Does ACS include the NAS address in the payload?

Unanswered Question
Oct 12th, 2007

When ACS communicates with another authentication server (e.g. ACE), does it include the NAS or the user's address in the IP packet payload?

The reason for this question is that we want to use NAT between ACS and ACE. Obviously the NAT won't work if the real address is put in the payload.


Thanks in advance

Premdeep Banga Fri, 10/12/2007 - 06:03

If ACE is configured as an External Database on ACS, then ACS won't send the NAS IP to ACE.

The communication between ACS and ACE will be based on the RADIUS protocol, and ACS will be added as a RADIUS client on ACE.


If ACS is acting as a pure proxy RADIUS server and forwarding requests to ACE, then the payload will have the NAS.


How to configure a RADIUS Token Server as an External Database on ACS:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp356090


Regards,

Prem

darpotter Tue, 10/16/2007 - 00:05

The definitive answer is no - not for what you need.


External authentication to RSA doesn't include anything about the end-user except credentials.


RADIUS proxy does - but then you bypass ACS authentication & authorisation completely.
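
As an added example (not part of the thread and not Cisco code): a small RFC 2865 attribute parser that lists the address-bearing attributes in a RADIUS request, which NAT leaves untouched because it rewrites only the IP header. Both sample packets are constructed to mirror the two cases the replies describe; they are not captures from ACS or ACE, and the user name and address in them are placeholders.

```python
import ipaddress
import struct

# RADIUS attribute types that carry an IP address in the payload (RFC 2865, RFC 3162).
ADDRESS_ATTRS = {4: "NAS-IP-Address", 8: "Framed-IP-Address", 95: "NAS-IPv6-Address"}

def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def embedded_addresses(packet: bytes):
    """Return [(attribute name, address)] that a NAT device would not rewrite."""
    found = []
    for attr_type, value in parse_attributes(packet):
        name = ADDRESS_ATTRS.get(attr_type)
        if name and len(value) in (4, 16):
            found.append((name, str(ipaddress.ip_address(value))))
    return found

def build_request(attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: credentials only vs. a proxied request carrying the NAS address.
CREDENTIALS_ONLY = build_request([(1, b"alice"), (2, bytes(16))])
PROXIED = build_request([(1, b"alice"), (2, bytes(16)),
                         (4, ipaddress.ip_address("192.0.2.10").packed)])

if __name__ == "__main__":
    for label, pkt in (("external database", CREDENTIALS_ONLY), ("proxy", PROXIED)):
        print(label, embedded_addresses(pkt))
```

Running the same function over the UDP payload of a real capture taken on the ACS side of the NAT shows which of the two cases a given deployment is in.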
