update-disconnect and originate-coa

Matthew Newton mcn at freeradius.org
Mon May 30 09:38:32 UTC 2022



On 30/05/2022 09:08, Antonios Kalkakos wrote:
> Let's say that a user configured in user's file "testuser 
> Cleartext-Password := "password", Login-Time := "Wk1000-1400"" should be 
> disconnected after the permitted Login-Time has passed. I enabled and 
> changed the contents of the originate-coa according to its 
> documentation, using the correct NAS IP address, secret etc and added 
> the coa_server = coa under the appropriate NAS section in clients.conf.
> 
> According to my understanding FreeRADIUS should have generated coa 
> messages to the NAS but it didn't do anything.

No. FreeRADIUS needs some trigger to tell it to do something. For 
example during an accounting Interim-Update you may see that the user is 
outside their time window, therefore send a CoA disconnect. 
originate-coa gives examples of how you would set the home server (the 
NAS) to send the CoA to, and how you create a virtual server to process 
the CoA packets before they are sent, and when the reply is received.


> Using radclient (cat packet.txt | radclient -x <nas ip address>:3799 
> disconnect "secret") with the Acct-Session-Id obtained from freeradius 
> -X output and the NAS coa secret, the user was disconnected normally.

Yes. That's good. At least you know CoA packets work... they are often 
ignored.

If you don't have frequent enough Interim-Updates, then you could for 
example use radclient (or something else) to send CoA packets to 
FreeRADIUS. That can then for example look up in the database to fill 
out the full CoA attributes that the NAS needs to see (for example, look 
up the NAS the user session is on and add the Acct-Session-Id), and 
generate a new CoA to send to the correct NAS. See the 
sites-available/coa-relay for an example of this.

This is useful for e.g. billing systems that know the User-Name, but 
nothing else. FreeRADIUS will take care of the hard work of ensuring the 
CoA packet is correct, and is sent to the correct place.

-- 
Matthew
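
Added example, not part of the original message and not FreeRADIUS code: a sketch of the kind of external trigger described above, which checks sessions against a Login-Time value and builds the attribute text that radclient would send as a Disconnect-Request. It assumes a simplified subset of the Login-Time syntax (day names, Wk, Any/Al, one HHMM-HHMM range per comma-separated entry, end minute treated as inclusive); the session list and session id are constructed.

```python
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # same order as datetime.weekday()

def day_set(spec):
    """Expand 'Wk', 'Any'/'Al' or concatenated day names ('SaSu') to weekday numbers."""
    if spec in ("Any", "Al"):
        return set(range(7))
    if spec == "Wk":
        return set(range(5))
    names = [spec[i:i + 2] for i in range(0, len(spec), 2)]
    if not names or any(n not in DAYS for n in names):
        raise ValueError(f"unsupported day spec: {spec!r}")
    return {DAYS.index(n) for n in names}

def in_login_time(login_time, now):
    """True if `now` falls inside any comma-separated entry of a Login-Time value."""
    minute = now.hour * 60 + now.minute
    for entry in login_time.split(","):
        entry = entry.strip()
        cut = next((i for i, c in enumerate(entry) if c.isdigit()), len(entry))
        if now.weekday() not in day_set(entry[:cut]):
            continue
        if cut == len(entry):  # day with no hours: the whole day is allowed
            return True
        start, end = (int(t[:2]) * 60 + int(t[2:]) for t in entry[cut:].split("-"))
        # A range such as 2305-0855 wraps midnight within the same day.
        if (start <= minute <= end) if start <= end else (minute >= start or minute <= end):
            return True
    return False

def disconnect_requests(sessions, login_times, now):
    """Build radclient attribute text for every session now outside its window."""
    return [
        f'User-Name = "{s["user"]}"\nAcct-Session-Id = "{s["session_id"]}"\n'
        for s in sessions
        if not in_login_time(login_times[s["user"]], now)
    ]

# Constructed sample data: the user from the thread plus a made-up session id.
LOGIN_TIMES = {"testuser": "Wk1000-1400"}
SESSIONS = [{"user": "testuser", "session_id": "EXAMPLE-SESSION-0001"}]

if __name__ == "__main__":
    for packet in disconnect_requests(SESSIONS, LOGIN_TIMES, datetime.now()):
        print(packet)  # feed to: radclient -x <nas ip address>:3799 disconnect <secret>
```

Run from cron or a similar scheduler, this supplies the trigger that FreeRADIUS does not generate on its own; the session list would come from the accounting database rather than a constant.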

