Setting Up CoA Proxy

Updated by Alex Moore

One challenge with using RADIUS to provision is that changes made to RADIUS attributes are not necessarily applied to the user immediately. If you are using PPPoE, for example, attribute changes will not take effect until the PPPoE session is disconnected and reconnected. Some attributes can be updated on the fly using a CoA (Change of Authorization) request, but many attributes require a disconnect.

Sonar allows you to trigger a disconnect upon certain events by issuing a disconnect or CoA packet to the RADIUS server. This allows you to force an update to the customer without manually disconnecting their PPPoE session. For this to work, your RADIUS server must be set up to proxy CoA/disconnect packets to the NAS; Sonar sends these packets directly to the RADIUS server. A basic configuration to enable CoA/Disconnect proxying for FreeRADIUS is shown below. It was tested on version 2.1.12 and may require some modification for other versions. You must disable the use of the nas table in the SQL database when using CoA proxying, as there is no way to define the coa_server property in SQL.

  1. SSH to the RADIUS server and navigate to the freeradius directory by typing the following command:
cd /etc/freeradius
If you type ll to view the directory, you should see the following files:
radiusd.conf
clients.conf
proxy.conf
  2. Use a text editor to look at radiusd.conf:
vi radiusd.conf

This file should not require any modification, but confirm that it contains the following lines:

proxy_requests = yes
$INCLUDE proxy.conf
  3. Use a text editor to look at clients.conf:
vi clients.conf
Each NAS you have listed in clients.conf needs to be placed into the same coa_server group. You also need to add your Sonar instance as a client, replacing the ipaddr value with the IP address of your Sonar instance; this is the client sonar { } block in the example below. The secret in that Sonar client entry is the value you will enter in the CoA Secret field inside Sonar when configuring CoA proxying.

Here is an example of a finished clients.conf:

client myroutername1  {
ipaddr = 10.220.5.1 # Your NAS IP
secret = reallysecret # RADIUS secret for this NAS
nas_type = mikrotik
coa_server = concentrators
}

client myroutername2 {
ipaddr = 10.220.5.2 # Another NAS IP
secret = reallysecret # RADIUS secret for this NAS
nas_type = mikrotik
coa_server = concentrators
}

client sonar {
ipaddr = x.x.x.x # sonar instance IP
secret = sonarcoasecret # the CoA secret entered in Sonar
nas_type = other
coa_server = concentrators
}
  4. Use a text editor to modify proxy.conf:
vi proxy.conf
Each NAS must be listed as a home_server in proxy.conf, with the ipaddr value matching its definition in clients.conf. List every defined home_server inside the home_server_pool section, one home_server entry per line. In addition, define a home_server_pool named after each NAS IP address: the update control section in sites-enabled/coa sets the pool from the NAS-IP-Address attribute, so a pool with that exact name must exist for every NAS.

Here is an example of a filled out proxy.conf:

home_server myroutername1 {
type = coa
ipaddr = 10.220.5.1
port = 3799
secret = reallysecret
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = none
check_interval = 30
num_answers_to_alive = 3
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

home_server myroutername2 {
type = coa
ipaddr = 10.220.5.2
port = 3799
secret = reallysecret
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = none
check_interval = 30
num_answers_to_alive = 3
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

home_server_pool concentrators {
home_server = myroutername1
home_server = myroutername2
}

home_server_pool 10.220.5.1 {
home_server = myroutername1
}

home_server_pool 10.220.5.2 {
home_server = myroutername2
}
  5. Navigate to the following directory:
cd /etc/freeradius/sites-enabled

Run the following command to create a new file called "coa":

vi coa
  6. Copy the text below exactly as is, paste it into the "coa" file, and save.
listen {
type = coa
ipaddr = *
port = 3799
server = coa
}

server coa {
recv-coa {
update control {
Home-Server-Pool := "%{NAS-IP-Address}"
}
ok
}
send-coa {
ok
}
}
  7. If you haven't done so already, you should now disable the NAS table as mentioned at the beginning of this article. You do this by going back into the genie you used to set up the RADIUS database:
cd ~
php freeradius_genie-master/genie
  8. Enter the NAS configuration screen, then scroll down to "Remove NAS" and delete the NAS entries you initially set up when building the server. These need to be removed since they are now defined in the CoA configuration instead.
  9. Restart FreeRADIUS: systemctl restart freeradius
  10. Check that it is running: systemctl status freeradius
Test that it is working by disconnecting an active session from within a customer account:
    • Note the "Start Time" to the left of the active session. After disconnecting, within a few seconds or up to 1-2 minutes, the session will reconnect automatically and you will see this time update to the current time.
    • In the NAS (MikroTik) you can also watch this happen in real time from the PPP > Active Connections (or Queues > Simple Queues) window and see the client disappear and then reappear with the updated session, and a new queue if there was a service change.
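As an added check (not part of this article, Sonar or FreeRADIUS), the following Python script parses clients.conf and proxy.conf in the simple brace syntax shown above and reports every NAS the coa virtual server could not reach: a coa_server that names no home_server_pool, no home_server with the NAS IP, or no home_server_pool named after that IP. It assumes the Sonar client is the one with nas_type = other, and the embedded configs are constructed samples with placeholder values.

```python
import re
# Constructed samples modelled on this article's clients.conf and proxy.conf (placeholder values).
CLIENTS_CONF = """client nas1 { ipaddr = 10.220.5.1   # the NAS (MikroTik)
  secret = reallysecret  nas_type = mikrotik  coa_server = concentrators }
client sonar { ipaddr = 192.0.2.10  # Sonar: sends the CoA/disconnect packets, not a target
  secret = sonarcoasecret  nas_type = other  coa_server = concentrators }"""
PROXY_CONF = """home_server nas1 { type = coa  ipaddr = 10.220.5.1  port = 3799
  secret = reallysecret  coa { irt = 2  mrt = 16 } }
home_server_pool concentrators { home_server = nas1 }
home_server_pool 10.220.5.1 { home_server = nas1 }"""
TOKEN_RE = re.compile(r"[{}=]|[^\s{}=]+")

def parse(text):
    """Top-level 'type [name] { key = value ... }' sections as [(type, name, attrs)]; attrs: key -> [values]."""
    toks = TOKEN_RE.findall(re.sub(r"#.*", "", text))  # strip comments first
    sections, depth, i = [], 0, 0
    while i < len(toks):
        t = toks[i]
        if t == "}":
            depth, i = depth - 1, i + 1
        elif toks[i + 1] == "=":
            if depth == 1:  # keep the section's own keys, skip nested coa { } timers
                sections[-1][2].setdefault(t, []).append(toks[i + 2])
            i += 3
        else:
            name = None if toks[i + 1] == "{" else toks[i + 1]
            if depth == 0:
                sections.append((t, name, {}))
            depth, i = depth + 1, i + (2 if name is None else 3)
    return sections

def check_coa_proxy(clients_conf, proxy_conf):
    """List the inconsistencies that would make CoA proxying fail; [] means OK."""
    proxy = parse(proxy_conf)
    by_ip = {a["ipaddr"][0]: n for k, n, a in proxy if k == "home_server" and "ipaddr" in a}
    pools = {n: a.get("home_server", []) for k, n, a in proxy if k == "home_server_pool"}
    problems = []
    for _, name, a in [s for s in parse(clients_conf) if s[0] == "client"]:
        ip, pool = a.get("ipaddr", ["?"])[0], a.get("coa_server", [None])[0]
        if pool not in pools:
            problems.append(f"{name}: coa_server '{pool}' is not a defined home_server_pool")
        if a.get("nas_type", [""])[0] == "other":
            continue  # assumption: the Sonar client is the one with nas_type = other
        hs = by_ip.get(ip)
        if hs is None:
            problems.append(f"{name}: no home_server with ipaddr {ip} in proxy.conf")
        elif hs not in pools.get(pool, []):
            problems.append(f"{name}: {hs} is not a member of pool '{pool}'")
        elif hs not in pools.get(ip, []):  # sites-enabled/coa selects the pool named %{NAS-IP-Address}
            problems.append(f"{name}: no home_server_pool '{ip}' containing {hs}")
    return problems
```

Run it against your real files with check_coa_proxy(open("/etc/freeradius/clients.conf").read(), open("/etc/freeradius/proxy.conf").read()); the parser handles only the plain key = value and brace syntax used in this article, not $INCLUDE lines or quoted values.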
