Using COA, Change of Authorization for Access and BNG platforms


Introduction

In access deployments using RADIUS, the Access-Accept can carry reply items back to the NAS, which lets us apply per-user configuration that alters the base template or enables extra features. Once applied, these features normally can't change, since RADIUS by itself has no mechanism for re-authorization. COA (Change of Authorization) was developed for that purpose: it allows an active session's configuration to be changed based on effectively a new set of reply items that are pushed to the NAS.

** Download a COA client for windows, MAC or linux below **

Latest version is v3.1 January 2017


The terms NAS (network access server), BRAS (Broadband Remote Access Server) and BNG (Broadband next generation) are used interchangeably; they all refer to the same concept of aggregating subscribers.

Typically NAS is used in modem access scenarios, BRAS for PPPoA and PPPoE termination, whereas BNG involves the concept of subscriber policies along with IP session termination (including PPPoX).


Core Issue

RADIUS servers are available in open source form on the web; for instance the Livingston RADIUS server and FreeRADIUS are very popular. Vendors have also provided their own RADIUS servers, such as Cisco Secure ACS. However, there is not a wide variety of COA tools out there unless they come with a "portal" type implementation, in which COA is generally leveraged a lot. In this article I present a COA tool that can be used from a normal Linux station, allowing you to pass a COA request to a NAS of your choice. The usage of the tool is explained, as well as the key parameters you need to provide in order to make a successful COA request.

Feature changes support with COA

Which features can be changed via COA is highly dependent on the platform and software release being run. The COA tool encapsulates your attributes and sends them to the NAS, but it is the NAS's responsibility to apply the features and to report a proper status back on whether it applied them.

Features support in COA tool

  • Up to 10 attributes to be included in the COA request
  • Change of Authorization and Packet of Disconnect support
  • Random source ports or manually configurable
  • Encoding of the cisco-avpair subscriber:password="password" for account logon in VSA 249
  • Extended debug capability
  • Configurable via CLI or Configuration file
  • Request timeout support
  • Multi thread support
  • Encoding of strings, ip addresses and integers
  • Currently supported on Linux and W32 (Solaris is no longer supported or maintained!)
  • IPv6 Encoding
  • Various binary ISG codes supported (0A, 0B, 04 etc)

NAS configuration

The minimum configuration required for IOS looks like this:

IOS

aaa server radius dynamic-author
client 3.0.0.38
client 3.0.0.1
server-key cisco
auth-type any

client defines from which source IP addresses a COA request is accepted. Requests from sources not in the list are ignored.

server-key is the shared key used for the MD5 authenticator computation and must match what the COA client is using.

auth-type defines which attributes are used for session identification.

     For instance, if you provide both the Accounting-Session-Id and the User-Name, auth-type any means that the first session found that matches EITHER one of these check items will be subject to modification.

     auth-type all means that all check items must match.

Starting with 4.2.0, IOS-XR for the ASR9000 has BNG with COA support as well. Here is the configuration required in IOS-XR:

IOS-XR

aaa server radius dynamic-author
port 1700
server-key cisco
auth-type any

client 3.0.0.38 vrf default server-key cisco

A global server key as well as a per-client key can be configured. The listen port is configurable too (the same applies in IOS; it is omitted from the IOS config above because port 1700 is the IOS default).

COA Check items


To target a specific session you can use various attributes such as Framed-IP-Address, User-Name or Accounting-Session-Id.

It is recommended to always specify the Accounting-Session-Id (attribute 44). The reason is that this attribute references a single session on any BNG, as this number must be unique. The internal code lookups are much faster with this attribute than with User-Name or Framed-IP-Address, which result in a linear walk. Also, User-Name and Framed-IP-Address (sessions with the same IP address in different VRFs) may not be unique on the device.

To provide extra safety and make sure you are targeting the right session, you can configure auth-type match-all and send the Acct-Session-Id (44) as well as the User-Name (1) to get a fast lookup AND the assurance that this username is indeed the one we had in mind altering.

How to find the Accounting-Session-Id

You can look up the accounting session ID in the RADIUS accounting records, but in IOS or XR you can also find the ID rather easily on the device.

Note that the Accounting-Session-Id is generally a string that is perceived to be an integer.

In IOS the radius-record may prefix the acct-session-id STRING with a nas-port identifier like this:

Accounting Record

Thu May 26 10:22:59 2011
        Acct-Session-Id = "1/0/0/100.1_000000BA"
        Cisco-avpair = "ip:sub-qos-policy-out=briana"
        Framed-Protocol = PPP

IOS strips the prefix and uses only the 8 rightmost digits as the accounting session ID. In COA requests you could omit the leading 0's and just use "BA" as the ID; however, at the time of writing IOS-XR does a string match and wants to see all 8 digits together.

In IOS

Step 1: Find the subscriber of interest

NPE-G1#show subscr ses
Current Subscriber Information: Total sessions 1

Uniq ID Interface  State         Service      Identifier           Up-time
44      IP         authen        Local Term   0017.0e43.a1ac       00:00:29
45      Traffic-Cl unauthen      Ltm Internal                      00:00:29
46      Traffic-Cl unauthen      Ltm Internal                      00:00:29

NPE-G1#

Step 2: Take the subscriber's internal ID and locate its record ID in the AAA database

NPE-G1#show subscr ses uid 44 det | i AAA_id
AAA_id 0000001B: Flow_handle 0
NPE-G1#

Step 3: Look into the AAA database for the found record to see what the accounting session id is.

For ISG sessions look at the parent-session-id; for regular subscribers look at the session-id.

NPE-G1#sh aaa user 0x1B | i session-id
65684778 0 00000001 session-id(353) 4 48(30)
656848B0 0 00000001 session-id(353) 4 49(31)
656848F0 0 00000009 parent-session-id(352) 8 00000034
NPE-G1#

In IOS-XR

Step 1: Find the subscriber of interest:

RP/0/RSP1/CPU0:A9K-BOTTOM#show subscr sess all
Thu May 26 10:37:17.115 EDT
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, EN - End

Type         Interface                State     Subscriber-IP
                                                LNS Address
-------------------------------------------------------------------------
PPPoE:PTA    BE1001.100.pppoe4        AC        199.1.1.9:default <<<
PPPoE:PTA    BE1001.200.pppoe5        AC        199.1.1.10:RED
IP:DHCP      BE1001.2.ip3             AC        172.28.15.14:default
PPPoE:LAC    BE1001.300.pppoe6        AC        2.2.2.100

Step 2: Detail the subscriber interface

RP/0/RSP1/CPU0:A9K-BOTTOM#show subscriber session filter interface bundle-e1001.100.pppoe4 detail
Thu May 26 10:38:42.647 EDT
Interface:                Bundle-Ether1001.100.pppoe4
Circuit ID:               Unknown
Remote ID:                "XTH_TEST"
Type:                     PPPoE:PTA
IP Address:               199.1.1.9, VRF: default
Mac Address:              000b.5f2c.ef01
Account-Session Id:       00000067
Nas-Port:                 Unknown
Username:                 test
Subscriber Label:         0x00000067
Created:                  Tue May 24 12:00:57 2011
State:                    Activated
Access-interface:         Bundle-Ether1001.100

<output omitted>

COA Tool Manual

The COA tool requires a little bit of RADIUS attribute knowledge: attributes are identified by their enumerated numbers rather than by their names. You can use the dictionary file (attached) to map names to numbers should you need that.

The options can all be specified via the CLI, or they can be provided in a flat config file for ease of use and easy scripting.

The tool supports POD (Packet of Disconnect) as well as COA requests.

options:

Option          Explanation
-n <ip addr>    The IP address of the NAS that you want to send this COA request to.
-N <ipv6>       The IPv6 address of the NAS to be targeted (new in v3.0). Provide either -n or -N.
-p <int>        The destination port on the NAS that is listening for COA requests (normally 1700).
-k <string>     The secret key used for the MD5 hash computation; this must match the definition on the BNG/NAS router.
-d              No sub-argument needed. Tells the tool to send a POD (Packet of Disconnect) request rather than a COA request. If the session is found it will be terminated.
-t <integer>    By default the tool waits indefinitely for a response from the NAS. The timeout option makes the tool wait the given number of seconds before it exits.
-s <int>        Normally the tool selects a random source port from which to originate the request and on which to listen for the response. Use this option to specify the source port manually. If a COA request on station X is already using source port Q and the tool is waiting for a response, a second request fired from the same station X cannot use source port Q; an error will be thrown (socket / bind error).
-f <string>     Configuration file that holds the parameters described in the config file section below.
-0 to -9        Attributes to include in the request; see below.
-e              Decode the response from the NAS into attribute (integer) and value (string).
-r [0-255]      Provide a static request ID; if omitted or out of bounds a random value is generated.
-x              Extended debug output, to follow what the tool is doing.

The tool has the option for 6 attributes to be specified. The format is attribute_number,value

The value is always taken to be a string, which means that if there are spaces involved you need to enclose the string in quotes, e.g. 18,"this is a test string"

If you want a certain value to be sent as an integer, for instance for the Session-Timeout (27), then prefix the value with the word INT.

example: 27,INT100 to send an integer value of 100

If you need to send an IP address, such as for Framed-IP-Address, then prefix the IP with IP.

example: 8,IP255.255.255.254

You can use the sample dictionary file attached to look up the attribute name, number and type (int, ip, string).

If you have an IPv6 address to encode, use the prefix V6 followed by the IPv6 address.

example: 98,"V6fe80::260:1111:feff:ffff"

Framed-IPv6-Prefix (attribute 97) is encoded automatically.

Note: the required options must always be provided, otherwise the tool can't continue.

Using the Config file


The tool can read its values from a config file for ease of use. Sample config files are provided below.

The following is the format of a config file:

Example1:


ip-address=3.0.0.102
secret=cisco
destport=1700
attribute1=44,000029CD
attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
attribute4=1,xander
timeout=1

END

Config file Parameters

Keyword            CLI        Description
ip-address         -n         the NAS IP address (the destination IP)
ipv6-address       -N         the NAS IPv6 address (destination IP of the BNG)
secret             -k         secret key for the MD5 hash computation
destport           -p         destination port to send the request to
attribute0 (to 9)  -0 to -9   the attributes to be encapsulated
sourceport         -s         define the source port for the request (optional)
timeout            -t         the timeout waiting for a response (optional)
END                n/a        denotes the END of the config file; reading stops after this keyword

Note that the config file has precedence over parameters provided on the CLI: if the secret is provided on the CLI with -k CLIKEY and in the config file with secret=CFGKEY, then the key used for hashing is CFGKEY.

Formatting VSA's

This section describes how to format a VSA.

The vendor-specific attribute number is 26.

Cisco's vendor ID is 9

Cisco has a few VSA's defined such as:

Cisco-avpair, which is vendor attribute 1

Cisco-nas-port, which is vendor attribute 2

A few SSG attributes:

ATTRIBUTE       SSG-Account-Info              250     string  Cisco
ATTRIBUTE       SSG-Service-Info                251     string  Cisco
ATTRIBUTE       SSG-Command-Code         252     string  Cisco
ATTRIBUTE       SSG-Control-Info                253     string  Cisco

Microsoft is vendor 311 and has 2 key attributes commonly used:

ATTRIBUTE       MS-1st-NBNS-Server              30      ipaddr  Microsoft
ATTRIBUTE       MS-2nd-NBNS-Server              31      ipaddr  Microsoft

To provide a VSA to the tool you use the following format:

-1 26,9,1,"ip:ip-unnumbered=Loopback 123"

This sends a cisco-avpair carrying the ip unnumbered info.
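The attribute spec format from the manual (INT/IP/V6 prefixes and 26,vendor,type,value VSAs) and the MD5 authenticator that the NAS server-key must match, worked through in Python as an added example; this is not the COA tool's own code, which is not on this page. The secret, NAS attributes and the simulated NAS reply are constructed sample values for offline testing.

```python
import hashlib
import hmac
import ipaddress
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes


def encode_value(value: str) -> bytes:
    """Apply the tool's prefix rules: INT -> 4-byte integer, IP -> 4-byte
    IPv4 address, V6 -> 16-byte IPv6 address, anything else -> string."""
    if value.startswith("INT"):
        return struct.pack("!I", int(value[3:]))
    if value.startswith("IP"):
        return ipaddress.IPv4Address(value[2:]).packed
    if value.startswith("V6"):
        return ipaddress.IPv6Address(value[2:]).packed
    return value.encode()


def encode_attribute(spec: str) -> bytes:
    """Encode 'type,value' or, for a VSA, '26,vendor-id,vendor-type,value'.
    The value may itself contain commas (QoS add-class strings do), so only
    the leading fields are split off."""
    attr_type, rest = spec.split(",", 1)
    attr_type = int(attr_type)
    if attr_type == 26:
        vendor_id, vendor_type, value = rest.split(",", 2)
        inner = encode_value(value)
        # Vendor-Id (4) + Vendor-Type (1) + Vendor-Length (1) + value
        payload = struct.pack("!IBB", int(vendor_id), int(vendor_type), len(inner) + 2) + inner
    else:
        payload = encode_value(rest)
    if len(payload) > 253:  # RADIUS attribute Length is one byte, header included
        raise ValueError("attribute value too long: %s" % spec)
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def build_coa_request(secret: bytes, attributes: list, request_id: int) -> bytes:
    """CoA-Request. Request Authenticator = MD5(Code + ID + Length +
    16 zero bytes + Attributes + Secret), RFC 5176 section 2.3; the secret
    is what server-key on the NAS must equal."""
    attrs = b"".join(encode_attribute(a) for a in attributes)
    header = struct.pack("!BBH", COA_REQUEST, request_id & 0xFF, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def make_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Simulated NAS side (offline testing only): a CoA-ACK/NAK whose Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Accept an ACK/NAK only if it echoes the request ID and its Response
    Authenticator was computed with the shared secret; anything else is
    spoofed, truncated or stale and must not be trusted as a status."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed sample: the Account-Logoff request from the Examples section.
    secret = b"cisco"
    req = build_coa_request(secret, ["44,34", "26,9,1,subscriber:command=account-logoff",
                                     "1,0017.0e43.a1ac"], request_id=7)
    ack = make_response(secret, req, COA_ACK)
    print(req.hex(), verify_response(secret, req, ack))
```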

Examples


Account-Logon (config file)

ip-address=3.0.0.102
secret=cisco
destport=1700
attribute1=44,000029CD
attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
attribute4=1,xander
timeout=1

Parameterized QOS (config file)

Adding a parent shaper and a child class with a policed priority queue

ip-address=3.0.0.234
secret=cisco
destport=1700
attribute1=44,000000df
attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub, (class-default), shape(800))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip), pri-level(1), police(256,8))
timeout=1

Account-Logoff (cli)

# ./coa_new -n 3.0.0.102 -p 1700 -k cisco -1 44,34 -2 26,9,1,"subscriber:command=account-logoff" -3 1,"0017.0e43.a1ac"

Release Notes

* VERSION 1.0 - first official RELEASE

* version 1.1 - added random source port and transaction ID generation

* version 1.2 - added POD capability via the -d option

* version 1.3 - added capability for SSG account info, converting service logoff 0C to binary 0x0C

* version 1.4 - added capability for SSG account info, converting service logoff 0B to binary 0x0B

* version 1.5 - fixed bug in length field of attribute size

* version 1.6 - added session query 0x04

* version 1.7 - added timeout receive option -t

* version 1.8 - added manual source port configuration

* version 1.9 - detect integer strings and send them as int rather than string; a string prefix of INT tells the program to treat the value as int

* version 1.10 - detect IP prefixes and convert accordingly with IP1.2.3.4

* version 2.0 - ability to read config from file with -f

* version 2.1 - fixed subscriber:password length calculation in v2.0

* version 2.2 - improved hexdump, added code comments, cleaned up code

* version 2.3 - added ability to decode the COA/POD response attributes via -e; user configurable request ID

* version 2.4 - config file parser choked on empty lines, fixed that issue

* version 2.5 - adds support for VSA36 with SALT encryption

* version 2.6 - fixed bug in salt length character

* version 2.7 - added expanded source port range (+retry), increased attributes

* version 2.8 - added IPv6 encoding capabilities via V6 prefix keyword

* version 2.9 - fixed prefix length corruption crash in attr 97

* version 3.0 - added IPv6 transport for sending COA requests to the BNG

* version 3.1 - fixed integer encoding to proper int formatting (4 bytes)

Related Information

Disclaimer: this is not an official Cisco supported tool but merely provided to verify, demonstrate and integrate COA requests with.

Xander Thuijs, CCIE #6775

Principal Engineer ASR9000

ASR9K news BLOG

Comments
Cisco Employee

Xander,


I am doing service update coa request with multiple pqos attributes. I have more than 9 attributes but the tool limits only 6 attributes; is there any way we can send more cisco-avpairs ?


Thanks,

Thulasi

Cisco Employee

hi thulasi,

expanded attribute support was added in version 2.9

so if you take either v29 or v30 you should be all set.

cheers!

xander

Hi Xander,

Thanks for the tool works great!

Seems that I have stumbled upon a small bug though; not sure if it is the config we are using, the ASR software or the CoA tool. However, every time we change between two QoS policies via CoA a process (pkg/bin/qos_ma_ea) on the ASR crashes. It seems the unit does not like going back to the old QoS policy that was originally on the subscriber session.

We are running ASR9001 with software IOSXR 5.2.2

I have attached a file showing some policy outputs and the crash from the CLI view.

Just wondering if yourself or anyone else has witnessed this before?

If more configuration is required please let me know.

Thanks,

Chris

Cisco Employee

hi chris, thank you! :) say although crashes are never good i think there is a problem with the coa profile here. a session wants to have hierarchical qos, so parent shaper, child Q.

the way to achieve that is like this:

attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub, (class-default), shape(2048))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, class-default), queue-limit(100))

the crash seems to be related to the hw not being able to handle the pmap construct provided,

this is a bug, because the condition should be handled more gracefully.

xander

Thanks for the response Xander, much appreciated :)

I understand where you are coming from for establishing the child and parent structure.

However, all I am trying to achieve is changing the base parent shaper from say 3M to 2M and then back to 3M. I am running into the bug when I try to use the "add-class" attribute to change the policy back to the original 3M.

May I ask, am I doing this correctly? or should I be using "remove-class" first and then "add-class" to change the base parent shaping speed?


Thanks,


Chris

Cisco Employee

hi chris,

if you want to change the shape rate, you can do that directly by sending an update for that particular class/rate, something like this:


attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub, (class-default), shape(200))

this will change an existing shape at the parent level to 200, of whatever the existing value is today.

that is a little faster also.

regards

xander

Beginner

Hi Xander,

I was reading the RFC for RADIUS accounting https://tools.ietf.org/html/rfc2866 on "acct-multi-session-id"; each session will always have its unique acct-session-id.

In what way can we utilize or benefit from "acct-multi-session-id" with AAA if I have multiple sessions related to one user, but each session might have a different service-type and access vlan, for example:

bundle-ether10.10 - vlan 10 pppoe session

bundle-ether10.11 - vlan 11 ipoe session

bundle-ether10.30 - vlan 30 ipoe session

thank you,

Regards

Sami

Cisco Employee

hi sami,

yeah the multi session ID is for accounting records tied to a single "actual- session".

if we have 3 sessions on 3 different interfaces they all have a different attr44 though.

when you enable a service with accounting, that service will generate records with 2 ID's:

- the unique attr 44, for the session *instance*

- the mult session ID pointing to the attr44 of the subscriber that uses that session.

so the attr44 of session accounting is near useless, but the mult session id that points to the actual subscriber using it is of most use in that regard.

xander

Beginner

Hi Xander,

thanks for your reply, but how can we tie several sessions to the same user, during authentication or in some other process? Can we tie them based on remote-id-tag or circuit-id-tag, so that sessions with the same remote-id-tag, for example, have a common acct multi-session-id?

or i understood you wrong ?

Regards

Sami

Cisco Employee

hi sami, the service accounting records don't record the circ/remID as far as I know, so the only way to aggregate the different subscriber sessions is by means of access interface (nas-port) or circ/remID for that matter.

then separately the services OFF those subscribers sessions are tied together (from service to session ) by the acct multi session ID parameter.

cheers

xander

Beginner

Hi Xander,

you mean do that(tie multiple session to a user) on the AAA side based on the common remote-id-tag or other attribute to tie them together to a unique user ?

that's what we are doing now on AAA side, just thought maybe there is another way.

one more question,

concerning the user-service-type attribute sent from the BNG to AAA during authentication, I read that it can't be modified; it sends the below based on session type. Can we send a Cisco VSA containing protocol-type=ppp/dhcp during authentication instead of the below, or in addition?

user-service-type = outbound-user (sent with IPOE requests)

user-service-type = Framed (sent with PPP requests)

thanks alot for your prompt replies

Regards

Sami

Beginner

Dear Xander

Your CoA tool is great. I always use it for CoA functionality on BNG/ISG. However, I wonder whether it is possible to use this tool to send a CoA request with a binary command. I try to deactivate and activate multiple services in a single CoA request, but some ISG documents specify that

"Text-based commands are not supported for multiple-service activation and deactivation in a single CoA
message. Only binary commands are supported for multiple-service activation and deactivation in a
single CoA message."

So, I don't know how to use this tool to send a binary command; I have tried many styles of configuration but it won't work. Please give me some advice.

Thanks

Best regards

tumarha

Cisco Employee

hi tumarha,

ah great to hear!! yeah it has support for old style ISG binary commands also. the way to format is like this:

-1 26,9,252,"0BMY_Service"

this means: vendor specific (26), cisco (9), isg-command (252) and 0B will get converted to service activate 0x0B for service My_Service.

0B is activate

0C is deactivate

04 is session query

the tool with -x for debug info will print a message that it detected the string 0B/0C and message that it is converting it to hex 0x0B/C

cheers!

xander

Beginner

Cool!. Thank you very much for your advice.

Best regards

Tumarha

Beginner

Hello Alex,

Great doc. thank you very much.

Is it possible to apply redirect through COA to online session on ASR 1002 routers ?

Here is the debug logs from "debug subscriber feature name l4redirect"

Nov 7 10:53:41.809: L4 Redirect: Parsing L4R VSA: "redirect to group REDIRECT_NOPAY"
Nov 7 10:53:41.809: L4 Redirect: Creating L4R feature info from AAA attributes
Nov 7 10:53:41.809: L4 Redirect: Created L4R Feature info
Nov 7 10:53:41.809: L4 Redirect: Created L4R rule info
Nov 7 10:53:41.810: L4 Redirect: Apply inbound direction from Per-user configuration
Nov 7 10:53:41.810: L4 Redirect: ERROR: L4R installation at session level not supported on this platform
Nov 7 10:53:41.810: L4 Redirect: Remove inbound direction from Per-user configuration
Nov 7 10:53:41.810: L4 Redirect: L4R not installed in inbound direction
Nov 7 10:53:41.810: L4 Redirect: Deleting L4R feature info
Nov 7 10:53:41.810: L4 Redirect: Deleted L4R rule info
Nov 7 10:53:41.811: L4 Redirect: Deleted L4R Feature info
Nov 7 10:53:41.850: L4 Redirect: Parsing L4R VSA: "redirect to group REDIRECT_NOPAY"
Nov 7 10:53:41.850: L4 Redirect: Creating L4R feature info from AAA attributes
Nov 7 10:53:41.850: L4 Redirect: Created L4R Feature info
Nov 7 10:53:41.850: L4 Redirect: Created L4R rule info
Nov 7 10:53:41.851: L4 Redirect: Apply inbound direction from Per-user configuration
Nov 7 10:53:41.851: L4 Redirect: ERROR: L4R installation at session level not supported on this platform
Nov 7 10:53:41.851: L4 Redirect: Remove inbound direction from Per-user configuration

What could be issue ?

Tural
