Using COA, Change of Authorization for Access and BNG platforms


Thu, 07/09/2015 - 05:51
May 26th, 2011


In access deployments using RADIUS, during the access-accept we can pass reply items back to the NAS which allows us to configure per user configuration to alter the base template config or to apply extra features. These features normally can't change since RADIUS on itself doesn't allow for reauthorization. For that purpose COA (Change of Authorization) was developed allowing an active session to have its configuration changed based on effectively a new set of reply items that are downloaded to the NAS.

** Download a COA client for windows, MAC or linux below **

Latest version is v3.0 September 2013

The words NAS (network access server), BRAS (Broadband Remote Access Server) and BNG (Broadband next generation) are used interchangeably, they all refer to the same concept of aggregating subscribers.

Typically NAS is used in modem access scenarios, BRAS for PPPoA and PPPoE termination whereas BNG involves the concept of subscriber policies along with IP session termination (including PPPoX).

Core Issue

RADIUS servers are available in open source format on the web, for instance Livingston Radius server or Free Radius server are very popular. Also vendors have provided their own RADIUS servers such as Cisco Secure ACS. However there is not a wide variaty of COA tools out there unless they come with a "portal" type implementation in which COA is generally leveraged a lot. In this article I am presenting a COA tool that can be used from a normal linux station allowing you to pass a COA request to a NAS of your choice. The usage of the tool is explained as well as key parameters that you need to be providing in order to make a successful COA request.

Feature changes support with COA

What features can be changed via COA is highly dependant on the platform and software release that is being run. The COA tool will encapsulate your attributes and send them to the NAS, but it is the NAS's responsibility to apply the features and provide a proper status back on the implementation of it.

Features support in COA tool

  • Up to 10 attributes to be included in the COA request
  • Change of Authorization and Packet of Disconnect support
  • Random source ports or manually configurable
  • Encoding of the cisco-avpair subscriber:password="password" for account logon in VSA 249
  • Extended debug capability
  • Configurable via CLI or Configuration file
  • Request timeout support
  • Multi thread support
  • Encoding of strings, ip addresses and integers
  • Currently support on Linux, and W32. Solaris (solaris no longer supported and maintained!)
  • IPv6 Encoding
  • Various binary ISG codes supported (0A, 0B, 04 etc)

NAS configuration

The minimum configuration required for IOS looks like this


aaa server radius dynamic-author
server-key cisco
auth-type any

client determines from which source ip addresses we can accept a COA request. Sources not in the list will get ignored.

server-key is the encryption key to use for the MD5 authenticator computation and must match what the COA client will be using

auth-type defines which attributes are to be used for session identification.

     For instance, if you provide the Accounting-Session-Id and Username the auth-type any means that the first session found that matches EITHER      one of these check items will be subject to modification.

     Auth-type ALL means that all check items much match

With 4.2.0 IOS-Xr for the ASR9000 will have BNG with COA support also. Here is the configuration required in IOS-XR:


aaa server radius dynamic-author
port 1700
server-key cisco
auth-type any

client vrf default server-key cisco

A global server key is possible as well as a per client type key is also configurable. The listen port is configurable (same in IOS config omitted, as port 1700 is default in IOS).

COA Check items

To target a specific session you can use various attributes such as Framed-IP-Address, User-Name or Accounting-Session-Id.

It is recommended to always specify the accounting-session-id (attribute 44), the reason for that is that this att references a single session on any BNG as this number must be unique. The internal code lookups are much faster with this attribute then using user-name or framed-ip-address as these result in a lineair walk. Also user-name and FIP (sessions with same ip addr in different vrf's) may not be unique on the device

To provide extra safety to make sure you are targetting the right session, you can configure the auth-type match-all and send Acct-Session-Id (44) as well as a username (1) to have a fast lookup AND the safety that this username is indeed the one that we had in mind altering.

How to find the Accounting-Session-Id

You can lookup the accounting session id in the radius accountign records, but also in IOS or XR you can find the ID rather easily.

