Mapping Application Terminate Reasons to RADIUS Terminate Codes

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

JUNOSe 9.1.x Broadband Access Configuration Guide > Configuring Remote Access > Mapping Application Terminate Reasons to RADIUS Terminate Codes
Mapping Application Terminate Reasons to RADIUS Terminate Codes

The JUNOSe software uses a default configuration that maps terminate reasons to RADIUS Acct-Terminate-Cause attributes. You can optionally create customized mappings between a terminate reason and a RADIUS Acct-Terminate-Cause attribute—these mappings enable you to provide different information about the cause of a termination.

When a subscriber's L2TP or PPP session is terminated, the router logs a message for the internal terminate reason and logs another message for the RADIUS Acct-Terminate-Cause attribute (RADIUS attribute 49). RADIUS attribute 49 is also included in RADIUS Acct-Off and Acct-Stop messages. You can use the logged information to help monitor and troubleshoot terminated sessions.

Use the show terminate-code command to display information about the mappings between application terminate reasons and RADIUS Acct-Terminate-Cause attributes.

Table 9 lists the IETF RADIUS Acct-Terminate-Cause codes that you can use to map application terminate reasons. In addition, you can also configure and use proprietary codes for values beyond 22.

Table 9: Supported RADIUS Acct-Terminate-Cause Codes

Code

Name

Description

1

User Request

User initiated the disconnect (log out)

2

Lost Carrier

DCD was dropped on the port

3

Lost Service

Service can no longer be provided; for example, the user's connection to a host was interrupted

4

Idle Timeout

Idle timer expired

5

Session Timeout

Subscriber reached the maximum continuous time allowed for the service or session

6

Admin Reset

System administrator reset the port or session

7

Admin Reboot

System administrator terminated the session on the NAS; for example, prior to rebooting the NAS

8

Port Error

NAS detected an error on the port that required ending the session

9

NAS Error

NAS detected an error (other than on the port) that required ending the session

10

NAS Request

NAS ended the session for a non-error reason

11

NAS Reboot

NAS ended the session due to a non-administrative reboot

12

Port Unneeded

NAS ended the session because the resource usage fell below the low threshold; for example, the bandwidth-on-demand algorithm determined that the port was no longer needed

13

Port Preempted

NAS ended the session to allocate the port to a higher-priority use

14

Port Suspended

NAS ended the session to suspend a virtual session

15

Service Unavailable

NAS was unable to provide the requested service

16

Callback

NAS is terminating the current session in order to perform callback for a new session

17

User Error

An error in the user input caused the session to be terminated

18

Host Request

The login host terminated the session normally

19

Supplicant Restart

Supplicant state machine was reinitialized

20

Reauthentication Failure

A previously authenticated supplicant failed to reauthenticate successfully following expiration of the reauthentication timer or explicit reauthentication request by management action

