Guest

Preview Tool

Cisco Bug: CSCuo34507 - ISG not sending CoA NACK even if we put wrong credentials in Web portal

Last Modified

Jan 30, 2017

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

15.1(2)S1.1

Description (partial)

Symptom:
Customer is using ASR1004 as ISG and doing L4Redirect .  ISG is Re- directing all the web Request to a Broadhop Device(web portal) for providing the Credentials , but  according to the Customer , even if users enter wrong credentials , ISG is not sending the CoA NACK to web portal server after receiving an Access-Reject, so CoA timeout errors are thrown at the portal. Customer is using Broadhop QNS/QPS .

Conditions:
Call Flow:

when a subscriber attaches to the SSID, it tries to authenticate against the Free RADIUS server.  If the subscriber's MAC address is not found in the database, the subscriber is redirected to the QPS portal and then ,

1.  QPS sends a CoA account-logon to ISG (directly)

2.  ISG sends Access-Request to QPS (via Free RADIUS server)

3.  QPS sends Access-Reject (via Free RADIUS server)

4.  ISG does not send CoA NACK for account-logon to QPS
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.