Using COA, Change of Authorization for Access and BNG platforms
In access deployments using RADIUS, during the Access-Accept we can pass reply items back to the NAS, which allows us to configure per-user settings that alter the base template config or apply extra features. These features normally can't change afterwards, since RADIUS by itself doesn't allow for reauthorization. For that purpose COA (Change of Authorization) was developed, allowing an active session to have its configuration changed based on what is effectively a new set of reply items downloaded to the NAS.
** Download a COA client for windows, MAC or linux below **
Latest version is v3.1 January 2017
The words NAS (network access server), BRAS (Broadband Remote Access Server) and BNG (Broadband next generation) are used interchangeably; they all refer to the same concept of aggregating subscribers.
Typically NAS is used in modem access scenarios, BRAS for PPPoA and PPPoE termination whereas BNG involves the concept of subscriber policies along with IP session termination (including PPPoX).
RADIUS servers are available in open source form on the web; for instance the Livingston RADIUS server and FreeRADIUS are very popular. Vendors have also provided their own RADIUS servers, such as Cisco Secure ACS. However, there is not a wide variety of COA tools out there unless they come with a "portal" type implementation, in which COA is generally leveraged a lot. In this article I am presenting a COA tool that can be used from a normal Linux station, allowing you to send a COA request to a NAS of your choice. The usage of the tool is explained, as well as the key parameters you need to provide in order to make a successful COA request.
Feature changes support with COA
What features can be changed via COA is highly dependent on the platform and software release being run. The COA tool will encapsulate your attributes and send them to the NAS, but it is the NAS's responsibility to apply the features and return a proper status on the result.
Features supported in the COA tool
Up to 10 attributes to be included in the COA request
Change of Authorization and Packet of Disconnect support
Random source ports or manually configurable
Encoding of the cisco-avpair subscriber:password="password" for account logon in VSA 249
Extended debug capability
Configurable via CLI or Configuration file
Request timeout support
Multi thread support
Encoding of strings, ip addresses and integers
Currently supported on Linux and W32 (Solaris is no longer supported or maintained!)
Various binary ISG codes supported (0A, 0B, 04 etc)
The minimum configuration required for IOS looks like this
aaa server radius dynamic-author
 client 18.104.22.168
 client 22.214.171.124
 server-key cisco
 auth-type any
client determines from which source IP addresses we accept a COA request. Sources not in the list get ignored.
server-key is the shared secret used for the MD5 authenticator computation and must match what the COA client will be using.
auth-type defines which attributes are to be used for session identification.
For instance, if you provide the Accounting-Session-Id and Username the auth-type any means that the first session found that matches EITHER one of these check items will be subject to modification.
Auth-type ALL means that all check items must match.
With 4.2.0, IOS-XR for the ASR9000 will also have BNG with COA support. Here is the configuration required in IOS-XR:
aaa server radius dynamic-author
 port 1700
 server-key cisco
 auth-type any
 client 126.96.36.199 vrf default
  server-key cisco
A global server key is possible, and a per-client key is also configurable. The listen port is configurable (the same applies in IOS; the port line is omitted from the IOS config above as port 1700 is the default).
COA Check items
To target a specific session you can use various attributes such as Framed-IP-Address, User-Name or Accounting-Session-Id.
It is recommended to always specify the Accounting-Session-Id (attribute 44). The reason is that this attribute references a single session on any BNG, as this number must be unique. The internal code lookups are much faster with this attribute than with User-Name or Framed-IP-Address, as those result in a linear walk. Also, User-Name and FIP (sessions with the same IP address in different VRFs) may not be unique on the device.
To provide extra safety and make sure you are targeting the right session, you can configure auth-type match-all and send the Acct-Session-Id (44) as well as a User-Name (1), giving a fast lookup AND the assurance that this username is indeed the one we had in mind altering.
How to find the Accounting-Session-Id
You can look up the accounting session ID in the RADIUS accounting records, but in IOS or XR you can also find the ID rather easily.
Note that the Accounting-Session-Id is generally a string that is perceived to be an integer.
In IOS the radius-record may prefix the acct-session-id STRING with a nas-port identifier like this:
IOS will strip and only use the 8 right most digits as the accounting session ID. In COA requests you could omit all 0's and just use "BA" for the id, however at the time of writing ios-xr does a string match and wants to see the 8 digits all together.
Step 1: Find the subscriber of interest
NPE-G1#show subscr ses
Current Subscriber Information: Total sessions 1

Uniq ID Interface  State    Service      Identifier      Up-time
44      IP         authen   Local Term   0017.0e43.a1ac  00:00:29
45      Traffic-Cl unauthen Ltm Internal                 00:00:29
46      Traffic-Cl unauthen Ltm Internal                 00:00:29
Step 2: Take the subscriber's internal ID and locate its record ID in the AAA database
NPE-G1#show subscr ses uid 44 det | i AAA_id
AAA_id 0000001B: Flow_handle 0
NPE-G1#
Step 3: Look into the AAA database for the found record to see what the accounting session id is.
For ISG sessions look at the Parent-Session-Id, for regular subscribers, look at the "session-id"
RP/0/RSP1/CPU0:A9K-BOTTOM#show subscr sess all
Thu May 26 10:37:17.115 EDT
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, EN - End

Type        Interface            State  Subscriber-IP
-------------------------------------------------------------------------
PPPoE:PTA   BE1001.100.pppoe4    AC     188.8.131.52:default   <<<
PPPoE:PTA   BE1001.200.pppoe5    AC     184.108.40.206:RED
IP:DHCP     BE1001.2.ip3         AC     172.28.15.14:default
PPPoE:LAC   BE1001.300.pppoe6    AC     220.127.116.11
Step 2: Detail the subscriber interface
RP/0/RSP1/CPU0:A9K-BOTTOM#show subscriber session filter interface bundle-e1001.100.pppoe4 detail
Thu May 26 10:38:42.647 EDT
Interface:            Bundle-Ether1001.100.pppoe4
Circuit ID:           Unknown
Remote ID:            "XTH_TEST"
Type:                 PPPoE:PTA
IP Address:           18.104.22.168, VRF: default
Mac Address:          000b.5f2c.ef01
Account-Session Id:   00000067
Nas-Port:             Unknown
Username:             test
Subscriber Label:     0x00000067
Created:              Tue May 24 12:00:57 2011
State:                Activated
Access-interface:     Bundle-Ether1001.100
COA Tool Manual
The COA tool requires you to have a little bit of RADIUS attribute knowledge; that is, the attributes are identified by their enumerated numbers rather than their names. You can, however, look at the dictionary file (attached) to map them should you need to.
The options can all be specified via the CLI, or can be provided in a flat config file for ease of use and easy scripting.
The tool supports POD (packet of disconnect) as well as COA requests.
-n <ip addr>
The IP address of the NAS that you want to send this COA request to
The IPv6 address of the NAS to be targeted (v3.0 new feature) either provide -n or -N
The destination port on the NAS that is listening to COA requests (normally this is 1700)
The secret-key that is used for the MD5 HASH computation, this must match the definition on the BNG/NAS router.
No sub-argument needed; designates the tool to send a POD (packet of disconnect) request rather than a COA request. If the session is found it will get terminated.
By default the tool waits indefinitely for a response from the NAS. The timeout option lets you specify a number of seconds to wait before the tool exits.
Normally a random source port is selected by the tool that is used to originate the request and listen for a response. If you wish to specify the source port manually you can use this option. If there is a single COA request on station X already using source port Q and the tool is waiting for a response, then a second request cannot use source port Q if fired from the same station X. An error will be thrown (socket / bind error).
Configuration file that holds the parameters described here (see Using the Config file below).
The tool has the option for 6 attributes to be specified. The format is attribute_number,value
The value is always perceived to be a string value; that means if there are spaces involved, you need to enclose the string in quotes, e.g. 18,"this is a test string"
If you like a certain value to be sent as an integer, for instance for the Session-Timeout (27), then prefix the value with the word INT
example: 27,INT100 to send an integer value of 100
In case you need to send an ip address such as for Framed-IP-Address then prefix the ip with IP
You can use the sample dictionary file attached to look up the attribute name, number and type (int, ip, string).
If you have an IPv6 Address for encoding, you can use the prefix V6 followed by the ipv6 address.
Framed-IPv6-Prefix is automatically encoded (attribute 97).
Decode the response from the NAS into an attribute (integer) and value (string).
Provide a static requestID, if omitted or out of bounds a random value is generated.
Extended debug output, follow what the tool is doing
Note: The bold options must always be provided otherwise the tool can't continue.
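As an added example (not the COA tool itself, nor code from the article), the Python below encodes tool-style "number,value" specs the way the manual describes (plain string, INT and IP prefixes), builds a CoA-Request whose Request Authenticator is the MD5 computation the server-key on the dynamic-author client must match (RFC 5176), and verifies the Response Authenticator of the CoA-ACK/NAK that comes back before trusting its code. The NAS side (nas_reply) is a constructed stand-in so the exchange runs offline; the session id 00000067 and username test come from the show output above, while the secret "cisco", identifier 7 and address 10.0.0.1 are constructed sample values.

```python
import hashlib
import ipaddress
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes

def encode_attr(spec):
    """Turn one tool-style 'number,value' spec into a RADIUS AVP (type, length, value).
    The value is sent as a string unless prefixed INT (32-bit integer) or IP (IPv4)."""
    num, value = spec.split(",", 1)
    if value.startswith("INT"):
        payload = struct.pack("!I", int(value[3:]))
    elif value.startswith("IP"):
        payload = ipaddress.IPv4Address(value[2:]).packed
    else:
        payload = value.strip('"').encode()  # quotes only group a string with spaces
    return bytes([int(num), 2 + len(payload)]) + payload

def build_coa_request(secret, specs, ident):
    """Build a CoA-Request. RFC 5176 defines the Request Authenticator as
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(encode_attr(s) for s in specs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def nas_reply(secret, request, code=COA_ACK, attrs=b""):
    """Constructed stand-in for the NAS side (not a real BNG): the reply authenticator
    is MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def check_response(secret, request, response):
    """Return the reply code (44 = CoA-ACK, 45 = CoA-NAK) only if the identifier matches
    the request and the Response Authenticator verifies under the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return response[0] if expected == response[4:20] else None

def decode_attrs(packet):
    """Walk a packet's attribute list, returning (attribute number, raw value) pairs."""
    out, i, length = [], 20, min(struct.unpack("!H", packet[2:4])[0], len(packet))
    while i + 2 <= length and packet[i + 1] >= 2:
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out
```

A reply whose authenticator does not verify, or whose identifier does not match the outstanding request, is dropped rather than reported as an ACK or NAK.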
Using the Config file
The Tool has the ability to read values from a config file for ease of use. Sample config files will be provided below.
Sets the timeout for waiting on a response (optional)
Denotes the END of the config file; reading stops after seeing this keyword
Note that parameters provided by the CLI are NOT overwritten by the config file, so the config file has precedence: e.g. if the secret is provided on the CLI using -k CLIKEY and in the config file with secret=CFGKEY, then the key used to hash is CFGKEY.