[RADIATOR] CoA / Change-of-Authorization / Change-Filter-Request

Michael ringo at vianet.ca
Fri Jan 28 05:43:52 CST 2011



On Fri, 28 Jan 2011, Steve Lalonde wrote:

> On 28 Jan 2011, at 02:30, Michael wrote:
>
>>
>> I give up.  I've searched for hours for a hint at what this CoA /
>> Change-of-Authorization / Change-Filter-Request is.  I think it is what
>> I'm looking for.
>>
>> I was kinda hoping something like this would work:
>> -code Change-Filter-Request User-Name="test" cisco-Policy-Down="rate1M"
>> or:
>> code Change-Filter-Request Acct-Session-Id="00000012"
>> cisco-Policy-Down="rate1M"
>>
>> My Disconnect-Request process works fine which uses a similar process.
>>
>>
>> Michael
>
> Hi
>
> I had the same problem and eventually got it working using the following
>
> /usr/local/bin/radpwtst -noauth -noacct -code Change-Filter-Request -secret XXXXXXXX -s $nas-ip -auth_port 1700 Framed-IP-Address=$ip cisco-avpair="ip:sub-qos-policy-out=$policy"
>
> That worked, but I had scaling issues, only solved when I moved the traffic management to Cisco SCE devices.
>
> -- 
> Steve Lalonde RTFM
> Chief Technical Officer
> Entanet International Ltd
> http://www.enta.net/
>
>


Thanks for the suggestion.  I never thought to try to match by IP alone, 
but it didn't seem to work. The router shows the attributes I enter with 
radpwtst, it just refuses to match anything.

COA: x.x.x.x request queued
++++++ CoA Attribute List ++++++
86124E38 0 00000001 addr(7) 4 x.x.x.x
857EA738 0 00000009 sub-qos-policy-out(348) 6 RATE1M
COA: No matching entry found
COA: Added Reply Message: No Matching Session
COA: Added NACK Error Cause: Session Context Not Found
COA: Sending NAK from port 1700 to x.x.x.x

There must be more strict limitations/requirements in order to match a 
session for CoA? Maybe something else has to be used as matching 
attributes?

I do have the match policy set for ANY for now during testing:
aaa server radius dynamic-author
  ...
  auth-type any

This to me is supposed to tell the router to match a session if ANY 
attribute at all matches.

There must be something more that's required that most people 
unknowingly adhere to?
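
For reference, an added example (not part of the original thread, and not Radiator or Cisco code): what a request like the radpwtst one quoted above looks like on the wire, assuming it is a standard RFC 5176 CoA-Request, and how a CoA-NAK like the one in the router debug is authenticated and its Error-Cause read. The function names are hypothetical, and the address, policy and secret passed in are the caller's own test values.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # RFC 5176 packet codes
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ERROR_CAUSE = 8, 26, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERROR_CAUSES = {503: "Session Context Not Found"}    # subset of RFC 5176 values

def attr(attr_type, value):                          # type, length, value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):                              # cisco-avpair inside a VSA
    return attr(VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def build_packet(code, ident, seed, attrs, secret):
    """Authenticator = MD5(code, id, length, seed, attributes, secret); seed is 16
    zero octets for a request, the Request Authenticator for an ACK or NAK."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    digest = hashlib.md5(header + seed + body + secret).digest()
    return header + digest + body

def build_coa_request(ident, framed_ip, policy, secret):
    attrs = [attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),
             cisco_avpair("ip:sub-qos-policy-out=" + policy)]
    return build_packet(COA_REQUEST, ident, bytes(16), attrs, secret)

def parse_reply(reply, request, secret):
    """Authenticate a CoA-ACK/NAK against its request; return (code, error cause)."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code not in (COA_ACK, COA_NAK) or ident != request[1] or length != len(reply):
        raise ValueError("reply does not belong to this request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    cause, pos = None, 20
    while pos + 2 <= length:
        attr_type, attr_len = reply[pos], reply[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ERROR_CAUSE and attr_len == 6:
            cause = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
        pos += attr_len
    return code, ERROR_CAUSES.get(cause, cause)
```

A reply that fails the authenticator check is rejected before any attribute is read, so a forged NAK cannot be mistaken for the NAS's answer.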




