MLPPP Acct-Session-Id
Hi, Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session We are using MultilinkPPP (single session per bundle still) and it is not working as it normally would with PPP. Thanks, Jay RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149 COA: x.x.x.20 request queued RADIUS: authenticator 70 8D C4 4D 97 82 50 02 - 73 6B 53 27 81 52 29 BD RADIUS: User-Name [1] 25 "user1@5_6_mlp.com1" RADIUS: Acct-Session-Id [44] 10 "000110A4" RADIUS: Vendor, Cisco [26] 46 RADIUS: Cisco AVpair [1] 40 "ip:sub-qos-policy-in=policy_session_in_coa" RADIUS: Vendor, Cisco [26] 48 RADIUS: Cisco AVpair [1] 42 "ip:sub-qos-policy-out=policy_session_out_coa" COA: Message Authenticator missing or failed decode ++++++ CoA Attribute List ++++++ 7FD2EA5DA700 0 00000009 username(447) 23 user1@asr_5_6_mlp.com1 7FD2EA5DB090 0 00000001 session-id(409) 4 69796(110A4) 7FD2EA5DB0A8 0 00000009 sub-qos-policy-in(421) 17 policy_session_in_coa 7FD2EA5DB0C0 0 00000009 sub-qos-policy-out(423) 18 policy_session_out_coa RADIUS/ENCODE(00000000):Orig. component type = Invalid RADIUS(00000000): sending RADIUS(00000000): Send CoA Nack Response to x.x.x.99:1052 id 48, len 157 RADIUS: authenticator 76 2F 9A 52 29 2C 26 57 - 27 F6 E0 CC A6 E6 F1 13 RADIUS: User-Name [1] 25 "user1@5_6_mlp.com1" RADIUS: Vendor, Cisco [26] 43 RADIUS: Cisco AVpair [1] 37 "sub-qos-policy-in=policy_session_in_coa" RADIUS: Vendor, Cisco [26] 45 RADIUS: Cisco AVpair [1] 39 "sub-qos-policy-out=policy_session_out_coa" RADIUS: Reply-Message [18] 18 RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session] RADIUS: Dynamic-Author-Error[101] 6 Unsupported Service [405]
Ignore the fact the user domains don't match, I was manually editing to change them....and blocking out the IPs -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Jay Kuhne (jkuhne) Sent: Monday, March 28, 2011 10:43 PM To: FreeRadius users mailing list Subject: MLPPP Acct-Session-Id Hi, Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session We are using MultilinkPPP (single session per bundle still) and it is not working as it normally would with PPP. Thanks, Jay RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149 COA: x.x.x.20 request queued RADIUS: authenticator 70 8D C4 4D 97 82 50 02 - 73 6B 53 27 81 52 29 BD RADIUS: User-Name [1] 25 "user1@5_6_mlp.com1" RADIUS: Acct-Session-Id [44] 10 "000110A4" RADIUS: Vendor, Cisco [26] 46 RADIUS: Cisco AVpair [1] 40 "ip:sub-qos-policy-in=policy_session_in_coa" RADIUS: Vendor, Cisco [26] 48 RADIUS: Cisco AVpair [1] 42 "ip:sub-qos-policy-out=policy_session_out_coa" COA: Message Authenticator missing or failed decode ++++++ CoA Attribute List ++++++ 7FD2EA5DA700 0 00000009 username(447) 23 user1@asr_5_6_mlp.com1 7FD2EA5DB090 0 00000001 session-id(409) 4 69796(110A4) 7FD2EA5DB0A8 0 00000009 sub-qos-policy-in(421) 17 policy_session_in_coa 7FD2EA5DB0C0 0 00000009 sub-qos-policy-out(423) 18 policy_session_out_coa RADIUS/ENCODE(00000000):Orig. component type = Invalid RADIUS(00000000): sending RADIUS(00000000): Send CoA Nack Response to x.x.x.99:1052 id 48, len 157 RADIUS: authenticator 76 2F 9A 52 29 2C 26 57 - 27 F6 E0 CC A6 E6 F1 13 RADIUS: User-Name [1] 25 "user1@5_6_mlp.com1" RADIUS: Vendor, Cisco [26] 43 RADIUS: Cisco AVpair [1] 37 "sub-qos-policy-in=policy_session_in_coa" RADIUS: Vendor, Cisco [26] 45 RADIUS: Cisco AVpair [1] 39 "sub-qos-policy-out=policy_session_out_coa" RADIUS: Reply-Message [18] 18 RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session] RADIUS: Dynamic-Author-Error[101] 6 Unsupported Service [405] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jay Kuhne (jkuhne) wrote:
Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session
I'm not sure I can parse that. I *think* the correct response is to say "read the NAS documentation". If the NAS accepts CoA packets, the documentation *should* say what it needs in the CoA to disconnect a session. Failing that, look at the Accounting-Request packets for the session. Take that data (other than the various counters), put it into a CoA packet, and hope for the best.
RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149 COA: x.x.x.20 request queued ... COA: Message Authenticator missing or failed decode
That message seems clear. Add the Message-Authenticator attribute to the CoA packet. And *why* does the NAS require this? RFC5176 does *not* require a Message-Authenticator to be in a CoA packet. Alan DeKok.
Hi Alan, Thanks for your reply. I think the bottom line is I need to do some more investigation. I tried a PPP vs. MLPPP session and my COAs work as expected. I'll see if I can gather data from the Accounting-Request like you mention. I'll see if I can find the " Message-Authenticator attribute" I'm not sure why the NAS is making this mandatory, I'll have to investigate. This is very helpful since as I can clearly see I'm not an expert in this area. Thanks, Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, March 29, 2011 1:50 AM To: FreeRadius users mailing list Subject: Re: MLPPP Acct-Session-Id Jay Kuhne (jkuhne) wrote:
Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session
I'm not sure I can parse that. I *think* the correct response is to say "read the NAS documentation". If the NAS accepts CoA packets, the documentation *should* say what it needs in the CoA to disconnect a session. Failing that, look at the Accounting-Request packets for the session. Take that data (other than the various counters), put it into a CoA packet, and hope for the best.
RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149
COA: x.x.x.20 request queued
...
COA: Message Authenticator missing or failed decode
That message seems clear. Add the Message-Authenticator attribute to the CoA packet. And *why* does the NAS require this? RFC5176 does *not* require a Message-Authenticator to be in a CoA packet. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, Do you know of a syntax on Radclient for defining the "Message-Authenticator attribute"? I'll see if I can find it in the accounting record, get it working and then follow-up as to why the it's not as per RFC. Thanks, Jay -----Original Message----- From: Jay Kuhne (jkuhne) Sent: Tuesday, March 29, 2011 9:08 AM To: FreeRadius users mailing list Subject: RE: MLPPP Acct-Session-Id Hi Alan, Thanks for your reply. I think the bottom line is I need to do some more investigation. I tried a PPP vs. MLPPP session and my COAs work as expected. I'll see if I can gather data from the Accounting-Request like you mention. I'll see if I can find the " Message-Authenticator attribute" I'm not sure why the NAS is making this mandatory, I'll have to investigate. This is very helpful since as I can clearly see I'm not an expert in this area. Thanks, Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, March 29, 2011 1:50 AM To: FreeRadius users mailing list Subject: Re: MLPPP Acct-Session-Id Jay Kuhne (jkuhne) wrote:
Is there another attribute syntax on radclient that could be used aside from Acct-Session-Id to perform COA to a session
I'm not sure I can parse that. I *think* the correct response is to say "read the NAS documentation". If the NAS accepts CoA packets, the documentation *should* say what it needs in the CoA to disconnect a session. Failing that, look at the Accounting-Request packets for the session. Take that data (other than the various counters), put it into a CoA packet, and hope for the best.
RADIUS: COA received from id 48 x.x.x.99:1052, CoA Request, len 149
COA: x.x.x.20 request queued
...
COA: Message Authenticator missing or failed decode
That message seems clear. Add the Message-Authenticator attribute to the CoA packet. And *why* does the NAS require this? RFC5176 does *not* require a Message-Authenticator to be in a CoA packet. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jay Kuhne (jkuhne) wrote:
Do you know of a syntax on Radclient for defining the "Message-Authenticator attribute"?
It's just like any other attribute... Message-Authenticator = ""
I'll see if I can find it in the accounting record, get it working and then follow-up as to why the it's not as per RFC.
The NAS vendors don't bother following (or even reading) the RFCs. Alan DeKok.
Okay thanks. I'll do some investigating and let you know. It may be a little bit but I will reply with my findings. Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, March 29, 2011 10:20 AM To: FreeRadius users mailing list Subject: Re: MLPPP Acct-Session-Id Jay Kuhne (jkuhne) wrote:
Do you know of a syntax on Radclient for defining the "Message-Authenticator attribute"?
It's just like any other attribute... Message-Authenticator = ""
I'll see if I can find it in the accounting record, get it working and
then follow-up as to why the it's not as per RFC.
The NAS vendors don't bother following (or even reading) the RFCs. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, Thanks again for your reply, I just wanted to follow-up with you. On the ASR1K BRAS we see the same Message-Authenticator when performing COA via PPP so that is not the issue here After enabling more debug and performing COA when the multilink bundle is established, we get Mar 28 14:32:07.078 EST: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session] Mar 28 14:32:07.078 EST: RADIUS: Dynamic-Author-Error[101] 6 Unsupported Service [405] So far the bundle appears to be reflected in cli output as having the same type of UID, AAA_id and Sesison_Id as a PPP session but obviously that does not work. So we need to work with our Cisco development to understand how to identify the bundle. The qos policies are attached to the bundles and not the underlying PPP sessions so we truly need to address the bundle with COA. Just wanted to let you know where I'm at. Thanks, Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Jay Kuhne (jkuhne) Sent: Tuesday, March 29, 2011 10:56 AM To: FreeRadius users mailing list Subject: RE: MLPPP Acct-Session-Id Okay thanks. I'll do some investigating and let you know. It may be a little bit but I will reply with my findings. Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, March 29, 2011 10:20 AM To: FreeRadius users mailing list Subject: Re: MLPPP Acct-Session-Id Jay Kuhne (jkuhne) wrote:
Do you know of a syntax on Radclient for defining the "Message-Authenticator attribute"?
