Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dazed and confuzed!

Has anyone tried to use the ACS as a RADIUS proxy to a OTP system with an AD user database on backend?

This is so confusing i'm not even sure how to ask the right question.

I'm trying to setup a centralised SSL VPN with multiple domains and it works fine if i'm using pure RADIUS but it breaks when the OTP is introduced.

The really badly written OTP system says it's RADIUS compliant but it doesn't understand or like RADIUS class attributes except the username.

I need the AD group name returned to the VPN so I can allocate VPN groups. I'm having to find a workaround and it's driving me crazy. I know nothing about AD and LDAP or how to set it up on ACS or that I even need to.

anyone have a clue?

  • AAA Identity and NAC

Re: Dazed and confuzed!

This is probably "pushing the envelope".. in fact Im not sure its possible.

Parts are possible.. for example you can (in ACS) map AD groups to ACS groups. In each ACS group you can stick the AD group name into something the VPN server might look at. There's probably a VSA for it. However, this doesnt scale if you have more than a few groups.

ACS will not support authentication to an OTP server and authorisation from somewhere else (eg AD) has to do both in the same place.

Not sure I can help on the RADIUS proxy part - is that ACS proxy or another product?


New Member

Re: Dazed and confuzed!

Using Network Access Profiles you can possibly send authentication requests to different databases for the same ACS user, however, once the authentication database is selected, choice of group mapping is limited to that database (AD or OTP).

It is also possible in network device aaa configuration to send authentication requests and authorization requests to different servers, example, when using machine authentication in a MS AD environment, machine authentication requests can be sent to MS IAS whereas user authenticaiton requests are sent to ACS.

It will be helpful to know if your OTP has its own RADIUS server or what OTP system you are using.