Change of Authorization (CoA)
Important
The Change of Authorization (CoA) is disabled by default.
In order to enable this feature you have it enable it via global setting or from the admin interface.
The openwisp-radius module supports the Change of Authorization (CoA) specification of the RADIUS protocol described in RFC 5176.
Whenever the RADIUS Group of a user is changed, openwisp-radius updates the NAS with the user’s latest RADIUS Attributes. This is achieved by sending CoA RADIUS packet to NAS for all open RADIUS sessions of the user. This allows enforcing RADIUS limits without requiring the user to re-authenticate with the NAS.
The CoA RADIUS packet contains the RADIUS Attributes defined in the new RADIUS Group of the user. If the new RADIUS Group does not specify any attributes, the CoA RADIUS packet will unset the attributes set by the previous RADIUS Group.
Consider the following example with two RADIUS Groups:
RADIUS Group Name |
RADIUS Group Checks |
||||||
users |
|
||||||
power-users |
Note: This group intentionally does not define any limits. |
A user, Jane is assigned users RADIUS Group and is currently using the
network, i.e. has an open RADIUS session. The administrator of the system
decided to upgrade the RADIUS Group of Jane to power-users, allowing
Jane to use the network without any limits. Without CoA, Jane will have to
logout of the captive portal (NAS) and log-in again to browse the network
without any limits. But when CoA is enabled in openwisp-radius, openwisp-radius
will update the NAS with the limits defined in Jane’s new RADIUS Group. In this
case, openwisp-radius will tell the NAS to unset the limits that were configured
by the previous RADIUS Group.
If the system administrators later decided to downgrade the RADIUS Group
of Jane to users, hence enforcing limits to the usage of the network,
openwisp-radius will update the NAS with the limits defined for the users
group for all active RADIUS sessions if CoA is enabled in openwisp-radius.