通過CoA Message讓Radius來踢用戶下線

轉自 http://blog.c114.net/html/13/106213.html

第一步，首先Radius/CoA server先發送CoA DM（Disconnect Message）-Request報文，抓包解碼：

Dec 8 03:02:33: [0004]: %AAA-7-RAD_PKT: Received packet (53 bytes) from 220.191.135.200/3799 (CoA): Disconnect-Request Id: 0x11 length: 53
   Authenticator Field: 12 6d 20 45 c5 22 3e 93 93 c6 7f 5a 0d d8 95 76 
   Framed-IP-Address: 115.212.2.159
   Acct-Session-Id: 0B01FFFF680093B1-4CFEF463


一般來說，通過Acct-Session-Id就能定位找到BAS上那個要踢的唯一的session，但通常DM-request中會包含用戶名和地址，甚至NAS-IP-Address。不同的BAS收到該報文後做相應的踢用戶處理，通過各家BAS自身機制實現。

CoA message的端口爲udp 3799。

=====================

第二步，踢成功後BAS發送reply包給CoA server

Dec 8 03:02:33: [0004]: %AAA-7-RAD_PKT: Send packet (32 bytes) to 220.191.135.200/3799 (CoA): Disconnect-ACK Id: 0x11 length: 32
   Authenticator Field: b3 df 70 e1 88 8e 93 61 9d d4 8c d4 2c 9f d2 6f 
   COA-Error-Cause: Success (200)
   Event-Timestamp: 19:02:33 - 2010/12/07 (1291777353)

=====================

第三步，BAS要發送這個被踢用戶的下線計費報文，注意斷線代碼爲6，Amin-Reset

Dec 8 03:02:33: [0004]: [12/2:1023:63/6/2/37809]: %AAA-7-RAD_PKT: aaa_idx 1008c5f3: Send packet (678 bytes) to 220.191.135.200/1813 ([email protected]): Accounting-Request Id: 0xbf length: 678
   Authenticator Field: 3d 76 93 58 d9 dc d8 ee 98 77 fe 76 be a1 9a 38 
   User-Name: UO\[email protected]
   Acct-Status-Type: Stop (2)
   Acct-Session-Id: 0B01FFFF680093B1-4CFEF463
   Service-Type: Framed-User (2)
   Framed-Protocol: PPP (1)
   RBN:Acct-Update-Reason: AAA-ACCT-SESSION-DOWN (2)
   NAS-Identifier: JH-JH-CDXY-BAS-SE800-1-DM1.MAN
   NAS-IP-Address: 61.130.158.45
   NAS-Port: 0x0c020000
   RBN:NAS-Real-Port: 0xc200014a
   NAS-Port-Type: Ethernet (15)
   NAS-Port-Id: 12/2 vlan-id 330 pppoe 669
   RBN:Medium-Type: DSL (11)
   RBN:MAC-Address: 00-21-70-a2-84-63
   Connect-Info: lan-nas-port-type
   RBN:Platform-Type: SE-800 (2)
   RBN:OS-Version: 6.1.4.6
   Acct-Authentic: Radius (1)
   RBN:Subscriber-Profile-Name: p4m
   RBN:Client-DNS-Pri: 60.191.244.5
   RBN:Client-DNS-Sec: 60.191.244.2
   Port-Limit: 1
   Framed-IP-Address: 115.212.2.159
   Acct-Session-Time: 229
   Acct-Terminate-Cause: Admin-Reset (6)
   RBN:Session-Error-Code: 40
   RBN:Session-Error-Msg: Session cleared by administrator
   Acct-Input-Packets: 835
   Acct-Output-Packets: 482
   Acct-Input-Octets: 294297
   Acct-Output-Octets: 155126
   Acct-Input-Gigawords: 0
   Acct-Output-Gigawords: 0
   RBN:Acct-Input-Packets-64: 835
   RBN:Acct-Output-Packets-64: 482
   RBN:Acct-Input-Octets-64: 294297
   RBN:Acct-Output-Octets-64: 155126
   RBN:Acct-Mcast-In-Packets: 0
   RBN:Acct-Mcast-Out-Packets: 0
   RBN:Acct-Mcast-In-Octets: 0
   RBN:Acct-Mcast-Out-Octets: 0
   RBN:Acct-Mcast-In-Packets-64: 0
   RBN:Acct-Mcast-Out-Packets-64: 0
   RBN:Acct-Mcast-In-Octets-64: 0
   RBN:Acct-Mcast-Out-Octets-64: 0
   Class: OAMServer;1291748531;158
   Acct-Interim-Interval: 900
   Session-Timeout: 604800
   RBN:Qos-Metering-Profile-Name: 4m
   RBN:Qos-Policing-Profile-Name: up-1m
   Event-Timestamp: 19:02:33 - 2010/12/07 (1291777353)

=====================

第四步，Radius再回應

Dec 8 03:02:33: [0004]: [12/2:1023:63/6/2/37809]: %AAA-7-RAD_PKT: aaa_idx 1008c5f3: Received packet (73 bytes) from 220.191.135.200/1813 (UO\[email protected]): Accounting-Response Id: 0xbf length: 73
   Authenticator Field: 62 fa 8a 9f 44 79 17 5b 5e 25 f0 bc 90 0b f1 b2 
   Class: OAMServer;1291748531;158
   Acct-Session-Id: 0B01FFFF680093B1-4CFEF463


此機制遵循RFC 3576 - Dynamic Authorization Extensions to Remote Authentica

http://datatracker.ietf.org/doc/rfc3576/

http://datatracker.ietf.org/doc/rfc5176/?include_text=1