This chapter describes Change of Authorization (CoA), Disconnect Message (DM), and Session Redirect (Hotlining) support in the system. RADIUS attributes, Access Control Lists (ACLs) and filters that are used to implement these features are discussed. The product administration guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model, as described in this Administration Guide, before using the procedures in this chapter.
Not all functions, commands, and keywords/variables are available or supported for all network function or services. This depends on the platform type and the installed license(s).
This section describes how the system implements CoA and DM RADIUS messages and how to configure the system to use and respond to CoA and DM messages.
The system supports CoA messages from the AAA server to change data filters associated with a subscriber session. The CoA request message from the AAA server must contain attributes to identify NAS and the subscriber session and a data filter ID for the data filter to apply to the subscriber session. The filter-id attribute (attribute ID 11) contains the name of an Access Control List (ACL). For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter in the System Administration Guide.
If the system successfully executes a CoA request, a CoA-ACK message is sent back to the RADIUS server and the data filter is applied to the subscriber session. Otherwise, a CoA-NAK message is sent with an error-cause attribute without making any changes to the subscriber session.
Changing ACL and rulebase together in a single CoA is not supported. For this, two separate CoA requests can be sent through AAA server requesting for one attribute change per request.
The DM message is used to disconnect subscriber sessions in the system from a RADIUS server. The DM request message should contain necessary attributes to identify the subscriber session. If the system successfully disconnects the subscriber session, a DM-ACK message is sent back to the RADIUS server, otherwise, a DM-NAK message is sent with proper error reasons.
The RADIUS Change of Authorization (CoA) and Disconnect Message (DM) are licensed Cisco features. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
To enable RADIUS Change of Authorization and Disconnect Message:
Step 1 | Enable the system to listen for and respond to CoA and DM messages from the RADIUS server as described in Enabling CoA and DM. |
Step 2 | Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. |
Step 3 | View CoA and DM
message statistics as described in
Viewing CoA and DM Statistics.
Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands. Not all commands and keywords/variables are available or supported. This depends on the platform type and the installed license(s). |
Use the following example to enable the system to listen for and respond to CoA and DM messages from the RADIUS server:
configure context <context_name> radius change-authorize-nas-ip <ipv4/ipv6_address> end
<context_name> must be the name of the AAA context where you want to enable CoA and DM.
For more information on configuring the AAA context, if you are using StarOS 12.3 or an earlier release, refer to the Configuring Context-Level AAA Functionality section of the AAA and GTPP Interface Administration and Reference. If you are using StarOS 14.0 or a later release, refer to the AAA Interface Administration and Reference.
A number of optional keywords and variables are available for the radius change-authorize-nas-ip command. For more information regarding this command please refer to the Command Line Interface Reference.
For CoA and DM messages to be accepted and acted upon, the system and subscriber session to be affected must be identified correctly.
If 3GPP2 service is configured the following attribute is used for correlation identifier:
3GPP2-Correlation-ID: The values should exactly match the 3GPP2-correlation-id of the subscriber session. This is one of the preferred methods of subscriber session identification.
3GPP-IMSI: International Mobile Subscriber Identification (IMSI) number should be validated and matched with the specified IMSI for specific PDP context.
3GPP-NSAPI: Network Service Access Point Identifier (NSAPI) should match to the NSAPI specified for specific PDP context.
User-Name: The value should exactly match the subscriber name of the session. This is one of the preferred methods of subscriber session identification.
Framed-IP-Address: The values should exactly match the framed IP address of the session.
Calling-station-id: The value should match the Mobile Station ID.
Filter-ID: CoA only. This must be the name of an existing Access Control List. If this is present in a CoA request, the specified ACL is immediately applied to the specified subscriber session. The Context Configuration mode command, radius attribute filter-id direction, controls in which direction filters are applied.
Event-Timestamp: This attribute is a timestamp of when the event being logged occurred.
3GPP2-Disconnect-Reason: This attribute indicates the reason for disconnecting the user. This attribute may be present in the RADIUS Disconnect-request Message from the Home Radius server to the PDSN.