Note that the Accounting-Session-Id is generally a string that is perceived to be an integer.

In IOS the radius-record may prefix the acct-session-id STRING with a nas-port identifier like this:

Accounting Record

Thu May 26 10:22:59 2011
        Acct-Session-Id = "1/0/0/100.1_000000BA"
        Cisco-avpair = "ip:sub-qos-policy-out=briana"
        Framed-Protocol = PPP

IOS will strip and only use the 8 right most digits as the accounting session ID. In COA requests you could omit all 0's and just use "BA" for the id, however at the time of writing ios-xr does a string match and wants to see the 8 digits all together.

in IOS

Step 1: Find the subscriber of interest

NPE-G1#show subscr ses
Current Subscriber Information: Total sessions 1

Uniq ID Interface  State         Service      Identifier           Up-time
44      IP         authen        Local Term   0017.0e43.a1ac       00:00:29
45      Traffic-Cl unauthen      Ltm Internal                      00:00:29
46      Traffic-Cl unauthen      Ltm Internal                      00:00:29


Step 2: Take the subscribers internal ID and locate its record ID in the AAA databasre

NPE-G1#show subscr ses uid 44 det | i AAA_id
AAA_id 0000001B: Flow_handle 0

Step 3: Look into the AAA database for the found record to see what the accounting session id is.

For ISG sessions look at the Parent-Session-Id, for regular subscribers, look at the "session-id"

NPE-G1#sh aaa user 0x1B | i session-id
65684778 0 00000001 session-id(353) 4 48(30)
656848B0 0 00000001 session-id(353) 4 49(31)
656848F0 0 00000009 parent-session-id(352) 8 00000034


Step 1: Find the subscriber of interest:

RP/0/RSP1/CPU0:A9K-BOTTOM#show subscr sess all
Thu May 26 10:37:17.115 EDT
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, EN - End

Type         Interface                State     Subscriber-IP

                                                LNS Address

PPPoE:PTA    BE1001.100.pppoe4        AC <<<

PPPoE:PTA    BE1001.200.pppoe5        AC

IP:DHCP         BE1001.2.ip3                  AC

PPPoE:LAC    BE1001.300.pppoe6        AC

Step 2: Detail the subscriber interface

RP/0/RSP1/CPU0:A9K-BOTTOM#show subscriber session filter interface bundle-e1001.100.pppoe4 detail
Thu May 26 10:38:42.647 EDT
Interface:                Bundle-Ether1001.100.pppoe4
Circuit ID:               Unknown
Remote ID:                "XTH_TEST"
Type:                     PPPoE:PTA
IP Address:     , VRF: default
Mac Address:              000b.5f2c.ef01
Account-Session Id:       00000067
Nas-Port:                 Unknown
Username:                 test
Subscriber Label:         0x00000067
Created:                  Tue May 24 12:00:57 2011
State:                    Activated
Access-interface:         Bundle-Ether1001.100

<output omitted>

COA Tool Manual

The  COA tool requires you to have a little bit of attribute knowledge in  RADIUS, that is, the attributes are identified by their enummerated  numbers rather then their name. Although you can look at a dictionary  file (attached) to map them should you need that.

The options can be specified all via a CLI, or can be provided in flat config file for ease of use and easy scripting.

The tool supports POD (packet of disconnect) as well as COA requests.


-n <ip addr>The IP address of the NAS that you want to send this COA request to
-N <ipv6>The IPv6 address of the NAS to be targeted (v3.0 new feature) either provide -n or -N
-p <int>The destination port on the NAS that is listening to COA requests (normally this is 1700)
-k <string>The secret-key that is used for the MD5 HASH computation, this must match the definition on the BNG/NAS router.
-dNo sub argument needed, designates the tool to send a POD (packet of  disconnect) request rather then a COA request. If the session is found  it will get terminated.
-t <integer>By default the tool waits indefinitely for a response from the NAS.  The timeout option allows you to wait a number of seconds before the  tool exists
-s <int>Normally a random source port is selected by the tool that is used  to originate the request and listen for a response. If you wish to  specify the source port manually you can use this option. If there is a  single COA request on station X already using source port Q and the tool  is waiting for a response, then a second request cannot use source port  Q if fired from the same station X. An error will be thrown (socket /  bind error).
-f <string>Configuration file that holds the paramters described in a config file