It's just like any other attribute... Message-Authenticator = ""
I'll see if I can find it in the accounting record, get it working and
then follow-up as to why the it's not as per RFC.
The NAS vendors don't bother following (or even reading) the RFCs. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Forgot to mention, also attempted with Acct-Multi-Session-Id, which was in the accounting record but same result. -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Jay Kuhne (jkuhne) Sent: Thursday, March 31, 2011 5:26 PM To: FreeRadius users mailing list Subject: RE: MLPPP Acct-Session-Id Hi Alan, Thanks again for your reply, I just wanted to follow-up with you. On the ASR1K BRAS we see the same Message-Authenticator when performing COA via PPP so that is not the issue here After enabling more debug and performing COA when the multilink bundle is established, we get Mar 28 14:32:07.078 EST: RADIUS: 4E 6F 20 76 61 6C 69 64 20 53 65 73 73 69 6F 6E [ No valid Session] Mar 28 14:32:07.078 EST: RADIUS: Dynamic-Author-Error[101] 6 Unsupported Service [405] So far the bundle appears to be reflected in cli output as having the same type of UID, AAA_id and Sesison_Id as a PPP session but obviously that does not work. So we need to work with our Cisco development to understand how to identify the bundle. The qos policies are attached to the bundles and not the underlying PPP sessions so we truly need to address the bundle with COA. Just wanted to let you know where I'm at. Thanks, Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Jay Kuhne (jkuhne) Sent: Tuesday, March 29, 2011 10:56 AM To: FreeRadius users mailing list Subject: RE: MLPPP Acct-Session-Id Okay thanks. I'll do some investigating and let you know. It may be a little bit but I will reply with my findings. Jay -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, March 29, 2011 10:20 AM To: FreeRadius users mailing list Subject: Re: MLPPP Acct-Session-Id Jay Kuhne (jkuhne) wrote:
Do you know of a syntax on Radclient for defining the "Message-Authenticator attribute"?
It's just like any other attribute... Message-Authenticator = ""
I'll see if I can find it in the accounting record, get it working and
then follow-up as to why the it's not as per RFC.
The NAS vendors don't bother following (or even reading) the RFCs. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jay Kuhne (jkuhne) wrote:
Forgot to mention, also attempted with Acct-Multi-Session-Id, which was in the accounting record but same result.
I would say to ask the NAS manufacturer for a list of what they need in the CoA packet, but that doesn't seem to apply here. I'm not sure why CoA is so complicated. If there's an Acct-Session-Id attribute, the NAS should use that to identify a session. Pretty much every other "session identification" attribute can be ignored. Alan DeKok.
On Apr 2, 2011, at 12:34 AM, Alan DeKok wrote:
Jay Kuhne (jkuhne) wrote:
Forgot to mention, also attempted with Acct-Multi-Session-Id, which was in the accounting record but same result.
I would say to ask the NAS manufacturer for a list of what they need in the CoA packet, but that doesn't seem to apply here.
I'm not sure why CoA is so complicated. If there's an Acct-Session-Id attribute, the NAS should use that to identify a session. Pretty much every other "session identification" attribute can be ignored.
Some NAS manufacturers require multiple Identification attributes, you really need to ask the manufacturer what attributes and values are required to identify a session. Sometimes you also need a minimum number of policy attributes in addition to the identification attributes. CoA doesn't differentiate between the two types at a packet level its completely implementation specific. -Arran
Thank you Arran and Alan for your feedback. I received confirmation it was not yet implemented on Cisco ASR1k. -----Original Message----- From: freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco.com@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell Sent: Saturday, April 02, 2011 4:58 AM To: FreeRadius users mailing list Subject: Re: MLPPP Acct-Session-Id On Apr 2, 2011, at 12:34 AM, Alan DeKok wrote:
Jay Kuhne (jkuhne) wrote:
Forgot to mention, also attempted with Acct-Multi-Session-Id, which was in the accounting record but same result.
I would say to ask the NAS manufacturer for a list of what they need in the CoA packet, but that doesn't seem to apply here.
I'm not sure why CoA is so complicated. If there's an Acct-Session-Id attribute, the NAS should use that to identify a session. Pretty much every other "session identification" attribute can be ignored.
Some NAS manufacturers require multiple Identification attributes, you really need to ask the manufacturer what attributes and values are required to identify a session. Sometimes you also need a minimum number of policy attributes in addition to the identification attributes. CoA doesn't differentiate between the two types at a packet level its completely implementation specific. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Jay Kuhne (jkuhne)