Cisco Systems 3.3 Manual De Usuario
4-5
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 4 Network Configuration
Proxy in Distributed Systems
Note
When a Cisco Secure ACS receives a TACACS+ authentication request forwarded
by proxy, any Network Access Restrictions for TACACS+ requests are applied to
the IP address of the forwarding AAA server, not to the IP address of the
originating AAA client.
by proxy, any Network Access Restrictions for TACACS+ requests are applied to
the IP address of the forwarding AAA server, not to the IP address of the
originating AAA client.
Note
When a Cisco Secure ACS proxies to a second Cisco Secure ACS, the second
Cisco Secure ACS responds to the first using only IETF attributes, no VSAs,
when it recognizes the first Cisco Secure ACS as a AAA server. Alternatively, you
can configure an Cisco Secure ACS to be seen as a AAA client by the second
Cisco Secure ACS; in this case, the second Cisco Secure ACS responses include
the RADIUS VSAs for whatever RADIUS vendor is specified in the AAA client
definition table entry—in the same manner as any other AAA client.
Cisco Secure ACS responds to the first using only IETF attributes, no VSAs,
when it recognizes the first Cisco Secure ACS as a AAA server. Alternatively, you
can configure an Cisco Secure ACS to be seen as a AAA client by the second
Cisco Secure ACS; in this case, the second Cisco Secure ACS responses include
the RADIUS VSAs for whatever RADIUS vendor is specified in the AAA client
definition table entry—in the same manner as any other AAA client.
For example, a Cisco Secure ACS receives an authentication request for
mary.smith@corporate.com, where “@corporate.com” is a character string
defined in the server distribution table as being associated with another specific
AAA server. The Cisco Secure ACS receiving the authentication request for
mary.smith@corporate.com then forwards the request to the AAA server with
which that character string is associated. The entry in the Proxy Distribution Table
defines the association.
mary.smith@corporate.com, where “@corporate.com” is a character string
defined in the server distribution table as being associated with another specific
AAA server. The Cisco Secure ACS receiving the authentication request for
mary.smith@corporate.com then forwards the request to the AAA server with
which that character string is associated. The entry in the Proxy Distribution Table
defines the association.
Administrators with geographically dispersed networks can configure and
manage the user profiles of employees within their immediate location or
building. This enables the administrator to manage the policies of just their users
and allows all authentication requests from other users within the company to be
forwarded to their respective AAA server for authentication. Not every user
profile needs to reside on every AAA server. This saves administration time and
server space, and facilitates end users receiving the same privileges regardless of
which access device they connect through.
manage the user profiles of employees within their immediate location or
building. This enables the administrator to manage the policies of just their users
and allows all authentication requests from other users within the company to be
forwarded to their respective AAA server for authentication. Not every user
profile needs to reside on every AAA server. This saves administration time and
server space, and facilitates end users receiving the same privileges regardless of
which access device they connect through.
Fallback on Failed Connection
You can configure the order in which Cisco Secure ACS checks remote
AAA servers when a failure of the network connection to the primary AAA server
has occurred. If an authentication request cannot be sent to the first listed server,
because of a network failure for example, the next listed server is checked. This
AAA servers when a failure of the network connection to the primary AAA server
has occurred. If an authentication request cannot be sent to the first listed server,
because of a network failure for example, the next listed server is checked. This