Radius Disconnect

Radius Disconnect (or Packet of Disconnect (PoD)) is a mechanism that allows the RADIUS server to send a RADIUS Disconnect message to the HA to release resources. Resources are released for
administrative purposes and are mainly Mobile IP bindings on the HA.


Support for Radius Disconnect on the Cisco Home Agent conforms to RFC 3576. The HA
communicates its resource management capabilities to the home AAA server by including a 3GPP2
vendor-specific Session Termination Capability (STC) VSA in the Access-Request message that it sends
for the authentication/authorization procedure. The value carried in the STC VSA is taken from the
configuration. The HA also includes a NAS-Identifier attribute that contains its Fully Qualified Domain
Name (FQDN) in the Access-Request when the radius-server attribute 32 include-in-access-req
format command is configured.
The following events occur when a Disconnect-Request is received on the HA:
Step 1 Find the user session corresponding to the username (NAI).
Step 2 If the Framed-IP-Address attribute is present in the Disconnect-Request, terminate only the binding
for that home address.
Step 3 If the Framed-IP-Address attribute is not present in the Disconnect-Request, terminate all bindings for
the user (NAI).
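The three steps above, together with the client-list and server-key checks that the aaa pod server command configures, as an added example that is not part of the Cisco document and is not Cisco IOS code. It builds and parses RFC 3576 Disconnect-Request packets, verifies the Request Authenticator with the shared server key, applies the NAI/Framed-IP-Address rules, and answers with a Disconnect-ACK or Disconnect-NAK. The HomeAgent class, its binding store, the PoD client list, the secret and the sample NAI are constructed for the example; the page does not say how Cisco IOS replies to a request that names an unknown session or carries a malformed attribute, so the Error-Cause values used for those cases are taken from RFC 3576 and are an assumption.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 3576
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ERROR_CAUSE = 1, 8, 101
ERR_MISSING_ATTRIBUTE, ERR_INVALID_REQUEST, ERR_SESSION_NOT_FOUND = 402, 404, 503

def parse_attrs(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def request_authenticator(code, ident, body, secret):
    # RFC 3576 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + bytes(16) + body + secret).digest()

def response_authenticator(code, ident, req_auth, body, secret):
    # MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()

def build_disconnect_request(ident, nai, framed_ip, secret):
    """AAA side: User-Name carries the NAI, Framed-IP-Address is optional."""
    attrs = [(ATTR_USER_NAME, nai.encode())]
    if framed_ip is not None:
        attrs.append((ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed))
    body = build_attrs(attrs)
    auth = request_authenticator(DISCONNECT_REQUEST, ident, body, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body)) + auth + body

def decode_response(response, request, secret):
    """AAA side: verify the Response Authenticator, return (code, Error-Cause or None)."""
    code, ident, _ = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    if not hmac.compare_digest(response[4:20], expected):
        raise ValueError("bad Response Authenticator")
    cause = next((struct.unpack("!I", v)[0] for t, v in parse_attrs(response[20:])
                  if t == ATTR_ERROR_CAUSE), None)
    return code, cause

class HomeAgent:
    """Constructed model of the HA's PoD handling: bindings is nai -> set of home addresses."""

    def __init__(self, server_key, pod_clients):
        self.server_key = server_key         # 'aaa pod server ... server-key string'
        self.pod_clients = set(pod_clients)  # 'aaa pod server clients ipaddr1 ...'
        self.bindings = {}

    def add_binding(self, nai, home_addr):
        self.bindings.setdefault(nai, set()).add(home_addr)

    def _reply(self, code, ident, req_auth, attrs):
        body = build_attrs(attrs)
        auth = response_authenticator(code, ident, req_auth, body, self.server_key)
        return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

    def _nak(self, ident, req_auth, cause):
        return self._reply(DISCONNECT_NAK, ident, req_auth,
                           [(ATTR_ERROR_CAUSE, struct.pack("!I", cause))])

    def handle_disconnect(self, src_ip, packet):
        """Return ACK/NAK bytes, or None when the request is silently discarded."""
        if src_ip not in self.pod_clients or len(packet) < 20:
            return None                      # not a configured PoD client, or a runt
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != DISCONNECT_REQUEST or length != len(packet):
            return None
        req_auth, body = packet[4:20], packet[20:]
        # Wrong server key: RFC 3576 says discard the request without replying.
        if not hmac.compare_digest(req_auth, request_authenticator(code, ident, body, self.server_key)):
            return None
        try:
            attrs = parse_attrs(body)
        except ValueError:
            return self._nak(ident, req_auth, ERR_INVALID_REQUEST)
        nai = next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), None)
        framed = next((v for t, v in attrs if t == ATTR_FRAMED_IP_ADDRESS), None)
        if nai is None:
            return self._nak(ident, req_auth, ERR_MISSING_ATTRIBUTE)
        sessions = self.bindings.get(nai)    # Step 1: find the session by NAI
        if sessions is None:
            return self._nak(ident, req_auth, ERR_SESSION_NOT_FOUND)
        if framed is not None:               # Step 2: only the named home address
            if len(framed) != 4:
                return self._nak(ident, req_auth, ERR_INVALID_REQUEST)
            addr = str(ipaddress.IPv4Address(framed))
            if addr not in sessions:
                return self._nak(ident, req_auth, ERR_SESSION_NOT_FOUND)
            sessions.discard(addr)
            if not sessions:
                del self.bindings[nai]
        else:                                # Step 3: every binding for the NAI
            del self.bindings[nai]
        return self._reply(DISCONNECT_ACK, ident, req_auth, [])
```

Requests from an address outside the configured client list, or with a Request Authenticator that does not verify under the server key, are dropped without a reply, which is what keeps an on-path attacker from using PoD to tear down bindings; the ACK and NAK are themselves authenticated with the Response Authenticator so the AAA server can tell a genuine reply from a forged one.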
Configuring RADIUS Disconnect Client
Perform the following tasks to configure RADIUS disconnect for clients and the associated keys:

Command:
Router(config)# aaa pod server [clients ipaddr1 [ipaddr2] [ipaddr3] [ipaddr4]] [port port-number] [auth-type {any | all | session-key}] [ignore session-key] {ignore server-key | server-key string}
Purpose:
Required to enable Packet of Disconnect (PoD) services at the AAA subsystem level in Cisco IOS. Enables inbound user sessions to be disconnected when specific session attributes are presented.

Command:
Router(config)# ip mobile radius disconnect
Purpose:
Enables processing of RADIUS Disconnect messages on the HA.

Command:
Router(config)# radius-server attribute 32 include-in-access-req
Purpose:
Required to include the optional NAS-Identifier attribute in the Access-Request sent to the home AAA.

Command:
Router# debug aaa pod
Purpose:
Displays debug information for RADIUS Disconnect message processing at the AAA subsystem level.

Cisco Mobile Wireless Home Agent Feature for IOS 12.4(15)XM
Chapter 7 Terminating IP Registrations
Mobile IPv4 Registration Revocation

Restrictions for RADIUS Disconnect
The following restrictions apply to the RADIUS Disconnect feature:
• The MIB is not updated with RADIUS Disconnect information.
• Mobile IP conditional debugging is not supported.

Support for Binding Synch and Deletion
In the current implementation of Home Agent redundancy, bindings that are deleted on the active HA (in
active-standby mode) or on any peer (in peer-to-peer mode) because of a received Revocation message or
RADIUS Disconnect message are synched to the standby HA or the peer HA. The additional extensions
and attributes for Revocation and RADIUS Disconnect are also relayed to the standby. Registration
Revocation and RADIUS Disconnect (using the clear ip mobile binding command) are supported with
HA redundancy. This support has the following characteristics:

Active-Standby Mode of HA Redundancy:
• Bindings on the active HA that are deleted by a trigger (for example, receipt of a Revocation message
or a RADIUS Disconnect message) are synched to the standby HA.
• Bindings that are deleted by commands that unconfigure (for example, ip mobile host) are not synched.
• Bindings that are deleted on the standby HA are not synched to the active HA.
• The additional extension (Revocation Support Extension) and attribute (STC attribute) for Revocation
and RADIUS Disconnect are relayed to the standby HA.

Peer-to-Peer Mode of HA Redundancy:
• Bindings that are deleted on either peer by a trigger (for example, receipt of a Revocation message
or a RADIUS Disconnect message) are synched to the other peer.
• Bindings that are deleted by commands that unconfigure (for example, ip mobile host) are not synched.
• The additional extension (Revocation Support Extension) and attribute (STC attribute) for Revocation
and RADIUS Disconnect are relayed to the peer HA.
Binding Synch
The following call flow shows the sequence of messages exchanged among the network entities to
bring up a Mobile IP flow and synch the binding to the standby Home Agent.
1. The MS originates a call and a PPP session comes up.
2. The PDSN receives a MIP RRQ from the MN and authenticates the MN by FA-CHAP. The STC
VSA with the appropriate value (2 or 3) is included in the Access-Request message sent to the AAA.
After successful authentication, the PDSN forwards the RRQ to the HA and includes the Revocation
Support Extension after the MHAE.
3. The HA, on receiving a MIP RRQ that contains a revocation extension, includes a Revocation
Support Extension in the MIP RRP sent back to the PDSN. During HA-CHAP authentication of the
MS, the STC VSA with the appropriate value (2 or 3) is included in the Access-Request message
sent to the AAA. The binding at the HA is now considered revocable.
4. The PDSN receives the MIP RRP containing a revocation extension. The binding at the PDSN is
revocable because the MIP RRP contained a revocation extension.
5. Because the Home Agent is configured in redundant mode, a Bind Update message is sent to the
standby with the additional information (Revocation Support Extension and STC NVSE).
6. The standby Home Agent regenerates the binding from the information in the Bind Update
message and, on successful creation of the binding, returns a Bind Update Ack message with code
"accept".
Binding Deletion
As part of this support, two new messages, Bind Delete Request and Bind Delete Ack, are introduced
and exchanged between the redundant HAs when a binding is deleted. The following sample call flow
shows a binding being deleted on the active Home Agent because of a received Revocation message,
with the deletion synched to the standby Home Agent.
1. The MS originates a call, a PPP session comes up, and a Mobile IP flow is set up on the active Home
Agent with Registration Revocation capability enabled and negotiated. The binding is synched to the
standby Home Agent.
2. When an administrator issues a clear command on the PDSN, the PDSN sends a Revocation message
to the active Home Agent, deletes the visitor entry, and clears the associated resources.
3. The active HA, on receiving the MIP Revocation message, identifies the binding to be deleted and
sends a Bind Delete Request message to the standby HA.
4. After the Bind Delete Request is sent, the active HA cleans up the resources associated with the
binding named in the Revocation message and returns a MIP Revocation Ack message to the PDSN.
5. The standby HA, on receiving the Bind Delete Request message, identifies the binding to be deleted
and returns a Bind Delete Ack message with code "accept".
6. If the active HA does not receive a Bind Delete Ack within the configured time, it retransmits the
Bind Delete Request. Retransmission is repeated up to the maximum retransmit count.
During binding synch, the extension (Revocation Support Extension) and attribute (STC attribute) for
Revocation and RADIUS Disconnect are synched from the active HA to the standby. If the active HA
goes down and the standby becomes active, the now-active HA can delete bindings on receipt of a
RADIUS Disconnect message. For revocation, the bindings on the now-active HA remain revocable, and
the HA can send and receive revocation messages.
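The synch and deletion behaviour described above (which deletions are synched and which are not, what the Bind Update carries, and Bind Delete Request retransmission up to the maximum retransmit count) as an added example; it is not code from the Cisco document or from Cisco IOS. ActiveHA and StandbyHA are constructed classes that exchange the messages as in-memory calls; the retransmit limit, the drop_first knob that simulates lost Bind Delete Requests, the trigger names and the sample bindings are assumptions made for the example, and the failover step only shows that the revocable flag and STC value survive promotion.

```python
from dataclasses import dataclass, replace

# Triggers that delete a binding on the active HA. Only the first two are synched
# to the redundant HA; an unconfigure command (for example removing ip mobile host) is not.
TRIGGER_REVOCATION = "revocation"
TRIGGER_RADIUS_DISCONNECT = "radius-disconnect"
TRIGGER_UNCONFIGURE = "unconfigure"
SYNCHED_TRIGGERS = {TRIGGER_REVOCATION, TRIGGER_RADIUS_DISCONNECT}


@dataclass
class Binding:
    nai: str
    home_addr: str
    revocable: bool   # Revocation Support Extension negotiated in the RRQ/RRP
    stc: int          # 3GPP2 STC value carried in the Access-Request (2 or 3)

    @property
    def key(self):
        return (self.nai, self.home_addr)


class StandbyHA:
    """Constructed standby/peer: mirrors bindings and answers Bind Update / Bind Delete."""

    def __init__(self, drop_first=0):
        self.bindings = {}
        self.drop_first = drop_first   # simulate this many lost Bind Delete Requests
        self.deletes_seen = 0

    def bind_update(self, binding):
        # Regenerate the binding, keeping the revocable flag and the STC NVSE value.
        self.bindings[binding.key] = replace(binding)
        return "accept"

    def bind_delete_request(self, key):
        self.deletes_seen += 1
        if self.deletes_seen <= self.drop_first:
            return None                # lost on the wire: the active HA times out
        self.bindings.pop(key, None)
        return "accept"

    def promote(self):
        """Failover: the standby becomes active with the synched revocable/STC state."""
        active = ActiveHA(standby=None)
        active.bindings = dict(self.bindings)
        return active


class ActiveHA:
    def __init__(self, standby, max_retransmit=3):
        self.standby = standby
        self.max_retransmit = max_retransmit   # assumed retransmit limit
        self.bindings = {}

    def create_binding(self, binding):
        self.bindings[binding.key] = binding
        if self.standby is None:
            return None
        return self.standby.bind_update(binding)   # Bind Update with extension + NVSE

    def delete_binding(self, key, trigger):
        """Delete locally; return how many Bind Delete Requests were transmitted."""
        self.bindings.pop(key)
        if trigger not in SYNCHED_TRIGGERS or self.standby is None:
            return 0                   # unconfigure: deleted locally, never synched
        sent = 0
        while sent <= self.max_retransmit:     # one initial send plus retransmits
            sent += 1
            if self.standby.bind_delete_request(key) == "accept":
                break
        return sent
```

The return value of delete_binding makes the retransmit behaviour observable: a standby that loses the first two requests acknowledges the third, while a standby that never answers costs one initial send plus max_retransmit retries before the active HA gives up, with the stale binding left on the standby.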
