The ACS can forward requests to another RADIUS server using the "LEAP Proxy Radius Server" feature. However, this feature only supports MS-CHAP, so the RADIUS server must be configured to accept MS-CHAPv1 and v2 requests.
To configure LEAP Proxy Radius server, go to the ACS, go to External User Databases --> Database Configuration and select "LEAP Proxy Radius server".
Note: By default, VPN authentication requests use the "PAP" protocol. To convert the requests to MS-CHAPv2, on the VPN concentrator we have to use "Radius-with Expiry", and on the ASA, go to the Tunnel group and issue the command "password-management".
We have tried configuring the RADIUS Token Server External User Database connector, but it didn’t work.
Maybe it’s because we already have a Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have both connectors at the same time: to Windows AD and to RADIUS Token Server External User Database (meaning CAT AS)?