Cisco ASR 9000 Series Configuration Manual page 69

Aggregation services router broadband network gateway

Configuring Authentication, Authorization, and Accounting Functions
To identify the subscriber whose configuration needs to be changed, a RADIUS CoA server supports and
uses a variety of keys (RADIUS attributes) such as Accounting-Session-ID, Username, IP-Address, and
ipv4:vrf-id.
The RADIUS CoA supports:
• account-logon — When a user logs into a network, an external web portal that supports CoA sends an
account-logon request to BNG with the user's credentials (username and password). Account-logon on
BNG then attempts to authenticate the user through RADIUS with those credentials.
• account-logoff — BNG processes the account-logoff request as a disconnect event for the subscriber and
terminates the session.
• account-update — BNG parses and applies the attributes received as part of the CoA profile. Only
subscriber-specific attributes are supported and applied on the user profile.
• activate-service — BNG starts a predefined service on a subscriber. The service settings can either be
defined locally by a dynamic template, or downloaded from the RADIUS server.
• deactivate-service — BNG stops a previously started service on the subscriber, which is equivalent to
deactivating a dynamic-template.
For a list of supported Vendor-Specific Attributes for account operations, see
Vendor-Specific Attributes for Account Operations, on page 300.
Service Activate from CoA
BNG supports activating services through CoA requests. The CoA service-activate command is used for
activating services. The CoA request for the service activate should contain these attributes:
• "subscriber:command=activate-service" Cisco VSA
• "subscriber:service-name=<service name>" Cisco VSA
• Other attributes that are part of the service profile
The "subscriber:sa=<service-name>" attribute can also be used to activate services from CoA and through RADIUS.
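
As an added illustration (not code from the Cisco guide, and not how BNG itself is implemented), the following sketch shows a receiver-side check of a service-activate CoA-Request: it verifies the RFC 5176 Request Authenticator against the shared secret before reading any attribute, then requires the two Cisco VSAs listed above. It assumes Acct-Session-Id as the subscriber key and Cisco-AVPair encoding (vendor ID 9, vendor type 1); the function names, secret, session ID and service name are constructed for the example.

```python
import hashlib, hmac, struct

COA_REQUEST, ACCT_SESSION_ID, VENDOR_SPECIFIC = 43, 44, 26  # RFC 5176 code, RFC 2866/2865 types
CISCO_AVPAIR_PREFIX = struct.pack("!IB", 9, 1)  # vendor ID 9 (Cisco), vendor type 1 (Cisco-AVPair)

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    body = text.encode()
    return attr(VENDOR_SPECIFIC, CISCO_AVPAIR_PREFIX + bytes([len(body) + 2]) + body)

def authenticator(code, ident, attrs, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_coa(ident, session_id, avpairs, secret):
    # Constructed sender side, used only to produce sample packets for the check below.
    attrs = attr(ACCT_SESSION_ID, session_id.encode())
    attrs += b"".join(cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(COA_REQUEST, ident, attrs, secret) + attrs

def check_activate(packet, secret):
    """Return (ok, detail); detail is the service name when ok, else the reason."""
    if (len(packet) < 20 or packet[0] != COA_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return False, "not a well-formed CoA-Request"
    ident, attrs = packet[1], packet[20:]
    # Authenticate before trusting any attribute; compare in constant time.
    if not hmac.compare_digest(packet[4:20], authenticator(COA_REQUEST, ident, attrs, secret)):
        return False, "bad authenticator"
    pairs, session, i = {}, None, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return False, "malformed attribute"
        atype, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if atype == ACCT_SESSION_ID:
            session = value.decode(errors="replace")
        elif atype == VENDOR_SPECIFIC and len(value) > 6 and value[:5] == CISCO_AVPAIR_PREFIX:
            key, _, val = value[6:].decode(errors="replace").partition("=")
            pairs[key] = val
        i += attrs[i + 1]
    if not session:
        return False, "no subscriber key"
    if pairs.get("subscriber:command") != "activate-service" or not pairs.get("subscriber:service-name"):
        return False, "missing required attribute"
    return True, pairs["subscriber:service-name"]
```

A request whose attributes were altered in transit, or that was built with a different shared secret, fails the authenticator check before any VSA is interpreted.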
Duplicate service activate requests can be sent to BNG from the CoA server. BNG does not take any action
on services that are already activated. BNG sends a CoA ACK message to the CoA server under these scenarios:
• When a duplicate request with identical parameters comes from the CoA for a service that is already
active.
• When a duplicate request with identical parameters comes from the CoA to apply a parameterized service.
BNG sends a CoA NACK message to the CoA server with an error code as an invalid attribute under these
scenarios:
Note: The RADIUS CoA server does not differentiate between originators of the disconnect
event. Hence, when the BNG receives an account-logoff request from the RADIUS
CoA server, for both a user-initiated and an administrator-initiated request, the
Acct-Terminate-Cause to be sent to the RADIUS server is always set as Admin-Reset.

RADIUS Change of Authorization (CoA) Overview
Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 4.3.x, OL-28375-03
