Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1371
Views
10
Helpful
0
Comments

Radius Proxy Analysis on ACS 5.3

edwjames
Level 3
Level 3

‎04-26-2013 01:19 PM - edited ‎02-21-2020 09:59 PM

     

     

    Introduction

    To clear the whole confusion of proxy, I did some research and a recreate of a Proxy scenario and was able to collect some data.

    Lab Setup

    Client-->radius authentication request(ACCESS REQUEST)-->ACS(Proxy sender)-->External Radius Sever(Proxy Receiver)

    Packet from Client to ACS

    Packet from 25.1(CLIENT) to ACS

    Capture1.JPG

    Packet from ACS to Radius Server

    Now, This is the same packet going from ACS to 65.5(radius Server)

    Capture2.JPG

    This shows that ACS does not interfere with the packet content, it proxies it as it is.

    Now about your next question, does ACS send back the packet to the client as it is also?

    Packet Capture Output

    I got a packet capture and here is the answer:

    Capture3.JPG

     

    25.1-client
25.5-ACS
65.5-External radius Server

    I got it on the same capture as I was using a VM interface.

    Radius Server Configuration

    This is what I configured on the radius server:

    Just for Testing I put in some random attributes:

    Capture4.JPG

    Packet capture - Radius to ACS

    This capture is what the radius server sent to the ACS:

    You can see those attributes coming back to the ACS from radius server.

    Filterid-29

    Class is hashed so you can’t see it exactly how it is.

    Service type-Administrative(value- 6)

    Capture5.JPG

    Packet capture - ACS to User

    Now here is what ACS sent back to the User:

    You can see that it stripped the proxy attribute as proxy ended on the ACS, it forwarded the rest of that packet as it is. 

    Capture6.JPG

    Access-Request

    In addition to this, Here are the logs from the External radius server:

    ACCESS-REQUEST:

    Client address [192.168.25.5]

NAS address [192.168.25.1]

UniqueID=7

Realm = (null)

User = test

Code = Access request

ID = 4

Length = 124

Authenticator = 0x8B1441D49975680D8C3ABC428667A18B

User-Name = test

User-Password = 0xA4E99FD5142C7CEE11E3494012A5ADD9

NAS-IP-Address = 192.168.25.1

Class = xx

Proxy-State = Cisco Secure ACSa24d1b92-fdd2-11e0-c000-000000000000-3058681568-4197 

    ACCESS-ACCEPT

    Client address [192.168.25.5]

NAS address [192.168.25.1]

UniqueID=8

Realm = def

User = test

Code = Access accept

ID = 4

Length = 0

Authenticator = 0x8B1441D49975680D8C3ABC428667A18B

Class = Hello

Filter-Id = "29"

Service-Type = Administrative

    So to summarize, as of now ACS does not log anything, you can check the hit count on the Access service to see whether the packet was received by the ACS, rest you can only capture it using a Sniffer or a simply observe logging on the radius server.

    Note: The behaviour has changed in ACS 5.4 and ISE:

    The proxy requests are logged in ACS view. However, The failure reasons are shown empty. 
In ISE, the failure reason is thrown as "Please review the logs on External server to determine the precise Failure reason.

    Reference

    User Guide for Cisco Secure Access Control System 5.3 - Managing Network Resources

    Please post comments if there are any queries and rate if useful.

    Labels:
    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Customers Also Viewed These Support Documents