Change of Authorization

Change of Authorization requests are sent from the DA initiator to the DA controller when it is determined that a session's authorization parameters are to be changed. The request is sent to UDP port 3799.

When a Change-of-Authorization (CoA) packet is received, the DA controller first determines whether it is an authorized request from a configured server. The packet's source IP address is checked for a match against the configured Dynamic Authorization Servers. If the source IP address has not been configured, the request is dropped immediately with no further validation. If the IP address is present in the configuration, the Message-Authenticator attribute is validated as indicated in RFC2869. If validation fails, the packet is dropped with no further processing. If the packet is determined to be a retry, it is also dropped with no further processing.

The message indicates which DA controller it is for, as well as which session should be terminated. If the DA controller indicated by the attributes included in the packet does not match the receiver, the request is answered with a Change-of-Authorization-NAK. The DA controller that receives this RADIUS extension packet identifies the session(s) using the attributes provided and attempts to change the user's authorization level as newly defined in the request packet.

DA Controller Identification

The DA controller is identified for CoA Requests in the same way that Disconnect Request identification occurs.

User Session Identification

Session identification for CoA occurs in the same way as for Disconnect Requests.

Supported Authorization Attributes

Policy authorization levels can be changed using this functionality. The attributes are the same ones used to define the initial authorization level of a session when it is authenticated by the DA controller. Processing these attributes results in the same authorization conditions that would have applied had they been received as the initial authorization level.
  • Filter-Id—Identifies the name of the policy profile that is used for the session.
  • RFC3580 Attributes—Three attributes are used to determine the RFC3580 authorization levels: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id. These values are used in concert with local policy settings to determine both the correct policy profile and the VLAN settings for the session.

Change-of-Authorization Responses

If the CoA request is of the appropriate format, matching session(s) are found, and their authorization levels are changed successfully, a Change-Of-Authorization-Ack is sent in response. If the attributes in the packet are not all understood in this context, or do not result in a matching DA controller and session, the DA controller sends a Change-Of-Authorization-NAK in response. If the DA controller is unable to change the matching session(s)' authorization level for any reason, a Change-Of-Authorization-NAK is likewise sent in response.
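The receive path described in this section (source-address check, Message-Authenticator validation, retry detection, DA controller and session matching, then Change-Of-Authorization-Ack or -NAK, with Filter-Id and the RFC3580 tunnel attributes applied to the matched session) as an added Python example. This is not the vendor's implementation. It uses the RFC 5176 packet codes for CoA-Request/ACK/NAK (43, 44, 45) and the standard RADIUS attribute numbers from RFCs 2865, 2868, 2869 and 5176; the DA server list, shared secret, NAS address and session table are constructed for the example. One point of detail: for a CoA-Request, RFC 5176 section 2.3 specifies that the Message-Authenticator HMAC is computed with the Request Authenticator field zeroed (as well as the attribute itself), whereas the Access-Request rule in RFC 2869 includes the Request Authenticator; the code follows the RFC 5176 rule.

```python
import hashlib
import hmac
import socket
import struct

# Packet codes (RFC 5176) and attribute types (RFC 2865, 2868, 2869, 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
NAS_IP_ADDRESS, FILTER_ID, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 4, 11, 44, 80, 101
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ERR_SESSION_CONTEXT_NOT_FOUND, TUNNEL_VLAN, MEDIUM_802 = 503, 13, 6  # RFC 5176 Error-Cause; RFC 3580 VLAN values

# Constructed configuration: the Dynamic Authorization Servers this controller trusts, keyed by source IP.
DA_SERVERS = {"192.0.2.10": b"constructed-shared-secret"}
# Constructed local state: this DA controller's NAS address and one authenticated session.
LOCAL_NAS_IP = "198.51.100.1"
SESSIONS = {b"sess-0001": {"policy": "Guest", "vlan": 100}}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(blob):
    """Parse RADIUS TLVs, rejecting a length octet that would run past the packet."""
    attrs = []
    while blob:
        if len(blob) < 2 or not 2 <= blob[1] <= len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[0], blob[2:blob[1]]))
        blob = blob[blob[1]:]
    return attrs

def build_coa_request(ident, attrs, secret):
    """Build a CoA-Request as a DA initiator does (RFC 5176 section 2.3)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # Message-Authenticator: HMAC-MD5 over the packet with Request Authenticator and the attribute both zeroed.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Request Authenticator: MD5(Code | ID | Length | 16 zero octets | Attributes | secret).
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body

def verify_message_authenticator(header, attr_list, secret):
    """Recompute the HMAC with Request Authenticator and Message-Authenticator both zeroed; compare in constant time."""
    found = dict(attr_list).get(MESSAGE_AUTHENTICATOR)
    if found is None or len(found) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attr_list])
    expected = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, found)

def build_response(code, ident, req_auth, attrs, secret):
    """CoA-ACK/NAK: Response Authenticator = MD5(Code | ID | Length | Request Authenticator | Attributes | secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def vlan_from_rfc3580(attrs):
    """VLAN from the RFC 3580 triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-Id), else None."""
    def untag(v):  # RFC 2868: a leading octet of 0x00..0x1F is a tag, otherwise it is data
        return v[1:] if v and v[0] <= 0x1F else v
    try:
        ttype = int.from_bytes(untag(attrs[TUNNEL_TYPE])[-3:], "big")
        medium = int.from_bytes(untag(attrs[TUNNEL_MEDIUM_TYPE])[-3:], "big")
        group = untag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode()
    except (KeyError, UnicodeDecodeError):
        return None
    return int(group) if (ttype, medium) == (TUNNEL_VLAN, MEDIUM_802) and group.isdigit() else None

def handle_coa(src_ip, pkt, seen):
    """Process one datagram received on UDP/3799; returns (disposition, response packet or None)."""
    secret = DA_SERVERS.get(src_ip)
    if secret is None:                       # not a configured DA server: drop without further validation
        return "dropped: unconfigured source", None
    try:
        if len(pkt) < 20 or pkt[0] != COA_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            raise ValueError("bad header")
        attr_list = decode_attrs(pkt[20:])
    except ValueError:
        return "dropped: malformed", None
    if not verify_message_authenticator(pkt[:4], attr_list, secret):
        return "dropped: bad Message-Authenticator", None
    ident, req_auth = pkt[1], pkt[4:20]
    if (src_ip, ident, req_auth) in seen:    # retry of a request already processed
        return "dropped: retry", None
    seen.add((src_ip, ident, req_auth))
    attrs, nak = dict(attr_list), lambda a: build_response(COA_NAK, ident, req_auth, a, secret)
    if attrs.get(NAS_IP_ADDRESS, socket.inet_aton(LOCAL_NAS_IP)) != socket.inet_aton(LOCAL_NAS_IP):
        return "nak: wrong DA controller", nak([])
    session = SESSIONS.get(attrs.get(ACCT_SESSION_ID))
    if session is None:
        return "nak: no session", nak([(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))])
    if FILTER_ID in attrs:                   # new policy profile, applied exactly as at initial authorization
        session["policy"] = attrs[FILTER_ID].decode()
    vlan = vlan_from_rfc3580(attrs)
    if vlan is not None:
        session["vlan"] = vlan
    return "ack", build_response(COA_ACK, ident, req_auth, [], secret)
```

The retry cache is keyed on source address, Identifier and Request Authenticator, so a genuinely new request that happens to reuse an Identifier is still processed, while a retransmitted datagram is dropped after the Message-Authenticator check. The Error-Cause value 503 (Session Context Not Found) in the NAK is the RFC 5176 way of telling the initiator why the session could not be matched; the text above does not mention Error-Cause, so it is an addition of the example.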