Product: CiscoSecure ACS 2.6 for Windows 2000/NT.
Problem 1:
It seems that we encountered a timeout problem...
Setup:
ACS configured with a distribution table to proxy certain requests to
another (RFC-compliant) RADIUS server (not ACS). If this server replies
within 2-3 seconds or so, all is OK. If it takes longer to process the
proxied request (e.g. backend database taking much longer than, say, 5
seconds), then the reply of the RADIUS server hits an ICMP port
unreachable when the RADIUS server tries to send the reply back to ACS
on the same UDP port that it received the packet from... Thus, the reply
never reaches back to ACS and the NAS times out and rejects the user...
It seems that ACS only listens for replies to proxied requests for a
mere 2-3 seconds, on the same UDP port that it sent it on in the first
place. We then tried to find a setting to correct this behaviour, but
failed miserably... Is there a way to configure this timeout when
proxying a request to a slower radiusd server?
Problem 2:
It seems that in any case, accounting packets forwarded to the same
RADIUS server based on a distribution list are rejected by it with an
error about invalid signature... Are proxied accounting packets
constructed by ACS in such a way that they don't pass certain
integrity/validity tests performed by RFC-compliant RADIUS servers? Has
anyone else seen this problem before?
Thanking you in advance,
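
Added example, not part of the original post and not Cisco's code: the Request Authenticator check that an RFC 2866 server applies to an Accounting-Request, which can be run against a captured proxied packet and the shared secret configured for the proxy hop. The secrets, attribute values and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code value for Accounting-Request (RFC 2866)

def acct_authenticator(packet: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:length] + secret).digest()

def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """The receiving server's check: recompute and compare the authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    return hmac.compare_digest(packet[4:20], acct_authenticator(packet, secret))

def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Assemble an Accounting-Request signed with the given hop's secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = acct_authenticator(header + b"\x00" * 16 + attrs, secret)
    return header + auth + attrs

def reproxy(packet: bytes, next_hop_secret: bytes) -> bytes:
    """Forward the same attributes, re-signed with the next hop's secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    return build_acct_request(packet[1], packet[20:length], next_hop_secret)

# Constructed sample data (hypothetical secrets and attribute values).
NAS_SECRET = b"nas-to-proxy-secret"
HOME_SECRET = b"proxy-to-home-secret"
ATTRS = b"\x01\x07alice" + b"\x28\x06\x00\x00\x00\x01"  # User-Name, Acct-Status-Type=Start
FROM_NAS = build_acct_request(7, ATTRS, NAS_SECRET)

if __name__ == "__main__":
    # A packet relayed with its original authenticator fails at the next hop,
    # because that server recomputes the hash with a different shared secret.
    print("NAS packet, NAS secret:      ", verify_acct_request(FROM_NAS, NAS_SECRET))
    print("NAS packet, next-hop secret: ", verify_acct_request(FROM_NAS, HOME_SECRET))
    resigned = reproxy(FROM_NAS, HOME_SECRET)
    print("re-signed, next-hop secret:  ", verify_acct_request(resigned, HOME_SECRET))
```

A capture that fails `verify_acct_request` with the secret the receiving server holds for the proxy points to either a secret mismatch on that hop or an authenticator that was not recomputed after forwarding.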