
ACS standard reports: Need to see attrib [04] "NAS-IP-Address"

j.docio
Level 1

Hello,

We have the following topology.

NAS-->other vendor radius (proxy)-->ACS 4.0

Auth works fine, but we have problems with standard reports offered by ACS.

On passed auth report we need to see the original NAS IP address, attrib [04]. The third party radius (acting as proxy) sends the attrib as expected (we check it using sniffer captures on ACS).

What selection must we use to see this attrib on report?

Thanks

Juan

Accepted Solutions

darpotter
Level 5

Ahhh. I see the problem.

The "Passed authentications" report uses the ACS internal dictionary (which handles both RADIUS & TACACS+).

When CSRadius writes an entry it's using the IP address of the AAA client (i.e. the peer address) as the value for NAS IP rather than the actual NAS-IP-Address attribute.

It was years ago that I coded that part and I can't remember why I chose to use the peer address instead of the nas-ip-address. I suspect it's because in the network config you add the peer (proxy) address and not the originating device. If the passed auths log had the originating device IP it wouldn't match the network config.

I think this can be fixed, ACS has an attribute called "Source NAS" which I think was added but never used. The CSRadius service could stuff the nas-ip-address there.

But of course I don't work for Cisco any more - so you'll have to ask them to make the change!

Darran
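
The difference the answer above describes, between the peer address of the packet and the NAS-IP-Address attribute [04] carried inside it, shown as an added example that is not part of the original post and is not ACS or CSRadius code. It parses a RADIUS packet in the RFC 2865 layout, as one would from a sniffer capture; the function names, the sample packet and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type 4 (RFC 2865)

def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute, validating lengths as it goes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    pos = 20  # attributes start after code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def nas_ip_address(packet: bytes):
    """Return attribute 4 as dotted quad, or None if the packet has none."""
    for a_type, value in radius_attributes(packet):
        if a_type == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None

def log_fields(peer_ip: str, packet: bytes) -> dict:
    """Record both addresses so a proxied request keeps its originating NAS."""
    origin = nas_ip_address(packet)
    return {"peer": peer_ip, "nas_ip_address": origin,
            "differs_from_peer": origin is not None and origin != peer_ip}

def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

# Constructed Access-Request: User-Name "user1", NAS-IP-Address 192.0.2.10.
_ATTRS = _attr(1, b"user1") + _attr(4, ipaddress.IPv4Address("192.0.2.10").packed)
SAMPLE = struct.pack("!BBH", 1, 1, 20 + len(_ATTRS)) + bytes(16) + _ATTRS

if __name__ == "__main__":
    # 198.51.100.5 stands in for the proxy that relayed the request.
    print(log_fields("198.51.100.5", SAMPLE))
```

A report built only from the `peer` field shows the proxy for every entry; keeping `nas_ip_address` alongside it preserves the originating device without breaking the match against the configured AAA client.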

Thank you very much for your answer...

I will try to solve it with our local system engineer.

thanks...

Hi again Darran,

Do you remember what Radius attribs are mapped to the report records?

Thanks

Juan
