
Administration Guide

RADIUS change of authorization (CoA)

NOTE: For increased security, each interface that will receive CoA requests must be configured with the set allowaccess radius-acct command; CoA and disconnect messages arriving on any other interface are not accepted.

NOTE: Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1X authentication.

The FortiSwitch unit supports two types of RADIUS messages:

  • CoA messages to change session authorization attributes (such as data filters and the session-timeout setting) during an active session. To change the session timeout for an authenticated session, the CoA-Request message needs to use the IEEE session-timeout attribute.
  • Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.

RADIUS CoA messages use the following Fortinet proprietary attribute:

Fortinet-Host-Port-AVPair 42 string

The format of the value is as follows:

Attribute                   Value                Description
-------------------------   ------------------   --------------------------------------------------------------
Fortinet-Host-Port-AVPair   action=bounce-port   The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then up again.
Fortinet-Host-Port-AVPair   action=disable-port  The FortiSwitch unit disconnects all sessions on a port. The port goes down until the user resets it.
Fortinet-Host-Port-AVPair   action=reauth-port   The FortiSwitch unit forces the reauthentication of the current session.

In addition, RADIUS CoA uses the following attributes:

Attribute                 Value                      Description
-----------------------   ------------------------   --------------------------------------------------------------
session-timeout           <session_timeout_value>    The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds. NOTE: To use the session-timeout attribute, you must enable the set radius-timeoutoverwrite command first.
Tunnel-Private-Group-Id   VLAN ID or name (10)       This attribute requires FortiSwitchOS 6.4.12 or 7.2.2 or higher.
Tunnel-Medium-Type        IEEE-802 (6)               This attribute requires FortiSwitchOS 6.4.12 or 7.2.2 or higher.
Tunnel-Type               VLAN (13)                  This attribute requires FortiSwitchOS 6.4.12 or 7.2.2 or higher.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages:

Error Cause                   Error Code   Description
---------------------------   ----------   --------------------------------------------------------------
Unsupported Attribute         401          This error is a fatal error, which is sent if a request contains an attribute that is not supported.
NAS Identification Mismatch   403          This error is a fatal error, which is sent if one or more NAS-Identifier Attributes do not match the identity of the NAS receiving the request.
Invalid Attribute Value       407          This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.
Session Context Not Found     503          This error is a fatal error, which is sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.
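As an added example (not Fortinet's code), the following Python encodes the Fortinet-Host-Port-AVPair attribute above into a RADIUS CoA-Request, checks the RFC 5176 Request Authenticator the way a receiving NAS does before acting on the request, and decodes the Error-Cause attribute of a CoA-NAK or Disconnect-NAK into the codes listed in the table. It assumes Fortinet's IANA enterprise number 12356 and the RFC 5176 packet codes and attribute numbers, none of which appear on this page; the shared secret and the NAK packet are constructed.

```python
import hashlib
import hmac
import struct
# Assumed values not on the page: Fortinet's IANA enterprise number and the RFC 5176 codes/attribute numbers.
FORTINET_VENDOR_ID = 12356
FORTINET_HOST_PORT_AVPAIR = 42      # vendor attribute number given on the page
ATTR_VENDOR_SPECIFIC, ATTR_ERROR_CAUSE = 26, 101
CODE_COA_REQUEST, CODE_COA_NAK = 43, 45
# Error-Cause values the page says the FortiSwitch unit returns in CoA-NAK and Disconnect-NAK messages
ERROR_CAUSE_NAMES = {401: "Unsupported Attribute", 403: "NAS Identification Mismatch",
                     407: "Invalid Attribute Value", 503: "Session Context Not Found"}

def fortinet_avpair(value):
    """Encode a Fortinet-Host-Port-AVPair such as 'action=bounce-port' as a Vendor-Specific attribute."""
    data = value.encode()
    vsa = struct.pack("!BB", FORTINET_HOST_PORT_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_request(code, ident, attrs, secret):
    """Build a CoA-Request; RFC 5176 Request Authenticator = MD5(Code|ID|Length|16 zero bytes|attrs|secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_request(packet, secret):
    """What the NAS does on receipt: recompute the authenticator with the shared secret and compare it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_error_cause(nak):
    """Walk the attributes of a CoA-NAK or Disconnect-NAK and return (code, name) of its Error-Cause."""
    pos = 20
    while pos + 2 <= len(nak):
        atype, alen = nak[pos], nak[pos + 1]
        if alen < 2:
            return None                       # malformed attribute length; stop rather than loop forever
        if atype == ATTR_ERROR_CAUSE and alen == 6:
            code = struct.unpack("!I", nak[pos + 2:pos + 6])[0]
            return code, ERROR_CAUSE_NAMES.get(code, "unknown")
        pos += alen
    return None

def sample_nak(ident, error_code):
    """Constructed CoA-NAK carrying only an Error-Cause attribute (authenticator left zeroed for brevity)."""
    attr = struct.pack("!BBI", ATTR_ERROR_CAUSE, 6, error_code)
    return struct.pack("!BBH", CODE_COA_NAK, ident, 20 + len(attr)) + bytes(16) + attr
```

A real NAS also verifies the Response Authenticator on replies and enforces the allowed client list, which the FortiSwitch configuration below handles through the allowaccess setting.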

Configuring CoA and disconnect messages

Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS server:

config system interface
    edit "mgmt"
        set ip <address> <netmask>
        set allowaccess <access_types>
        set type physical
    next
end
config user radius
    edit <RADIUS_server_name>
        set radius-coa {enable | disable}
        set radius-port <port_number>
        set secret <secret_key>
        set server <server_name_ipv4_ipv6>
        set addr-mode {ipv4 | ipv6}
    next
end

Variable                          Description
-------------------------------   --------------------------------------------------------------

config system interface

ip <address> <netmask>            Enter the interface IP address and netmask.
allowaccess <access_types>        Enter the types of management access permitted on this interface. Valid types are as follows: http https ping snmp ssh telnet radius-acct. Separate each type with a space. You must include radius-acct to receive CoA and disconnect messages.

config user radius

<RADIUS_server_name>              Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.
radius-coa {enable | disable}     Enable or disable acceptance of CoA and disconnect messages by the FortiSwitch unit. The default is disable.
radius-port <port_number>         Enter the RADIUS port number. By default, the value is 1812.
secret <secret_key>               Enter the shared secret key for authentication with the RADIUS server.
server <server_name_ipv4_ipv6>    Enter the domain name, IPv4 address, or IPv6 address for the RADIUS server. There is no default.
addr-mode {ipv4 | ipv6}           Select whether to connect to the RADIUS server with IPv4 or IPv6.

Example: RADIUS CoA

The following example enables the FortiSwitch unit to receive CoA and disconnect messages from the specified RADIUS server:

config system interface
    edit "mgmt"
        set ip 10.105.4.14 255.255.255.0
        set allowaccess ping https http ssh snmp telnet radius-acct
        set type physical
    next
end
config user radius
    edit "Radius-188-200"
        set radius-coa enable
        set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj
        set server "10.105.188.200"
        set addr-mode ipv4
    next
end

Viewing the CoA configuration

Use the following command to check the CoA settings and the per-server CoA and disconnect request, ACK, and NAK counters:

S524DF4K15000024 # diagnose user radius coa

90075.874 DAS: :radius_das_diag_handler:
RADIUS DAS Server List:
radius2:
Type: RADIUS_8021X, IP: 10.105.252.79,
Last CoA/DM Client IP Addr    : 10.105.252.79
Disc Reqs     : 2
Disc ACKs     : 1
Disc NAKs     : 1
CoA  Reqs     : 0
CoA  ACKs     : 0
CoA  NAKs     : 0
radius3:
Type: RADIUS_8021X, IP: 10.105.252.76,
Last CoA/DM Client IP Addr    :
Disc Reqs     : 0
Disc ACKs     : 0
Disc NAKs     : 0
CoA  Reqs     : 0
CoA  ACKs     : 0
CoA  NAKs     : 0
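Added example (not part of the Fortinet documentation): a Python parser for the diagnose output above that turns each DAS server block into counters and flags what an operator would review, namely any NAK counts and a last CoA/DM client address that differs from the configured server address. The sample text is the page's own output; the review rules are this example's assumptions, and the client-address check is only a heuristic because the command reports just the most recent client.

```python
import re

# Sample output copied from the page's "diagnose user radius coa" example (radius3 has served no CoA/DM client yet).
DIAG_OUTPUT = """\
RADIUS DAS Server List:
radius2:
Type: RADIUS_8021X, IP: 10.105.252.79,
Last CoA/DM Client IP Addr    : 10.105.252.79
Disc Reqs     : 2
Disc ACKs     : 1
Disc NAKs     : 1
CoA  Reqs     : 0
CoA  ACKs     : 0
CoA  NAKs     : 0
radius3:
Type: RADIUS_8021X, IP: 10.105.252.76,
Last CoA/DM Client IP Addr    :
Disc Reqs     : 0
Disc ACKs     : 0
Disc NAKs     : 0
CoA  Reqs     : 0
CoA  ACKs     : 0
CoA  NAKs     : 0
"""

def parse_das_servers(text):
    """Return {server_name: {"type", "ip", "last_client", "disc_reqs", ..., "coa_naks"}} from the diagnose output."""
    servers, cur = {}, None
    for line in text.splitlines():
        if re.fullmatch(r"\S+:", line):                      # "radius2:" starts a new server block
            cur = servers.setdefault(line[:-1], {})
        elif cur is not None and (m := re.match(r"Type: (\S+), IP: ([^,]+),", line)):
            cur["type"], cur["ip"] = m.group(1), m.group(2)
        elif cur is not None and (m := re.match(r"Last CoA/DM Client IP Addr\s*:\s*(\S*)", line)):
            cur["last_client"] = m.group(1) or None          # empty field means no client seen yet
        elif cur is not None and (m := re.match(r"(Disc|CoA)\s+(Reqs|ACKs|NAKs)\s*:\s*(\d+)", line)):
            cur[f"{m.group(1).lower()}_{m.group(2).lower()}"] = int(m.group(3))
    return servers

def review(servers):
    """Assumed review rules: report NAKs (rejected CoA/DM requests, see the Error-Cause table) and a
    last CoA/DM client address that is not the configured RADIUS server address."""
    findings = []
    for name, s in servers.items():
        if s.get("disc_naks", 0) or s.get("coa_naks", 0):
            findings.append(f"{name}: {s.get('disc_naks', 0)} Disconnect-NAK, {s.get('coa_naks', 0)} CoA-NAK")
        if s.get("last_client") and s["last_client"] != s.get("ip"):
            findings.append(f"{name}: CoA/DM client {s['last_client']} is not the configured server {s['ip']}")
    return findings
```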