On Fri, 28 Jan 2011, Michael wrote:

> On Fri, 28 Jan 2011, Michael wrote:
>
>> On Fri, 28 Jan 2011, Steve Lalonde wrote:
>>
>>> On 28 Jan 2011, at 02:30, Michael wrote:
>>>
>>>> I give up. I've searched for hours for a hint at what this CoA /
>>>> Change-of-Authorization / Change-Filter-Request is. I think it is what
>>>> i'm looking for.
>>>>
>>>> I was kinda hoping something like this would work:
>>>> -code Change-Filter-Request User-Name="test" cisco-Policy-Down="rate1M"
>>>> or:
>>>> code Change-Filter-Request Acct-Session-Id="00000012"
>>>> cisco-Policy-Down="rate1M"
>>>>
>>>> My Disconnect-Request process works fine which uses a similar process.
>>>>
>>>> Michael
>>>
>>> Hi
>>>
>>> I had the same problem and eventually got it working using the following
>>>
>>> /usr/local/bin/radpwtst -noauth -noacct -code Change-Filter-Request -secret
>>> XXXXXXXX -s $nas-ip -auth_port 1700 Framed-IP-Address=$ip
>>> cisco-avpair="ip:sub-qos-policy-out=$policy"
>>>
>>> that worked but i had scaling issues, only solved when i moved the traffic
>>> management to Cisco SCE devices.
>>>
>>> --
>>> Steve Lalonde RTFM
>>> Chief Technical Officer
>>> Entanet International Ltd
>>> http://www.enta.net/
>>
>> Thanks for the suggestion. I never thought to try to match by IP alone,
>> but it didn't seem to work. The router shows the attributes i enter with
>> radpwtst, it just refuses to match anything.
>>
>> COA: x.x.x.x request queued
>> ++++++ CoA Attribute List ++++++
>> 86124E38 0 00000001 addr(7) 4 x.x.x.x
>> 857EA738 0 00000009 sub-qos-policy-out(348) 6 RATE1M
>> COA: No matching entry found
>> COA: Added Reply Message: No Matching Session
>> COA: Added NACK Error Cause: Session Context Not Found
>> COA: Sending NAK from port 1700 to x.x.x.x
>>
>> There must be more strict limitations/requirements in order to match a
>> session for CoA? maybe something else has to be used as matching
>> attributes?
>>
>> I do have the match policy set for ANY for now during testing:
>> aaa server radius dynamic-author
>> ...
>> auth-type any
>>
>> This to me is supposed to tell the router to match a session if ANY
>> attribute at all match.
>>
>> There must be something more that's required that most people
>> unknowingly adhere to?
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> I tried this on a production router, getting frustrated!! A little
> risky I know. Last time I tried this for Disconnect-Request, a bug
> matched ALL SESSIONS and kicked everyone offline. DAMN CISCO
>
> Anyways, the CoA matched the session and appears to have accepted
> the CoA. gonna have to test this later to see if the rate limit was
> applied. the show aaa user xxxx showed the rate limit before i tried it,
> and now shows nothing so i'm not sure if it broke the policy, or applied
> what i wanted and it just doesn't show me.
>
> Looks like another IOS bug with my test lns. DAMN YOU cisco. I'm not
> even a network person. I'm a systems person that has to learn
> cisco because it seems the cisco people don't know how to do what I want
> to do. But, i don't blame them now that i've started to learn it. Stick
> that in your mailing list archive!!! ;)

CONFIRMED. i just noticed now, it changed the order of the attributes. I
didn't notice at first. It did apply the new policy. looks like it worked
fine with my production router. must be a bug in my test lns. damn you
cisco. there's hours of my life i'll never get back.

Are we allowed to swear in this mailing list? :D
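
The request discussed in this thread, sketched as an added example that is not part of the original messages or of Radiator's code: it builds a CoA-Request (RFC 5176, code 43) carrying Framed-IP-Address and a Cisco AV pair like the ones in the quoted radpwtst command, then checks the Request Authenticator the way a receiver holding the shared secret would. The function names, the secret, the address and the policy value used with it are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST = 43          # RFC 5176 packet code
FRAMED_IP_ADDRESS = 8     # RFC 2865 attribute type
VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # Cisco vendor sub-type carrying "name=value" text

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco AV pair string in a Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_coa(ident: int, secret: bytes, ip: str, policy: str) -> bytes:
    """Build a CoA-Request that identifies the session by Framed-IP-Address."""
    attrs = attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
    attrs += cisco_avpair(f"ip:sub-qos-policy-out={policy}")
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176: MD5 over code, id, length, 16 zero octets, attributes, secret
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_and_parse(packet: bytes, secret: bytes) -> list:
    """Receiver side: check length and authenticator, then list attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    out, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        out.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return out
```

A request whose authenticator does not verify against the shared secret is rejected before any attribute is parsed, so session matching is only ever attempted for senders that hold the secret.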