
New Member

WLC WLAN Authentication from External RADIUS Server

Dears,

How do I make the WLC receive a PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients?

Thanks,

4 REPLIES
Silver

WLC WLAN Authentication from External RADIUS Server

Ahmed,

Here is the wireless controller side of it if this is a Cisco one:

config radius auth rfc3576 {enable | disable} index

Enables or disables RFC 3576, which is an extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3se/5700/sec-usr-aaa-xe-3se-5700-book/sec-rad-coa.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

New Member

WLC WLAN Authentication from External RADIUS Server

Thanks for the reply, but I mean: which message can the external RADIUS server send to the Wireless LAN Controller to disconnect a client session?

Thanks,

Silver

Re: WLC WLAN Authentication from External RADIUS Server

Hi Ahmed,

It's not documented well, but here it is:

CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)

- If a user has to be logged out, the following attributes are expected:
  - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
    SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
  - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed if we want to delete a particular user session via a particular device (like PDA, Phone or PC)
  - SSH_RADIUS_AVP_USER_NAME(1)

- If a management user has to be logged out, the following attributes are expected:
  - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribute with the following value:
    SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
    OR
    SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
  - SSH_RADIUS_AVP_USER_NAME(1)
  - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)

Eg:

*Dec 17 12:59:08.926:   Packet contains 14 AVPs:
*Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
*Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
*Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
*Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
*Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
*Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
*Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
*Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)

*Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0

*Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
*Dec 17 12:59:34.044:   Packet contains 6 AVPs:
*Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
*Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
*Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
*Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
*Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
*Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
*Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
*Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
*Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

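To make the Disconnect-Request exchange above concrete, here is an added example (not from this thread, nor Cisco's or any RADIUS server's code) that builds a Disconnect-Request with the same six attributes the WLC debug shows, computes the RFC 3576 Request Authenticator, and then does what the WLC must do on receipt: recompute the authenticator from the shared secret, parse the AVPs defensively, and answer with a Disconnect-ACK or a Disconnect-NAK carrying Error-Cause (the "Error cause 503" in the debug; RFC 3576 names 503 "Session Context Not Found", the WLC's own wording differs slightly). The packet codes, attribute numbers and the authenticator formulas come from RFC 2865 and RFC 3576; the NAS address, user name, Acct-Session-Id and Calling-Station-Id values are copied from the debug above, and the shared secret is a constructed placeholder.

```python
import hashlib
import hmac
import struct

# RFC 3576 packet codes for the Disconnect and CoA families.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used in the thread (RFC 2865) plus Error-Cause (RFC 3576).
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 4, 6, 8
CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 31, 44, 101
SERVICE_TYPE_LOGIN = 1
ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND = 503  # the "Error cause 503" in the WLC debug

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute; strings are UTF-8, integers/addresses are raw 4 bytes."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def ipv4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_request(code, identifier, attrs, secret):
    body = b"".join(attrs)
    header = HEADER.pack(code, identifier, 20 + len(body))
    # Request Authenticator (RFC 3576): MD5 over Code+ID+Length, 16 zero octets, attributes, shared secret.
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """NAS side: a request is acted on only if its authenticator matches the shared secret."""
    if len(packet) < 20:
        return False
    _, _, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, secret, attrs=()):
    body = b"".join(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    # Response Authenticator: MD5 over Code+ID+Length, the request's authenticator, attributes, secret.
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """Server side: the ACK/NAK must echo the identifier and be bound to our request authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_avps(packet):
    """Return [(type, raw_value), ...]; malformed lengths raise instead of reading past the buffer."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated AVP header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad AVP length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def disconnect_request_for_user(identifier, secret, nas_ip, user_name, calling_station_id, acct_session_id):
    """Disconnect-Request with the session-identification attributes the thread lists for a normal user."""
    attrs = [
        avp(NAS_IP_ADDRESS, ipv4(nas_ip)),
        avp(USER_NAME, user_name),
        avp(ACCT_SESSION_ID, acct_session_id),
        avp(CALLING_STATION_ID, calling_station_id),
        avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
    ]
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


def error_cause(response):
    """Error-Cause value from a Disconnect-NAK/CoA-NAK, or None when absent."""
    for attr_type, value in parse_avps(response):
        if attr_type == ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed placeholder for the WLC/server shared secret
    req = disconnect_request_for_user(7, SECRET, "10.0.71.251", "user@domain",
                                      "10.0.63.27", "4b2a1d0c/00:1c:26:cb:27:71/4")
    print("request accepted by NAS check:", verify_request(req, SECRET))
    nak = build_response(req, DISCONNECT_NAK, SECRET,
                         [avp(ERROR_CAUSE, struct.pack("!I", ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND))])
    print("NAK error cause:", error_cause(nak))
```

The example only builds and checks packets in memory; in the debug above the real exchange runs over UDP to port 3799, the RFC 3576 port the WLC replies to. The same framing serves CoA-Request (code 43), which the last post asks about, but the attribute set the WLC expects for CoA is not given in this thread, so the example does not guess it. The `verify_request` step is the part that matters for the controller: without the shared secret the authenticator cannot be produced, so a stray or spoofed Disconnect-Request is discarded before any session-lookup happens.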
New Member


Hello, Ed!

What is the format of messages for CoA? I've added User-Name and Service-Type, but the WLC wants something else:

*radiusRFC3576TransportThread: Sep 09 18:48:18.990: Invalid attributes received in 'RFC-3576 CoA-Request' from 11.1.7.240
