Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Example of Account Login on ISG in CoA mode

We are developing an ISG Radius CoA client.

Our settings are:

* Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(31)SB6, RELEASE SOFTWARE (fc1)

* Here is a snippet of our configuration for CoA:

aaa server radius dynamic-author

client server-key xxx

server-key xxx

auth-type all

ignore session-key


The issue is that we are not able to implement the "Account Logon" procedure based on the Cisco documentation ( ISG Radius Interface ). We are not clear about the section below from this document:

"Since a CoA Account Logon request usually requires the inclusion of an encrypted password attribute, this password must be sent as Cisco VSA 249, which contains a separate authenticator for the user password (called initiator vector) followed by the encrypted user password, as detailed in Figure 6.


The initiator vector is a 16-octet pseudo-random number uniquely generated for each attribute. The encrypted value field is 16 or more octets containing data that is length-prefixed and zero padded to an even multiple of 16 octets."

We do not understand what procedure should be used for creating the encrypted password/value.

Can someone provide us more information on this with details on how to fill out subscriber-password field? An example would be especially helpful.



New Member

Re: Example of Account Login on ISG in CoA mode

Hi steve, we have a similar issue. please share the details of any resolution if you have had so far. thanks.

New Member

Re: Example of Account Login on ISG in CoA mode

We are using Java and we patched JRadius for supporting Cisco ISG CoA.

Below is the main code for the creation of the cisco subscriber value for the Cisco VSA Radius attribute.

Attached is another file with some Java classes that may help.


public class CiscoUtils {

public static byte[] makeCiscoSubscriberPasswordValue(RadiusClient rc, String password){

byte len = (byte) (password.length()&0xff);

// Encode the length into a first byte of the password (required by util)

byte[] lenPassword = new byte[1 + len];

lenPassword[0] = (byte) (len);

System.arraycopy(password.getBytes(), 0, lenPassword, 1, password.length());

byte[] authenticator = RadiusUtils.makeRFC2865RequestAuthenticator(rc.getMD(), rc.getSharedSecret());

byte[] encryptedValue = RadiusUtils.encodePapPassword(rc.getMD(), lenPassword, authenticator, rc.getSharedSecret());

byte[] result = new byte[authenticator.length + encryptedValue.length ];

System.arraycopy(authenticator, 0, result, 0, authenticator.length);

System.arraycopy(encryptedValue, 0, result, authenticator.length, encryptedValue.length);

return result;