ACS 4.2 Authenticating using Radius Server

Unanswered Question
Dec 10th, 2009
User Badges:


We would like to run the following scenario:

Cisco VPN client (or Any Connect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server

The CAT Authentication Server is a Radius Server.

How do we configure the Cisco ACS 4.2 to delegate the authentication query to another Radius Server.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kush.sri2001 Thu, 12/10/2009 - 20:34
User Badges:

Hi Arnnie,

The ACS can forward requests to another Radius server using the feature of "LEAP Proxy Radius Server". However this feature only supports MS-CHAP so the radius server must be configured to accept MS-CHAPv1 and v2 requests.

To configure LEAP Proxy Radius server, go to the ACS, go to External User Databases --> Database Configuration and select "LEAP Proxy Radius server".

Note: By default VPN authentication requests use the "PAP" protocol, to conver the requests in MS-CHAPv2, on the VPN concentrator we have to use "Radius-with Expiry" and on the ASA, go to the Tunnel group and issue the command "password-management".



arnneispeiser Fri, 12/11/2009 - 09:02
User Badges:

Hi Kush,

We have tried configuring RADIUS Token Server External User Database connector, but it didn’t work.

Maybe it’s because we already have Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have in the same time, both connectors: to Windows AD and to RADIUS Token Server External User Database (meaning CAT AS)?


Re: How 2 configure ACS 4.2 to delegate authentication to radius server


This Discussion

Related Content