Cisco Support Community

Radius Proxy Analysis on ACS 5.3




    To clear up the confusion about proxying, I did some research, recreated a proxy scenario, and was able to collect some data.

    Lab Setup

    Client --> RADIUS authentication request (Access-Request) --> ACS (proxy sender) --> External RADIUS Server (proxy receiver)

    Packet from Client to ACS

    Packet from 25.1 (client) to ACS


    Packet from ACS to Radius Server

    Now, this is the same packet going from ACS to 65.5 (the RADIUS server):


    This shows that ACS does not alter the packet content; it proxies the packet as it is.

    Now to your next question: does ACS also send the packet back to the client as it is?

    Packet Capture Output

    I got a packet capture and here is the answer:



    65.5 - external RADIUS server

    I got it in the same capture, as I was using a VM interface.

    Radius Server Configuration

    This is what I configured on the RADIUS server:

    Just for testing, I put in some random attributes:


    Packet capture - Radius to ACS

    This capture is what the RADIUS server sent to the ACS:

    You can see those attributes coming back to the ACS from the RADIUS server.


    Class is hashed, so you can't see it exactly as it is.

    Service-Type = Administrative (value 6)


    Packet capture - ACS to User

    Now here is what ACS sent back to the user:

    You can see that it stripped the Proxy-State attribute, since the proxy leg ends on the ACS, and forwarded the rest of the packet as it is.



    In addition to this, here are the logs from the external RADIUS server (first the Access-Request it received, then the Access-Accept it sent):


    Client address []
    NAS address []
    Realm = (null)
    User = test
    Code = Access request
    ID = 4
    Length = 124
    Authenticator = 0x8B1441D49975680D8C3ABC428667A18B
    User-Name = test
    User-Password = 0xA4E99FD5142C7CEE11E3494012A5ADD9
    NAS-IP-Address =
    Class = xx
    Proxy-State = Cisco Secure ACSa24d1b92-fdd2-11e0-c000-000000000000-3058681568-4197 


    Client address []
    NAS address []
    Realm = def
    User = test
    Code = Access accept
    ID = 4
    Length = 0
    Authenticator = 0x8B1441D49975680D8C3ABC428667A18B
    Class = Hello
    Filter-Id = "29"
    Service-Type = Administrative
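    The two captures and the two log entries above describe one request/response cycle through the proxy. The following Python script is an added example, not ACS code or anything from Cisco, that walks that cycle with RFC 2865 packets built from scratch: the client sends an Access-Request, the proxy forwards every attribute as it is and appends a Proxy-State, the external server echoes the Proxy-State in its Access-Accept together with Class = Hello, Filter-Id = "29" and Service-Type = Administrative (6), and the proxy strips only its own Proxy-State before returning the rest. It goes one step beyond what the captures show: the shared secrets, NAS address, password and Proxy-State string are constructed values, and because each hop has its own shared secret the proxy re-encrypts User-Password for the upstream hop and verifies the upstream Response Authenticator before re-signing the reply for the client. That verification is what lets a proxy drop a forged or corrupted Access-Accept instead of relaying it, and it is exactly the kind of failure a sniffer trace or the external server's log would not reveal on its own.

```python
# RFC 2865 proxy walk-through: NAS -> proxy (ACS role) -> external server and back.
# Added example built on constructed values; it is not ACS code.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FILTER_ID, CLASS, PROXY_STATE = 11, 25, 33
SERVICE_TYPE_ADMINISTRATIVE = b"\x00\x00\x00\x06"      # integer 6, as in the capture
CLIENT_SECRET = b"nas-to-proxy-secret"                 # constructed, one secret per hop
UPSTREAM_SECRET = b"proxy-to-external-secret"          # constructed
PROXY_STATE_TAG = b"example-proxy-state-1"             # stands in for the ACS string

def encode_attrs(attrs):
    # Type(1) Length(1) Value, Length including the two header bytes.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def _password_xor(data, secret, req_auth, encrypt):
    # RFC 2865 s.5.2: each 16-byte block XORed with MD5(secret + previous cipher block)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + mixed, (mixed if encrypt else data[i:i + 16])
    return out

def encrypt_password(password, secret, req_auth):
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)
def decrypt_password(blob, secret, req_auth):
    return _password_xor(blob, secret, req_auth, False).rstrip(b"\x00")

def client_request(ident, req_auth):
    # Access-Request as the NAS (25.1 in the post) sends it; password keyed to CLIENT_SECRET.
    attrs = [(USER_NAME, b"test"),
             (USER_PASSWORD, encrypt_password(b"Secret123", CLIENT_SECRET, req_auth)),
             (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))]                   # constructed
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def proxy_forward(pkt):
    # Proxy step 1: every attribute goes out as-is; only User-Password is re-keyed
    # for the upstream secret, and a Proxy-State is appended (as the external log showed).
    code, ident, req_auth, attrs = parse_packet(pkt)
    fwd = [(t, encrypt_password(decrypt_password(v, CLIENT_SECRET, req_auth),
                                UPSTREAM_SECRET, req_auth) if t == USER_PASSWORD else v)
           for t, v in attrs]
    return build_packet(code, ident, req_auth, fwd + [(PROXY_STATE, PROXY_STATE_TAG)])

def upstream_reply(pkt):
    # External server: accept user 'test', echo every Proxy-State back unmodified.
    _, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    if a.get(USER_NAME) != b"test" or \
            decrypt_password(a[USER_PASSWORD], UPSTREAM_SECRET, req_auth) != b"Secret123":
        raise ValueError("rejected")
    reply = [(CLASS, b"Hello"), (FILTER_ID, b"29"), (SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE)]
    reply += [(t, v) for t, v in attrs if t == PROXY_STATE]
    auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, reply, UPSTREAM_SECRET)
    return build_packet(ACCESS_ACCEPT, ident, auth, reply)

def upstream_reply_is_authentic(reply, req_auth):
    # The Response Authenticator binds the reply to this request and the upstream secret.
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, req_auth, attrs, UPSTREAM_SECRET)
    return hmac.compare_digest(resp_auth, expected)

def proxy_return(reply, req_auth):
    # Proxy step 2: drop unauthentic replies, strip only our own Proxy-State, re-sign for the NAS.
    if not upstream_reply_is_authentic(reply, req_auth):
        raise ValueError("Response Authenticator mismatch: reply dropped")
    code, ident, _, attrs = parse_packet(reply)
    kept = [(t, v) for t, v in attrs if (t, v) != (PROXY_STATE, PROXY_STATE_TAG)]
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, kept, CLIENT_SECRET), kept)

def run_exchange(ident=4):
    req_auth = os.urandom(16)
    to_proxy = client_request(ident, req_auth)
    to_upstream = proxy_forward(to_proxy)
    from_upstream = upstream_reply(to_upstream)
    return {"req_auth": req_auth, "to_proxy": to_proxy, "to_upstream": to_upstream,
            "from_upstream": from_upstream, "to_client": proxy_return(from_upstream, req_auth)}
```

    Calling run_exchange() and passing each returned packet through parse_packet() gives the same four views the captures above show: the request with Proxy-State added on the way upstream, the accept with Proxy-State echoed, and the accept with Proxy-State removed on the way back. The proxy removes only the Proxy-State it added itself, so a Proxy-State inserted by an earlier hop would be passed through untouched, as RFC 2865 requires.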

    So to summarize: as of now ACS does not log proxied requests. You can check the hit count on the access service to see whether the packet was received by the ACS; beyond that, you can only capture it with a sniffer or simply observe the logging on the RADIUS server.

    Note: the behaviour has changed in ACS 5.4 and ISE.

    The proxy requests are logged in ACS View; however, the failure reasons are shown empty.
    In ISE, the failure reason is given as "Please review the logs on External server to determine the precise Failure reason."


    User Guide for Cisco Secure Access Control System 5.3 - Managing Network Resources

    Please post comments if there are any queries and rate if useful.

    Version history: revision 2 of 2, last update 08-29-2017 02:49 AM