Cisco Bug: CSCtd00454 - SSLVPN on IOS not forwarding Class attribute in accounting packets

Last Modified

Jan 31, 2017

Products (1)

  • Cisco IOS

Known Affected Releases

12.4(24)T1 15.0(1)M 15.1(1.12)T 15.1(1.2)PI13d 15.1(1.4)T

Description (partial)

Symptom:

Accounting START packets from IOS SSL VPN connections are missing attributes that were sent to the router in the RADIUS Access-Accept, including the Class attribute (IETF 25). Per RFC, the Class attribute must be forwarded in the accounting start packet if it exists.

This appears to be due to the IOS SSL-VPN not creating a unique AAA DB on the router to store the incoming attributes.

Conditions:

Occurs with SSL-VPN on the IOS 12.4 T line and 15.0 M line when doing clientless WebVPN and also AnyConnect.

This causes issues when using accounting to do group mapping for Clean Access VPN Single Sign On, which uses the incoming Class attribute in the accounting start packet.