Change of authorization and disconnect-request

In a typical RADIUS environment, the network element serves as a RADIUS client, which means the messages are originated by a routers. In some cases, such as mid-session changes, it is desirable that the RADIUS server initiates a CoA request to impose a change in policies applicable to the subscriber, as defined by RFC 3576.

To configure a RADIUS server to accept CoA and Disconnect Messages is achieved in one of the following ways:

Configure up to 64 RADIUS CoA servers per routing instance:

    config>router>radius-server#
    config>service>vprn>radius-server#
     server "coa-1" address 10.1.1.1 secret <shared-secret> hash2 create
         accept-coa
     exit

This is the preferred method.

Configure up to 16 RADIUS CoA servers per authentication policy.
```
    config>subscr-mgmt>auth-plcy#
     accept-authorization-change
```
The UDP port for CoA and Disconnect Messages is configurable per system with the command:
```
    config>aaa#
    radius-coa-port {1647|1700|1812|3799}
```

Note:

There is a priority in the functions that can be performed by CoA. The first matching one is performed:

If the CoA packet contains a Force-Renew attribute, the subscriber gets a FORCERENEW DHCP packet. This function is not supported for PPPoE or ARP hosts.
If the CoA packet contains a create-host attribute, a new lease-state is created. Only DHCP lease-states can be created by a CoA message. PPPoE sessions and ARP hosts cannot be created.
Otherwise, the ESM strings are updated.

There are several reasons for using RADIUS initiated CoA messages:

Changing ESM attributes (SLA or subscriber profiles) or queues/policers/schedulers rates of the specific subscriber host. CoA messages containing the identification of the specified subscriber-host along with new ESM attributes.
Changing (or triggering the change) of IP configuration of the specified subscriber-host. CoA messages containing the identification of the specified subscriber-host along with VSA indicating request of FORCERENEW generation.
Configuring new subscriber-host. CoA messages containing the full configuration for the specific host.

If the changes to ESM attributes are required, the RADIUS server sends CoA messages to the network element requesting the change in attributes included in the CoA request:

attributes to identify a single or multiple subscriber hosts: NAS-Port-Id + IP address/prefix or Acct-Session-Id or Alc-Subsc-ID-Str
- Nas-Port-Id attribute + single IP address/prefix attribute:
  - Framed-IP-Address
  - Alc-Ipv6-Address
  - Framed-Ipv6-Prefix
  - Delegated-Ipv6-Prefix
  - Alc-Client-Hardware-Addr (Required for private-retail subnet. For more information, see the 7450 ESS, 7750 SR, and VSR RADIUS Attributes Reference Guide.)
- Acct-Session-Id (number format)
- Alc-Subsc-ID-Str
- User-Name (Possible to use in combination with the following. For more information, see the 7450 ESS, 7750 SR, and VSR RADIUS Attributes Reference Guide.)
  - Framed-Ip-Address
  - Alc-Ipv6-Address
  - Framed-Ipv6-Prefix
  - Delegated-Ipv6-Prefix
  - Alc-Client-Hardware-Addr
alc-subscriber-profile-string
alc-sla-profile-string
alc-ancp-string
alc-app-profile-string
alc-int-dest-id-string
alc-subscriber-id-string
alc-subscriber-qos-override

Note: If the subscriber-id-string is changed while the ANCP string is explicitly set, the ANCP-string must be changed simultaneously. When changing the alc-subscriber-id-string, the lease state is temporarily duplicated, causing two identical ANCP-strings to be in the system at the same time. This is not allowed.

As a reaction to such message, the router changes the ESM settings applicable to the specified host.

If changes to the IP configuration (including the VRF-ID in the case of wholesaling) of the specified host are needed, the RADIUS server may send a CoA message containing VSA indicating request for FORCERENEW generation:

attributes to identify a single or multiple subscriber hosts: ‟NAS-Port-Id + IP address/prefix” or ‟Acct-Session-Id” or ‟Alc-Subsc-ID-Str” or ‟user-name”:
- Nas-Port-Id attribute + single IP address/prefix attribute:
  - Framed-IP-Address
  - Alc-Ipv6-Address
  - Framed-Ipv6-Prefix
  - Delegated-Ipv6-Prefix
- Acct-Session-Id (number format)
- Alc-Subsc-ID-Str
- User-Name
alc-force-renew
alc-force-nak

As a reaction to a message, router generates a DHCP FORCERENEW message for the specified subscriber host. Consequently, during the re-authentication, new configuration parameters can be populated based on attributes included in Authentication-response message. The force-NAK attribute has the same function as the Force-Renew attribute, but causes the BNG to reply with a NAK to the next DHCP renew. This invalidates the lease state on the BNG and force the client to completely recreate its lease, making it possible to update parameters that cannot be updated through normal CoA messages, such as IP address or address pool.

