Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS standard reports: Need to see attrib [04] "NAS-IP-Address"

Hello,

we have the following topology.

NAS-->other vendor radius (proxy)-->ACS 4.0

Auth works fine, but we have problems with standard reports offered by ACS.

On passed auth report we need to see the original NAS IP address, attrib [04]. The third party radius (acting as proxy) send the attrib as expected (we check it using sniffer captures on ACS).

what selection must we use to see this attrib on report?

thnks

Juan

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: ACS standard reports: Need to see attrib [04] "NAS-IP-Addres

ahhh. I see the problem.

The "Passed authenications" report uses the ACS internal dictionary (which handles both RADIUS & TACACS+).

When CSRadius writes an entry its using the ip address of the AAA client (ie the peer address) as the value for NAS IP rather than the actual NAS-IP-Address attribute.

It was years ago that I coded that part and I cant remember why I chose to use the peer address instead of the nas-ip-address. I suspect its because in the network config you add the peer (procy) address and not the originating device. If the passed auths log had the orginating device ip it wouldnt match the network config.

I think this can be fixed, ACS has an attribute called "Source NAS" which I think was added but never used. The CSRadius service could stuff the nas-ip-address there.

But of course I dont work for Cisco any more - so you'll have to ask them to make the change!

Darran

3 REPLIES
Silver

Re: ACS standard reports: Need to see attrib [04] "NAS-IP-Addres

ahhh. I see the problem.

The "Passed authenications" report uses the ACS internal dictionary (which handles both RADIUS & TACACS+).

When CSRadius writes an entry its using the ip address of the AAA client (ie the peer address) as the value for NAS IP rather than the actual NAS-IP-Address attribute.

It was years ago that I coded that part and I cant remember why I chose to use the peer address instead of the nas-ip-address. I suspect its because in the network config you add the peer (procy) address and not the originating device. If the passed auths log had the orginating device ip it wouldnt match the network config.

I think this can be fixed, ACS has an attribute called "Source NAS" which I think was added but never used. The CSRadius service could stuff the nas-ip-address there.

But of course I dont work for Cisco any more - so you'll have to ask them to make the change!

Darran

New Member

Re: ACS standard reports: Need to see attrib [04] "NAS-IP-Addres

Thank you very much for your answer...

I will try to solve it with our local system engineer.

thanks...

New Member

Re: ACS standard reports: Need to see attrib [04] "NAS-IP-Addres

Hi again Darran,

do you remember what Radius attribs are mapped to the report records?

Thanks

Juan

281
Views
0
Helpful
3
Replies