OT: Cisco Disconnect-Request packets
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Aug 24 20:11:12 CEST 2011
>
> radclient -xs -f /tmp/disconnect.txt 172.17.107.210:3799 disconnect secret
> Sending Disconnect-Request of id 7 to 172.17.107.210 port 3799
> User-Name = "testUser at bristol.ac.uk"
> Calling-Station-Id = "89:c6:65:99:39:52"
> Service-Type = Login-User
> rad_recv: Disconnect-ACK packet from host 172.17.107.210 port 3799, id=7, length=20
>
> Total approved auths: 1
> Total denied auths: 0
> Total lost auths: 0
>
> ...so it seems you need User-Name, Calling-Station-Id and Service-Type.
From RFC 3576:
In Disconnect and CoA-Request messages, all Attributes are treated
as mandatory. A NAS MUST respond to a CoA-Request containing one
or more unsupported Attributes or Attribute values with a CoA-NAK;
a Disconnect-Request containing one or more unsupported Attributes
or Attribute values MUST be answered with a Disconnect-NAK. State
changes resulting from a CoA-Request MUST be atomic: if the
Request is successful, a CoA-ACK is sent, and all requested
authorization changes MUST be made. If the CoA-Request is
unsuccessful, a CoA-NAK MUST be sent, and the requested
So if you do include an unsupported attribute, the NAS should NAK the request.
The RFC says User-Name should be present and one or more of the following may be present:
NAS-Port               5   [RFC2865]  The port on which the session is terminated.
Framed-IP-Address      8   [RFC2865]  The IPv4 address associated with the session.
Called-Station-Id      30  [RFC2865]  The link address to which the session is connected.
Calling-Station-Id     31  [RFC2865]  The link address from which the session is connected.
Acct-Session-Id        44  [RFC2866]  The identifier uniquely identifying the session on the NAS.
Acct-Multi-Session-Id  50  [RFC2866]  The identifier uniquely identifying related sessions.
NAS-Port-Type          61  [RFC2865]  The type of port used.
NAS-Port-Id            87  [RFC2869]  String identifying the port where the session is.
Originating-Line-Info  94  [NASREQ]   Provides information on the characteristics of the line from which a session originated.
Framed-Interface-Id    96  [RFC3162]  The IPv6 Interface Identifier associated with the session; always sent with Framed-IPv6-Prefix.
Framed-IPv6-Prefix     97  [RFC3162]  The IPv6 prefix associated with the session, always sent with Framed-Interface-Id.
and then one of the following NAS identification attributes should be present:
NAS-IP-Address         4   [RFC2865]  The IPv4 address of the NAS.
NAS-Identifier         32  [RFC2865]  String identifying the NAS.
NAS-IPv6-Address       95  [RFC3162]  The IPv6 address of the NAS.
That Service-Type looks iffy to me. Are you 100% sure it's required? Could you try swapping it out for another session attribute like Acct-Session-Id? It might just need 3 or more identifying attributes; some vendors have really weird implementations.
-Arran
>
> -James
>
> --
> James J J Hooper
> Senior Network Specialist, University of Bristol
> http://www.wireless.bristol.ac.uk
>
Arran Cudbard-Bell
a.cudbardb at freeradius.org
RADIUS - Half the complexity of Diameter
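
An added example, not part of the original message and not FreeRADIUS code: Python that encodes a Disconnect-Request like the one in the quoted radclient run, verifies its Request Authenticator (computed as for an Accounting-Request, per RFC 3576), and sorts its attributes into the NAS-identification and session-identification groups listed above. The function names are hypothetical and the User-Name value is a constructed placeholder.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST = 40  # RADIUS packet code for Disconnect-Request
# Attribute numbers taken from the RFC 3576 tables quoted in the message.
NAS_ID = {4: "NAS-IP-Address", 32: "NAS-Identifier", 95: "NAS-IPv6-Address"}
SESSION_ID = {1: "User-Name", 5: "NAS-Port", 8: "Framed-IP-Address",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 44: "Acct-Session-Id",
              50: "Acct-Multi-Session-Id", 61: "NAS-Port-Type", 87: "NAS-Port-Id",
              94: "Originating-Line-Info", 96: "Framed-Interface-Id", 97: "Framed-IPv6-Prefix"}

def request_authenticator(header, body, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + body + secret).digest()

def build_request(pkt_id, attrs, secret):
    """Encode (type, value-bytes) pairs into a signed Disconnect-Request."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, pkt_id, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body

def inspect_request(packet, secret):
    """Verify the authenticator and sort attributes into the RFC's groups."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Disconnect-Request")
    body = packet[20:]
    expected = request_authenticator(packet[:4], body, secret)
    report = {"authentic": hmac.compare_digest(expected, packet[4:20]),
              "nas": [], "session": [], "other": []}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = body[pos], body[pos + 1]
        if atype in NAS_ID:
            report["nas"].append(NAS_ID[atype])
        elif atype in SESSION_ID:
            report["session"].append(SESSION_ID[atype])
        else:
            report["other"].append(atype)  # e.g. 6 = Service-Type
        pos += alen
    return report

# Constructed sample mirroring the quoted radclient request (id 7, "secret").
SAMPLE = build_request(7, [(1, b"testUser@example.org"),     # placeholder user
                           (31, b"89:c6:65:99:39:52"),
                           (6, struct.pack("!I", 1))], b"secret")  # Login-User
```

Running `inspect_request(SAMPLE, b"secret")` puts Service-Type (attribute 6) under `other` and leaves `nas` empty, since the quoted request carries no NAS identification attribute and Service-Type is in neither RFC list.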