[RADIATOR] CoA / Change-of-Authorization / Change-Filter-Request

Michael ringo at vianet.ca
Fri Jan 28 06:35:29 CST 2011



On Fri, 28 Jan 2011, Michael wrote:

>
>
> On Fri, 28 Jan 2011, Michael wrote:
>
>>
>>
>> On Fri, 28 Jan 2011, Steve Lalonde wrote:
>>
>>> On 28 Jan 2011, at 02:30, Michael wrote:
>>>
>>>>
>>>> I give up.  I've searched for hours for a hint at what this CoA /
>>>> Change-of-Authorization / Change-Filter-Request is.  I think it is what
>>>> I'm looking for.
>>>>
>>>> I was kinda hoping something like this would work:
>>>> -code Change-Filter-Request User-Name="test" cisco-Policy-Down="rate1M"
>>>> or:
>>>> code Change-Filter-Request Acct-Session-Id="00000012"
>>>> cisco-Policy-Down="rate1M"
>>>>
>>>> My Disconnect-Request process works fine which uses a similar process.
>>>>
>>>>
>>>> Michael
>>>
>>> Hi
>>>
>>> I had the same problem and eventually got it working using the following:
>>>
>>> /usr/local/bin/radpwtst -noauth -noacct -code Change-Filter-Request -secret XXXXXXXX -s $nas-ip -auth_port 1700 Framed-IP-Address=$ip cisco-avpair="ip:sub-qos-policy-out=$policy"
>>>
>>> That worked, but I had scaling issues, only solved when I moved the traffic management to Cisco SCE devices.
>>>
>>> --
>>> Steve Lalonde RTFM
>>> Chief Technical Officer
>>> Entanet International Ltd
>>> http://www.enta.net/
>>>
>>>
>>
>>
>> Thanks for the suggestion.  I never thought to try to match by IP alone,
>> but it didn't seem to work. The router shows the attributes I enter with
>> radpwtst, it just refuses to match anything.
>>
>> COA: x.x.x.x request queued
>> ++++++ CoA Attribute List ++++++
>> 86124E38 0 00000001 addr(7) 4 x.x.x.x
>> 857EA738 0 00000009 sub-qos-policy-out(348) 6 RATE1M
>> COA: No matching entry found
>> COA: Added Reply Message: No Matching Session
>> COA: Added NACK Error Cause: Session Context Not Found
>> COA: Sending NAK from port 1700 to x.x.x.x
>>
>> There must be more strict limitations/requirements in order to match a
>> session for CoA? Maybe something else has to be used as matching
>> attributes?
>>
>> I do have the match policy set for ANY for now during testing:
>> aaa server radius dynamic-author
>>  ...
>>  auth-type any
>>
>> This to me is supposed to tell the router to match a session if ANY
>> attribute at all matches.
>>
>> There must be something more that's required that most people
>> unknowingly adhere to?
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>
>
> I tried this on a production router, getting frustrated!!  A little
> risky I know.  Last time I tried this for Disconnect-Request, a bug
> matched ALL SESSIONS and kicked everyone offline. DAMN CISCO
>
> Anyways, the CoA matched the session and appears to have accepted
> the CoA. Gonna have to test this later to see if the rate limit was
> applied.  The show aaa user xxxx showed the rate limit before I tried it,
> and now shows nothing, so I'm not sure if it broke the policy, or applied
> what I wanted and it just doesn't show me.
>
> Looks like another IOS bug with my test LNS.  DAMN YOU Cisco.  I'm not
> even a network person.  I'm a systems person that has to learn
> Cisco because it seems the Cisco people don't know how to do what I want
> to do.  But, I don't blame them now that I've started to learn it. Stick
> that in your mailing list archive!!! ;)
>



CONFIRMED. I just noticed now, it changed the order of the
attributes.  I didn't notice at first.  It did apply the new
policy.  Looks like it worked fine with my production router.  Must be a
bug in my test LNS. Damn you Cisco.  There's hours of my life I'll never
get back.

Are we allowed to swear in this mailing list? :D
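
The CoA exchange discussed in this thread, as an added example that is not part of the original messages and is not Radiator or radpwtst code: it builds a CoA-Request carrying the two attributes from Steve's command as laid out in RFC 5176, then authenticates and decodes a reply such as the router's "Session Context Not Found" NAK. The secret, address, identifier and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 5176 packet codes
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ERROR_CAUSE = 8, 26, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ERROR_CAUSES = {503: "Session Context Not Found"}  # subset of RFC 5176 values

def attr(attr_type, value):  # one attribute: type, length, value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """MD5(header + auth field + attrs + secret); auth field is zeros for a CoA-Request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def coa_request(ident, secret, framed_ip, policy):
    """Session key (Framed-IP-Address) plus the new policy as a Cisco-AVPair VSA."""
    avpair = attr(CISCO_AVPAIR, ("ip:sub-qos-policy-out=" + policy).encode())
    attrs = attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
    attrs += attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avpair)
    return build_packet(COA_REQUEST, ident, attrs, secret)

def parse_reply(reply, request, secret):
    """Authenticate a CoA-ACK/NAK against its request; return (code, error cause)."""
    code, ident, length = struct.unpack("!BBH", reply[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(reply) or ident != request[1]:
        raise ValueError("bad length or identifier")
    expected = build_packet(code, ident, reply[20:length], secret, request[4:20])
    if not hmac.compare_digest(expected[4:20], reply[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    pos, cause = 20, None
    while pos + 2 <= length:
        a_type, a_len = reply[pos], reply[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == ERROR_CAUSE and a_len == 6:
            value = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
            cause = ERROR_CAUSES.get(value, "Error-Cause %d" % value)
        pos += a_len
    return code, cause

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values, not from the thread
    req = coa_request(7, secret, "192.0.2.10", "RATE1M")
    nak = build_packet(COA_NAK, 7, attr(ERROR_CAUSE, struct.pack("!I", 503)), secret, req[4:20])
    print(parse_reply(nak, req, secret))
```

The only integrity protection on these packets is the MD5 authenticator keyed with the shared secret, so a dynamic-author listener should accept requests only from known client addresses and use a long random secret.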


