PMP 13.4 – Radius Change of Authorization (Feature Brief)

Introduction

Prior to 13.4, the SM could receive configuration parameters from a Radius server only when authentication was performed. This feature in 13.4 allows an administrator to control these configuration parameters in the SM while it is in session. This is done using the Radius Change of Authorization (RFC 3576) method. A typical use case could be changing the QoS parameters after a certain amount of bandwidth usage by an SM.

Feature Description

The Radius CoA feature enables initiating a return communication from the Radius server(s) to the AP/SM. The AP listens for and accepts CoA requests from the configured Radius servers. The CoA request from the Radius server needs an identifier which can identify the SM for which the configuration change has to be made. The MAC address of the SM is put in the 'User-Name' attribute of the CoA request, which acts as the identifier. All other SM configuration parameters are also added into the CoA request as attributes. For security reasons a timestamp also needs to be added as the 'Event-Timestamp' attribute. Hence the time should also be synchronized between the Radius server(s) and the AP to fit within a window of 300 seconds. If a valid CoA request is received, the AP applies the configuration parameters based on the attributes in the CoA request to the SM, followed by a CoA-ACK response to the Radius server. If the CoA request is invalid, the AP sends a CoA-NACK response to the Radius server with the proper error code.

The feature can be enabled or disabled from the Configuration->Security page. The authentication mode should be 'Radius AAA' to change this setting. The device needs to be rebooted when this configuration is changed. By default the feature is disabled.

Refer to the Canopy Radius dictionary file to see which configuration parameters can be sent from the Radius server.

Caveats

RFC 5176 is not supported; only RFC 3576 is supported.
Radius Disconnect message is not supported now and it will respond with NACK saying 'Unsupported Extension'.

4 Likes

Hi,

We now support Disconnect Message as well.

To disconnect a registered SM from the AP, send a Disconnect message containing the following parameters on the CoA port.

Event-Timestamp=1445935920
User-Name=0a-00-3e-ab-cd-ef  [MAC address of registered SM]

The AP will syslog, if configured, and event log when an SM is successfully disconnected.

2 Likes
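The checks a receiver of the CoA and Disconnect requests described in this thread has to make, as an added example that is not Cambium's code or part of the original posts: it builds an RFC 3576 request carrying User-Name and Event-Timestamp, then validates the Request Authenticator and the 300-second window. The shared secret, the function names and the reading of the window as plus or minus 300 seconds are assumptions.

```python
import hashlib, hmac, struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # RFC 3576 packet codes
USER_NAME, EVENT_TIMESTAMP = 1, 55         # RADIUS attribute types
WINDOW = 300                               # seconds; +/- is an assumption

def _authenticator(code, ident, attrs, secret):
    # RFC 3576 section 2.3: MD5(Code + Id + Length + 16 zero octets + attrs + secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + b"\x00" * 16 + attrs + secret).digest()

def build_request(code, ident, mac, timestamp, secret):
    """Server side: encode User-Name and Event-Timestamp, then sign the packet."""
    name = mac.encode()
    attrs = bytes([USER_NAME, 2 + len(name)]) + name
    attrs += bytes([EVENT_TIMESTAMP, 6]) + struct.pack("!I", timestamp)
    auth = _authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def validate_request(packet, secret, now):
    """Receiver side: return (ok, detail); detail is the SM MAC or a reject reason."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return False, "bad header"
    attrs = packet[20:]
    expected = _authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):   # constant-time compare
        return False, "bad authenticator"
    found, i = {}, 0
    while i < len(attrs):                                  # walk type-length-value list
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return False, "malformed attribute"
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    if USER_NAME not in found or len(found.get(EVENT_TIMESTAMP, b"")) != 4:
        return False, "missing attribute"
    ts = struct.unpack("!I", found[EVENT_TIMESTAMP])[0]
    if abs(now - ts) > WINDOW:                             # replayed or clock drift
        return False, "stale timestamp"
    return True, found[USER_NAME].decode("ascii", "replace")

# Constructed sample: secret is made up; MAC and timestamp are the values in the reply.
SECRET = b"constructed-shared-secret"
SAMPLE = build_request(DISCONNECT_REQUEST, 7, "0a-00-3e-ab-cd-ef", 1445935920, SECRET)
```

A request that is captured and replayed more than 300 seconds later fails the timestamp check even though its authenticator is still valid, which is why the brief requires synchronized clocks.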