I have a NAS from another vendor (not Cisco) and I know that it always sends the NAS-Port attribute with the same value for all requests to the RADIUS server. Besides, I need the RADIUS server to provide the IP addresses for the NAS clients from a pool.
My question is whether this is going to work fine with ACS for NT, because I found the following bug in 2.3:
CSCdk75671, and its state is closed and not solved.
Symptom: User max-sessions and logged-in users lists are cleared
Conditions: A user profile is configured for an address-pool that doesn't exist on the NAS.
Because the pool is non-existent, the radius NAS will then query the ACS for the pool name using as userid= pools-<as5300-csnt> and uses the same port-name as the dial-in user. In this example, it is port 38. Port 38 is then re-used, thus clearing rhuang1 max-sessions and logged-in user list.
Workaround: The workaround for this DDTS is to not configure the NAS to request the IP pool definition from the ACS but to continue to enter it locally on the NAS. Existing CSNT users will not be affected by this DDTS as this feature is not implemented in versions of CSNT prior to v2.3.
Further Problem Description: the special sequence of events utilized by the NAS conflicts with CSNT's routines for processing logged-on user information: the NAS sends a special authentication request for a 'pseudo' user on the same NAS port as the real user is connected on. This event causes CSNT to believe that the real user on that NAS port has disconnected, and so CSNT removes them from the logged-on user list. Having removed them, it will then function incorrectly when performing any processing that depends upon that user being registered as logged on. Affected functionality includes but is not limited to:
* Token caching for ISDN OTP users
* Max sessions limitations
* Password ageing
* ACS IP pools (unlikely to be in use if this feature is implemented on the NAS)
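The bug text above describes a RADIUS server that keys its logged-in-user list on the NAS port and treats any new Access-Request on an occupied port as proof that the previous occupant hung up. The following Python model is an added example, not ACS code or anything from the post; the table layout, the user names, the NAS addresses and the pseudo-user name `pools-as5300-csnt` (built from the page's `pools-<...>` pattern) are all constructed assumptions. It reproduces both failure modes raised on the page: the pool-lookup pseudo user evicting the real user (so Max Sessions is no longer enforced), and a NAS that sends the same NAS-Port for every request, which leaves the server tracking at most one user at a time.

```python
"""Model of a RADIUS server whose logged-in-user table is keyed on
(NAS-IP-Address, NAS-Port). Constructed example; the data structures are an
assumption for illustration, not the internals of Cisco Secure ACS."""

from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user_name: str
    nas_ip: str
    nas_port: int


@dataclass
class SessionTable:
    max_sessions: int = 1
    # (nas_ip, nas_port) -> user the server believes is on that port
    slots: dict = field(default_factory=dict)
    # Audit trail of evictions; this is the signal a defender would log and alert on
    evictions: list = field(default_factory=list)

    def active_sessions(self, user: str) -> int:
        return sum(1 for occupant in self.slots.values() if occupant == user)

    def handle(self, req: AccessRequest) -> str:
        key = (req.nas_ip, req.nas_port)
        previous = self.slots.get(key)
        if previous is not None and previous != req.user_name:
            # A different user on an occupied port is taken as "previous user
            # disconnected", exactly the assumption the bug report describes.
            self.evictions.append((req.nas_port, previous, req.user_name))
            del self.slots[key]
        if self.active_sessions(req.user_name) >= self.max_sessions:
            return "Access-Reject"
        self.slots[key] = req.user_name
        return "Access-Accept"


def pseudo_user_scenario():
    """Pool lookup on the real user's port evicts the real user."""
    table = SessionTable(max_sessions=1)
    r1 = table.handle(AccessRequest("rhuang1", "10.0.0.1", 38))
    # NAS asks the server for the pool definition as a pseudo user on port 38
    # (constructed name following the page's "pools-<nas>" pattern).
    r2 = table.handle(AccessRequest("pools-as5300-csnt", "10.0.0.1", 38))
    # rhuang1 is no longer listed, so a second concurrent login slips past
    # max_sessions=1 instead of being rejected.
    r3 = table.handle(AccessRequest("rhuang1", "10.0.0.1", 39))
    return r1, r2, r3, table.active_sessions("rhuang1"), len(table.evictions)


def constant_port_scenario():
    """NAS that reports the same NAS-Port for every request."""
    table = SessionTable(max_sessions=1)
    results = [
        table.handle(AccessRequest(user, "10.0.0.2", 1))
        for user in ("alice", "bob", "carol")
    ]
    # Only the most recent user survives in the table.
    return results, len(table.slots), table.evictions


if __name__ == "__main__":
    print(pseudo_user_scenario())
    print(constant_port_scenario())
```

The `evictions` list is the piece worth keeping in a real deployment: a burst of "user A replaced by user B on the same port" events without a matching accounting stop is how you would notice, from the server's own logs, that either a pool-lookup pseudo user or a constant NAS-Port value is silently defeating Max Sessions.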