| # -*- text -*- |
| ###################################################################### |
| # |
| # The server can originate Change of Authorization (CoA) or |
| # Disconnect request packets. These packets are used to dynamically |
| # change the parameters of a user's session (bandwidth, etc.), or |
| # to forcibly disconnect the user. |
| # |
| # There are some caveats. Not all NAS vendors support this |
| # functionality. Even for the ones that do, it may be difficult to |
| # find out what needs to go into a CoA-Request or Disconnect-Request |
| # packet. All we can suggest is to read the NAS documentation |
| # available from the vendor. That documentation SHOULD describe |
| # what information their equipment needs to see in a CoA packet. |
| # |
| # This information is usually a list of attributes such as: |
| # |
| # NAS-IP-Address (or NAS-IPv6 address) |
| # NAS-Identifier |
| # User-Name |
| # Acct-Session-Id |
| # |
| # CoA packets can be originated when a normal Access-Request or |
| # Accounting-Request packet is received. Simply update the |
| # "coa" list: |
| # |
| # update coa { |
| # User-Name = "%{User-Name}" |
| # Acct-Session-Id = "%{Acct-Session-Id}" |
| # NAS-IP-Address = "%{NAS-IP-Address}" |
| # } |
| # |
| # And the CoA packet will be sent. You can also send Disconnect |
| # packets by using "update disconnect { ...". |
| # |
| # This "update coa" entry can be placed in any section (authorize, |
| # preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA |
| # packets CANNOT be sent if the original request has been proxied. |
| # |
| # The CoA functionality works best when the RADIUS server and |
| # the NAS receiving CoA packets are on the same network. |
| # |
| # If "update coa { ... " is used, and then later it becomes necessary |
| # to not send a CoA request, the following example can suppress the |
| # CoA packet: |
| # |
| # update control { |
| # Send-CoA-Request = No |
| # } |
| # |
| # The default destination of a CoA packet is the NAS (or client) |
| # that sent the original Access-Request or Accounting-Request. See |
| # raddb/clients.conf for a "coa_server" configuration that ties |
| # a client to a specific home server, or to a home server pool. |
| # |
| # If you need to send the packet to a different destination, update |
| # the "coa" list with one of: |
| # |
| # Packet-Dst-IP-Address = ... |
| # Packet-Dst-IPv6-Address = ... |
| # Home-Server-Pool = ... |
| # |
| # That specifies an IPv4 or IPv6 address, or a home server pool |
| # (such as the "coa" pool example below). This use is not |
| # recommended, however; it is much better to point the client |
| # configuration directly at the CoA server/pool, as outlined |
| # earlier. |
| # |
| # If the CoA port is non-standard, you can also set: |
| # |
| # Packet-Dst-Port |
| # |
| # to have the value of the port. |
| # |
| ###################################################################### |
| |
| # |
| # When CoA packets are sent to a NAS, the NAS is acting as a |
| # server (see RFC 5176), i.e. it has a type (accepts CoA and/or |
| # Disconnect packets), an IP address (or IPv6 address), a |
| # destination port, and a shared secret. |
| # |
| # This information *cannot* go into a "client" section. In the future, |
| # FreeRADIUS will be able to receive, and to proxy CoA packets. |
| # Having the CoA configuration as below means that we can later do |
| # load-balancing, fail-over, etc. of CoA servers. If the CoA |
| # configuration went into a "client" section, it would be impossible |
| # to do proper proxying of CoA requests. |
| # |
#
# home_server localhost-coa: the NAS that will receive CoA/Disconnect
# packets originated by this server. Referenced by the "coa" pool below.
#
home_server localhost-coa {
	# "coa" marks this entry as a CoA/Disconnect destination rather
	# than an auth/acct proxy target.
	type = coa

	#
	# Note that a home server of type "coa" MUST be a real NAS,
	# with an ipaddr or ipv6addr. It CANNOT point to a virtual
	# server.
	#
	ipaddr = 127.0.0.1
	# UDP 3799 is the port RFC 5176 assigns to CoA/Disconnect.
	port = 3799

