Revision history: 2020/02/05 17:38 – page moved from en:dpi:dpi_options:base_functionality:brass:opt_bras:reference_bras:interact_fastpcrf_radius:interact_fastpcrf_coa to en:dpi:dpi_options:brass:opt_bras:reference_bras:interact_fastpcrf_radius:interact_fastpcrf_coa (lexx26); 2020/03/18 14:56 (current) – removed (lexx26)
====== 3 Interaction of the FastPCRF with the RADIUS CoA ======
{{indexmenu_n>3}}
=== General description ===
[[https://tools.ietf.org/html/rfc5176|CoA]] (Change of Authorization, RFC 5176) is a notification sent by the RADIUS server to the FastPCRF informing it that the attributes assigned to a subscriber have changed, or that the subscriber must now be placed in the "not authorized" state.
<note>Although a CoA-Request may carry the complete list of changed subscriber attributes, the simplified form of the notification is preferred. The simplified form only tells the FastDPI that the subscriber's attributes have changed and that re-authorization is required; on receiving it, the FastDPI sends an ordinary Access-Request to the RADIUS server.</note>
The FastPCRF also supports the [[#Complete CoA-Request notification|complete CoA-Request notification]], but it is deprecated because of its complexity: the sender has to track the list of subscriber attributes that have changed (the list of services, etc.) and put that list into the CoA-Request.

=== Simplified notification (reauthorization request). The CoA-Request contains the following attributes: ===

^ Attribute ^ Value ^
|Service-Type|8 (Authenticate-Only) |
|User-Name |User login. Mandatory if there is no CUI. |
|VasExperts-UserName |User login. |
|Chargeable-User-Identity (CUI) |User login. If the CoA-Request contains both User-Name and CUI, the CUI takes priority and the User-Name is ignored. |
|Framed-IP-Address |Subscriber IPv4 address (IPv4-only or Dual-Stack modes). |
|Framed-IPv6-Address |Subscriber IPv6 address, if used. |
|Framed-IPv6-Prefix |Subscriber IPv6 prefix, if used. |
<note>The login is the preferred subscriber identifier in a CoA. When processing a CoA, the FastDPI first looks the subscriber up by login; if no login is given, or the login is not found, the lookup falls back to the subscriber IP address. If the CoA contains both a login and an IP address and the subscriber is found by login, the IP address is ignored: the FastDPI does not check that the login and the IP address belong to the same subscriber according to the UDR database, so a request that names one subscriber's login together with another subscriber's address acts on the subscriber identified by the login.</note>

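The lookup order described in the note above, written out as a small model so the consequence of the missing login/IP cross-check can be seen on concrete input. This is an added illustration, not VAS Experts code: the UDR contents, the decoded-attribute dictionary and the relative order of User-Name versus VasExperts-UserName are assumptions (the page only fixes CUI over User-Name, and login over IP address). The last function is the consistency check the FastDPI does not perform, which a CoA-generating script can run before sending.

```python
# Added illustration of the CoA target-selection rules in the note above; not
# VAS Experts code. UDR contents, attribute dictionary shape and the order of
# User-Name vs. VasExperts-UserName are assumptions.

# Constructed sample UDR: login -> addresses the subscriber is known with.
UDR = {
    "alice": {"10.0.0.5", "2001:db8::5"},
    "bob": {"10.0.0.6"},
}

LOGIN_ATTRS = ("Chargeable-User-Identity", "User-Name", "VasExperts-UserName")
ADDRESS_ATTRS = ("Framed-IP-Address", "Framed-IPv6-Address")


def coa_login(attrs):
    """Login named by the CoA: CUI outranks User-Name (VasExperts-UserName last, assumed)."""
    for name in LOGIN_ATTRS:
        if attrs.get(name):
            return attrs[name]
    return None


def resolve_targets(attrs, udr=UDR):
    """Return (method, login, addresses) the CoA acts on, or None if nobody matches.

    Mirrors the note: look the login up first; fall back to the address only when
    no login is given or the login is unknown. A found login wins even if the
    request also carries an address, and that address is not cross-checked.
    """
    login = coa_login(attrs)
    if login is not None and login in udr:
        return ("login", login, sorted(udr[login]))
    for name in ADDRESS_ATTRS:
        addr = attrs.get(name)
        if not addr:
            continue
        for owner, addresses in udr.items():
            if addr in addresses:
                return ("ip", owner, [addr])
    return None


def login_ip_mismatch(attrs, udr=UDR):
    """The check the FastDPI does NOT perform: True when the CoA names a known login
    and an address that the UDR attributes to a different login."""
    login = coa_login(attrs)
    if login is None or login not in udr:
        return False
    for name in ADDRESS_ATTRS:
        addr = attrs.get(name)
        if addr and addr not in udr[login] and any(addr in a for a in udr.values()):
            return True
    return False


if __name__ == "__main__":
    # Constructed CoA attribute set, as the FastDPI would see it after decoding:
    # alice's login with bob's address acts on alice, and on all of her addresses.
    coa = {"User-Name": "alice", "Framed-IP-Address": "10.0.0.6"}
    print(resolve_targets(coa), login_ip_mismatch(coa))
```

Running it shows that the mixed request resolves to alice (both of her addresses) while the mismatch check flags it; a script that builds CoA packets from a billing database can reject such requests before they reach the FastPCRF.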
=== FastPCRF responses to the simplified CoA notification ===
According to [[https://tools.ietf.org/html/rfc5176|RFC 5176]], a CoA-Request with Service-Type=8 (Authenticate-Only) must be answered with a CoA-NAK carrying Error-Cause=507 (Request Initiated); this NAK does not signal a failure, it signals that the re-authorization has been started. This is not always convenient, because some utilities (for example, radclient from FreeRADIUS) treat any CoA-NAK as an error. The FastPCRF therefore has the ''coa_reauth_ack'' configuration parameter, which determines how a CoA-Request with Service-Type=8 is answered:

0 (default) corresponds to the standard behaviour: respond with CoA-NAK with Error-Cause=507\\
1 corresponds to the non-standard behaviour: respond with CoA-ACK\\
<note>The ''coa_reauth_ack'' parameter can be specified in fastpcrf.conf both globally, for all RADIUS servers, and per RADIUS server; a per-server value overrides the global one for that server.</note>
Example of configuration:
<code>
# Global setting:
coa_reauth_ack=0
# This server inherits the global coa_reauth_ack=0:
radius_server=mysecret1@192.168.10.10%eth0
# This server has coa_reauth_ack=1 set explicitly:
radius_server=mysecret2@192.168.20.10%eth0;coa_reauth_ack=1
</code>

=== Complete CoA-Request notification ===
<note>The complete CoA-Request notification is used when the parameters of an authorized subscriber have changed (services enabled or disabled, associated profiles changed) and the [[#Simplified notification (reauthorization request). The CoA-Request contains the following attributes:|simplified CoA-Request]] cannot be used.</note>

<note warning>If the subscriber is in the "not authorized" state and the parameters assigned to him have changed, the [[#Simplified notification (reauthorization request). The CoA-Request contains the following attributes:|simplified CoA-Request]] must be generated instead: the FastDPI then sends an Access-Request to authorize the subscriber. This is the case, for example, when a subscriber tops up the account and should therefore be authorized again.</note>
The complete CoA-Request carries only the changes to the parameters of an already authorized subscriber.

The following attributes are supported:
^ Attribute ^ Value ^
|User-Name |User login. Mandatory if there is no CUI. |
|VasExperts-UserName |User login. |
|Chargeable-User-Identity (CUI) |User login. If the CoA-Request contains both User-Name and CUI, the CUI takes priority and the User-Name is ignored. |
|Framed-IP-Address |Subscriber IPv4 address (IPv4-only or Dual-Stack modes). |
|Framed-IPv6-Address |Subscriber IPv6 address, if used. |
|Framed-IPv6-Prefix |Subscriber IPv6 prefix, if used. |
|VasExperts-Policing-Profile |The subscriber's policing profile name. Add this attribute only if the policing profile has changed. No more than one ''VasExperts-Policing-Profile'' attribute is allowed in a CoA-Request. |
|VasExperts-Enable-Service |Enables or disables a specific service that does not require a profile. Format: ''service_id:flag'', where ''service_id'' is the numeric fastDPI service ID and ''flag'' states whether the service is enabled or disabled. Valid values: ''1'', ''on'', ''enabled'' (the service is enabled); ''0'', ''off'', ''disabled'' (the service is disabled). Each service whose state changes is given by a separate ''VasExperts-Enable-Service'' attribute, so a CoA-Request may contain zero or more of them. |
|VasExperts-Service-Profile |Sets the profile name for a specific fastDPI service. Format:\\ ''service_id:profile_name''\\ where:\\ ''service_id'' is the numeric fastDPI service ID;\\ ''profile_name'' is the profile name for that service. For example, to enable the NAT service (11) with the "cgnat" profile, specify: VasExperts-Service-Profile = "11: cgnat"\\ A service that has a profile associated with it is considered enabled. To disable a service in a CoA, use the ''VasExperts-Enable-Service'' attribute; for example, to disable service 5:\\ VasExperts-Enable-Service = "5: off"\\ To enable service 5 with the my_white_list profile:\\ VasExperts-Service-Profile="5:my_white_list"\\ Each change of a service profile is given by a separate ''VasExperts-Service-Profile'' attribute, so a CoA-Request may contain zero or more of them, one per service. |
| Session-Timeout |Optional attribute: the period, in seconds, during which the authorization is considered valid. A value of 0 is ignored. Once the period expires, the subscriber's authorization state is set to "unknown", which results in a new Access-Request being sent. |

=== Description of CoA Disconnect-Request processing procedure ===
A Disconnect-Request notification indicates that the subscriber has become unauthorized (for example, the account has run out of money).
The Disconnect-Request must contain the following attributes:
^ Attribute ^ Value ^
|User-Name |User login. Mandatory if neither CUI nor VasExperts-UserName is present. |
|VasExperts-UserName |User login. |
|Chargeable-User-Identity\\ (CUI) |User login. If the Disconnect-Request contains both User-Name and CUI, the CUI takes priority and the User-Name is ignored. |
|Framed-IP-Address |Subscriber IPv4 address (IPv4-only or Dual-Stack modes). |
|Framed-IPv6-Address |Subscriber IPv6 address, if used. |
|Framed-IPv6-Prefix |Subscriber IPv6 prefix, if used. |
|Acct-Session-Id |Accounting session identifier. The VAS Experts DPI uses it to look up, in its internal database, the IP address associated with this accounting session. |

Once the VAS Experts DPI has received the Disconnect-Request, it performs the following actions:
  - If accounting is enabled, it sends an Accounting-Request (Stop) with Acct-Terminate-Cause=Admin-Reset (6).
  - It disconnects the session for protocols that allow a server-initiated session teardown (for example, PPPoE).
  - It sets the authorization state of the IP address to "unknown", so the next packet received from that IP triggers a new authorization request.
  - If the Disconnect-Request specifies the subscriber login, these actions are performed for every IP address associated with that login.

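The simplified CoA-Request from the earlier section and the Disconnect-Request from this one, as they look on the wire, together with the checks each side has to make: the receiver's Request Authenticator and Message-Authenticator verification (what a FastPCRF with ''msg_auth_attr'' enabled relies on to reject packets from anyone who does not hold the shared secret), and the client's interpretation of the reply under ''coa_reauth_ack=0'' (CoA-NAK + Error-Cause=507 is success) versus ''coa_reauth_ack=1'' (CoA-ACK). This is an added example, not FastPCRF or FastDPI code; packet formats follow RFC 2865, RFC 3579 and RFC 5176, and the shared secret, identifiers, login, address, session ID and the strict "no Message-Authenticator, no service" policy in ''verify_request'' are assumptions of the example.

```python
# Added example (not FastPCRF/FastDPI code): RFC 5176 CoA-Request and
# Disconnect-Request encoder plus the receiver- and client-side checks.
# Secret, identifiers, login, address and session ID below are constructed.
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, SERVICE_TYPE, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 6, 8, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
AUTHENTICATE_ONLY, REQUEST_INITIATED = 8, 507
ZERO16 = bytes(16)


def avp(attr_type, value):
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Attributes after the 20-byte header as {type: [value, ...]}; rejects bad lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def build_request(code, ident, secret, attrs):
    """Client side. Message-Authenticator = HMAC-MD5 over the packet with the Request
    Authenticator field and the MA value zeroed (RFC 5176 3.3); then Request
    Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret) (RFC 5176 2.3)."""
    body = attrs + avp(MESSAGE_AUTHENTICATOR, ZERO16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = attrs + avp(MESSAGE_AUTHENTICATOR, mac)
    return header + hashlib.md5(header + ZERO16 + body + secret).digest() + body


def verify_request(packet, secret):
    """Receiver side: length field, Request Authenticator and Message-Authenticator.
    Requests without a Message-Authenticator are refused (policy assumed here)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + ZERO16 + body + secret).digest(), auth):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = header + ZERO16 + packet[20:pos + 2] + ZERO16 + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += alen
    return False


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: identifier must match and the Response Authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simplified_coa(ident, secret, login, ipv4):
    """Simplified (re-authorization) CoA-Request: Service-Type=8 plus the subscriber identity."""
    return build_request(COA_REQUEST, ident, secret,
                         avp(SERVICE_TYPE, struct.pack("!I", AUTHENTICATE_ONLY))
                         + avp(USER_NAME, login.encode())
                         + avp(FRAMED_IP_ADDRESS, socket.inet_aton(ipv4)))


def disconnect_request(ident, secret, login, acct_session_id):
    """Disconnect-Request identifying the subscriber by login and accounting session."""
    return build_request(DISCONNECT_REQUEST, ident, secret,
                         avp(USER_NAME, login.encode()) + avp(ACCT_SESSION_ID, acct_session_id.encode()))


def reauth_outcome(response, request, secret):
    """Reply to a simplified CoA: CoA-NAK + Error-Cause=507 (coa_reauth_ack=0) and
    CoA-ACK (coa_reauth_ack=1) both mean the re-authorization was started."""
    if not verify_response(response, request, secret):
        return "bad-authenticator"
    if response[0] == COA_ACK:
        return "reauth-accepted"
    if response[0] == COA_NAK:
        causes = [struct.unpack("!I", v)[0] for v in parse_attrs(response).get(ERROR_CAUSE, []) if len(v) == 4]
        return "reauth-initiated" if REQUEST_INITIATED in causes else "rejected"
    return "unexpected-code"
```

A client built this way does not mistake the standard Error-Cause=507 NAK for a failure, which is the problem ''coa_reauth_ack=1'' works around for tools such as radclient, and a receiver that applies ''verify_request'' drops any CoA or Disconnect whose authenticators were not produced with the configured secret. The constant ''mysecret1'' in the checks below is the one from the configuration example earlier on this page.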
=== Support for individual CoA clients ===
In some configurations the client that sends CoA-Request and Disconnect-Request packets is not the RADIUS server but a standalone program, for example a utility that generates CoA requests and is used in scripts. The FastPCRF supports such "individual" CoA clients. Each of them is described by its own ''coa_client'' parameter in the fastpcrf.conf configuration file, whose format is similar to that of the radius_server parameter:
<code>coa_client=secret@ip%dev:port{;param=value}*</code>
where:\\
''secret'' is the RADIUS shared secret;\\
''ip'' is the CoA client IP address;\\
''dev'' (optional) is the name of the interface on which incoming requests are listened for; if omitted, the interface is chosen by the operating system;\\
''port'' is the port to listen on;\\
''param=value'' is a semicolon-separated list of configuration parameters for this CoA client. Supported parameters: max_resend_count, msg_auth_attr, coa_resend_timeout.

Each CoA client is described by its own ''coa_client'' parameter; up to 16 CoA clients can be defined. The FastPCRF accepts CoA requests only from registered RADIUS servers and CoA clients, that is, those listed in the configuration file; requests from any other source are not accepted.
<note>If the RADIUS server itself supports CoA, it is enough to set the ''coa_port'' option in its radius_server parameter; there is no need to describe it with an additional ''coa_client'' parameter.</note>