I am attempting to use a CoA request to change the Session-Timeout of a radius session. This session is tied to a DHCP lease. The purpose for this is that I want to tie our Billing system to our Radius server, and use a disconnect request to disable delinquent accounts. Currently we are using PPP, and we are trying to move away from PPP as it scales poorly as the network increases in size. The desired behavior is as follows:
DHCP Lease time → Short, Device has to renew on a short interval
Radius Session Time → Long, Radius does not re-authenticate unless updates are made to the account
When a device authenticates it is added to one of two address lists which either allows the user to browse normally, or redirects the user to a billing page if their account is delinquent.
This works fine when I simply set a short Radius Session-Timeout; however, I would like to avoid this method, as it would cause a user to get disconnected if for some reason the router is unable to authenticate. This could result in unwanted session drops.
When an account is disabled I would like to send a CoA request to the router to change the Session-Timeout, which appears to be supported:
https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Change_of_Authorization
I have found other people doing the same thing, and it appears to work. One of the most similar cases can be found here:
http://forum.mikrotik.com/t/dhcp-radius-renew-does-not-check-radius/114793/1
When the lease is handed out the device is authorized via its MAC address to a radius server:
From the logs on the router:
sending Access-Request with id 20 to 172.28.32.191:1812
Called-Station-Id = "D-DATA"
Calling-Station-Id = "1:24:a4:3c:fa:d1:2d"
Framed-IP-Address = 10.120.0.254
Framed-Pool = "DHCP-POOL"
MT-Address-List = "ENABLE_LIST"
MT-Realm = 1145586512
NAS-IP-Address = 10.99.223.254
NAS-Identifier = "DEVBENCH-BASE"
NAS-Port = 2204106964
NAS-Port-Type = 15
Session-Timeout = 60
Signature = 0x4f09a5ab4badf36a459ea5388c6462df
Signature = 0x3189544e441c355c666e3b1131035eb3
User-Name = "24:A4:3C:FA:D1:2D"
User-Password = 0x
User-Password = 0x
received Access-Accept with id 26 from 172.28.32.191:1812
received reply for 17:4642
sending 17:4642 to 172.28.32.191:1812
The session is created just fine, and I can see the session on my FreeRadius server. I also see a DHCP lease created and the device is added to the appropriate address list.
I then try to send a CoA request to the Mikrotik router to try to force the session to authenticate again. In one case I found the advice that a longer lease time than the original lease time has to be provided; I have also seen the suggestion that a shorter lease time is needed. I have tried both, but it looks like the request fails well before this point is reached. I attempt to send a disconnect request as follows:
# build the attribute list radclient reads from stdin (one attribute per line)
echo > packet.txt
echo "Acct-Session-Id='836000d4'" >> packet.txt
echo "User-Name='24:A4:3C:FA:D1:2D'" >> packet.txt
echo "Framed-IP-Address='10.120.0.254'" >> packet.txt
echo "Session-Timeout='10'" >> packet.txt
# -s prints a summary, -x enables debug output; 1700 is the CoA/Disconnect port, radtest the shared secret
cat packet.txt | radclient -s -x 10.99.223.254:1700 disconnect radtest
Where I get the response:
Sent Disconnect-Request Id 157 from 0.0.0.0:35828 to 10.99.223.254:1700 length 55
Acct-Session-Id = "836000d4"
User-Name = "24:A4:3C:FA:D1:2D"
Framed-IP-Address = 10.120.0.254
Received Disconnect-NAK Id 157 from 10.99.223.254:1700 to 0.0.0.0:0 length 41
Error-Cause = Unsupported-Extension
NAS-Identifier = "DEVBENCH-BASE"
(0) -: Expected Disconnect-ACK got Disconnect-NAK
Packet summary:
Accepted : 0
Rejected : 1
Lost : 0
Passed filter : 0
Failed filter : 1
In the logs of the router I get the following entries:
Acct-Session-Id = "836000d4"
Error-Cause = 406
Framed-IP-Address = 10.120.0.254
NAS-Identifier = "DEVBENCH-BASE"
Signature = 0xc4d92bf83d3f2b530c202bd51fc55a39
Signature = 0x7fc349078b2e1430563eaeb6d9244410
User-Name = "24:A4:3C:FA:D1:2D"
User-Password = 0x
new request 17:467b code=Access-Request service=dhcp called-id=D-DATA
received Access-Accept with id 46 from 172.28.32.191:1812
received reply for 17:467e
sending 17:4681 to 172.28.32.191:1812
sending Access-Request with id 47 to 172.28.32.191:1812
The 406 error means that the Extension is not supported:
https://freeradius.org/rfc/rfc5176.html
I found it suggested that I am missing information in my disconnect request, and I tried adding additional data to my request, for example NAS-IP-Address, etc. However, adding more data to the request did not change this behavior.
Has anyone found a way to update a Session-Timeout for a radius session created for a DHCP Lease?
Thank you for any assistance.
-Haniel Goertz
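The exchange above, rebuilt offline as an added example (this is not code from the post, from MikroTik or from FreeRADIUS): it encodes the same attributes into an RFC 5176 packet, computes the Request Authenticator the way radclient does (MD5 over the header, sixteen zero octets, the attributes and the shared secret), simulates the NAS reply, and checks the Response Authenticator before trusting the Error-Cause. Two things it makes visible: a Disconnect-Request carrying only Acct-Session-Id, User-Name and Framed-IP-Address encodes to 55 bytes and a NAK with Error-Cause plus NAS-Identifier "DEVBENCH-BASE" to 41 bytes, the lengths radclient printed, so Session-Timeout was not in the packet that was sent; and Session-Timeout belongs in a CoA-Request (code 43, radclient's coa command), whereas disconnect sends code 40. The shared secret "radtest" is a placeholder copied from the command line, and the NAK is constructed, not captured.

```python
"""Offline builder/checker for RFC 5176 Disconnect and CoA packets (stdlib only)."""
import hashlib
import hmac
import ipaddress
import struct

# Packet codes, RFC 5176 section 2.1
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Standard attribute numbers (RFC 2865, RFC 2866, RFC 5176); only the ones used here
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Session-Timeout": 27,
        "NAS-Identifier": 32, "Acct-Session-Id": 44, "Error-Cause": 101}
ATTR_BY_TYPE = {num: name for name, num in ATTR.items()}
INTEGER_ATTRS = {"Session-Timeout", "Error-Cause"}
IPADDR_ATTRS = {"Framed-IP-Address"}

# Error-Cause values, RFC 5176 section 3.5
ERROR_CAUSE = {401: "Residual-Session-Context-Removed", 402: "Invalid-EAP-Packet",
               403: "Unsupported-Attribute", 404: "Missing-Attribute",
               405: "NAS-Identification-Mismatch", 406: "Unsupported-Extension",
               407: "Invalid-Attribute-Value", 501: "Administratively-Prohibited",
               502: "Request-Not-Routable", 503: "Session-Context-Not-Found",
               504: "Session-Context-Not-Removable", 505: "Other-Proxy-Processing-Error",
               506: "Resources-Unavailable", 507: "Request-Initiated",
               508: "Multiple-Session-Selection-Unsupported"}


def encode_attrs(attrs):
    """Encode (name, value) pairs as RADIUS type/length/value triplets."""
    out = b""
    for name, value in attrs:
        if name in INTEGER_ATTRS:
            data = struct.pack("!I", int(value))
        elif name in IPADDR_ATTRS:
            data = ipaddress.IPv4Address(value).packed
        else:
            data = str(value).encode()
        out += struct.pack("!BB", ATTR[name], 2 + len(data)) + data
    return out


def decode_attrs(payload):
    """Decode TLVs into a dict; attribute numbers not in ATTR are keyed by number."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        data = payload[i + 2:i + alen]
        name = ATTR_BY_TYPE.get(atype, atype)
        if name in INTEGER_ATTRS:
            attrs[name] = struct.unpack("!I", data)[0]
        elif name in IPADDR_ATTRS:
            attrs[name] = str(ipaddress.IPv4Address(data))
        else:
            attrs[name] = data.decode(errors="replace")
        i += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """Client side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def check_response(request, response, secret):
    """Validate a NAS reply against the request we sent before reading its attributes.
    Returns (ok, code, attrs); a wrong ID, length or authenticator gives ok=False."""
    if len(response) < 20 or response[1] != request[1]:
        return False, None, {}
    code, length = response[0], struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False, code, {}
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, code, {}
    attrs = decode_attrs(response[20:])
    if "Error-Cause" in attrs:
        attrs["Error-Cause-Name"] = ERROR_CAUSE.get(attrs["Error-Cause"], "Unknown")
    return True, code, attrs


if __name__ == "__main__":
    # Constructed sample: the session from the post as a CoA-Request with Session-Timeout,
    # followed by a simulated NAK carrying Error-Cause 406 (not a captured reply).
    secret = b"radtest"  # placeholder, taken from the radclient command line
    req = build_request(COA_REQUEST, 157, [("Acct-Session-Id", "836000d4"),
                                           ("User-Name", "24:A4:3C:FA:D1:2D"),
                                           ("Framed-IP-Address", "10.120.0.254"),
                                           ("Session-Timeout", 10)], secret)
    nak = build_response(COA_NAK, req, [("Error-Cause", 406),
                                        ("NAS-Identifier", "DEVBENCH-BASE")], secret)
    print(len(req), check_response(req, nak, secret))
```

Checking the Response Authenticator with the shared secret, as check_response does, is what lets a billing integration distinguish a NAK from the router from a spoofed one on the CoA port; radclient performs the same check, which is why it reports Error-Cause rather than silently accepting the reply.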