Radius disconnect message

 

Normally called cut packets, it is found that the conventional call is disconnect message or packet of disconnect.

 

 

A disconnect message (sometimes known as packet of disconnect
) Is and unsolicited radius
Disconnect-Request
Packet (a special type of change-of-Authorization
Packet) sent to a NAS
In order to terminate a user session and discard all associated session context. The disconnect-Request
Packet is sent to UDP port 3799 (although sans NAS use port 1700 instead), and is intended to be used in situations where the AAA
Server wants to disconnect the user after the session has been accepted by the radius
Access-accept
Packet.

To prevent unauthorized servers from disconnecting users, the authorizing agent that issues the disconnect-Request
Packet must include identification attributes (usually three
Attributes) in its disconnect-request] packet. for a session to be
Disconnected, all parameters must match their expected values at the NAS
. If the parameters do not match, the NAS
Discards the disconnect-Request
Packet and sends a disconnect-Nak
(Negative acknowledgment message ).

Contents [Hide ] 1 Disconnect messages 2 Message exchange 3 Example disconnect-Request 4 See also

[Edit
]

Disconnect messages

To centrally control the disconnection of remote access users,
Radius clients must be able to receive and process unsolicited
Disconnect requests from RADIUS servers. The radius disconnect feature
Uses the existing format of radius disconnect request and response
Messages.

The code field used in disconnect messages has three codes:

• Disconnect-Request
  (40)
• Disconnect-ack
  (41)
• Disconnect-Nak
  (42)

[Edit
]

Message exchange

The radius
Server (the Disconnect Client) and the NAS
(The disconnect server) exchange messages using UDP. The disconnect-Request
Sent from the Disconnect Client is a radius-formatted packet with the disconnect-Request
And one or more attributes.

The disconnect response is either a disconnect-ack or a disconnect-Nak:

If aaa
Is successful in disconnecting the user, the response is a radius
Formatted packet with a disconnect-ack
.

If AAA is unsuccessful in disconnecting the user, the request is
Malformed, or the request is missing attributes, the response is
Radius-formatted packet with a disconnect-Nak

[Edit
]

Example disconnect-Request

FreeRADIUS
Server (radiusd
) Does not currently have internal disconnect-Request
Support however you can send disconnect packets to a disconnect enabled NAS
With radclient
As follows

# echo "Acct-Session-Id=D91FE8E51802097" > packet.txt
# echo "User-Name=somebody" >> packet.txt
# echo "X-Ascend-Session-Svr-Key=4235DAD8" >> packet.txt
# echo "NAS-IP-Address=10.0.0.1" >> packet.txt

# cat packet.txt | radclient -x 10.0.0.1:3799 disconnect secret

Sending Disconnect-Request of id 214 to 10.0.0.1 port 3799
       Acct-Session-Id = "D91FE8E51802097"
       User-Name = "somebody"
       X-Ascend-Session-Svr-Key = "4235DAD8"
       NAS-IP-Address = 10.0.0.1
rad_recv: Disconnect-ACK packet from host 10.0.0.1 port 3799, id=214, length=20

Note: The actual attributes which need to be sent in the disconnect-Request
And the port you send the packet to may vary depending on your brand of NAS
And it's configuration. Though the RFC states the destination UDP port
Shocould be 3799 for disconnect-requests, Cisco brand equipment uses
Non Standard UDP port 1700 by default for pod.

For mikrotik try

# cat packet.txt | radclient -r 1 10.0.0.1:1700 disconnect secret

Where-R 1 means retry only once and give up.

[Edit
]

See also

• Radius packet of disconnect with Cisco equipment
• RFC 3576

Retrieved from "http://wiki.freeradius.org/Disconnect_Messages
"

This page has been accessed 17,441 times. This page was last modified, 27 January 2009.