
ASR 1004 - CoA server not enabled

camilochaux
Level 1

Hello,

We have a problem with CoA requests.

We want to be able to handle CoA requests on a Cisco ASR 1004, but it says that it is not enabled. We have checked the official Cisco documentation on CoA and it should be enabled.

We send a CoA request and "debug aaa coa" shows us the following:

COA: server not enabled. Dropping COA packet

The aaa configuration is:
aaa new-model

aaa server radius dynamic-author
 server-key 7 secret
 auth-type any
 ignore session-key
 ignore server-key

The PoD requests are accepted and processed correctly, but the CoA requests do not work.

Is there another way to enable CoA on the ASR 1004?

The IOS version is: IOS XE Version 03.16.06.S - IOS Software Version 15.5(3)S6

Thanks for your help.

1 ACCEPTED SOLUTION

camilochaux
Level 1

Hello M02@rt37 

OK, I found the problem.

It is necessary to specify the configuration of the RADIUS client.
The problem with this is that any RADIUS client that is not specified will stop working for PoD disconnect requests.

It is strange that for disconnect PoDs it is not necessary to specify the client radius but for CoAs it is. I understand that it will be for security reasons but it would be nice if it were specified in the documentation.

This example works:

aaa server radius dynamic-author
 client x.x.x.x
 client y.y.y.y
 server-key secret
 auth-type any
 ignore session-key
 ignore server-key

Thanks for the help.

Regards.
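
The finding in the accepted solution, turned into a configuration check (an added example, not code from the original posts or from Cisco): this Python script extracts the "aaa server radius dynamic-author" stanza from a running-config and reports the listening port and the settings discussed in this thread. The sample configs are constructed, 192.0.2.x stands in for the masked client addresses, and the function and finding names are this example's own.

```python
# Constructed sample configs modelled on the stanzas posted in this thread
# (192.0.2.x stands in for the masked x.x.x.x / y.y.y.y clients).
BEFORE = """aaa new-model
aaa server radius dynamic-author
 server-key 7 secret
 auth-type any
 ignore session-key
 ignore server-key
!
"""
AFTER = """aaa server radius dynamic-author
 client 192.0.2.10
 client 192.0.2.11
 server-key secret
 auth-type any
 ignore session-key
 ignore server-key
!
"""

def dynamic_author_cmds(config):
    """Sub-commands of the dynamic-author stanza (assumes running-config indentation)."""
    cmds, inside = [], False
    for line in config.splitlines():
        if line.strip() == "aaa server radius dynamic-author":
            inside = True
        elif inside and line[:1].isspace() and line.strip():
            cmds.append(" ".join(line.split()))
        elif inside and line.strip():
            break  # first non-indented line ends the stanza
    return cmds if inside else None

def audit(config):
    """Return (listening_port, findings) for the CoA/PoD listener."""
    cmds = dynamic_author_cmds(config)
    if cmds is None:
        return None, ["no dynamic-author stanza"]
    # 1700 is the Cisco IOS default when the stanza has no 'port' line.
    port = next((int(c.split()[1]) for c in cmds if c.startswith("port ")), 1700)
    findings = []
    if not any(c.startswith("client ") for c in cmds):
        findings.append("no-client: CoA-Requests dropped as 'server not enabled' (behaviour reported in this thread)")
    if "ignore server-key" in cmds:
        findings.append("ignore-server-key: shared secret not enforced, client list is the only sender check")
    if "ignore session-key" in cmds:
        findings.append("ignore-session-key: session key not enforced")
    if any(c.startswith("server-key 7 ") for c in cmds):
        findings.append("type-7-key: server-key stored with reversible type 7 encoding")
    return port, findings
```

Running audit() on BEFORE reports the missing client list that caused the drop; on AFTER only the two "ignore" findings remain, which is why the client list matters in the working configuration.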


7 REPLIES

M02@rt37
VIP

Hello @camilochaux,

You do not specify a port?

Make sure to configure port with the correct port number used by your RADIUS server for CoA requests. In many cases, the default port for CoA is 3799, but you should verify this with your RADIUS server configuration.

After making this configuration change, if it is not OK, check the "debug aaa coa" output again.

Thanks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello M02@rt37 

Thanks for answering.

If I send from radclient against port 3799, "debug aaa coa" directly shows nothing.

But if I point to port 1700, "debug aaa coa" shows me the message that the CoA server is not enabled.

If I set port 3799 to "dynamic-author", for example:

aaa server radius dynamic-author
 server-key secret
 auth-type any
 ignore session-key
 port 3799

exactly the same thing happens. COA server not enabled.

Apparently I need to enable the CoA server on a Cisco ASR 1004, but I can't find the documentation that indicates how to do it.

I found this command: "subscriber service coa-rfc-compliant". Could it be this?

Regards

Hello @camilochaux,

On Cisco ASR 1000 Series routers, CoA functionality should be enabled by default, and you do not need to explicitly enable it. When CoA packets are received on the router, the "debug aaa coa" command should display information about the incoming CoA packets.

No firewall on the path between the RADIUS server and your ASR 1004?

Best regards

@camilochaux,

Yes, try this command.

By using the "subscriber service coa-rfc-compliant" command, you enable the router to interpret CoA messages based on the RFC 5176 standard. This allows the router to correctly handle and respond to CoA requests that adhere to the RFC 5176 specifications.

Best regards

Hello M02@rt37 

I enabled it, but nothing; it does not work.

The debug shows the same error: "COA: server not enabled. Dropping COA packet"

There is no firewall between the two devices and there is no rule blocking the port. As I commented, the disconnect PoDs work, and I send them through the same port (1700).

Also, the ASR shows, in debug, a COA-exclusive message saying that it has received a COA packet but has not handled it because the COA service is not enabled.

I mean, the ASR does detect that it is receiving a COA request.

I have looked at the resolved and open bugs for this IOS version, but have not found CoA bugs that have a known relationship.

Regards.

Great news !!!! Happy for you @camilochaux !

Best regards