ACS - RADIUS (Cisco VPN 3000 and IETF)

We have an issue where ACS denies Authentication because the RADIUS Session counter has been exceeded by the user, however the user has no active sessions with ACS.

The only way to get the users authenticated is to Purge all Logged in users for that AAA Client in order to reset the RADIUS Session Records.

All Groups related to the users are configured to allow the user one session.

RADIUS Accounting reports a start and stop record for the previous attempts by these users.

It's as if the Session Records for those users are not decrementing by one when the session is no longer active.


Re: ACS - RADIUS (Cisco VPN 3000 and IETF)

When you look at the passed auths and radius accounting reports, is there the same unique nas-port value in all three records?

ACS gets very picky about this. It sounds like the accounting stop perhaps has either no nas-port or it doesn't match the auth/acct start values.

Also, it may depend on which version of ACS you have, since there have been multiple fixes over the years.
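The cross-check suggested in this reply, as an added example that is not part of the thread: a short Python script over constructed, simplified CSV extracts (the column names are assumptions, not the exact headers of the ACS Passed Authentications and RADIUS Accounting reports) that flags each session whose Stop record is missing or whose NAS-Port disagrees with the auth and Start records, the condition that would leave a user's session count stuck.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, reduced to the columns that matter for the
# session-count check. Header names are assumptions, not the real ACS report layout.
PASSED_AUTHS = """User-Name,NAS-IP-Address,NAS-Port
alice,10.0.0.5,1001
bob,10.0.0.5,1002
carol,10.0.0.5,1003
dave,10.0.0.5,1004
"""

ACCOUNTING = """User-Name,NAS-IP-Address,NAS-Port,Acct-Status-Type,Acct-Session-Id
alice,10.0.0.5,1001,Start,A1
alice,10.0.0.5,1001,Stop,A1
bob,10.0.0.5,1002,Start,B1
bob,10.0.0.5,,Stop,B1
carol,10.0.0.5,1003,Start,C1
carol,10.0.0.5,carol,Stop,C1
dave,10.0.0.5,1004,Start,D1
"""

def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def find_stuck_sessions(auth_rows, acct_rows):
    """Return {user: [reason, ...]} for sessions whose records would not let
    the logged-in counter decrement: a Start with no Stop, or a NAS-Port that
    differs between the passed auth, the Start and the Stop."""
    auth_port = {(r["User-Name"], r["NAS-IP-Address"]): r["NAS-Port"] for r in auth_rows}
    starts, stops = {}, {}
    for r in acct_rows:
        key = (r["User-Name"], r["NAS-IP-Address"], r["Acct-Session-Id"])
        (starts if r["Acct-Status-Type"] == "Start" else stops)[key] = r["NAS-Port"]
    stuck = defaultdict(list)
    for key, start_port in starts.items():
        user, nas, sid = key
        expected = auth_port.get((user, nas))
        if expected is not None and start_port != expected:
            stuck[user].append(f"session {sid}: Start NAS-Port {start_port!r} != auth NAS-Port {expected!r}")
        if key not in stops:
            stuck[user].append(f"session {sid}: no Stop record")
        elif stops[key] != start_port:
            stuck[user].append(f"session {sid}: Stop NAS-Port {stops[key]!r} != Start NAS-Port {start_port!r}")
    return dict(stuck)

if __name__ == "__main__":
    for user, reasons in find_stuck_sessions(load(PASSED_AUTHS), load(ACCOUNTING)).items():
        print(user, "->", "; ".join(reasons))
```

In the constructed data alice's records agree and she is not reported, while bob (blank NAS-Port on the Stop), carol (NAS-Port equal to the user name) and dave (no Stop at all) are the cases to chase in the real exports.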


Re: ACS - RADIUS (Cisco VPN 3000 and IETF)

For all successful RADIUS start/stops the NAS port matches throughout all logs.

In some instances where RADIUS auth failed, the nas port was either blank or it matched the user name or there was no log entry for NAS port.


Re: ACS - RADIUS (Cisco VPN 3000 and IETF)

Hmm, very odd. I assume there are no "nas port re-used" messages in the passed auths csv either?

Session tracking info is held in the registry under HKLM/SW/Cisco/CiscoAAAvX.Y/Network Model/NAS

To reset things you could (at a quiet time) re-start csauth and at the same time delete all the sub-keys under Network Model/NAS.

This would reset everything, although it's possible over time that it might go wrong again.

I'll trawl the care system and see what I can find.
