Configuring Dynamic Authorization (CoA) on cnPilot E-series Device for Guest enabled SSID

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. An administrator can send CoA packets from the AAA server, for example with the “radclient” tool on a FreeRADIUS AAA server. By default, CoA uses port 3799.

Configuration

Go to “Configure >> WLAN >> Radius Server” and enable Dynamic Authorization.

Dynamic Authorization (CoA)

The cnPilot E-Series AP supports the following CoA types:

  • Disconnection
  • Session Timeout
  • WISPr Bandwidth Limit

The sections below give more information on each CoA type and its functionality:

- Disconnection:

The Disconnect Request message is sent by the RADIUS server or policy server to force a client disconnection for policy reasons, for example when the client is no longer meant to be authorized on the network and must be disconnected and attempt to log in again.

Here is the list of attributes which the cnPilot AP expects in a CoA or Disconnect Request:

  • User name
  • NAS-IP-Address
  • Calling Station ID

The following sample command generates a Disconnect CoA from a FreeRADIUS AAA server (Ubuntu) using the radclient tool:
echo "User-Name=<Radius User Name>,NAS-IP-Address=<AP IP>,Calling-Station-Id=<Client's MAC address>" | radclient <AP IP>:3799 disconnect <radius secret key>

In a Wireshark trace, the Disconnect-Request is followed by a Disconnect-ACK.

- Session Timeout:

Dynamic Authorization supports changing the session timeout of the client. This can be useful in scenarios such as paid Wi-Fi access, where a user might have had 60 minutes of free access but has purchased a longer session time during that period. The client's session is then seamlessly extended to the new session time.

Here is the list of attributes which the cnPilot AP expects in a CoA Request:

  • User name
  • NAS-IP-Address
  • Calling Station ID
  • Session-Timeout (in seconds)

The following sample command generates a Session-Timeout CoA from a FreeRADIUS AAA server (Ubuntu) using the radclient tool:
echo "User-Name=<Radius User Name>,NAS-IP-Address=<AP IP>,Session-Timeout=<in Seconds>,Calling-Station-Id=<Client's MAC address>" | radclient <AP IP>:3799 coa <radius secret key>

In a Wireshark trace, the CoA-Request is followed by a CoA-ACK.

- WISPr Bandwidth limit:

Dynamic Authorization supports updating the WISPr bandwidth limit. For example, suppose the Internet policy is a 5Mbps limit for 1GB of data, and after 1GB is consumed the bandwidth rate limit should drop to 500Kbps; the AAA server sends this change in a CoA packet. Similarly, if a customer purchases a data pack with a bandwidth rate limit of 10Mbps, the AAA server updates the limit by sending a CoA.

Here is the list of attributes which the cnPilot AP expects in a CoA Request:

  • User name
  • NAS-IP-Address
  • Calling Station ID
  • WISPr-Bandwidth-Max-Down (in bits/second)
  • WISPr-Bandwidth-Max-Up (in bits/second)

The following sample command generates a WISPr rate limit CoA from a FreeRADIUS AAA server (Ubuntu) using the radclient tool:
echo "User-Name=<Radius User Name>,NAS-IP-Address=<AP IP>,Calling-Station-Id=<Client's MAC address>,WISPr-Bandwidth-Max-Down=<in bits/sec>,WISPr-Bandwidth-Max-Up=<in bits/sec>" | radclient <AP IP>:3799 coa <radius secret key>

In a Wireshark trace, the CoA-Request is followed by a CoA-ACK.

- CoA configuration with Proxy through cnMaestro:

When Proxy through cnMaestro is enabled, cnMaestro acts as the NAS for the RADIUS server.

Any CoA packet sent by the RADIUS server for a particular Calling-Station-Id must then be forwarded by cnMaestro to the AP with which that Calling-Station-Id is associated. For cnMaestro to know which AP that is, the RADIUS server must include the Acct-Session-Id attribute, which is mandatory, in the CoA packet.

The following sample command generates a CoA from a FreeRADIUS AAA server (Ubuntu) using the radclient tool when proxy through cnMaestro is enabled:
echo "User-Name=<Radius User Name>,NAS-IP-Address=<cnMaestro IP>,Acct-Session-Id=<Accounting Session ID>" | radclient <cnMaestro IP>:3799 coa <radius secret key>

In a Wireshark trace, the CoA-Request contains the Acct-Session-Id attribute.
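
When a portal or billing system generates these radclient lines automatically, the attribute sets listed in the four sections above can be enforced before anything is sent. The following is an added example, not Cambium's or FreeRADIUS's code; the function name, the "kind" labels and the character allow-list are assumptions made for illustration.

```python
import ipaddress
import re

# Attribute sets the page lists per request type; "proxy" is the
# cnMaestro-proxy case, where Acct-Session-Id is mandatory.
BASE = ("User-Name", "NAS-IP-Address", "Calling-Station-Id")
REQUIRED = {
    "disconnect": BASE,
    "session-timeout": BASE + ("Session-Timeout",),
    "wispr": BASE + ("WISPr-Bandwidth-Max-Down", "WISPr-Bandwidth-Max-Up"),
    "proxy": ("User-Name", "NAS-IP-Address", "Acct-Session-Id"),
}
ALLOWED = {name for names in REQUIRED.values() for name in names}
NUMERIC = {"Session-Timeout", "WISPr-Bandwidth-Max-Down", "WISPr-Bandwidth-Max-Up"}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")


def radclient_input(kind, values):
    """Return (radclient command, attribute line) or raise ValueError."""
    missing = [name for name in REQUIRED[kind] if name not in values]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    pairs = []
    for name, value in values.items():
        value = str(value)
        if name not in ALLOWED:
            raise ValueError("unexpected attribute: " + name)
        if name == "NAS-IP-Address":
            value = str(ipaddress.IPv4Address(value))  # ValueError if malformed
        elif name == "Calling-Station-Id":
            if not MAC_RE.fullmatch(value):
                raise ValueError("Calling-Station-Id must be XX-XX-XX-XX-XX-XX")
        elif name in NUMERIC:
            if not re.fullmatch(r"[0-9]{1,10}", value) or int(value) >= 2**32:
                raise ValueError(name + " must be a 32-bit unsigned integer")
        elif not re.fullmatch(r"[A-Za-z0-9._@-]+", value):
            # User-Name / Acct-Session-Id: no commas, quotes or whitespace,
            # so a value cannot add or alter attributes in the line.
            raise ValueError(name + " contains characters outside the allow-list")
        pairs.append(name + "=" + value)
    return ("disconnect" if kind == "disconnect" else "coa"), ",".join(pairs)
```

The returned attribute line is what gets piped to radclient, and the returned command is the `disconnect` or `coa` argument.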

Example CoA Message   

 

AP Based: AP IP:<10.50.0.7>:
echo "User-Name=cportal,NAS-IP-Address=10.50.0.7,Session-Timeout=1000,Calling-Station-Id=78-7B-8A-1A-1E-11,NAS-Identifier=E500-AABBCC" | radclient 10.50.0.7:3799 coa cambium
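
The AP-based request above at the packet level, as an added example that is not part of the original article or Cambium's code: it encodes the same attributes (NAS-Identifier left out) and computes the RFC 5176 Request Authenticator, then shows the receiver-side check that recomputes it with the shared secret. Function names and the packet identifier are assumptions.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and RFC 2865 attribute type numbers
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
USER_NAME, NAS_IP_ADDRESS, SESSION_TIMEOUT, CALLING_STATION_ID = 1, 4, 27, 31


def attr(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, ident, attrs, secret):
    """Build a request whose authenticator is
    MD5(Code, Identifier, Length, 16 zero octets, Attributes, Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Receiver-side check: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def sample_coa(secret=b"cambium"):
    """Constructed sample using the values of the AP-based example."""
    attrs = [
        attr(USER_NAME, b"cportal"),
        attr(NAS_IP_ADDRESS, socket.inet_aton("10.50.0.7")),
        attr(SESSION_TIMEOUT, struct.pack("!I", 1000)),
        attr(CALLING_STATION_ID, b"78-7B-8A-1A-1E-11"),
    ]
    return build_request(COA_REQUEST, 1, attrs, secret)
```

The check fails for a wrong secret or any changed attribute, so the shared secret is what authorizes a CoA sender.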

 

cnMaestro Based: cnMaestro IP:<10.110.219.62>:
echo "User-Name=cportal,NAS-IP-Address=10.110.219.62,CAMB-WIFI-QUOTA-UP = 10000000,CAMB-WIFI-QUOTA-DOWN = 10000000,Acct-Session-Id=00-04-56-C8-F3-33-12-93-86-44-78-7B-8A-1A-1E-11,Calling-Station-Id=78-7B-8A-1A-1E-11,NAS-Identifier=E425-AABBCC" | radclient 10.110.219.62:3799 coa cambium

In a Wireshark trace, the CoA-Request contains the Acct-Session-Id attribute.

 

Note: Guest Access must be enabled on the WLAN for the CoA feature.
