Change of Authorization (RFC 3576 / 5176)
I have just committed *full* support for CoA to the "stable" and "master" branches on git.freeradius.org. I'd like to thank the sponsor of this work, who wishes to remain anonymous. In 2.1.6, the server could *originate* CoA packets. e.g. If the users bandwidth consumption is over a quota, send a packet to disconnect them. In the current "git" code, it can now *receive* CoA packets. This also means full proxying of CoA packets. It is now possible to implement functionality such as: "disconnect user bob" This can be done by sending a CoA packet to the server, with User-Name of "bob". The policies on the server can then look up in the accounting database to see where that user has logged in, and fill in the rest of the CoA packet with NAS IP, port, etc. The resulting packet can then be sent to the NAS. The only caveat is that none of these policies have been written. The functionality works, and has been tested with switches from at least one major networking vendor. We now need help to create the policies, schemas, etc. to implement the required functionality. Alan DeKok.
I have a related question, although it's a bit off topic. On Tue, 2009-05-19 at 14:08 +0200, Alan DeKok wrote:
In 2.1.6, the server could *originate* CoA packets. e.g. If the users bandwidth consumption is over a quota, send a packet to disconnect them.
Does this include things like changing the group a user in? For example, if a user in the "allowed" group is updated to be in the "disallowed" group (and auth/acct are in mysql), freeradius would originate a CoA packet to disconnect the user. Can this be done with unlang, or am I mad? Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.21-170.2.56.fc10.x86_64 x86_64 GNU/Linux 15:04:19 up 17 days, 16:14, 4 users, load average: 1.42, 1.33, 1.18
On Wed, 2009-06-10 at 15:09 -0400, Kanwar Ranbir Sandhu wrote:
I have a related question, although it's a bit off topic.
On Tue, 2009-05-19 at 14:08 +0200, Alan DeKok wrote:
In 2.1.6, the server could *originate* CoA packets. e.g. If the users bandwidth consumption is over a quota, send a packet to disconnect them.
Does this include things like changing the group a user in? For example, if a user in the "allowed" group is updated to be in the "disallowed" group (and auth/acct are in mysql), freeradius would originate a CoA packet to disconnect the user. Can this be done with unlang, or am I mad?
Anyone? -- Kanwar Ranbir Sandhu Linux 2.6.27.21-170.2.56.fc10.x86_64 x86_64 GNU/Linux 23:22:03 up 18 days, 31 min, 3 users, load average: 0.57, 0.45, 0.33
On Thu, Jun 11, 2009 at 10:22 AM, Kanwar Ranbir Sandhu<m3freak@thesandhufamily.ca> wrote:
On Wed, 2009-06-10 at 15:09 -0400, Kanwar Ranbir Sandhu wrote:
I have a related question, although it's a bit off topic.
On Tue, 2009-05-19 at 14:08 +0200, Alan DeKok wrote:
In 2.1.6, the server could *originate* CoA packets. e.g. If the users bandwidth consumption is over a quota, send a packet to disconnect them.
Does this include things like changing the group a user in? For example, if a user in the "allowed" group is updated to be in the "disallowed" group (and auth/acct are in mysql), freeradius would originate a CoA packet to disconnect the user. Can this be done with unlang, or am I mad?
Anyone?
It should be possible. If I'm reading Alan's post correctly, freeradius supports CoA packets, but you need to write your own rule/policy to send it. For over-bandwidth scenario, the rule should be while examining interim-update acct packets, so instead of simply writing to database it can also do some calculations and send CoA packet if the user is over quota. For your purpose, you'd need to put the rule/policy to check user group (possibly on interim-update as well) and disconnect them if necessary. Note that in this way the disconnect would happen after interim update, and NOT immediately after you chane the group in database. -- Fajar
On Thu, 11 Jun 2009, Fajar A. Nugraha wrote:
If I'm reading Alan's post correctly, freeradius supports CoA packets, but you need to write your own rule/policy to send it. For over-bandwidth scenario, the rule should be while examining interim-update acct packets...
I've never heard of these... How often are they sent to a radius server during a dialup call (AS5400)? Into what section could I put a script so that it triggers only on interim updates? I wouldn't mind being able to dynamically extend a caller's session if they buy more time online.... - Charles
On Thu, 11 Jun 2009, Fajar A. Nugraha wrote:
If I'm reading Alan's post correctly, freeradius supports CoA packets, but you need to write your own rule/policy to send it. For over-bandwidth scenario, the rule should be while examining interim-update acct packets...
I've never heard of these...
http://freeradius.org/rfc/rfc2869.html#Acct-Interim-Interval
How often are they sent to a radius server during a dialup call (AS5400)?
As often as you feel like it. There usually isn't a default set. You can also set it (fix it) in Cisco configuration.
Into what section could I put a script so that it triggers only on interim updates?
Accounting. See man unlang to find out how to execute only on chosen packets.
I wouldn't mind being able to dynamically extend a caller's session if they buy more time online....
You would normaly use radius *client* to send CoA for administrative event (like this one). You would use server for a network event (like you can't be bothered to write a script that updates customer session for online payment - you just recaclulate session duration on every accounting update to see if anything changed; that's poor administration - lots of wasted CPU time). Server is more commonly used to send CoA on accounting updates for vendors that have support for CoA but not for session bandwidth/data limiters. Ivan Kalik Kalik Informatika ISP
On Thu, 11 Jun 2009, Ivan Kalik wrote:
http://freeradius.org/rfc/rfc2869.html#Acct-Interim-Interval
Interesting, but I agree I don't like the bandwidth implications. I would only have used them if they were already occuring by default.
You would normaly use radius *client* to send CoA for administrative event (like this one).
I read about that, but it requires that I have radius 'track' accounting sessions. A layer of complexity that doesn't justify the occasional use. Thanks for the help! - C
Kanwar Ranbir Sandhu wrote:
On Wed, 2009-06-10 at 15:09 -0400, Kanwar Ranbir Sandhu wrote:
I have a related question, although it's a bit off topic.
On Tue, 2009-05-19 at 14:08 +0200, Alan DeKok wrote:
In 2.1.6, the server could *originate* CoA packets. e.g. If the users bandwidth consumption is over a quota, send a packet to disconnect them. Does this include things like changing the group a user in? For example, if a user in the "allowed" group is updated to be in the "disallowed" group (and auth/acct are in mysql), freeradius would originate a CoA packet to disconnect the user. Can this be done with unlang, or am I mad?
Anyone?
Not all messages get *immediate* responses. And how would the server know if you changed the group? If the group changes, you'll need to tell FreeRADIUS to re-evaluate the policies. Alan DeKok.
On Thu, 2009-06-11 at 07:46 +0200, Alan DeKok wrote:
And how would the server know if you changed the group?
This is what I was thinking as well.
If the group changes, you'll need to tell FreeRADIUS to re-evaluate the policies.
Ok, makes sense. Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.21-170.2.56.fc10.x86_64 x86_64 GNU/Linux 15:06:26 up 18 days, 16:16, 3 users, load average: 1.65, 1.22, 0.64
participants (5)
-
Alan DeKok -
Charles Gregory -
Fajar A. Nugraha -
Ivan Kalik -
Kanwar Ranbir Sandhu