01-28-2011 10:53 AM - edited 03-10-2019 05:46 PM
I am new to ACS.
What I want to do is talk to another radius server (safeword) and authenticate users against it on a linux host using pam_radius.
What is the minimum steps to do this? (setup groups/policy/users) Using radtest, I can authenticate a local user but
I haven't got it to autthenticate anything using radius proxy.
It does not seem as easy as I think it should be.
01-28-2011 05:18 PM
Implementing Proxy Radius server:
ACS 5.1 can act as radius proxy server, it accepts the authentication, accounting, authorization request from the NAS and forwards it to external radius server. It accepts the failure or success results of the requests and sends back to NAS.
ACS can simultaneously act as a proxy server to multiple external RADIUS servers.
Steps to create proxy server:
Go to Network Resources > External RADIUS Servers> create > click the external radius server name and edit
Name----external radius server
Ip address: x.x.x.
Shared secret key: cisco123
Advance options:
Authentication port:1812
Acct port:1813
Server timeout: default is 5 sec (can vary from 1 to 120 sec)
Connection attempts: default is 3 (can vary from 1 to 10)
Go to access policy> create a new service using (User Selected Service Type—RADIUS Proxy) (don’t user predefined template) > Select the external RADIUS servers to be used for proxy and move them to the Selected External RADIUS Servers list.
Before you do above mentioned steps, please do verify that you can ping the external radius server through ACS 5.1
Go to launch monitoring and reports > connectivity > type in ip address of radius server and ping.
HTH
Regds,
Jatin
Do rate helpful posts~
02-01-2011 10:02 AM
Yes, I've done that before. What is missing is how do you
link a user to actually authenticate to that service? When
I define a "internal user" in the identiy store, it does not have an option to link to the
external radius service, it simply has a settings of a a password. I have access
to a 4.2 ACS, and you can plainly see that once the external store is defined you
can setup an individual user to use it. But on mine, it doesn't have any way to link it in.
Am I running a broken copy of the software? I can probably revert to 5.1.
02-01-2011 01:16 PM
02-01-2011 02:51 PM
Uggh. I just saw more docs and I realized that access policies drive everything, one doesn't put
the methods where they were previously, like in 4.2
Okay, let me read this to see if I can get it to work.
02-03-2011 09:18 AM
Finally got this to work. I did not have the Access Policies defined to use the Radius Proxy.
I'd wish examples were written to go start to finish from one type of authentication, through all
the changes that need to be made, start to finish. Like AD, proxy radius, secureid, etc. Or even
a summary report that states for host X and user Y, what policies and restrictions are in play. Like
for Host X, proxy radius and local auth are on and you have acess between hours A-B on day Z.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide