Tal
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Jun 17, 2015 2:17 am

What is CoA (Radius Incoming), and how is it configured?

Thu Nov 10, 2016 9:51 pm

At work, for the past few weeks, we have been looking into using the User Manager for managing hotspots on customer premises. There is a lot we have figured out, but one thing we aren't sure about is the "CoA support" option in the User Manager under "Routers".

1. What does it do? Do we need it?

We also noticed that the NAS (router) devices also have an "incoming radius" port that you can configure in RouterOS. Our guess is that:

When you configure an incoming radius port on the User Manager, the NAS devices can send it messages like "this user just logged out - stop his login timers".

When you configure an incoming radius port on the NAS, the User Manager can send it messages like "this user's active profile just changed, so if he's already logged in, update it".

Does this sound right?

2. How does one configure it? When you set the "CoA port" on the User Manager, or the incoming radius port on the NAS, how does the other end know which port you set?
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: What is CoA (Radius Incoming), and how is it configured?

Fri Nov 11, 2016 6:28 am

To what CoA is, you are mostly correct.

CoA is 'Change of Authorisation', meaning it's the RADIUS server (User Manager in your use case) that tells the NAS (router) that the authorisation parameters have changed. This could be to say Auth is no longer valid, or to set shaping policy to something different (good for on peak/off peak / over quota shaping).

I honestly haven't used User Manager, so I can't be sure how to configure CoA to talk back to the NAS, but it should be a configuration option somewhere, or User Manager uses a default port that may be in the documentation, which you'll have to configure the NAS to.
 
Tal
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Jun 17, 2015 2:17 am

Re: What is CoA (Radius Incoming), and how is it configured?

Mon Nov 14, 2016 9:31 pm

I don't suppose Radius Accounting Port is the same thing as CoA, is it?

On a NAS, under Radius --> New Radius Server, you can set 2 things:

1. Authentication Port
2. Accounting Port

Is it possible that the "Radius Incoming" port is set up on the server, and the Accounting Port is set up on the client to tell it which port on the server to connect to?

It's either that, or the NAS gets configured using Winbox (Radius --> Incoming --> Port) and the User Manager gets configured through the User Manager web interface (Routers --> Your NAS --> Radius Incoming --> CoA Port).

Or am I totally off?
 
Tal
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Jun 17, 2015 2:17 am

Re: What is CoA (Radius Incoming), and how is it configured?

Mon Nov 14, 2016 10:52 pm

Tested - it appears that the second theory was correct.

On the User Manager:

User Manager --> Routers --> YOUR NAS --> Radius Incoming --> CoA port

This is the UDP port the User Manager will send the CoA packets to (destination port).

On the NAS:

Radius --> Incoming --> Port

This is the UDP port that will be listening for CoA packets.

===

To verify, I created a user, logged in as the user on a client device (behind the NAS), and disabled the user on the User Manager.
I can see a single packet being sent from the User Manager to the NAS destined to the configured port, and immediately after, the client is forcefully logged out.
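
A packet like the one seen in the test above can be decoded offline and checked against the RADIUS shared secret, which is what the NAS relies on to trust a message arriving on its incoming port. The following is an added example, not part of the original posts or of MikroTik's code; it follows the RFC 5176 request format, and the shared secret, user name and sample packet are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RFC 5176 request codes a NAS accepts on its incoming (CoA) port
REQUEST_CODES = {40: "Disconnect-Request", 43: "CoA-Request"}

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs

def inspect_coa(payload, secret):
    """Decode one captured UDP payload and verify its Request Authenticator."""
    if len(payload) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in REQUEST_CODES:
        raise ValueError("not a CoA or Disconnect request")
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    attr_bytes = payload[20:length]
    expected = request_authenticator(code, ident, attr_bytes, secret)
    return {"code": REQUEST_CODES[code], "id": ident,
            "attributes": parse_attributes(attr_bytes),
            "authenticator_ok": hmac.compare_digest(expected, payload[4:20])}

# Constructed sample: Disconnect-Request with User-Name (type 1), placeholder secret
SECRET = b"example-secret"
_name = b"hotspot-user"
_attrs = bytes([1, 2 + len(_name)]) + _name
SAMPLE = (struct.pack("!BBH", 40, 7, 20 + len(_attrs))
          + request_authenticator(40, 7, _attrs, SECRET) + _attrs)
```

An `authenticator_ok` of `False` on a captured request means the sender did not hold the secret configured on the NAS, or the packet was altered in transit.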
