Sending COA to Cisco ISG

You should understand how to target a session in order to send COA to Cisco ISG or BNG.

Read the Cisco IOS ISG RADIUS CoA Interface Guide before reading this post.

Targeting a session:

“All CoA commands must include the session identifier between ISG and the CoA client. This is usually the client’s IP address, or when PBHK is used, the ISG IP address followed by a port number. The session identifier is sent as a separate VSA, for example: vsa cisco 250 account-info = S10.10.10.11:85”

If you are using the client’s IP address and it is in a VRF, the VRF name must be included in the CoA request! The search order for finding the client session by IP address is:

First the VRF name included in the request, then the VRF on which the CoA request arrived.

Cisco-Account-Info='Sclient_ip_address:vrf-id=INTERNET'

PBHK or client IP address: If you are using a portal and are trying to identify the customer who is accessing the service, you have the source IP address, which can be used to find the client. In most scenarios the client IP address will be dynamic. If it is not, then it is possible to search a database to find the client from the source IP address. For a dynamic address, you may use your AAA server’s session table. The BNG also knows the session information. In this case the problem becomes finding the session’s BNG. If you have a single BNG, or some relation between client IP prefixes and BNGs that the portal service can resolve with a single lookup or that is hard-coded in the service code, you may send the CoA to the BNG directly. An alternative method is to use PBHK on the BNG side. See the Cisco docs for more info.

Using CoA commands: All commands have a code value that should be encoded as binary.

For example, sending a Session Query request with radpwtst:

Cisco-Command-Code="\004 ": for command code 4, the backslash introduces an octal escape. To request the Complete-ID (port, VPI/VCI, etc.), & must be added: Cisco-Command-Code="\004&". For service info use Cisco-Command-Code="\004 ", and for both use Cisco-Command-Code="\004 &".

radpwtst -s X -secret X -noauth -noacct -code Change-Filter-Request -trace 4 Cisco-Account-Info='S10.1.1.1:vrf-id=INTERNET' Cisco-Command-Code="\004 &"
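The following added example is not part of the original post and is not Cisco or Radiator code. It builds the same Session Query CoA-Request as the radpwtst command above, to show how the two Cisco VSAs and the RFC 5176 Request Authenticator are encoded on the wire. The function names, packet identifier and shared secret are assumptions; VSA number 252 for Cisco-Command-Code comes from the standard Cisco RADIUS dictionary, and the flag bytes after the code follow the "\004 &" form shown above.

```python
import hashlib
import hmac
import struct

CISCO_VENDOR_ID = 9       # Cisco enterprise number
VSA_ACCOUNT_INFO = 250    # Cisco-Account-Info (session identifier)
VSA_COMMAND_CODE = 252    # Cisco-Command-Code (binary command)
COA_REQUEST = 43          # RFC 5176 CoA-Request; radpwtst names it Change-Filter-Request


def cisco_vsa(vsa_type: int, value: bytes) -> bytes:
    """Encode one Cisco VSA inside RADIUS attribute 26 (Vendor-Specific)."""
    if len(value) > 247:
        raise ValueError("VSA value too long for one attribute")
    sub = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return struct.pack("!BBI", 26, len(sub) + 6, CISCO_VENDOR_ID) + sub


def session_id(client_ip: str, vrf: str = "") -> bytes:
    """Build the 'S<ip>[:vrf-id=<name>]' identifier described in the post."""
    ident = "S" + client_ip
    if vrf:
        ident += ":vrf-id=" + vrf
    return ident.encode("ascii")


def build_session_query(ident: int, secret: bytes, client_ip: str,
                        vrf: str = "", flags: bytes = b" &") -> bytes:
    """CoA-Request with command code 4 (Session Query) followed by flags."""
    attrs = cisco_vsa(VSA_ACCOUNT_INFO, session_id(client_ip, vrf))
    attrs += cisco_vsa(VSA_COMMAND_CODE, b"\x04" + flags)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176: authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator as the receiving ISG/BNG would."""
    digest = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


if __name__ == "__main__":
    # Constructed sample values: identifier 1 and a placeholder shared secret.
    pkt = build_session_query(1, b"constructed-secret", "10.1.1.1", "INTERNET")
    print(len(pkt), pkt.hex())
```

A request whose authenticator does not match the configured shared secret is silently discarded, so a wrong secret looks the same as an unreachable ISG from the client side.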

ISG will not return all the information about the session. For example, it does not return Calling-Station-Id, which carries the circuit-id or remote-id for PPPoEoL2TP sessions (on the LNS side, as expected; the LAC forwards those values as Calling-Station-Id).

2 thoughts on “Sending COA to Cisco ISG”

  1. I was pulling my hair having successful CoA communication with an ISG when the users were in the global rt, but getting Reply-Message = “No valid Session” for vrf users. In 500 pages of the freaking ISG documentation there is not a single mention of Cisco-Account-Info=’Sclient_ip_address:vrf-id=‘ . I don’t know how you figured it out, but you have saved me hours if not days.
