We are currently using Cisco ACS 220.127.116.11.2. One of the Services Selection Policy it hosts is:
- Receive Authentication request from a wireless controller for a wireless user
- If the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)
- On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests)
The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
- ACS 5 proxies an Access-Request to an external proxy server (with Username = firstname.lastname@example.org)
- The external proxy replies with an Access-Accept (with Username = someuser)
- The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection Policy
Is there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
ps i don't have any control over the external proxy servers