Introduction
To clear up the whole confusion about proxy, I did some research, recreated a proxy scenario, and was able to collect some data.
Lab Setup
Client --> RADIUS authentication request (ACCESS REQUEST) --> ACS (Proxy sender) --> External RADIUS Server (Proxy Receiver)
Packet from Client to ACS
Packet from 25.1(CLIENT) to ACS
Packet from ACS to Radius Server
Now, this is the same packet going from ACS to 65.5 (RADIUS server).
This shows that ACS does not interfere with the packet content; it proxies it as it is.
Now, about your next question: does ACS also send the packet back to the client as it is?
Packet Capture Output
I got a packet capture and here is the answer:
25.1 - Client
25.5 - ACS
65.5 - External RADIUS server
I got it on the same capture as I was using a VM interface.
RADIUS Server Configuration
This is what I configured on the RADIUS server:
Just for testing, I put in some random attributes:
Packet capture - RADIUS to ACS
This capture is what the RADIUS server sent to the ACS:
You can see those attributes coming back to the ACS from the RADIUS server.
Filter-Id - 29
Class is hashed, so you can't see it exactly as it is.
Service-Type - Administrative (value 6)
Packet capture - ACS to User
Now here is what ACS sent back to the user:
You can see that it stripped the proxy attribute, as the proxy ended on the ACS; it forwarded the rest of that packet as it is.
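The reply handling described above, as an added example that is not part of the original document and is not ACS code: it follows what RFC 2865 section 2.3 specifies for a forwarding server, which verifies the reply from the external server, removes the Proxy-State it attached, and re-signs the Response Authenticator for the NAS. The shared secrets, the Proxy-State value and the Request Authenticator are constructed, the function names are hypothetical, and the same Identifier and Request Authenticator are assumed on both legs.

```python
import hashlib
import hmac
import struct

SERVICE_TYPE, FILTER_ID, CLASS, PROXY_STATE = 6, 11, 25, 33  # RFC 2865 types
ACCESS_ACCEPT = 2

def parse_attrs(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def sign(code, ident, request_auth, attrs, secret):
    """Reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    digest = hashlib.md5(build(code, ident, request_auth, attrs) + secret).digest()
    return build(code, ident, digest, attrs)

def proxy_reply(packet, request_auth, server_secret, nas_secret):
    """Reply handling on the forwarding server per RFC 2865 section 2.3."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    code, ident, attrs = packet[0], packet[1], parse_attrs(packet[20:])
    # 1. Check the reply was signed with the secret shared with the external server.
    expected = sign(code, ident, request_auth, attrs, server_secret)
    if not hmac.compare_digest(expected, packet):
        raise ValueError("Response Authenticator mismatch, discard")
    # 2. Remove the last Proxy-State (the one this proxy attached); keep the rest in order.
    last = max((i for i, a in enumerate(attrs) if a[0] == PROXY_STATE), default=None)
    kept = attrs if last is None else attrs[:last] + attrs[last + 1:]
    # 3. Re-sign with the secret shared with the NAS.
    return sign(code, ident, request_auth, kept, nas_secret)

# Constructed sample: the Access-Accept attributes shown on this page, plus a
# made-up Proxy-State, Request Authenticator and shared secrets.
REQ_AUTH = bytes(range(16))
SERVER_REPLY = sign(ACCESS_ACCEPT, 4, REQ_AUTH, [
    (CLASS, b"Hello"), (FILTER_ID, b"29"),
    (SERVICE_TYPE, struct.pack("!I", 6)), (PROXY_STATE, b"constructed-state")],
    b"server-secret")
TO_NAS = proxy_reply(SERVER_REPLY, REQ_AUTH, b"server-secret", b"nas-secret")
```

The attribute list reaches the NAS unchanged apart from Proxy-State, but the 16-byte authenticator differs between the two legs whenever the shared secrets differ, which matters when comparing the two captures byte for byte.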
Access-Request
In addition to this, here are the logs from the external RADIUS server:
ACCESS-REQUEST:
Client address [192.168.25.5]
NAS address [192.168.25.1]
UniqueID=7
Realm = (null)
User = test
Code = Access request
ID = 4
Length = 124
Authenticator = 0x8B1441D49975680D8C3ABC428667A18B
User-Name = test
User-Password = 0xA4E99FD5142C7CEE11E3494012A5ADD9
NAS-IP-Address = 192.168.25.1
Class = xx
Proxy-State = Cisco Secure ACSa24d1b92-fdd2-11e0-c000-000000000000-3058681568-4197
ACCESS-ACCEPT
Client address [192.168.25.5]
NAS address [192.168.25.1]
UniqueID=8
Realm = def
User = test
Code = Access accept
ID = 4
Length = 0
Authenticator = 0x8B1441D49975680D8C3ABC428667A18B
Class = Hello
Filter-Id = "29"
Service-Type = Administrative
So to summarize: as of now, ACS does not log anything. You can check the hit count on the Access Service to see whether the packet was received by the ACS; beyond that, you can only capture it using a sniffer or simply observe the logging on the RADIUS server.
Note: The behaviour has changed in ACS 5.4 and ISE:
The proxy requests are logged in ACS View. However, the failure reasons are shown empty.
In ISE, the failure reason is shown as "Please review the logs on External server to determine the precise Failure reason."
Reference
User Guide for Cisco Secure Access Control System 5.3 - Managing Network Resources