Skip to main content

RADIUS Change of Authorization

Dynamic rate changes via RADIUS CoA.

Overview

RADIUS Change of Authorization (CoA) allows your RADIUS server to modify subscriber session parameters in real-time without requiring session reconnection.

How It Works

1. RADIUS server sends CoA-Request
   ├─ Acct-Session-Id: abng-1709312400-1
   ├─ Athena-Rate-Down: 25mbit
   └─ Athena-Rate-Up: 10mbit

2. abngd receives CoA on UDP 3799
   ├─ Looks up session by Acct-Session-Id
   └─ Updates session rates

3. abng-qos updates CAKE qdisc
   ├─ Uses tc qdisc change (no packet loss)
   ├─ Updates egress: 25mbit
   └─ Updates ingress: 10mbit

4. abngd sends CoA-ACK
   └─ Confirms rate change accepted

Configuration

Enable CoA in config:

radius:
  servers:
    - host: "10.255.0.10"
      port: 1812
      acct_port: 1813
  coa_enabled: true
  coa_port: 3799

Sending CoA

Using radclient

echo "Acct-Session-Id = 'abng-1709312400-42', Athena-Rate-Down = '200mbit', Athena-Rate-Up = '80mbit'" | \
  radclient -x 10.255.0.1:3799 coa YourCoaSecret

Using FreeRADIUS

In FreeRADIUS, send CoA via radclient:

#!/bin/bash
SESSION_ID=$1
RATE_DOWN=$2
RATE_UP=$3

echo "Acct-Session-Id = '$SESSION_ID', Athena-Rate-Down = '$RATE_DOWN', Athena-Rate-Up = '$RATE_UP'" | \
  radclient -x 10.255.0.1:3799 coa my-secret

Supported Attributes

AttributeTypeDescription
Acct-Session-IdStringSession ID (required)
Athena-Rate-DownStringDownload rate (e.g., "50mbit")
Athena-Rate-UpStringUpload rate (e.g., "20mbit")

Use Cases

Upgrade/Downgrade

Subscriber upgrades plan:

radclient -x 10.255.0.1:3799 coa secret <<EOF
Acct-Session-Id = "abng-1709312400-42"
Athena-Rate-Down = "200mbit"
Athena-Rate-Up = "80mbit"
EOF

Throttle for Abuse

Subscriber violates terms:

radclient -x 10.255.0.1:3799 coa secret <<EOF
Acct-Session-Id = "abng-1709312400-42"
Athena-Rate-Down = "1mbit"
Athena-Rate-Up = "1mbit"
EOF

Restore Normal Rate

Subscriber resolves issue:

radclient -x 10.255.0.1:3799 coa secret <<EOF
Acct-Session-Id = "abng-1709312400-42"
Athena-Rate-Down = "100mbit"
Athena-Rate-Up = "40mbit"
EOF

Troubleshooting

CoA Not Working

  1. Check CoA is enabled:

    abng> show configuration | match coa

  2. Check CoA port is correct:

    sudo netstat -tlnp | grep 3799

  3. Check firewall allows UDP 3799:

    sudo ufw allow 3799/udp

  4. Check abngd logs:

    sudo journalctl -u abngd -f | grep -i coa

Session Not Found

CoA-NAK: Session not found

Solution: Verify Acct-Session-Id matches session in show subscribers.

Next Steps