I searched many documents, but none of them could tell me what the meaning of CACS is.
In my authorization profile result, I only configured the following:
Access Type = ACCESS_ACCEPT
Class = OU=VPN-USER2;
It seemed that the CACS was some kind of session code, auto-generated for machine processing.
(1) Hope somebody could help clarify "What is CACS".
(2) My colleague in the network team is concerned that CACS in the auth response would lead to some unwanted result in ASA VPN authentication and in assigning Gp policy to the VPN user. To relieve his concern, could we clear out the CACS from the auth response?
Hi David. I did some research but could not find much outside of this being a Cisco-specific RADIUS attribute that is also used by ACS. With that being said, I don't think that this is something that you need to worry about. I don't think an ACS/ISE attribute can trigger a GP policy update on your endpoints. I have done many VPN deployments where the endpoints are authenticating against ISE or ACS and I have never had any problems, nor have I had the need to filter any attributes.
Feel free to reach out to Cisco TAC for more details as that is all I have :) Also, feel free to have your network team chime in and provide more details with regard to their concerns. You can also test this with some test workstations and confirm whether or not you will see any undesirable results :)