[RADIATOR] CoA / Change-of-Authorization / Change-Filter-Request

Michael ringo at vianet.ca
Fri Jan 28 06:26:15 CST 2011



On Fri, 28 Jan 2011, Michael wrote:

>
>
> On Fri, 28 Jan 2011, Steve Lalonde wrote:
>
>> On 28 Jan 2011, at 02:30, Michael wrote:
>>
>>>
>>> I give up.  I've searched for hours for a hint at what this CoA /
>>> Change-of-Authorization / Change-Filter-Request is.  I think it is what
>>> I'm looking for.
>>>
>>> I was kinda hoping something like this would work:
>>> -code Change-Filter-Request User-Name="test" cisco-Policy-Down="rate1M"
>>> or:
>>> code Change-Filter-Request Acct-Session-Id="00000012"
>>> cisco-Policy-Down="rate1M"
>>>
>>> My Disconnect-Request process works fine which uses a similar process.
>>>
>>>
>>> Michael
>>
>> Hi
>>
>> I had the same problem and eventually got it working using the following
>>
>> /usr/local/bin/radpwtst -noauth -noacct -code Change-Filter-Request -secret XXXXXXXX -s $nas-ip -auth_port 1700 Framed-IP-Address=$ip cisco-avpair="ip:sub-qos-policy-out=$policy"
>>
>> that worked but i had scaling issues, only solved when i moved the traffic management to Cisco SCE devices.
>>
>> --
>> Steve Lalonde RTFM
>> Chief Technical Officer
>> Entanet International Ltd
>> http://www.enta.net/
>>
>>
>
>
> Thanks for the suggestion.  I never thought to try to match by IP alone,
> but it didn't seem to work. The router shows the attributes I enter with
> radpwtst, it just refuses to match anything.
>
> COA: x.x.x.x request queued
> ++++++ CoA Attribute List ++++++
> 86124E38 0 00000001 addr(7) 4 x.x.x.x
> 857EA738 0 00000009 sub-qos-policy-out(348) 6 RATE1M
> COA: No matching entry found
> COA: Added Reply Message: No Matching Session
> COA: Added NACK Error Cause: Session Context Not Found
> COA: Sending NAK from port 1700 to x.x.x.x
>
> There must be more strict limitations/requirements in order to match a
> session for CoA? Maybe something else has to be used as matching
> attributes?
>
> I do have the match policy set for ANY for now during testing:
> aaa server radius dynamic-author
>  ...
>  auth-type any
>
> This to me is supposed to tell the router to match a session if ANY
> attribute at all matches.
>
> There must be something more that's required that most people
> unknowingly adhere to?
>


I tried this on a production router, getting frustrated!!  A little
risky, I know.  Last time I tried this for Disconnect-Request, a bug
matched ALL SESSIONS and kicked everyone offline. DAMN CISCO

Anyways, the CoA matched the session and appears to have accepted
the CoA. Gonna have to test this later to see if the rate limit was
applied.  The "show aaa user xxxx" showed the rate limit before I tried it,
and now shows nothing, so I'm not sure if it broke the policy, or applied
what I wanted and it just doesn't show me.

Looks like another IOS bug with my test LNS.  DAMN YOU Cisco.  I'm not
even a network person.  I'm a systems person that has to learn
Cisco because it seems the Cisco people don't know how to do what I want
to do.  But, I don't blame them now that I've started to learn it. Stick
that in your mailing list archive!!! ;)
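As an added example, not from this thread and not Radiator's radpwtst code: it encodes the CoA-Request that Steve's command line sends (RFC 5176 code 43 carrying Framed-IP-Address plus a cisco-avpair Vendor-Specific attribute) and then verifies and decodes the router's CoA-NAK, whose Error-Cause 503 is the "Session Context Not Found" seen in the debug output above. The shared secret, the IP address and the NAK packet itself are constructed placeholders standing in for the real UDP exchange on the dynamic-author port (1700 in the thread).

```python
import hashlib, ipaddress, struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45               # RFC 5176 packet codes
FRAMED_IP, REPLY_MSG, VSA, ERROR_CAUSE = 8, 18, 26, 101  # attribute types used here
CISCO_PEN = 9                                            # IANA enterprise number for cisco-avpair
ERROR_CAUSE_TEXT = {503: "Session Context Not Found"}    # subset of RFC 5176 section 3.5

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    # Vendor-Specific(26) wrapping Cisco vendor type 1, i.e. cisco-avpair="..."
    return avp(VSA, struct.pack("!I", CISCO_PEN) + avp(1, text.encode()))

def build_coa(ident, secret, framed_ip, avpair):
    attrs = avp(FRAMED_IP, ipaddress.IPv4Address(framed_ip).packed) + cisco_avpair(avpair)
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def parse_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def decode_reply(pkt, request, secret):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or ident != request[1]:
        raise ValueError("length/identifier mismatch")
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    if hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("bad Response Authenticator: wrong secret or not from the NAS")
    result = {"code": {COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}.get(code, code)}
    for attr_type, value in parse_attrs(pkt[20:]):
        if attr_type == REPLY_MSG:
            result["reply_message"] = value.decode(errors="replace")
        elif attr_type == ERROR_CAUSE:
            cause = struct.unpack("!I", value)[0]
            result["error_cause"] = (cause, ERROR_CAUSE_TEXT.get(cause, "unknown"))
    return result

def constructed_nak(request, secret, cause, text):
    # Stand-in for the router's CoA-NAK (constructed here so the example runs offline)
    attrs = avp(REPLY_MSG, text.encode()) + avp(ERROR_CAUSE, struct.pack("!I", cause))
    head = struct.pack("!BBH", COA_NAK, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs
```

Checking the Response Authenticator before acting on a reply matters: without it, any host that can reach the CoA client's port could feed it a fake ACK or NAK.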
