Configuring IKEv2 Packet of Disconnect

The IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature terminates an active crypto IKEv2 session on Cisco supported devices.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About IKEv2 Packet of Disconnect

Disconnect Request

The Packet of Disconnect (POD) is a RADIUS disconnect_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect a crypto session.

When the POD is Needed

The Packet of Disconnect is required in the following situations:

  • Enforce reauthentication—As a network administrator, you might want to terminate a user on FlexVPN server to forcefully reauthenticate if a session is connected for a very long duration.

  • Apply a new policy—As a network administrator, you may want to terminate an active crypto session and apply the new policy on the session when the client reconnects.

  • Free resources—A session may need to be terminated to free resources and exit rekey.

IKEv2 Packet of Disconnect

The IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature uses the RADIUS Packet of Disconnect (POD) feature to delete a crypto session. The crypto session is deleted to update VPN users to the new user or group policy on the AAA server.

  1. AAA passes the attribute key-value pair list, provided by the RADIUS server, to IKEv2.

  2. IKEv2 parses the list and locates the Audit-Session-ID, a Cisco AV pair, as a key and validates the pair value.

  3. IKEv2 searches the session and deletes the specific session.

  4. IKEv2 notifies AAA and AAA notifies the RADIUS server.

  5. The session pertaining to the Audit-Session-ID is deleted.

Parameters in IKEv2 Packet of Disconnect

RFC 3576 specifies the following POD codes that are supported for IKEv2 Packet of Disconnect:

  • 40 - Disconnect-Request

  • 41 - Disconnect-ACK

  • 42 - Disconnect-NAK

The Disconnect-ACK code indicates that a session existed for an audit-session-ID and that the session, pertaining to an audit-session-ID was terminated successfully. The Disconnect-NACK code indicates that there are no session corresponding to the audit-session-ID. No reply message is sent to the gateway.

How to Configure IKEv2 Packet of Disconnect

Configuring AAA on the FlexVPN Server

There is no IKEv2-specific configuration required on the FlexVPN server for the IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature. You only need to configure authentication, authorization, and accounting (AAA) on the FlexVPN server. For additional information on AAA configuration, see Authentication Authorization and Accounting Configuration Guide, Cisco IOS XE Release 3S.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa server radius dynamic-author

    5.    client {hostname | ip-address} [server-key string | vrf vrf-id]

    6.    port number

    7.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3aaa new-model


    Example:
    Device(config)# aaa new-model
     

    Enables AAA globally.

     
    Step 4 aaa server radius dynamic-author


    Example:  

    Sets up the local AAA server for the dynamic authorization service and enters dynamic authorization local server configuration mode.

    • In this mode, the RADIUS application commands are configured.

     
    Step 5client {hostname | ip-address} [server-key string | vrf vrf-id]


    Example:
    Device(config-locsvr-da-radius)# client 192.168.0.5 server-key cisco
     

    Configures the IP address or hostname of the AAA server client.

    • Use the server-key keyword and string argument to configure the server key at the client level.

    Note   

    Configuring the server key at the client level overrides the server key configured at the global level.

     
    Step 6 port number


    Example:
    Device(config-locsvr-da-radius)# port 1812
     

    Configures the UDP port.

     
    Step 7end


    Example:
    Device(config-locsvr-da-radius)# end
     

    Exits dynamic authorization local server configuration mode and returns to privileged EXEC mode.

     

    Configuration Examples for IKEv2 Packet of Disconnect

    Example: Terminating an IKEv2 Session

    The following is a sample output from the show aaa sessions command. This command must be executed to identify the IKEv2 session that needs to be terminated.

    Device# show aaa sessions 
    
    Total sessions since last reload: 32
    Session Id: 3
       Unique Id: 14
       User Name: *not available*
       IP Address: 0.0.0.0
       Idle Time: 0
       CT Call Handle: 0
    Session Id: 30
       Unique Id: 41
       User Name: pskuser2.g1.engdt.com
       IP Address: 0.0.0.0
       Idle Time: 0
       CT Call Handle: 0
    Session Id: 32
       Unique Id: 43
       User Name: pskuser4.g2.engdt.com
       IP Address: 0.0.0.0
       Idle Time: 0
       CT Call Handle: 0
    
    

    In the above output, ID 41 and 43 pertain to IKEv2 sessions. Optionally, you can run the show aaa user command to view detailed information about the session.

