ACS

acc_chart.png

3gpp_set2.png

ACS got the packet, but didn't redirect it to the external RADIUS server

I got this message from ACS 5.1

3gpp_set3.png

The other one is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.

There are two problems.

  1. RADIUS Accounting packets weren't redirected to the external server, but it works without the proxy. (Auth is OK.)
  2. Other Attributes didn't collect all the information, even though debug is enabled.

slawford
Cisco Employee

Hi Shang-Pin,

Looking through the logs, it appears as though your service selection rules are being matched correctly; however, ACS is getting an error message back when trying to send the request to the external RADIUS server.

Could you please confirm that the shared secret is correctly set between the two servers, and whether you are seeing any corresponding error messages on your external server?

Thanks,

Steve.

Hi Steve,

The shared secret is 100% correct.

Finally I found out that there may be some whitelists for attributes.

If I keep NAS-Identifier, it will work.

But it can't pass all VSAs (3GPP sub-attributes); it only shows one or three in BOTH ACS and the RADIUS server.

The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit).

When 'Vendor Length Field Size' changes to 0, all sub-attributes pass through ACS.

The RADIUS Server gets the message from NSA.

Of course, there is the Proxy-State attribute.

In this condition, the ACS has incorrect output in the sub-attribute.

Now I am trying 5.2 to see whether the problem exists or not.
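
To compare what the NAS sent with what the external server received, the sketch below (an added example, not code from this thread or from Cisco) decodes Vendor-Specific attributes in the RFC 2865 layout and shows how the same bytes look to a parser that expects no vendor length octet. The sample packet, the helper names and the size-0 interpretation are assumptions; how ACS itself handles 'Vendor Length Field Size' is not documented in this thread.

```python
import struct

VENDOR_3GPP = 10415  # IANA enterprise number for 3GPP

def build_vsa(vendor_id, subattrs):
    """Pack (type, value) pairs into one Vendor-Specific attribute (type 26)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subattrs)
    return bytes([26, len(body) + 6]) + struct.pack("!I", vendor_id) + body

def parse_tlvs(data):
    """Walk type/length/value triples; length counts the two header octets."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated TLV header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for type {t}")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def parse_vsa(value, length_field_size=1):
    """Decode a type-26 value into (vendor_id, [(sub_type, sub_value), ...])."""
    if len(value) < 5:
        raise ValueError("VSA shorter than Vendor-Id plus one type octet")
    vendor_id, body = struct.unpack("!I", value[:4])[0], value[4:]
    if length_field_size == 0:
        # No length octet: everything after the first type octet is one value.
        return vendor_id, [(body[0], body[1:])]
    return vendor_id, parse_tlvs(body)

def vendor_subattrs(attr_area, vendor_id, length_field_size=1):
    """Collect sub-attributes of one vendor from a packet's attribute area."""
    found = []
    for atype, value in parse_tlvs(attr_area):
        if atype == 26:
            vid, subs = parse_vsa(value, length_field_size)
            if vid == vendor_id:
                found.extend(subs)
    return found

# Constructed sample: NAS-Identifier (32) plus one 3GPP VSA with three sub-attributes.
SUBS = [(1, b"001010123456789"), (2, b"\x00\x00\x00\x2a"), (3, b"\x00\x00\x00\x00")]
SAMPLE = bytes([32, 7]) + b"nas01" + build_vsa(VENDOR_3GPP, SUBS)

if __name__ == "__main__":
    for size in (1, 0):
        subs = vendor_subattrs(SAMPLE, VENDOR_3GPP, size)
        print(f"length field size {size}: {[(t, v.hex()) for t, v in subs]}")
```

Running the same decoder over the attribute area captured on each side of the proxy shows whether sub-attributes were dropped or merged into one opaque value.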