RADIUS Change of Authorization and Disconnect Message
This section describes how the system implements CoA and DM RADIUS messages and how to configure the system to use and respond to CoA and DM messages.
CoA Overview
The system supports CoA messages from the AAA server to change the data filters associated with a subscriber session. The CoA request message from the AAA server must contain attributes that identify the NAS and the subscriber session, plus a data filter ID naming the data filter to apply to the subscriber session. The Filter-Id attribute (attribute ID 11) contains the name of an Access Control List (ACL). For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter in the System Administration Guide.
If the system successfully executes a CoA request, a CoA-ACK message is sent back to the RADIUS server and the data filter is applied to the subscriber session. Otherwise, a CoA-NAK message is sent with an error-cause attribute without making any changes to the subscriber session.
Important: Changing the ACL and the rulebase together in a single CoA is not supported. To change both, the AAA server must send two separate CoA requests, each requesting one attribute change.
DM Overview
A RADIUS server uses the DM message to disconnect subscriber sessions on the system. The DM request message must contain the attributes necessary to identify the subscriber session. If the system successfully disconnects the subscriber session, a DM-ACK message is sent back to the RADIUS server; otherwise, a DM-NAK message is sent with the appropriate error reason.
License Requirements
The RADIUS Change of Authorization (CoA) and Disconnect Message (DM) are licensed Cisco features. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
Enabling CoA and DM
To enable RADIUS Change of Authorization and Disconnect Message:
Procedure
Step 1: Enable the system to listen for and respond to CoA and DM messages from the RADIUS server as described in Enabling CoA and DM.
Step 2: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
Step 3: View CoA and DM message statistics as described in Viewing CoA and DM Statistics.
Enabling CoA and DM
Use the following example to enable the system to listen for and respond to CoA and DM messages from the RADIUS server:
configure
context <context_name>
radius change-authorize-nas-ip <ipv4/ipv6_address>
end
- <context_name> must be the name of the AAA context where you want to enable CoA and DM. For more information on configuring the AAA context, if you are using StarOS 12.3 or an earlier release, refer to the Configuring Context-Level AAA Functionality section of the AAA and GTPP Interface Administration and Reference. If you are using StarOS 14.0 or a later release, refer to the AAA Interface Administration and Reference.
- A number of optional keywords and variables are available for the radius change-authorize-nas-ip command. For more information regarding this command, please refer to the Command Line Interface Reference.
CoA and DM Attributes
For CoA and DM messages to be accepted and acted upon, the system and the subscriber session to be affected must be identified correctly. The following attributes are used:
- NAS-IP-Address: If this attribute is present in the CoA/DM request, its value must match the NAS IP address of the system.
- NAS-Identifier: If this attribute is present, its value must match the NAS identifier generated for the subscriber session.
- If 3GPP2 service is configured, the following attribute is used as the correlation identifier:
  - 3GPP2-Correlation-ID: The value must exactly match the 3GPP2 correlation ID of the subscriber session. This is one of the preferred methods of subscriber session identification.
- If 3GPP service is configured, the following attributes are used for the different identifiers:
  - 3GPP-IMSI: The International Mobile Subscriber Identity (IMSI) number is validated and must match the IMSI of the specific PDP context.
  - 3GPP-NSAPI: The Network Service Access Point Identifier (NSAPI) must match the NSAPI of the specific PDP context.
- User-Name: The value must exactly match the subscriber name of the session. This is one of the preferred methods of subscriber session identification.
- Framed-IP-Address: The value must exactly match the framed IP address of the session.
- Calling-Station-Id: The value must match the Mobile Station ID.
- Filter-ID: CoA only. This must be the name of an existing Access Control List. If it is present in a CoA request, the specified ACL is immediately applied to the specified subscriber session. The Context Configuration mode command radius attribute filter-id direction controls the direction in which filters are applied.
- Event-Timestamp: A timestamp of when the event being logged occurred.
- If 3GPP2 service is configured, the following additional attributes are supported:
  - 3GPP2-Disconnect-Reason: Indicates the reason for disconnecting the user. This attribute may be present in the RADIUS Disconnect-Request message from the Home RADIUS server to the PDSN.
  - 3GPP2-Session-Termination-Capability: When CoA and DM are enabled by issuing the radius change-authorize-nas-ip command, this attribute is included in the RADIUS Access-Request message to the Home RADIUS server with the value 3, indicating that the system supports both dynamic authorization with RADIUS and Registration Revocation for Mobile IPv4. The attribute is also included in the RADIUS Access-Accept message, where it carries the resource management mechanism preferred by the home network; that mechanism is used for the session and may be any value from 1 through 3.
CoA and DM Error-Cause Attribute
The Error-Cause attribute is used to convey the results of requests to the system. This attribute is present when a CoA or DM NAK or ACK message is sent back to the RADIUS server.
- 0-199, 300-399 - reserved
- 200-299 - successful completion
- 400-499 - errors in RADIUS server
- 500-599 - errors in NAS/Proxy
- 201 - Residual Session Context Removed
- 401 - Unsupported Attribute
- 402 - Missing Attribute
- 403 - NAS Identification Mismatch
- 404 - Invalid Request
- 405 - Unsupported Service
- 406 - Unsupported Extension
- 501 - Administratively Prohibited
- 503 - Session Context Not Found
- 504 - Session Context Not Removable
- 506 - Resources Unavailable
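The attribute matching rules and the Error-Cause codes above, worked through as an added example that is not StarOS code: a small model of how a NAS could evaluate a CoA or DM request and pick the ACK/NAK result. The request and session dictionaries, the set of known ACL names, and the choice of 404 (Invalid Request) for a Filter-ID that names no existing ACL are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Error-Cause values from the list above.
RESIDUAL_SESSION_CONTEXT_REMOVED = 201
MISSING_ATTRIBUTE = 402
NAS_IDENTIFICATION_MISMATCH = 403
INVALID_REQUEST = 404  # assumption: used for a Filter-ID that names no existing ACL
SESSION_CONTEXT_NOT_FOUND = 503

# Attributes the page lists as identifying the subscriber session.
SESSION_ID_ATTRS = ("User-Name", "Framed-IP-Address", "Calling-Station-Id",
                    "3GPP2-Correlation-ID", "3GPP-IMSI", "3GPP-NSAPI")


@dataclass
class Session:
    attrs: Dict[str, str]      # hypothetical session record, e.g. {"User-Name": "..."}
    acl: Optional[str] = None  # data filter currently applied to the session


def evaluate(request: Dict[str, str], nas_ip: str, sessions: List[Session],
             known_acls: Set[str], kind: str) -> Tuple[str, Optional[int]]:
    """Return ("ACK" or "NAK", Error-Cause) for a CoA (kind="coa") or DM (kind="dm")."""
    # NAS identification: NAS-IP-Address, if present, must be this system's address.
    if "NAS-IP-Address" in request and request["NAS-IP-Address"] != nas_ip:
        return "NAK", NAS_IDENTIFICATION_MISMATCH
    # The request must carry at least one session identifier.
    ids = {k: v for k, v in request.items() if k in SESSION_ID_ATTRS}
    if not ids:
        return "NAK", MISSING_ATTRIBUTE
    # Every identifier supplied must match exactly, or no session context is found.
    matches = [s for s in sessions if all(s.attrs.get(k) == v for k, v in ids.items())]
    if not matches:
        return "NAK", SESSION_CONTEXT_NOT_FOUND
    if kind == "dm":
        for s in matches:
            sessions.remove(s)   # session context removed -> DM-ACK with 201
        return "ACK", RESIDUAL_SESSION_CONTEXT_REMOVED
    # CoA: Filter-ID must name an existing ACL, which is then applied to the session.
    acl = request.get("Filter-ID")
    if acl is None:
        return "NAK", MISSING_ATTRIBUTE
    if acl not in known_acls:
        return "NAK", INVALID_REQUEST
    for s in matches:
        s.acl = acl
    return "ACK", None   # assumption: no Error-Cause is attached to the CoA-ACK here
```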
Viewing CoA and DM Statistics
View CoA and DM message statistics by entering the following command:
show session subsystem facility aaamgr
1 AAA Managers
807 Total aaa requests 0 Current aaa requests
379 Total aaa auth requests 0 Current aaa auth requests
0 Total aaa auth probes 0 Current aaa auth probes
0 Total aaa auth keepalive 0 Current aaa auth keepalive
426 Total aaa acct requests 0 Current aaa acct requests
0 Total aaa acct keepalive 0 Current aaa acct keepalive
379 Total aaa auth success 0 Total aaa auth failure
0 Total aaa auth purged 0 Total aaa auth cancelled
0 Total auth keepalive success 0 Total auth keepalive failure
0 Total auth keepalive purged
0 Total aaa auth DMU challenged
367 Total radius auth requests 0 Current radius auth requests
2 Total radius auth requests retried
0 Total radius auth responses dropped
0 Total local auth requests 0 Current local auth requests
12 Total pseudo auth requests 0 Current pseudo auth requests
0 Total null-username auth requests (rejected)
0 Total aaa acct completed 0 Total aaa acct purged
0 Total acct keepalive success 0 Total acct keepalive timeout
0 Total acct keepalive purged
0 Total aaa acct cancelled
426 Total radius acct requests 0 Current radius acct requests
0 Total radius acct requests retried
0 Total radius acct responses dropped
0 Total gtpp acct requests 0 Current gtpp acct requests
0 Total gtpp acct cancelled 0 Total gtpp acct purged
0 Total null acct requests 0 Current null acct requests
54 Total aaa acct sessions 5 Current aaa acct sessions
3 Total aaa acct archived 0 Current aaa acct archived
0 Current recovery archives 0 Current valid recovery records
2 Total aaa sockets opened 2 Current aaa sockets open
0 Total aaa requests pend socket open
0 Current aaa requests pend socket open
0 Total radius requests pend server max-outstanding
0 Current radius requests pend server max-outstanding
0 Total aaa radius coa requests 0 Total aaa radius dm requests
0 Total aaa radius coa acks 0 Total aaa radius dm acks
0 Total aaa radius coa naks 0 Total aaa radius dm naks
2 Total radius charg auth 0 Current radius charg auth
0 Total radius charg auth succ 0 Total radius charg auth fail
0 Total radius charg auth purg 0 Total radius charg auth cancel
0 Total radius charg acct 0 Current radius charg acct
0 Total radius charg acct succ 0 Total radius charg acct purg
0 Total radius charg acct cancel
357 Total gtpp charg 0 Current gtpp charg
357 Total gtpp charg success 0 Total gtpp charg failure
0 Total gtpp charg cancel 0 Total gtpp charg purg
0 Total prepaid online requests 0 Current prepaid online requests
0 Total prepaid online success 0 Current prepaid online failure
0 Total prepaid online retried 0 Total prepaid online cancelled
0 Current prepaid online purged
0 Total aaamgr purged requests
0 SGSN: Total db records
0 SGSN: Total sub db records
0 SGSN: Total mm records
0 SGSN: Total pdp records
0 SGSN: Total auth records
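As an added example that is not part of the Cisco documentation, a parser for the counter lines in the show output above that extracts the CoA/DM request, ACK and NAK totals so a monitoring job can flag an unusual NAK rate. The sample output embedded in the code is constructed, and the alert threshold is an assumption.

```python
from typing import Dict

# Constructed sample of "show session subsystem facility aaamgr" output (not a real capture).
SAMPLE_OUTPUT = """\
1 AAA Managers
807 Total aaa requests 0 Current aaa requests
20 Total aaa radius coa requests 4 Total aaa radius dm requests
15 Total aaa radius coa acks 4 Total aaa radius dm acks
5 Total aaa radius coa naks 0 Total aaa radius dm naks
"""


def parse_aaamgr(output: str) -> Dict[str, int]:
    """Turn each '<count> <label> [<count> <label>]' line into label -> count."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        count, label = None, []
        for tok in line.split():
            if tok.isdigit():              # a number starts a new (count, label) pair
                if count is not None and label:
                    counters[" ".join(label)] = count
                count, label = int(tok), []
            else:
                label.append(tok)
        if count is not None and label:
            counters[" ".join(label)] = count
    return counters


def coa_dm_summary(counters: Dict[str, int], nak_threshold: float = 0.2) -> Dict[str, dict]:
    """Request/ACK/NAK totals per message type, flagging a NAK rate over the threshold.

    NAKs are sent for requests the NAS rejects (NAS mismatch, missing or unmatched
    session identifiers, unknown ACL name), so a rising NAK rate points at the
    configuration of the requesting RADIUS server.
    """
    summary = {}
    for kind in ("coa", "dm"):
        req = counters.get(f"Total aaa radius {kind} requests", 0)
        ack = counters.get(f"Total aaa radius {kind} acks", 0)
        nak = counters.get(f"Total aaa radius {kind} naks", 0)
        ratio = nak / req if req else 0.0
        summary[kind] = {"requests": req, "acks": ack, "naks": nak,
                         "nak_ratio": ratio, "alert": ratio > nak_threshold}
    return summary


if __name__ == "__main__":
    for kind, stats in coa_dm_summary(parse_aaamgr(SAMPLE_OUTPUT)).items():
        print(kind, stats)
```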