Cisco Support Community

New Member

feature "Proxy Distribution Table" in ACS 5.2?

Hello!

Is it possible to have something similar to the ACS 4.2 proxy distribution table in ACS 5.2?

I need to authenticate my users with ACS against AD and let guests authenticate against external radius proxies.

In 4.2 I manage this with the proxy distribution table: the suffix @ourdomain points to my ACS and the rest goes to 2 proxy radius servers.

In 5.2 I can define a Service Selection Policy with Service Type "RADIUS Proxy" but I can't define a rule to test against a realm or username and based on this result authenticate locally or send it to the proxy radius servers.

Any idea how this can be done in 5.2?

Thanks,

Wolfgang

Accepted Solutions
Cisco Employee

Re: feature "Proxy Distribution Table" in ACS 5.2?

I think this can be done as follows, driven off the user-name in the RADIUS request:

1) Create definition of proxy RADIUS servers: Network Resources > External RADIUS Servers

2) Create proxy service: Access Policies > Access Services > Create:

User Selected Service Type should be "RADIUS Proxy" and select RADIUS server from option 1)

3) Create Custom conditions for user name attribute: Policy Elements > Session Conditions > Custom

Dictionary should be "RADIUS-IETF"

Attribute should be "User-Name"

4) Modify service selection policy.

Go to: Access Policies > Access Services > Service Selection Rules

Press "Customize" and select "User-Name" condition that was created in step 3). Press OK

Now add a rule to check the user name and forward to the necessary proxy server

For example condition: "if User-Name ends-with @ourdomain "

                    result:  Proxy service created in step 2)
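
A dry run of a User-Name suffix rule like the one in step 4, as an added example (not part of the original reply and not Cisco code). It models the routing the question describes; the service names, the first-match evaluation and the case-sensitive comparison are assumptions of the model, and the user names are constructed test values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    suffix: str    # value of the "User-Name ends-with" condition
    service: str   # access service returned when the rule matches

# Hypothetical service names; the routing follows the question:
# "@ourdomain" is handled locally, everything else goes to the proxy service.
RULES = [Rule("local-users", "@ourdomain", "Local-AD-Access")]
DEFAULT_SERVICE = "Guest-RADIUS-Proxy"

def select_service(user_name, rules=RULES, default=DEFAULT_SERVICE):
    """Return the service of the first rule whose suffix matches, else the default.

    Assumption of this model: rules are tried top-down, first match wins,
    and the comparison is an exact, case-sensitive string suffix test.
    """
    for rule in rules:
        if user_name.endswith(rule.suffix):
            return rule.service
    return default

def dry_run(user_names, rules=RULES, default=DEFAULT_SERVICE):
    """Map each constructed test name to the service the model selects."""
    return {u: select_service(u, rules, default) for u in user_names}

# Constructed test names covering the cases worth replaying against the real policy.
SAMPLES = [
    "alice@ourdomain",              # intended local user
    "guest1@partner.example",       # intended guest
    "bob",                          # no realm at all
    "carol@ourdomain.example",      # longer realm: suffix does not match
    "dave@notourdomain",            # different realm sharing the tail
    "Erin@OURDOMAIN",               # case differs from the rule value
    "x@partner.example@ourdomain",  # two '@': only the tail is tested
]

if __name__ == "__main__":
    for user, service in dry_run(SAMPLES).items():
        print(f"{user:30} -> {service}")
    # Same check with the '@' left out of the rule value.
    loose = [Rule("local-users", "ourdomain", "Local-AD-Access")]
    print("dave@notourdomain ->", select_service("dave@notourdomain", loose))
```

Replaying the same names against the ACS with a RADIUS test client shows whether the real ends-with condition behaves like this model, in particular for case differences and for names containing two '@'.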

New Member

Re: feature "Proxy Distribution Table" in ACS 5.2?

Bingo!

This was the missing link. I was too much fixed on AD and haven't taken a look at all the radius attributes...

Thank you very much for the advice!
