On 30/05/2022 09:08, Antonios Kalkakos wrote:
Let's say that a user configured in user's file "testuser Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be disconnected after the permitted Login-Time has passed. I enabled and changed the contents of the originate-coa according to it's documentation, using the correct NAS IP address, secret etc and added the coa_server = coa under the appropriate NAS section in clients.conf.
According to my understanding FreeRADIUS should have generated coa messages to the NAS but it didn't do anything.
No. FreeRADIUS needs some trigger to tell it to do something. For example during an accounting Interim-Update you may see that the user is outside their time window, therefore send a CoA disconnect. originate-coa gives examples of how you would set the home server (the NAS) to send the CoA to, and how you create a virtual server to process the CoA packets before they are sent, and when the reply is received.
Using radclient (cat packet.txt | radclient -x <nas ip address>:3799 disconnect "secret"") with the Acct-Session-Id obtained from freeradius -X output and the NAS coa secret, the user was disconnected normally.
Yes. That's good. At least you know CoA packets work... they are often ignored. If you don't have frequent enough Interim-Updates, then you could for example use radclient (or something else) to send CoA packets to FreeRADIUS. That can then for example look up in the database to fill out the full CoA attributes that the NAS needs to see (for example, look up the NAS the user session is on and add the Acct-Session-Id), and generate a new CoA to send to the correct NAS. See the sites-available/coa-relay for an example of this. This is useful for e.g. billing systems that know the User-Name, but nothing else. FreeRADIUS will take care of the hard work of ensuring the CoA packet is correct, and is sent to the correct place. -- Matthew