Problems with ACS like Proxy

Product: CiscoSecure ACS 2.6 for Windows 2000/NT.

Problem 1:

It seems that we encountered a timeout problem...

ACS is configured with a distribution table to proxy certain requests to another (RFC-compliant) RADIUS server (not ACS). If this server replies within 2-3 seconds or so, all is OK. If it takes longer to process the proxied request (e.g. the backend database taking much longer than, say, 5 seconds), then the reply of the RADIUS server hits an ICMP port unreachable when the RADIUS server tries to send the reply back to ACS on the same UDP port that it received the packet from... Thus, the reply never reaches ACS, and the NAS times out and rejects the user...

It seems that ACS only listens for replies to proxied requests for a mere 2-3 seconds, on the same UDP port that it sent them on in the first place. We then tried to find a setting to correct this behaviour, but failed miserably... Is there a way to configure this timeout when proxying a request to a slower radiusd server?

Problem 2:

It seems that in any case, accounting packets forwarded to the same RADIUS server based on a distribution list are rejected by it with an error about an invalid signature... Are proxied accounting packets constructed by ACS in such a way that they don't pass certain integrity/validity tests performed by RFC-compliant RADIUS servers? Has anyone else seen this problem before?

Thanking you in advance,
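The "invalid signature" check in Problem 2 is the Request Authenticator test that RFC 2866 requires a server to run on every Accounting-Request: an MD5 over the packet and the shared secret of the hop it arrived from, which a proxy must recompute with the secret it shares with the next server. The following is an added illustration of that check, not ACS code and not a statement of what ACS actually does; the secrets, attributes and packet contents are constructed samples.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)

# Constructed sample secrets: one shared by NAS and proxy, another by proxy and backend.
NAS_SECRET = b"nas-secret"
BACKEND_SECRET = b"backend-secret"


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def accounting_authenticator(identifier, attributes, secret):
    """RFC 2866 Request Authenticator: MD5 over the header with 16 zero
    octets in the authenticator field, the attributes, and the shared secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    return hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()


def build_accounting_request(identifier, attributes, secret):
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    return header + accounting_authenticator(identifier, attributes, secret) + attributes


def verify_accounting_request(packet, secret):
    """Receiver-side check: does the authenticator match under *our* shared secret?"""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_authenticator(identifier, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def reauthenticate_for_next_hop(packet, next_hop_secret):
    """What an RFC-compliant proxy does before forwarding: keep the attributes,
    recompute the authenticator with the secret shared with the next server."""
    _, identifier, _ = struct.unpack("!BBH", packet[:4])
    return build_accounting_request(identifier, packet[20:], next_hop_secret)


# Constructed Accounting-Request as a NAS would send it to the proxy.
PKT_FROM_NAS = build_accounting_request(7, encode_attributes([
    (1, b"alice"),                  # User-Name
    (40, struct.pack("!I", 1)),     # Acct-Status-Type = Start
    (44, b"00000001"),              # Acct-Session-Id
]), NAS_SECRET)
```

Verifying PKT_FROM_NAS under BACKEND_SECRET fails exactly as the backend in Problem 2 reports, while the packet returned by reauthenticate_for_next_hop passes; comparing the two is a quick way to tell a proxy that forwards the NAS authenticator unchanged from one that re-signs for the next hop.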

Re: Problems with ACS like Proxy

I think ACS does not have a parameter to change the RADIUS timeout, but you can change it on the NAS that is served by the ACS.

If a Cisco router is used as the NAS, you can configure this value using the command

radius-server timeout 10

