RADIUS-Initiated Change of Authorization (CoA) Overview
The AAA Service Framework uses CoA messages to dynamically modify active subscriber sessions. For example, RADIUS attributes in CoA messages might instruct the framework to create, modify, or terminate a subscriber service.
CoA Messages
Dynamic request support enables the router to receive and process unsolicited CoA messages from external RADIUS servers. RADIUS-initiated CoA messages use the following codes in request and response messages:
- CoA-Request (43)
- CoA-ACK (44)
- CoA-NAK (45)
Qualifications for Change of Authorization
To complete the change of authorization for a user, you specify identification attributes and session attributes. The identification attributes identify the subscriber. Session attributes specify the operation (activation or deactivation) to perform on the subscriber’s session and also include any client attributes for the session (for example, QoS attributes). The AAA Service Framework handles the actual request.
Table 1 shows the identification attributes for CoA operations.
Note: Using the Acct-Session-ID attribute to identify the subscriber session is more explicit than using the User-Name attribute. When you use the Acct-Session-ID, the attribute identifies the specific subscriber and session. When you use the User-Name as the identifier, the CoA operation is applied to the first session that was logged in with the specified username. However, because a subscriber might have multiple sessions associated with the same username, the first session might not be the correct session for the CoA operation.
Table 1: Identification Attributes
Attribute | Description |
---|---|
User-Name [RADIUS attribute 1] | Subscriber username. |
Acct-Session-ID [RADIUS attribute 44] | Specific subscriber and session. |
Table 2 shows the session attributes for CoA operations. Any additional client attributes that you include depend on your particular session requirements.
Table 2: Session Attributes
Attribute | Description |
---|---|
Activate-Service [Juniper Networks VSA 26–65] | Service to activate for the subscriber. |
Deactivate-Service [Juniper Networks VSA 26–66] | Service to deactivate for the subscriber. |
Message Exchange
The RADIUS server and the AAA Service Framework on the router exchange messages using UDP. The CoA-Request message sent by the RADIUS server has the same format as the Disconnect-Request packet that is sent for a disconnect operation.
The response is either a CoA-ACK or a CoA-NAK message:
- If the AAA Service Framework successfully changes the authorization, the response is a RADIUS-formatted packet with a CoA-ACK message, and the data filter is applied to the session.
- If the AAA Service Framework is unsuccessful, the request is malformed, or attributes are missing, the response is a RADIUS-formatted packet with a CoA-NAK message.
Note: The AAA Service Framework processes one dynamic request at a time per subscriber. If the framework receives a second dynamic request (either another CoA or a Disconnect-Request) while processing a previous request for the same subscriber, the framework responds with a CoA-NAK message.
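The following Python sketch is an added example, not Juniper code. It models how a receiver can validate an unsolicited CoA-Request and choose between CoA-ACK and CoA-NAK under the rules above. Assumptions not taken from this page: the vendor ID 4874, the RFC 5176 Request Authenticator check (packets that fail it are dropped, not answered), and the hypothetical `busy` set of subscribers with a request already in progress.

```python
import hashlib, hmac, struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45           # codes listed on the page
USER_NAME, VENDOR_SPECIFIC, ACCT_SESSION_ID = 1, 26, 44
ACTIVATE, DEACTIVATE = 65, 66                        # Juniper VSA 26-65 / 26-66
VENDOR = struct.pack("!I", 4874)  # assumption: vendor ID is not given on the page

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def vsa(t, value):
    return attr(VENDOR_SPECIFIC, VENDOR + attr(t, value))

def build_request(ident, attrs, secret):
    # Constructed test packet; authenticator per RFC 5176 (assumption):
    # MD5(code | id | length | 16 zero octets | attributes | secret)
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def parse_attrs(data):
    found = {}
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("bad attribute length")
        t, value, data = data[0], data[2:data[1]], data[data[1]:]
        if t == VENDOR_SPECIFIC and len(value) >= 6 and value[:4] == VENDOR:
            t = (VENDOR_SPECIFIC, value[4])          # key VSAs by vendor type
        found.setdefault(t, value)                   # value kept as opaque bytes
    return found

def evaluate(packet, secret, busy=()):
    """Return (code, reason); code is None when the packet is dropped."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return None, "not a CoA-Request"
    head, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):      # constant-time comparison
        return None, "bad authenticator"
    try:
        if struct.unpack("!H", head[2:])[0] != len(packet):
            raise ValueError("length mismatch")
        a = parse_attrs(body)
    except ValueError as e:
        return COA_NAK, f"malformed: {e}"
    ident = a.get(ACCT_SESSION_ID) or a.get(USER_NAME)
    has_op = any((VENDOR_SPECIFIC, t) in a for t in (ACTIVATE, DEACTIVATE))
    if ident is None or not has_op:
        return COA_NAK, "missing attributes"
    if ident in busy:                                # one request at a time
        return COA_NAK, "request already in progress"
    note = "" if ACCT_SESSION_ID in a else " (User-Name only: first matching session)"
    return COA_ACK, "ok" + note
```

A CoA-ACK here means only that the request passed these checks; the service change itself is performed by the AAA Service Framework.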