SSG with TAL + prepaid feature

v.prokofiev
Level 1

Good day.

We are having trouble with the subject.

The issue is that with transparent autologon (TAL) there is no username in the prepaid quota Access-Request packet, which makes it impossible to uniquely identify the user session. This is how the Access-Request packet looks in RADIUS debug:

rad_recv: Access-Request packet from host xx.xx.xx.222 port 1645, id=107, length=69
        User-Password = "cisco"
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Port-Id = "SSG"
        NAS-IP-Address = xx.xx.xx.222
So all quota request packets look the same to RADIUS, and it becomes impossible to give unique quotas to each user. There's no such issue with SESM for authentication, without TAL - quota request packets have a username that way.
This is true for any software/hardware combination we've tried so far (2811, 6500/7600, 7200 series, 12.2, 12.4 mainline, 12.4T, etc.)
I'm not sure if this is a bug, or am I missing something?

Accepted Solutions

Atif Awan
Cisco Employee

I am assuming the Access-Request you are talking about here is the authorization for the prepaid service, the initial Access-Request is fine. Correct?

If that is the case then try explicitly putting in a User-Name attribute (Attribute 1) in the TAL user's profile on the AAA server and re-test.

Atif

Yes, it's exactly what I needed. Thank you.

I wonder, was this anywhere in SSG manuals? I was looking all over them, and didn't find any mention about sending username in access accept reply.

Glad to hear it worked out. I am not sure if this is documented on CCO or not.

Atif
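
An added example, not part of the original thread: a small Python check that parses RADIUS debug output in the `rad_recv:` format quoted in the first post and lists Access-Requests that carry no User-Name, which is a quick way to confirm whether the profile change took effect on a re-test. The first sample packet is the one from the post; the second packet and the name `subscriber-a` are constructed for illustration.

```python
import re

# Header and attribute lines as they appear in the debug output quoted above.
HEADER = re.compile(
    r"^rad_recv: (?P<code>[\w-]+) packet from host (?P<host>\S+) "
    r"port (?P<port>\d+), id=(?P<id>\d+), length=(?P<length>\d+)"
)
ATTR = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.*)$")

# Packet id=107 is copied from the post; packet id=108 is constructed.
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host xx.xx.xx.222 port 1645, id=107, length=69
        User-Password = "cisco"
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        NAS-Port-Id = "SSG"
        NAS-IP-Address = xx.xx.xx.222
rad_recv: Access-Request packet from host xx.xx.xx.222 port 1645, id=108, length=84
        User-Name = "subscriber-a"
        User-Password = "cisco"
        NAS-Port-Id = "SSG"
        NAS-IP-Address = xx.xx.xx.222
'''

def parse_packets(text):
    """Split debug text into packets, each with a dict of attribute lists."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"code": m["code"], "host": m["host"],
                       "id": int(m["id"]), "attrs": {}}
            packets.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:  # ignore attribute lines before any header
            current["attrs"].setdefault(m["name"], []).append(m["value"].strip('"'))
    return packets

def unattributable(packets):
    """Access-Requests with no (or only empty) User-Name: cannot be tied to a user."""
    return [p for p in packets if p["code"] == "Access-Request"
            and not any(p["attrs"].get("User-Name", []))]

if __name__ == "__main__":
    for p in unattributable(parse_packets(SAMPLE_DEBUG)):
        print(f"id={p['id']} from {p['host']}: no User-Name, attrs={sorted(p['attrs'])}")
```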