4-5
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 4 Setting Up and Managing Network Configuration
Proxy in Distributed Systems
Whether, and where, an authentication request is to be forwarded is defined in the
Proxy Distribution Table on the Network Configuration page. You can use
multiple Cisco Secure ACS servers throughout your network. For information
about configuring the Proxy Distribution Table, see Proxy Distribution Table
Configuration, page 4-32.
Cisco Secure ACS employs character strings defined by the administrator to
determine whether an authentication request should be processed locally or
forwarded, and to where. When an end user dials in to the network device and
Cisco Secure ACS finds a match for the character string defined in the Proxy
Distribution Table, Cisco Secure ACS forwards the authentication request to the
associated remote AAA server.
Note
When a Cisco Secure ACS receives an authentication request
forwarded by proxy, any Network Access Restrictions for requests are
applied to the IP address of the forwarding AAA server, not to the IP address of
the originating AAA client.
Note
When a Cisco Secure ACS proxies to a second Cisco Secure ACS, the second
Cisco Secure ACS responds to the first using only IETF attributes, no VSAs,
when it recognizes the first Cisco Secure ACS as a AAA server. Alternatively, you
can configure a Cisco Secure ACS to be seen as a AAA client by the second
Cisco Secure ACS; in this case, the second Cisco Secure ACS responses include
the RADIUS VSAs for whatever RADIUS vendor is specified in the AAA client
definition table entry—in the same manner as any other AAA client.
For example, a Cisco Secure ACS receives an authentication request for
[email protected], where “@corporate.com” is a character string
defined in the server distribution table as being associated with another specific
AAA server. The Cisco Secure ACS receiving the authentication request for
[email protected] then forwards the request to the AAA server with
which that character string is associated. The entry in the Proxy Distribution Table
defines the association.
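The following added example (not part of the Cisco guide, and not Cisco Secure ACS code) models the forwarding decision described above together with the first Note: after a proxy hop, an IP-based restriction on the receiving server is evaluated against the forwarder's address. The server names, IP addresses, the username, the prefix/suffix "position" field and the simplified restriction check are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: server names and addresses are illustrative only.
# "position" (prefix/suffix) is a modelling assumption; the text above only
# says that a character string is matched.
PROXY_TABLE = [("@corporate.com", "suffix", "acs-hq")]
SERVER_IPS = {"acs-branch": "10.1.1.10", "acs-hq": "10.2.2.10"}

@dataclass(frozen=True)
class Request:
    username: str
    source_ip: str  # address the receiving server sees the request arrive from

def route(username, table=PROXY_TABLE):
    """Return the remote AAA server for the first matching string, or None for local."""
    for string, position, server in table:
        hit = username.endswith(string) if position == "suffix" else username.startswith(string)
        if hit:
            return server
    return None

def forward(req, local_server):
    """One proxy hop: the target sees the forwarding server's IP, not the AAA client's."""
    target = route(req.username)
    if target is None:
        return local_server, req
    return target, Request(req.username, SERVER_IPS[local_server])

def nar_permits(req, permitted_networks):
    """Simplified IP-based restriction, checked against the address the server sees."""
    return any(ip_address(req.source_ip) in ip_network(n) for n in permitted_networks)

def demo():
    client_ip = "192.0.2.25"  # constructed AAA client (network device) address
    server, seen = forward(Request("user@corporate.com", client_ip), "acs-branch")
    return {
        "handled_by": server,
        "source_seen": seen.source_ip,
        "rule_for_client_subnet": nar_permits(seen, ["192.0.2.0/24"]),
        "rule_for_forwarder": nar_permits(seen, ["10.1.1.10/32"]),
        "unmatched_user": forward(Request("localuser", client_ip), "acs-branch")[0],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A restriction written for the originating AAA client's subnet does not match the proxied request, while one written for the forwarding server's address does, so restrictions on the receiving server need to be reviewed with the forwarder's address in mind.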
Administrators with geographically dispersed networks can configure and
manage the user profiles of employees within their immediate location or
building. This enables the administrator to manage the policies of just their users
and allows all authentication requests from other users within the company to be
forwarded to their respective AAA server for authentication. Not every user