[RADIATOR] COA for Cisco ISG

Deniz Aydin deniza at netone.net.tr
Tue Aug 26 02:22:11 CDT 2008


Hi Mike, 
  Thanks for your help, now it's not giving an error.

radpwtst -s x -secret x -noauth -noacct -code Change-Filter-Request -trace 4 Account-Info="Sx" Command-Code="\004 "
Tue Aug 26 10:09:28 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
sending Change-Filter-Request...
Tue Aug 26 10:09:28 2008: DEBUG: Packet dump:
*** Sending to x port x ....
Code:       Change-Filter-Request

        Account-Info = "Sx.x.x.x"
        Command-Code = "<4> "

*** Received from x port x ....
Code:       Change-Filter-Request-ACKed
Attributes:
        Account-Info = "Nx"
        User-Name = "deniza at turknet"
        Account-Info = "$IVirtual-Access2.1"
        Command-Code = "<4>1"
        Account-Info = "Sx.x.x.x"
        cisco-avpair = "sg-version=1.0"
        cisco-avpair = "circuit-id-tag= atm 1/1/03/01:8.35"
        cisco-avpair = "remote-id-tag=test"
        NAS-Port = 50339846
        NAS-Port-Id = "nas-port:0.0.0.0:0/0/3/2.6"
        Framed-IP-Address = x

Deniz AYDIN

-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Monday, August 25, 2008 11:56 PM
To: Deniz Aydin
Cc: radiator at open.com.au; Hugh Irvine
Subject: Re: [RADIATOR] COA for Cisco ISG

Hello Deniz,

On Tuesday 26 August 2008 00:07, Deniz Aydin wrote:
> Sorry for the late response,
>         I have tried the "4 " and it's the same, giving an error.
>
>
>  radpwtst -s x -secret x -noauth -noacct -code Change-Filter-Request -trace 4 -dictionary /usr/share/doc/packages/Radiator/goodies/dictionary.cisco Account-Info="Sx" Command-Code="4 "

Sigh, looks like Cisco's documentation is wrong. In that case you should try:

 radpwtst -s x -secret x -noauth -noacct -code Change-Filter-Request -trace 4 -dictionary /usr/share/doc/packages/Radiator/goodies/dictionary.cisco Account-Info="Sx" Command-Code="\004 "

That's an octal escape followed by a space.

Cheers.

>
>
>
> Aug 25 13:55:49: RADIUS: COA  received from id 103 x:33164, CoA Request, len 53
> Aug 25 13:55:49: RADIUS(00000000): sending
> Aug 25 13:55:49: RADIUS(00000000): Send CoA Nack Response to x:33164 id 103, len 84
> Aug 25 13:55:49: RADIUS:  authenticator 61 CA AB 27 34 71 A7 8F - 8E 84 19 4A 75 4D 2B 63
> Aug 25 13:55:49: RADIUS:  Vendor, Cisco       [26]  23
> Aug 25 13:55:49: RADIUS:   ssg-account-info   [250] 17  "Sx"
> Aug 25 13:55:49: RADIUS:  Vendor, Cisco       [26]  10
> Aug 25 13:55:49: RADIUS:   ssg-command-code   [252] 4
> Aug 25 13:55:49: RADIUS:   34 20                [Unknown 4 ]
> Aug 25 13:55:49: RADIUS:  Reply-Message       [18]  25
> Aug 25 13:55:49: RADIUS:   4E 6F 20 63 6F 6E 66 69 67 20 66 6F 75 6E 64 20  [No config found ]
> Aug 25 13:55:49: RADIUS:   74 6F 20 70 75 73 68           [ to push]
> Aug 25 13:55:49: RADIUS:  Dynamic-Author-Error[101] 6   Session Context Not Found [503]
>
>
> Deniz AYDIN
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Wednesday, August 20, 2008 1:53 AM
> To: radiator at open.com.au
> Cc: Deniz Aydin; Hugh Irvine
> Subject: Re: [RADIATOR] COA for Cisco ISG
>
> Hello Deniz,
>
> On Wednesday 20 August 2008 04:05, Deniz Aydin wrote:
> > Hi Hugh,
> >   Here is the cisco doc.
> > http://www.cisco.com/en/US/docs/ios/12_2sb/isg/coa/guide/isgcoa3.html#wp1100293
> > You can look at CoA Request Response Code section and also table 7 for
> > detailed information under that chapter.
>
> According to that doc near table 7, "The command codes can be encoded 
> in binary or in ASCII.".
>
> So, have you tried using:
>
> radpwtst -s x.x.x.x -secret ????? -noauth -noacct -code Change-Filter-Request -trace 4 -dictionary /usr/share/doc/packages/Radiator/goodies/dictionary.cisco Account-Info="Sx.x.x.x" Command-Code="4 "
>
> (That's a space after the 4 in Command-Code).
>
> BTW, in the latest patch set the name of the Command-Code attribute 
> has been changed to Cisco-Command-Code because of a collision with 
> another VSA.
>
> Cheers.
>
> > Deniz AYDIN
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Tuesday, August 19, 2008 12:14 PM
> > To: Deniz Aydin
> > Cc: radiator at open.com.au
> > Subject: Re: [RADIATOR] COA for Cisco ISG
> >
> >
> > Hello Deniz -
> >
> > Thanks for the additional information.
> >
> > Can you please send us a reference to the Cisco documentation that 
> > describes the format of this attribute?
> >
> > The Cisco debug appears to show that this is 2 octets with values of
> > "04" and "20".
> >
> > You can see additional detail from radpwtst by using "-trace 5".
> >
> > regards
> >
> > Hugh
> >
> > On 19 Aug 2008, at 15:28, Deniz Aydin wrote:
> > > Hi Hugh,
> > >   Version is 4.2.
> > > Here there is working debug I got from Cisco.
> > > As you see they sent a command code 4 with a space after it, and the
> > > router correctly recognizes the attribute value.
> > >
> > > Aug 16 11:11:31.299: RADIUS: COA  received from id 3 x.x.x.x:1700, CoA Request, len 47
> > > *Aug 16 11:11:31.299: COA: x.x.x.x request queued
> > > *Aug 16 11:11:31.299: RADIUS:  authenticator C5 E4 09 50 1F 02 2A 1D - 45 E7 A6 47 08 D2 53 19
> > > *Aug 16 11:11:31.299: RADIUS:  Vendor, Cisco       [26]  17
> > > *Aug 16 11:11:31.299: RADIUS:   ssg-account-info   [250] 11  "Sx.x.x.x"
> > > *Aug 16 11:11:31.299: RADIUS:  Vendor, Cisco       [26]  10
> > > *Aug 16 11:11:31.299: RADIUS:   ssg-command-code   [252] 4
> > > *Aug 16 11:11:31.299: RADIUS:   04 20                [Account-Ping ]  <<=====
> > > *Aug 16 11:11:31.299:  ++++++ CoA Attribute List ++++++
> > >
> > > Here is debug of my request, as you see router recognizes this
> > > attribute as it's in ASCII format. I have also captured radius packets
> > > and it also shows that Command-Code = 04 20. Is there any value
> > > that shows the attribute value is binary or ASCII in the radius header?
> > >
> > > radpwtst -s x.x.x.x -secret dr5mak -noauth -noacct -code Change-Filter-Request -trace 4 -dictionary /usr/share/doc/packages/Radiator/goodies/dictionary.cisco Account-Info="Sx.x.x.x" Command-Code="04 20"
> > > Tue Aug 19 08:46:54 2008: DEBUG: Reading dictionary file '/usr/share/doc/packages/Radiator/goodies/dictionary.cisco'
> > > sending Change-Filter-Request...
> > > Tue Aug 19 08:46:54 2008: DEBUG: Packet dump:
> > > *** Sending to x.x.x.x port x ....
> > > Code:       Change-Filter-Request
> > > Identifier: 159
> > > Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > > Attributes:
> > >         Account-Info = "Sx.x.x.x"
> > >         Command-Code = 04 20
> > >
> > >
> > > Aug 18 12:35:40: RADIUS: COA  received from id 95 x.x.x.x:33070, CoA Request, len 55
> > > Aug 18 12:35:40: COA: 193.192.100.200 request queued
> > > Aug 18 12:35:40: RADIUS:  authenticator 94 3A BC 82 6F 8B 09 03 - 44 0A B7 FE 27 F3 A3 1A
> > > Aug 18 12:35:40: RADIUS:  Vendor, Cisco       [26]  22
> > > Aug 18 12:35:40: RADIUS:   ssg-account-info   [250] 16  "Sx.x.x.x"
> > > Aug 18 12:35:40: RADIUS:  Vendor, Cisco       [26]  13
> > > Aug 18 12:35:40: RADIUS:   ssg-command-code   [252] 7
> > > Aug 18 12:35:40: RADIUS:   30 34 20 32 30             [Unknown 04 20]
> > >
> > > Deniz AYDIN
> > >
> > > -----Original Message-----
> > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > Sent: Tuesday, August 19, 2008 5:42 AM
> > > To: Deniz Aydin
> > > Cc: radiator at open.com.au
> > > Subject: Re: [RADIATOR] COA for Cisco ISG
> > >
> > >
> > > Hello Deniz -
> > >
> > > The Command-Code that you are sending is in fact an ASCII string -
> > > you will see the same thing as both ASCII and binary.
> > >
> > > What version of Radiator are you using? And what does the Cisco 
> > > device debug say is wrong?
> > >
> > > You can see what radpwtst is sending by using "-trace 4" as a 
> > > parameter (you are just using "-trace" in what you show below).
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On 18 Aug 2008, at 19:08, Deniz Aydin wrote:
> > >> Hi,
> > >>         I have been trying to test the radpwtst utility. But there
> > >> is some problem about the Command-Code attribute. Firstly I tried
> > >> with ASCII mode command-code:
> > >>
> > >> radpwtst -s x.x.x.x -secret x -noauth -noacct -code Change-Filter-Request -trace -dictionary /usr/share/doc/packages/Radiator/goodies/dictionary.cisco Account-Info="Sx.x.x.x.x" Command-Code="subscriber:command=account-status-query"
> > >>
> > >> And Cisco want me to try with binary mode command code. So I
> > >> have changed dictionary file for Command-Code
> > >> VENDORATTR      9               Command-Code            252     binary
> > >>
> > >> Is it enough for sending this attribute in binary mode, because when I
> > >> look at Cisco debugs, I am seeing that it recognizes this as string.
> > >>
> > >> radpwtst -s x.x.x.x -secret x -noauth -noacct -code Change-Filter-Request -trace -dictionary /usr/share/doc/packages/Radiator/goodies/dictionary.cisco Account-Info="Sx.x.x.x" Command-Code="04 20"
> > >>
> > >> Deniz AYDIN
> > >>
> > >> _______________________________________________
> > >> radiator mailing list
> > >> radiator at open.com.au
> > >> http://www.open.com.au/mailman/listinfo/radiator
> > >
> > > NB:
> > >
> > > Have you read the reference manual ("doc/ref.html")?
> > > Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > > Have you had a quick look on Google (www.google.com)?
> > > Have you included a copy of your configuration file (no secrets), 
> > > together with a trace 4 debug showing what is happening?
> > > Have you checked the RadiusExpert wiki:
> > > http://www.open.com.au/wiki/index.php/Main_Page
> > >
> > > --
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > > Includes support for reliable RADIUS transport (RadSec), and
> > > DIAMETER translation agent.
> > > -
> > > Nets: internetwork inventory and management - graphical, extensible,
> > > flexible with hardware, software, platform and database independence.
> > > -
> > > CATool: Private Certificate Authority for Unix and Unix-like systems.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco etc on Unix, Windows, MacOSX,
Solaris, VMS, NetWare etc.
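
Added example, not part of the original thread and not Radiator or Cisco code: it encodes the three Command-Code arguments tried above as a Cisco vendor-specific attribute (vendor 9, sub-attribute 252, as in the dictionary line quoted in the thread) and reports the value bytes and the two length fields that the Cisco debug prints. The escape expansion is an illustration of the octal escape Mike describes; function names are hypothetical.

```python
import re
import struct

CISCO_VENDOR_ID = 9       # from the thread's dictionary line: VENDORATTR 9 ...
SSG_COMMAND_CODE = 252    # ssg-command-code sub-attribute number
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type


def expand_octal(text: str) -> bytes:
    """Expand backslash-octal escapes such as \\004 into raw bytes.

    Illustrates the escape described in the thread; not Radiator's parser.
    """
    out = re.sub(r"\\([0-3]?[0-7]{1,2})",
                 lambda m: chr(int(m.group(1), 8)), text)
    return out.encode("latin-1")


def encode_vsa(value: bytes, vendor=CISCO_VENDOR_ID,
               vtype=SSG_COMMAND_CODE) -> bytes:
    """Wrap value in a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vtype, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor) + sub


def describe(arg: str) -> dict:
    """Return the value bytes and the two lengths shown in the Cisco debug."""
    value = expand_octal(arg)
    vsa = encode_vsa(value)
    return {
        "value_hex": value.hex(" ").upper(),
        "vendor_len": vsa[1],   # number after "Vendor, Cisco [26]"
        "sub_len": vsa[7],      # number after "ssg-command-code [252]"
    }


# Command-Code arguments tried in the thread, oldest first.
ATTEMPTS = ["04 20", "4 ", r"\004 "]

if __name__ == "__main__":
    for arg in ATTEMPTS:
        d = describe(arg)
        print(f'{arg!r:10} -> {d["value_hex"]:16} '
              f'Vendor len {d["vendor_len"]}, sub-attribute len {d["sub_len"]}')
```

Only the last argument yields the two octets 04 20 that the working Cisco debug labels Account-Ping; the other two produce the ASCII bytes the router reported as Unknown.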


