Table of Contents
Setting Up CoA Proxy
Updated
by Alex Moore
Read Time: 4 mins
One challenge with using RADIUS to provision is that changes made to RADIUS attributes are not necessarily applied to the user immediately. If you are, for example, using PPPoE, then any attribute changes will not apply until the PPPoE session is disconnected or connected. Some attributes can be updated on the fly using a CoA (Change of Authorization) request, but many attributes require a disconnect.
Sonar allows you to trigger a disconnect upon certain events by issuing a disconnect or CoA packet to the RADIUS server. This allows you to force an update to the customer without manually disconnecting their PPPoE session. In order for this to work, your RADIUS server must be setup to proxy CoA/disconnect packets to the NAS - Sonar will send these packets directly to the RADIUS server. A basic configuration is shown below to enable CoA/Disconnect proxying for FreeRADIUS - this was tested on version 2.1.12 and may require some modification for other versions. You must disable the use of the nas table in the SQL database when using CoA proxying, as there is no way to define the coa_server property in SQL.
- SSH to RADIUS server and navigate to the freeradius directory by typing the following command:
cd /etc/freeradius
radiusd.conf
clients.conf
proxy.conf
- use a text editor to look at radiusd.conf
nano radiusd.conf
This file should not require any modification but confirm the following lines are written:
proxy_requests = yes
$INCLUDE proxy.conf
- use a text editor to look at clients.conf
nano clients.conf
coa_server group. You also need to add your Sonar instance as a client, replacing the ipaddr value with the IP address of your Sonar instance. This is shown above inside client sonar { }. The secret listed in the secret section of your Sonar clients entry is the value you will enter in the CoA Secret field inside Sonar when configuring CoA proxying.Here is an example of a finished clients.conf:
client myroutername1 {
ipaddr = 10.220.5.1 # Your NAS IP
secret = reallysecret # RADIUS secret for this NAS
nas_type = mikrotik
coa_server = concentrators
}
client myroutername2 {
ipaddr = 10.220.5.2 # Another NAS IP
secret = reallysecret # RADIUS secret for this NAS
nas_type = mikrotik
coa_server = concentrators
}
client sonar {
ipaddr = x.x.x.x # sonar instance IP
secret = sonarcoasecret # the CoA secret entered in Sonar
nas_type = other
coa_server = concentrators
}NAS-Name,IP-Address,CoA-Secret,CoA-Port
- use a text editor to modify proxy.conf
nano proxy.conf
home_server in proxy.conf. Match up the ipaddr values to your NAS definitions in clients.conf. List each defined home_server inside the home_server_pool section by adding an additional home_server entry on another line. You need the home_server_pool lines for each IP, so that the update control section in sites-enabled/coa works.Here is an example of a filled out proxy.conf:
home_server myroutername1 {
type = coa
ipaddr = 10.220.5.1
port = 3799
secret = reallysecret
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = none
check_interval = 30
num_answers_to_alive = 3
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server myroutername2 {
type = coa
ipaddr = 10.220.5.2
port = 3799
secret = reallysecret
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = none
check_interval = 30
num_answers_to_alive = 3
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool concentrators {
home_server = myroutername1
home_server = myroutername2
}
home_server_pool 10.220.5.1 {
home_server = myroutername1
}
home_server_pool 10.220.5.2 {
home_server = myroutername2
}- Navigate to the following directory
cd /etc/freeradius/sites-enabled
Run the following command to create a new file called "coa"
nano coa
- Copy the text exactly as is below and paste and save this in the "coa" file.
listen {
type = coa
ipaddr = *
port = 3799
server = coa
}
server coa {
recv-coa {
update control {
Home-Server-Pool := "%{NAS-IP-Address}"
}
ok
}
send-coa {
ok
}
}- If you haven't done so already, you should now disable the NAS table as mentioned in the beginning of this article. You do this by going back into the genie you used to setup the radius database:
cd ~
php freeradius_genie-master/genie
- Enter the NAS configuration screen, then scroll down to "Remove NAS" and delete the NAS entries you initially setup when building the server. These need to be removed since they are now set up in the CoA location instead:
- systemctl restart freeradius
- Enter: systemctl status freeradius
- Note the "Start Time" to the left of the active session - after disconnecting, within a few seconds, or even 1-2 minutes, the session will reconnect automatically and you will see this time update to the current time.
- In the NAS (MikroTik) you can also watch this happen in real-time from the PPP > Active Connections (or Queues > Simple Queues) Windows and see the client disappear and then reappear with the updated session and new queue if there was a service change.
