[Cisco ISE] What is CACS?

david.ausl · ‎11-07-2014

Dear Sir,

Here is the operation>Authentication detail on my Cisco ISE:

Result

State ReauthSession:0a01010100077000545c5b8a

Class OU=VPN-USER2

Class CACS:0a01010100077000545c5b8a:psn/203756592/237

I searched many documents, but none of them could tell me what is the meaning of CACS.

In my authorization profile result, I only configured following:

Access Type = ACCESS_ACCEPT

Class = OU=VPN-USER2;

It seemed that the CACS was some kind of session code, auto-generated for machine processing.

(1)Hope somebody could help clarify “What is CACS”

(2) My colleague in network team concern CACS in auth response would lead to some unwanted result in ASA VPN authentication and assigning Gp policy to VPN user. To relive his concern, could we clear out the CACS from auth response?

Million thanks for your kind help.

david.ausl · ‎11-11-2014

Anyone could help?

nspasov · ‎11-12-2014

Hi David. I did some research but could not find much outside of this being a Cisco specific Radius attribute that is also used by ACS. With that being said, I don't think that this is something that you need to worry about. I don't think an ACS/ISE attribute can trigger a GP policy update on your endpoints. I have done many VPN deployments where the endpoints are authenticating against ISE or ACS and I have never had any problems nor I had the need to filter any attributes.

Feel free to reach out to Cisco TAC for more details as that is all I have :) Also, feel free to have your network team chime and provide more details with regards to their concerns. You can also test this with some test workstations and confirm weather or not you will see any undesirable results :)

I hope this helps!

Thank you for rating helpful posts!