Showing results for 
Search instead for 
Did you mean: 

ACS 5.1 - RADIUS Proxy Accounting Logs

Level 1
Level 1

Recently I'm using ACS 5.1 to support external RADIUS Servers, and read the manauls to process with the following workflow.

Install Linux RADIUS Service (this part was tested)

  1. Install FreeRADIUS Service
  2. Add new linux user account

Cisco ACS 5.1

  1. Add External RADIUS servers
    1. Network Resources -> External RADIUS Servers
    2. Add informations.
  2. Add RADIUS Proxy Serivce
    1. Access Policies -> Access Services
    2. Create with User Selected Service Type , RADIUS Proxy
    3. Advanced Options -> Accounting
    4. Remote Accounting and Local Accounting enabled
    5. Access Policies -> Access Services -> Service Selection Rules
    6. Create #1 rule , Conditions : match Radius , Results : RADIUS Service
  3. Add Network Resources for accepting network
      1. Network Device Groups -> Network Devices and AAA Clients

    Enable RADIUS Debug Messages

    1. System Administration > Configuration > Log Configuration  > Logging Categories > Global > Edit: "RADIUS Diagnostics"
    2. Configure Log Category Log Severity : DEBUG

    Add 3GPP VSA


    Send out Radius Accounting Packet to ACS



    ACS got the Packet, but didn't redirect to External Radius Server

    I got this message from ACS 5.1


    Others is 'Failed to forward request to current remote RADIUS server; an invalid response was received.' in the iv.csv file.

    There are two problem.

    1. RADIUS Accounting Packets didn't redirect to external server, but it works without proxy. (Auth is ok.)
    2. Other Attributes didn't collect all informations, and even the debug is enabled.
    2 Replies 2

    Cisco Employee
    Cisco Employee

    Hi Shang-Pin,

    Looking through the logs, it appears as though your service selection rules are being matched correctly, however ACS is getting an error message back when trying to send the request to the external RADIUS server.

    Could you please confirm that the shared secret is correctly set between the two servers, and if you are seeing any corresponding error messages on your external server?



    Hi Steve,

    The shared secret is 100% correct.

    Finally I find out that there may be some white lists for attributes.

    If I keep NAS-Identifier , it will work.

    But it can't pass all VSA (3GPP sub-attributes) , it only shows one or three in BOTH ACS and RADIUS Server.

    The other is the RADIUS VSA User Define Options (which is in SA > C > D > P > RADIUS > RADIUS VSA > Edit ) .

    When 'Vendor Length Field Size' changes to 0 , All sub-attributes pass thought ACS .

    The RADIUS Server gets the message from NSA.

    Of course, there is the Proxy-State attribute.

    In this condition, the ACS has incorrect output in the sub-attribute.

    Now I try 5.2 to see the problem exist or not.