CoA, RADIUS DM, and Session Redirection (Hotlining)


 
 
This chapter describes Change of Authorization (CoA), Disconnect Message (DM), and Session Redirect (Hotlining) support in the system. RADIUS attributes, Access Control Lists (ACLs) and filters that are used to implement these features are discussed. The product administration guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model, as described in the respective product Administration Guide, before using the procedures in this chapter.
Important: Not all commands and keywords/variables are available or supported. This depends on the platform type and the installed license(s).
 
RADIUS Change of Authorization and Disconnect Message
This section describes how the system implements CoA and DM RADIUS messages and how to configure the system to use and respond to CoA and DM messages.
 
CoA Overview
The system supports CoA messages from the AAA server to change the data filters associated with a subscriber session. The CoA request message from the AAA server must contain attributes that identify the NAS and the subscriber session, and a data filter ID naming the data filter to apply to the subscriber session. The Filter-Id attribute (attribute ID 11) contains the name of an Access Control List (ACL). For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter.
If the system successfully executes a CoA request, a CoA-ACK message is sent back to the RADIUS server and the data filter is applied to the subscriber session. Otherwise, a CoA-NAK message is sent with an error-cause attribute without making any changes to the subscriber session.
Important: Changing the ACL and the rulebase together in a single CoA is not supported. Instead, the AAA server can send two separate CoA requests, each requesting one attribute change.
 
DM Overview
The DM message is used by a RADIUS server to disconnect subscriber sessions in the system. The DM request message should contain the attributes necessary to identify the subscriber session. If the system successfully disconnects the subscriber session, a DM-ACK message is sent back to the RADIUS server; otherwise, a DM-NAK message is sent with the appropriate error reason.
 
Enabling CoA and DM
To enable RADIUS Change of Authorization and Disconnect Message:
Step 1
Step 2
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
Step 3
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands. Not all commands and keywords/variables are available or supported. This depends on the platform type and the installed license(s).
 
Enabling CoA and DM
Use the following example to enable the system to listen for and respond to CoA and DM messages from the RADIUS server:
configure
  context <context_name>
     radius change-authorize-nas-ip <ip_address>
     end
Notes:
 
<context_name> must be the name of the AAA context where you want to enable CoA and DM. The AAA context must have been configured as described in the Configuring Context-Level AAA Functionality section of the AAA Interface Administration Guide.
A number of optional keywords and variables are available for the radius change-authorize-nas-ip command. For more information regarding this command please refer to the Command Line Interface Reference.
 
CoA and DM Attributes
For CoA and DM messages to be accepted and acted upon, the system and subscriber session to be affected must be identified correctly. Use one of the following attributes to identify the system:
 
To identify the subscriber session, use any one of the following attributes.
To specify the ACL to apply to the subscriber session, use the following attribute:
 
The following attributes are also supported:
 
 
CoA and DM Error-Cause Attribute
 
The Error-Cause attribute is used to convey the results of requests to the system. This attribute is present when a CoA or DM NAK or ACK message is sent back to the RADIUS server.
The value classes of error causes are as follows:
 
The following error cause is sent in ACK messages upon successful completion of a CoA or DM request:
 
The following error causes are sent in NAK messages when a CoA or DM request fails:
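As an added illustration (not from this chapter and not StarOS code), the following Python builds RFC 5176 CoA-Request packets carrying the NAS-IP-Address, Framed-IP-Address and Filter-Id attributes described above and models the NAS side of the exchange: the Request Authenticator is verified against the shared secret before anything is acted on, the session is looked up by Framed-IP-Address, an in: or out: prefix on Filter-Id selects the filter direction, and any failure returns a CoA-NAK carrying an Error-Cause while leaving the session untouched. Attribute numbers and Error-Cause values are the standard RFC 2865 / RFC 5176 ones; the shared secret, addresses and session table are constructed sample values, and which Error-Cause the real system sends in each case is not stated in this chapter.

```python
import hashlib, struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                                  # RADIUS codes, RFC 5176
NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, FILTER_ID, ERROR_CAUSE = 4, 8, 11, 101   # attribute types
ERR_MISSING_ATTR, ERR_NAS_MISMATCH, ERR_SESSION_NOT_FOUND = 402, 403, 503   # Error-Cause values

def encode_attrs(attrs):
    """attrs: list of (type, value bytes); each AVP is type(1) length(1) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(code, ident, attrs, secret):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + attrs + secret)
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def build_response(code, request, attrs, secret):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator covers the request's authenticator, binding reply to request
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def handle_coa(packet, secret, nas_ip, sessions):
    """Toy NAS. nas_ip: 4 packed bytes; sessions: {framed_ip_bytes: {'in': acl, 'out': acl}}."""
    code, ident, auth, attrs = parse(packet)
    expect = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if code != COA_REQUEST or auth != expect:
        return None, None          # unauthenticated or wrong code: drop silently, no NAK
    a = dict(attrs)
    def nak(cause):                # CoA-NAK carrying Error-Cause; session left unchanged
        return build_response(COA_NAK, packet, [(ERROR_CAUSE, struct.pack("!I", cause))], secret), cause
    if a.get(NAS_IP_ADDRESS, nas_ip) != nas_ip:
        return nak(ERR_NAS_MISMATCH)
    if FRAMED_IP_ADDRESS not in a or FILTER_ID not in a:
        return nak(ERR_MISSING_ATTR)
    sess = sessions.get(a[FRAMED_IP_ADDRESS])
    if sess is None:
        return nak(ERR_SESSION_NOT_FOUND)
    name, directions = a[FILTER_ID].decode(), ("in", "out")   # default: both directions
    if name.startswith(("in:", "out:")):                       # prefix limits the direction
        prefix, name = name.split(":", 1)
        directions = (prefix,)
    for d in directions:
        sess[d] = name                                         # apply the named ACL
    return build_response(COA_ACK, packet, [], secret), None
```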
 
 
Viewing CoA and DM Statistics
View CoA and DM message statistics by entering the following command:
show session subsystem facility aaamgr
The following is a sample output of this command.
1 AAA Managers
807 Total aaa requests                    0 Current aaa requests
379 Total aaa auth requests               0 Current aaa auth requests
  0 Total aaa auth probes                 0 Current aaa auth probes
  0 Total aaa auth keepalive              0 Current aaa auth keepalive
426 Total aaa acct requests               0 Current aaa acct requests
  0 Total aaa acct keepalive              0 Current aaa acct keepalive
379 Total aaa auth success                0 Total aaa auth failure
  0 Total aaa auth purged                 0 Total aaa auth cancelled
  0 Total auth keepalive success          0 Total auth keepalive failure
  0 Total auth keepalive purged
  0 Total aaa auth DMU challenged
367 Total radius auth requests            0 Current radius auth requests
  2 Total radius auth requests retried
  0 Total radius auth responses dropped
  0 Total local auth requests             0 Current local auth requests
 12 Total pseudo auth requests            0 Current pseudo auth requests
  0 Total null-username auth requests (rejected)
  0 Total aaa acct completed              0 Total aaa acct purged
  0 Total acct keepalive success          0 Total acct keepalive timeout
  0 Total acct keepalive purged
  0 Total aaa acct cancelled
426 Total radius acct requests            0 Current radius acct requests
  0 Total radius acct requests retried
  0 Total radius acct responses dropped
  0 Total gtpp acct requests              0 Current gtpp acct requests
  0 Total gtpp acct cancelled             0 Total gtpp acct purged
  0 Total null acct requests              0 Current null acct requests
 54 Total aaa acct sessions               5 Current aaa acct sessions
  3 Total aaa acct archived               0 Current aaa acct archived
  0 Current recovery archives             0 Current valid recovery records
  2 Total aaa sockets opened              2 Current aaa sockets open
  0 Total aaa requests pend socket open
  0 Current aaa requests pend socket open
  0 Total radius requests pend server max-outstanding
  0 Current radius requests pend server max-outstanding
  0 Total aaa radius coa requests         0 Total aaa radius dm requests
  0 Total aaa radius coa acks             0 Total aaa radius dm acks
  0 Total aaa radius coa naks             0 Total aaa radius dm naks
  2 Total radius charg auth               0 Current radius charg auth
  0 Total radius charg auth succ          0 Total radius charg auth fail
  0 Total radius charg auth purg          0 Total radius charg auth cancel
  0 Total radius charg acct               0 Current radius charg acct
  0 Total radius charg acct succ          0 Total radius charg acct purg
  0 Total radius charg acct cancel
357 Total gtpp charg                      0 Current gtpp charg
357 Total gtpp charg success              0 Total gtpp charg failure
  0 Total gtpp charg cancel               0 Total gtpp charg purg
  0 Total prepaid online requests         0 Current prepaid online requests
  0 Total prepaid online success          0 Current prepaid online failure
  0 Total prepaid online retried          0 Total prepaid online cancelled
  0 Current prepaid online purged
  0 Total aaamgr purged requests
  0 SGSN: Total db records
  0 SGSN: Total sub db records
  0 SGSN: Total mm records
  0 SGSN: Total pdp records
  0 SGSN: Total auth records
 
Session Redirection (Hotlining)
 
Overview
Session redirection provides a means to redirect subscriber traffic to an external server by applying ACL rules to the traffic of an existing or a new subscriber session. The destination address and optionally the destination port of TCP/IP or UDP/IP packets from the subscriber are rewritten so the packet is forwarded to the designated redirected address. Return traffic to the subscriber has the source address and port rewritten to the original values. The redirect ACL may be applied dynamically by means of the RADIUS Change of Authorization (CoA) feature.
Note that the session redirection feature is only intended to redirect a very small subset of subscribers at any given time. The data structures allocated for this feature are kept to the minimum to avoid large memory overhead in the session managers.
 
Operation
 
ACL Rule
An ACL rule named readdress server supports redirection of subscriber sessions. The ACL containing this rule must be configured in the destination context of the user. Only TCP and UDP protocol packets are supported. The ACL rule allows specifying the redirected address and an optional port. The source and destination address and ports (with respect to the traffic originating from the subscriber) may be wildcarded. If the redirected port is not specified, the traffic will be redirected to the same port as the original destination port in the datagrams. For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter. For more information on readdress server, refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference.
 
Redirecting Subscriber Sessions
An ACL with the readdress server rule is applied to an existing subscriber session through CoA messages from the RADIUS server. The CoA message contains the 3GPP2-Correlation-ID, User-Name, Acct-Session-ID, or Framed-IP-Address attributes to identify the subscriber session. The CoA message also contains the Filter-Id attribute which specifies the name of the ACL with the readdress server rule. This enables applying the ACL dynamically to existing subscriber sessions. By default, the ACL is applied as both the input and output filter for the matching subscriber unless the Filter-Id in the CoA message bears the prefix in: or out:.
For information on CoA messages and how they are implemented in the system, refer to the RADIUS Change of Authorization and Disconnect Message section.
Important: Changing the ACL and the rulebase together in a single CoA is not supported. Instead, the AAA server can send two separate CoA requests, each requesting one attribute change.
 
Session Limits On Redirection
To limit the memory consumed by a session manager, each session manager is allocated a limit of 2000 redirected session entries. This limit is shared equally by the set of subscribers that are currently being redirected. Whenever a redirected session entry must be revoked from a subscriber because there are not enough available session entries, the least recently used entry is revoked.
 
Stopping Redirection
The redirected session entries for a subscriber remain active until a CoA message issued from the RADIUS server specifies a filter that does not contain the readdress server ACL rule. When this happens, the redirected session entries for the subscriber are deleted.
All redirected session entries are also deleted when the subscriber disconnects.
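Added example (constructed for this page, not StarOS code): a toy model of one session manager's redirected-session table, showing the readdress rewrite on subscriber traffic, the restore of the original server address on return traffic, the entry limit shared across subscribers with least-recently-used revocation, and deletion of a subscriber's entries when redirection stops. The packet and rule layouts, the field names, and the small limit used for testing are assumptions; the real data structures are not documented in this chapter.

```python
from collections import OrderedDict

class RedirectTable:
    """Toy model of a session manager's redirected-session entries (constructed for this
    example, not StarOS code). The entry limit is shared by all redirected subscribers;
    when a new flow needs a slot and none is free, the least recently used entry is revoked."""

    def __init__(self, limit=2000):
        self.limit, self.revoked = limit, 0
        self.fwd = OrderedDict()  # (sub, proto, src, sport, dst, dport) -> (redir_ip, redir_port)
        self.rev = {}             # (sub, proto, redir_ip, redir_port, src, sport) -> (dst, dport)

    @staticmethod
    def matches(rule, pkt):
        """Rule fields set to None are wildcards; only TCP and UDP can be readdressed."""
        return (pkt["proto"] in ("tcp", "udp") and pkt["proto"] == rule["proto"]
                and all(rule[f] in (None, pkt[f]) for f in ("src", "sport", "dst", "dport")))

    def forward(self, sub, pkt, rule):
        """Subscriber -> network: rewrite the destination, creating or refreshing the entry."""
        if not self.matches(rule, pkt):
            return dict(pkt)                                  # not redirected
        key = (sub, pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        target = (rule["to_ip"], rule["to_port"] or pkt["dport"])  # port defaults to original
        if key in self.fwd:
            self.fwd.move_to_end(key)                         # mark most recently used
        else:
            if len(self.fwd) >= self.limit:
                old, old_t = self.fwd.popitem(last=False)     # revoke least recently used
                del self.rev[(old[0], old[1], old_t[0], old_t[1], old[2], old[3])]
                self.revoked += 1
            self.fwd[key] = target
            self.rev[(sub, pkt["proto"], target[0], target[1], pkt["src"], pkt["sport"])] = (
                pkt["dst"], pkt["dport"])
        return dict(pkt, dst=target[0], dport=target[1])

    def reverse(self, sub, pkt):
        """Network -> subscriber: put the original server address back on return traffic."""
        orig = self.rev.get((sub, pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return dict(pkt) if orig is None else dict(pkt, src=orig[0], sport=orig[1])

    def stop(self, sub):
        """A filter without the readdress rule was applied, or the subscriber disconnected."""
        for key in [k for k in self.fwd if k[0] == sub]:
            t = self.fwd.pop(key)
            del self.rev[(key[0], key[1], t[0], t[1], key[2], key[3])]
```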
 
Handling IP Fragments
Since TCP/UDP port numbers are part of the redirection mechanism, fragmented IP datagrams must be reassembled before being redirected. Reassembly is particularly necessary when fragments arrive out of order. The session manager performs reassembly of datagrams, and reassembly is attempted only when a datagram matches the readdress server ACL rule. To limit memory usage, at most 10 different datagrams may be concurrently reassembled for a subscriber; any additional request causes the oldest datagram being reassembled to be discarded. The reassembly timeout is 2 seconds. In addition, the total number of fragments being reassembled by a session manager is limited to 1000; if this limit is reached, the oldest datagram being reassembled in the session manager and its fragment list are discarded. These limits are not configurable.
 
Recovery
When a session manager dies, the ACL rules are recovered, but the session redirect entries are re-created only when the MN initiates new traffic for the session. Therefore, after a crash, traffic from the Internet side is not redirected to the MN.
 
AAA Accounting
Where destination-based accounting is implemented, traffic from the subscriber is accounted for using the original destination address and not the redirected address.
 
Viewing the Redirected Session Entries for a Subscriber
View the redirected session entries for a subscriber by entering the following command:
show subscribers debug-info { callid <id> | msid <id> | username <name> }
The following command displays debug information for a subscriber with the MSID 0000012345:
show subscribers debug-info msid 0000012345
The following is a sample output of this command:
username: user1 callid: 01ca11b1 msid: 0000100003
Card/Cpu: 4/2
Sessmgr Instance: 7
Primary callline:
Redundancy Status: Original Session
Checkpoints Attempts Success Last-Attempt Last-Success
Full: 27 26 15700ms 15700ms
Micro: 76 76 4200ms 4200ms
Current state: SMGR_STATE_CONNECTED
FSM Event trace:
State Event
SMGR_STATE_OPEN SMGR_EVT_NEWCALL
SMGR_STATE_NEWCALL_ARRIVED SMGR_EVT_ANSWER_CALL
SMGR_STATE_NEWCALL_ANSWERED SMGR_EVT_LINE_CONNECTED
SMGR_STATE_LINE_CONNECTED SMGR_EVT_LINK_CONTROL_UP
SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_REQ
SMGR_STATE_LINE_CONNECTED SMGR_EVT_IPADDR_ALLOC_SUCCESS
SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_SUCCESS
SMGR_STATE_LINE_CONNECTED SMGR_EVT_UPDATE_SESS_CONFIG
SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP
Data Reorder statistics
Total timer expiry: 0 Total flush (tmr expiry): 0
Total no buffers: 0 Total flush (no buffers): 0
Total flush (queue full): 0 Total flush (out of range):0
Total flush (svc change): 0 Total out-of-seq pkt drop: 0
         Total out-of-seq arrived: 0
IPv4 Reassembly Statistics:
Success: 0 In Progress: 0
Failure (timeout): 0 Failure (no buffers): 0
Failure (other reasons): 0
Redirected Session Entries:
Allowed: 2000 Current: 0
Added: 0 Deleted: 0
Revoked for use by different subscriber: 0
Peer callline:
Redundancy Status: Original Session
Checkpoints Attempts Success Last-Attempt Last-Success
Full: 0 0 0ms 0ms
Micro: 0 0 0ms 0ms
Current state: SMGR_STATE_CONNECTED
FSM Event trace:
State Event
SMGR_STATE_OPEN SMGR_EVT_MAKECALL
SMGR_STATE_MAKECALL_PENDING SMGR_EVT_LINE_CONNECTED
SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP
SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ
SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS
SMGR_STATE_CONNECTED SMGR_EVT_REQ_SUB_SESSION
SMGR_STATE_CONNECTED SMGR_EVT_RSP_SUB_SESSION
SMGR_STATE_CONNECTED SMGR_EVT_ADD_SUB_SESSION
SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ
SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS
Data Reorder statistics
Total timer expiry: 0 Total flush (tmr expiry): 0
Total no buffers: 0 Total flush (no buffers): 0
Total flush (queue full): 0 Total flush (out of range):0
Total flush (svc change): 0 Total out-of-seq pkt drop: 0
Total out-of-seq arrived: 0
IPv4 Reassembly Statistics:
Success: 0 In Progress: 0
Failure (timeout): 0 Failure (no buffers): 0
Failure (other reasons): 0
Redirected Session Entries:
Allowed: 2000 Current: 0
Added: 0 Deleted: 0
Revoked for use by different subscriber: 0
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883