The tool has the option for 6 attributes to be specified. The format is attribute_number,value

The Value is always perceived to be a string value, that means if  there are spaces involved, you need to embrace the string with quotes,  eg 18,"this is a test string"

If you like a certain value to be sent as an integer, for instance  for the Session-Timeout (27), then prefix the value with the word INT

example: 27,INT100 to send an integer value of 100

In case you need to send an ip address such as for Framed-IP-Address then prefix the ip with IP

example: 8,IP255.255.255.254

You can use the sample dictionary file attached to lookup the Attribute name to number to type (int, ip, string)

If you have an IPv6 Address for encoding, you can use the prefix V6 followed by the ipv6 address.

example: 98,"V6fe80::260:1111:feff:ffff"

Framed-IPv6-Prefix is automatically encoded (attribute 97).

-eDecode the response from the NAS into an attribute (integer) and value (string).
-r [0-255]Provide a static requestID, if omitted or out of bounds a random value is generated.
-xExtended debug output, follow what the tool is doing

Note: The bold options must always be provided otherwise the tool can't continue.

Using the Config file

The Tool has the ability to read values from a config file for ease of use. Sample config files will be provided below.

The following is the format of a config file:




Config file Parameters



the nas-ip address, the destination ip.
ipv6-address-Nthe nas-ipv6 address, destination IP of the BNG
secret-ksecret key for md5 hash computation
destport-pdestination port to send the request to
attribute0 (to 9)-0 to -9the attributes to be encapsulated
sourceport-sdefine the source port for the request (optional)
timeout-tTo set the timeout waiting for response (optional)
ENDn/aTo denote the END of the config file reading stops after seeing this keyword

Note that parameters provided by CLI are NOT overwritten by the  config file, so the config file has precedence, eg if secret is provided  by cli using the -k CLIKEY and in the config file with secret=CFGKEY then the key used to hash is CFGKEY.

Formatting VSA's

This section described how to format a VSA

The vendor-specific attribute nubmer is 26

Cisco's vendor ID is 9

Cisco has a few VSA's defined such as:

Cisco-avpair, which is vendor attribute 1

Cisco-nas-port, which is vendor attribute 2

A few SSG attributes:

ATTRIBUTE       SSG-Account-Info              250     string  Cisco
ATTRIBUTE       SSG-Service-Info                251     string  Cisco
ATTRIBUTE       SSG-Command-Code         252     string  Cisco
ATTRIBUTE       SSG-Control-Info                253     string  Cisco

Microsoft is vendor 311 and has 2 key attributes commonly used:

ATTRIBUTE       MS-1st-NBNS-Server              30      ipaddr  Microsoft
ATTRIBUTE       MS-2nd-NBNS-Server              31      ipaddr  Microsoft

To provide a vsa into the tool you use the following format:

-1 26,9,1,"ip:ip-unnumbered=Loopback 123"

to send cisco-avpair with the ip unnumbered info


Account-Logon (config file)


Parameterized QOS (config file)

Adding a parent shaper and a child class with a priority queue policed

attribute3=26,9,1,ip:qos-policy-out=add-class(sub, (class-default), shape(800))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip), pri-level(1), police(256,8))

Account-Logoff (cli)

# ./coa_new -n -p 1700 -k cisco -1 44,34 -2 26,9,1,"subscriber:command=account-logoff" -3 1,"0017.0e43.a1ac"

Release Notes

* VERSION 1.0 - first offical RELEASE

* version 1.1 - added random source port and transaction ID generation

* version 1.2 - added POD capability via the -d option

* version 1.3 - added capability for ssg account info converting

*               serivce logoff 0C to binary 0x0C

* version 1.4 - added capability for ssg account info converting

*               service logoff 0B to binary 0x0B

* version 1.5 - fixed bug in length field of attribute size

* version 1.6 - added session query 0x04

* version 1.7 - added timeout receive option -t

* version 1.8 - added manual source port configuration

* version 1.9 - detect integer strings and send them as int rather then string

*               a string prefix of INT tells the program to treat value as int.

