Important: Not all commands and keywords/variables are available or supported. This depends on the platform type and the installed license(s).The system supports CoA messages from the AAA server to change data filters associated with a subscriber session. The CoA request message from the AAA server must contain attributes to identify NAS and the subscriber session and a data filter ID for the data filter to apply to the subscriber session. The filter-id attribute (attribute ID 11) contains the name of an Access Control List (ACL). For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter in the System Administration Guide.
Important: Changing ACL and rulebase together in a single CoA is not supported. For this, two separate CoA requests can be sent through AAA server requesting for one attribute change per request.|
Step 1
|
|
Step 2
|
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.
|
|
Step 3
|
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands. Not all commands and keywords/variables are available or supported. This depends on the platform type and the installed license(s). context <context_name>
radius change-authorize-nas-ip <ipv4/ipv6_address>
|
•
|
<context_name> must be the name of the AAA context where you want to enable CoA and DM. The AAA context must have been configured as described in the Configuring Context-Level AAA Functionality section of the AAA and GTPP Interface Administration and Reference.
|
|
•
|
A number of optional keywords and variables are available for the radius change-authorize-nas-ip command. For more information regarding this command please refer to the Command Line Interface Reference.
|
|
•
|
Filter-ID: CoA only. This must be the name of an existing Access Control List. If this is present in a CoA request, the specified ACL is immediately applied to the specified subscriber session. The Context Configuration mode command, radius attribute filter-id direction, controls in which direction filters are applied.
|
The following error cause is sent in ACK messages upon successful completion of a CoA or DM request:
An ACL rule named readdress server supports redirection of subscriber sessions. The ACL containing this rule must be configured in the destination context of the user. Only TCP and UDP protocol packets are supported. The ACL rule allows specifying the redirected address and an optional port. The source and destination address and ports (with respect to the traffic originating from the subscriber) may be wildcarded. If the redirected port is not specified, the traffic will be redirected to the same port as the original destination port in the datagrams. For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter in the System Administration Guide. For more information on readdress server, refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference.
An ACL with the readdress server rule is applied to an existing subscriber session through CoA messages from the RADIUS server. The CoA message contains the 3GPP2-Correlation-ID, User-Name, Acct-Session-ID, or Framed-IP-Address attributes to identify the subscriber session. The CoA message also contains the Filter-Id attribute which specifies the name of the ACL with the readdress server rule. This enables applying the ACL dynamically to existing subscriber sessions. By default, the ACL is applied as both the input and output filter for the matching subscriber unless the Filter-Id in the CoA message bears the prefix in: or out:.
For information on CoA messages and how they are implemented in the system, refer to the RADIUS Change of Authorization and Disconnect Message section.
Important: Changing ACL and rulebase together in a single CoA is not supported. For this, two separate CoA requests can be sent through AAA server requesting for one attribute change per request.