Problem with radius proxy from an ACS v3.0 to v3.1 server

admin_2
Level 3

- A firewall bound to the internet sends all radius requests to a Cisco ACS 3.0

- When a username has @.... it gets forwarded to an ACS v3.1

- The 3.0 ACS has the Cisco 3.1 server in the proxy table with suffix @...

- The 3.1 ACS is defined as an AAA server on the Cisco v3.0 server

- The 3.0 ACS is defined as an AAA client on the ACS 3.1 server

- All shared secrets are the same

- The 3.1 ACS accepts the AAA client 3.0 ACS with a radius test program

- The accounts on the 3.0 ACS are correctly verified for internet users

- The accounts on the 3.1 ACS are not correctly verified for internet users

- The accounts on the 3.1 ACS work correctly for dial-in users

The problem is that the ACS 3.0 doesn't forward the radius requests to the 3.1 ACS

2 Replies

gfullage
Cisco Employee

Do you see anything in the Failed Attempts or Passed Authentications logs in either server, especially the v3.1 one?

Is the AAA Server defined as a CSNT server, and traffic is defined as inbound/outbound? Are you stripping the domain name off before you send the request off, or is the username left the same? Can you actually check with a Sniffer to see if anything is being sent from the v3.0 server to the v3.1 server?
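An added illustration (not part of gfullage's reply, and not ACS code): a minimal RADIUS Access-Request parser that applies the suffix-based proxy decision the thread describes, with the "strip the domain" option gfullage asks about. The header and attribute layout follow RFC 2865; the proxy table, the target name and the packet itself are constructed for the example.

```python
import struct

RADIUS_USER_NAME = 1  # User-Name attribute type (RFC 2865)


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS packet into code, identifier and {attr_type: [values]}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    attrs = {}
    pos = 20  # skip Code, Identifier, Length and the 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute TLV")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def route_request(packet: bytes, proxy_table: dict, strip_suffix: bool = False):
    """Suffix-based proxy decision: returns (target, username_to_forward).
    A target of None means the request is authenticated locally."""
    info = parse_radius(packet)
    names = info["attrs"].get(RADIUS_USER_NAME)
    if not names:
        return None, None  # no User-Name: nothing to match a suffix against
    username = names[0].decode("utf-8", errors="replace")
    for suffix, target in proxy_table.items():
        if username.lower().endswith(suffix.lower()):
            forwarded = username[:-len(suffix)] if strip_suffix else username
            return target, forwarded
    return None, username


def build_access_request(ident: int, username: str, authenticator: bytes = b"\x00" * 16) -> bytes:
    """Constructed Access-Request (code 1) carrying only User-Name, for exercising the parser."""
    name = username.encode()
    attr = bytes([RADIUS_USER_NAME, 2 + len(name)]) + name
    body = authenticator + attr
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


PROXY_TABLE = {"@remote.example": "acs-3.1"}  # constructed proxy distribution table

if __name__ == "__main__":
    pkt = build_access_request(7, "alice@remote.example")
    print(route_request(pkt, PROXY_TABLE, strip_suffix=True))
```

Capturing the forwarded packet on both hosts (as the reply suggests) and feeding it to a parser like this shows whether the proxy decision and the stripped or unstripped User-Name are what each server expects.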

Hello, I'm having the same symptoms as the one that was described. I have a 3.1 server on 2000 server and a 3.0 server on NT. Everything matches the descriptions, and I put a windump on each machine to see if any of them receives traffic from the other. The answer is no. Users belonging to the local database of each of the ACSs are able to authenticate, but users belonging to the other one aren't.

What do you mean by CSNT?

Has anyone found a workaround?

Thank you

Gustavo