COA | Change of authorization
RFC 3576
UDP port 3766 | IEEE
>Change of authorization is used to ask NETWORK SWITCH/ROUTER/WIFI-CONTROLLER to disconnect-user, session timeout, bounce port of the existing user session on network.
>Mostly AAA server is user to record the user accounting information and based on the user activity or time the user is then disconnected from the network or session timed out.
>The Network device will send the accounting information to a AAA server.
>The AAA server keeps track of user information like Device MAC-ADDRESS, User SESSION-ID, USERNAME, FRAMED-IP-ADDRESS and more based on what it gets from accounting request.
>The radius accounting request traffic will be send only after a successful authentication.
>You could configure to send interim accounting update about the user to accounting server.This interim update can help in scenarios where you want to disconnect the user after usage of certain amount of bandwidth in network. Default time:300 Sec
#Things to remember while working on a COA setup:
>Make sure the network device is configured to except the COA request from COA server on respected port.
>NAS devices wants to see particular attriutes in COA request to identify the user session and perform COA, So sending the right attributes on COA request is important and it depends on the NAS device vendor.
>The expected COA user identification attribute might be different for a Captive portal authenticated user and Dot1.x user.
>Some vendor ignote the unsupported or unknown attributes in COA request and still ACK your COA request. However some vendor devices dont like you sending a unsupported COA attributes, so they respond with disconnect-NAK
#Here in case of Fortigate Firewall you might need to send the right COA supported attribute to identify the user session.
*supported attributes: WPA-Enterprise&UserGroup and Captive Portal supports:
USER_NAME,
FRAMED_IP_ADDRESS,
EVENT_TIMESTAMP,
MESSAGE_AUTHENTICATOR,
*User-name” and “Frame-ip” were supported in DM request and both MUST be involved, other attributes like “Calling-Station-Id”, “Called-Station-Id” could not be supported and would cause 503 error message.
*The attributes “EVENT_TIMESTAMP” and “MESSAGE_AUTHENTICATOR” are options.
*Note: Supported attributes as on the latest firmware v5.4
#In case of ARUBA MOBILIY CONTROLLER:
The mobility controller supports the following attributes for identifying the users who authenticate with an RFC 3576 server:
* user-name: Name of the user to be authenticated.
* framed-ip-address: User’s IP address.
* calling-station-id: Phone number of a station that originated a call.
* accounting-session-id: Unique accounting ID for the user session
–> Other attribute might cause 503 error.
#Other ports to Remember:
*Radus Accounting request and Response is on UDP1813
*Radius Authentication is on UDP1812
#Some snapshots attached here to see what’s there inside Disconnect-request,Disconnect-,ACK,Disconnect-NAK.
Accounting Request:
Disconnect Request:
Disconnect-ACK:
Disconnect-NAK:
If would like to look at the entire pcap, let me know I can share with your guys.
