In the RADIUS protocol, the gateway device (NAS) is the client, and the service that implements the RADIUS protocol (for example, FreeRADIUS) is the server side, so the RADIUS server cannot proactively send information to the NAS. RFC 3576, Dynamic Authorization Extensions to RADIUS, defines an extension in which Change-of-Authorization (CoA) messages can be initiated from the RADIUS server to the RADIUS client. Requirements such as taking a user offline or dynamically modifying a user's Internet bandwidth can be met through CoA.
Here is how to complete a CoA request with pyrad. The requirement is to send the CoA from Python to the gateway and have the gateway correctly answer with an ACK.
Note: The latest version of pyrad on PyPI does not implement CoA; you can install pyrad from http://github.com/andreynpetrov/pyrad.git, the version on GitHub that includes this part of the implementation.
The codes defined for CoA:
- Disconnect-Request [RFC2882]
- Disconnect-ACK [RFC2882]
- Disconnect-NAK [RFC2882]
- CoA-Request [RFC2882]
- CoA-ACK [RFC2882]
- CoA-NAK [RFC2882] (CoA abnormal)
Python simulated COA
The CoA request here is customized by the gateway device manufacturer and is used to complete user authentication. The packet structure can only be implemented by reference to the RFC and the manufacturer's definition, so this post only records how the program is written. A few important points in debugging: the gateway vendor's dictionary, whether the meaning and values of the vendor custom fields in the dictionary are correct, and the whitelist. If it still does not work, capture the packets, compare them, and test again.
```python
# coding: utf-8
import socket

import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary

# Same as for the NAS and RADIUS server: take care to load the dictionary
DICT_DIR = "./dictionary"
SECRET = b"Test"  # shared secret, passed as bytes
NASIP = "172.16.15.188"


def send_coa_auth(uname, acl="Auth_sla", qos="32m_full"):
    """
    Send a COA message to the NAS. The attributes are
    User-Name, Calling-Station-Id, Benu-acl-policy, Benu-qos-policy.
    """
    srv = Client(server=NASIP, secret=SECRET, dict=Dictionary(DICT_DIR))
    req = srv.CreateCoAPacket(code=pyrad.packet.CoARequest, User_Name=uname)
    req["Calling-Station-Id"] = uname
    req["NAS-IP-Address"] = NASIP
    # Attributes starting with Benu are vendor-defined fields; the names
    # must be spelled exactly as in the vendor dictionary.
    req["Benu-acl-policy"] = acl
    req["Benu-qos-policy"] = qos

    try:
        print("Sending COA request")
        reply = srv.SendPacket(req)
    except pyrad.client.Timeout:
        print("DAS (NAS or Bas) does not reply")
        return
    except socket.error as error:
        print("Network Error: " + str(error))
        return

    if reply.code == pyrad.packet.CoAACK:
        print("Coa accepted")
    elif reply.code == pyrad.packet.CoANAK:
        print("Coa Nak")
    else:
        print(reply.code)

    print("Attributes returned by NAS:")
    for i in reply.keys():
        print("%s:%s" % (i, reply[i][0]))


if __name__ == "__main__":
    send_coa_auth("F8-CF-C5-83-09-B9")
```

Sample run:

```
# python coa_auth.py
import settings failure
sending COA request
coa accepted
attributes returned by NAS:
event-timestamp:1452219598
```
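For the packet-capture comparison mentioned above, a useful first check is whether a captured CoA packet's authenticator matches the shared secret, since a packet that fails this check is not accepted by the other side. The following is an added example, not code from the original post or from pyrad: it implements the RFC 3576 authenticator calculation with the standard library only (Python 3), using the standard attribute numbers 1 (User-Name), 4 (NAS-IP-Address), 31 (Calling-Station-Id) and 55 (Event-Timestamp); the packet identifier and the sample packets are constructed.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45  # RFC 3576 packet codes
ZERO_AUTH = b"\x00" * 16

def build_packet(code, ident, attrs, secret, request_auth=ZERO_AUTH):
    """Encode a packet; attrs is a list of (attribute type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request:  MD5(Code + ID + Length + 16 zero octets        + Attributes + Secret)
    # Response: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_attributes(body):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(body):
        length = body[pos + 1] if pos + 1 < len(body) else 0  # 0 = truncated header
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + length]))
        pos += length
    return attrs

def check_packet(raw, secret, request_auth=ZERO_AUTH):
    """Verify the authenticator, then decode the packet (ValueError on failure).
    For a CoA-ACK/NAK, pass request_auth = bytes 4..20 of the request it answers."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field does not fit the datagram")
    raw = raw[:length]  # ignore any padding after Length
    expected = hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()
    if not hmac.compare_digest(expected, raw[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or altered packet")
    return code, ident, parse_attributes(raw[20:])

# Constructed samples reusing the MAC, NAS address and secret from the script above.
SECRET = b"Test"
REQUEST = build_packet(COA_REQUEST, 7, [(1, b"F8-CF-C5-83-09-B9"),
    (31, b"F8-CF-C5-83-09-B9"), (4, socket.inet_aton("172.16.15.188"))], SECRET)
REPLY = build_packet(COA_ACK, 7, [(55, struct.pack("!I", 1452219598))],
                     SECRET, request_auth=REQUEST[4:20])
```

To check a real capture, pass the UDP payload of the CoA-Request as `raw`, and for the reply also pass the request's authenticator bytes.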
Reference
Using Python to send COA messages to dynamically change RADIUS user attributes. This blogger has done a lot of relevant research; thanks.
"Python" simulates radius COA messages