Blame | Last modification | View Log | RSS feed
# -*- text -*-######################################################################## The server can originate Change of Authorization (CoA) or# Disconnect request packets. These packets are used to dynamically# change the parameters of a users session (bandwidth, etc.), or# to forcibly disconnect the user.## There are some caveats. Not all NAS vendors support this# functionality. Even for the ones that do, it may be difficult to# find out what needs to go into a CoA-Request or Disconnect-Request# packet. All we can suggest is to read the NAS documentation# available from the vendor. That documentation SHOULD describe# what information their equipment needs to see in a CoA packet.## This information is usually a list of attributes such as:## NAS-IP-Address (or NAS-IPv6 address)# NAS-Identifier# User-Name# Acct-Session-Id## CoA packets can be originated when a normal Access-Request or# Accounting-Request packet is received. Simply update the# "coa" list:## update coa {# User-Name = "%{User-Name}"# Acct-Session-Id = "%{Acct-Session-Id}"# NAS-IP-Address = "%{NAS-IP-Address}"# }## And the CoA packet will be sent. You can also send Disconnect# packets by using "update disconnect { ...".## This "update coa" entry can be placed in any section (authorize,# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA# packets CANNOT be sent if the original request has been proxied.## The CoA functionality works best when the RADIUS server and# the NAS receiving CoA packets are on the same network.## If "update coa { ... " is used, and then later it becomes necessary# to not send a CoA request, the following example can suppress the# CoA packet:## update control {# Send-CoA-Request = No# }## The default destination of a CoA packet is the NAS (or client)# the sent the original Access-Request or Accounting-Request. See# raddb/clients.conf for a "coa_server" configuration that ties# a client to a specific home server, or to a home server pool.## If you need to send the packet to a different destination, update# the "coa" list with one of:## Packet-Dst-IP-Address = ...# Packet-Dst-IPv6-Address = ...# Home-Server-Pool = ...## That specifies an Ipv4 or IPv6 address, or a home server pool# (such as the "coa" pool example below). This use is not# recommended, however, It is much better to point the client# configuration directly at the CoA server/pool, as outlined# earlier.## If the CoA port is non-standard, you can also set:## Packet-Dst-Port## to have the value of the port.######################################################################### When CoA packets are sent to a NAS, the NAS is acting as a# server (see RFC 5176). i.e. it has a type (accepts CoA and/or# Disconnect packets), an IP address (or IPv6 address), a# destination port, and a shared secret.## This information *cannot* go into a "client" section. In the future,# FreeRADIUS will be able to receive, and to proxy CoA packets.# Having the CoA configuration as below means that we can later do# load-balancing, fail-over, etc. of CoA servers. If the CoA# configuration went into a "client" section, it would be impossible# to do proper proxying of CoA requests.#home_server localhost-coa {type = coa## Note that a home server of type "coa" MUST be a real NAS,# with an ipaddr or ipv6addr. It CANNOT point to a virtual# server.#ipaddr = 127.0.0.1port = 3799# This secret SHOULD NOT be the same as the shared# secret in a "client" section.secret = testing1234# CoA specific parameters. See raddb/proxy.conf for details.coa {irt = 2mrt = 16mrc = 5mrd = 30}}## CoA servers can be put into pools, just like normal servers.#home_server_pool coa {type = fail-over# Point to the CoA server above.home_server = localhost-coa# CoA requests are run through the pre-proxy section.# CoA responses are run through the post-proxy section.virtual_server = originate-coa.example.com## Home server pools of type "coa" cannot (currently) have# a "fallback" configuration.#}## When this virtual server is run, the original request has FINISHED# processing. i.e. the reply has already been sent to the NAS.# You can access the attributes in the original packet, reply, and# control items, but changing them will have NO EFFECT.## The CoA packet is in the "proxy-request" attribute list.# The CoA reply (if any) is in the "proxy-reply" attribute list.#server originate-coa.example.com {pre-proxy {update proxy-request {NAS-IP-Address = 127.0.0.1}}## Handle the responses here.#post-proxy {switch "%{proxy-reply:Packet-Type}" {case CoA-ACK {ok}case CoA-NAK {# the NAS didn't like the CoA requestok}case Disconnect-ACK {ok}case Disconnect-NAK {# the NAS didn't like the Disconnect requestok}# Invalid packet type. This shouldn't happen.case {fail}}## These methods are run when there is NO response# to the request.#Post-Proxy-Type Fail-CoA {ok}Post-Proxy-Type Fail-Disconnect {ok}}}