update-disconnect and originate-coa

Alan DeKok aland at deployingradius.com
Mon May 30 13:22:49 UTC 2022 

On May 30, 2022, at 4:08 AM, Antonios Kalkakos <akalkakos at hotmail.com> wrote:
> I am trying to figure out how to disconnect a user using the originate-coa and update disconnect{} using FreeRADIUS 3.0.21 on Debian 11. Sorry if it seems a bit stupid, but I am really confused and frustrated...
> 
> Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed.

  Nothing in the documentation says that's what happens.

  Unfortunately, the users session is 100% controlled by the NAS.  Including disconnection timers.  The Login-Time attribute causes FreeRADIUS to send a Session-Timeout to the NAS.  Read the debug output to see this.

  The NAS should disconnect the user after that timeout period has expired.  If it doesn't (and it's not a toy RADIUS client), then the NAS is broken.  Throw it in the garbage, and get one which works properly.

  i..e. the server doesn't need to send a disconnect packet.  You don't need to configure anything special.  Just send "Session-Timeout = 3600", and the user is magically kicked offline an hour later.

> Is this the correct way to forcibly disconnect the user using originate-coa?

  No.

> Sorry again if the following question may be a bit stupid, but what is the recommended place in the virtual server (except pre- or post-proxy) to put update coa{} or update disconnect{}?

  Wherever you want, and where it works.

  This is where most people get confused with FreeRADIUS.  They have a mental model of the configuration files as "configure this setting, and FreeRADIUS will do what I want".  That isn't the way it works.

  The FreeRADIUS configuration policies (unlang) are a programming language intended for packet processing.

	WHEN i receive a packet containing X,
	SEND a reply containing Y

  So the question of "where do I put the update coa", is really "at which point in the processing did I decide that the user needs to be disconnected".  That's where the "update coa" goes.

  Alan DeKok.

More information about the Freeradius-Users mailing list