# -*- text -*-
|
|
######################################################################
|
|
#
|
|
# The server can originate Change of Authorization (CoA) or
|
|
# Disconnect request packets. These packets are used to dynamically
|
|
# change the parameters of a users session (bandwidth, etc.), or
|
|
# to forcibly disconnect the user.
|
|
#
|
|
# There are some caveats. Not all NAS vendors support this
|
|
# functionality. Even for the ones that do, it may be difficult to
|
|
# find out what needs to go into a CoA-Request or Disconnect-Request
|
|
# packet. All we can suggest is to read the NAS documentation
|
|
# available from the vendor. That documentation SHOULD describe
|
|
# what information their equipment needs to see in a CoA packet.
|
|
#
|
|
# This information is usually a list of attributes such as:
|
|
#
|
|
# NAS-IP-Address (or NAS-IPv6-Address)
|
|
# NAS-Identifier
|
|
# User-Name
|
|
# Acct-Session-Id
|
|
#
|
|
# CoA packets can be originated when a normal Access-Request or
|
|
# Accounting-Request packet is received. Simply update the
|
|
# "coa" list:
|
|
#
|
|
# update coa {
|
|
# User-Name = "%{User-Name}"
|
|
# Acct-Session-Id = "%{Acct-Session-Id}"
|
|
# NAS-IP-Address = "%{NAS-IP-Address}"
|
|
# }
|
|
#
|
|
# And the CoA packet will be sent. You can also send Disconnect
|
|
# packets by using "update disconnect { ...".
|
|
#
|
|
# This "update coa" entry can be placed in any section (authorize,
|
|
# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA
|
|
# packets CANNOT be sent if the original request has been proxied.
|
|
#
|
|
# The CoA functionality works best when the RADIUS server and
# the NAS receiving CoA packets are on the same network. Note that
# CoA and Disconnect packets are protected only by the RADIUS shared
# secret; if they must cross an untrusted network, the security
# considerations of RFC 5176 recommend carrying them over IPsec (or
# another protected transport) rather than relying on the secret alone.
|
|
#
|
|
# If "update coa { ... " is used, and then later it becomes necessary
|
|
# to not send a CoA request, the following example can suppress the
|
|
# CoA packet:
|
|
#
|
|
# update control {
|
|
# Send-CoA-Request = No
|
|
# }
|
|
#
|
|
# The default destination of a CoA packet is the NAS (or client)
# that sent the original Access-Request or Accounting-Request. See
|
|
# raddb/clients.conf for a "coa_server" configuration that ties
|
|
# a client to a specific home server, or to a home server pool.
|
|
#
|
|
# If you need to send the packet to a different destination, update
|
|
# the "coa" list with one of:
|
|
#
|
|
# Packet-Dst-IP-Address = ...
|
|
# Packet-Dst-IPv6-Address = ...
|
|
# Home-Server-Pool = ...
|
|
#
|
|
# That specifies an IPv4 or IPv6 address, or a home server pool
# (such as the "coa" pool example below). This use is not
# recommended, however. It is much better to point the client
|
|
# configuration directly at the CoA server/pool, as outlined
|
|
# earlier.
|
|
#
|
|
# If the CoA port is non-standard, you can also set:
|
|
#
|
|
# Packet-Dst-Port
|
|
#
|
|
# to have the value of the port.
|
|
#
|
|
######################################################################
|
|
|
|
#
|
|
# When CoA packets are sent to a NAS, the NAS is acting as a
|
|
# server (see RFC 5176). i.e. it has a type (accepts CoA and/or
|
|
# Disconnect packets), an IP address (or IPv6 address), a
|
|
# destination port, and a shared secret.
|
|
#
|
|
# This information *cannot* go into a "client" section. In the future,
|
|
# FreeRADIUS will be able to receive, and to proxy CoA packets.
|
|
# Having the CoA configuration as below means that we can later do
|
|
# load-balancing, fail-over, etc. of CoA servers. If the CoA
|
|
# configuration went into a "client" section, it would be impossible
|
|
# to do proper proxying of CoA requests.
|
|
#
|
|
#
# Home server entry describing the NAS that will receive CoA and
# Disconnect packets.  It is referenced by the "coa" pool below.
#
home_server localhost-coa {
	type = coa

	#
	# Note that a home server of type "coa" MUST be a real NAS,
	# with an ipaddr or ipv6addr. It CANNOT point to a virtual
	# server.
	#
	ipaddr = 127.0.0.1

