AAA Termination Causes and Code Values

When a AAA event terminates a subscriber or service session, causing a RADIUS Acct-Stop message to be issued, the RADIUS Acct-Terminate-Cause attribute (49) reports the cause or reason for the termination. This attribute is included only in RADIUS Acct-Stop messages. The termination cause is conveyed as a code value in the attribute. RFC 2866, RADIUS Accounting, defines the standard mapping between 18 code values and termination causes.

Junos OS defines a set of internal termination cause codes that are mapped to the RFC-defined code values. When a subscriber or service session is terminated, the router logs a message for the internal termination cause and logs another message for the RADIUS Acct-Terminate-Cause attribute. You can use the logged information to help monitor and troubleshoot terminated sessions.

Table 1 lists the default mapping between the internal identifier for AAA termination causes and the code values that represent them in the RADIUS Acct-Terminate-Cause attribute (49).

Note:

You can remap the internal identifiers to a custom code value in the range 1 through 4,294,967,295 by using the terminate-code statement at the [edit access] hierarchy level. You can view the current mapping by issuing the show network-access terminate-code aaa detail command.

Table 1: Default Mapping Between AAA Termination Causes and Code Values

| Internal AAA Termination Cause | RADIUS Acct-Terminate-Cause Attribute: Code Value | RADIUS Acct-Terminate-Cause Attribute: Description |
| --- | --- | --- |
| deny-authentication-denied | 17 | Subscriber access denied due to authentication failure. |
| deny-no-resources | 10 | Subscriber access denied for reasons such as no RADIUS server exists. |
| deny-server-request-timeout | 17 | Subscriber access denied because the BNG retried the Access-Request to the authentication server for the configured number of retries without receiving a response. |
| service-shutdown-network-logout | 6 | Service session termination initiated by deactivation of a family (network), typically triggered by termination of the corresponding Layer 3 access protocol. |
| service-shutdown-remote-reset | 10 | Service session termination initiated by an external authority, such as a CoA service deactivation. |
| service-shutdown-subscriber-logout | Inherited from the parent subscriber session. | Overrides the default value. This code is displayed only when you map it to a custom value. |
| service-shutdown-time-limit | 5 | Service session termination initiated because the service time limit was reached. |
| service-shutdown-volume-limit | 10 | Service session termination initiated because the service traffic volume limit was reached. |
| shutdown-administrative-reset | 6 | Session has been terminated by a local CLI command (such as the clear dhcp server binding command) or to clean up a dynamic VLAN configured with "remove-when-no-subscribers" when there are no successful subscriber connections over that VLAN within 30 seconds after its creation. |
| shutdown-idle-timeout | 4 | Session has been idle for a period equal to or longer than the configured timeout value. This value is set with the CLI or by RADIUS attribute. |
| shutdown-reassign-on-match | 10 | Session is terminated to allow a second session to replace the terminated session. This occurs only when both sessions are allocated the same static IP address by means of the RADIUS Framed-IP-Address attribute (8). This behavior enables a customer to reconnect with a new session after dropping off the original session, even though the original session is still up. |
| shutdown-remote-reset | 10 | Session has been terminated by a remote service, such as a RADIUS Disconnect-Request or Diameter Abort-Session-Request message. |
| shutdown-session-timeout | 5 | Session has been active for a period equal to or longer than the configured timeout value. This value is set with the CLI or by RADIUS attribute. |
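
The following added example (not Juniper code) parses a RADIUS Acct-Stop packet, reads the Acct-Terminate-Cause attribute (49), and lists every internal cause in Table 1 that maps to that code by default, which shows why the internal-cause log message is needed to tell apart causes that share a code. It assumes the default mapping with no terminate-code remapping; the function names are hypothetical and the sample packets are constructed.

```python
import struct

# RFC 2866 Acct-Terminate-Cause names; list index is code value minus 1.
RFC2866 = ["User Request", "Lost Carrier", "Lost Service", "Idle Timeout",
           "Session Timeout", "Admin Reset", "Admin Reboot", "Port Error",
           "NAS Error", "NAS Request", "NAS Reboot", "Port Unneeded",
           "Port Preempted", "Port Suspended", "Service Unavailable",
           "Callback", "User Error", "Host Request"]
# Default mapping copied from Table 1 (internal cause -> code value).
TABLE1 = {
    "deny-authentication-denied": 17, "deny-no-resources": 10,
    "deny-server-request-timeout": 17, "service-shutdown-network-logout": 6,
    "service-shutdown-remote-reset": 10, "service-shutdown-time-limit": 5,
    "service-shutdown-volume-limit": 10, "shutdown-administrative-reset": 6,
    "shutdown-idle-timeout": 4, "shutdown-reassign-on-match": 10,
    "shutdown-remote-reset": 10, "shutdown-session-timeout": 5,
}
ACCT_REQUEST, STATUS_TYPE, TERMINATE_CAUSE, STOP = 4, 40, 49, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value bytes}, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def candidate_causes(packet: bytes):
    """Return (code, RFC name, internal causes) for an Acct-Stop, else None."""
    attrs = parse_attributes(packet)
    cause = attrs.get(TERMINATE_CAUSE, b"")
    if attrs.get(STATUS_TYPE) != struct.pack("!I", STOP) or len(cause) != 4:
        return None
    (code,) = struct.unpack("!I", cause)
    name = RFC2866[code - 1] if 1 <= code <= len(RFC2866) else "custom or unknown"
    return code, name, sorted(k for k, v in TABLE1.items() if v == code)

def build_packet(status: int, cause: int) -> bytes:
    """Constructed sample packet with a zeroed authenticator."""
    attrs = struct.pack("!BBI", STATUS_TYPE, 6, status)
    attrs += struct.pack("!BBI", TERMINATE_CAUSE, 6, cause)
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs
```

With the default mapping, code 17 alone cannot separate an authentication failure from an unresponsive authentication server, and code 10 covers five different internal causes.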