The DA initiator sends a Disconnect Request to the DA controller when it determines that a session is to be terminated. The request is sent to UDP port 3799.
When a Disconnect Request packet is received, the receiver first determines whether it is an authorized request from a configured server. The source IP address of the packet is checked against the configured Dynamic Authorization Servers. If the source IP address has not been configured, the request is dropped immediately with no further validation. If the IP address is present in the configuration, the Message-Authenticator attribute is validated as indicated in RFC 2869. If validation is not successful, the packet is dropped with no further processing. If the packet is determined to be a retry, it is also dropped with no further processing.
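The three drop checks above, in the order the text gives them, as an added Python example (not the vendor's code). The function names, the addresses, the shared secret and the retry key (source IP, Identifier, Request Authenticator) are assumptions made for illustration, and the sample packet is constructed.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40      # RADIUS code for Disconnect-Request
MESSAGE_AUTHENTICATOR = 80   # attribute type defined in RFC 2869

def find_message_authenticator(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20  # attributes follow the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None

def check_disconnect_request(packet, src_ip, das_secrets, seen):
    """Apply the three drop checks in order; return 'accept' or a drop reason."""
    secret = das_secrets.get(src_ip)
    if secret is None:
        return "drop-unknown-source"      # unconfigured source: stop here
    off = find_message_authenticator(packet) if len(packet) >= 20 else None
    if off is None or packet[0] != DISCONNECT_REQUEST:
        return "drop-bad-authenticator"
    # HMAC-MD5 over the packet with the attribute value zeroed; for a
    # Disconnect-Request the Request Authenticator is zeroed too (RFC 5176).
    zeroed = bytearray(packet)
    zeroed[4:20] = bytes(16)
    zeroed[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[off:off + 16]):
        return "drop-bad-authenticator"
    key = (src_ip, packet[1], bytes(packet[4:20]))  # assumed retry key
    if key in seen:
        return "drop-retry"
    seen.add(key)
    return "accept"

def build_sample(secret, identifier):
    """Constructed Disconnect-Request with User-Name and Message-Authenticator."""
    attrs = b"\x01\x07alice" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    mac = hmac.new(secret, head + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    req_auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + req_auth + attrs
```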
The authorized request indicates which DA controller the message is for, as well as which session should be terminated. If the DA controller indicated by the attributes included in the packet does not match the receiver, the receiver responds with a Disconnect-NAK. When the intended DA controller receives this RADIUS extension packet, it identifies the session using the attributes provided and immediately terminates the session.
Note: In order to use CoA/Disconnect, ONEPolicy must be enabled with NetLogin.