diff options
Diffstat (limited to 'raddb/sites-available/originate-coa')
-rw-r--r-- | raddb/sites-available/originate-coa | 185 |
1 files changed, 185 insertions, 0 deletions
diff --git a/raddb/sites-available/originate-coa b/raddb/sites-available/originate-coa new file mode 100644 index 0000000..3325b88 --- /dev/null +++ b/raddb/sites-available/originate-coa @@ -0,0 +1,185 @@ +# -*- text -*- +###################################################################### +# +# The server can originate Change of Authorization (CoA) or +# Disconnect request packets. These packets are used to dynamically +# change the parameters of a users session (bandwidth, etc.), or +# to forcibly disconnect the user. +# +# There are some caveats. Not all NAS vendors support this +# functionality. Even for the ones that do, it may be difficult to +# find out what needs to go into a CoA-Request or Disconnect-Request +# packet. All we can suggest is to read the NAS documentation +# available from the vendor. That documentation SHOULD describe +# what information their equipment needs to see in a CoA packet. +# +# This information is usually a list of attributes such as: +# +# NAS-IP-Address (or NAS-IPv6 address) +# NAS-Identifier +# User-Name +# Acct-Session-Id +# +# CoA packets can be originated when a normal Access-Request or +# Accounting-Request packet is received. Simply update the +# "coa" list: +# +# update coa { +# &User-Name = "%{User-Name}" +# &Acct-Session-Id = "%{Acct-Session-Id}" +# &NAS-IP-Address = "%{NAS-IP-Address}" +# } +# +# And the CoA packet will be sent. You can also send Disconnect +# packets by using "update disconnect { ...". +# +# This "update coa" entry can be placed in any section (authorize, +# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA +# packets CANNOT be sent if the original request has been proxied. +# +# The CoA functionality works best when the RADIUS server and +# the NAS receiving CoA packets are on the same network. +# +# If "update coa { ... " is used, and then later it becomes necessary +# to not send a CoA request, the following example can suppress the +# CoA packet: +# +# update control { +# &Send-CoA-Request = No +# } +# +# The default destination of a CoA packet is the NAS (or client) +# the sent the original Access-Request or Accounting-Request. See +# raddb/clients.conf for a "coa_server" configuration that ties +# a client to a specific home server, or to a home server pool. +# +# If you need to send the packet to a different destination, update +# the "coa" list with one of: +# +# Packet-Dst-IP-Address = ... +# Packet-Dst-IPv6-Address = ... +# Home-Server-Pool = ... +# +# That specifies an Ipv4 or IPv6 address, or a home server pool +# (such as the "coa" pool example below). This use is not +# recommended, however, It is much better to point the client +# configuration directly at the CoA server/pool, as outlined +# earlier. +# +# If the CoA port is non-standard, you can also set: +# +# Packet-Dst-Port +# +# to have the value of the port. +# +###################################################################### + +# +# When CoA packets are sent to a NAS, the NAS is acting as a +# server (see RFC 5176). i.e. it has a type (accepts CoA and/or +# Disconnect packets), an IP address (or IPv6 address), a +# destination port, and a shared secret. +# +home_server example-coa { + type = coa + + # + # Note that a home server of type "coa" MUST be a real NAS, + # with an ipaddr or ipv6addr. It CANNOT point to a virtual + # server. + # + # Change this IP address to the IP address of the NAS. + # + ipaddr = 192.0.2.42 + port = 3799 + + # This secret SHOULD NOT be the same as the shared + # secret in a "client" section. + secret = testing1234 + + # CoA specific parameters. See raddb/proxy.conf for details. + coa { + irt = 2 + mrt = 16 + mrc = 5 + mrd = 30 + } +} + +# +# CoA servers can be put into pools, just like normal servers. +# +home_server_pool coa { + type = fail-over + + # Point to the CoA server above. + home_server = example-coa + + # CoA requests are run through the pre-proxy section. + # CoA responses are run through the post-proxy section. + virtual_server = originate-coa.example.com + + # + # Home server pools of type "coa" cannot (currently) have + # a "fallback" configuration. + # +} + +# +# When this virtual server is run, the original request has FINISHED +# processing. i.e. the reply has already been sent to the NAS. +# You can access the attributes in the original packet, reply, and +# control items, but changing them will have NO EFFECT. +# +# The CoA packet is in the "proxy-request" attribute list. +# The CoA reply (if any) is in the "proxy-reply" attribute list. +# +server originate-coa.example.com { + pre-proxy { + update proxy-request { + NAS-IP-Address = 192.0.2.42 + } + } + + # + # Handle the responses here. + # + post-proxy { + switch &proxy-reply:Packet-Type { + case CoA-ACK { + ok + } + + case CoA-NAK { + # the NAS didn't like the CoA request + ok + } + + case Disconnect-ACK { + ok + } + + case Disconnect-NAK { + # the NAS didn't like the Disconnect request + ok + } + + # Invalid packet type. This shouldn't happen. + case { + fail + } + } + + # + # These methods are run when there is NO response + # to the request. + # + Post-Proxy-Type Fail-CoA { + ok + } + + Post-Proxy-Type Fail-Disconnect { + ok + } + } +} |