3GPP2-Session-Termination-Capability: When CoA and DM are enabled by issuing the radius change-authorize-nas-ip command, this attribute is included in a RADIUS Access-request message to the Home RADIUS server and contains the value 3 to indicate that the system supports both Dynamic authorization with RADIUS and Registration Revocation for Mobile IPv4. The attribute is also included in the RADIUS Access-Accept message and contains the preferred resource management mechanism by the home network, which is used for the session and may include values 1 through 3.
The Error-Cause attribute is used to convey the results of requests to the system. This attribute is present when a CoA or DM NAK or ACK message is sent back to the RADIUS server.
201- Residual Session Context Removed
401 - Unsupported Attribute
402 - Missing Attribute
403 - NAS Identification Mismatch
404 - Invalid Request
405 - Unsupported Service
406 - Unsupported Extension
501 - Administratively Prohibited
503 - Session Context Not Found
504 - Session Context Not Removable
506 - Resources Unavailable
View CoA and DM message statistics by entering the following command:
show session subsystem facility aaamgr
1 AAA Managers 807 Total aaa requests 0 Current aaa requests 379 Total aaa auth requests 0 Current aaa auth requests 0 Total aaa auth probes 0 Current aaa auth probes 0 Total aaa auth keepalive 0 Current aaa auth keepalive 426 Total aaa acct requests 0 Current aaa acct requests 0 Total aaa acct keepalive 0 Current aaa acct keepalive 379 Total aaa auth success 0 Total aaa auth failure 0 Total aaa auth purged 0 Total aaa auth cancelled 0 Total auth keepalive success 0 Total auth keepalive failure 0 Total auth keepalive purged 0 Total aaa auth DMU challenged 367 Total radius auth requests 0 Current radius auth requests 2 Total radius auth requests retried 0 Total radius auth responses dropped 0 Total local auth requests 0 Current local auth requests 12 Total pseudo auth requests 0 Current pseudo auth requests 0 Total null-username auth requests (rejected) 0 Total aaa acct completed 0 Total aaa acct purged 0 Total acct keepalive success 0 Total acct keepalive timeout 0 Total acct keepalive purged 0 Total aaa acct cancelled 426 Total radius acct requests 0 Current radius acct requests 0 Total radius acct requests retried 0 Total radius acct responses dropped 0 Total gtpp acct requests 0 Current gtpp acct requests 0 Total gtpp acct cancelled 0 Total gtpp acct purged 0 Total null acct requests 0 Current null acct requests 54 Total aaa acct sessions 5 Current aaa acct sessions 3 Total aaa acct archived 0 Current aaa acct archived 0 Current recovery archives 0 Current valid recovery records 2 Total aaa sockets opened 2 Current aaa sockets open 0 Total aaa requests pend socket open 0 Current aaa requests pend socket open 0 Total radius requests pend server max-outstanding 0 Current radius requests pend server max-outstanding 0 Total aaa radius coa requests 0 Total aaa radius dm requests 0 Total aaa radius coa acks 0 Total aaa radius dm acks 0 Total aaa radius coa naks 0 Total aaa radius dm naks 2 Total radius charg auth 0 Current radius charg auth 0 Total radius charg auth succ 0 Total radius charg auth fail 0 Total radius charg auth purg 0 Total radius charg auth cancel 0 Total radius charg acct 0 Current radius charg acct 0 Total radius charg acct succ 0 Total radius charg acct purg 0 Total radius charg acct cancel 357 Total gtpp charg 0 Current gtpp charg 357 Total gtpp charg success 0 Total gtpp charg failure 0 Total gtpp charg cancel 0 Total gtpp charg purg 0 Total prepaid online requests 0 Current prepaid online requests 0 Total prepaid online success 0 Current prepaid online failure 0 Total prepaid online retried 0 Total prepaid online cancelled 0 Current prepaid online purged 0 Total aaamgr purged requests 0 SGSN: Total db records 0 SGSN: Total sub db records 0 SGSN: Total mm records 0 SGSN: Total pdp records 0 SGSN: Total auth records
Functionality described for this feature in this segment is not applicable for HNB-GW sessions.
