Session Termination Causes and RADIUS Termination Cause Codes
Understanding Session Termination Causes and RADIUS Termination Cause Codes
When a RADIUS Acct-Stop message is issued as a result of the termination of a subscriber session or service session, the RADIUS Acct-Terminate-Cause attribute (49) reports the cause or reason for the termination. This attribute is included only in RADIUS Acct-Stop messages. The termination cause is conveyed as a code value in the attribute. RFC 2866, RADIUS Accounting, defines the standard mapping between 18 code values and termination causes.
Junos OS defines a set of internal termination cause codes that are mapped to the RFC-defined code values. Default mappings exist for AAA, DHCP, L2TP, PPP, and VLAN subscriber and service sessions. When a subscriber or service session is terminated, the router logs a message for the internal termination cause and logs another message for the RADIUS Acct-Terminate-Cause attribute.
You can use the logged information to help monitor and troubleshoot the events. For example, the AAA termination causes include session and service terminations as well as access denials. You might want to route the access failures to a team that monitors attempts to hack the network, the timeout failures to a AAA server team, and resource failures to a team that manages the routers.
Because there are many different Junos OS internal identifiers for termination causes and only 18 standard code values defined in the RFC, by default a given code value can map to multiple identifiers. Instead of using the default code values, you can optionally map any of the internally defined termination causes to any 32-bit number (1 through 4,294,967,295). The flexibility of customized mapping greatly increases the possibilities for fine-grained analytics and failure tracking.
A single mapping for RADIUS account termination is shared by all clients.
Table 1 lists the RFC-defined standard RADIUS Acct-Terminate-Cause codes and the corresponding causes.
Table 1: RFC-Defined Code Values and Termination Causes
| Code Value | Termination Cause | Description |
|---|---|---|
| 1 | User Request | User initiated the disconnect (logout). |
| 2 | Lost Carrier | DCD was dropped on the port. |
| 3 | Lost Service | Service can no longer be provided; for example, the user’s connection to a host was interrupted. |
| 4 | Idle Timeout | Idle timer expired. |
| 5 | Session Timeout | Subscriber reached the maximum continuous time allowed for the service or session. |
| 6 | Admin Reset | System administrator reset the port or session. |
| 7 | Admin Reboot | System administrator terminated the session on the NAS; for example, prior to rebooting the NAS. |
| 8 | Port Error | NAS detected an error on the port that required ending the session. |
| 9 | NAS Error | NAS detected an error (other than on the port) that required ending the session. |
| 10 | NAS Request | NAS ended the session for a non-error reason. |
| 11 | NAS Reboot | NAS ended the session due to a non-administrative reboot. |
| 12 | Port Unneeded | NAS ended the session because the resource usage fell below the low threshold; for example, the bandwidth-on-demand algorithm determined that the port was no longer needed. |
| 13 | Port Preempted | NAS ended the session to allocate the port to a higher-priority use. |
| 14 | Port Suspended | NAS ended the session to suspend a virtual session. |
| 15 | Service Unavailable | NAS was unable to provide the requested service. |
| 16 | Callback | NAS is terminating the current session in order to perform callback for a new session. |
| 17 | User Error | Error in the user input caused the session to be terminated. |
| 18 | Host Request | Login host terminated the session normally. |
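The following added example (not Juniper code) shows how an accounting collector can pull the Acct-Terminate-Cause attribute (49) out of an Acct-Stop packet and label it with the RFC 2866 name, flagging values outside the 18 standard codes, such as those produced by a customized mapping. The function names and the sample packet builder are assumptions made for the illustration.

```python
import struct

# RFC 2866 names for Acct-Terminate-Cause code values 1-18.
RFC2866_CAUSES = dict(enumerate((
    "User Request", "Lost Carrier", "Lost Service", "Idle Timeout",
    "Session Timeout", "Admin Reset", "Admin Reboot", "Port Error",
    "NAS Error", "NAS Request", "NAS Reboot", "Port Unneeded",
    "Port Preempted", "Port Suspended", "Service Unavailable",
    "Callback", "User Error", "Host Request"), start=1))
ACCOUNTING_REQUEST = 4     # RADIUS packet code
ACCT_STATUS_TYPE = 40      # attribute type; value 2 means Stop
ACCT_TERMINATE_CAUSE = 49  # attribute type reported in Acct-Stop
STATUS_STOP = 2


def terminate_cause(packet: bytes):
    """Return (code, label) for an Acct-Stop, or None if not applicable.
    The Request Authenticator is not verified here; a collector must
    check it against the shared secret before trusting the packet.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:                      # walk type/length/value triples
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    status, cause = attrs.get(ACCT_STATUS_TYPE), attrs.get(ACCT_TERMINATE_CAUSE)
    if status != struct.pack("!I", STATUS_STOP) or cause is None:
        return None                          # not a Stop, or no attribute 49
    if len(cause) != 4:
        raise ValueError("Acct-Terminate-Cause must be a 32-bit integer")
    value = struct.unpack("!I", cause)[0]
    # Anything outside 1-18 is not an RFC 2866 code, e.g. a customized mapping.
    return value, RFC2866_CAUSES.get(value, "non-RFC-2866 value")


def build_acct(cause: int, status: int = STATUS_STOP) -> bytes:
    """Constructed sample packet with a zeroed authenticator."""
    attrs = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, status)
    attrs += struct.pack("!BBI", ACCT_TERMINATE_CAUSE, 6, cause)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs
```

A collector that keys alerts on the returned code can then send each custom value to the team responsible for that class of termination.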
Benefits of Session and Service Termination Cause Codes
Termination cause codes mapped to Junos OS internal identifiers can help you monitor, analyze, and troubleshoot the events that resulted in termination of subscriber sessions or service sessions.
Customized mappings enable you to map internal termination cause identifiers to code values of your choosing for more fine-grained tracking and analysis of termination events.
Mapping Session Termination Causes to Custom Termination Cause Codes
By default, Junos OS uses the RFC-defined termination cause codes for the internal identifiers that identify the causes of session termination and that are reported in the RADIUS Acct-Terminate-Cause attribute (49). Internal identifiers are available for AAA, DHCP, L2TP, PPP, and VLAN subscriber and service session failures. When a subscriber or service session is terminated or denied, the router logs a message for the internal termination cause and logs another message for the RADIUS Acct-Terminate-Cause attribute. The Acct-Terminate-Cause attribute is included in RADIUS Acct-Stop messages. You can use the logged information to help monitor and troubleshoot terminated sessions.
You can optionally create customized mappings between any of the internal termination cause identifiers for the protocol and termination cause codes. You can specify any 32-bit value for the code, enabling you to track and analyze particular termination events at a more fine-grained level.
To configure customized mappings between a termination cause and a RADIUS cause code:
- Edit the access hierarchy.
    user@host# edit access
- Edit the terminate-code statement.
    [edit access]
    user@host# edit terminate-code
  Termination cause codes do not appear as options on platforms where they are not supported.
- Specify the protocol option (aaa (deny | service-shutdown | shutdown) | dhcp | l2tp | ppp | vlan) that you want to modify.
    [edit access terminate-code]
    user@host# edit protocol-option
- Specify an existing termination cause that you want to remap.
    [edit access terminate-code protocol-option]
    user@host# edit term-reason
  Attempts to remap a termination cause to its default code value are rejected by the CLI. You must delete a custom mapping to restore the default mapping.
- Specify the RADIUS termination cause code value (from 1 through 4,294,967,295) that you want to map to the termination cause.
    [edit access terminate-code protocol-option term-reason]
    user@host# set radius term-cause
Use the show network-access aaa terminate-code command to display the mapping between AAA termination causes and cause code values.