11-29-2010 07:28 AM - edited 03-10-2019 05:37 PM
Hello!
Is it possible to have something similar to the ACS 4.2 proxy distribution table in ACS 5.2?
I need to authenticate my users with ACS against AD and let guests authenticate against external radius proxies.
In 4.2 I manage this with the proxy distribution table: the suffix @ourdomain points to my ACS and the rest goes to 2 proxy radius servers.
In 5.2 I can define a Service Selection Policy with Service Type "RADIUS Proxy" but I can't define a rule to test against a realm or username and based on this result authenticate locally or send it to the proxy radius servers.
Any idea how this can be done in 5.2?
Thanks,
Wolfgang
11-29-2010 07:58 AM
I think it can be done as follows, driven off the user-name in the RADIUS request:
1) Create definition of proxy RADIUS servers: Network Resources > External RADIUS Servers
2) Create proxy service: Access Policies > Access Services > Create:
User Selected Service Type should be "RADIUS Proxy" and select RADIUS server from option 1)
3) Create Custom conditions for user name attribute: Policy Elements > Session Conditions > Custom
Dictionary should be "RADIUS-IETF"
Attribute should be "User-Name"
4) Modify service selection policy.
Go to: Access Policies > Access Services > Service Selection Rules
Press "Customize" and select "User-Name" condition that was created in step 3). Press OK
Now add a rule to check the user name and forward to necessary proxy server
For example condition: "if User-Name ends-with @ourdomain"
result: Proxy service created in step 2)
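The first-match rule logic from step 4 can be checked offline before it is entered in ACS. The following is an added example, not part of the original reply and not ACS code; it models the setup from the question (`@ourdomain` handled locally, everything else proxied). The service names, the default rule and the `ignore_case` switch are assumptions made for the model.

```python
"""Offline model of a first-match service selection table keyed on User-Name."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    suffix: str   # compared with "ends-with", like the condition in step 4
    service: str  # access service selected when the rule matches


# Constructed rule table; service names are hypothetical, not ACS defaults.
RULES = [Rule("local-users", "@ourdomain", "AD-Authentication")]
DEFAULT_SERVICE = "Guest-RADIUS-Proxy"


def select_service(user_name, rules=RULES, default=DEFAULT_SERVICE,
                   ignore_case=True):
    """Return the service of the first rule whose suffix ends User-Name.

    ignore_case is a modelling assumption: check how the real policy engine
    compares strings and set it to match.
    """
    candidate = user_name.lower() if ignore_case else user_name
    for rule in rules:
        suffix = rule.suffix.lower() if ignore_case else rule.suffix
        if candidate.endswith(suffix):
            return rule.service
    return default  # no rule matched: realm-less and foreign names land here


def audit(samples, **kwargs):
    """Map each sample User-Name to its selected service for review."""
    return {name: select_service(name, **kwargs) for name in samples}


if __name__ == "__main__":
    # Constructed sample names covering the cases worth reviewing.
    samples = ["alice@ourdomain", "bob@partner.example", "carol",
               "dave@OURDOMAIN", "eve@notourdomain"]
    for name, service in audit(samples).items():
        print(f"{name:22} -> {service}")
    # A suffix without the "@" delimiter also matches look-alike realms.
    loose = [Rule("loose", "ourdomain", "AD-Authentication")]
    print(audit(["eve@notourdomain"], rules=loose))
```

Names without a realm and realms that merely end in the same letters are the cases to review: keeping the `@` in the suffix is what stops `eve@notourdomain` from being treated as a local user.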
11-30-2010 03:36 AM
Bingo!
This was the missing link. I was too much fixed on AD and hadn't taken a look at all the RADIUS attributes...
Thank you very much for the advice!