If the configuration of the new subscriber-host is required, RADIUS server sends a CoA message containing VSA request new host generation along with VSAs specifying all required parameters.

alc-create-host
alc-subscriber-id-string

This attribute is mandatory in case ESM is enabled, and optional for new subscriber host creation otherwise.
NAS-port-id

This attribute indicates the SAP where the host should be created.
framed-ip-address

the framed IP address
alc-client-hw-address

A string in the xx:xx:xx:xx:xx:xx format. This attribute is mandatory for new subscriber-host creation.
alc-lease-time

Specifies the lease time. If both session-timeout and alc-lease-time are not present, then a default lease time of 7 days is used.
session-timeout

Specifies the lease time in absence of the alc-lease-time attribute. If both session-timeout and alc-lease-time are not present, then a default lease time of 7 days is used.
alc-retail-svc-id

This is only used in case of wholesaling for selection of the retail service. Indicates the service-id of the required retail VPRN service configured on the system.
Optionally other VSAs describing a specified subscriber host. If the ESM is enabled, but the CoA message does not contain ESM attributes, the new host is not created.

After executing the requested action, the router element responds with an ACK or NAK message depending on the success/failure of the operation. In case of failure (and then, a NAK response), the element includes the error code in accordance with RFC 3576 definitions if an appropriate error code is available.

Supporting CoA messages has security risks as it essentially requires action to unsolicited messages from the RADIUS server. This can be primarily the case in an environment where RADIUS servers from multiple ISPs share the same aggregation network. To minimize the security risks, the following rules apply:

Support of CoA messages is disabled by default. They can be enabled on a per RADIUS server or authentication-policy basis.
When CoA is enabled, the node listens and react only to CoA messages received from RADIUS servers. In addition, CoA messages must be protected with the key corresponding to the specified RADIUS server. All other CoA messages are silently discarded.

In all cases (creation, modification, force-renew) subscriber host identification attributes are mandatory in the CoA request: ‟NAS-Port-Id + IP” or ‟Acct-Session-Id” or ‟Alc-Subsc-ID-Str” or ‟user-name”.

Nas-Port-Id + single IP address/prefix:
- Nas-Port-Id
- Framed-IP-Address
- Alc-Ipv6-Address
- Framed-Ipv6-Prefix
- Delegated-Ipv6-Prefix
- Alc-Client-Hardware-Addr (may be required for private retail subnet. For more information, see the RADIUS Attributes Reference Guide.)
Acct-Session-Id (number format)
Alc-Subsc-ID-Str
User-Name (Possible to use in combination with the following. For more information, see the 7450 ESS, 7750 SR, and VSR RADIUS Attributes Reference Guide.)
- Framed-Ip-Address
- Alc-Ipv6-Address
- Framed-Ipv6-Prefix
- Delegated-Ipv6-Prefix
- Alc-Client-Hardware-Addr

When there are no subscriber host identification attributes present in the CoA, the message is NAK’d with corresponding error code.

Receiving CoA message with the same attributes as currently applicable to the specified host responds with an ACK message.
In case of dual homing (through SRRP), the RADIUS server should send CoA messages to both redundant nodes and this with all corresponding attributes (NAS-port-id with its local meaning to corresponding node).
In the case of change requests, the node which has the specified host active (active SAP or SAP associated with a group interface in SRRP master state) processes the RADIUS message and reply to RADIUS. The standby node always replies with a NAK.
In the case of create requests, the active node (the SAP described by NAS-port-id is active or associated with a group-interface in SRRP master state). Both nodes reply, but the standby NAKs the request.

The properties of an existing RADIUS-authenticated PPPoE session can be changed by sending a Change of Authorization (CoA) message from the RADIUS server. Processing of a CoA is done in the same way as for DHCP hosts, with the exception that only the ESM settings can be changed for a PPPoE session (the Force-Renew attribute is not supported for PPPoE sessions and a Create-Host CoA always generates a DHCP host).

For terminating PPPoE sessions from the RADIUS server, the disconnect-request message can be sent from the RADIUS server. This message triggers a shut down of the PPPoE session. The attributes needed to identify the PPPoE session are the same as for DHCP hosts.