Cisco Cisco ASR 5000 Guide De Dépannage
Understand and Troubleshoot RADIUS CoA and
Disconnect Messages
Disconnect Messages
Document ID: 119397
Contributed by Tomasz Dudarski and Maciej Poszywak, Cisco TAC
Engineers.
Dec 17, 2015
Engineers.
Dec 17, 2015
Contents
Introduction
Definition of RADIUS CoA Messages
RADIUS DM
Attributes for Session Identification
Configuration of RADIUS DMs
Sample Configuration
Failure Scenario Examples
No DM Messages Received on the ASR 5000 Side
UDP Port 3379 Has Ready Socket with No DM Messages
Accounting Request
Disconnect-Request
All the Attributes Match, but the ASR 5000 Sends DM NAK with the Error Message: 401 - Unsupported
Attribute
System Has Configured "no-nas-identification-check" in the "radius change-authorize-nas-ip" Line,
"NAS-Identification-Mismatch" Error Still Returned
Definition of RADIUS CoA Messages
RADIUS DM
Attributes for Session Identification
Configuration of RADIUS DMs
Sample Configuration
Failure Scenario Examples
No DM Messages Received on the ASR 5000 Side
UDP Port 3379 Has Ready Socket with No DM Messages
Accounting Request
Disconnect-Request
All the Attributes Match, but the ASR 5000 Sends DM NAK with the Error Message: 401 - Unsupported
Attribute
System Has Configured "no-nas-identification-check" in the "radius change-authorize-nas-ip" Line,
"NAS-Identification-Mismatch" Error Still Returned
Introduction
This document describes RADIUS disconnect messages (DMs).
Definition of RADIUS CoA Messages
A Change of Authorization (CoA) message is used in order to change attributes and the data filters associated
with a user session. The system supports CoA messages from the Authentication, Authorization, and
Accounting (AAA) server to change data filters associated with a subscriber session.
with a user session. The system supports CoA messages from the Authentication, Authorization, and
Accounting (AAA) server to change data filters associated with a subscriber session.
Note
: The filters in filter-id attributes (if present in the request) should be configured in the ASR 5000 for
application to the user traffic. This is the form of Access Control Lists (ACLs) and is configured in the ASR
5000 with ip access-list commands.
5000 with ip access-list commands.
The CoA request message should contain attributes to identify the user session; attributes and the data filters
need to be applied to the user session. The filter-id attribute (attribute id 11) contains the names of the filters.
If the ASR 5000 successfully executes the CoA request, a CoA ACK is sent back to the RADIUS server and
the new attributes and data filters are applied to the user session. Otherwise, a CoA NAK is sent with proper
reason as an error-code attribute without making any changes to the user session.
need to be applied to the user session. The filter-id attribute (attribute id 11) contains the names of the filters.
If the ASR 5000 successfully executes the CoA request, a CoA ACK is sent back to the RADIUS server and
the new attributes and data filters are applied to the user session. Otherwise, a CoA NAK is sent with proper
reason as an error-code attribute without making any changes to the user session.
RADIUS DM