[c-nsp] Cisco VPN Client - accounting log

Piestaga piestaga at aster.pl
Thu Feb 9 06:00:12 EST 2006

Hello Oliver,

Thursday, February 9, 2006, 8:55:23 AM, you wrote:

> Piestaga <> wrote on Wednesday, February 08, 2006 4:08 PM:

>> Hi,
>> My problem is that couple of months ago, for established Cisco VPN
>> IPSec session, the NAS was sending to radius the NAS-PORT attribute.
>> Now it is not (in fact NAS sends 'zero' as a NAS-PORT).
>> It causes that every authenticated second IPSec session clears the
>> previous one what causes that I am not able to verify the number of
>> session from single User. (I need to limit the total number of
>> sessions to one from single user at a time)
>> I tried to force the NAS to send NAS-PORT using:
>> radius-server attribute nas-port format /a-e/
>> but it doesn't help in fact.
>> Still the parameter is 'zero'
>> Did you have notice is it a bug that will be repaired in next release
>> or is it going to stay working (not-working) that way ?
>> It is strange that NAS stops sending the NAS-PORT for Cisco CPN Client
>> sessions just like that.

> Which image are you using? We should be sending a NAS-Port in 12.3(11)T
> and later.. 

>         oli


I am using 12.3(14)T6 right now.

The begining of "debug crypto isakmp aaa" output says:

    ISAKMP AAA: CLI handle received from aaaaaacli_hdl = 0x80000005 and returned peer = 0x506F13A8
--> ISAKMP:(0:0:N/A:0):AAA: Nas Port ID is unavailable.
    ISAKMP AAA: Allocated session id 3 and replaced it for uid 5
    ISAKMP/aaa: unique id = 5

Line: "Nas Port ID is unavailable"
explains why the NAS Port ID is empty, but there is no info why NAS-Port is not being sent.

And why in fact both are attribs. are unavailable.


More information about the cisco-nsp mailing list