Cisco Support Community
Nas-port attribute in ACSNT 3.0

Hello,

I have a NAS from another vendor (not Cisco), and I know that it always sends the NAS-Port attribute with the same value for all requests to the RADIUS server. Besides, I need the RADIUS server to provide the IP addresses for the NAS clients from a pool.

My question is whether this is going to work fine with ACS for NT, because I found the following bug in 2.3:

CSCdk75671, and its state is closed and not solved.

Symptom: User max-sessions and logged-in users lists are cleared

Conditions: A user profile is configured for address-pool that doesn't exist on the NAS.

Because the pool is non-existent, the radius NAS will then query the ACS for the pool name using as userid= pools-<as5300-csnt> and uses the same port-name as the dial-in user. In this example, it is port 38. Port 38 is then re-used, thus clearing rhuang1 max-sessions and logged-in user list.

Workaround: The workaround for this DDTS is to not configure the NAS to request the IP pool definition from the ACS but to continue to enter it locally on the NAS. Existing CSNT users will not be affected by this DDTS as this feature is not implemented in versions of CSNT prior to v2.3.

Further Problem Description: the special sequence of events utilized by the NAS conflicts with CSNT's routines for processing logged on user information - the NAS sends a special authentication request for a 'pseudo' user on the same NAS port as the real user is connected on. This event causes CSNT to believe that the real user on that NAS port has disconnected and so CSNT removes them from the logged on user list. Having removed them, it will then function incorrectly when performing any processing that depends upon that user being registered as logged on. Affected functionality includes but is not limited to:

* Token caching for ISDN OTP users

* Max sessions limitations

* Password ageing

* ACS IP pools (unlikely to be in use if this feature is implemented on the NAS)

2 REPLIES

Re: Nas-port attribute in ACSNT 3.0

If you follow the workaround to enter the pool definition locally on the NAS and don't configure the NAS to request the IP pool definition from ACS you should be fine.

Re: Nas-port attribute in ACSNT 3.0

Ok,

My problem is that I can't provide the pool definition on the NAS.

Do you know if this is going to work providing the IPs from the pool in the ACS?
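Added example, not part of the thread and not ACS code: a toy model of the port-keyed logged-on list that the bug description implies, replayed against the pool-lookup sequence and against a NAS that sends one constant NAS-Port. The `PortKeyedTracker` class, the NAS names, the port value 0 and the users alice and bob are constructed; the model reproduces the described behaviour only and does not predict what ACS 3.0 does.

```python
# Constructed model of port-keyed logged-on-user tracking; not ACS code.
from collections import namedtuple

# One Access-Request as the server sees it (fields named after RADIUS attributes).
Request = namedtuple("Request", "nas nas_port user")

class PortKeyedTracker:
    """Logged-on list with one slot per (NAS, NAS-Port), as the bug text describes."""
    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self.slots = {}       # (nas, nas_port) -> user believed to be on that port
        self.evicted = []     # (evicted user, user whose request displaced them)

    def sessions(self, user):
        return sum(1 for u in self.slots.values() if u == user)

    def authenticate(self, req):
        key = (req.nas, req.nas_port)
        previous = self.slots.pop(key, None)
        # A new request on a port is read as "previous user has disconnected".
        if previous is not None and previous != req.user:
            self.evicted.append((previous, req.user))
        if self.sessions(req.user) >= self.max_sessions:
            return False      # max-sessions limit reached
        self.slots[key] = req.user
        return True

def replay(requests, max_sessions=1):
    """Feed requests through the tracker; return (accept decisions, tracker)."""
    tracker = PortKeyedTracker(max_sessions)
    return [tracker.authenticate(r) for r in requests], tracker

# Case 1, from the bug text: the pool lookup for the pseudo user arrives on port 38.
POOL_LOOKUP = [
    Request("as5300", 38, "rhuang1"),
    Request("as5300", 38, "pools-<as5300-csnt>"),   # pseudo user, same port
    Request("as5300", 39, "rhuang1"),               # second login, limit is 1
]
# Case 2, the question: every request carries the same NAS-Port (0 is constructed).
CONSTANT_PORT = [
    Request("nas1", 0, "alice"),
    Request("nas1", 0, "bob"),
    Request("nas1", 0, "alice"),
]

if __name__ == "__main__":
    for name, reqs in (("pool lookup", POOL_LOOKUP), ("constant port", CONSTANT_PORT)):
        decisions, t = replay(reqs)
        print(name, decisions, "evicted:", t.evicted, "logged on:", t.slots)
```

In case 1 the second rhuang1 login is accepted although the limit is 1, because the pseudo-user request already removed the first session from the list. In case 2 the list never holds more than one user for the whole NAS, so any per-user session count taken from it is too low.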
