User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 4 Network Configuration
Proxy in Distributed Systems
Because Mary works in the Los Angeles office, her user profile, which defines her
authentication and authorization privileges, resides on the local Los Angeles
AAA server. However, Mary occasionally travels to a division within the
corporation in New York, where she still needs to access the corporate network to
get her e-mail and other files. When Mary is in New York, she dials in to the New
York office and logs in as [email protected]. Her username is not
recognized by the New York Cisco Secure ACS, but the Proxy Distribution Table
contains an entry, “@la.corporate.com”, to forward the authentication request to
the Los Angeles Cisco Secure ACS. Because the username and password
information for Mary reside on that AAA server, when she authenticates correctly,
the authorization parameters assigned to her are applied by the AAA client in the
New York office.
Remote Use of Accounting Packets
When proxy is employed, Cisco Secure ACS can dispatch AAA accounting
packets in one of three ways:
• Log them locally.
• Forward them to the destination AAA server.
• Log them locally and forward copies to the destination AAA server.
Sending accounting packets to the remote Cisco Secure ACS offers several
benefits. When Cisco Secure ACS is configured to send accounting packets to the
remote AAA server, the remote AAA server logs an entry in the accounting report
for that session on the destination server. Cisco Secure ACS also caches the user
connection information and adds an entry in the List Logged on Users report. You
can then view the information for users that are currently connected. Because the
accounting information is being sent to the remote AAA server, even if the
connection fails, you can view the Failed Attempts report to troubleshoot the
failed connection.
Sending the accounting information to the remote AAA server also enables you
to use the Max Sessions feature. The Max Sessions feature uses the Start and Stop
records in the accounting packet. If the remote AAA server is a Cisco Secure ACS
and the Max Sessions feature is implemented, you can track the number of
sessions allowed for each user or group.
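How the Proxy Distribution Table, the three accounting dispatch modes and Max Sessions interact, as an added example: a simplified Python model, not Cisco Secure ACS code. The class and function names, the suffix-match rule and the username mary@la.corporate.com are assumptions made for illustration.

```python
# Simplified model for illustration; all names and the suffix match are assumptions.
from collections import defaultdict

LOCAL, REMOTE, BOTH = "local", "remote", "local+remote"  # the three dispatch modes

class AAAServer:
    def __init__(self, max_sessions=None):
        self.max_sessions = max_sessions      # per-user limit; None = not enforced
        self.accounting_log = []              # accounting report entries
        self.active = defaultdict(set)        # user -> open session ids

    def record(self, user, session_id, status):
        """Log one accounting packet and update the session count from Start/Stop."""
        self.accounting_log.append((user, session_id, status))
        if status == "Start":
            self.active[user].add(session_id)
        elif status == "Stop":
            self.active[user].discard(session_id)

    def may_start(self, user):
        """Max Sessions check: only as accurate as the Start/Stop records seen."""
        return self.max_sessions is None or len(self.active[user]) < self.max_sessions

class ProxyingServer(AAAServer):
    def __init__(self, proxy_table, mode):
        super().__init__()
        self.proxy_table = proxy_table        # suffix string -> destination AAAServer
        self.mode = mode

    def route(self, username):
        # Destination for this username, or self when no table entry matches.
        for suffix, dest in self.proxy_table.items():
            if username.endswith(suffix):
                return dest
        return self

    def account(self, username, session_id, status):
        dest = self.route(username)
        if dest is self or self.mode in (LOCAL, BOTH):
            self.record(username, session_id, status)
        if dest is not self and self.mode in (REMOTE, BOTH):
            dest.record(username, session_id, status)

def simulate(mode):
    """Constructed scenario: a roaming user opens one session via the NY server."""
    la = AAAServer(max_sessions=1)
    ny = ProxyingServer({"@la.corporate.com": la}, mode)
    user = "mary@la.corporate.com"            # constructed username
    ny.account(user, "s1", "Start")
    # (may LA allow another session?, LA log entries, NY log entries)
    return la.may_start(user), len(la.accounting_log), len(ny.accounting_log)
```

With local-only logging the destination server never sees the Start record, so its session limit cannot account for the roaming session; with either forwarding mode it can.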