Session redirection provides a means to redirect subscriber traffic to an external server by applying ACL rules to the traffic of an existing or a new subscriber session. The destination address and optionally the destination port of TCP/IP or UDP/IP packets from the subscriber are rewritten so the packet is forwarded to the designated redirected address. Return traffic to the subscriber has the source address and port rewritten to the original values. The redirect ACL may be applied dynamically by means of the RADIUS Change of Authorization (CoA) feature.
Note that the session redirection feature is only intended to redirect a very small subset of subscribers at any given time. The data structures allocated for this feature are kept to the minimum to avoid large memory overhead in the session managers.
The Session Redirection (Hotlining) is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide.
An ACL rule named readdress server supports redirection of subscriber sessions. The ACL containing this rule must be configured in the destination context of the user. Only TCP and UDP protocol packets are supported. The ACL rule allows specifying the redirected address and an optional port. The source and destination address and ports (with respect to the traffic originating from the subscriber) may be wildcarded. If the redirected port is not specified, the traffic will be redirected to the same port as the original destination port in the datagrams. For detailed information on configuring ACLs, refer to the IP Access Control Lists chapter in the System Administration Guide. For more information on readdress server, refer to the ACL Configuration Mode Commands chapter of the Command Line Interface Reference.
An ACL with the readdress server rule is applied to an existing subscriber session through CoA messages from the RADIUS server. The CoA message contains the 3GPP2-Correlation-ID, User-Name, Acct-Session-ID, or Framed-IP-Address attributes to identify the subscriber session. The CoA message also contains the Filter-Id attribute which specifies the name of the ACL with the readdress server rule. This enables applying the ACL dynamically to existing subscriber sessions. By default, the ACL is applied as both the input and output filter for the matching subscriber unless the Filter-Id in the CoA message bears the prefix in: or out:.
For information on CoA messages and how they are implemented in the system, refer to RADIUS Change of Authorization and Disconnect Message.
Changing ACL and rulebase together in a single CoA is not supported. For this, two separate CoA requests can be sent through AAA server requesting for one attribute change per request.
To limit the amount of memory consumed by a session manager a limit of 2000 redirected session entries per session manager is allocated. This limit is equally shared by the set of subscribers who are currently being redirected. Whenever a redirected session entry is subject to revocation from a subscriber due to an insufficient number of available session entries, the least recently used entry is revoked.
The redirected session entries for a subscriber remain active until a CoA message issued from the RADIUS server specifies a filter that does not contain the readdress server ACL rule. When this happens, the redirected session entries for the subscriber are deleted.
All redirected session entries are also deleted when the subscriber disconnects.
Since TCP/UDP port numbers are part of the redirection mechanism, fragmented IP datagrams must be reassembled before being redirected. Reassembly is particularly necessary when fragments are sent out of order. The session manager performs reassembly of datagrams and reassembly is attempted only when a datagram matches the redirect server ACL rule. To limit memory usage, only up to 10 different datagrams may be concurrently reassembled for a subscriber. Any additional requests cause the oldest datagram being reassembled to be discarded. The reassembly timeout is set to 2 seconds. In addition, the limit on the total number of fragments being reassembled by a session manager is set to 1000. If this limit is reached, the oldest datagram being reassembled in the session manager and its fragment list are discarded. These limits are not configurable.
When a session manager dies, the ACL rules are recovered. The session redirect entries have to be re-created when the MN initiates new traffic for the session. Therefore when a crash occurs, traffic from the Internet side is not redirected to the MN.
Where destination-based accounting is implemented, traffic from the subscriber is accounted for using the original destination address and not the redirected address.
