Radius Proxy Analysis on ACS 5.3

    Introduction

    To clear up the confusion around RADIUS proxying, I recreated a proxy scenario in the lab and collected packet captures and server logs. The short version: ACS forwards the client's Access-Request to the external server with the attributes unchanged (adding only its own Proxy-State attribute), and forwards the server's reply back to the client with that Proxy-State removed.

    Lab Setup

    Client --> RADIUS Access-Request --> ACS (proxy sender) --> External RADIUS Server (proxy receiver)

    Packet from Client to ACS

    Packet from 192.168.25.1 (client) to ACS:

    Capture1.JPG

    Packet from ACS to Radius Server

    This is the same packet as seen on the leg from ACS to 192.168.65.5 (external RADIUS server):

    Capture2.JPG

    This shows that ACS does not alter the client's attributes; it forwards them as they are, appending only its own Proxy-State attribute (visible in the external server's log further down). One caveat for anyone comparing the two captures in their own setup: User-Password is hidden with the shared secret of each hop, so its bytes differ on the ACS-to-server leg unless both hops use the same shared secret.

    The next question is whether ACS also returns the server's reply to the client unchanged.

    Packet Capture Output

    I got a packet capture and here is the answer:

    Capture3.JPG

    Addresses in the capture:

    192.168.25.1 - client
    192.168.25.5 - ACS
    192.168.65.5 - external RADIUS server

    All three legs appear in the same capture because I was capturing on a VM interface.

    Radius Server Configuration

    This is what I configured on the external RADIUS server. Just for testing, I added a few arbitrary reply attributes:

    Capture4.JPG

    Packet capture - Radius to ACS

    This capture shows what the RADIUS server sent back to the ACS. You can see the configured attributes coming back to the ACS from the RADIUS server:

    Filter-Id = 29

    Class (an opaque octet string, so the sniffer shows the raw bytes rather than the text configured on the server)

    Service-Type = Administrative (value 6)

    Capture5.JPG

    Packet capture - ACS to User

    Now here is what ACS sent back to the User:

    You can see that ACS stripped the Proxy-State attribute, since the proxy hop ended at the ACS, and forwarded the rest of the reply attributes to the client as they are. (The Response Authenticator is necessarily recomputed for the client hop: it is an MD5 over the packet and the shared secret of that hop, so the value the external server produced cannot be reused towards the client unless both hops share a secret.)

    Capture6.JPG

    External Radius Server Logs

    In addition to the captures, here are the logs from the external RADIUS server for the same exchange:

    ACCESS-REQUEST:

    Client address [192.168.25.5]
    NAS address [192.168.25.1]
    UniqueID=7
    Realm = (null)
    User = test
    Code = Access request
    ID = 4
    Length = 124
    Authenticator = 0x8B1441D49975680D8C3ABC428667A18B
    User-Name = test
    User-Password = 0xA4E99FD5142C7CEE11E3494012A5ADD9
    NAS-IP-Address = 192.168.25.1
    Class = xx
    Proxy-State = Cisco Secure ACSa24d1b92-fdd2-11e0-c000-000000000000-3058681568-4197

    ACCESS-ACCEPT:

    Client address [192.168.25.5]
    NAS address [192.168.25.1]
    UniqueID=8
    Realm = def
    User = test
    Code = Access accept
    ID = 4
    Length = 0
    Authenticator = 0x8B1441D49975680D8C3ABC428667A18B
    Class = Hello
    Filter-Id = "29"
    Service-Type = Administrative

    Note that the external server logs the ACS (192.168.25.5) as the RADIUS client, while NAS-IP-Address still carries the original NAS (192.168.25.1). The client definition and shared secret on the external server therefore have to be for the ACS, not for the NAS.
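    The exchange analysed above, modelled end to end in Python as an added example (not code from the original post or from Cisco): a constructed Access-Request for user test passes through a proxy function that does what the captures and logs show ACS doing, the external server replies with the Class, Filter-Id and Service-Type from the lab configuration and echoes the Proxy-State, and the proxy strips that Proxy-State before re-signing the reply for the client. The shared secrets, the Request Authenticator, the Proxy-State string and the password test123 are assumptions, as is the choice to keep the client's ID and authenticator on the forwarded request; the RFC 2865 password hiding and Response Authenticator computation are implemented as specified, which is what makes the password bytes and the authenticator differ per hop even though the attributes pass through unchanged.

```python
# RADIUS proxy model (RFC 2865): what a proxy such as ACS does to an Access-Request on the
# way out and to the reply on the way back. Attribute values mirror the lab logs on this page;
# the shared secrets, Request Authenticator and Proxy-State string are constructed.
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # RFC 2865 attribute types
SERVICE_TYPE, FILTER_ID, CLASS, PROXY_STATE = 6, 11, 25, 33
CLIENT_SECRET = b"nas-to-acs-secret"                      # assumed: NAS <-> ACS hop
SERVER_SECRET = b"acs-to-extserver-secret"                # assumed: ACS <-> external server hop

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def password_xor(data, secret, req_auth, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block).
    hide=True takes the cleartext password, hide=False takes the hidden bytes."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def verify_reply(reply, request, secret):
    code, ident, resp_auth, attrs = parse(reply)
    return resp_auth == response_authenticator(code, ident, parse(request)[2], attrs, secret)

def proxy_forward(req, proxy_state):
    """ACS -> external server: attributes pass through; password re-hidden for the next hop, Proxy-State appended."""
    code, ident, req_auth, attrs = parse(req)
    rehide = lambda v: password_xor(password_xor(v, CLIENT_SECRET, req_auth, False), SERVER_SECRET, req_auth, True)
    fwd = [(t, rehide(v) if t == USER_PASSWORD else v) for t, v in attrs]
    return build(code, ident, req_auth, fwd + [(PROXY_STATE, proxy_state)])

def proxy_return(reply, fwd_req, client_req, proxy_state):
    """External server -> ACS -> client: verify the server's signature, strip only our Proxy-State, re-sign."""
    if not verify_reply(reply, fwd_req, SERVER_SECRET):
        raise ValueError("Response Authenticator from external server does not verify")
    code, ident, _, attrs = parse(reply)
    kept = [a for a in attrs if a != (PROXY_STATE, proxy_state)]
    auth = response_authenticator(code, ident, parse(client_req)[2], kept, CLIENT_SECRET)
    return build(code, ident, auth, kept)

def external_server(req):
    """External RADIUS server: check credentials, add the lab's reply attributes, echo every Proxy-State unchanged."""
    code, ident, req_auth, attrs = parse(req)
    fields = dict(attrs)
    ok = (fields.get(USER_NAME), password_xor(fields.get(USER_PASSWORD, b""), SERVER_SECRET, req_auth, False)) == (b"test", b"test123")
    reply = [(CLASS, b"Hello"), (FILTER_ID, b"29"), (SERVICE_TYPE, struct.pack("!I", 6))] if ok else []
    reply += [(t, v) for t, v in attrs if t == PROXY_STATE]   # RFC 2865 5.33: echoed as received
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build(code, ident, response_authenticator(code, ident, req_auth, reply, SERVER_SECRET), reply)

def run_lab(password=b"test123"):
    """Client 192.168.25.1 -> ACS 192.168.25.5 -> external server 192.168.65.5, and back."""
    req_auth = hashlib.md5(b"constructed; a real NAS picks this at random").digest()
    client_req = build(ACCESS_REQUEST, 4, req_auth, [(USER_NAME, b"test"),
        (USER_PASSWORD, password_xor(password, CLIENT_SECRET, req_auth, True)),
        (NAS_IP_ADDRESS, bytes([192, 168, 25, 1])), (CLASS, b"xx")])
    proxy_state = b"example-proxy-state"                  # constructed; ACS uses its own opaque value
    fwd = proxy_forward(client_req, proxy_state)
    to_client = proxy_return(external_server(fwd), fwd, client_req, proxy_state)
    server_attrs, client_attrs = parse(fwd)[3], parse(to_client)[3]
    return {
        "code": parse(to_client)[0],
        "server_saw_proxy_state": (PROXY_STATE, proxy_state) in server_attrs,
        "password_rehidden": dict(server_attrs)[USER_PASSWORD] != dict(parse(client_req)[3])[USER_PASSWORD],
        "client_got_proxy_state": any(t == PROXY_STATE for t, _ in client_attrs),
        "client_reply_attrs": client_attrs,
        "client_verifies": verify_reply(to_client, client_req, CLIENT_SECRET),
    }
```

    run_lab() returns a dictionary of observations matching the captures above: the server saw the Proxy-State, the password bytes differ between the two legs, and the reply reaching the client carries Class, Filter-Id and Service-Type but no Proxy-State and verifies under the client-hop secret. run_lab(b"wrong") shows the Access-Reject path, where the stripped reply again reaches the client with no Proxy-State. A reply that fails the Response Authenticator check on the server leg raises before it is forwarded, which is the check a real proxy has to make so that a spoofed reply from the external server's address is not relayed to the NAS.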

    To summarize: as of ACS 5.3, ACS itself logs nothing for proxied requests. You can check the hit count on the access service to confirm that ACS received the packet; beyond that, you can only follow the exchange with a sniffer or by observing the logs on the external RADIUS server.

    Note: The behaviour changed in ACS 5.4 and ISE:

    In ACS 5.4 the proxied requests are logged in ACS View, but the failure reason is shown empty.
    In ISE, the failure reason is reported as "Please review the logs on External server to determine the precise Failure reason."

    Reference

    User Guide for Cisco Secure Access Control System 5.3 - Managing Network Resources

    Please post comments if there are any queries and rate if useful.

    Version history: revision 2 of 2, last updated 08-29-2017 02:49 AM