* version 1.10- detect ip prefixes and convert accordingly with IP1.2.3.4

* version 2.0 - ability to read config from file with -f

* version 2.1 - fixed subscriber:password length calculation in v2.0

* version 2.2 - improved hexdump, added code comments, cleaned up code

* version 2.3 - added ability to decode the COA/POD response attributes via -e

*               user configurable requestID

* version 2.4 - config file parse chokes on empty line, fixed that issue

* version 2.5 - Adds support for VSA36 with SALT encryption

* version 2.6 - Fixed bug in salt length character

* version 2.7 - Added expanded source port range (+retry), increased attributes

* version 2.8 - Added IPV6 encoding capabilities via V6 prefix keyword

* version 2.9 - Fixed prefix length corruption crash attr 97

* version 3.0 - Added IPv6 transport for sending COA requests to the BNG

Related Information

Disclaimer: this is not an official Cisco supported tool but merely provided to verify, demonstrate and integrate COA requests with.

Xander Thuijs, CCIE #6775

Principal Engineer ASR9000


oasiscommunication Tue, 03/05/2013 - 05:12

I see this massage about these two files

can you fix it (20.2 K) BLOCKED: Virus detected (23.1 K) BLOCKED: Virus detected



xthuijs Tue, 03/05/2013 - 05:27

Nitzan, thanks for bringing that to my attention, I have fixed it up!


xthuijs Mon, 04/22/2013 - 12:39


this question has come up before. It is not official open source (yet). Although it is not an official Cisco (supported) or provided application, i am investigating with our legal department how to provide source for home grown tools like this.

At this point in time I dont have that authorization to distribute source. But you are free to use the tool for integration in your scripts, portals, testing or whatever other purpose you may have.


refikhadzialic Tue, 08/06/2013 - 01:32

Hi Xander,

I have a question regarding your coa tool. I am building a similar tool just instead of calling your tool the packets get generated in PHP (once I finish it I am willing to share the code with other people who need it).

My question is regarding the authenticator request field. How do you generate it? Could you give me an example or more details, please? I have found the following online: md5( chr(43) . chr(154) . chr(116) . str_repeat(chr(0),16) . $request_attributes . "secret");

where CoARequest=43

Packet identifier=154

Packet length=116

Repeated 16 octets of a zero

Shared secret key: secret

$request_attributes ? what are they? Just the value of the included fields? The dots between the variables and constants is used to concatenate everything.

Thank you. I hope you can help me out with an example!

Best regards,

Refik Hadzialic

xthuijs Tue, 08/06/2013 - 07:03

Hi Refik,

the procedure is as follows. It is probably easiest to define a struct for the Radius header:

typedef struct pw_auth_hdr {

        u_char          code;

        u_char          id;

        u_short     length;

        u_char          vector[AUTH_VECTOR_LEN];

        u_char          data[4096];


First set the vector to all zero's (or better yet, memset the whole structure to zero when you allocate it).

Then fill in all the data, attributes, length, code, ID etc.

Then append the secret to the structure's end of data (omitting the zero's from the data portion (so no padding).

then call the MD5 routines to compute the authenticator and put it back in teh authenticator field with a memcpy.

Does that help?



refikhadzialic Wed, 08/07/2013 - 05:04

Dear Xander,

thanks a lot for your help! Even a hint helps a lot when you are new in the field, therefore your support means a lot to a new employee. I followed your steps and I recreated it in C/C++, once I get the correct results I can easily port it to PHP or any other programming language which fits better our deployed solution.

