
Radius COA message to 3845 not working

jimoooooo
Level 1

I have a Cisco 3845 running 12.4(15)T10.

I can send a POD and disconnect my session. But when I try to send a COA, I always get back the same error. Here is the debug log:

*Sep 14 17:25:16.017: COA: 172.16.XX.XX request queued
*Sep 14 17:25:16.017:  ++++++ CoA Attribute List ++++++
*Sep 14 17:25:16.017: 66F2DBEC 0 00000009 string-session-id(337) 8 0000007F
*Sep 14 17:25:16.017: 670B3394 0 00000009 sub-qos-policy-out(346) 11 POLICE-TEST
*Sep 14 17:25:16.017:
*Sep 14 17:25:16.017: COA: No matching entry found
*Sep 14 17:25:16.017: COA: Added Reply Message: No Matching Session
*Sep 14 17:25:16.017: COA: Added NACK Error Cause: Session Context Not Found

I know I'm sending the right session. Any help?

10 Replies

Tarik Admani
VIP Alumni

James,

Can you please post "show run | inc aaa" and a "show run | inc radius"

Thanks,

Tarik Admani
*Please rate helpful posts*

aaa new-model
aaa authentication ppp default local group radius
aaa authentication ppp mounir group radius local
aaa authorization network default local group radius
aaa authorization network mounir group radius
aaa accounting update periodic 1
aaa accounting exec mounir start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network mounir start-stop group radius
aaa server radius dynamic-author
aaa session-id common

aaa authentication ppp default local group radius
aaa authentication ppp mounir group radius local
aaa authorization network default local group radius
aaa authorization network mounir group radius
aaa accounting exec mounir start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network mounir start-stop group radius
aaa server radius dynamic-author
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute nas-port format d
radius-server host 172.20.XX.XX auth-port 1812 acct-port 1813 key thekey
radius-server key thekey

Is there a client entry defined under the "aaa server radius dynamic-author"?

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes, and I am able to send a pod message from that client successfully.

Just so we are on the same page, I am referring to the radius server being present under the configuration (when you hit show run)

aaa server radius dynamic-author

     client key xxxx

thanks,

Tarik Admani
*Please rate helpful posts*

Yes, the radius server is listed there and my pc is listed there. The actual COA message is coming from my pc but according to the documentation I have read, that shouldn't be an issue.

If my pc wasn't listed there I would have gotten a different debug message... something like no client, dropping request or something like that, correct?

My interpretation of the debug output is that my pc is listed as an allowed client, the 3845 accepts the message and tries to process it, but complains about no matching session. My pc does get the NACK response.

Again, I can send the POD message from my pc with the correct session ID and the 3845 does the disconnect as expected. Sending the COA from my pc with the correct session ID gives the above log output.

James,

What radius server are you using that is connected to this? I am wondering for COA if there has to be certain attributes (av-pairs). So basically you can disconnect users, in this case you are trying to map a specific qos configuration?

Thanks,

Tarik Admani
*Please rate helpful posts*

We are connecting to FreeRadius on a linux box so FreeRadius is doing the Authentication, Authorization, and Accounting but I'm sending the COA from my pc with code I wrote using the TinyRadius library.

Yes, I'm trying to send a cisco specific av-pair to set the qos policy.

James,

Can you send me the attributes that you are sending, are you using this attribute:

cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"

Can you run "debug aaa coa" to see if there are any other errors (or is this what you provided)?

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes, the debug output in my original message is the output from "debug aaa coa".

I have tried sending different combinations of attributes and all give the same results. The 2 attributes I sent that resulted in the debug output in my first message were:

1 - Acct-Session-Id = 0000007F

2 - Cisco-AVPair  = "ip:sub-qos-policy-out=POLICE-TEST"
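
Added example, not part of any post in this thread and written in Python rather than with the TinyRadius library mentioned above: it lays out an RFC 5176 CoA-Request carrying the two attributes listed in the last post, checks its authenticator, and decodes a CoA-NAK after verifying it against the request. The shared secret, the packet identifier and the NAK bytes are constructed for illustration; the NAK carries the Reply-Message and Error-Cause that the debug output reports.

```python
import hashlib, hmac, struct

COA_REQUEST, COA_NAK = 43, 45  # RFC 5176 packet codes
REPLY_MESSAGE, VENDOR_SPECIFIC, ACCT_SESSION_ID, ERROR_CAUSE = 18, 26, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERROR_CAUSES = {404: "Invalid Request", 503: "Session Context Not Found"}

def attr(type_, value):  # one attribute: type, length, value
    return struct.pack("!BB", type_, len(value) + 2) + value

def cisco_avpair(text):  # Cisco-AVPair nested inside Vendor-Specific
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def seal(code, ident, attrs, secret, request_auth=bytes(16)):
    # Authenticator = MD5(header + request_auth + attrs + secret). A request
    # hashes 16 zero octets; a reply hashes the request's authenticator.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify(packet, secret, request_auth=bytes(16)):
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])  # constant-time compare

def parse_attrs(packet):
    # Return [(type, value)], rejecting lengths that overrun the packet.
    end, pos, out = struct.unpack("!H", packet[2:4])[0], 20, []
    if end != len(packet):
        raise ValueError("length field does not match packet size")
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute")
        out.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out

def explain_nak(nak, secret, request):
    # Verify a CoA-NAK against its request, then return (reply_message, error_cause).
    if nak[0] != COA_NAK or nak[1] != request[1] or not verify(nak, secret, request[4:20]):
        raise ValueError("not a valid CoA-NAK for this request")
    attrs = dict(parse_attrs(nak))
    code = struct.unpack("!I", attrs[ERROR_CAUSE])[0]
    return attrs.get(REPLY_MESSAGE, b"").decode(), ERROR_CAUSES.get(code, str(code))

SECRET = b"example-secret"  # constructed placeholder, not a key from the thread
REQUEST = seal(COA_REQUEST, 1, attr(ACCT_SESSION_ID, b"0000007F")
               + cisco_avpair("ip:sub-qos-policy-out=POLICE-TEST"), SECRET)
# Constructed NAK carrying the two values the debug output reports
NAK = seal(COA_NAK, 1, attr(REPLY_MESSAGE, b"No Matching Session")
           + attr(ERROR_CAUSE, struct.pack("!I", 503)), SECRET, REQUEST[4:20])
```

A reply whose authenticator does not verify against the request and the shared secret is rejected before its Error-Cause is read, so a spoofed or altered NAK is not treated as the NAS's answer.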
