Change of Authorization (RFC 3576 / 5176)

Fajar A. Nugraha fajar at
Thu Jun 11 06:03:55 CEST 2009

On Thu, Jun 11, 2009 at 10:22 AM, Kanwar Ranbir
Sandhu<m3freak at> wrote:
> On Wed, 2009-06-10 at 15:09 -0400, Kanwar Ranbir Sandhu wrote:
>> I have a related question, although it's a bit off topic.
>> On Tue, 2009-05-19 at 14:08 +0200, Alan DeKok wrote:
>> >   In 2.1.6, the server could *originate* CoA packets.  e.g. If the users
>> > bandwidth consumption is over a quota, send a packet to disconnect them.
>> Does this include things like changing the group a user in?  For
>> example, if a user in the "allowed" group is updated to be in the
>> "disallowed" group (and auth/acct are in mysql), freeradius would
>> originate a CoA packet to disconnect the user.  Can this be done with
>> unlang, or am I mad?
> Anyone?

It should be possible.

If I'm reading Alan's post correctly, freeradius supports CoA packets,
but you need to write your own rule/policy to send it. For
over-bandwidth scenario, the rule should be while examining
interim-update acct packets, so instead of simply writing to database
it can also do some calculations and send CoA packet if the user is
over quota.

For your purpose, you'd need to put the rule/policy to check user
group (possibly on interim-update as well) and disconnect them if
necessary. Note that in this way the disconnect would happen after
interim update, and NOT immediately after you chane the group in


More information about the Freeradius-Users mailing list