03-06-2003 05:02 AM - edited 03-10-2019 07:10 AM
- A firewall bound to the internet sends all radius requests to a Cisco ACS 3.0
- When a username has @.... it gets forwarded to an ACS v3.1
- The 3.0 ACS has the cisco 3.1 server in the proxy table with suffix @...
- The 3.1 ACS is defined as an AAA server on the Cisco v3.0 server
- The 3.0 ACS is defined as an AAA client on the ACS 3.1 server
- All shared secrets are the same
- The 3.1 ACS accepts the AAA client 3.0 ACS with a radius test program
- The accounts on the 3.0 ACS are correctly verified for internet users
- The accounts on the 3.1 ACS are not correctly verified for internet users
- The accounts on the 3.1 ACS work correctly for dial-in users
The problem is that the ACS 3.0 doesn't forward the radius requests to the 3.1 ACS
03-10-2003 08:49 PM
Do you see anything in the Failed Attempts or Passed Authentications logs in either server, especially the v3.1 one?
Is the AAA Server defined as a CSNT server, and is traffic defined as inbound/outbound? Are you stripping the domain name off before you send the request off, or is the username left the same? Can you actually check with a Sniffer to see if anything is being sent from the v3.0 server to the v3.1 server?
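The setup in the first post (suffix-matched usernames proxied from the v3.0 ACS to the v3.1 ACS) and the questions in the reply above (is the domain being stripped, and does a request actually leave the v3.0 box) can both be exercised offline with a small script. The following is an added example, not code from this thread or from Cisco ACS: it models the proxy distribution decision (suffix match plus the strip option) and then builds the RFC 2865 Access-Request that the proxying server would send as a RADIUS client, with the PAP password hiding and the Response Authenticator check that fails when the two servers' shared secrets differ. The suffix `@remote.example`, the server name `acs31.example`, the secret `shared` and the NAS address are constructed assumptions.

```python
import hashlib
import os
import struct

# Constructed proxy distribution table in the spirit of the thread's setup:
# requests whose username carries the suffix go to the v3.1 server, everything
# else is handled by the local database. Names and secret are assumptions.
PROXY_TABLE = [
    {"match": "@remote.example", "position": "suffix",
     "target": "acs31.example", "strip": True},
]
LOCAL = "local"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def route_request(username, table=PROXY_TABLE):
    """Return (target, username_to_forward). 'strip' removes the matched
    string, like the ACS strip option; otherwise the name is sent unchanged."""
    for entry in table:
        m = entry["match"]
        if entry["position"] == "suffix" and username.endswith(m):
            return entry["target"], (username[:-len(m)] if entry["strip"] else username)
        if entry["position"] == "prefix" and username.startswith(m):
            return entry["target"], (username[len(m):] if entry["strip"] else username)
    return LOCAL, username


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple (at least 16 bytes) and
    XOR each block with MD5(secret + previous ciphertext block)."""
    pw = password.encode()
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_decrypt(encrypted, secret, authenticator):
    """Inverse of pap_encrypt; the same calculation the server performs."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode()


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Build the Access-Request the proxying ACS sends on as a RADIUS client.
    Returns (packet, request_authenticator); keep the authenticator to check the reply."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def build_access_accept(identifier, request_authenticator, secret, attrs=b""):
    """What a correctly configured server answers; used here to exercise verify_response."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """RFC 2865 section 3 Response Authenticator check. A reply produced with a
    different shared secret (the classic proxy misconfiguration) fails here."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def parse_attributes(packet):
    """Minimal TLV walk over the attribute section; returns {type: raw value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Running `route_request` on a suffixed name shows exactly what username the v3.1 server should expect to see in its Failed Attempts or Passed Authentications log (stripped or not), and `build_access_request` produces the datagram that should appear in a sniffer capture on the RADIUS UDP port between the two hosts; if a reply comes back but `verify_response` rejects it, the shared secret configured for the v3.0 ACS as an AAA client on the v3.1 server is the first thing to re-check.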
04-03-2003 11:40 AM
Hello, I'm having the same symptoms as the one that was described. I have a 3.1 server on 2000 server and a 3.0 server on NT. Everything matches the descriptions, and I put a windump on each machine to see if any of them receives traffic from the other. The answer is no. Users belonging to the local database of each of the ACSs are able to authenticate, but users belonging to the other one aren't.
What do you mean by CSNT?
Has anyone found a workaround?
Thank you
Gustavo