
New Member

Problem with radius proxy from an ACS v3.0 to v3.1 server

- A firewall bound to the internet sends all radius requests to a Cisco ACS 3.0

- When a username contains @..., it gets forwarded to an ACS v3.1

- The 3.0 ACS has the cisco 3.1 server in the proxy table with suffix @...

- The 3.1 ACS is defined as an AAA server on the Cisco v3.0 server

- The 3.0 ACS is defined as an AAA client on the ACS 3.1 server

- All shared secrets are the same

- The 3.1 ACS accepts the AAA client 3.0 ACS with a radius test program

- The accounts on the 3.0 ACS are correctly verified for internet users

- The accounts on the 3.1 ACS are not correctly verified for internet users

- The accounts on the 3.1 ACS work correctly for dial-in users

The problem is that the ACS 3.0 doesn't forward the radius requests to the 3.1 ACS.

Cisco Employee

Re: Problem with radius proxy from an ACS v3.0 to v3.1 server

Do you see anything in the Failed Attempts or Passed Authentications logs in either server, especially the v3.1 one?

Is the AAA Server defined as a CSNT server, and traffic is defined as inbound/outbound? Are you stripping the domain name off before you send the request off, or is the username left the same? Can you actually check with a Sniffer to see if anything is being sent from the v3.0 server to the v3.1 server?
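One way to check, offline, what a captured Access-Request would do under a suffix-based proxy table, along the lines of the sniffer check suggested above. This is an added example, not code from the thread or from Cisco ACS; the proxy table layout, the server name `acs31`, the suffix `@corp.example` and the fixed authenticator are constructed assumptions.

```python
import struct

# RADIUS header: code(1) id(1) length(2) authenticator(16); then TLV attributes.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1

def build_access_request(username: str, ident: int = 7) -> bytes:
    """Build a minimal Access-Request carrying only User-Name (constructed
    sample packet; the authenticator is a fixed constant, not a real nonce)."""
    name = username.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    authenticator = b"\x11" * 16  # constructed placeholder
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list as a proxy would; reject inconsistent lengths
    rather than trusting them, since a bad length is a common parser trap."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def route_request(packet: bytes, proxy_table: dict) -> tuple:
    """Apply an ACS-style suffix proxy table to the User-Name.
    proxy_table maps '@suffix' -> (remote_server, strip_suffix); strip_suffix
    models the 'strip the domain before forwarding' setting asked about above.
    Returns (server, username_as_forwarded); 'local' means no proxy match."""
    username = parse_attributes(packet).get(ATTR_USER_NAME, b"").decode()
    at = username.rfind("@")
    suffix = username[at:] if at != -1 else ""
    if suffix in proxy_table:
        server, strip = proxy_table[suffix]
        return server, (username[:at] if strip else username)
    return "local", username
```

Feeding the User-Name seen in a capture through `route_request` shows whether the proxy table should have matched and, if so, which name the remote server would receive.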

New Member

Re: Problem with radius proxy from an ACS v3.0 to v3.1 server

Hello, I'm having the same symptoms as the ones that were described. I have a 3.1 server on 2000 server and a 3.0 server on NT. Everything matches the descriptions, and I put a windump on each machine to see if any of them receives traffic from the other. The answer is no. Users belonging to the local database of each of the ACSs are able to authenticate, but users belonging to the other one aren't.

What do you mean by CSNT?

Has anyone found a workaround?

Thank you

Gustavo
