Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
en:dpi:bras_bng:radius_integration:radius_auth_coa [2024/12/04 15:35] – ↷ Links adapted because of a move operation 4.227.36.6 | en:dpi:bras_bng:radius_integration:radius_auth_coa [2025/08/19 14:37] (current) – [RADIUS CoA] elena.krasnobryzh | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
{{indexmenu_n> | {{indexmenu_n> | ||
- | [[https:// | + | [[https:// |
- | + | ||
- | CoA-Request нотификация говорит о том, что пользователь авторизован и, опционально, | + | |
- | некоторые параметры. Таким образом, | + | |
A CoA-Request notification tells you that the user is authorized and, optionally, has some parameters changed. Thus, CoA-Request can appear in the following cases: | A CoA-Request notification tells you that the user is authorized and, optionally, has some parameters changed. Thus, CoA-Request can appear in the following cases: | ||
Line 12: | Line 9: | ||
</ | </ | ||
Types of СоА: | Types of СоА: | ||
- | - Simplified CoA-Request - on receipt of the CoA fastDPI consideres the user's attributes have changed and re-authorization is required. Upon receiving such a notification, | + | - Simplified CoA-Request - on receipt of the CoA fastDPI consideres the user's attributes have changed and re-authorization is required. Upon receiving such a notification, |
- Full CoA-Request - the '' | - Full CoA-Request - the '' | ||
- Disconnect-Request - resets the authorization status of the user. | - Disconnect-Request - resets the authorization status of the user. | ||
====== Notification types ====== | ====== Notification types ====== | ||
- | <note important> | + | <note important> |
[[en: | [[en: | ||
Line 41: | Line 38: | ||
==== Response to the simplified notification ==== | ==== Response to the simplified notification ==== | ||
- | According to RFC5176, CoA-Request with Service-Type=8 (Authenticate-Only) should be responded with a CoA-NAK response containing the '' | + | According to RFC5176, CoA-Request with Service-Type=8 (Authenticate-Only) should be responded with a CoA-NAK response containing the '' |
The fastPCRF has a '' | The fastPCRF has a '' | ||
- | * 0 (the default value) | + | * 0 - standard behavior: to respond by CoA-NAK with Error-Cause=507 |
- | * 1 - non-standard behavior: | + | * 1 (the default value) |
- | This option can be set in the fastpcrf.conf both globally for all radius-servers and specifically for each radius-server: | + | This option can be set in the fastpcrf.conf both globally for all RADIUS-servers and specifically for each RADIUS-server: |
< | < | ||
# global settings | # global settings | ||
Line 92: | Line 89: | ||
* **0x0001** – '' | * **0x0001** – '' | ||
- | * **0x0002** – '' | + | * **0x0002** – '' |
* **0x0004** – '' | * **0x0004** – '' | ||
* **0x0008** – respond to DHCP Request with NAK. Allows you to shorten the reauthorization time by terminating the IP address lease. | * **0x0008** – respond to DHCP Request with NAK. Allows you to shorten the reauthorization time by terminating the IP address lease. | ||
Line 102: | Line 99: | ||
* send acct stop | * send acct stop | ||
- | * the following DHCP request (Discover or Request) is sent to Radius | + | * the following DHCP request (Discover or Request) is sent to RADIUS |
* reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber | * reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber | ||
\\ | \\ | ||
Line 108: | Line 105: | ||
* **do not** send acct stop | * **do not** send acct stop | ||
- | * the following DHCP request (Discover or Request) is sent to Radius | + | * the following DHCP request (Discover or Request) is sent to RADIUS |
* reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber | * reset the L3 session time, which results in an L3 auth on the first non-DHCP packet from the subscriber | ||
\\ | \\ | ||
Line 114: | Line 111: | ||
* send (2) / do not send (3) acct stop | * send (2) / do not send (3) acct stop | ||
- | * the following DHCP request (Discover or Request) is sent to Radius | + | * the following DHCP request (Discover or Request) is sent to RADIUS |
\\ | \\ | ||
**'' | **'' | ||
* send (4) / do not send (5) acct stop | * send (4) / do not send (5) acct stop | ||
- | * the following DHCP request (Discover or Request) is sent to Radius | + | * the following DHCP request (Discover or Request) is sent to RADIUS |
* reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | * reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | ||
\\ | \\ | ||
Line 125: | Line 122: | ||
