COA (Change of Authorization) from Freeradius Server

Erbug Celebi

--

There are many resources and questions/answers on this topic, but most of them are not very useful, so I decided to write this article.

Freeradius is an open source RADIUS server that is mostly used by Internet service providers, captive portals and similar deployments to perform authentication, authorization and accounting (AAA) of users. Freeradius also lets you implement your own CRM to manage your network users easily, thanks to its well-defined data structure and configuration.

When a user requests AAA, an Access-Request packet is sent from the NAS (Network Access Server) to the RADIUS server. This Access-Request may contain the following attributes:

  • NAS-IP-Address
  • NAS-Port
  • User-Name
  • Framed-IP-Address (user’s IP)
  • etc.

The end user’s AAA request comes through a NAS, and the RADIUS server returns the session context (if the user has logged in successfully) to the NAS rather than to the user. Once the user is authenticated (Access-Accept), this session context may contain the following attributes:

  • Framed-IP-Address
  • Framed-IP-Netmask
  • Mikrotik-Rate-Limit
  • Mikrotik-Group
  • Session-Timeout
  • etc.

The above information is stored on the NAS to manage the user’s session, for example allowing the user to use the assigned IP address and bandwidth (Rate-Limit).
At any given time ISP operators may need to change a user’s session context. For instance, an ISP may want to give its users more bandwidth after rush hours, e.g. after 00:00, so the user’s session context must be changed to update the download and upload rates.
There are two ways to update a user session context managed by the NAS:

  • Packet of Disconnect (PoD)
  • Change of Authorization (CoA)

Packet of Disconnect disconnects the user and lets the user request AAA again from the RADIUS server (and hence receive the updated session context). But this method breaks the user’s connections: users may lose their sessions and experience interruptions, e.g. they lose their video conference for a while until the system establishes the session again.

The second method, a CoA request, updates the user session without disconnecting the user, so it is more useful than the PoD method.

What do we need to do to make CoA work?

This section assumes that Freeradius is installed together with radclient and that both work properly with the required settings. It is also assumed that the NAS is configured properly and sends requests to Freeradius.

Configure Freeradius: you need root permission for the following configuration. Simply create a link for the coa file from sites-available to sites-enabled:

ln -s /etc/freeradius/sites-available/coa /etc/freeradius/sites-enabled/

Restart the Freeradius to load the new configuration:

service freeradius stop

service freeradius start

Configure the NAS to accept PoD and CoA messages from Freeradius. The following figure is an example from Mikrotik, accepting RADIUS messages on port 1700. This window is accessible from the Radius > Incoming section.

Example: accepting requests on port 1700

Then you can test whether your CoA works from the terminal of the Freeradius host:

echo "User-Name:=testuser124,Mikrotik-Rate-Limit:=\"10000k/12000k\"" | /usr/bin/radclient -r 1 10.0.0.60:1700 coa secret_code

Notice that the username and the rate limit are separated by a comma; the whole attribute list is enclosed in double quotation marks and the rate-limit value itself in escaped double quotation marks.

You should get the following messages once the above command has executed:

Sent CoA-Request Id 31 from 0.0.0.0:58294 to 10.0.0.60:1700 length 57
Received CoA-ACK Id 31 from 10.0.0.60:1700 to <radius_ip>:58294 length 36

This means that we have changed the download and upload rates of user testuser124 on NAS 10.0.0.60 to 10M upload and 12M download, without disconnecting the user.
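To make the exchange above concrete, here is an added Python example (not part of the original article, and not FreeRADIUS or radclient code) that builds the same CoA-Request by hand as RFC 5176 specifies, stands in for the NAS by producing the CoA-ACK, and verifies the reply's Response Authenticator. That last check is what tells you an ACK really came from a device holding the shared secret and not from anyone else on the network, so a reply that fails it should be treated like no reply at all. The Mikrotik vendor id 14988 and the Mikrotik-Rate-Limit sub-attribute number 8 are taken from the FreeRADIUS dictionary.mikrotik; the identifier 31, user name, rate limit and secret_code mirror the command above; the send_coa helper, its timeout and the status strings are this example's own choices.

```python
"""Build, answer and verify a RADIUS CoA exchange (RFC 5176) offline."""
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes defined in RFC 5176
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard attribute types (RFC 2865)
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
# Mikrotik private enterprise number and the Mikrotik-Rate-Limit vendor
# sub-attribute number, as listed in FreeRADIUS's dictionary.mikrotik
MIKROTIK_VENDOR_ID = 14988
MIKROTIK_RATE_LIMIT = 8


def avp(attr_type, value):
    """Encode one attribute: Type(1) Length(1) Value; Length covers all three."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute (type 26) in the usual
    Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value layout."""
    inner = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, inner)


def build_coa_request(identifier, secret, user_name, rate_limit):
    """Build the CoA-Request that the radclient one-liner puts on the wire.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets +
    Attributes + Secret), per RFC 5176 section 2.3."""
    attrs = avp(ATTR_USER_NAME, user_name.encode())
    attrs += vsa(MIKROTIK_VENDOR_ID, MIKROTIK_RATE_LIMIT, rate_limit.encode())
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_coa_response(code, request, secret, attrs=b""):
    """What the NAS sends back. Response Authenticator = MD5(Code + ID +
    Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_response(request, response, secret):
    """Classify a reply to `request`: 'ack', 'nak', or a reason to drop it.

    A reply whose authenticator does not verify was not produced with our
    shared secret (wrong secret on the NAS, or a forged packet)."""
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return "malformed"
    if response[1] != request[1]:
        return "id-mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "bad-authenticator"
    return {COA_ACK: "ack", COA_NAK: "nak"}.get(response[0], "unexpected-code")


def parse_attributes(packet):
    """Walk the attribute list of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("truncated attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def send_coa(nas_host, nas_port, request, secret, timeout=5.0):
    """Send `request` to the NAS over UDP and return the verified result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, nas_port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return verify_coa_response(request, response, secret)


if __name__ == "__main__":
    # Constructed values mirroring the radclient command in the article.
    secret = b"secret_code"
    req = build_coa_request(31, secret, "testuser124", "10000k/12000k")
    print("CoA-Request length", len(req), "attributes", parse_attributes(req))
    # Stand in for the NAS so the demo runs offline, once honestly, once forged.
    ack = build_coa_response(COA_ACK, req, secret)
    print("genuine ACK ->", verify_coa_response(req, ack, secret))
    forged = build_coa_response(COA_ACK, req, b"wrong_secret")
    print("ACK made with the wrong secret ->", verify_coa_response(req, forged, secret))
```

The request length depends on the attribute values, so it will not necessarily match the byte count radclient printed for the author's run. With a real NAS, `send_coa("10.0.0.60", 1700, req, secret)` performs the same exchange as the radclient command; anything other than "ack" or "nak" means the reply was missing or could not be trusted.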

Once this is successful, you can embed this feature in your application. The following code snippet can be used in a PHP application. I assume that, prior to this code, you have an SQL result set in your application that retrieves the required results (NAS IP, shared secret, username and current rates).

while ($row = mysqli_fetch_assoc($my_result)) {
    $nasname      = $row['nasip'];
    $secret       = $row['secret'];
    $user_name    = $row['uname'];
    $new_download = round($row['down'] * $ratio);
    $new_upload   = round($row['up'] * $ratio);
    // Mikrotik-Rate-Limit is "rx-rate/tx-rate", i.e. upload/download as seen from the NAS.
    $attrs = "User-Name:=\"$user_name\",Mikrotik-Rate-Limit:=\"{$new_upload}k/{$new_download}k\"";
    // escapeshellarg() keeps values read from the database from being interpreted by the shell.
    $cmd = "echo " . escapeshellarg($attrs)
         . " | /usr/bin/radclient -r 1 " . escapeshellarg($nasname . ":1700")
         . " coa " . escapeshellarg($secret);
    exec($cmd, $output, $retval);   // $output holds radclient's lines, $retval its exit code
    usleep(100);                    // sleep() only takes whole seconds; pause briefly between NASes
    echo $user_name . " CoA sent to " . $nasname . " (exit code " . $retval . ")\n";
}