However I don't get the same hash as compared to your coa tool. I used the packet generated by your coa tool (it is in the source code) for the sake of comparing the two resulting hashes. I guess I didn't insert correctly the data or it is a tiny misunderstanding on my side which we will solve together I hope.

I coppied my source code to paste bin and the output result (hash). Instead of 4096, I used 102 because I thought the length of the packet is attributes.length() + secret.length() = 96+6 since you said to omitt the zeros. Once I get it to work I will make a proper version without mechanically writing all the data and dynamically allocating the memory. On line 62 I substracted 1 from the size of the secret variable as you know C adds a 0 to denote end of the string. I hope my messy code is readable and I explained what I did. The libraries which are used and the way to compile it is mentioned in the comments as well.

Thanks a lot Xander for your help!

Best regards,


xthuijs Wed, 08/07/2013 - 07:41

Hi Refik,

I see a few issues based on a quick glance; depending on the processor type that you are compiling it for, the length

field in the radius header maybe needs to be endian converted.

Also, your packet length is signaled in the header at 0x74, but you are appending the secret at position 96?

Probably best to use a strlen secret too in line 62.

On line 69 you forgot to add the length fo the secret to the buffer length

Probably best to do a memcopy to put the md5 vector into the auth header. You are converting the hex md5 digit to a 2byte string value, or is that just for displaying? (looks like it right?)



refikhadzialic Wed, 08/07/2013 - 14:17

Hi Xander,

thanks a lot. The issue was with the endian notation as you said, my computer stores the variables in little endian while it was required to be in big endian. Thanks once again, without your help I would probably spend a great amount of time looking for the bug!

Best regards,


Carlos A. Silva Tue, 08/13/2013 - 09:00

Hi, Xander:

Is there a way (command) to force a ip session to completely terminate, like the service disconnect command on ASR1k?

We're trying to completely disconnect a customer when a certain timer expires and try to force a reauthentication/reauthorization process.


example on ASR1k:

policy-map type control ipsession

class type control always event session-start

  10 set-timer timer 1440

  20 authorize aaa list ipsession password isg identifier mac-address

  30 service disconnect


class type control always event session-restart

  10 set-timer timer 1440

  20 authorize aaa list ipsession password isg identifier mac-address


class type control always event timed-policy-expiry

  1 service disconnect




xthuijs Tue, 08/13/2013 - 13:59

POD'ing an ip session is tricky right, because the client cant be signaled that we revoked their lease.

so we can destroy the subscr session and mark the binding, but that is dependent on the renewal rate of the lease from the client to rediscover.

Why not do it differently:

timed service. after time expiry apply back HTTP-R?!?!


Carlos A. Silva Thu, 08/15/2013 - 06:32

Hi, Xander:

The reason for trying to do this (and forgive me, I can't remember if I asked you this before) is that customer doesn't have CoA implementation. What they're trying to achieve is for a non-paying customer to get redirected to a portal, by chaging their RADIUS attributes every (say) night. What customer does is they 'sync' dhcp lease time with the policy timer so that session is disconnected at the same time that dhcp lease expires.

Every night a bot grabs non-paying customers MAC address and changes RADIUS atts, so that when that customer is forced to reauthenticate by timer/disconnect, the BRAS receives the atts necessary to redirect customer if it's determined to be behind on payment.

In ASR1k, this scheme seems to work pretty well. In ASR9k, however, looks like we will have to look at a different alternative, correct?



xthuijs Thu, 08/15/2013 - 06:38

Hi Carlos, I would recommend the customer using COA for this as that is much smoother.

But either case, you can disconnect the session with a "clear subscriber" command, but that doesnt revoke the lease, it just marks the binding so on the next renewal from the client, it NAK's the request who will fall back to discover upon which radius will pull the new attributes.

What is interesting to me is that after that HTTP-R is applied, the user will get redirected, pay but how is the HTTP-R then removed if you dont have COA?

it sounds like this design/use case screams for COA.

Also, side note; a POD packet is really like a COA with a different code. So if they want to use POD, then might as well expand to COA.

