09-14-2012 10:29 AM - edited 03-10-2019 07:33 PM
I have a cisco 3845 running 12.4(15)T10.
I can send a POD and disconnect my session. But when I try to send a COA, I always get back the same error. Here is the debug log:
*Sep 14 17:25:16.017: COA: 172.16.XX.XX request queued
*Sep 14 17:25:16.017: ++++++ CoA Attribute List ++++++
*Sep 14 17:25:16.017: 66F2DBEC 0 00000009 string-session-id(337) 8 0000007F
*Sep 14 17:25:16.017: 670B3394 0 00000009 sub-qos-policy-out(346) 11 POLICE-TEST
*Sep 14 17:25:16.017:
*Sep 14 17:25:16.017: COA: No matching entry found
*Sep 14 17:25:16.017: COA: Added Reply Message: No Matching Session
*Sep 14 17:25:16.017: COA: Added NACK Error Cause: Session Context Not Found
I know I'm sending the right session. Any help?
09-14-2012 10:31 AM
James,
Can you please post "show run | inc aaa" and a "show run | inc radius"
Thanks,
Tarik Admani
*Please rate helpful posts*
09-14-2012 10:42 AM
aaa new-model
aaa authentication ppp default local group radius
aaa authentication ppp mounir group radius local
aaa authorization network default local group radius
aaa authorization network mounir group radius
aaa accounting update periodic 1
aaa accounting exec mounir start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network mounir start-stop group radius
aaa server radius dynamic-author
aaa session-id common
aaa authentication ppp default local group radius
aaa authentication ppp mounir group radius local
aaa authorization network default local group radius
aaa authorization network mounir group radius
aaa accounting exec mounir start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network mounir start-stop group radius
aaa server radius dynamic-author
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute nas-port format d
radius-server host 172.20.XX.XX auth-port 1812 acct-port 1813 key thekey
radius-server key thekey
09-14-2012 10:44 AM
Is there a client entry defined under the "aaa server radius dynamic-author"?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-14-2012 10:55 AM
Yes, and I am able to send a pod message from that client successfully.
09-14-2012 11:58 AM
Just so we are on the same page, I am referring to the radius server being present under the configuration (when you hit show run)
aaa server radius dynamic-author
client
thanks,
Tarik Admani
*Please rate helpful posts*
09-14-2012 12:08 PM
Yes, the radius server is listed there and my pc is listed there. The actual COA message is coming from my pc but according to the documentation I have read, that shouldn't be an issue.
If my pc wasn't listed there I would have gotten a different debug message... something like no client, dropping request or something like that, correct?
My interpretation of the debug output is that my pc is listed as an allowed client, the 3845 accepts the message and tries to process it, but complains about no matching session. My pc does get the NACK response.
Again, I can send the POD message from my pc with the correct session ID and the 3845 does the disconnect as expected. Sending the COA from my pc with the correct session ID gives the above log output.
09-14-2012 01:40 PM
James,
What radius server are you using that is connected to this? I am wondering for COA if there has to be certain attributes (av-pairs). So basically you can disconnect users, in this case you are trying to map a specific qos configuration?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-14-2012 01:48 PM
We are connecting to FreeRadius on a linux box so FreeRadius is doing the Authentication, Authorization, and Accounting but I'm sending the COA from my pc with code I wrote using the TinyRadius library.
Yes, I'm trying to send a cisco specific av-pair to set the qos policy.
09-14-2012 04:07 PM
James,
Can you send me the attributes that you are sending, are you using this attribute:
cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"
Can you run "debug aaa coa" to see if there are any other errors (or is this what you provided?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-17-2012 06:56 AM
Yes, the debug output in my original message is the output from "debug aaa coa".
I have tried sending different combinations of attributes and all give the same results. The 2 attributes I sent that resulted in the debug output in my first message were:
1 - Acct-Session-Id = 0000007F
2 - Cisco-AVPair = "ip:sub-qos-policy-out=POLICE-TEST"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide