Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1070
Views
5
Helpful
2
Replies

Cisco ACS 5.3 - external proxy service user logs

andrewswanson
Level 7
Level 7

‎04-12-2012 05:45 AM - edited ‎03-10-2019 07:00 PM

Hello

We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:

  • Receive Authentication request from a wireless controller for a wireless user
  • If the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)
  • On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests)


The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.

  • ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)
  • The external proxy replies with an Access-Accept (with Username = someuser)
  • The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection Policy


Is there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?

Thanks
Andy

ps i don't have any control over the external proxy servers

Labels:
0 Helpful
2 Replies 2

andrewswanson
Level 7
Level 7

‎07-09-2012 03:53 AM

ACS 5.4 will log proxied authentication requests. So in the above scenario with ACS 5.4, the proxied user someuser@somewhere.com will appear in the RADIUS authentication logs - it will still appear in the accounting logs as 'someuser' but you can you can easily match the accounting and authentication records.

Currently with ACS 5.3, i use a FreeRADIUS box to rewrite the usernames of proxied requests in case they are modified in the reply:

        update proxy-reply {

              User-Name := "%{proxy-request:User-Name}"

      

I'll be able to do this with ACS if I could manipulate Inbound RADIUS attributes - ACS 5.4 can manipulate Outbound RADIUS attributes only - Inbound manipulation will hopefully be introduced in a later version.

cheers

andy

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to andrewswanson

‎04-16-2013 10:32 PM

Thanks Andy for coming back to comment on your own issue after about one year from the original post.

I hope others with same issue will find your comments useful.

+5 and keep up the good work.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Customers Also Viewed These Support Documents