But any case that is up to you, you know what the options are now



Carlos A. Silva Fri, 08/16/2013 - 15:45

Hi, Xander:

Quick followup on this issue. What happens to an IP Session on ASR BNG when the DHCP lease timers expires. Say DHCP lease given to CPE is 24 hours. When those 24 hours go by, does the IPsession get killed on the BNG so that the CPE when trying get another DHCP has to reauthenticate? (Also, I think CPE will always ask for a renew well before lease time expires, so that is another problem)

Is there a way to make sure (say on DHCP server) that it won't grant the same IP address and force BNG to kill the session, forcing reauthentication?

Thanks in advance.


xthuijs Sat, 08/17/2013 - 05:06

Hi Carlos,

an ip session would renew every time on the half lease time, once the dhcp server acks, the lease time is renewed then also. During renew, the session would ask (dhcp request) the same address, and the server and ack or nack that.

if ACK, it retains the addr, if it naks, the subscriber will fall back to discover upon which you can assign a new addr, but that is really a server implementation.

If the server doesn't ack or nack and the client attempts to renew and doesn't get an answer, it will release the addr (or should) and the binding on the BNG will disappear which will instruct the subscriber session to get destroyed also.

when that happens, the subscr session removed, the subscr will no longer be able to foward traffic, or well better put, the subscr traffic will hit the access interface, so depending on the config of the access if we can basically stop fowarding for this user.



Carlos A. Silva Sat, 08/17/2013 - 05:24

Hi, Xander:

When you say:

"if ACK, it retains the addr, if it naks, the subscriber will fall back to discover upon which you can assign a new addr, but that is really a server implementation."

Say the server NAKs, will the session be destroyed by BNG at that very moment, so that when you fallback to discover the session has to be recreated and reauthenticated/authorized?



xthuijs Sun, 08/18/2013 - 06:15

Hey carlos, yes if the server naks the subscr will fall back to discover and likely obtain a new address, for that reason the subscr session and binding need to be released also.

I'll reconfirm with a quick test and let you know if this is inaccurate, but for now assume this model.



Carlos A. Silva Mon, 08/19/2013 - 13:24

Thank you, Xander. I'd appreciate it if you could confirm. I won't be able to get my hands on an ASR to test it myself for the next couple of weeks.

xthuijs Mon, 08/19/2013 - 13:27

hey carlos, confirmed, the way I wrote it above is the way it is supposed to be operating.



Carlos A. Silva Mon, 08/19/2013 - 13:43

First of all, Xander, thank you very much for taking the time. I know I speak for a lot of people here.

I was wondering if you could share whatever you did to your dhcp server to nak the subscriber. Is that a line on a linux dhcp server perhaps?

xthuijs Mon, 08/19/2013 - 14:09

hi carlos,

you're very welcome, and thanks for that note, thats nice to hear!

I took an IOS dhcp server and tried to clear the binding on teh dhcp server in IOS, that didnt work reliably, so made a special image to NAK requests when they would come in for renewal.

Then i figured a way that if you exclude an address from the pool it should NAK it also.

ip dhcp-server exclude address <addr>

For linux dhcp, I dont know of a trick unfortunately.

MS dhcp server has the option though.



xthuijs Mon, 08/19/2013 - 15:09

If you take the address out of the scope or put it in reserved state, the dhcp server will send a NAK then.



Carlos A. Silva Mon, 08/19/2013 - 15:16

OK, now I get it. So this is a trick you're using to 'insert' a NAK in the renewal process, but NOT a 'feature' on the dhcp server where you are configuring the server so that the client/server setup goes all the way to lease time expiration by NAKing every renewal request.

xthuijs Mon, 08/19/2013 - 15:39

yeah yeah exactly! There may be some dhcp servers out there probably where you can mark a lease for nak or something, but that is so server specific. I would assume that any decent SP dhcp server can do that, as it is a very useful feature to prevent semi static adds (which are usually more expensive).

