RADIUS change of authorization (CoA)
NOTE: For increased security, each subnet interface that will be receiving CoA requests must be configured with the set allowaccess radius-acct command.
NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1X authentication.
The FortiSwitch unit supports two types of RADIUS messages:
- CoA messages to change session authorization attributes (such as data filters and the session-timeout setting) during an active session. To change the session timeout for an authenticated session, the CoA-Request message needs to use the IEEE session-timeout attribute.
- Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.
RADIUS CoA messages use the following Fortinet proprietary attribute:
Fortinet-Host-Port-AVPair 42 string
The format of the value is as follows:
Attribute | Value | Description |
---|---|---|
Fortinet-Host-Port-AVPair | action=bounce-port | The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then up again. |
Fortinet-Host-Port-AVPair | action=disable-port | The FortiSwitch unit disconnects all sessions on a port. The port goes down until the user resets it. |
Fortinet-Host-Port-AVPair | action=reauth-port | The FortiSwitch unit forces the reauthentication of the current session. |
In addition, RADIUS CoA uses the following attributes:
Attribute | Value | Description |
---|---|---|
session-timeout | <session_timeout_value> | The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds. NOTE: To use the session-timeout attribute, you must enable the |
Tunnel-Private-Group-Id | VLAN ID or name (10) | This attribute requires FortiSwitchOS 6.4.12 or 7.2.2 or higher. |
Tunnel-Medium-Type | IEEE-802 (6) | This attribute requires FortiSwitchOS 6.4.12 or 7.2.2 or higher. |
Tunnel-Type | VLAN (13) | This attribute requires FortiSwitchOS 6.4.12 or 7.2.2 or higher. |
The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages:
Error Cause | Error Code | Description |
---|---|---|
Unsupported Attribute | 401 | This error is a fatal error, which is sent if a request contains an attribute that is not supported. |
NAS Identification Mismatch | 403 | This error is a fatal error, which is sent if one or more NAS-Identifier Attributes do not match the identity of the NAS receiving the request. |
Invalid Attribute Value | 407 | This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value. |
Session Context Not Found | 503 | This error is a fatal error, which is sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS. |
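The attribute and Error-Cause tables above can be tied together in a short decoder. This is an added example, not Fortinet code: it verifies a CoA-Request's RFC 5176 Request Authenticator and then applies the value rules stated on this page, returning the Error-Cause code that would apply. The shared secret and sample packet are constructed, the function names are hypothetical, and treating any other Fortinet vendor attribute as unsupported (401) is an assumption.

```python
import hashlib
import hmac
import struct

FORTINET = struct.pack("!I", 12356)   # Fortinet's IANA enterprise number
HOST_PORT_AVPAIR = 42                 # vendor attribute type given on the page
ACTIONS = {"action=bounce-port", "action=disable-port", "action=reauth-port"}
COA_REQUEST, VENDOR_SPECIFIC, SESSION_TIMEOUT = 43, 26, 27   # RFC 5176 / 2865

def authenticator(head, attrs, secret):
    """Request Authenticator: MD5(4-byte header + 16 zero octets + attrs + secret)."""
    return hashlib.md5(head + bytes(16) + attrs + secret).digest()

def build(code, ident, attrs, secret):
    """Assemble a request; used here only to construct sample packets."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + authenticator(head, attrs, secret) + attrs

def avpair(value):
    """Encode Fortinet-Host-Port-AVPair inside a Vendor-Specific attribute."""
    sub = bytes([HOST_PORT_AVPAIR, 2 + len(value)]) + value.encode()
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + FORTINET + sub

def review(packet, secret):
    """Return 'ok', 'bad-authenticator', 'malformed' or an Error-Cause code."""
    if len(packet) < 20:
        return "malformed"
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = packet[20:length]
    if not hmac.compare_digest(packet[4:20], authenticator(packet[:4], attrs, secret)):
        return "bad-authenticator"    # wrong secret or modified in transit
    pos = 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            return "malformed"
        atype, value = attrs[pos], attrs[pos + 2:pos + alen]
        if atype == SESSION_TIMEOUT:
            if len(value) != 4 or struct.unpack("!I", value)[0] <= 60:
                return 407            # value must be more than 60 seconds
        elif atype == VENDOR_SPECIFIC and value[:4] == FORTINET:
            if len(value) < 6 or value[4] != HOST_PORT_AVPAIR:
                return 401            # assumption: no other Fortinet type accepted
            if value[6:].decode(errors="replace") not in ACTIONS:
                return 407            # action outside the page's three values
        pos += alen
    return "ok"

SECRET = b"constructed-secret"        # constructed sample values, not from the page
SAMPLE = build(COA_REQUEST, 7, avpair("action=reauth-port"), SECRET)
```

Running `review` over captured CoA traffic with the configured secret separates requests that fail authentication from requests the switch would answer with a CoA-NAK.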
Configuring CoA and disconnect messages
Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS server:
config system interface
    edit "mgmt"
        set ip <address> <netmask>
        set allowaccess <access_types>
        set type physical
    next
end
config user radius
    edit <RADIUS_server_name>
        set radius-coa {enable | disable}
        set radius-port <port_number>
        set secret <secret_key>
        set server <server_name_ipv4_ipv6>
        set addr-mode {ipv4 | ipv6}
    next
end
Variable | Description |
---|---|
config system interface | |
ip <address> <netmask> | Enter the interface IP address and netmask. |
allowaccess <access_types> | Enter the types of management access permitted on this interface. Valid types are as follows: |
<RADIUS_server_name> | Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799. |
config user radius | |
radius-coa {enable | disable} | Enable or disable whether the FortiSwitch unit will accept CoA and disconnect messages. The default is disable. |
radius-port <port_number> | Enter the RADIUS port number. By default, the value is 1812. |
secret <secret_key> | Enter the shared secret key for authentication with the RADIUS server. |
server <server_name_ipv4_ipv6> | Enter the domain name, IPv4 address, or IPv6 address for the RADIUS server. There is no default. |
addr-mode {ipv4 | ipv6} | Select whether to connect to the RADIUS server with IPv4 or IPv6. |
Example: RADIUS CoA
The following example enables the FortiSwitch unit to receive CoA and disconnect messages from the specified RADIUS server:
config system interface
    edit "mgmt"
        set ip 10.105.4.14 255.255.255.0
        set allowaccess ping https http ssh snmp telnet radius-acct
        set type physical
    next
end
config user radius
    edit "Radius-188-200"
        set radius-coa enable
        set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj
        set server "10.105.188.200"
        set addr-mode ipv4
    next
end
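An added example (not part of the Fortinet documentation) that audits a configuration like the one above: it confirms that some interface allows radius-acct when radius-coa is enabled, and reports the cleartext management protocols telnet and http left enabled on an interface that receives CoA requests. The function names are hypothetical, and the sample is the page's example with the secret line omitted.

```python
import shlex

# The page's example (secret line omitted), each config block closed by "end".
SAMPLE = """\
config system interface
    edit "mgmt"
        set ip 10.105.4.14 255.255.255.0
        set allowaccess ping https http ssh snmp telnet radius-acct
        set type physical
    next
end
config user radius
    edit "Radius-188-200"
        set radius-coa enable
        set server "10.105.188.200"
        set addr-mode ipv4
    next
end
"""

def parse(text):
    """Return {section: {entry: {option: [values]}}} from config/edit/set lines."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[0] == "config":
            section, entry = " ".join(words[1:]), None
        elif words[0] == "edit" and len(words) > 1:
            entry = words[1]
        elif words[0] == "set" and section and entry and len(words) > 1:
            tree.setdefault(section, {}).setdefault(entry, {})[words[1]] = words[2:]
    return tree

def audit(tree):
    """List CoA-related findings for a parsed configuration."""
    issues = []
    ifaces = tree.get("system interface", {})
    coa = [n for n, o in tree.get("user radius", {}).items()
           if o.get("radius-coa") == ["enable"]]
    listeners = [n for n, o in ifaces.items() if "radius-acct" in o.get("allowaccess", [])]
    if coa and not listeners:
        issues.append("radius-coa enabled but no interface allows radius-acct")
    for name in listeners:
        for proto in ("telnet", "http"):   # cleartext management protocols
            if proto in ifaces[name]["allowaccess"]:
                issues.append(f"{name}: cleartext {proto} on CoA-receiving interface")
    return issues
```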
Viewing the CoA configuration
Use the following command to check the CoA settings:
S524DF4K15000024 # diagnose user radius coa
90075.874 DAS: :radius_das_diag_handler: RADIUS DAS Server List:
radius2: Type: RADIUS_8021X, IP: 10.105.252.79, Last CoA/DM Client IP Addr : 10.105.252.79
Disc Reqs : 2 Disc ACKs : 1 Disc NAKs : 1
CoA Reqs : 0 CoA ACKs : 0 CoA NAKs : 0
radius3: Type: RADIUS_8021X, IP: 10.105.252.76, Last CoA/DM Client IP Addr :
Disc Reqs : 0 Disc ACKs : 0 Disc NAKs : 0
CoA Reqs : 0 CoA ACKs : 0 CoA NAKs : 0
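For monitoring, the counters in this output can be collected and checked automatically. The following is an added example, not Fortinet tooling: it parses the output shown above and reports servers with NAKed requests or whose last CoA/DM client address differs from the configured server address. Treating such a mismatch as worth review is an assumption, and the function names are hypothetical.

```python
import re

# Output shown on the page; the parser does not depend on where lines wrap.
SAMPLE = """\
S524DF4K15000024 # diagnose user radius coa
90075.874 DAS: :radius_das_diag_handler: RADIUS DAS Server List:
radius2: Type: RADIUS_8021X, IP: 10.105.252.79, Last CoA/DM Client IP Addr : 10.105.252.79
Disc Reqs : 2 Disc ACKs : 1 Disc NAKs : 1
CoA Reqs : 0 CoA ACKs : 0 CoA NAKs : 0
radius3: Type: RADIUS_8021X, IP: 10.105.252.76, Last CoA/DM Client IP Addr :
Disc Reqs : 0 Disc ACKs : 0 Disc NAKs : 0
CoA Reqs : 0 CoA ACKs : 0 CoA NAKs : 0
"""

STANZA = re.compile(
    r"(?P<name>\S+):\s+Type:\s+(?P<type>\w+),\s+IP:\s+(?P<ip>[^,\s]+),\s+"
    r"Last CoA/DM Client IP Addr\s*:\s*(?P<client>\S*)(?=\s+Disc\s+Reqs)")
COUNTER = re.compile(r"(Disc|CoA)\s+(Reqs|ACKs|NAKs)\s*:\s*(\d+)")

def parse(text):
    """Return one dict per DAS server listed in the output."""
    hits = list(STANZA.finditer(text))
    servers = []
    for i, m in enumerate(hits):
        # Counters for this server run up to the start of the next stanza.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        found = COUNTER.findall(text[m.end():end])
        servers.append({**m.groupdict(),
                        "counters": {f"{k} {w}": int(n) for k, w, n in found}})
    return servers

def findings(servers):
    """Flag NAKed requests and requests not sourced from the configured server."""
    out = []
    for s in servers:
        if s["client"] and s["client"] != s["ip"]:
            out.append((s["name"], f"client {s['client']} != server {s['ip']}"))
        for kind in ("Disc", "CoA"):
            naks = s["counters"].get(f"{kind} NAKs", 0)
            if naks:
                out.append((s["name"], f"{kind} NAKs={naks}"))
    return out
```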