OT: Cisco Disconnect-Request packets

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Aug 24 20:11:12 CEST 2011


> 
> radclient  -xs -f /tmp/disconnect.txt 172.17.107.210:3799 disconnect secret
> Sending Disconnect-Request of id 7 to 172.17.107.210 port 3799
> 	User-Name = "testUser at bristol.ac.uk"
> 	Calling-Station-Id = "89:c6:65:99:39:52"
> 	Service-Type = Login-User
> rad_recv: Disconnect-ACK packet from host 172.17.107.210 port 3799, id=7, length=20
> 
> 	   Total approved auths:  1
> 	     Total denied auths:  0
> 	       Total lost auths:  0
> 
> ...so it seems you need User-Name, Calling-Station-Id and Service-Type.

From RFC 3576:

      In Disconnect and CoA-Request messages, all Attributes are treated
      as mandatory.  A NAS MUST respond to a CoA-Request containing one
      or more unsupported Attributes or Attribute values with a CoA-NAK;
      a Disconnect-Request containing one or more unsupported Attributes
      or Attribute values MUST be answered with a Disconnect-NAK.  State
      changes resulting from a CoA-Request MUST be atomic: if the
      Request is successful, a CoA-ACK is sent, and all requested
      authorization changes MUST be made.  If the CoA-Request is
      unsuccessful, a CoA-NAK MUST be sent, and the requested

So if you do include an unsupported attribute, the NAS should NAK the request.

The RFC says User-Name should be present and one or more of the following may be present:

   NAS-Port               5    [RFC2865]  The port on which the session
                                          is terminated.
   Framed-IP-Address      8    [RFC2865]  The IPv4 address associated
                                          with the session.
   Called-Station-Id     30    [RFC2865]  The link address to which
                                          the session is connected.
   Calling-Station-Id    31    [RFC2865]  The link address from which
                                          the session is connected.
   Acct-Session-Id       44    [RFC2866]  The identifier uniquely
                                          identifying the session
                                          on the NAS.
   Acct-Multi-Session-Id 50    [RFC2866]  The identifier uniquely
                                          identifying related sessions.
   NAS-Port-Type         61    [RFC2865]  The type of port used.
   NAS-Port-Id           87    [RFC2869]  String identifying the port
                                          where the session is.
   Originating-Line-Info 94    [NASREQ]   Provides information on the
                                          characteristics of the line
                                          from which a session
                                          originated.
   Framed-Interface-Id   96    [RFC3162]  The IPv6 Interface Identifier
                                          associated with the session;
                                          always sent with
                                          Framed-IPv6-Prefix.
   Framed-IPv6-Prefix    97    [RFC3162]  The IPv6 prefix associated
                                          with the session, always sent
                                          with Framed-Interface-Id.

and then one of the following NAS identification attributes should be present:

   NAS-IP-Address        4    [RFC2865]  The IPv4 address of the NAS.
   NAS-Identifier       32    [RFC2865]  String identifying the NAS.
   NAS-IPv6-Address     95    [RFC3162]  The IPv6 address of the NAS.

That Service-Type looks iffy to me? Are you 100% sure it's required? Could you try swapping it out for another session attribute like Acct-Session-Id? It might just need 3 or more identifying attributes; some vendors have really weird implementations.

-Arran

> 
> -James
> 
> -- 
> James J J Hooper
> Senior Network Specialist, University of Bristol
> http://www.wireless.bristol.ac.uk

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
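
The attribute grouping from the RFC tables above, as an added Python example that is not part of the original message or of FreeRADIUS: it sorts the attributes from the radclient run into the User-Name, session and NAS groups, then builds the Disconnect-Request and verifies the reply's Response Authenticator as RFC 3576 defines it, so a spoofed Disconnect-ACK is rejected. The user name, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
# Attribute numbers from the two tables quoted in the message above.
SESSION_ATTRS = {5, 8, 30, 31, 44, 50, 61, 87, 94, 96, 97}
NAS_ATTRS = {4, 32, 95}

# Constructed sample mirroring the radclient run (user name and secret are made up).
SECRET = b"secret"
SAMPLE_ATTRS = [
    (USER_NAME, b"testUser@example.org"),
    (CALLING_STATION_ID, b"89:c6:65:99:39:52"),
    (SERVICE_TYPE, struct.pack("!I", 1)),  # Login-User
]


def classify(attrs):
    """Sort a request's attribute types into the groups the message lists."""
    types = {t for t, _ in attrs}
    return {
        "user_name": USER_NAME in types,
        "session": sorted(types & SESSION_ATTRS),
        "nas": sorted(types & NAS_ATTRS),
        "other": sorted(types - SESSION_ATTRS - NAS_ATTRS - {USER_NAME}),
    }


def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Build a packet; requests hash 16 zero octets, replies the Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_reply(reply, request, secret):
    """Return the reply code if the Response Authenticator checks out, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return None
    digest = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if hmac.compare_digest(digest, reply[4:20]) else None
```

For the sample request, `classify` reports Calling-Station-Id as the only session attribute, no NAS identification attribute, and Service-Type under "other", which is the attribute the reply above questions.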





More information about the Freeradius-Users mailing list