In order to test the nak func, this is the trick to use (reserve addr from lease)

cheers! xander

Carlos A. Silva Mon, 08/26/2013 - 06:24


And after long conversation: we were told that as of 4.3.1 the 'disconnect' command does exist now (even though I cannot find it anywhere in the command reference). Can you confirm its existence and if it does the same as in the ASR1000, kill the session that is?

RP/0/RSP0/CPU0:BNG_Demo(config-pmap-c)#10 ?

  activate      Activate

  authenticate  Authentication related configuration

  authorize     Authorize

  deactivate    Deactivate

  disconnect    Disconnect session

  set-timer     Set a timer to execute a rule on its expiry

  stop-timer    Disable timer before it expires



xthuijs Mon, 08/26/2013 - 06:38

hi carlos, yes this will destroy the subscriber session.

it is new in XR4.3.1

policy-map type control subscriber testme

event account-logoff match-first

  class type control subscriber DHCP do-until-failure

   10 disconnect





Carlos A. Silva Wed, 10/23/2013 - 14:35


I was wondering if you could take the time for a very 'open' question.

I think BNG is able to integrate with the Quantum (Broadhop) policy-server to offer stuff like speed boost to customers. But as part of this strategy, my customer is thinking about implementing Parental Control also, hopefully through the same BH product.

Is BNG (in some fashion) able to support Parental Controls? If not, what have you seen Cisco is doing to be able to integrate this function? I've heard SCE/Websense integration is no longer an option, so I was wondering if you could point me in the right direction.

Thanks in advance!


xthuijs Wed, 10/23/2013 - 14:38

you can do it multiple ways, either with ACL's but that is not filtering content.

for that you need DPI.

A DPI device is indeed SCE, so if you want to enable PC then you would want to assign/apply an ACL to the subscr

and aBF him towards the SCE.

that is a very common model and supported solution for the asr9000.



Carlos A. Silva Wed, 10/23/2013 - 14:41

Thanks so much for your reply.

Actually, my company has worked with the SCE and (what used to be) Websense Surfcontrol. This was a few years back. What I'm hearing from local Cisco office is that this is not recommended/supported anymore. So I'm looking for an alternative.

sarmed alkadumi Tue, 02/11/2014 - 04:59

Hi Xander,

I was able to use the COA tool to test few things sucessfully on our ASR 9000 BNG, the below command worked for example:

coa_w32.exe -n -p 1700 -k sarmed -1 44,00048a2d -2 26,9,1,"subscriber:sub-qos-policy-in=Bronze-QoS-Policy"

but I cannot activate a dynamic template with it, can you let me know the format required to activate a dynamic template on a subscriber's session ?



xthuijs Tue, 02/11/2014 - 05:05

hi sarmed,

your dynamic template needs to be of the "service" kind if you want to activate them from access-accept or coa.

then you'd use the avpairs for:



see also here for more info maybe:


sarmed alkadumi Tue, 02/11/2014 - 05:44

Hi Xander,

the following worked:

C:\Users\Sarmed-pc\Desktop>coa_w32.exe -n -p 1700 -k sarmed -1 44,00048a2d -2 26,9,1,"subscriber:

sa=xxxx" where xxxx is the dynamic template.

Thanks alot.



sarmed alkadumi Mon, 02/24/2014 - 22:25

Hi Xander,

One more question please, we are trying to get the session information using a COA message from the BNG, we tried to use attribute 250, 252 like the following:



Reply-Message : No sessions found matching identities provided

we are not getting a session query response from the ASR, is there a way to make this work ?




xthuijs Fri, 02/28/2014 - 06:47

hi sarmed, one of the biggest mistakes in ISG for IOS was these complex SSG attributes.

fortunately, we have the cleartext vSA's which are much simplier to use.