21

Port Reinitialized

The port's MAC has been reinitialized

22

Port Administratively Disabled

The port has been administratively disabled

Configuration Example

This example describes a sample configuration procedure that creates custom mappings for PPP terminate reasons.
Configure the router to include the Acct-Terminate-Cause attribute in RADIUS Acct-Off messages.
host1(config)#radius include acct-terminate-cause acct-off enable
(Optional) Display the current PPP terminate-cause mappings.
host1(config)#run show terminate-code ppp
                                                                      Radius
  Apps           Terminate Reason               Description            Code
---------   --------------------------   --------------------------   ------
ppp         authenticate-authenticator   authenticate authenticator     17
            -timeout                      timeout
ppp         authenticate-challenge-tim   authenticate challenge tim     10
            eout                         eout
ppp         authenticate-chap-no-resou   authenticate chap no resou     10
            rces                         rces
ppp         authenticate-chap-peer-aut   authenticate chap peer aut     17
            henticator-timeout           henticator timeout
ppp         authenticate-deny-by-peer    authenticate deny by peer      17
ppp         authenticate-inactivity-ti   authenticate inactivity ti     4
            meout                        meout
 --More-- 
(Optional) Display all PPP terminate reasons.
host1(config)#terminate-code ppp ?
  authenticate-authenticator-timeout            Configure authenticate
                                                authenticator timeout
                                                translation
  authenticate-challenge-timeout                Configure authenticate
                                                challenge timeout translation
  authenticate-chap-no-resources                Configure authenticate chap no
                                                resources translation
  authenticate-chap-peer-authenticator-timeout  Configure authenticate chap
                                                peer authenticator timeout
                                                translation
  authenticate-deny-by-peer                     Configure authenticate deny by
                                                peer translation
 --More-- 
Configure your customized PPP terminate-cause to RADIUS Acct-Terminate-Cause code mappings.
host1(config)#terminate-code ppp authenticate-authenticator-timeout radius 3
host1(config)#terminate-code ppp authenticate-challenge-timeout radius 4
Verify the new terminate-cause mappings.
host1(config)#run show terminate-code ppp
                                                                      Radius
  Apps           Terminate Reason               Description            Code
---------   --------------------------   --------------------------   ------
ppp         authenticate-authenticator   authenticate authenticator     3
            -timeout                      timeout
ppp         authenticate-challenge-tim   authenticate challenge tim     4
            eout                         eout
ppp         authenticate-chap-no-resou   authenticate chap no resou     10
            rces                         rces
ppp         authenticate-chap-peer-aut   authenticate chap peer aut     17
            henticator-timeout           henticator timeout
ppp         authenticate-deny-by-peer    authenticate deny by peer      17
ppp         authenticate-inactivity-ti   authenticate inactivity ti     4
            meout                        meout
ppp         authenticate-max-requests    authenticate max requests      10
 --More-- 
radius include acct-terminate-cause
Use to include the Acct-Terminate-Cause attribute (RADIUS attribute 49) in RADIUS Acct-Off messages.

You control inclusion of the Acct-Terminate-Cause attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-terminate-cause acct-off disable
Use the no version to restore the default, enable.
terminate-code

Use to configure a customized mapping relationship between an application's terminate reason and a RADIUS Acct-Terminate-Cause code (RADIUS attribute 49).

To set up the mapping, specify the following variables with this command:

Specify the application where the terminate event occurs. You can specify aaa, l2tp, ppp, or radius-client.

Specify the application's terminate reason that you want to map.
Use the question mark character (?) to display a list of the application's terminate reasons. For example:
host1(config)#terminate-code l2tp ?
See Chapter 7, Application Terminate Reasons for a list of the default terminate reasons for the AAA, L2TP, PPP, and RADIUS client applications.
Specify RADIUS as the translation application that is used for mapping. Then, specify the RADIUS Acct-Terminate-Cause code that you want to map to the application's terminate reason. See Table 9 for a list of supported RADIUS codes.
Example
host1(config)#terminate-code ppp authenticate-challenge-timeout radius 4
Use the no version to restore a default mapping, which are listed in Chapter 7, Application Terminate Reasons. For example:
host1(config)#no terminate-code aaa deny-address-allocation-failure radius 

Code	Name	Description
1	User Request	User initiated the disconnect (log out)
2	Lost Carrier	DCD was dropped on the port
3	Lost Service	Service can no longer be provided; for example, the user's connection to a host was interrupted
4	Idle Timeout	Idle timer expired
5	Session Timeout	Subscriber reached the maximum continuous time allowed for the service or session
6	Admin Reset	System administrator reset the port or session
7	Admin Reboot	System administrator terminated the session on the NAS; for example, prior to rebooting the NAS
8	Port Error	NAS detected an error on the port that required ending the session
9	NAS Error	NAS detected an error (other than on the port) that required ending the session
10	NAS Request	NAS ended the session for a non-error reason
11	NAS Reboot	NAS ended the session due to a non-administrative reboot
12	Port Unneeded	NAS ended the session because the resource usage fell below the low threshold; for example, the bandwidth-on-demand algorithm determined that the port was no longer needed
13	Port Preempted	NAS ended the session to allocate the port to a higher-priority use
14	Port Suspended	NAS ended the session to suspend a virtual session
15	Service Unavailable	NAS was unable to provide the requested service
16	Callback	NAS is terminating the current session in order to perform callback for a new session
17	User Error	An error in the user input caused the session to be terminated
18	Host Request	The login host terminated the session normally
19	Supplicant Restart	Supplicant state machine was reinitialized
20	Reauthentication Failure	A previously authenticated supplicant failed to reauthenticate successfully following expiration of the reauthentication timer or explicit reauthentication request by management action
21	Port Reinitialized	The port's MAC has been reinitialized
22	Port Administratively Disabled	The port has been administratively disabled

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]