radius-server authorization error-reply

Function

The radius-server authorization error-reply command configures the method for the device to respond to the RADIUS server-delivered CoA packets that it cannot process.

By default, the device uses version 1 to respond to the RADIUS server-delivered CoA packets that it cannot process.

This command is supported only on the NetEngine 8000 F1A.

Format

radius-server authorization error-reply { version1 | version2 }

Parameters

| Parameter | Description | Value |
|-----------|-------------|-------|
| version1 | Indicates that the device responds to the server's Change-of-Authorization packets using the version 1 method. Version 1 is the default method. | - |
| version2 | Indicates that the device responds to the server's Change-of-Authorization packets using the version 2 method. The version 2 method complies with relevant standards. | - |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|-----------|------------|
| radius | write |

Usage Guidelines

Usage Scenario

If the device cannot process the CoA packets delivered by the RADIUS server, the device sends response packets carrying the error cause to the RADIUS server.

When version2 is configured in the radius-server authorization error-reply command, the requirements are stricter and the affected attributes are as follows:

  • When the HW-Domain-Name attribute carried in CoA packets is an empty pad character or does not exist, the device responds with NAK packets (Error-Cause 404).
  • When the Filter-ID attribute carried in CoA packets is an empty pad character or is not set up, the device responds with NAK packets (Error-Cause 404).
  • When the HW-QOS-Profile-Name attribute carried in CoA packets is an empty pad character or is not set up, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Down-QOS-Profile-Name attribute carried in CoA packets is an empty pad character or is not set up, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Subscriber-QOS-Profile attribute carried in CoA packets is an empty pad character or is not set up, the device responds with NAK packets (Error-Cause 404).
  • When the HW-VPN-Instance attribute carried in CoA packets is an empty pad character or is not set up, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Up-Priority attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Down-Priority attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Priority attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Lease-Time attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Multicast-Profile-Name attribute carried in CoA packets is an empty pad character or is not set up, the device responds with NAK packets (Error-Cause 404).
  • When the Acct-Interim-Interval attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Portal-Mode attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Portal-URL attribute carried in CoA packets is longer than 200 bytes, the device responds with NAK packets (Error-Cause 404).
  • When the HW-Web-URL attribute carried in CoA packets is longer than 200 bytes, the device responds with NAK packets (Error-Cause 404).
  • When CoA packets deliver the HW-Subscriber-QoS-Profile attribute to LNS users and the attribute is not supported by the LNS, the device responds with NAK packets (Error-Cause 404).
  • When the Subscriber:gq-inbound attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the subscriber:gq-outbound attribute carried in CoA packets is incorrect, the device responds with NAK packets (Error-Cause 404).
  • When the CoA server delivers a DM message for a non-existent user (or an offline user), the Error-Cause 404 packets sent by the device are changed to Error-Cause 503.
  • When the values of the attributes delivered by the CoA server are correct but the device fails to execute the command delivered by the RADIUS server because resources are unavailable, the Error-Cause 404 packets are changed to Error-Cause 506 (Resource Unavailable). Therefore, when processing fails in the general AAA and UCM modules, the device responds to the RADIUS server with NAK packets (Error-Cause 506).

When version1 is configured, the following attributes are affected:

  • When the HW-QOS-Profile-Name attribute carried in CoA packets is empty, qos-profile is not created on the device, or the created qos-profile is not supported, the device responds with ACK packets.
  • When the HW-Down-Qos-Profile-Name attribute carried in CoA packets is empty or qos-profile is not created on the device, the device responds with ACK packets.
  • When the HW-Subscriber-QoS-Profile attribute carried in CoA packets is empty or qos-profile is not created on the device, the device responds with ACK packets.
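
An added example, not part of the Huawei documentation: a RADIUS-server-side check in Python that validates a CoA or DM reply and reads the Error-Cause values listed above, including the version1 case where an ACK does not confirm that a QoS profile was applied. The packet layout, reply codes and Error-Cause attribute type 101 come from RFC 5176 rather than this page; the function names, shared secret and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Reply codes and Error-Cause attribute type per RFC 5176 (not from this page).
CODES = {41: "Disconnect-ACK", 42: "Disconnect-NAK", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = 101
# Only the Error-Cause values this page mentions, with their RFC 5176 names.
CAUSES = {404: "Invalid Request", 503: "Session Context Not Found",
          506: "Resources Unavailable"}

def response_auth(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Helper used only to construct the sample packets below."""
    auth = response_auth(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def parse_reply(packet, request_auth, secret):
    """Validate a CoA/DM reply and return (reply name, Error-Cause or None)."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed CoA/DM reply")
    attrs = packet[20:length]
    expected = response_auth(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    cause, pos = None, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute")
        if attrs[pos] == ERROR_CAUSE and attrs[pos + 1] == 6:
            cause = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += attrs[pos + 1]
    return CODES[code], cause

def interpret(reply, cause, error_reply="version2"):
    """Summarize a reply given the device's configured error-reply version."""
    if reply.endswith("NAK"):
        return f"{reply}: Error-Cause {cause} ({CAUSES.get(cause, 'not listed on this page')})"
    if error_reply == "version1":  # version1 ACKs empty or missing QoS profiles
        return f"{reply}: QoS profile change not confirmed under version1"
    return f"{reply}: accepted"

# Constructed sample data: all-zero Request Authenticator and a made-up secret.
REQ_AUTH, SECRET = bytes(16), b"constructed-secret"
SAMPLE_NAK = build_reply(45, 7, struct.pack("!BBI", ERROR_CAUSE, 6, 404), REQ_AUTH, SECRET)
SAMPLE_ACK = build_reply(44, 8, b"", REQ_AUTH, SECRET)
```
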

Precautions

In VS mode, this command is supported only by the admin VS.

Example

# Configure version 2 to encapsulate CoA response packets.
<HUAWEI> system-view
[~HUAWEI] radius-server authorization error-reply version2
Copyright © Huawei Technologies Co., Ltd.