    Device# show aaa user 41
    
    Unique id 41 is currently in use.
      No data for type 0
      No data for type EXEC
      No data for type CONN
      NET: Username=(n/a)
        Session Id=0000001E Unique Id=00000029
        Start Sent=0 Stop Only=N
        stop_has_been_sent=N
        Method List=0
        Attribute list:
          7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E)
          7FBD9783CD30 0 00000001 start_time(418) 4 Nov 04 2014 00:20:23
    --------
      No data for type CMD
      No data for type SYSTEM
      No data for type VRRS
      No data for type RM CALL
      No data for type RM VPDN
      No data for type AUTH PROXY
      No data for type DOT1X
      No data for type CALL
      No data for type VPDN-TUNNEL
      No data for type VPDN-TUNNEL-LINK
      IPSEC-TUNNEL: Username=pskuser2.g1.engdt.com
        Session Id=0000001E Unique Id=00000029
        Start Sent=1 Stop Only=N
        stop_has_been_sent=N
        Method List=7FBDA6E05A68 : Name = accnt_prof
        Attribute list:
          7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E)
          7FBD9783CD30 0 00000001 start_time(418) 4 Nov 04 2014 00:20:23
          7FBD9783CD70 0 00000082 formatted-clid(37) 13 192.168.202.2
          7FBD9783CDB0 0 0000008A audit-session-id(819) 37 L2L433010101ZO2L4C0A8CA02ZH119404ZP37
          7FBD9783CDF0 0 00000081 isakmp-phase1-id(737) 21 pskuser2.g1.engdt.com
          7FBD9783BF80 0 00000002 isakmp-initator-ip(738) 4 192.168.202.2
    --------
      No data for type MCAST
      No data for type RESOURCE
      No data for type SSG
      No data for type IDENTITY
      No data for type ConnectedApps
    Accounting:
      log=0x400018041
      Events recorded :
        CALL START
        ATTR REPLACE
        INTERIM START
        INTERIM STOP
        IPSEC TNL UP
      update method(s) :
        NONE
      update interval = 0
      Outstanding Stop Records : 0
      Dynamic attribute list:
        7FBD9783BF80 0 00000001 connect-progress(75) 4 No Progress
        7FBD9783BFC0 0 00000001 pre-session-time(334) 4 0(0)
        7FBD9783C000 0 00000001 elapsed_time(414) 4 341(155)
        7FBD9783C040 0 00000001 bytes_in(146) 4 0(0)
        7FBD9783C080 0 00000001 bytes_out(311) 4 0(0)
        7FBD9783CCF0 0 00000001 pre-bytes-in(330) 4 0(0)
        7FBD9783CD30 0 00000001 pre-bytes-out(331) 4 0(0)
        7FBD9783CD70 0 00000001 paks_in(147) 4 0(0)
        7FBD9783CDB0 0 00000001 paks_out(312) 4 0(0)
        7FBD9783CDF0 0 00000001 pre-paks-in(332) 4 0(0)
        7FBD9783BA20 0 00000001 pre-paks-out(333) 4 0(0)
    Debg: No data available
    Radi: No data available
    Interface:
      TTY Num = -1
      Stop Received = 0
      Byte/Packet Counts till Call Start:
        Start Bytes In = 0             Start Bytes Out = 0         
        Start Paks  In = 0             Start Paks  Out = 0         
      Byte/Packet Counts till Service Up:
        Pre Bytes In = 0             Pre Bytes Out = 0         
        Pre Paks  In = 0             Pre Paks  Out = 0         
      Cumulative Byte/Packet Counts :
        Bytes In = 0             Bytes Out = 0         
        Paks  In = 0             Paks  Out = 0         
      StartTime = 00:20:23 IST Nov 4 2014
      AuthenTime = 00:20:23 IST Nov 4 2014
      Component = VPN IPSEC
    Authen: service=NONE type=NONE method=NONE
    Kerb: No data available
    Meth: No data available
    Preauth: No Preauth data.
    General:
      Unique Id = 00000029
      Session Id = 0000001E
      Session Server Key = 1771D693
      Attribute List:
    PerU: No data available
    Service Profile: No Service Profile data.
    Unkn: No data available
    Unkn: No data available
    
    

    Note the audit-session-id in the above output, which is L2L433010101ZO2L4C0A8CA02ZH119404ZP37. The following sample output is displayed on the FlexVPN server on starting an accounting session starts with a RADIUS server.

