11-07-2013 07:46 AM - edited 03-01-2019 02:43 PM
Hello Guys,
I am using a Cisco 2951 with 15.3(3)M1, and when doing some tests with CoA I got the following error:
*Nov 7 10:34:24.780: COA: 1.1.1.1 request queued
*Nov 7 10:34:24.780: RADIUS: authenticator 52 CF BB 58 BB D5 69 4E - 59 3B 09 75 E9 83 54 4C
*Nov 7 10:34:24.780: RADIUS: User-Name [1] 2 ""
*Nov 7 10:34:24.780: RADIUS: Acct-Session-Id [44] 10 "0000002B"
*Nov 7 10:34:24.780: RADIUS: Vendor, Cisco [26] 42
*Nov 7 10:34:24.780: RADIUS: Cisco AVpair [1] 36 "subscriber:command=reauthenticate "
*Nov 7 10:34:24.780: RADIUS: Message-Authenticato[80] 18
*Nov 7 10:34:24.780: RADIUS: B6 78 8B EA DE 3B 73 26 57 53 C0 E7 47 89 2C 6D [ x;s&WSG,m]
*Nov 7 10:34:24.780: COA: Message Authenticator decode passed
*Nov 7 10:34:24.780: ++++++ CoA Attribute List ++++++
*Nov 7 10:34:24.780: 01EEAF6C 0 00000081 username(450) 0
*Nov 7 10:34:24.780: 01EEB7EC 0 00000001 session-id(408) 4 43(2B)
*Nov 7 10:34:24.780: 01EEB820 0 00000081 ssg-command-code(490) 1 32
*Nov 7 10:34:24.780:
*Nov 7 10:34:24.780: ++++++ Received CoA response Attribute List ++++++
*Nov 7 10:34:24.780: 01EEB7EC 0 00000082 reply-message(273) 16 No valid Session
*Nov 7 10:34:24.780: 01EEB820 0 00000002 error-cause(272) 4 Session Context Not Found
This is very strange, because the session-id is correct.
Can anyone advise me on this? Thanks!
David
11-08-2013 07:31 AM
Hi David,
One thing that calls my attention is that in the logs the username in the CoA shows like "testguy1@xx.xx".
Also the domain shows like "xxx.xx" in the session status:
Identifier: Auth-Domain = "xxx.xx"
However, the username seems to be "testguy1@link.bm".
Is this displaying like that or are you changing it by any chance?
On the other hand, I was checking on the support for CoA on this platform and SW version. In the Cisco Feature Navigator (http://tools.cisco.com/ITDIT/CFN/) I could not find CoA being supported here. The only reference for CoA on this SW release is for 802.1x but I'm afraid that is not what is needed here. Not sure if this is supposed to work here. Was it working before?
I've used CoA with a different key also. Something like:
Cisco-Account-Info = "S1.1.1.2" ===> where 1.1.1.2 is the subscriber IP.
Perhaps you can try a CoA like that to see if it makes any difference. If not, try a reload just to see if it helps. If to no avail, I would suggest opening a TAC case. As I mentioned, it seems like CoA is not really supported for this product and release but, if you want to have an official confirmation, it is better to do it via a TAC case.
Best regards.
11-08-2013 01:19 AM
Hi David,
Was the CoA working before or are you just trying it?
Did you try adding the username as well? I see it's empty in the log you included.
Can you also take 'show subscriber session uid X detail internal' for the session (I hope this is available in 2951 as I never tried it on that platform). It should allow us to see the session keys.
Regards.
11-08-2013 06:36 AM
Hello Manuel,
Thanks for all your help. Here is the show output
LNS#show subscriber session uid 47 detailed internal
Subscriber session handle: EC00005E, state: connected, service: Local Term
Unique Session ID: 47
Identifier: testguy1@xxx.xx
SIP subscriber access type(s): VPDN/PPP
Root SIP Handle: 5300005D, PID: 313
Child SIP Handle: 7900002F, PID: 318
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 19:52:55, Last Changed: 19:52:55
Switch handle: 211E
Interface: Virtual-Access2.2
Policy information:
Context 10EC39C0: Handle 7B00002F
AAA_id 0000003B: Flow_handle 0
Authentication status: authen
Policy internals:
Policy state : wait-for-events
Authorization type : AAA service
Active key : apply-config-only
Authorization active key : Auth-User
Last top level rule type : session-service-found
Client : SM
Last message from client : Apply Config Success
Last message to client : Apply Config Success
Current key list from client :
Identifier: Auth-Domain = "xxx.xx"
Identifier: Protocol-Type = 0 (PPP Access Protocol)
Identifier: Session-Handle = 3959423070 (EC00005E)
Identifier: Tunnel-Name = "LNS"
Identifier: Media-Type = 2 (IP)
Identifier: Input Interface = "GigabitEthernet0/1.2000"
Identifier: AAA-Acct-Enbl = 1 (YES)
Identifier: Authen-Status = 0 (Authenticated)
Identifier: Nasport = Vty Terminal: port 47 IP 69.17.193.90
Identifier: Auth-User = "testguy1@link.bm"
Network plumbing done yet : Yes
Network plumbing directive proposed : None
AIE handle : 2B00002F
AIE user ID : 47
AAA user ID : 0000003B/59
Authorization index : 0
Authorization priority : 1
Context : 7B00002F
North handle : 00000000
North callback : 00000000
South handle : EC00005E
South callback : 06B898A8
Current access-type : PPP
All access-types : [0] VPDN
: [1] PPP
No more keys available from : PPP
Session activated : Yes
Session inbound features:
Feature: QoS Policy Map
Input Policy Map: INTERNET-15Mb-IN
Session outbound features:
Feature: QoS Policy Map
Output Policy Map: INTERNET-15Mb-OUT
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 19:52:55
Pending status associated with this session:
Bind status: Success, Delay delete: No, Pending mask: 0
And the debug output for a reauthenticate command
*Nov 8 10:21:58.367: RADIUS: COA received from id 1 x.x.x.x:60590, CoA Request, len 108
*Nov 8 10:21:58.367: COA: x.x.x.x request queued
*Nov 8 10:21:58.367: RADIUS: authenticator 1D 92 FF 04 43 EA 0E 11 - DE 49 2F AE 81 46 42 78
*Nov 8 10:21:58.367: RADIUS: User-Name [1] 18 testguy1@xx.xx
*Nov 8 10:21:58.367: RADIUS: Acct-Session-Id [44] 10 "0000003B"
*Nov 8 10:21:58.367: RADIUS: Vendor, Cisco [26] 42
*Nov 8 10:21:58.367: RADIUS: Cisco AVpair [1] 36 "subscriber:command=reauthenticate "
*Nov 8 10:21:58.367: RADIUS: Message-Authenticato[80] 18
*Nov 8 10:21:58.367: RADIUS: 7F CA 0A 96 A7 4C 5F 05 57 33 4D 36 D6 7A 37 7E [ L_W3M6z7~]
*Nov 8 10:21:58.367: COA: Message Authenticator decode passed
*Nov 8 10:21:58.367: ++++++ CoA Attribute List ++++++
*Nov 8 10:21:58.367: 01FCE77C 0 00000081 username(450) 16 testguy1@xx.xx
*Nov 8 10:21:58.367: 01FCFBAC 0 00000001 session-id(408) 4 59(3B)
*Nov 8 10:21:58.367: 01FCFBE0 0 00000081 ssg-command-code(490) 1 32
*Nov 8 10:21:58.367:
*Nov 8 10:21:58.367: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov 8 10:21:58.367: RADIUS(00000000): sending
*Nov 8 10:21:58.367: RADIUS(00000000): Send CoA Nack Response to 69.17.193.4:60590 id 1, len 62
*Nov 8 10:21:58.367: RADIUS: authenticator A3 EC 85 01 C3 31 E2 B3 - 25 22 38 79 DA 8E 95 46
*Nov 8 10:21:58.367: RADIUS: Reply-Message [18] 18
*Nov 8 10:21:58.367: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
*Nov 8 10:21:58.367: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
*Nov 8 10:21:58.367: RADIUS: Message-Authenticato[80] 18
*Nov 8 10:21:58.367: RADIUS: AC 83 2A 7C DE 7D 78 8E B7 91 C9 F0 16 8B 86 D2 [ *|}x]
Even the PoD is not working
*Nov 8 10:24:04.022: RADIUS: POD received from id 4 x.x.x.x:57061, POD Request, len 66
*Nov 8 10:24:04.022: POD: 69.17.193.4 request queued
*Nov 8 10:24:04.022: ++++++ POD Attribute List ++++++
*Nov 8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16
*Nov 8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)
*Nov 8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7
*Nov 8 10:24:04.022:
*Nov 8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov 8 10:24:04.022: RADIUS(00000000): sending
*Nov 8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44
*Nov 8 10:24:04.022: RADIUS: authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86
*Nov 8 10:24:04.022: RADIUS: Reply-Message [18] 18
*Nov 8 10:24:04.022: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
*Nov 8 10:24:04.022: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
*Nov 8 10:24:04.022: RADIUS: POD received from id 4 x.x.x.x:57061, POD Request, len 66
*Nov 8 10:24:04.022: POD: x.x.x.x request queued
*Nov 8 10:24:04.022: ++++++ POD Attribute List ++++++
*Nov 8 10:24:04.022: 01FCFBAC 0 00000081 username(450) 16 testguy1@xxx.xx
*Nov 8 10:24:04.022: 01FCE77C 0 00000001 session-id(408) 4 59(3B)
*Nov 8 10:24:04.022: 01FCE7B0 0 00000081 Message-Authenticator(274) 16 20 2C D0 32 B2 B7 70 BC CE 0F 57 30 8A 0B 52 B7
*Nov 8 10:24:04.022:
*Nov 8 10:24:04.022: RADIUS/ENCODE(00000000):Orig. component type = Invalid
*Nov 8 10:24:04.022: RADIUS(00000000): sending
*Nov 8 10:24:04.022: RADIUS(00000000): Send Disconnect Nack Response to x.x.x.x:57061 id 4, len 44
*Nov 8 10:24:04.022: RADIUS: authenticator 86 6C A4 7E EC E6 D8 DA - 30 03 38 E7 51 03 78 86
*Nov 8 10:24:04.022: RADIUS: Reply-Message [18] 18
*Nov 8 10:24:04.022: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session]
*Nov 8 10:24:04.022: RADIUS: Dynamic-Author-Error[101] 6 Session Context Not Found [503]
Thanks!!
David
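The request and NAK in the debugs above, worked through in Python as an added example (not code from the thread or from Cisco): it encodes the 108-byte CoA-Request (User-Name, Acct-Session-Id, the Cisco AVpair and Message-Authenticator), performs the check the router logs as "Message Authenticator decode passed", and builds and verifies the 62-byte CoA-NAK carrying Error-Cause 503 "Session Context Not Found". Assumptions: the RFC 5176/3579 authenticator rules, Cisco vendor id 9 with sub-types 1 (Cisco-AVPair) and 250 (Cisco-Account-Info, for the "S<subscriber-IP>" key Manuel suggests), and a constructed shared secret.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_NAK = 43, 45                        # RFC 5176 packet codes
USER_NAME, REPLY_MESSAGE, VSA, ACCT_SESSION_ID = 1, 18, 26, 44
MSG_AUTH, ERROR_CAUSE = 80, 101                      # Error-Cause 503 = Session Context Not Found
CISCO, CISCO_AVPAIR, CISCO_ACCOUNT_INFO = 9, 1, 250  # vendor id and Cisco sub-types (assumed)

def avp(t, v):  # one attribute: type, length (= len(value) + 2), value
    return struct.pack("!BB", t, 2 + len(v)) + v

def cisco_vsa(subtype, text):  # Vendor-Specific(26) wrapping one Cisco sub-attribute
    return avp(VSA, struct.pack("!I", CISCO) + avp(subtype, text.encode()))

def split_avps(data):  # -> list of (type, value)
    out, i = [], 0
    while i < len(data):
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def _msg_auth(secret, hdr, auth, attrs):  # HMAC-MD5 with Message-Authenticator zeroed (RFC 3579 s3.2)
    zeroed = b"".join(avp(t, bytes(16) if t == MSG_AUTH else v) for t, v in attrs)
    return hmac.new(secret, hdr + auth + zeroed, hashlib.md5).digest()

def encode(secret, code, ident, attrs, req_auth=None):
    """CoA-Request (req_auth=None): HMAC and Request Authenticator both use an all-zero
    authenticator field (RFC 5176 s2.3, s3.1); a response uses the request's (RFC 2865 s3)."""
    attrs = split_avps(b"".join(attrs) + avp(MSG_AUTH, bytes(16)))
    hdr = struct.pack("!BBH", code, ident, 20 + sum(2 + len(v) for _, v in attrs))
    auth = req_auth if req_auth is not None else bytes(16)
    body = b"".join(avp(t, _msg_auth(secret, hdr, auth, attrs) if t == MSG_AUTH else v) for t, v in attrs)
    return hdr + hashlib.md5(hdr + auth + body + secret).digest() + body

def verify(secret, pkt, req_auth=None):
    """Both authenticators must match (router: 'Message Authenticator decode passed'; client: ACK/NAK)."""
    hdr, body, attrs = pkt[:4], pkt[20:], split_avps(pkt[20:])
    auth = req_auth if req_auth is not None else bytes(16)
    mac = _msg_auth(secret, hdr, auth, attrs)
    return (hmac.compare_digest(hashlib.md5(hdr + auth + body + secret).digest(), pkt[4:20])
            and any(t == MSG_AUTH and hmac.compare_digest(v, mac) for t, v in attrs))

def demo(secret=b"constructed-secret"):  # the exchange from the debugs, with a made-up secret
    req = encode(secret, COA_REQUEST, 1, [avp(USER_NAME, b"testguy1@link.bm"),
                 avp(ACCT_SESSION_ID, b"0000003B"), cisco_vsa(CISCO_AVPAIR, "subscriber:command=reauthenticate ")])
    nak = encode(secret, COA_NAK, req[1], [avp(REPLY_MESSAGE, b"No valid Session"),
                 avp(ERROR_CAUSE, struct.pack("!I", 503))], req[4:20])
    cause = next((struct.unpack("!I", v)[0] for t, v in split_avps(nak[20:]) if t == ERROR_CAUSE), None)
    return len(req), verify(secret, req), len(nak), verify(secret, nak, req[4:20]), cause
```

Whatever key the CoA carries, a NAK with Error-Cause 503 is a session-lookup failure on the router, not an authentication failure: the shared secret and Message-Authenticator were already accepted before the lookup ran.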
11-20-2013 07:06 AM
Thanks Manuel. Very appreciated.
11-20-2013 07:14 AM
Hi David,
No problem. Were you able to test the CoA using session ID like:
Cisco-Account-Info = "S1.1.1.2"? Any luck?
Also, one thing I noticed from your debugs is that you are using a reauthenticate command in the CoA. Any specific reason to do that for a VPDN session? Did you try to do the CoA with a different command like a session query or an account logoff? Did you end up opening a TAC case?
Just want to verify if your issue was indeed solved
Best regards.
11-20-2013 07:20 AM
Hello Manuel,
It did not solve it, I'm afraid. I did open a Cisco SR. The answer after one week of troubleshooting was that CoA is an ISG feature and it is not compatible with the router acting as an LNS. No word on whether the 2951 supports it or not.
Will a true ISG, like the ASR1001, support LNS and ISG features like CoA?
Thanks Manuel!
11-20-2013 07:22 AM
Will a true ISG, like the ASR1001, support LNS and ISG features like CoA simultaneously?
11-20-2013 07:33 AM
Hi David,
On an ASR1k, ISG, CoA and LNS are certainly supported and working together. I've seen this plenty of times. I cannot speak for the 2951 I'm afraid as I'm not normally working with that platform. The comment I made before regarding the support there was based simply on what I could see in the cisco.com feature navigator.
I think you should still give it a try using the session identifier as I suggested and also try a different CoA command (not sure if reauthenticate is something we are supposed to do for a PPP session as that is normally used for 802.1x).
Best regards.
11-20-2013 07:53 AM
Hello Manuel,
Even the Packet of Disconnect is not working, and it should. At least the Feature Navigator says it is supported on the 2951. Do you have any recommendation for an attribute to force the subscriber to re-authenticate again?
11-20-2013 08:12 AM
Hi David,
Indeed the PoD is a concern, but I'm just thinking of giving the CoA a try with the session ID as I mentioned to see if there is any luck.
Also, what is your requirement exactly? Why do you need to re-authenticate the session?
Cheers
11-22-2013 10:21 AM
Hello Manuel,
What we want to do is to force the subscriber to restart its session again to apply the settings to the session. Just this. Any thoughts on how we can do it?
Thanks!!!!