RADIUS Disconnect Message

 

   I am used to calling this a "cut" packet, and found that the usual name is Disconnect Message or Packet of Disconnect.

 

 

A Disconnect Message (sometimes known as Packet of Disconnect) is an unsolicited RADIUS Disconnect-Request packet (a special type of Change-of-Authorization packet) sent to a NAS in order to terminate a user session and discard all associated session context. The Disconnect-Request packet is sent to UDP port 3799 (although many NAS use port 1700 instead), and is intended to be used in situations where the AAA server wants to disconnect the user after the session has been accepted by the RADIUS Access-Accept packet.

To prevent unauthorized servers from disconnecting users, the authorizing agent that issues the Disconnect-Request packet must include identification attributes (usually three attributes) in its Disconnect-Request packet. For a session to be disconnected, all parameters must match their expected values at the NAS. If the parameters do not match, the NAS discards the Disconnect-Request packet and sends a Disconnect-NAK (negative acknowledgment message).


Disconnect Messages

To centrally control the disconnection of remote access users, RADIUS clients must be able to receive and process unsolicited disconnect requests from RADIUS servers. The RADIUS disconnect feature uses the existing format of RADIUS disconnect request and response messages.

The code field used in disconnect messages has three codes:


Message Exchange

The RADIUS server (the disconnect client) and the NAS (the disconnect server) exchange messages using UDP. The Disconnect-Request sent from the disconnect client is a RADIUS-formatted packet with the Disconnect-Request and one or more attributes.

The disconnect response is either a Disconnect-ACK or a Disconnect-NAK:

If AAA is successful in disconnecting the user, the response is a RADIUS-formatted packet with a Disconnect-ACK.

If AAA is unsuccessful in disconnecting the user, the request is malformed, or the request is missing attributes, the response is a RADIUS-formatted packet with a Disconnect-NAK.


Example Disconnect-Request

The FreeRADIUS server (radiusd) does not currently have internal Disconnect-Request support; however, you can send disconnect packets to a Disconnect-enabled NAS with radclient as follows:

# echo "Acct-Session-Id=D91FE8E51802097" > packet.txt
# echo "User-Name=somebody" >> packet.txt
# echo "X-Ascend-Session-Svr-Key=4235DAD8" >> packet.txt
# echo "NAS-IP-Address=10.0.0.1" >> packet.txt
# cat packet.txt | radclient -x 10.0.0.1:3799 disconnect secret


Sending Disconnect-Request of id 214 to 10.0.0.1 port 3799
Acct-Session-Id = "D91FE8E51802097"
User-Name = "somebody"
X-Ascend-Session-Svr-Key = "4235DAD8"
NAS-IP-Address = 10.0.0.1
rad_recv: Disconnect-ACK packet from host 10.0.0.1 port 3799, id=214, length=20

Note: The actual attributes which need to be sent in the Disconnect-Request and the port you send the packet to may vary depending on your brand of NAS and its configuration. Though the RFC states the destination UDP port should be 3799 for Disconnect-Requests, Cisco brand equipment uses the non-standard UDP port 1700 by default for POD.

For Mikrotik, try:

# cat packet.txt | radclient -r 1 10.0.0.1:1700 disconnect secret


where -r 1 means retry only once and give up.
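The NAS-side checks described above, as an added Python example that is not part of the original page or of FreeRADIUS: it validates a Disconnect-Request against the shared secret, compares the identification attributes with the stored session, and answers with Disconnect-ACK or Disconnect-NAK. The packet codes (40/41/42), the attribute type numbers and the MD5 authenticator computation come from RFC 5176 and RFC 2865/2866 rather than from this page; dropping a packet whose authenticator fails without replying, and leaving out X-Ascend-Session-Svr-Key, are assumptions of this example.

```python
import hashlib, hmac, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44  # RFC 2865/2866 types

def build_request(ident, attrs, secret):
    """Disconnect client: Request Authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attrs(body):
    """Split the attribute area into {type: value}; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def handle_request(packet, secret, session):
    """NAS side. Returns the reply bytes, or None when the packet is dropped unanswered."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or not 20 <= length <= len(packet):
        return None
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # sender does not hold the shared secret, or the packet was altered
    try:
        attrs = parse_attrs(packet[20:])
        matched = all(attrs.get(t) == v for t, v in session.items())
    except ValueError:
        matched = False  # malformed request is answered with a NAK
    reply = struct.pack("!BBH", DISCONNECT_ACK if matched else DISCONNECT_NAK, ident, 20)
    # Response Authenticator = MD5(reply header + Request Authenticator + secret)
    return reply + hashlib.md5(reply + packet[4:20] + secret).digest()

# Constructed sample reusing the values from the radclient example above.
SECRET = b"secret"
SESSION = {ACCT_SESSION_ID: b"D91FE8E51802097", USER_NAME: b"somebody",
           NAS_IP_ADDRESS: socket.inet_aton("10.0.0.1")}

if __name__ == "__main__":
    for key in (SECRET, b"guess"):
        reply = handle_request(build_request(214, SESSION, key), SECRET, SESSION)
        print(key, "->", reply[0] if reply else "dropped")
```

The ACK produced here is 20 octets long with no attributes, which is the same length the radclient output above reports for the NAS reply.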


Retrieved from "http://wiki.freeradius.org/Disconnect_Messages"

This page has been accessed 17,441 times. This page was last modified 15:57, 27 January 2009.
