on 05-26-2011 06:52 AM
In access deployments using RADIUS, during the Access-Accept we can pass reply items back to the NAS, which allows per-user configuration to alter the base template config or to apply extra features. Normally these features can't be changed afterwards, since RADIUS by itself doesn't provide a way to re-authorize an active session. For that purpose COA (Change of Authorization) was developed: it allows an active session to have its configuration changed based on, effectively, a new set of reply items that are downloaded to the NAS.
** Download a COA client for Windows, Mac or Linux below **
Latest version is v3.1 January 2017
The words NAS (network access server), BRAS (Broadband Remote Access Server) and BNG (Broadband next generation) are used interchangeably; they all refer to the same concept of aggregating subscribers.
Typically NAS is used in modem access scenarios, BRAS for PPPoA and PPPoE termination whereas BNG involves the concept of subscriber policies along with IP session termination (including PPPoX).
RADIUS servers are available in open source form on the web; for instance the Livingston RADIUS server and the FreeRADIUS server are very popular. Vendors have also provided their own RADIUS servers, such as Cisco Secure ACS. However, there is not a wide variety of COA tools out there, unless they come with a "portal" type implementation in which COA is generally leveraged a lot. In this article I am presenting a COA tool that can be used from a normal Linux station, allowing you to pass a COA request to a NAS of your choice. The usage of the tool is explained, as well as the key parameters that you need to provide in order to make a successful COA request.
What features can be changed via COA is highly dependent on the platform and software release being run. The COA tool encapsulates your attributes and sends them to the NAS, but it is the NAS's responsibility to apply the features and return a proper status on the result.
The minimum configuration required for IOS looks like this:
IOS
aaa server radius dynamic-author
 client 3.0.0.38
 client 3.0.0.1
 server-key cisco
 auth-type any
client determines from which source IP addresses a COA request is accepted. Sources not in the list are ignored.
server-key is the shared secret used for the MD5 authenticator computation and must match what the COA client is using.
auth-type defines which attributes are used for session identification.
For instance, if you provide the Accounting-Session-Id and Username, auth-type any means that the first session found that matches EITHER one of these check items will be subject to modification.
auth-type all means that all check items must match.
Starting with 4.2.0, IOS-XR for the ASR9000 will have BNG with COA support as well. Here is the configuration required in IOS-XR:
IOS-XR
aaa server radius dynamic-author
 port 1700
 server-key cisco
 auth-type any
 client 3.0.0.38 vrf default server-key cisco
A global server key can be configured, and a per-client key is also configurable. The listen port is configurable as well (the same is true in IOS; it is omitted from the IOS config above because port 1700 is the default).
To target a specific session you can use various attributes such as Framed-IP-Address, User-Name or Accounting-Session-Id.
It is recommended to always specify the Accounting-Session-Id (attribute 44), because this attribute references a single session on any BNG, as the number must be unique. The internal code lookups are much faster with this attribute than with User-Name or Framed-IP-Address, which result in a linear walk. Also, User-Name and Framed-IP-Address (sessions with the same IP address in different VRFs) may not be unique on the device.
To provide extra safety that you are targeting the right session, you can configure auth-type all and send the Acct-Session-Id (44) as well as a User-Name (1): that gives a fast lookup AND the assurance that this username is indeed the one we had in mind altering.
You can look up the accounting session id in the RADIUS accounting records, but you can also find the ID rather easily in IOS or XR.
Note that the Accounting-Session-Id is a string, even though it generally looks like an integer.
In IOS the radius-record may prefix the acct-session-id STRING with a nas-port identifier like this:
Accounting Record
Thu May 26 10:22:59 2011
Acct-Session-Id = "1/0/0/100.1_000000BA"
Cisco-avpair = "ip:sub-qos-policy-out=briana"
Framed-Protocol = PPP
IOS strips the prefix and uses only the eight rightmost digits as the accounting session ID. In COA requests you could omit the leading zeros and just use "BA" as the ID; however, at the time of writing IOS-XR does a string match and wants to see all eight digits.
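As an added helper (not part of the tool described here; the function name and sample inputs are my own), this Python normalizes an Acct-Session-Id taken from an accounting record into the form described above: it drops an IOS NAS-port prefix, keeps the eight rightmost hex digits, and zero-pads a shortened id such as "BA" so the same value also satisfies the IOS-XR string match.

```python
import re

# Up to eight hex digits: the form of the id once any IOS NAS-port prefix is removed.
HEX_ID = re.compile(r"^[0-9A-Fa-f]{1,8}$")


def coa_acct_session_id(record_value):
    """Normalize an Acct-Session-Id from an accounting record into the value to
    send as attribute 44 in a COA/POD request.

    Accepts a bare id ("BA", "000000BA", "00035d92"), an IOS id with a NAS-port
    prefix ("1/0/0/100.1_000000BA"), or the whole accounting-record line
    ('Acct-Session-Id = "1/0/0/100.1_000000BA"').
    IOS itself only uses the 8 rightmost digits and would accept "BA", but IOS-XR
    does a plain string match and needs all 8 digits, so the zero-padded
    8-character form is returned; it is valid for both.
    """
    value = record_value.split("=", 1)[-1].strip().strip('"')
    sid = value.rsplit("_", 1)[-1][-8:]
    if not HEX_ID.match(sid):
        raise ValueError("not an accounting session id: %r" % record_value)
    return sid.rjust(8, "0")
```

Feed it the Acct-Session-Id line copied from the accounting record or the `show` output and use the result as the value of attribute 44; a value that is not hex raises `ValueError` rather than silently producing an id that matches nothing.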
Step 1: Find the subscriber of interest
NPE-G1#show subscr ses
Current Subscriber Information: Total sessions 1
Uniq ID Interface State Service Identifier Up-time
44 IP authen Local Term 0017.0e43.a1ac 00:00:29
45 Traffic-Cl unauthen Ltm Internal 00:00:29
46 Traffic-Cl unauthen Ltm Internal 00:00:29
NPE-G1#
Step 2: Take the subscriber's internal ID and locate its record ID in the AAA database
NPE-G1#show subscr ses uid 44 det | i AAA_id
AAA_id 0000001B: Flow_handle 0
NPE-G1#
Step 3: Look into the AAA database for the found record to see what the accounting session id is.
For ISG sessions look at the Parent-Session-Id, for regular subscribers, look at the "session-id"
NPE-G1#sh aaa user 0x1B | i session-id
65684778 0 00000001 session-id(353) 4 48(30)
656848B0 0 00000001 session-id(353) 4 49(31)
656848F0 0 00000009 parent-session-id(352) 8 00000034
NPE-G1#
Step 1: Find the subscriber of interest:
RP/0/RSP1/CPU0:A9K-BOTTOM#show subscr sess all
Thu May 26 10:37:17.115 EDT
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
ID - Idle, DN - Disconnecting, EN - End
Type Interface State Subscriber-IP
LNS Address
-------------------------------------------------------------------------
PPPoE:PTA BE1001.100.pppoe4 AC 199.1.1.9:default <<<
PPPoE:PTA BE1001.200.pppoe5 AC 199.1.1.10:RED
IP:DHCP BE1001.2.ip3 AC 172.28.15.14:default
PPPoE:LAC BE1001.300.pppoe6 AC 2.2.2.100
Step 2: Detail the subscriber interface
RP/0/RSP1/CPU0:A9K-BOTTOM#show subscriber session filter interface bundle-e1001.100.pppoe4 detail
Thu May 26 10:38:42.647 EDT
Interface: Bundle-Ether1001.100.pppoe4
Circuit ID: Unknown
Remote ID: "XTH_TEST"
Type: PPPoE:PTA
IP Address: 199.1.1.9, VRF: default
Mac Address: 000b.5f2c.ef01
Account-Session Id: 00000067
Nas-Port: Unknown
Username: test
Subscriber Label: 0x00000067
Created: Tue May 24 12:00:57 2011
State: Activated
Access-interface: Bundle-Ether1001.100
<output omitted>
The COA tool requires a little bit of RADIUS attribute knowledge: attributes are identified by their enumerated numbers rather than by name. You can look at a dictionary file (attached) to map them should you need that.
The options can all be specified via the CLI, or they can be provided in a flat config file for ease of use and easy scripting.
The tool supports POD (packet of disconnect) as well as COA requests.
Options:

Option | Explanation
---|---
-n <ip addr> | The IPv4 address of the NAS that you want to send this COA request to.
-N <ipv6> | The IPv6 address of the NAS to be targeted (new in v3.0). Provide either -n or -N.
-p <int> | The destination port on the NAS that listens for COA requests (normally 1700).
-k <string> | The secret key used for the MD5 hash computation; this must match the definition on the BNG/NAS router.
-d | No argument needed. Tells the tool to send a POD (packet of disconnect) request rather than a COA request. If the session is found it will be terminated.
-t <integer> | By default the tool waits indefinitely for a response from the NAS. This option sets the number of seconds to wait before the tool exits.
-s <int> | Normally the tool selects a random source port from which it originates the request and listens for the response. Use this option to set the source port manually. If one COA request on station X is already using source port Q and waiting for a response, a second request fired from the same station X cannot use source port Q; a socket/bind error will be thrown.
-f <string> | Configuration file that holds the parameters described in the config file section below.
-0/1/2/3/4/5/6/7/8/9 | The attributes to be specified, in the format attribute_number,value. The value is always treated as a string, so if it contains spaces enclose it in quotes, e.g. 18,"this is a test string". To send a value as an integer, for instance Session-Timeout (27), prefix it with INT, e.g. 27,INT100 sends the integer 100. To send an IP address, such as Framed-IP-Address, prefix it with IP, e.g. 8,IP255.255.255.254. To send an IPv6 address, prefix it with V6, e.g. 98,"V6fe80::260:1111:feff:ffff". Framed-IPv6-Prefix (attribute 97) is encoded automatically. Use the attached sample dictionary file to look up attribute name, number and type (int, ip, string).
-e | Decode the response from the NAS into attribute (integer) and value (string) pairs.
-r [0-255] | Provide a static request ID; if omitted or out of bounds a random value is generated.
-x | Extended debug output; follow what the tool is doing.
Note: The bold options must always be provided otherwise the tool can't continue.
The tool can read values from a config file for ease of use. Sample config files are provided below.
The following is the format of a config file:
ip-address=3.0.0.102
secret=cisco
destport=1700
attribute1=44,000029CD
attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
attribute4=1,xander
timeout=1
END
Keyword | CLI | Description
---|---|---
ip-address | -n | The NAS IPv4 address (the destination IP).
ipv6-address | -N | The NAS IPv6 address (destination IP of the BNG).
secret | -k | Secret key for the MD5 hash computation.
destport | -p | Destination port to send the request to.
attribute0 (to 9) | -0 to -9 | The attributes to be encapsulated.
sourceport | -s | Source port for the request (optional).
timeout | -t | Timeout waiting for a response (optional).
END | n/a | Denotes the end of the config file; reading stops after this keyword.

Note that parameters provided on the CLI do not override the config file; the config file has precedence. For example, if the secret is provided on the CLI with -k CLIKEY and in the config file with secret=CFGKEY, then the key used to hash is CFGKEY.
This section describes how to format a VSA.
The Vendor-Specific attribute number is 26.
Cisco's vendor ID is 9
Cisco has a few VSA's defined such as:
Cisco-avpair, which is vendor attribute 1
Cisco-nas-port, which is vendor attribute 2
A few SSG attributes:
ATTRIBUTE SSG-Account-Info 250 string Cisco
ATTRIBUTE SSG-Service-Info 251 string Cisco
ATTRIBUTE SSG-Command-Code 252 string Cisco
ATTRIBUTE SSG-Control-Info 253 string Cisco
Microsoft is vendor 311 and has 2 key attributes commonly used:
ATTRIBUTE MS-1st-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-2nd-NBNS-Server 31 ipaddr Microsoft
To provide a vsa into the tool you use the following format:
-1 26,9,1,"ip:ip-unnumbered=Loopback 123"
to send cisco-avpair with the ip unnumbered info
ip-address=3.0.0.102
secret=cisco
destport=1700
attribute1=44,000029CD
attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
attribute4=1,xander
timeout=1
Adding a parent shaper and a child class with a priority queue policed
ip-address=3.0.0.234
secret=cisco
destport=1700
attribute1=44,000000df
attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub, (class-default), shape(800))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip), pri-level(1), police(256,8))
timeout=1
# ./coa_new -n 3.0.0.102 -p 1700 -k cisco -1 44,34 -2 26,9,1,"subscriber:command=account-logoff" -3 1,"0017.0e43.a1ac"
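As an added illustration (not the COA tool's own source, which is not shown on this page), the following Python builds a COA request the way the options table, the config-file section and the VSA section above describe: it reads the flat config file with config-over-CLI precedence, applies the INT/IP/V6 value prefixes, encodes Vendor-Specific attribute 26 with vendor 9 sub-type 1 (Cisco-avpair), and computes the Request Authenticator as specified in RFC 5176. It also shows the NAS side's Response Authenticator and the check a client should make before trusting an ACK or NAK. The function names and the sample config values are my own assumptions; nothing is sent on the network.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet codes from RFC 5176; Disconnect-ACK/NAK are 41/42.
COA_REQUEST, COA_ACK, COA_NAK, DISCONNECT_REQUEST = 43, 44, 45, 40

# Constructed sample in the article's flat config-file format (values are not real);
# the blank line and the attribute after END exercise the parser's edge cases.
SAMPLE_CONFIG = """ip-address=3.0.0.102
secret=cisco
destport=1700
attribute1=44,000029CD
attribute2=26,9,1,subscriber:command=account-logon

attribute3=26,9,1,subscriber:password=cisco
attribute4=1,xander
timeout=1
END
attribute5=27,INT999
"""

def parse_config(text, cli=None):
    """key=value lines until END, blank lines skipped; file values overwrite CLI values."""
    params = dict(cli or {})
    attrs = dict(params.pop("attributes", {}))  # index -> "type,value" spec, like -0..-9
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "END":
            break
        key, _, value = line.partition("=")
        if key.startswith("attribute"):
            attrs[int(key[len("attribute"):])] = value
        else:
            params[key] = value
    params["attributes"] = attrs
    return params

def encode_value(value):
    """Tool conventions: INT<n> -> 4-byte int, IP<a.b.c.d> -> 4 octets, V6<addr> -> 16 octets, else string."""
    if value.startswith("INT"):
        return struct.pack("!I", int(value[3:]))
    if value.startswith("IP"):
        return ipaddress.IPv4Address(value[2:]).packed
    if value.startswith("V6"):
        return ipaddress.IPv6Address(value[2:]).packed
    return value.encode()

def encode_attribute(spec):
    """'type,value' -> RADIUS TLV; '26,vendor,vendor-type,value' -> Vendor-Specific TLV."""
    attr_type, _, rest = spec.partition(",")
    if int(attr_type) == 26:
        vendor, vendor_type, value = rest.split(",", 2)  # value keeps any further commas
        inner = encode_value(value)
        if len(inner) > 247:  # 253-byte payload minus 4-byte vendor id and 2-byte sub-header
            raise ValueError("VSA value too long for one attribute")
        vsa = struct.pack("!IBB", int(vendor), int(vendor_type), len(inner) + 2) + inner
        return struct.pack("!BB", 26, len(vsa) + 2) + vsa
    value = encode_value(rest)
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", int(attr_type), len(value) + 2) + value

def build_request(code, ident, secret, attr_specs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(encode_attribute(s) for s in attr_specs)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return header + auth + attrs

def build_response(code, request, secret, attr_specs=()):
    """NAS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(encode_attribute(s) for s in attr_specs)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret.encode()).digest()
    return header + auth + attrs

def verify_response(response, request, secret):
    """Client side: the ID must match the request and the Response Authenticator must recompute."""
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, response[4:20])

def decode_attributes(packet):
    """What -e shows: walk the TLVs after the 20-byte header and return (type, raw value) pairs."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out
```

To use it, `parse_config(SAMPLE_CONFIG, cli={...})` gives the merged parameters, `build_request(COA_REQUEST, ident, secret, specs)` (or `DISCONNECT_REQUEST` for a POD) is the datagram to send to the NAS port, and `verify_response` must pass on the reply before its attributes from `decode_attributes` are acted on. A reply that fails the authenticator check, or carries a different ID than the request, should be treated exactly like no reply at all.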
* VERSION 1.0 - first official RELEASE
* version 1.1 - added random source port and transaction ID generation
* version 1.2 - added POD capability via the -d option
* version 1.3 - added capability for SSG account info, converting service logoff 0C to binary 0x0C
* version 1.4 - added capability for SSG account info, converting service logoff 0B to binary 0x0B
* version 1.5 - fixed bug in length field of attribute size
* version 1.6 - added session query 0x04
* version 1.7 - added timeout receive option -t
* version 1.8 - added manual source port configuration
* version 1.9 - detect integer strings and send them as int rather than string
* a string prefix of INT tells the program to treat value as int.
* version 1.10- detect ip prefixes and convert accordingly with IP1.2.3.4
* version 2.0 - ability to read config from file with -f
* version 2.1 - fixed subscriber:password length calculation in v2.0
* version 2.2 - improved hexdump, added code comments, cleaned up code
* version 2.3 - added ability to decode the COA/POD response attributes via -e
* user configurable requestID
* version 2.4 - config file parse chokes on empty line, fixed that issue
* version 2.5 - Adds support for VSA36 with SALT encryption
* version 2.6 - Fixed bug in salt length character
* version 2.7 - Added expanded source port range (+retry), increased attributes
* version 2.8 - Added IPV6 encoding capabilities via V6 prefix keyword
* version 2.9 - Fixed prefix length corruption crash attr 97
* version 3.0 - Added IPv6 transport for sending COA requests to the BNG
* version 3.1 - Fixed integer encoding to proper int formatting (4 bytes)
Disclaimer: this is not an official Cisco supported tool but merely provided to verify, demonstrate and integrate COA requests with.
hi tural,
thank you :) say it sounds like from this debug that the platform cannot support the layer 4 redirect as you wanted. I did some extra investigation and found a similar case that states:
The session level L4R support for ASR1k has been officially turned off in XE3.5 release, so this is expected behavior. need to configure the L4R on the service level, in order to this feature to work.
can you work with that option?
xander
Hi Alex,
Is it available before XE3.5 release? if not I will try service level option
Thank you in advance!
Tural
yeah that is what it sounds like tural. I am not very much in tune with a1k/XE releases, so I can't give you a recommendation what release to best use etc, but you could give that a try to see. the fact that it got disabled sounds like there may have been some issues before with that mode(L), hence the service approach sounds like a safer bet to me.
xander
Hi Alex ,
I have Cisco ASR 1002 Router with 15.3 version on it.
I am trying to make sure that my IPTV will not suffer when my IPoE subscriber uses internet.
Both IPTV and IPOE are in the same VLAN using same session
So how can I apply policing for my IPTV?
IPTV uses Mediaservers to download the content.
best regards
Tural
hi tural,
I don't think that the asr1k has a parameterized qos, allowing you to dynamically change the qos policy.
what you can do is to exchange the qos policy that are predefined on the device.
so if the user has a qos policy X assigned, we can replace it with Y, and Y has an extra class for the video service.
cheers!
xander
Hi Alex,
Do you mean COA or HQoS ?
Can I apply hqos with data and iptv classes in it to the ipoe user upon session start ? Will it work ?
Regards
Tural
yes yes indeed tural!
hqos: concept of a parent shaper and child classes matching traffic and their associated service profile: policer/bandwidth etc.
coa: ability to change the users configuration during the session's life time
and for sure you can apply a qos policy at the session start event to put a hqos profile onto the session. you can exchange the policy via coa at session lifetime.
a9k/xr bng can insert classes into an existing policy map either with VSA's from coa, or as part of a service profile requesting a merge of the service qos profile (eg a child class) onto and into an existing already applied qos policy on the subscriber. (aka policy merge).
xander
Hi Alex,
Thank you so much for quick reply
I am trying to apply this config. is it correct ?
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"
Cisco-AVpair += "traffic-class=input access-group 108"
Cisco-AVpair += "traffic-class=output access-group 108"
Cisco-AVpair += "traffic-class=input access-group 109"
Cisco-AVpair += "traffic-class=output access-group 109"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "ip:sub-qos-policy-in= IPOE-QOS "
Cisco-AVPair += "ip:sub-qos-policy-in= IPOE-QOS"
Internet traffic excluding mediaserver
access-list 109 deny ip 10.1.2.0 0.0.0.255 any
access-list 109 deny ip any 10.1.2.0 0.0.0.255
access-list 108 permit ip any any
mediaserver traffic
access-list 109 permit ip 10.1.2.0 0.0.0.255 any
access-list 109 permit ip any 10.1.2.0 0.0.0.255
access-list 108 deny ip any any
class-map match-all DATA
match access-group 108
class-map match-all IPTV
match access-group 109
policy-map IPOE-QOS
class DATA
police rate 2048000
conform-action transmit
exceed-action drop
class IPTV
police rate 5000000
conform-action transmit
exceed-action drop
hi tural, yes! you did that right!
one minor nit, you have in qos twice:
Cisco-AVPair += "ip:sub-qos-policy-in= IPOE-QOS "
Cisco-AVPair += "ip:sub-qos-policy-in= IPOE-QOS"
may meant:
Cisco-AVPair += "ip:sub-qos-policy-in= IPOE-QOS "
Cisco-AVPair += "ip:sub-qos-policy-out= IPOE-QOS"
xander
Hi Alex,
This helped me a lot, thank you so much.
Now I am trying to understand redirect on the service level. how QV0 message is sent from radius ? is it coa or what ?
Regards
Tural
ok great!! :) the easiest is to define a service and put the http redirect functionality on the service.
then you can activate the service for instance via access-accept and deactivate the service (/redirect) via a COA after the bill is paid :).
I have a little youtube video for you on that: https://www.youtube.com/watch?v=Z_Hw9i_TcGY
xander
Hi Alex,
I am using 1k for ipoe. as http redirect is not supported in the session start, I have to do it on the service level when quota is zero. http redirect is for information purposes in order to inform the subscriber that the billing is zero and etc.
I have 3 scenarios to implement
1) session starts but quota is 0 - how to redirect
2) bras receive quota 0 for a online user - how to redirect
3) bras receives quota >0 for an online user - how to disconnect from portal and activate normal service
for the 1st scenario I am trying to do
SERVICE_L4R:
Cisco-Service-Info += "SERVICE_L4R"
Cisco-AVpair += "traffic-class=input access-group 198"
Cisco-AVpair += "traffic-class=output access-group 198"
Cisco-AVpair += "ip:l4redirect=redirect to group REDIRECT_NOPAY"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
-=======
policy-map type control ISG-CUSTOMERS-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 identifier circuit-id
20 set-timer UNAUTH-TIMER 5
!
class type control always event session-restart
10 authorize aaa list ISG-AUTH-1 identifier circuit-id
20 set-timer UNAUTH-TIMER 5
!
class type control always event quota-depleted
1 set-param drop-traffic FALSE
!
class type control always event credit-exhausted
1 service-policy type service name SERVICE_L4R
!
class type control always event service-start
10 service-policy type service identifier service-name
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
!
But I do not know what kind of message I have to send from radius in order bras apply it .
Or I am not doing correct ?
Regards
Tural
Thanks a lot, much appreciated article.
Please from where we can download latest version 3.1
Hi,
I'm getting a lot of ignored disconnect packets, neither ACK nor NAK in reply. I'm rather sure it's not a network problem between radclient and ASR. What other reasons can be for ASR to silently discard COA/disconnect request?
I've used id by username, then moved to account-session-id but that didn't help.
May be I should turn on some debugs to see what's going on?
All those problems were gone with installation of SP10 for 5.3.3.
But now I see another strange behavior:
I'm sending Disconnect packets from my radius server authorization phase to kill previous session with the same login. I look up Acct-Session-Id for this username in accounting database and use it in Disconnect. And sometimes I see NAK for it. The previous session keeps working and I can't kill it by correct session-id. But if I use user-name as key, I get ACK.
For example I have this session:
RP/0/RSP0/CPU0:asr-l11#sh subs ses fil user xa062 det
Mon Aug 20 16:46:19.845 EEST
Interface: Bundle-Ether2.2.pppoe38655
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IPv4 State: Up, Mon Aug 20 16:34:29 2018
IPv4 Address: 192.168.22.62, VRF: nat1in1
Mac Address: 001b.2201.1388
Account-Session Id: 00035d92
Nas-Port: 33573887
User name: xa062
Formatted User name: unknown
Client User name: unknown
Outer VLAN ID: 75
Subscriber Label: 0x0006fed5
Created: Mon Aug 20 16:34:25 2018
State: Activated
Authentication: authenticated
Authorization: unauthorized
Access-interface: Bundle-Ether2.2
Policy Executed: policy-map type control subscriber PPP_P1
Then I send request with session-id:
Sent Disconnect-Request Id 238 from 0.0.0.0:12752 to 192.168.31.61:3799 length 30
Acct-Session-Id = "00035d92"
Received Disconnect-NAK Id 238 from 192.168.31.61:3799 to 0.0.0.0:0 length 39
Acct-Session-Id = "00035d92"
Cisco-Command-Code = "X"
(0) -: Expected Disconnect-ACK got Disconnect-NAK
and then with user-name
Sent Disconnect-Request Id 223 from 0.0.0.0:27481 to 192.168.31.61:3799 length 27
User-Name = "xa062"
Received Disconnect-ACK Id 223 from 192.168.31.61:3799 to 0.0.0.0:0 length 20
@xthuijs thanks for great overview and utilit!
Could you please advise the syntax for account update with static IP and network mask? We try
./coa_lin -n 3.0.0.102 -p 1700 -k cisco -1 1,000029CD -2 26,9,1,"subscriber:command=account-update" -3 8,"Framed-Ip-Address=10.11.12.138" -4 9,"netmask=255.255.255.128"
Using COA with :
NAS(v4): 5115ffaa
Port: 1700
Timeout: 0 (0 means indefinite wait)
Secret: '***'
CoA: Request was accepted! (ID 171)
But no IP assigned as additional attributes