	# This secret SHOULD NOT be the same as the shared
	# secret in a "client" section.
	#
	# "testing1234" is an example value only: replace it with a long,
	# random secret known only to this server and the NAS before this
	# file is enabled, and treat this file as sensitive once it holds
	# the real value.
	secret = testing1234

	# CoA specific parameters. See raddb/proxy.conf for details.
	#
	# Retransmission tuning, using the RFC 5080 names:
	#   irt - initial retransmit timeout (seconds)
	#   mrt - maximum retransmit timeout (seconds)
	#   mrc - maximum retransmit count
	#   mrd - maximum retransmit duration (seconds)
	# When these are exhausted without a reply, the Post-Proxy-Type
	# Fail-CoA / Fail-Disconnect sections of the virtual server run.
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}
| |
| # |
| # CoA servers can be put into pools, just like normal servers. |
| # |
#
# home_server_pool coa: the pool that "Home-Server-Pool = coa" (or a
# client's "coa_server" setting in clients.conf) refers to.
#
home_server_pool coa {
	# Only one home_server is listed below, so there is currently
	# nothing to fail over to; add further "home_server" lines
	# before relying on the fail-over behaviour.
	type = fail-over

	# Point to the CoA server above.
	home_server = localhost-coa

	# CoA requests are run through the pre-proxy section.
	# CoA responses are run through the post-proxy section.
	virtual_server = originate-coa.example.com

	#
	# Home server pools of type "coa" cannot (currently) have
	# a "fallback" configuration.
	#
}
| |
| # |
| # When this virtual server is run, the original request has FINISHED |
| # processing, i.e. the reply has already been sent to the NAS. |
| # You can access the attributes in the original packet, reply, and |
| # control items, but changing them will have NO EFFECT. |
| # |
| # The CoA packet is in the "proxy-request" attribute list. |
| # The CoA reply (if any) is in the "proxy-reply" attribute list. |
| # |
#
# server originate-coa.example.com: virtual server that post-processes
# every CoA/Disconnect packet sent via the "coa" pool above. It can
# edit the outgoing packet (pre-proxy) and react to the reply or to
# the absence of one (post-proxy).
#
server originate-coa.example.com {
	pre-proxy {
		# Example value for a NAS on localhost. With the "=" operator
		# this only adds NAS-IP-Address when the "coa" list did not
		# already supply one (verify against the unlang operator
		# reference); for a real NAS set the address the vendor
		# documentation asks for, or drop this block.
		update proxy-request {
			NAS-IP-Address = 127.0.0.1
		}
	}

	#
	# Handle the responses here.
	#
	post-proxy {
		# Dispatch on the Packet-Type of the reply received from the NAS.
		switch "%{proxy-reply:Packet-Type}" {
			case CoA-ACK {
				ok
			}

			case CoA-NAK {
				# the NAS didn't like the CoA request
				#
				# NOTE(review): "ok" means a refused session change is
				# treated as success and nothing is recorded. Consider
				# logging the NAK (with User-Name / Acct-Session-Id from
				# the proxy-request list) so refused changes are visible
				# in audit trails.
				ok
			}

			case Disconnect-ACK {
				ok
			}

			case Disconnect-NAK {
				# the NAS didn't like the Disconnect request
				#
				# NOTE(review): as for CoA-NAK above, a refused
				# disconnect is silently accepted here; a log entry
				# would make failed forced disconnects visible.
				ok
			}

			# Invalid packet type. This shouldn't happen.
			case {
				fail
			}
		}

		#
		# These methods are run when there is NO response
		# to the request.
		#
		# They run after the retransmission limits in the
		# home server's "coa { ... }" block are exhausted.
		# Returning "ok" accepts the timeout silently; log here
		# if an unreachable NAS should be noticed.
		#
		Post-Proxy-Type Fail-CoA {
			ok
		}

		Post-Proxy-Type Fail-Disconnect {
			ok
		}
	}
}