	# UDP port on which the NAS listens for Dynamic Authorization
	# packets.  3799 is the port assigned by RFC 5176.
	port = 3799

	# This secret SHOULD NOT be the same as the shared
	# secret in a "client" section.
	#
	# "testing1234" is a well-known placeholder shipped with the
	# example configuration.  Replace it before this entry is used
	# with a real NAS: the integrity of CoA/Disconnect packets rests
	# on this secret alone, so anyone who knows it (together with the
	# matching secret configured on the NAS) can send the NAS forged
	# Disconnect-Requests for arbitrary sessions, or forge ACK/NAK
	# replies to this server.  Use a long random value unique to
	# this NAS.
	secret = testing1234

	# CoA specific parameters. See raddb/proxy.conf for details.
	#
	# These are the RFC 5080 retransmission controls: initial
	# retransmission time (irt), maximum retransmission time (mrt),
	# maximum retransmission count (mrc) and maximum retransmission
	# duration (mrd).  The times are in seconds.  Once mrc or mrd is
	# exhausted with no reply, the "Fail-CoA" / "Fail-Disconnect"
	# handlers of the virtual server are run.
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}
|
|
|
|
#
|
|
# CoA servers can be put into pools, just like normal servers.
|
|
#
|
|
home_server_pool coa {
	# Pool type; see raddb/proxy.conf for the available types.
	# With only one home_server listed there is nothing to fail
	# over to, so this is purely illustrative.
	type = fail-over

	# Point to the CoA server above.
	home_server = localhost-coa

	# CoA requests are run through the pre-proxy section.
	# CoA responses are run through the post-proxy section.
	# The named virtual server is defined at the end of this file.
	virtual_server = originate-coa.example.com

	#
	# Home server pools of type "coa" cannot (currently) have
	# a "fallback" configuration.
	#
}
|
|
|
|
#
|
|
# When this virtual server is run, the original request has FINISHED
|
|
# processing. i.e. the reply has already been sent to the NAS.
|
|
# You can access the attributes in the original packet, reply, and
|
|
# control items, but changing them will have NO EFFECT.
|
|
#
|
|
# The CoA packet is in the "proxy-request" attribute list.
|
|
# The CoA reply (if any) is in the "proxy-reply" attribute list.
|
|
#
|
|
server originate-coa.example.com {
	#
	# Run once for each outgoing CoA/Disconnect packet, before it
	# is sent.  The "proxy-request" list is the packet that goes
	# on the wire.
	#
	pre-proxy {
		# Example only: supplies the address of the local test NAS
		# as the NAS-IP-Address of the outgoing packet.  NOTE(review):
		# with the unlang "=" operator this is only added when the
		# attribute is not already present, so a NAS-IP-Address
		# copied into the "coa" list by the originating request is
		# expected to take precedence -- confirm against the unlang
		# operator documentation.  In a real deployment the
		# identifying attributes (see the top of this file) should
		# come from the original request, not a fixed value.
		update proxy-request {
			NAS-IP-Address = 127.0.0.1
		}
	}

	#
	# Handle the responses here.
	#
	post-proxy {
		# Dispatch on the code of the packet the NAS sent back.
		switch "%{proxy-reply:Packet-Type}" {
			case CoA-ACK {
				ok
			}

			case CoA-NAK {
				# the NAS didn't like the CoA request
				# NOTE(review): a NAK means the session was NOT
				# changed.  Returning "ok" makes this invisible;
				# consider recording it (e.g. via linelog) so that
				# failed policy enforcement can be audited.
				ok
			}

			case Disconnect-ACK {
				ok
			}

			case Disconnect-NAK {
				# the NAS didn't like the Disconnect request
				# NOTE(review): the session is still up.  This is
				# the case most worth logging for audit purposes,
				# since the intent was to terminate access.
				ok
			}

			# Invalid packet type. This shouldn't happen.
			case {
				fail
			}
		}

		#
		# These methods are run when there is NO response
		# to the request.
		#
		# NOTE(review): no response (retransmissions exhausted, or
		# UDP/3799 dropped by a firewall) is indistinguishable from
		# the NAS never acting on the request.  Returning "ok" here
		# hides that; consider logging these cases as well.
		#
		Post-Proxy-Type Fail-CoA {
			ok
		}

		Post-Proxy-Type Fail-Disconnect {
			ok
		}
	}
}
|