* send (6) / do not send (7) acct stop | * send (6) / do not send (7) acct stop | ||
- | * the following DHCP request (Discover or Request) is sent to Radius | + | * the following DHCP request (Discover or Request) is sent to RADIUS |
* traffic from the subscriber is dropped | * traffic from the subscriber is dropped | ||
\\ | \\ | ||
Line 132: | Line 129: | ||
* send (8) / do not send (9) acct stop | * send (8) / do not send (9) acct stop | ||
* reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | * reset the L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | ||
- | * DHCP Request – respond with NAK, DHCP Discover – send to Radius | + | * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS |
\\ | \\ | ||
**'' | **'' | ||
* send (10) / do not send (11) acct stop | * send (10) / do not send (11) acct stop | ||
- | * DHCP Request – respond with NAK, DHCP Discover – send to Radius | + | * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS |
* L3 auth disabled | * L3 auth disabled | ||
\\ | \\ | ||
Line 143: | Line 140: | ||
* send (12) / do not send (13) acct stop | * send (12) / do not send (13) acct stop | ||
- | * DHCP Request – respond with NAK, DHCP Discover – send to Radius | + | * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS |
* traffic from the subscriber is dropped | * traffic from the subscriber is dropped | ||
* reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | * reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | ||
Line 150: | Line 147: | ||
* send (14) / do not send (15) acct stop | * send (14) / do not send (15) acct stop | ||
- | * DHCP Request – respond with NAK, DHCP Discover – send to Radius | + | * DHCP Request – respond with NAK, DHCP Discover – send to RADIUS |
* traffic from the subscriber is dropped | * traffic from the subscriber is dropped | ||
* L3 auth disabled | * L3 auth disabled | ||
Line 158: | Line 155: | ||
* send (16) / do not send (17) acct stop | * send (16) / do not send (17) acct stop | ||
* reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | * reset L3-reauthorization time, which leads to L3 auth on the first non-DHCP packet from the subscriber | ||
- | * DHCP Request is ignored (drop), DHCP Discover – send to Radius | + | * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS |
\\ | \\ | ||
**'' | **'' | ||
* send (18) / do not send (19) acct stop | * send (18) / do not send (19) acct stop | ||
- | * DHCP Request is ignored (drop), DHCP Discover – send to Radius | + | * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS |
* L3 auth disabled | * L3 auth disabled | ||
\\ | \\ | ||
Line 169: | Line 166: | ||
* send (20) / do not send (21) acct stop | * send (20) / do not send (21) acct stop | ||
- | * DHCP Request is ignored (drop), DHCP Discover – send to Radius | + | * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS |
* traffic from the subscriber is dropped | * traffic from the subscriber is dropped | ||
* reset L3-reauthorization time, which leads to L3 auth L3 auth on the first non-DHCP packet from the subscriber | * reset L3-reauthorization time, which leads to L3 auth L3 auth on the first non-DHCP packet from the subscriber | ||
Line 176: | Line 173: | ||
* send (22) / do not send (23) acct stop | * send (22) / do not send (23) acct stop | ||
- | * DHCP Request is ignored (drop), DHCP Discover – send to Radius | + | * DHCP Request is ignored (drop), DHCP Discover – send to RADIUS |
* traffic from the subscriber is dropped | * traffic from the subscriber is dropped | ||
* L3 auth disabled | * L3 auth disabled | ||
Line 184: | Line 181: | ||
<note important> | <note important> | ||
====== Individual CoA clients ====== | ====== Individual CoA clients ====== | ||
- | The CoA client sending the Disconnect-Request and CoA-Request CoA requests in some configurations may be a separate entity that is not a radius | + | The CoA client sending the Disconnect-Request and CoA-Request CoA requests in some configurations may be a separate entity that is not a RADIUS |
< | < | ||
- | * '' | + | * '' |
* '' | * '' | ||
* '' | * '' | ||
Line 194: | Line 191: | ||
Each CoA-client is described by separate '' | Each CoA-client is described by separate '' | ||
- | Fastpcrf accepts the CoA requests only from registered (described in the configuration file) radius | + | Fastpcrf accepts the CoA requests only from registered (described in the configuration file) RADIUS |
====== Accounting session request using CoA ====== | ====== Accounting session request using CoA ====== |