Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
777
Views
0
Helpful
3
Replies

SSG with TAL + prepaid feature

Go to solution
v.prokofiev
Level 1
Level 1

‎12-09-2010 10:59 AM - edited ‎03-01-2019 02:23 PM

Good day.

We having troubles with the subject.

The issue is that with transparent autologon(TAL) there is no username in prepaid quota access-request packet, which makes impossible to unique user session identification. This is how access-request packet looks like in RADIUS debug:

rad_recv: Access-Request packet from host xx.xx.xx.222 port 1645, id=107, length=69
        User-Password = "cisco"
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Port-Id = "SSG"
        NAS-IP-Address = xx.xx.xx.222
So all quota request packets looks the same for RADIUS and it becomes impossible to give unique quotas for each user. There's no such issue with SESM for authentication, without TAL - quota reqest packets have username that way.
This is true for any software/harware combination we've tried so far(2811, 6500/7600, 7200 series, 12.2, 12.4 mainline, 12.4T, etc)
I'm not sure if this is a bug, or am I missing something?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Atif Awan
Cisco Employee
Cisco Employee

‎12-09-2010 08:12 PM

I am assuming the Access-Request you are talking about here is the authorization for the prepaid service, the initial Access-Request is fine. Correct?

If that is the case then try explicitly putting in a User-Name attribute (Attribute 1) in the TAL user's profile on the AAA server and re-test.

Atif

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Atif Awan
Cisco Employee
Cisco Employee

‎12-09-2010 08:12 PM

I am assuming the Access-Request you are talking about here is the authorization for the prepaid service, the initial Access-Request is fine. Correct?

If that is the case then try explicitly putting in a User-Name attribute (Attribute 1) in the TAL user's profile on the AAA server and re-test.

Atif

0 Helpful

Go to solution
v.prokofiev
Level 1
Level 1
In response to Atif Awan

‎12-10-2010 04:09 AM

Yes, it's exactly what I needed. Thank you.

I wonder, was this anywhere in SSG manuals? I was looking all over them, and didn't find any mention about sending username in access accept reply.

0 Helpful

Go to solution
Atif Awan
Cisco Employee
Cisco Employee
In response to v.prokofiev

‎12-10-2010 07:30 AM

Glad to hear it worked out. I am not sure if this is documented on CCO or not.

Atif

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents