
RADIUS CoA/DM

The device supports the RADIUS Change of Authorization (CoA) and Disconnect Message (DM) functions. CoA provides a mechanism to change the rights of online users, and DM provides a mechanism to forcibly disconnect users. This section contains the following contents:

RADIUS CoA/DM packet

Table 1 describes the types of CoA/DM packets.

Table 1 RADIUS CoA/DM packets

Packet Name | Description
CoA-Request | When an administrator needs to modify the rights of an online user (for example, to prohibit the user from accessing a website), the RADIUS server sends this packet to the RADIUS client, requesting the client to modify the user rights.
CoA-ACK | If the RADIUS client successfully modifies the user rights, it returns this packet to the RADIUS server.
CoA-NAK | If the RADIUS client fails to modify the user rights, it returns this packet to the RADIUS server.
DM-Request | When an administrator needs to disconnect a user, the server sends this packet to the RADIUS client, requesting the client to disconnect the user.
DM-ACK | If the RADIUS client has disconnected the user, it returns this packet to the RADIUS server.
DM-NAK | If the RADIUS client fails to disconnect the user, it returns this packet to the RADIUS server.

Exchange Procedure

CoA allows the administrator to change the rights of an online user or perform reauthentication for the user through RADIUS after the user passes authentication. Figure 1 shows the CoA interaction process.

Figure 1 CoA interaction process

  1. The RADIUS server sends a CoA-Request packet to the device according to service information, requesting the device to modify user authorization information. This packet can contain authorization information including the ACL.
  2. Upon receiving the CoA-Request packet, the device performs a match check between the packet and user information on the device to identify the user. If the match succeeds, the device modifies authorization information of the user. Otherwise, the device retains the original authorization information of the user.
  3. The device returns a CoA-ACK or CoA-NAK packet as follows:
    • If authorization information is successfully modified, the device sends a CoA-ACK packet to the RADIUS server.
    • If authorization information fails to be modified, the device sends a CoA-NAK packet to the RADIUS server.

When a user needs to be disconnected forcibly, the RADIUS server sends a DM packet to the device. Figure 2 shows the DM interaction process.

Figure 2 DM interaction process

  1. The administrator forcibly disconnects a user on the RADIUS server. The RADIUS server sends a DM-Request packet to the device, requesting the device to disconnect the user.
  2. Upon receiving the DM-Request packet, the device performs a match check between the packet and user information on the device to identify the user. If the match succeeds, the user is notified to go offline. Otherwise, the user remains online.
  3. The device returns a DM-ACK or DM-NAK packet as follows:
    • If the user successfully goes offline, the device sends a DM-ACK packet to the RADIUS server.
    • Otherwise, the device sends a DM-NAK packet to the RADIUS server.

Unlike authorization of an online user or a user proactively going offline, in the CoA/DM process the server sends the request packet and the device sends the response packet. If CoA/DM succeeds, the device returns an ACK packet; otherwise, it returns a NAK packet.

Session Identification

Each service provided by the NAS to a user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended.

After the device receives a CoA-Request or DM-Request packet from the RADIUS server, it identifies the user based on RADIUS attributes carried in the packet. The following RADIUS attributes can be used to identify users:
  • User-Name (IETF attribute #1)
  • Acct-Session-ID (IETF attribute #4)
  • Framed-IP-Address (IETF attribute #8)
  • Calling-Station-Id (IETF attribute #31)

The match methods are as follows:

  • any method

    The device performs a match check between a single attribute and user information on the device. The identifying attributes are checked in the following priority order: Acct-Session-ID (4) > Calling-Station-Id (31) > Framed-IP-Address (8). The device searches the request packet for these attributes in that order and performs a match check between the first attribute found and user information on the device. If the attribute is successfully matched, the device responds with an ACK packet; otherwise, the device responds with a NAK packet.

  • all method

    The device performs a match check between all identifying attributes and user information on the device. The identifying attributes are Acct-Session-ID (4), Calling-Station-Id (31), Framed-IP-Address (8), and User-Name (1). The device performs a match check between all of these attributes in the request packet and user information on the device. Only if all of them are successfully matched does the device respond with an ACK packet; otherwise, the device responds with a NAK packet.

Error Code Description

When the CoA-Request or DM-Request packet from the RADIUS server fails to match user information on the device, the device describes the failure cause using the error code in the CoA-NAK or DM-NAK packet. For the error code description, see Table 2 and Table 3.

Table 2 Error codes in a CoA-NAK packet

Name | Value | Description
RD_DM_ERRCODE_MISSING_ATTRIBUTE | 402 | The request packet lacks key attributes, so the integrity check of the RADIUS attributes fails.
RD_DM_ERRCODE_INVALID_REQUEST | 404 | Parsing the attributes in the request packet fails.
RD_DM_ERRCODE_INVALID_ATTRIBUTE_VALUE | 407 | The request packet contains attributes that the device does not support or that do not exist, so the attribute check fails. See the note on error code 407 below.
RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND | 503 | The session request fails. See the note on error code 503 below.
RD_DM_ERRCODE_RESOURCES_UNAVAILABLE | 506 | This error code is used for other authorization failures.

Note on error code 407: Contents of the authorization check include VLAN, ACL, CAR, number of the ACL used for redirection, and whether the Huawei RADIUS extended attributes RD_hw_URL_Flag and RD_hw_Portal_URL can be authorized to the interface-based authenticated user. Errors that may occur are as follows:
  • The authorized service scheme does not exist.
  • The authorized QoS profile does not exist, or no user queue is configured in the QoS profile.
  • The authorized values of upstream and downstream priorities exceed the maximum values.
  • The authorized index value of the UCL group is not within the specification.
  • The ISP VLAN and outbound interface information are incorrectly parsed.
  • Reauthentication attributes and other attributes are authorized simultaneously.

Note on error code 503: The cause includes one of the following:
  • Authorization for the current request user is being processed.
  • The temporary RADIUS table fails to be requested.
  • User information does not match, or no user is found.
  • The user is a non-RADIUS authentication user.

Table 3 Error codes in a DM-NAK packet

Name | Value | Description
RD_DM_ERRCODE_INVALID_REQUEST | 404 | Parsing the attributes in the request packet fails.
RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE | 504 | The user fails to be deleted, or the user does not exist.
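The following added example (not Huawei's code) models the NAS-side handling described in the Session Identification and Error Code sections: it identifies a user with the "any" or "all" match method and answers ACK, or NAK with the code from Table 2 or Table 3. The session table is constructed, Filter-Id (11) is assumed as the authorized ACL attribute, and the "all" method is assumed to check only the identifying attributes that the request carries.

```python
# RADIUS IETF attribute numbers named on the page.
USER_NAME, ACCT_SESSION_ID, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31
ANY_PRIORITY = (ACCT_SESSION_ID, CALLING_STATION_ID, FRAMED_IP_ADDRESS)  # "any" order
ALL_ATTRS = ANY_PRIORITY + (USER_NAME,)                                  # "all" set

# NAK error codes from Table 2 (CoA) and Table 3 (DM).
COA_MISSING_ATTRIBUTE = 402
COA_SESSION_CONTEXT_NOT_FOUND = 503
DM_SESSION_CONTEXT_NOT_REMOVABLE = 504

def make_sessions():
    """Constructed online-user table: one dict (attribute number -> value) per session."""
    return [
        {USER_NAME: "alice", ACCT_SESSION_ID: "s-0001",
         FRAMED_IP_ADDRESS: "10.0.0.5", CALLING_STATION_ID: "00-11-22-33-44-55"},
        {USER_NAME: "bob", ACCT_SESSION_ID: "s-0002",
         FRAMED_IP_ADDRESS: "10.0.0.6", CALLING_STATION_ID: "00-11-22-33-44-66"},
    ]

def match_any(sessions, request):
    """Match on the highest-priority identifying attribute present; others are ignored."""
    for attr in ANY_PRIORITY:
        if attr in request:
            return [s for s in sessions if s[attr] == request[attr]]
    return []  # no identifying attribute carried

def match_all(sessions, request):
    """Every identifying attribute carried in the request must match (assumption:
    attributes absent from the request are not checked)."""
    present = [a for a in ALL_ATTRS if a in request]
    if not present:
        return []
    return [s for s in sessions if all(s[a] == request[a] for a in present)]

def handle_request(kind, sessions, request, method="any"):
    """Process a CoA or DM request. Returns ('ACK', None) or ('NAK', error_code).
    CoA-ACK updates the matched session with the non-identifying (authorization)
    attributes in place; DM-ACK removes the matched session."""
    if kind == "CoA" and not any(a in request for a in ALL_ATTRS):
        return ("NAK", COA_MISSING_ATTRIBUTE)  # 402: key attributes missing
    hits = match_any(sessions, request) if method == "any" else match_all(sessions, request)
    if not hits:
        # 503 "no user is found" for CoA, 504 "user does not exist" for DM
        return ("NAK", COA_SESSION_CONTEXT_NOT_FOUND if kind == "CoA"
                else DM_SESSION_CONTEXT_NOT_REMOVABLE)
    for session in hits:
        if kind == "DM":
            sessions.remove(session)
        else:
            session.update({k: v for k, v in request.items() if k not in ALL_ATTRS})
    return ("ACK", None)
```

Under the "any" method a stale Framed-IP-Address in the request is ignored once Acct-Session-ID is present, whereas the "all" method turns the same request into a NAK.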
Copyright © Huawei Technologies Co., Ltd.