07-03-2006 06:56 AM - edited 03-10-2019 02:38 PM
Hello,
We have the following topology.
NAS-->other vendor radius (proxy)-->ACS 4.0
Auth works fine, but we have problems with standard reports offered by ACS.
On passed auth report we need to see the original NAS IP address, attrib [04]. The third party radius (acting as proxy) sends the attrib as expected (we check it using sniffer captures on ACS).
What selection must we use to see this attrib on report?
Thanks
Juan
07-04-2006 08:28 AM
Ahhh. I see the problem.
The "Passed authentications" report uses the ACS internal dictionary (which handles both RADIUS & TACACS+).
When CSRadius writes an entry it's using the IP address of the AAA client (i.e. the peer address) as the value for NAS IP rather than the actual NAS-IP-Address attribute.
It was years ago that I coded that part and I can't remember why I chose to use the peer address instead of the nas-ip-address. I suspect it's because in the network config you add the peer (proxy) address and not the originating device. If the passed auths log had the originating device IP it wouldn't match the network config.
I think this can be fixed, ACS has an attribute called "Source NAS" which I think was added but never used. The CSRadius service could stuff the nas-ip-address there.
But of course I don't work for Cisco any more - so you'll have to ask them to make the change!
Darran
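An added example, not part of the original thread and not ACS code: a minimal RADIUS parser that records the UDP peer address alongside the NAS-IP-Address attribute (type 4), so a proxied request keeps its originating device in the log. The field names `peer`, `source_nas` and `proxied`, the addresses and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type 4 (RFC 2865)


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, value) pairs from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def log_record(peer_ip: str, packet: bytes) -> dict:
    """Build a log record holding both the peer and the originating NAS."""
    source_nas = None
    for a_type, value in parse_attributes(packet):
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            source_nas = str(ipaddress.IPv4Address(value))
    # "proxied" is true when attribute 4 names a device other than the sender.
    proxied = source_nas is not None and source_nas != peer_ip
    return {"peer": peer_ip, "source_nas": source_nas, "proxied": proxied}


# Constructed Access-Request: User-Name "juan", NAS-IP-Address 10.1.1.5,
# zeroed authenticator. Not a capture from the thread.
SAMPLE = (struct.pack("!BBH", 1, 1, 32) + bytes(16)
          + bytes([1, 6]) + b"juan"
          + bytes([4, 6, 10, 1, 1, 5]))

if __name__ == "__main__":
    # 192.0.2.10 stands in for the proxy's address as seen by the server.
    print(log_record("192.0.2.10", SAMPLE))
```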
07-05-2006 12:20 AM
Thank you very much for your answer...
I will try to solve it with our local system engineer.
thanks...
08-02-2006 02:56 AM
Hi again Darran,
Do you remember what Radius attribs are mapped to the report records?
Thanks
Juan