# -*- text -*- ###################################################################### # # The server can originate Change of Authorization (CoA) or # Disconnect request packets. These packets are used to dynamically # change the parameters of a users session (bandwidth, etc.), or # to forcibly disconnect the user. # # There are some caveats. Not all NAS vendors support this # functionality. Even for the ones that do, it may be difficult to # find out what needs to go into a CoA-Request or Disconnect-Request # packet. All we can suggest is to read the NAS documentation # available from the vendor. That documentation SHOULD describe # what information their equipment needs to see in a CoA packet. # # This information is usually a list of attributes such as: # # NAS-IP-Address (or NAS-IPv6 address) # NAS-Identifier # User-Name # Acct-Session-Id # # CoA packets can be originated when a normal Access-Request or # Accounting-Request packet is received. Simply update the # "coa" list: # # update coa { # User-Name = "%{User-Name}" # Acct-Session-Id = "%{Acct-Session-Id}" # NAS-IP-Address = "%{NAS-IP-Address}" # } # # And the CoA packet will be sent. You can also send Disconnect # packets by using "update disconnect { ...". # # This "update coa" entry can be placed in any section (authorize, # preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA # packets CANNOT be sent if the original request has been proxied. # # The CoA functionality works best when the RADIUS server and # the NAS receiving CoA packets are on the same network. # # If "update coa { ... " is used, and then later it becomes necessary # to not send a CoA request, the following example can suppress the # CoA packet: # # update control { # Send-CoA-Request = No # } # # The default destination of a CoA packet is the NAS (or client) # the sent the original Access-Request or Accounting-Request. See # raddb/clients.conf for a "coa_server" configuration that ties # a client to a specific home server, or to a home server pool. # # If you need to send the packet to a different destination, update # the "coa" list with one of: # # Packet-Dst-IP-Address = ... # Packet-Dst-IPv6-Address = ... # Home-Server-Pool = ... # # That specifies an Ipv4 or IPv6 address, or a home server pool # (such as the "coa" pool example below). This use is not # recommended, however, It is much better to point the client # configuration directly at the CoA server/pool, as outlined # earlier. # # If the CoA port is non-standard, you can also set: # # Packet-Dst-Port # # to have the value of the port. # ###################################################################### # # When CoA packets are sent to a NAS, the NAS is acting as a # server (see RFC 5176). i.e. it has a type (accepts CoA and/or # Disconnect packets), an IP address (or IPv6 address), a # destination port, and a shared secret. # # This information *cannot* go into a "client" section. In the future, # FreeRADIUS will be able to receive, and to proxy CoA packets. # Having the CoA configuration as below means that we can later do # load-balancing, fail-over, etc. of CoA servers. If the CoA # configuration went into a "client" section, it would be impossible # to do proper proxying of CoA requests. # home_server localhost-coa { type = coa # # Note that a home server of type "coa" MUST be a real NAS, # with an ipaddr or ipv6addr. It CANNOT point to a virtual # server. # ipaddr = 127.0.0.1 port = 3799 # This secret SHOULD NOT be the same as the shared # secret in a "client" section. secret = testing1234 # CoA specific parameters. See raddb/proxy.conf for details. coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } # # CoA servers can be put into pools, just like normal servers. # home_server_pool coa { type = fail-over # Point to the CoA server above. home_server = localhost-coa # CoA requests are run through the pre-proxy section. # CoA responses are run through the post-proxy section. virtual_server = originate-coa.example.com # # Home server pools of type "coa" cannot (currently) have # a "fallback" configuration. # } # # When this virtual server is run, the original request has FINISHED # processing. i.e. the reply has already been sent to the NAS. # You can access the attributes in the original packet, reply, and # control items, but changing them will have NO EFFECT. # # The CoA packet is in the "proxy-request" attribute list. # The CoA reply (if any) is in the "proxy-reply" attribute list. # server originate-coa.example.com { pre-proxy { update proxy-request { NAS-IP-Address = 127.0.0.1 } } # # Handle the responses here. # post-proxy { switch "%{proxy-reply:Packet-Type}" { case CoA-ACK { ok } case CoA-NAK { # the NAS didn't like the CoA request ok } case Disconnect-ACK { ok } case Disconnect-NAK { # the NAS didn't like the Disconnect request ok } # Invalid packet type. This shouldn't happen. case { fail } } # # These methods are run when there is NO response # to the request. # Post-Proxy-Type Fail-CoA { ok } Post-Proxy-Type Fail-Disconnect { ok } } }