    Nov  4 00:26:49.908 IST: RADIUS/ENCODE: Best Local IP-Address 192.168.202.1 for Radius-Server 9.45.15.144
    Nov  4 00:26:49.908 IST: RADIUS(0000002C): Send Accounting-Request to 9.45.15.144:1813 id 1646/231, len 288
    Nov  4 00:26:49.908 IST: RADIUS:  authenticator 29 63 0C 79 C1 5E F2 0E - F3 CA 36 DD A3 55 C1 DE
    Nov  4 00:26:49.908 IST: RADIUS:  Acct-Session-Id     [44]  10  "00000021"
    Nov  4 00:26:49.908 IST: RADIUS:  Calling-Station-Id  [31]  15  "192.168.202.2"
    Nov  4 00:26:49.908 IST: RADIUS:  Vendor, Cisco       [26]  64  
    Nov  4 00:26:49.908 IST: RADIUS:   Cisco AVpair       [1]   58  "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A"
    Nov  4 00:26:49.908 IST: RADIUS:  Vendor, Cisco       [26]  46  
    Nov  4 00:26:49.908 IST: RADIUS:   Cisco AVpair       [1]   40  "isakmp-phase1-id=pskuser1.g1.engdt.com"
    Nov  4 00:26:49.908 IST: RADIUS:  Vendor, Cisco       [26]  40  
    Nov  4 00:26:49.908 IST: RADIUS:   Cisco AVpair       [1]   34  "isakmp-initator-ip=192.168.202.2"
    Nov  4 00:26:49.908 IST: RADIUS:  User-Name           [1]   23  "pskuser1.g1.engdt.com"
    Nov  4 00:26:49.908 IST: RADIUS:  Vendor, Cisco       [26]  36  
    Nov  4 00:26:49.908 IST: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
    Nov  4 00:26:49.908 IST: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
    Nov  4 00:26:49.908 IST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Nov  4 00:26:49.908 IST: RADIUS:  NAS-IP-Address      [4]   6   192.168.202.1             
    Nov  4 00:26:49.908 IST: RADIUS:  home-hl-prefix      [151] 10  "D33648D8"
    Nov  4 00:26:49.908 IST: RADIUS:  Acct-Delay-Time     [41]  6   0                         
    Nov  4 00:26:49.908 IST: RADIUS(0000002C): Sending a IPv4 Radius Packet
    
    

    The following output is displayed on the FlexVPN server when disconnecting a session for a specific audit-session-id. The terminate session request is sent to the RADIUS server via a RADIUS client. In this example, the session for the audit-session-ID, which is L2L433010101ZO2L4C0A8CA02ZH119404ZP37 is terminated and, hence, not visible in the output.

    Nov  4 00:32:29.004 IST: RADIUS: POD  received from id 216 9.45.15.144:50567, POD Request, len 84
    Nov  4 00:32:29.004 IST: POD: 9.45.15.144 request queued
    Nov  4 00:32:29.004 IST:  ++++++ POD Attribute List ++++++
    Nov  4 00:32:29.004 IST: 7FBD9783D3A8 0 00000089 audit-session-id(819) 39 L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B
    Nov  4 00:32:29.004 IST: 
    Nov  4 00:32:29.004 IST: POD: Sending ACK from port 1812 to 9.45.15.144/50567
    
