
Setting Up CoA Proxy

Updated by Jennifer Trower


A limitation of provisioning with RADIUS is that attribute changes don’t always take effect right away. For example, with PPPoE, updates typically won’t apply until the PPPoE session disconnects and reconnects. Some settings can be applied immediately using a Change of Authorization (CoA) request, but many still require a disconnect.

Sonar can automatically disconnect a customer when certain events occur by sending a Disconnect or CoA (Change of Authorization) packet to your RADIUS server. This can force customer updates without manually dropping their PPPoE session.

For this to work, your RADIUS server must be configured to proxy CoA/Disconnect packets to the NAS, since Sonar sends these packets to the RADIUS server directly. The basic FreeRADIUS configuration shown below enables this proxying and was tested on version 3.2.5 (you may need to adjust it for other versions).

When using CoA proxying, you must disable use of the nas SQL table, because the coa_server setting can’t be defined in SQL.

CoA Proxy in this manner will only work with FreeRADIUS 3.x, not any of the 2.x versions.
These commands assume root access. If you’re not already running as root, switch first (for example, sudo su) or prefix commands with sudo.
Make sure your NAS is set up to accept CoA on port 3799 (MikroTik: RADIUS > Incoming > Enable Accept and set 3799). If this isn’t enabled, CoA requests may fail.

  1. SSH to the RADIUS server and navigate to the freeradius directory by typing the following command:
    cd /etc/freeradius/3.0
    If you type ll to view the directory, you should see the following files:
    radiusd.conf
    clients.conf
    proxy.conf
  2. Use a text editor to look at radiusd.conf:
    nano radiusd.conf
    This file should not require any modification, but confirm the following lines are present:
    proxy_requests = yes
    $INCLUDE proxy.conf
  3. Use a text editor to look at clients.conf
    nano clients.conf
    Put every NAS listed in clients.conf into the same coa_server group. Then add your Sonar instance as a client, setting ipaddr to your Sonar server’s IP (as shown in the client sonar1 { } through client sonar5 { } entries below). The secret value in that Sonar client entry is what you’ll enter in Sonar’s CoA Secret field when setting up CoA proxying.
    Here is an example of a finished clients.conf:
    client myroutername1 {
        ipaddr = 10.220.5.1 # Your NAS IP
        secret = reallysecret # RADIUS secret for this NAS
        nas_type = mikrotik
        coa_server = concentrators
    }

    client myroutername2 {
        ipaddr = 10.220.5.2 # Another NAS IP
        secret = reallysecret # RADIUS secret for this NAS
        nas_type = mikrotik
        coa_server = concentrators
    }

    client sonar1 {
        ipaddr = 20.221.112.37 # Sonar Instance IP
        secret = sonarcoasecret # Sonar CoA Secret
        nas_type = other
        coa_server = concentrators
    }

    client sonar2 {
        ipaddr = 20.221.114.13
        secret = sonarcoasecret
        nas_type = other
        coa_server = concentrators
    }

    client sonar3 {
        ipaddr = 52.158.209.86
        secret = sonarcoasecret
        nas_type = other
        coa_server = concentrators
    }

    client sonar4 {
        ipaddr = 20.15.246.160/28
        secret = sonarcoasecret
        nas_type = other
        coa_server = concentrators
    }

    client sonar5 {
        ipaddr = 20.84.143.0/28
        secret = sonarcoasecret
        nas_type = other
        coa_server = concentrators
    }
    You can also use the tool at https://jemnetworks.com/coa to generate clients.conf and proxy.conf. Enter your NAS details as comma- or tab-separated values in this format:

    NAS-Name, IP-Address, CoA-Secret, CoA-Port
  4. Use a text editor to modify proxy.conf
    nano proxy.conf
    Add each NAS as a home_server in proxy.conf, using the same ipaddr values from your NAS entries in clients.conf. Then list all of those home_server entries in the home_server_pool section (one per line). You need a pool entry for each IP so the update control section in sites-enabled/coa works.
    Here is an example of a filled-out proxy.conf:
    home_server myroutername1 {
        type = coa
        ipaddr = 10.220.5.1
        port = 3799
        secret = reallysecret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        check_interval = 30
        num_answers_to_alive = 3
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

    home_server myroutername2 {
        type = coa
        ipaddr = 10.220.5.2
        port = 3799
        secret = reallysecret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        check_interval = 30
        num_answers_to_alive = 3
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

    home_server_pool concentrators {
        home_server = myroutername1
        home_server = myroutername2
    }

    home_server_pool 10.220.5.1 {
        home_server = myroutername1
    }

    home_server_pool 10.220.5.2 {
        home_server = myroutername2
    }
  5. Navigate to the following directory:
    cd /etc/freeradius/3.0/sites-enabled
    Run the following command to create a new file called "coa":
    nano coa
  6. Copy the text below exactly as is, paste it into the "coa" file, and save the file.
    listen {
        type = coa
        ipaddr = *
        port = 3799
        virtual_server = coa
    }

    server coa {
        recv-coa {
            update control {
                Home-Server-Pool := "%{NAS-IP-Address}"
            }
            ok
        }
        send-coa {
            ok
        }
    }
  7. If you haven’t already, disable the NAS table as mentioned earlier. To accomplish this, reopen the setup wizard (“genie”) you used to configure the RADIUS database:
    cd /home/<user>/freeradius_genie-v3
    php genie
    The genie installs under the home directory of the user who ran the installer (for example, /home/<user>). If you set up the genie as root, your home directory will be /root, so file paths (and screenshots) may look different.
    If you can’t find the genie folder, locate it with:

    find / -type d -name "freeradius_genie-v3" -print 2>/dev/null
  8. Open the NAS configuration screen, then scroll to Remove NAS and delete the NAS entries you added when setting up the server. Remove them because they’re now configured under the CoA settings instead.
  9. Restart FreeRADIUS by entering: systemctl restart freeradius
  10. Enter: systemctl status freeradius
    To confirm it’s working, disconnect an active session from the customer’s account.
    1. Look at the Start Time next to the active session. After you disconnect it, the session should reconnect automatically within a few seconds (sometimes up to 1–2 minutes), and the Start Time will update to the current time.
    2. On the NAS (MikroTik), you can watch this in real time in PPP > Active Connections (or Queues > Simple Queues). The client will disappear, then reappear with a refreshed session—and a new queue if the service changed.
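
The per-IP home_server_pool from step 4 is the piece most easily missed, because the coa virtual server in step 6 selects the pool by the packet's NAS-IP-Address. The following added example (not part of Sonar's or FreeRADIUS's own tooling) cross-checks clients.conf against proxy.conf. It assumes, as in the example clients.conf above, that the Sonar entries are the ones with nas_type = other; the sample configs inside it are constructed.

```python
import re
BLOCK = re.compile(r'^(home_server_pool|home_server|client)\s+(\S+)\s*\{$')

def parse(text):
    """Map (kind, name) -> [(key, value), ...] for top-level blocks; nested ones are skipped."""
    blocks, current, depth = {}, None, 0
    for line in (l.strip() for l in re.sub(r'#.*', '', text).splitlines()):  # assumes no '#' in secrets
        if line.endswith('{'):
            if depth == 0:
                current = blocks.setdefault(m.groups(), []) if (m := BLOCK.match(line)) else None
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 1 and current is not None and '=' in line:
            current.append(tuple(s.strip() for s in line.split('=', 1)))
    return blocks

def check(clients_conf, proxy_conf):
    """List the NAS clients whose CoA/Disconnect packets could not be proxied."""
    proxy = parse(proxy_conf)
    by_ip = {dict(kv).get('ipaddr'): name for (kind, name), kv in proxy.items()
             if kind == 'home_server' and dict(kv).get('type') == 'coa'}
    pools = {name: [v for k, v in kv if k == 'home_server']
             for (kind, name), kv in proxy.items() if kind == 'home_server_pool'}
    problems = []
    for (kind, name), kv in parse(clients_conf).items():
        c = dict(kv)
        if kind != 'client' or c.get('nas_type') == 'other':
            continue  # assumption: nas_type = other marks the Sonar entries, as on this page
        ip, server = c.get('ipaddr'), by_ip.get(c.get('ipaddr'))
        if server is None:
            problems.append(f"{name}: no coa home_server with ipaddr {ip}")
        elif server not in pools.get(ip, []):
            problems.append(f"{name}: no home_server_pool named {ip} listing {server}")
        elif server not in pools.get(c.get('coa_server'), []):
            problems.append(f"{name}: pool {c.get('coa_server')} does not list {server}")
    return problems

# Constructed sample configs: the per-IP pool for 10.220.5.2 was forgotten.
CLIENTS = "\n".join([
    "client r1 {", "ipaddr = 10.220.5.1", "nas_type = mikrotik", "coa_server = concentrators", "}",
    "client r2 {", "ipaddr = 10.220.5.2", "nas_type = mikrotik", "coa_server = concentrators", "}",
    "client sonar1 {", "ipaddr = 20.221.112.37", "nas_type = other", "}"])
PROXY = "\n".join([
    "home_server r1 {", "type = coa", "ipaddr = 10.220.5.1", "coa {", "irt = 2", "}", "}",
    "home_server r2 {", "type = coa", "ipaddr = 10.220.5.2", "}",
    "home_server_pool concentrators {", "home_server = r1", "home_server = r2", "}",
    "home_server_pool 10.220.5.1 {", "home_server = r1", "}"])
print("\n".join(check(CLIENTS, PROXY)) or "OK")
```

To run it against a live server, pass the contents of /etc/freeradius/3.0/clients.conf and proxy.conf to check() before restarting FreeRADIUS.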