You can target the subscriber with the Framed-IP-Address or if the mac is part of the username you can use the username.



sarmed alkadumi Wed, 02/26/2014 - 22:06

Hi Xander,

Our Radius support eng. asked me this question, I did some checking and it seems that this attribute is not supported on the ASR 9000, can you please confirm ?



xthuijs Fri, 02/28/2014 - 06:48

yeah correct, the cleartext avp's are easier to use anyway.



sarmed alkadumi Sat, 03/01/2014 - 21:26

Hi Xander,

we tried using the following:

cisco-avpair : "subscriber:command=session-query"

Acct-Session-Id : 00056286

the only thing we get in response is wether ther session is active or not, is there a command that returns back the complete session parameters like the one available in ISG ?



xthuijs Sat, 03/01/2014 - 23:20

hi sarmed,

ah I see what you're trying to do, at this point session query is not yet supported. Track CSCuc45110 which I filed for the integration.

At this point there is no way to "account ping" the session via COA. You can do some scripted (that is via telnet/ssh) query eg the routing table to find out the subscriber interface, which then can be used as a parameter as filter in teh show subscriber session idenifier command to get the session-ID.


elnur.mammadov Mon, 09/15/2014 - 15:29

Hi Xander

is there a way to extract IP subscriber session state via

XML API/SNMP/CoA on 5.1.1 / 5.1.2 / 5.2.0? 

I particular I'm interested in extracting services activated per session, the below document lists some interesting XML objects but they it come out empty on 5.1.1/5.1.2, do I need to configure anything for that information to get populated?

Also what is the purpose of a subscriber-label? XML seem to refer to it. 


Thank you


xthuijs Mon, 09/15/2014 - 18:11

Unfortunately not yet Elnur.

We have a requirement open for a "session-query" that will get you a response in COA with the services, session id and all that info returned.

today the only option is a show subscriber session [filter <filter criteria>] detail to get the session service details, but it requires some bit of screen scraping.

the subscriber label is an internal reference that is like a session ID in AAA/radius, that links the subscriber components together such as dhcp lease, iedge record, etc etc. it is just an internal label/reference.

All traces inside XR pertaining to BNG leverage that label so we/you can easily link the different events together from different traces.



Thulasirajan Al... Tue, 05/05/2015 - 20:38



I am doing service update coa request with multiple pqos attributes. I have more than 9 attributes but the tool limits only 6 attributes; is there any way we can send more cisco-avpairs ?




xthuijs Wed, 05/06/2015 - 04:03

hi thulasi,

expanded attribute support was added in version 2.9

so if you take either v29 or v30 you should be all set.



Christopher Demaria Fri, 07/03/2015 - 00:49

Hi Xander,

Thanks for the tool works great!

Seems that I have stumbled upon a small bug though, not sure if it the config we are using, the ASR software or the CoA tool. However every time we change between two QoS policies via CoA a process (pkg/bin/qos_ma_ea) on the ASR crashes. It seems the unit does not like going back to the old QoS policy that was originally on the subsriber session.

We are running ASR9001 with software IOSXR 5.2.2

I have attatched a file showing some policy outputs and the crash from the CLI view.

Just wondering if yourself or anyone else has witnessed this before?

If more configuration is required please let me know.



xthuijs Fri, 07/03/2015 - 04:15

hi chris, thank you! :) say although crashes are never good i think there is a problem with the coa profile here. a session wants to have hierarchical qos, so parent shaper, child Q.

the way to achieve that is like this:

attribute3=26,9,1,ip:qos-policy-out=add-class(sub,  (class-default), shape(2048)
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, class-default), queue-limit(100))

the crash seem to be related that the hw cant handle the pmap construct provided,

this is a bug, because the condition should be handled more gracefully.


Christopher Demaria Wed, 07/08/2015 - 22:01

Thanks for the response Xander, much appreciated :)

I understand where you are coming from for establishing the child and parent structure.

However all I am trying to achieve to changing the base parent shaper from say 3M to 2M and then back to 3M.  I am running into the bug, when I am trying to use the "add-class" attribute to change the policy back to the original 3M.

May I ask, am I doing this correctly? or should I be using "remove-class" first and then "add-class" to change the base parent shaping speed?






This Document