    Nov  4 00:32:29.005 IST: IKEv2:(SESSION ID = 59,SA ID = 2):Check for existing active SA
    Nov  4 00:32:29.006 IST: IKEv2:in_octets 0, out_octets 0
    Nov  4 00:32:29.006 IST: IKEv2:in_packets 0, out_packets 0
    Nov  4 00:32:29.006 IST: IKEv2:(SA ID = 2):[IKEv2 -> AAA] Accounting stop request sent successfully
    Nov  4 00:32:29.006 IST: IKEv2:(SESSION ID = 59,SA ID = 2):Delete all IKE SAs
    Nov  4 00:32:29.010 IST: RADIUS/ENCODE(0000002D):Orig. component type = VPN IPSEC
    Nov  4 00:32:29.010 IST: RADIUS(0000002D): Config NAS IP: 0.0.0.0
    Nov  4 00:32:29.010 IST: RADIUS(0000002D): Config NAS IPv6: ::
    Nov  4 00:32:29.010 IST: RADIUS(0000002D): sending
    Nov  4 00:32:29.011 IST: RADIUS/ENCODE: Best Local IP-Address 192.168.202.1 for Radius-Server 9.45.15.144
    Nov  4 00:32:29.011 IST: RADIUS(0000002D): Send Accounting-Request to 9.45.15.144:1813 id 1646/246, len 356
    Nov  4 00:32:29.011 IST: RADIUS:  authenticator 52 88 5E CB 8B FA 1E C1 - CC EF 73 75 89 73 CA 95
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Session-Id     [44]  10  "00000022"
    Nov  4 00:32:29.011 IST: RADIUS:  Calling-Station-Id  [31]  15  "192.168.202.2"
    Nov  4 00:32:29.011 IST: RADIUS:  Vendor, Cisco       [26]  64  
    Nov  4 00:32:29.011 IST: RADIUS:   Cisco AVpair       [1]   58  "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B"
    Nov  4 00:32:29.011 IST: RADIUS:  Vendor, Cisco       [26]  46  
    Nov  4 00:32:29.011 IST: RADIUS:   Cisco AVpair       [1]   40  "isakmp-phase1-id=pskuser1.g1.engdt.com"
    Nov  4 00:32:29.011 IST: RADIUS:  Vendor, Cisco       [26]  40  
    Nov  4 00:32:29.011 IST: RADIUS:   Cisco AVpair       [1]   34  "isakmp-initator-ip=192.168.202.2"
    Nov  4 00:32:29.011 IST: RADIUS:  User-Name           [1]   23  "pskuser1.g1.engdt.com"
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
    Nov  4 00:32:29.011 IST: RADIUS:  Vendor, Cisco       [26]  36  
    Nov  4 00:32:29.011 IST: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Session-Time   [46]  6   56                        
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Input-Octets   [42]  6   0                         
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Output-Octets  [43]  6   0                         
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Input-Packets  [47]  6   0                         
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Output-Packets [48]  6   0                         
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Terminate-Cause[49]  6   none                      [0]
    Nov  4 00:32:29.011 IST: RADIUS:  Vendor, Cisco       [26]  32  
    Nov  4 00:32:29.011 IST: RADIUS:   Cisco AVpair       [1]   26  "disc-cause-ext=No Reason"
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
    Nov  4 00:32:29.011 IST: RADIUS:  NAS-IP-Address      [4]   6   192.168.202.1             
    Nov  4 00:32:29.011 IST: RADIUS:  home-hl-prefix      [151] 10  "E2F80C34"
    Nov  4 00:32:29.011 IST: RADIUS:  Acct-Delay-Time     [41]  6   0                         
    Nov  4 00:32:29.011 IST: RADIUS(0000002D): Sending a IPv4 Radius Packet
    Nov  4 00:32:29.011 IST: RADIUS(0000002D): Started 5 sec timeout
    
    

    The following output is displayed when there is no valid session for the specific audit-session-ID. This happens if there is no session pertaining to the specific audit-session-id when the session is terminated already. Note the NACK message that is sent back to the FlexVPN server

    Nov  4 00:30:31.905 IST: RADIUS: POD  received from id 131 9.45.15.144:52986, POD Request, len 84
    Nov  4 00:30:31.905 IST: POD: 9.45.15.144 request queued
    Nov  4 00:30:31.905 IST:  ++++++ POD Attribute List ++++++
    Nov  4 00:30:31.905 IST: 7FBD9783BA20 0 00000089 audit-session-id(819) 39 L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A
    Nov  4 00:30:31.905 IST: 
    Nov  4 00:30:31.906 IST: POD: 9.45.15.144 Unsupported attribute type 26 for component
    Nov  4 00:30:31.906 IST: POD: 9.45.15.144 user  0.0.0.0i sessid 0x0 key 0x0 DROPPED
    Nov  4 00:30:31.906 IST: POD: Added Reply Message: No Matching Session
    Nov  4 00:30:31.906 IST: POD: Added NACK Error Cause: Invalid Request
    Nov  4 00:30:31.906 IST: POD: Sending NAK from port 1812 to 9.45.15.144/52986
    Nov  4 00:30:31.906 IST: RADIUS:  18  21  4E6F204D61746368696E672053657373696F6E
    Nov  4 00:30:31.906 IST: RADIUS:  101 6   00000194
    

    Additional References for IKEv2 Packet of Disconnect

    Related Documents

    Related Topic

    Document Title

    Cisco IOS commands

    Cisco IOS Master Command List, All Releases

    Security commands

    RADIUS Packet of Disconnect

    RADIUS Packet of Disconnect

    RADIUS Packet of Disconnect

    Standards and RFCs

    Standard/RFC

    Title

    RFC 3576

    Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

    RFC 5176

    Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

    Technical Assistance

    Description

    Link

    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

    Feature Information for IKEv2 Packet of Disconnect

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
    Table 1 Feature Information for IKEv2 Packet of Disconnect

    Feature Name

    Releases

    Feature Information

    IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect

    Cisco IOS XE Release 3.14S

    The IKEv2 Remote Access Change of Authorization (CoA)—Packet of Disconnect feature terminates an active crypto IKEv2 session on Cisco supported devices.

    No commands were introduced by this feature.