# -*- text -*-
2
######################################################################
3
#
4
#  The server can originate Change of Authorization (CoA) or
5
#  Disconnect request packets.  These packets are used to dynamically
6
#  change the parameters of a user's session (bandwidth, etc.), or
7
#  to forcibly disconnect the user.
8
#
9
#  There are some caveats.  Not all NAS vendors support this
10
#  functionality.  Even for the ones that do, it may be difficult to
11
#  find out what needs to go into a CoA-Request or Disconnect-Request
12
#  packet.  All we can suggest is to read the NAS documentation
13
#  available from the vendor.  That documentation SHOULD describe
14
#  what information their equipment needs to see in a CoA packet.
15
#
16
#  This information is usually a list of attributes such as:
17
#
18
#	NAS-IP-Address (or NAS-IPv6-Address)
19
#	NAS-Identifier
20
#	User-Name
21
#	Acct-Session-Id
22
#
23
#  CoA packets can be originated when a normal Access-Request or
24
#  Accounting-Request packet is received.  Simply update the
25
#  "coa" list:
26
#
27
#	update coa {
28
#	       User-Name = "%{User-Name}"
29
#	       Acct-Session-Id = "%{Acct-Session-Id}"
30
#	       NAS-IP-Address = "%{NAS-IP-Address}"
31
#	}
32
#
33
#  And the CoA packet will be sent.  You can also send Disconnect
34
#  packets by using "update disconnect { ...".
35
#
36
#  This "update coa" entry can be placed in any section (authorize,
37
#  preacct, etc.), EXCEPT for pre-proxy and post-proxy.  The CoA
38
#  packets CANNOT be sent if the original request has been proxied.
39
#
40
#  The CoA functionality works best when the RADIUS server and
41
#  the NAS receiving CoA packets are on the same network.
42
#
43
#  If "update coa { ... " is used, and then later it becomes necessary
44
#  to not send a CoA request, the following example can suppress the
45
#  CoA packet:
46
#
47
#	update control {
48
#		Send-CoA-Request = No
49
#	}
50
#
51
#  The default destination of a CoA packet is the NAS (or client)
52
#  that sent the original Access-Request or Accounting-Request.  See
53
#  raddb/clients.conf for a "coa_server" configuration that ties
54
#  a client to a specific home server, or to a home server pool.
55
#
56
#  If you need to send the packet to a different destination, update
57
#  the "coa" list with one of:
58
#
59
#	Packet-Dst-IP-Address = ...
60
#	Packet-Dst-IPv6-Address = ...
61
#	Home-Server-Pool = ...
62
#
63
#  That specifies an IPv4 or IPv6 address, or a home server pool
64
#  (such as the "coa" pool example below).  This use is not
65
#  recommended, however.  It is much better to point the client
66
#  configuration directly at the CoA server/pool, as outlined
67
#  earlier.
68
#
69
#  If the CoA port is non-standard, you can also set:
70
#
71
#	Packet-Dst-Port
72
#
73
#  to have the value of the port.
74
#
75
######################################################################
76
 
77
#
78
#  When CoA packets are sent to a NAS, the NAS is acting as a
79
#  server (see RFC 5176).  i.e. it has a type (accepts CoA and/or
80
#  Disconnect packets), an IP address (or IPv6 address), a
81
#  destination port, and a shared secret.
82
#
83
#  This information *cannot* go into a "client" section.  In the future,
84
#  FreeRADIUS will be able to receive, and to proxy CoA packets.
85
#  Having the CoA configuration as below means that we can later do
86
#  load-balancing, fail-over, etc. of CoA servers.  If the CoA
87
#  configuration went into a "client" section, it would be impossible
88
#  to do proper proxying of CoA requests.
89
#
90
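#  Definition of the NAS that CoA-Request / Disconnect-Request packets
#  are sent to.  The viewer's line-number gutter has been removed so the
#  block parses as configuration again; all values are unchanged.
home_server localhost-coa {
	type = coa

	#
	#  Note that a home server of type "coa" MUST be a real NAS,
	#  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
	#  server.
	#
	ipaddr = 127.0.0.1
	port = 3799

	#  This secret SHOULD NOT be the same as the shared
	#  secret in a "client" section.
	#
	#  NOTE(review): "testing1234" is the sample value.  The NAS uses
	#  this secret to authenticate CoA and Disconnect requests, so
	#  replace it with a long, random secret that is unique to this
	#  NAS before using the file outside a test setup, and keep the
	#  file readable only by the account the RADIUS server runs as.
	secret = testing1234

	#  CoA specific parameters.  See raddb/proxy.conf for details.
	coa {
		#  Initial retransmit time
		irt = 2
		#  Maximum retransmit time
		mrt = 16
		#  Maximum retransmit count
		mrc = 5
		#  Maximum retransmit duration
		mrd = 30
	}
}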
113
 
114
#
115
#  CoA servers can be put into pools, just like normal servers.
116
#
117
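#  Pool wrapping the CoA home server.  The viewer's line-number gutter
#  has been removed so the block parses as configuration again; all
#  values are unchanged.
home_server_pool coa {
	type = fail-over

	# Point to the CoA server above.
	home_server = localhost-coa

	#  CoA requests are run through the pre-proxy section.
	#  CoA responses are run through the post-proxy section.
	#  Both sections are looked up in the virtual server named here.
	virtual_server = originate-coa.example.com

	#
	#  Home server pools of type "coa" cannot (currently) have
	#  a "fallback" configuration.
	#
}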
132
 
133
#
134
#  When this virtual server is run, the original request has FINISHED
135
#  processing.  i.e. the reply has already been sent to the NAS.
136
#  You can access the attributes in the original packet, reply, and
137
#  control items, but changing them will have NO EFFECT.
138
#
139
#  The CoA packet is in the "proxy-request" attribute list.
140
#  The CoA reply (if any) is in the "proxy-reply" attribute list.
141
#
142
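#  Virtual server that processes originated CoA / Disconnect packets.
#  The viewer's line-number gutter has been removed so the block parses
#  as configuration again; the policy itself is unchanged.
server originate-coa.example.com {
	pre-proxy {
		#  Runs on the outgoing CoA / Disconnect request.
		#  127.0.0.1 is the sample value matching the
		#  "localhost-coa" home server.
		update proxy-request {
			NAS-IP-Address = 127.0.0.1
		}
	}

	#
	# Handle the responses here.
	#
	post-proxy {
		switch "%{proxy-reply:Packet-Type}" {
			case CoA-ACK {
				ok
			}

			case CoA-NAK {
				# the NAS didn't like the CoA request
				#
				# NOTE(review): nothing is recorded here.  A NAK
				# means the session was NOT changed; if the CoA
				# enforces a policy decision, consider logging it
				# so the failure is visible to operators.
				ok
			}

			case Disconnect-ACK {
				ok
			}

			case Disconnect-NAK {
				# the NAS didn't like the Disconnect request
				#
				# NOTE(review): the user is still connected at
				# this point.  Consider logging the NAK so that a
				# refused disconnect does not go unnoticed.
				ok
			}

			# Invalid packet type.  This shouldn't happen.
			case {
				fail
			}
		}

		#
		#  These methods are run when there is NO response
		#  to the request.
		#
		#  NOTE(review): both return "ok" silently.  No response
		#  means it is unknown whether the NAS applied the change
		#  or disconnect; consider logging these as well.
		#
		Post-Proxy-Type Fail-CoA {
			ok
		}

		Post-Proxy-Type Fail-Disconnect {
			ok
		}
	}
}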