12-15-2013 01:52 PM - edited 03-10-2019 09:11 PM
Dears,
How do I make the WLC receive a PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients?
Thanks,
12-16-2013 03:51 AM
Ahmed,
Here is the wireless controller side of it if this is a Cisco one:
config radius auth rfc3576 {enable | disable} index
Enables or disables RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed
12-16-2013 05:35 AM
Thanks for the reply, but I mean: which message can the external RADIUS server send to the Wireless LAN Controller to disconnect a client session?
Thanks,
12-16-2013 04:12 PM
Hi Ahmed,
It's not documented well, but here it is:
CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
If a user has to be logged out, the following attributes are expected:
- SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the value SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
- SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed if we want to delete a particular user session via a particular device (like PDA, phone or PC)
- SSH_RADIUS_AVP_USER_NAME(1)
If a management user has to be logged out, the following attributes are expected:
- SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the value SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE or SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
- SSH_RADIUS_AVP_USER_NAME(1)
- SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
E.g.:
*Dec 17 12:59:08.926: Packet contains 14 AVPs:
*Dec 17 12:59:08.926: AVP[01] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:08.926: AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926: AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:08.926: AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
*Dec 17 12:59:08.926: AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
*Dec 17 12:59:08.926: AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
*Dec 17 12:59:08.926: AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:08.926: AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*Dec 17 12:59:08.926: AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
*Dec 17 12:59:08.926: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926: AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:08.926: AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
*Dec 17 12:59:34.044: Packet contains 6 AVPs:
*Dec 17 12:59:34.044: AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:34.044: AVP[02] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:34.044: AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:34.044: AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:34.044: AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:34.044: AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
*Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed
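The attribute list and the debug output in Ed's post can be checked offline with the following Python encoder/decoder, added here as an example and not code from the thread or from Cisco. It builds a Disconnect-Request (RFC 5176, formerly RFC 3576) carrying the user-session AVPs listed above, computes the Request Authenticator, and validates the Response Authenticator of a Disconnect-ACK/NAK before reading its Error-Cause. The shared secret, packet identifier and the constructed NAS reply are assumptions for the demo.

```python
import hashlib
import struct

# RADIUS packet codes for Dynamic Authorization (RFC 5176, formerly RFC 3576)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types used for session identification (numbers from RFC 2865 / RFC 5176)
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID, ERROR_CAUSE = 1, 4, 6, 31, 101
SERVICE_TYPE_LOGIN = 1

def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([attr_type, 2 + len(value)]) + value

def build_disconnect_request(secret, identifier, username, calling_station_id, nas_ip):
    """Disconnect-Request for a wireless client with the AVPs the post says the WLC expects."""
    attrs = b"".join([
        avp(USER_NAME, username.encode()),
        avp(CALLING_STATION_ID, calling_station_id.encode()),
        avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        avp(SERVICE_TYPE, SERVICE_TYPE_LOGIN),
    ])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator: MD5 over the packet with a zeroed authenticator field, then the secret.
    # The NAS must verify this, so only a sender holding the shared secret can tear down sessions.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_response(packet, request, secret):
    """Check a Disconnect-ACK/NAK's Response Authenticator, return (code, Error-Cause or None)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:length] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator: reply not from the NAS or wrong secret")
    error_cause, pos = None, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute")
        if t == ERROR_CAUSE:  # e.g. 503 = Session Context Not Found, as in the WLC debug above
            error_cause = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += l
    return code, error_cause

def build_response(code, request, secret, error_cause=None):
    """Constructed NAS reply for the offline demo (assumption: no real WLC is contacted)."""
    attrs = avp(ERROR_CAUSE, error_cause) if error_cause is not None else b""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs
```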
09-09-2014 07:58 AM
Hello, Ed!
What is the format of messages for CoA? I've added User-Name and Service-Type, but the WLC wants something else:
*radiusRFC3576TransportThread: Sep 09 18:48:18.990: Invalid attributes received in 'RFC-3576 CoA-Request' from 11.1.7.240