Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS 4.2 Authenticating using Radius Server


We would like to run the following scenario:

Cisco VPN client (or Any Connect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server

The CAT Authentication Server is a Radius Server.

How do we configure the Cisco ACS 4.2 to delegate the authentication query to another Radius Server.


  • AAA Identity and NAC
Everyone's tags (3)
New Member

Re: ACS 4.2 Authenticating using Radius Server

Hi Arnnie,

The ACS can forward requests to another Radius server using the feature of "LEAP Proxy Radius Server". However this feature only supports MS-CHAP so the radius server must be configured to accept MS-CHAPv1 and v2 requests.

To configure LEAP Proxy Radius server, go to the ACS, go to External User Databases --> Database Configuration and select "LEAP Proxy Radius server".

Note: By default VPN authentication requests use the "PAP" protocol, to conver the requests in MS-CHAPv2, on the VPN concentrator we have to use "Radius-with Expiry" and on the ASA, go to the Tunnel group and issue the command "password-management".



New Member

Re: ACS 4.2 Authenticating using Radius Server

Hi Kush,

We have tried configuring RADIUS Token Server External User Database connector, but it didn’t work.

Maybe it’s because we already have Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have in the same time, both connectors: to Windows AD and to RADIUS Token Server External User Database (meaning CAT AS)?


Re: How 2 configure ACS 4.2 to delegate authentication to radius server

This widget could not be displayed.