View the redirected session entries for a subscriber by entering the following command:
show subscribers debug-info { callid <id> | msid <id> | username <name> }
The following command displays debug information for a subscriber with the MSID 0000012345:
show subscribers debug-info msid 0000012345
The following is a sample output of this command:
username: user1 callid: 01ca11b1 msid: 0000100003 Card/Cpu: 4/2 Sessmgr Instance: 7 Primary callline: Redundancy Status: Original Session Checkpoints Attempts Success Last-Attempt Last-Success Full: 27 26 15700ms 15700ms Micro: 76 76 4200ms 4200ms Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event SMGR_STATE_OPEN SMGR_EVT_NEWCALL SMGR_STATE_NEWCALL_ARRIVED SMGR_EVT_ANSWER_CALL SMGR_STATE_NEWCALL_ANSWERED SMGR_EVT_LINE_CONNECTED SMGR_STATE_LINE_CONNECTED SMGR_EVT_LINK_CONTROL_UP SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_LINE_CONNECTED SMGR_EVT_IPADDR_ALLOC_SUCCESS SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_LINE_CONNECTED SMGR_EVT_UPDATE_SESS_CONFIG SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP Data Reorder statistics Total timer expiry: 0 Total flush (tmr expiry): 0 Total no buffers: 0 Total flush (no buffers): 0 Total flush (queue full): 0 Total flush (out of range):0 Total flush (svc change): 0 Total out-of-seq pkt drop: 0 Total out-of-seq arrived: 0 IPv4 Reassembly Statistics: Success: 0 In Progress: 0 Failure (timeout): 0 Failure (no buffers): 0 Failure (other reasons): 0 Redirected Session Entries: Allowed: 2000 Current: 0 Added: 0 Deleted: 0 Revoked for use by different subscriber: 0 Peer callline: Redundancy Status: Original Session Checkpoints Attempts Success Last-Attempt Last-Success Full: 0 0 0ms 0ms Micro: 0 0 0ms 0ms Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event SMGR_STATE_OPEN SMGR_EVT_MAKECALL SMGR_STATE_MAKECALL_PENDING SMGR_EVT_LINE_CONNECTED SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_CONNECTED SMGR_EVT_REQ_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_RSP_SUB_SESSION username: user1 callid: 01ca11b1 msid: 0000100003 Card/Cpu: 4/2 Sessmgr Instance: 7 Primary callline: Redundancy Status: Original Session Checkpoints Attempts Success Last-Attempt Last-Success Full: 27 26 15700ms 15700ms Micro: 76 76 4200ms 4200ms Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event SMGR_STATE_OPEN SMGR_EVT_NEWCALL SMGR_STATE_NEWCALL_ARRIVED SMGR_EVT_ANSWER_CALL SMGR_STATE_NEWCALL_ANSWERED SMGR_EVT_LINE_CONNECTED SMGR_STATE_LINE_CONNECTED SMGR_EVT_LINK_CONTROL_UP SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_LINE_CONNECTED SMGR_EVT_IPADDR_ALLOC_SUCCESS SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_LINE_CONNECTED SMGR_EVT_UPDATE_SESS_CONFIG SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP Data Reorder statistics Total timer expiry: 0 Total flush (tmr expiry): 0 Total no buffers: 0 Total flush (no buffers): 0 Total flush (queue full): 0 Total flush (out of range):0 Total flush (svc change): 0 Total out-of-seq pkt drop: 0 Total out-of-seq arrived: 0 IPv4 Reassembly Statistics: Success: 0 In Progress: 0 Failure (timeout): 0 Failure (no buffers): 0 Failure (other reasons): 0 Redirected Session Entries: Allowed: 2000 Current: 0 Added: 0 Deleted: 0 Revoked for use by different subscriber: 0 Peer callline: Redundancy Status: Original Session Checkpoints Attempts Success Last-Attempt Last-Success Full: 0 0 0ms 0ms Micro: 0 0 0ms 0ms Current state: SMGR_STATE_CONNECTED FSM Event trace: State Event SMGR_STATE_OPEN SMGR_EVT_MAKECALL SMGR_STATE_MAKECALL_PENDING SMGR_EVT_LINE_CONNECTED SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_CONNECTED SMGR_EVT_REQ_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_RSP_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_ADD_SUB_SESSION SMGR_STATE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STATE_CONNECTED SMGR_EVT_AUTH_SUCCESS Data Reorder statistics Total timer expiry: 0 Total flush (tmr expiry): 0 Total no buffers: 0 Total flush (no buffers): 0 Total flush (queue full): 0 Total flush (out of range):0 Total flush (svc change): 0 Total out-of-seq pkt drop: 0 Total out-of-seq arrived: 0 IPv4 Reassembly Statistics: Success: 0 In Progress: 0 Failure (timeout): 0 Failure (no buffers): 0 Failure (other reasons): 0 Redirected Session Entries: Allowed: 2000 Current: 0 Added: 0 Deleted: 0 Revoked for use by different subscriber: 0