RADIUS COA on software version 12.4 using 3845 router

igor (Level 1)

We are working to provide dynamic bandwidth control by using RADIUS CoA to a 3845 router.

When we issue the CoA, the 3845 rejects the message with an invalid session id message.

We are using the following instructions to craft the RADIUS CoA message.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html

Accepted Solution

Hi Igor,

I used the same configuration as yours (only IP addresses changed). The main change is the IOS release, which is 12.2(33)SRE7. Since I moved to this IOS I also had to change to a different platform which supports that IOS.

Best regards.


8 Replies

Manuel Rodriguez (Cisco Employee)

Hello Igor,

Since the rejection reason you get is invalid session id, I would suggest starting by verifying that the accounting session id attribute you are sending in the CoA packet is the same as the one used by the session. Did you verify that? Perhaps some debugs can help with that (I would use "debug radius" and "debug aaa coa").

Also, can you provide a few more details about your setup? I understand that you are terminating some type of sessions (PPPoA, PPPoE, IP) on this 3845? A configuration of the device would also help us understand what you are doing in this setup.

Regards.

Manuel

Hi Manuel,

I have a PPPoE client running directly against the 3845, which terminates the PPPoE. Authentication, authorization and accounting work against FreeRADIUS.

Next step for us is to manage subscriber connections by sending COA to change service parameters.

Our system sends the RADIUS CoA as shown below.

You can find the packet dumps, configuration and Cisco log below.

Thank you for responding, and looking forward to your next response.

Igor

*** Example with Shaping ***

policy-map SHAPE-TEST
 class class-default
  shape average 48000

Using: cisco-avpair = "ip:sub-qos-policy-out=SHAPE-TEST"

======================== Packet capture =================================

No.     Time                          Source                Destination           Protocol Info
      1 2000-01-01 08:46:03.257911000 172.16.2.218          172.20.2.55           RADIUS   CoA-Request(43) (id=1, l=49)

Frame 1: 91 bytes on wire (728 bits), 91 bytes captured (728 bits)
    Arrival Time: Jan  1, 2000 08:46:03.257911000 Eastern Standard Time
    Epoch Time: 946734363.257911000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 91 bytes (728 bits)
    Capture Length: 91 bytes (728 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: HewlettP_af:82:b5 (2c:27:d7:af:82:b5), Dst: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
    Destination: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 172.16.2.218 (172.16.2.218), Dst: 172.20.2.55 (172.20.2.55)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 77
    Identification: 0x5b26 (23334)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0x8244 [correct]
        [Good: True]
        [Bad: False]
    Source: 172.16.2.218 (172.16.2.218)
    Destination: 172.20.2.55 (172.20.2.55)
User Datagram Protocol, Src Port: 57459 (57459), Dst Port: radius-dynauth (3799)
    Source port: 57459 (57459)
    Destination port: radius-dynauth (3799)
    Length: 57
    Checksum: 0x6ec3 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: CoA-Request (43)
    Packet identifier: 0x1 (1)
    Length: 49
    Authenticator: f8ce880960a402b9809f0c173c6c8530
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=10  t=Acct-Session-Id(44): 000000C3
            Acct-Session-Id: 000000C3
        AVP: l=19  t=Vendor-Specific(26) v=Cisco(9)
            VSA: l=13 t=Cisco-Policy-Down(38): POLICE-TEST
                Cisco-Policy-Down: POLICE-TEST

0000  00 1b 21 b3 18 58 2c 27 d7 af 82 b5 08 00 45 00   ..!..X,'......E.
0010  00 4d 5b 26 00 00 80 11 82 44 ac 10 02 da ac 14   .M[&.....D......
0020  02 37 e0 73 0e d7 00 39 6e c3 2b 01 00 31 f8 ce   .7.s...9n.+..1..
0030  88 09 60 a4 02 b9 80 9f 0c 17 3c 6c 85 30 2c 0a   ..`.......
0040  30 30 30 30 30 30 43 33 1a 13 00 00 00 09 26 0d   000000C3......&.
0050  50 4f 4c 49 43 45 2d 54 45 53 54                  POLICE-TEST

No.     Time                          Source                Destination           Protocol Info
      2 2000-01-01 08:46:03.259029000 172.20.2.55           172.16.2.218          RADIUS   CoA-NAK(45) (id=1, l=47)

Frame 2: 89 bytes on wire (712 bits), 89 bytes captured (712 bits)
    Arrival Time: Jan  1, 2000 08:46:03.259029000 Eastern Standard Time
    Epoch Time: 946734363.259029000 seconds
    [Time delta from previous captured frame: 0.001118000 seconds]
    [Time delta from previous displayed frame: 0.001118000 seconds]
    [Time since reference or first frame: 0.001118000 seconds]
    Frame Number: 2
    Frame Length: 89 bytes (712 bits)
    Capture Length: 89 bytes (712 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: IntelCor_b3:18:58 (00:1b:21:b3:18:58), Dst: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
    Destination: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 172.20.2.55 (172.20.2.55), Dst: 172.16.2.218 (172.16.2.218)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 75
    Identification: 0xe66e (58990)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (17)
    Header checksum: 0x78fd [correct]
        [Good: True]
        [Bad: False]
    Source: 172.20.2.55 (172.20.2.55)
    Destination: 172.16.2.218 (172.16.2.218)
User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 57459 (57459)
    Source port: radius-dynauth (3799)
    Destination port: 57459 (57459)
    Length: 55
    Checksum: 0xa044 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: CoA-NAK (45)
    Packet identifier: 0x1 (1)
    Length: 47
    Authenticator: 8edb97b90c05e6ed7c1ce06688723520
    [This is a response to a request in frame 1]
    [Time from request: 0.001118000 seconds]
    Attribute Value Pairs
        AVP: l=21  t=Reply-Message(18): No Matching Session
            Reply-Message: No Matching Session
        AVP: l=6  t=Error-Cause(101): Session-Context-Not-Found(503)
            Error-Cause: Session-Context-Not-Found (503)

0000  2c 27 d7 af 82 b5 00 1b 21 b3 18 58 08 00 45 00   ,'......!..X..E.
0010  00 4b e6 6e 00 00 fe 11 78 fd ac 14 02 37 ac 10   .K.n....x....7..
0020  02 da 0e d7 e0 73 00 37 a0 44 2d 01 00 2f 8e db   .....s.7.D-../..
0030  97 b9 0c 05 e6 ed 7c 1c e0 66 88 72 35 20 12 15   ......|..f.r5 ..
0040  4e 6f 20 4d 61 74 63 68 69 6e 67 20 53 65 73 73   No Matching Sess
0050  69 6f 6e 65 06 00 00 01 f7                        ione.....

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.21 10:00:43 =~=~=~=~=~=~=~=~=~=~=~=

ABN-3845#sho run
Building configuration...

Current configuration : 2831 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ABN-3845
!
boot-start-marker
boot-end-marker
!
enable password ipdradm
!
aaa new-model
!
!
aaa authentication ppp default local group radius
aaa authentication ppp mounir group radius local
aaa authorization network default local group radius
aaa authorization network mounir group radius
aaa accounting update periodic 1
aaa accounting exec mounir start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting network mounir start-stop group radius
!
aaa server radius dynamic-author
 client 172.16.2.183
 client 172.20.2.234
 client 172.20.2.204
 client 172.16.2.218
 server-key ipdradm
 port 3799
 auth-type session-key
!
aaa session-id common
dot11 syslog
!
!
ip cef
!
!
ip domain name a-bb.net
ip name-server 172.16.0.25
multilink bundle-name authenticated
!
vpdn-group mounir
 ! Default L2TP VPDN group
 accept-dialin
  protocol pppoe
  virtual-template 11
 l2tp tunnel receive-window 1024
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
policy-map POLICE-TEST
 class class-default
    police 48000 9000 18000 conform-action transmit  exceed-action drop  violate-action drop
!
!
!
!
bba-group pppoe global
 virtual-template 11
!
!
interface Loopback0
 ip address 172.29.1.5 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 172.20.2.55 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.30.1.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 pppoe enable group global
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 2
!
interface Virtual-Template11
 ip unnumbered GigabitEthernet0/1
 ppp authentication pap mounir
 ppp authorization mounir
 ppp accounting mounir
!
interface Virtual-Template15
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication pap mounir
 ppp authorization mounir
 ppp accounting mounir
!
router ospf 1
 router-id 172.29.1.5
 log-adjacency-changes
 redistribute connected subnets
 network 172.20.2.0 0.0.0.255 area 0
 network 172.29.1.5 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
logging 172.20.2.150
!
!
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server attribute nas-port format d
radius-server host 172.20.2.204 auth-port 1812 acct-port 1813 key ipdradm
radius-server key ipdradm
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password ipdradm
!
scheduler allocate 20000 1000
!
end

ABN-3845#debug aaa coa
AAA CoA packet processing debugging is on
ABN-3845#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
ABN-3845#
*Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA):Orig. component type = PPoE
*Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA): Acct-session-id pre-pended with Nas Port = 0/0/1/1
*Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
*Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
*Sep 21 13:59:05.380: RADIUS(000000BA): sending
*Sep 21 13:59:05.380: RADIUS/ENCODE: Best Local IP-Address 172.20.2.55 for Radius-Server 172.20.2.204
*Sep 21 13:59:05.380: RADIUS(000000BA): Send Accounting-Request to 172.20.2.204:1813 id 1646/40, len 322
*Sep 21 13:59:05.380: RADIUS:  authenticator 65 F4 15 61 6F AD B1 76 - 45 35 D5 42 9A 3E 2F C7
*Sep 21 13:59:05.380: RADIUS:  Acct-Session-Id     [44]  18  "0/0/1/1_000000C3"
*Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  41
*Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8d1.11a7.167a"
*Sep 21 13:59:05.380: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Sep 21 13:59:05.380: RADIUS:  Framed-IP-Address   [8]   6   10.30.1.2
*Sep 21 13:59:05.380: RADIUS:  User-Name           [1]   9   "ipdradm"
*Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  35
*Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
*Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
*Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=1000000000"
*Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
*Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=1000000000"
*Sep 21 13:59:05.380: RADIUS:  Acct-Session-Time   [46]  6   143522
*Sep 21 13:59:05.380: RADIUS:  Acct-Input-Octets   [42]  6   6382156
*Sep 21 13:59:05.380: RADIUS:  Acct-Output-Octets  [43]  6   2559911
*Sep 21 13:59:05.380: RADIUS:  Acct-Input-Packets  [47]  6   224941
*Sep 21 13:59:05.380: RADIUS:  Acct-Output-Packets [48]  6   161500
*Sep 21 13:59:05.380: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
*Sep 21 13:59:05.380: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
*Sep 21 13:59:05.380: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  15
*Sep 21 13:59:05.380: RADIUS:   cisco-nas-port     [2]   9   "0/0/1/1"
*Sep 21 13:59:05.380: RADIUS:  NAS-Port            [5]   6   16777217
*Sep 21 13:59:05.380: RADIUS:  NAS-Port-Id         [87]  9   "0/0/1/1"
*Sep 21 13:59:05.380: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Sep 21 13:59:05.380: RADIUS:  NAS-IP-Address      [4]   6   172.20.2.55
*Sep 21 13:59:05.380: RADIUS:  Unsupported         [151] 10
*Sep 21 13:59:05.380: RADIUS:   44 36 34 41 36 36 31 33                    [D64A6613]
*Sep 21 13:59:05.380: RADIUS:  Nas-Identifier      [32]  19  "ABN-3845.a-bb.net"
*Sep 21 13:59:05.380: RADIUS:  Acct-Delay-Time     [41]  6   0
*Sep 21 13:59:09.804: RADIUS: acct-timeout for 2DC0CAF4 now 5, acct-jitter -1, acct-delay-time (at 2DC0CC30) now 4
ABN-3845#
*Sep 21 13:59:32.708: RADIUS: COA  received from id 1 172.16.2.218:50186, CoA Request, len 49
*Sep 21 13:59:32.708: COA: 172.16.2.218 request queued
*Sep 21 13:59:32.708:  ++++++ CoA Attribute List ++++++
*Sep 21 13:59:32.708: 65F0A840 0 00000009 string-session-id(337) 8 000000C3
*Sep 21 13:59:32.708: 670B2A10 0 00000009 sub-policy-Out(345) 11 POLICE-TEST
*Sep 21 13:59:32.708:
*Sep 21 13:59:32.708: COA: No matching entry found
*Sep 21 13:59:32.708: COA: Added Reply Message: No Matching Session
*Sep 21 13:59:32.708: COA: Added NACK Error Cause: Session Context Not Found
*Sep 21 13:59:32.708: COA: Sending NAK from port 3799 to 172.16.2.218/50186
*Sep 21 13:59:32.708: RADIUS:  18  21  4E6F204D61746368696E672053657373696F6E
*Sep 21 13:59:32.708: RADIUS:  101 6   000001F7
ABN-3845#


Hi Igor,

Thanks for the reply. The one thing that calls for my attention is that in the accounting request packet we see the accounting session id with some extra information prepended at the beginning:

*Sep 21 13:59:05.380: RADIUS:  Acct-Session-Id     [44]  18  "0/0/1/1_000000C3"

I can see that the accounting session id in the CoA is 000000C3:

*Sep 21 13:59:32.708: 65F0A840 0 00000009 string-session-id(337) 8 000000C3

Not sure why we see the Acct-Session-Id with this format. Perhaps you can let me know exactly which IOS release you are using here, and I can give this a try in a lab to see what may be happening with the CoA processing in this device? Perhaps a full show tech from the device would be good to have a better idea.

Best regards.
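As an added example (not code from the thread, from Cisco or from FreeRADIUS), the Python below decodes the CoA-Request and CoA-NAK from the capture earlier in the thread and carries out the two checks Manuel asks for: the check from his first reply, whether the Acct-Session-Id sent in the CoA is the one the session actually uses (compared here against the "0/0/1/1_000000C3" value the NAS reported in the Accounting-Request debug), and a verification of the CoA Request Authenticator against the server-key configured under aaa server radius dynamic-author. The RADIUS bytes, the session ids and the key are copied from the thread; the parser, the diagnosis labels and the packet builder are my own construction, with attribute numbers as in RFC 2865 / RFC 5176 and Wireshark's decode above.

```python
"""Decode the CoA-Request / CoA-NAK pair from the capture and run two checks:
does the Acct-Session-Id in the CoA equal the one the NAS reported in accounting,
and does the Request Authenticator match the dynamic-author server-key (RFC 5176, 2.3)."""
import hashlib
import struct

# RADIUS payloads copied from the two hex dumps in the thread, with the 42 bytes of
# Ethernet/IP/UDP headers stripped: frame 1 (CoA-Request) and frame 2 (CoA-NAK).
COA_REQUEST_HEX = ("2b010031" "f8ce880960a402b9809f0c173c6c8530"
                   "2c0a3030303030304333"                      # Acct-Session-Id "000000C3"
                   "1a1300000009260d504f4c4943452d54455354")  # Cisco VSA 38 "POLICE-TEST"
COA_NAK_HEX = ("2d01002f" "8edb97b90c05e6ed7c1ce06688723520"
               "12154e6f204d61746368696e672053657373696f6e"  # Reply-Message
               "6506000001f7")                                # Error-Cause 503
NAS_ACCT_SESSION_ID = "0/0/1/1_000000C3"   # Acct-Session-Id from the Accounting-Request debug
SERVER_KEY = b"ipdradm"                     # server-key under aaa server radius dynamic-author

ATTR_REPLY_MESSAGE, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 18, 26, 44, 101
CISCO_VENDOR_ID = 9
CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45


def parse_radius(data):
    """Split a RADIUS packet into header fields and a list of (type, value) AVPs.
    Vendor-Specific AVPs are returned as (26, (vendor_id, vendor_type, value))."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field %d does not fit %d received bytes" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            # Vendor-Id (4) + Vendor-Type (1) + Vendor-Length (1, covers itself and the type) + data
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed Vendor-Specific attribute at offset %d" % pos)
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:])
        attrs.append((atype, value))
        pos += alen
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def attr_value(pkt, atype, default=None):
    """First value of the given attribute type, or default if absent."""
    return next((v for t, v in pkt["attrs"] if t == atype), default)


def coa_session_id(pkt):
    sid = attr_value(pkt, ATTR_ACCT_SESSION_ID)
    return None if sid is None else sid.decode("ascii")


def error_cause(pkt):
    raw = attr_value(pkt, ATTR_ERROR_CAUSE)
    return None if raw is None else struct.unpack("!I", raw)[0]


def diagnose_session_id(coa_sid, nas_sid):
    """The NAS only matches a CoA to a session on an exact Acct-Session-Id comparison;
    label the case from the thread where the CoA carries just the tail of the NAS value."""
    if coa_sid == nas_sid:
        return "match"
    if nas_sid.endswith(coa_sid):
        return "coa-id-is-suffix-of-nas-id"
    return "mismatch"


def request_authenticator(packet, secret):
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()


def verify_request_authenticator(packet, secret):
    return request_authenticator(packet, secret) == packet[4:20]


def verify_response_authenticator(response, request, secret):
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) for ACK/NAK."""
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return digest == response[4:20]


def cisco_vsa(vendor_type, value):
    """Value field of a Vendor-Specific AVP for vendor 9 (Cisco)."""
    return struct.pack("!IBB", CISCO_VENDOR_ID, vendor_type, len(value) + 2) + value


def build_packet(code, identifier, attrs, secret, request=None):
    """Assemble a CoA packet: a request gets a Request Authenticator, a response
    (request given) gets a Response Authenticator over the request's authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    seed = bytes(16) if request is None else request[4:20]
    return header + hashlib.md5(header + seed + body + secret).digest() + body


if __name__ == "__main__":
    raw_req = bytes.fromhex(COA_REQUEST_HEX)
    req, nak = parse_radius(raw_req), parse_radius(bytes.fromhex(COA_NAK_HEX))
    sid = coa_session_id(req)
    print("CoA-Request id=%d Acct-Session-Id=%s -> %s" % (
        req["identifier"], sid, diagnose_session_id(sid, NAS_ACCT_SESSION_ID)))
    print("CoA-NAK: %s (Error-Cause %d)" % (
        attr_value(nak, ATTR_REPLY_MESSAGE).decode("ascii"), error_cause(nak)))
    print("Request Authenticator verifies with server-key:",
          verify_request_authenticator(raw_req, SERVER_KEY))
```

Run stand-alone it reports the captured request's session id as a suffix of what the NAS sent in accounting, which is exactly the condition the NAK's Error-Cause 503 (Session-Context-Not-Found) describes; the authenticator check is the one a dynamic-author client should pass before the NAS will even look at the attributes, and a CoA from an address not listed as a client, or with the wrong key, never reaches the session lookup at all.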

Hi Manuel, we are following the instructions here:

https://supportforums.cisco.com/docs/DOC-16677

Show tech below:

http://pastebin.com/LzCxZhJ8

Hello Igor,

Hope you are doing well. First of all, sorry it took me so long to reply to you. I have done some tests for this. Let me describe to you what I've done:

- First I tried this with a 3845 and IOS 12.4(15)T10. I could see the same issue you see.

- I moved to a 7200 to rule out that this may be a 3845 platform limitation. On the 7200 using IOS 12.4(15)T10, I got the same result.

- I then tried 12.2(33)SRE7 on a c7200 and I was able to apply the QoS policy with a CoA.

From this, my conclusion is that there is some issue/limitation in the IOS release you are trying to use on the c3845.

My recommendation would be for you to open a TAC case so you can have a formal answer on whether the functionality is supported in the platform/IOS release you are using and whether the behavior you see is a consequence of a SW issue.

If you open a TAC case, you can use the comments we have shared in this thread to provide some background for the engineer who will be handling your case.

Best regards.

Hi Manuel, thank you so much for spending the time to look into this.

Did you have to make any configuration changes to make it happen, or did you just use a similar configuration to mine?

Thanks again,

Igor

Hi Igor,

I used the same configuration as yours (only IP addresses changed). The main change is the IOS release, which is 12.2(33)SRE7. Since I moved to this IOS I also had to change to a different platform which supports that IOS.

Best regards.

Hello Manuel,

Could you share the 7200 model and what cards you have in the 7200?

I am going to get one for our purposes.

Igor
