Dynamic Authorization with CoA (rfc3576)

Nasser Heidari
Level 1

Hi,

I'm trying to implement dynamic authorization and per-user QoS.

What I have already done is that I can send the rate-limit interface command via RADIUS AV pairs, and it works.

Now what I want to do is change the rate-limit without disconnecting user sessions (PPPoE sessions). As far as I know, it should be possible with a CoA request.

My problem is that when I send a CoA to the router, I receive a CoA-NAK, and it doesn't work.

Here is a sample CoA packet that I'm sending to the router:

root@LinuxBox:/var/tmp# radclient -f f2 -xxx 192.168.19.123:1700 coa nasser

Sending CoA-Request of id 121 to 192.168.19.123 port 1700

User-Name = "testpppuser"

Service-Type = Framed-User

Framed-Protocol = PPP

Cisco-AVPair = "lcp:interface-config=rate-limit output 512000 48000 96000 conform-action continue exceed-action drop"

  Code:                    43

  Id:                    121

  Length:          153

  Vector:          ca0be61b3c55f8754b228c87efb2edb5

  Data:                    01  0d  74 65 73 74 70 70 70 75 73 65 72

06  06  00 00 00 02

07  06  00 00 00 01

1a  6c  00 00 00 09 01 66 6c 63 70 3a 69 6e 74 65 72 66

61 63 65 2d 63 6f 6e 66 69 67 3d 72 61 74 65 2d

6c 69 6d 69 74 20 6f 75 74 70 75 74 20 35 31 32

30 30 30 20 34 38 30 30 30 20 39 36 30 30 30 20

63 6f 6e 66 6f 72 6d 2d 61 63 74 69 6f 6e 20 63

6f 6e 74 69 6e 75 65 20 65 78 63 65 65 64 2d 61

63 74 69 6f 6e 20 64 72 6f 70

rad_recv: CoA-NAK packet from host 192.168.19.123 port 1700, id=121, length=26

  Code:                    45

  Id:                    121

  Length:          26

  Vector:          0aba40210b66fd6e975426d36c38186a

  Data:                    65  06  00 00 00 c8

Error-Cause = 200

Also, here is the router log:

lab1r1#

*Dec 10 16:54:08.511: COA: 192.168.19.28 request queued

*Dec 10 16:54:08.515: RADIUS:  authenticator 11 E2 A0 0D 6A 01 09 02 - FA 30 85 27 1B 93 86 01

*Dec 10 16:54:08.515: RADIUS:  User-Name           [1]   13  "testpppuser"

*Dec 10 16:54:08.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]

*Dec 10 16:54:08.519: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]

*Dec 10 16:54:08.519: RADIUS:  Vendor, Cisco       [26]  108

*Dec 10 16:54:08.519: RADIUS:   Cisco AVpair       [1]   102 "lcp:interface-config=rate-limit output 512000 48000 96000 conform-action continue exceed-action drop"

*Dec 10 16:54:08.523: AAA/ATTR(00000005): new list: 0x669D1A04

*Dec 10 16:54:08.523: AAA/ATTR(00000000): cursor init: 66B825B8 669D1A04 none none

*Dec 10 16:54:08.523: AAA/ATTR(00000000): add attr: 669D1A14 0 00000009 username(395) 11 testpppuser

*Dec 10 16:54:08.527: AAA/ATTR(00000000): new list: 0x669D16C4 prev list: 0x669D1A04

*Dec 10 16:54:08.527: AAA/ATTR(00000000): add attr: 669D16D4 0 00000001 service-type(302) 4 Framed

*Dec 10 16:54:08.527: AAA/ATTR(00000000): add attr: 669D16E4 0 00000001 Framed-Protocol(101) 4 PPP

*Dec 10 16:54:08.531: AAA/ATTR(00000000): add attr: 669D16F4 0 00000009 interface-config(195) 79 rate-limit output 512000 48000 96000 conform-action continue exceed-action drop

*Dec 10 16:54:08.535:  ++++++ CoA Attribute List ++++++

*Dec 10 16:54:08.535: AAA/ATTR(00000000): cursor init: 66B825B8 669D1A04 none none

*Dec 10 16:54:08.535: AAA/ATTR(00000000): find next matching service=none, protocol=none

*Dec 10 16:54:08.535: AAA/ATTR(00000000):  username ok

*Dec 10 16:54:08.535: 669D1A14 0 00000009 username(395) 11 testpppuser

*Dec 10 16:54:08.539: AAA/ATTR(00000000): find next matching service=none, protocol=none

*Dec 10 16:54:08.539: AAA/ATTR(00000000):  service-type ok

*Dec 10 16:54:08.539: 669D16D4 0 00000001 service-type(302) 4 Framed

*Dec 10 16:54:08.543: AAA/ATTR(00000000): find next matching service=none, protocol=none

*Dec 10 16:54:08.543: AAA/ATTR(00000000):  Framed-Protocol ok

*Dec 10 16:54:08.543: 669D16E4 0 00000001 Framed-Protocol(101) 4 PPP

*Dec 10 16:54:08.547: AAA/ATTR(00000000): find next matching service=none, protocol=none

*Dec 10 16:54:08.547: AAA/ATTR(00000000):  interface-config protocol:lcp ok

*Dec 10 16:54:08.547: 669D16F4 0 00000009 interface-config(195) 79 rate-limit output 512000 48000 96000 conform-action continue exceed-action drop

*Dec 10 16:54:08.551: AAA/ATTR(00000000): find next matching service=none, protocol=none

*Dec 10 16:54:08.551: AAA/ATTR(00000000): not found

*Dec 10 16:54:08.551:

*Dec 10 16:54:08.551: AAA/API(00000000): aaa_req_alloc(), pc 0x61A3808C, enter {

*Dec 10 16:54:08.555: AAA/API(00000000): } aaa_req_alloc()

*Dec 10 16:54:08.555: AAA/ATTR(00000000): cursor init: 66B824B8 669D1A04 none unknown

*Dec 10 16:54:08.555: AAA/ATTR(00000000): find: ssg-command-code(431): not found

*Dec 10 16:54:08.559: COA: Added NACK Error Cause: Success

*Dec 10 16:54:08.559: COA: Sending NAK from port 1700 to 192.168.19.28/46960

*Dec 10 16:54:08.559: RADIUS:  101 6   000000C8

*Dec 10 16:54:08.563: AAA/ATTR(00000000): free all lists: 0x669D1A04

*Dec 10 16:54:08.563: AAA/ATTR(00000000): del attr: 669D1A14 0 00000009 username(395) 11 testpppuser0x669D16C4

*Dec 10 16:54:08.567: AAA/ATTR(00000000): del attr: 669D16D4 0 00000001 service-type(302) 4 Framed

*Dec 10 16:54:08.567: AAA/ATTR(00000000): del attr: 669D16E4 0 00000001 Framed-Protocol(101) 4 PPP

*Dec 10 16:54:08.571: AAA/ATTR(00000000): del attr: 669D16F4 0 00000009 interface-config(195) 79 rate-limit output 512000 48000 96000 conform-action continue exceed-action drop

Does anybody have any idea?

Thanks in advance
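
An added example, not part of the original post: a minimal Python decoder for the CoA-NAK bytes shown above. It reads the Error-Cause attribute (type 101) and flags the value 200, which falls in the 200-299 range that RFC 3576 reserves for successful completion and says must not be sent in a NAK; the function names are this example's own.

```python
import struct

CODES = {43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Error-Cause (attribute 101) values assigned in RFC 3576
ERROR_CAUSE = {
    201: "Residual Session Context Removed", 202: "Invalid EAP Packet (Ignored)",
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    501: "Administratively Prohibited", 502: "Request Not Routable (Proxy)",
    503: "Session Context Not Found", 504: "Session Context Not Removable",
    505: "Other Proxy Processing Error", 506: "Resources Unavailable",
    507: "Request Initiated",
}

def parse_packet(pkt):
    """Decode a RADIUS header and its attribute TLVs, rejecting bad lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} != {len(pkt)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} on attribute {atype}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def error_cause(packet):
    """Return (value, meaning) for the Error-Cause attribute, or (None, reason)."""
    for atype, value in packet["attrs"]:
        if atype == 101 and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            if 200 <= cause <= 299 and packet["code"].endswith("NAK"):
                return cause, "success-range value, not valid in a NAK"
            return cause, ERROR_CAUSE.get(cause, "unassigned")
    return None, "no Error-Cause attribute"

# The CoA-NAK from the post: Code, Id, Length, Vector and Data as radclient printed them
NAK = (bytes([45, 121]) + struct.pack("!H", 26)
       + bytes.fromhex("0aba40210b66fd6e975426d36c38186a")
       + bytes.fromhex("65 06 00 00 00 c8"))

if __name__ == "__main__":
    print(parse_packet(NAK)["code"], error_cause(parse_packet(NAK)))
```
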
