RADIUS-Initiated Change of Authorization
This section describes the RADIUS dynamic-request server’s support for CoA messages. CoA messages are used by the E Series router’s RADIUS-initiated packet mirroring feature, which is described in the Configuring RADIUS-Based Mirroring chapter in JunosE Policy Management Configuration Guide, and by Service Manager, which is described in the Configuring Service Manager chapter of this guide.
Change-of-Authorization Messages
The RADIUS dynamic-request server receives and processes the unsolicited CoA messages from RADIUS servers. The RADIUS-initiated CoA feature uses the following codes in its RADIUS request and response messages:
- CoA-Request (43)
- CoA-ACK (44)
- CoA-NAK (45)
Message Exchange
The RADIUS server and the router’s RADIUS dynamic-request server exchange messages using UDP. The CoA-Request message sent by the RADIUS server has the same format as the Disconnect-Request packet that is sent for a disconnect operation.
The response is either a CoA-ACK or a CoA-NAK message:
- If AAA successfully changes the authorization, the response is a RADIUS-formatted packet with a CoA-ACK message, and the data filter is applied to the session.
- If AAA is unsuccessful, the request is malformed, or attributes are missing, the response is a RADIUS-formatted packet with a CoA-NAK message.
Supported Error-Cause Codes (RADIUS Attribute 101)
When AAA is unsuccessful, the RADIUS dynamic-request server includes an error-cause attribute (RADIUS attribute 101) in the CoA-NAK message that it sends back to the RADIUS server. If the detected error does not map to one of the supported error-cause attributes, the router sends the CoA-NAK without an error-cause attribute. Table 46 lists the supported error-cause codes.
Table 46: Error-Cause Codes (RADIUS Attribute 101)

| Code | Value | Description |
|---|---|---|
| 401 | Unsupported attribute | The request contains an attribute that is not supported (for example, a third-party attribute). |
| 402 | Missing attribute | A critical attribute (for example, the session identification attribute) is missing from a request. |
| 404 | Invalid request | Some other aspect of the request is invalid, such as if one or more attributes (for example, the packet mirroring Mirror Identifier value) are not formatted properly. |
| 503 | Session context not found | The session context identified in the request does not exist on the NAS. |
| 504 | Session context not removable | The subscriber identified by attributes in the disconnect request is owned by a component that does not support RADIUS-initiated disconnect (for example, IP LAC subscribers cannot be disconnected). |
| 506 | Resources unavailable | A request could not be honored due to lack of available NAS resources (such as memory). |
Qualifications for Change of Authorization
To complete the change of authorization for a user, the CoA-Request must contain one of the following RADIUS attributes or pairs of attributes. AAA services handle the actual request.
- User-Name [attribute 1] with Virtual-Router [attribute 26–1] to identify the user per virtual router context
- Framed-IP-Address [attribute 8] with Virtual-Router [attribute 26–1] to identify the address per virtual router context
- Calling-Station-ID [attribute 31]
- Acct-Session-ID [attribute 44] (mandatory for all CoA requests, except when the request is for packet mirroring)
- Nas-Port-ID [attribute 5]
- DHCP-Option-82 [attribute 26–159], Vendor ID 4874
- Agent-Circuit-ID [attribute 26–1], Vendor ID 3561
- Agent-Remote-ID [attribute 26–2], Vendor ID 3561
Note: The Calling-Station-ID attribute is valid only for the tunneled subscribers and on the LNS. Additionally, the Calling-Station-ID and Nas-Port-ID attributes are valid only if there is no RADIUS override setting.
Security/Authentication
For change-of-authorization operations, the RADIUS server calculates the authenticator as specified for an Accounting-Request message in RFC 2866. The RADIUS dynamic-request server verifies the request using the authenticator calculation specified for an Accounting-Request in RFC 2866. A key (secret), as specified in RFC 2865, must be configured and used in the calculation of the authenticator. The response authenticator is calculated as specified for an Accounting-Response message in RFC 2866.
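The following Python example is added here to tie together the Message Exchange and Security/Authentication sections; it is not JunosE code and does not come from Juniper. It models both sides of the exchange: the RADIUS server builds a CoA-Request (code 43) whose Request Authenticator is computed as for an Accounting-Request (RFC 2866: MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret), and a toy dynamic-request server verifies that authenticator, checks for the mandatory Acct-Session-ID (attribute 44), and answers with CoA-ACK (44) or CoA-NAK (45) carrying an Error-Cause (attribute 101) from Table 46, with the Response Authenticator computed as for an Accounting-Response. The shared secret, session table and session identifiers are constructed for the example; the decision to discard a request with a bad authenticator without replying, and the simplified attribute encoding (no VSA handling, integers as 4 octets), are this example's own assumptions.

```python
import hashlib
import hmac
import struct

# RADIUS codes used by the CoA feature (from the page)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types referenced on the page
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 8, 44, 101
# Error-Cause values from Table 46
ERROR_CAUSE = {401: "Unsupported attribute", 402: "Missing attribute", 404: "Invalid request",
               503: "Session context not found", 504: "Session context not removable",
               506: "Resources unavailable"}


def encode_attrs(attrs):
    """TLV-encode (type, value) pairs; int values become 4-octet integers (simplified, no VSAs)."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode()
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse TLVs; raise ValueError on a length that does not fit (a malformed request)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(identifier, attrs, secret):
    """CoA-Request from the RADIUS server. Request Authenticator as for an Accounting-Request
    (RFC 2866): MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = attrs if isinstance(attrs, bytes) else encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Dynamic-request server side: recompute the Accounting-Request-style authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attrs, secret):
    """CoA-ACK / CoA-NAK. Response Authenticator as for an Accounting-Response (RFC 2866):
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """RADIUS server side: check the response against the Request Authenticator it sent."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_response(response):
    """Return (code, Error-Cause value or None) from a CoA-ACK / CoA-NAK."""
    attrs = dict(decode_attrs(response[20:]))
    cause = attrs.get(ATTR_ERROR_CAUSE)
    return response[0], (struct.unpack("!I", cause)[0] if cause else None)


def handle_coa(packet, secret, sessions):
    """Toy dynamic-request server: verify, check the mandatory Acct-Session-ID, reply."""
    if not verify_request(packet, secret):
        return None  # bad authenticator: this example discards the request without replying
    try:
        attrs = dict(decode_attrs(packet[20:]))
    except ValueError:
        return build_response(COA_NAK, packet, [(ATTR_ERROR_CAUSE, 404)], secret)
    if ATTR_ACCT_SESSION_ID not in attrs:
        return build_response(COA_NAK, packet, [(ATTR_ERROR_CAUSE, 402)], secret)
    session_id = attrs[ATTR_ACCT_SESSION_ID].decode(errors="replace")
    if session_id not in sessions:
        return build_response(COA_NAK, packet, [(ATTR_ERROR_CAUSE, 503)], secret)
    sessions[session_id]["coa_applied"] = True  # stands in for AAA applying the new authorization
    return build_response(COA_ACK, packet, [], secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed for the example
    sessions = {"sess-0001": {"user": "alice", "coa_applied": False}}
    req = build_request(7, [(ATTR_USER_NAME, "alice"), (ATTR_ACCT_SESSION_ID, "sess-0001")], secret)
    resp = handle_coa(req, secret, sessions)
    code, cause = parse_response(resp)
    print(code, cause, ERROR_CAUSE.get(cause), verify_response(resp, req, secret))
```

Note that the authenticator only proves knowledge of the shared secret and covers the whole packet; a request whose authenticator does not verify is dropped before any attribute is interpreted, which is why the secret must be configured on both ends before CoA can work at all.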