RADIUS CoA [VAS Experts Documentation]

Differences

This shows you the differences between two versions of the page.

Previous revision: en:dpi:bras_bng:radius_integration:radius_auth_coa [2024/12/04 15:35] – ↷ Page moved from en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa to en:dpi:bras_bng:radius_integration:radius_auth_coa (elena.krasnobryzh)
Current revision: en:dpi:bras_bng:radius_integration:radius_auth_coa [2024/12/05 15:03] (current) (elena.krasnobryzh)
Line 1: Line 1:
-====== Radius CoA ======+====== RADIUS CoA ======
 {{indexmenu_n>2}} {{indexmenu_n>2}}
-[[https://tools.ietf.org/html/rfc5176|CoA]] - Change of Authorization are notifications from the Radius server that the user properties have changed or that the user has become unauthorized.+[[https://tools.ietf.org/html/rfc5176|CoA]] - Change of Authorization are notifications from the RADIUS server that the user properties have changed or that the user has become unauthorized.
  
 CoA-Request нотификация говорит о том, что пользователь авторизован и, опционально, у него изменились  CoA-Request нотификация говорит о том, что пользователь авторизован и, опционально, у него изменились 
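Review bot: the third paragraph ("CoA-Request нотификация говорит о том, что пользователь авторизован и, опционально, у него изменились") is still in Russian on the English page and is cut off mid-sentence; in English it reads "The CoA-Request notification indicates that the user is authorized and, optionally, that his ... have changed", so it needs translating and the missing object of "have changed" restored from the source text (the list at Line 9 suggests it is the user's parameters). Also, "CoA - Change of Authorization are notifications from the RADIUS server" mixes singular and plural; "CoA (Change of Authorization) is a notification from the RADIUS server that the user's properties have changed or that the user is no longer authorized" reads better, and the only change this revision makes to the line (Radius to RADIUS) leaves that intact.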
Line 9: Line 9:
   * the user went from "not authorized" to "authorized" (for example, topped up the account) - see below;   * the user went from "not authorized" to "authorized" (for example, topped up the account) - see below;
   * the authorized user's parameters have changed (enabling/disabling services, changing service profiles).   * the authorized user's parameters have changed (enabling/disabling services, changing service profiles).
-<note important>If the user is not authorized and his parameters are changed, a [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_coa#simplified_notification_request_for_reauthorization|simplified CoA-Request]] must be generated, which actually instructs fastDPI to reauthorize the subscriber immediately, that is, to send an Access-Request.+<note important>If the user is not authorized and his parameters are changed, a [[en:dpi:bras_bng:radius_integration:radius_auth_coa#simplified_notification_request_for_reauthorization|simplified CoA-Request]] must be generated, which actually instructs fastDPI to reauthorize the subscriber immediately, that is, to send an Access-Request.
 </note> </note>
 Types of СоА: Types of СоА:
-  - Simplified CoA-Request -  on receipt of the CoA fastDPI consideres the user's attributes have changed and re-authorization is required. Upon receiving such a notification, fastDPI sends a normal ''Access-Request'' request to the Radius server, [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration|as described here]].+  - Simplified CoA-Request -  on receipt of the CoA fastDPI consideres the user's attributes have changed and re-authorization is required. Upon receiving such a notification, fastDPI sends a normal ''Access-Request'' request to the RADIUS server, [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration|as described here]].
   - Full CoA-Request - the ''CoA-Request'' notification may contain the full list of __changed__ user attributes.   - Full CoA-Request - the ''CoA-Request'' notification may contain the full list of __changed__ user attributes.
   - Disconnect-Request - resets the authorization status of the user.   - Disconnect-Request - resets the authorization status of the user.
  
 ====== Notification types ====== ====== Notification types ======
-<note important>Although the ''CoA-Request'' notification may contain a complete list of __ changed __ user attributes, it is suggested to use a simplified version of this notification.This allows the fastDPI to be informed that the user attributes have changed and require reauthorization. When such a message is received the fastDPI sends reqular ''Access-Request'' request to the Radius server, as described+<note important>Although the ''CoA-Request'' notification may contain a complete list of __ changed __ user attributes, it is suggested to use a simplified version of this notification.This allows the fastDPI to be informed that the user attributes have changed and require reauthorization. When such a message is received the fastDPI sends reqular ''Access-Request'' request to the RADIUS server, as described
 [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration|earlier]].</note> [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration|earlier]].</note>
  
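Review bot: "Types of СоА:" appears to be typed with the Cyrillic letters С and о rather than Latin "CoA", which defeats text search and anchor matching; retype it in Latin. The same region carries several typos that the Radius to RADIUS pass did not touch: "consideres" should be "considers", "reqular" should be "regular", and "notification.This" is missing a space. In the "Notification types" note, "__ changed __" with inner spaces will not render as underline in DokuWiki; write it "__changed__" as the Full CoA-Request item already does. Finally, that note restates the Simplified CoA-Request item almost word for word (attributes changed, reauthorization required, fastDPI sends a regular Access-Request); keeping the description in one place and cross-linking from the other would avoid the two copies drifting apart.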
Line 41: Line 41:
  
 ==== Response to the simplified notification ==== ==== Response to the simplified notification ====
-According to RFC5176, CoA-Request with Service-Type=8 (Authenticate-Only) should be responded with a CoA-NAK response containing the ''Error-Cause=507'' (Request Initiated) attribute. It's not always convenient since some utilities (for example, radclient from the FreeRadius package) treat the CoA-NAK response as an error.+According to RFC5176, CoA-Request with Service-Type=8 (Authenticate-Only) should be responded with a CoA-NAK response containing the ''Error-Cause=507'' (Request Initiated) attribute. It's not always convenient since some utilities (for example, radclient from the FreeRADIUS package) treat the CoA-NAK response as an error.
 The fastPCRF has a ''coa_reauth_ack'' option that determines how to respond to the CoA-Request with Service-Type=8: The fastPCRF has a ''coa_reauth_ack'' option that determines how to respond to the CoA-Request with Service-Type=8:
   * 0 (the default value) - standard behavior: to respond by CoA-NAK with Error-Cause=507   * 0 (the default value) - standard behavior: to respond by CoA-NAK with Error-Cause=507
   * 1 - non-standard behavior: to respond by CoA-ACK   * 1 - non-standard behavior: to respond by CoA-ACK
  
-This option can be set in the fastpcrf.conf both globally for all radius-servers and specifically for each radius-server:+This option can be set in the fastpcrf.conf both globally for all RADIUS-servers and specifically for each RADIUS-server:
 <code> <code>
   # global settings   # global settings
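Review bot: the RFC citation in the first paragraph of "Response to the simplified notification" does not match RFC 5176: the re-authorization trigger the RFC defines is Service-Type "Authorize Only" (value 17), and Error-Cause 507 "Request Initiated" is specified as the CoA-NAK response to that value, not to "Authenticate Only" (8). If fastPCRF uses Service-Type=8 as its simplified-CoA trigger, present that as the product's own convention and cite the RFC only for the CoA-NAK/Error-Cause=507 response pattern. It is also worth spelling out the trade-off of ''coa_reauth_ack=1'': a CoA-ACK normally tells the sender that the change has been applied, but here the real outcome is only known once the Access-Request that fastDPI sends has been answered, so a script that picks the non-standard value for radclient's benefit must not read the ACK as "subscriber reauthorized".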
Line 92: Line 92:
  
   * **0x0001** – ''disable acct stop'', do not immediately send ''acct stop'' to a ''disconnected'' DHCP subscriber. Allows traffic after PoD to be counted. By default, the acct session is closed by PoD, which may result in unaccounted traffic for DHCP subscribers from PoD to DHCP reauthorization.   * **0x0001** – ''disable acct stop'', do not immediately send ''acct stop'' to a ''disconnected'' DHCP subscriber. Allows traffic after PoD to be counted. By default, the acct session is closed by PoD, which may result in unaccounted traffic for DHCP subscribers from PoD to DHCP reauthorization.
-  * **0x0002** – ''disable L3 auth'', do not perform L3 auth for a ''disconnected'' DHCP subscriber. Stingray SG can authorize an L2 subscriber by its IP address with Radius support.+  * **0x0002** – ''disable L3 auth'', do not perform L3 auth for a ''disconnected'' DHCP subscriber. Stingray SG can authorize an L2 subscriber by its IP address with RADIUS support.
   * **0x0004** – ''block traffic'' – block all traffic from the ''disconnected'' subscriber (i.e. on the ''subs -> inet'' route). Attempt to reduce reauthentication time: many CPEs send DHCP ahead of time when the Internet connection is down. But the price of this flag is the breaking of all existing subscriber sessions.   * **0x0004** – ''block traffic'' – block all traffic from the ''disconnected'' subscriber (i.e. on the ''subs -> inet'' route). Attempt to reduce reauthentication time: many CPEs send DHCP ahead of time when the Internet connection is down. But the price of this flag is the breaking of all existing subscriber sessions.
   * **0x0008** – respond to DHCP Request with NAK. Allows you to shorten the reauthorization time by terminating the IP address lease.   * **0x0008** – respond to DHCP Request with NAK. Allows you to shorten the reauthorization time by terminating the IP address lease.
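Review bot: "PoD" is used in the 0x0001 item without being expanded in this section; spell it out on first use (from the context it means the Disconnect-Request, the "Packet of Disconnect"). The 0x0008 item is the only flag without a quoted name, unlike ''disable acct stop'', ''disable L3 auth'' and ''block traffic''; give it one so the combination list below, which refers to the flags only by value, has a name to point to. In the 0x0004 item, "the price of this flag is the breaking of all existing subscriber sessions" reads better as "the cost of this flag is that all of the subscriber's existing sessions are broken", which also makes it clearer that the flag is a trade of session continuity for faster reauthentication.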
Line 102: Line 102:
  
   * send acct stop   * send acct stop
-  * the following DHCP request (Discover or Request) is sent to Radius+  * the following DHCP request (Discover or Request) is sent to RADIUS
   * reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber   * reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber
 \\ \\
Line 108: Line 108:
  
   * **do not** send acct stop   * **do not** send acct stop
-  * the following DHCP request (Discover or Request) is sent to Radius+  * the following DHCP request (Discover or Request) is sent to RADIUS
   * reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber   * reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber
 \\ \\
Line 114: Line 114:
  
   * send (2) / do not send (3) acct stop   * send (2) / do not send (3) acct stop
-  * the following DHCP request (Discover or Request) is sent to Radius+  * the following DHCP request (Discover or Request) is sent to RADIUS
 \\ \\
 **''=4, 5''**: waiting for a DHCP request from a subscriber with traffic blocking, L3 enabled. That is, packets from the subscriber are blocked, but L3 auth is performed on them. **''=4, 5''**: waiting for a DHCP request from a subscriber with traffic blocking, L3 enabled. That is, packets from the subscriber are blocked, but L3 auth is performed on them.
  
   * send (4) / do not send (5) acct stop   * send (4) / do not send (5) acct stop
-  * the following DHCP request (Discover or Request) is sent to Radius+  * the following DHCP request (Discover or Request) is sent to RADIUS
   * reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber   * reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber
 \\ \\
Line 125: Line 125:
  
   * send (6) / do not send (7) acct stop   * send (6) / do not send (7) acct stop
-  * the following DHCP request (Discover or Request) is sent to Radius+  * the following DHCP request (Discover or Request) is sent to RADIUS
   * traffic from the subscriber is dropped   * traffic from the subscriber is dropped
 \\ \\
Line 132: Line 132:
   * send (8) / do not send (9) acct stop   * send (8) / do not send (9) acct stop
   * reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber   * reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber
-  * DHCP Request – respond with NAK, DHCP Discover – send to Radius+  * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS
 \\ \\
 **''=10, 11''**: (2 + 8) waiting for DHCP request from subscriber without traffic blocking, L3 auth disabled **''=10, 11''**: (2 + 8) waiting for DHCP request from subscriber without traffic blocking, L3 auth disabled
  
   * send (10) / do not send (11) acct stop   * send (10) / do not send (11) acct stop
-  * DHCP Request – respond with NAK, DHCP Discover – send to Radius+  * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS
   * L3 auth disabled   * L3 auth disabled
 \\ \\
Line 143: Line 143:
  
   * send (12) / do not send (13) acct stop   * send (12) / do not send (13) acct stop
-  * DHCP Request – respond with NAK, DHCP Discover – send to Radius+  * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS
   * traffic from the subscriber is dropped   * traffic from the subscriber is dropped
   * reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber   * reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber
Line 150: Line 150:
  
   * send (14) / do not send (15) acct stop   * send (14) / do not send (15) acct stop
-  * DHCP Request – respond with NAK, DHCP Discover – send to Radius+  * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS
   * traffic from the subscriber is dropped   * traffic from the subscriber is dropped
   * L3 auth disabled   * L3 auth disabled
Line 158: Line 158:
   * send (16) / do not send (17) acct stop   * send (16) / do not send (17) acct stop
   * reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber   * reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber
-  * DHCP Request is ignored (drop), DHCP Discover – send to Radius+  * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS
 \\ \\
 **''=18, 19''**: (2 + 16) waiting for DHCP request from subscriber without traffic blocking, L3 auth disabled **''=18, 19''**: (2 + 16) waiting for DHCP request from subscriber without traffic blocking, L3 auth disabled
  
   * send (18) / do not send (19) acct stop   * send (18) / do not send (19) acct stop
-  * DHCP Request is ignored (drop), DHCP Discover – send to Radius+  * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS
   * L3 auth disabled   * L3 auth disabled
 \\ \\
Line 169: Line 169:
  
   * send (20) / do not send (21) acct stop   * send (20) / do not send (21) acct stop
-  * DHCP Request is ignored (drop), DHCP Discover – send to Radius+  * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS
   * traffic from the subscriber is dropped   * traffic from the subscriber is dropped
   * reset L3-reauthorization time, which leads to L3 auth L3 auth on the first non-DHCP packet from the subscriber   * reset L3-reauthorization time, which leads to L3 auth L3 auth on the first non-DHCP packet from the subscriber
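Review bot: the third bullet of the =20, 21 combination repeats "L3 auth L3 auth"; drop one occurrence so it matches the wording of the same bullet in the other combinations ("which leads to L3 auth on the first non-DHCP packet from the subscriber").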
Line 176: Line 176:
  
   * send (22) / do not send (23) acct stop   * send (22) / do not send (23) acct stop
-  * DHCP Request is ignored (drop), DHCP Discover – send to Radius+  * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS
   * traffic from the subscriber is dropped   * traffic from the subscriber is dropped
   * L3 auth disabled   * L3 auth disabled
Line 184: Line 184:
 <note important>Acct stop data will still be sent with any authorization (if auth/acct synchronization is enabled in PCRF).\\ Without sending acct stop, the DHCP subscriber does not understand if Disconnect is processed or not.</note> <note important>Acct stop data will still be sent with any authorization (if auth/acct synchronization is enabled in PCRF).\\ Without sending acct stop, the DHCP subscriber does not understand if Disconnect is processed or not.</note>
 ====== Individual CoA clients ====== ====== Individual CoA clients ======
-The CoA client sending the Disconnect-Request and CoA-Request CoA requests in some configurations may be a separate entity that is not a radius server. For example, it can be some utility used in scripts that can generate CoA requests. The fastpcrf supports such "stand-alone" CoA-clients. Each such CoA client is specified by a separate ''coa_client'' option in the fastpcrf.conf configuration file using a format similar to the ''radius_server'' option:+The CoA client sending the Disconnect-Request and CoA-Request CoA requests in some configurations may be a separate entity that is not a RADIUS server. For example, it can be some utility used in scripts that can generate CoA requests. The fastpcrf supports such "stand-alone" CoA-clients. Each such CoA client is specified by a separate ''coa_client'' option in the fastpcrf.conf configuration file using a format similar to the ''radius_server'' option:
  
 <code>coa_client=secret@ip%dev:port{;param=value}*</code> <code>coa_client=secret@ip%dev:port{;param=value}*</code>
-  * ''secret'' – the Radius secret;+  * ''secret'' – the RADIUS secret;
   * ''ip'' – CoA client IP address;   * ''ip'' – CoA client IP address;
   * ''dev'' (optional) – the name of the interface used to listen for incoming requests; if it is not specified then the interface is chosen by the operating system;   * ''dev'' (optional) – the name of the interface used to listen for incoming requests; if it is not specified then the interface is chosen by the operating system;
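Review bot: "sending the Disconnect-Request and CoA-Request CoA requests" in the first sentence of "Individual CoA clients" doubles up on "CoA requests"; "sending Disconnect-Request and CoA-Request packets" is enough. In the preceding note, "the DHCP subscriber does not understand if Disconnect is processed or not" leaves unclear who is left without the signal; if the point is that, without an Accounting-Stop, the RADIUS or billing side has no confirmation that the Disconnect-Request was applied to a DHCP subscriber, say that directly. In the ''coa_client'' syntax, ''secret'' is described only as "the RADIUS secret"; since the later paragraph makes the registered secret and IP the sole basis on which fastPCRF accepts a CoA request, the description should note that it is the shared secret the stand-alone client will use to sign its requests.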
Line 194: Line 194:
  
 Each CoA-client is described by separate ''coa_client'' parameter in the configuration file. There can be up to 16 separate CoA-clients. Each CoA-client is described by separate ''coa_client'' parameter in the configuration file. There can be up to 16 separate CoA-clients.
-Fastpcrf accepts the CoA requests only from registered (described in the configuration file) radius servers and CoA-clients. If the radius server supports CoA there is no need to describe it using the ''coa_client'' parameter; it is enough to specify the ''coa_port'' suboption within the ''radius_server'' parameter for this radius server.+Fastpcrf accepts the CoA requests only from registered (described in the configuration file) RADIUS servers and CoA-clients. If the RADIUS server supports CoA there is no need to describe it using the ''coa_client'' parameter; it is enough to specify the ''coa_port'' suboption within the ''radius_server'' parameter for this RADIUS server.
  
 ====== Accounting session request using CoA ====== ====== Accounting session request using CoA ======
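Review bot: the product name is written three ways in this section ("Fastpcrf" at the start of the last paragraph, "The fastpcrf" in "Individual CoA clients", and "fastPCRF" in "Response to the simplified notification"); since the revision already normalizes Radius to RADIUS throughout, pick one spelling for fastPCRF as well and apply it in the same pass.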