Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding RADIUS-Initiated Change of Authorization

    This section describes the RADIUS dynamic-request server’s support for COA messages. COA messages are used by the E Series router’s RADIUS-initiated packet mirroring feature, which is described in the Configuring RADIUS-Based Packet Mirroring chapter in the JunosE Policy Management Configuration Guide, and by Service Manager, which is described in the Configuring Service Manager chapter of this guide.

    Change-of-Authorization Messages

    The RADIUS dynamic-request server receives and processes the unsolicited COA messages from RADIUS servers. The RADIUS-initiated COA feature uses the following codes in its RADIUS request and response messages:

    • COA-Request (43)
    • COA-ACK (44)
    • COA-NAK (45)

    Message Exchange

    The RADIUS server and the router’s RADIUS dynamic-request server exchange messages using UDP. The COA-Request message sent by the RADIUS server has the same format as the Disconnect-Request packet that is sent for a disconnect operation.

    The response is either a COA-ACK or a COA-NAK message:

    • If AAA successfully changes the authorization, the response is a RADIUS-formatted packet with a COA-ACK message, and the data filter is applied to the session.
    • If AAA is unsuccessful, the request is malformed, or attributes are missing, the response is a RADIUS-formatted packet with a COA-NAK message.

    Supported Error-Cause Codes (RADIUS Attribute 101)

    When AAA is unsuccessful, the RADIUS dynamic-request server includes an error-cause attribute (RADIUS attribute 101) in the COA-NAK message that it sends back to the RADIUS server. If the detected error does not map to one of the supported error-cause attributes, the router sends the COA-NAK without an error-cause attribute. Table 1 lists the supported error-cause codes.

    Table 1: Error-Cause Codes (RADIUS Attribute 101)





    Unsupported attribute

    The request contains an attribute that is not supported (for example, a third-party attribute).


    Missing attribute

    A critical attribute (for example, the session identification attribute) is missing from a request.


    Invalid request

    Some other aspect of the request is invalid, such as if one or more attributes (for example, the packet mirroring Mirror Identifier value) are not formatted properly.


    Session context not found

    The session context identified in the request does not exist on the NAS.


    Session context not removable

    The subscriber identified by attributes in the disconnect request is owned by a component that does not support RADIUS-initiated disconnect (for example, IP LAC subscribers cannot be disconnected).


    Resources unavailable

    A request could not be honored due to lack of available NAS resources (such as memory).

    Qualifications for Change of Authorization

    To complete the change of authorization for a user, the COA-Request must contain one of the following RADIUS attributes or pairs of attributes. AAA services handle the actual request.

    • User-Name [attribute 1] with Virtual-Router [attribute 26–1] to identify the user per virtual router context
    • Framed-IP-Address [attribute 8] with Virtual-Router [attribute 26–1] to identify the address per virtual router context
    • Calling-Station-ID [attribute 31]
    • Acct-Session-ID [attribute 44] (mandatory for all COA requests, except when the request is for packet mirroring)
    • Nas-Port-ID [attribute 5]
    • DHCP-Option-82 [attribute 26–159], Vendor ID 4874
    • Agent-Circuit-ID [attribute 26–1], Vendor ID 3561
    • Agent-Remote-ID [attribute 26–2], Vendor ID 3561

    Note: The Calling-Station-ID attribute is valid only for the tunneled subscribers and on the LNS. Additionally, the Calling-Station-ID and Nas-Port-ID attributes are valid only if there is no RADIUS override setting.


    For change-of-authorization operations, the RADIUS server calculates the authenticator as specified for an Accounting-Request message in RFC 2866. The RADIUS dynamic-request server verifies the request using authenticator calculation as specified for an Accounting-Request in RFC 2866. A key (secret), as specified in RFC 2865, must be configured and used in the calculation of the authenticator. The response authenticator is calculated as specified for an Accounting-Response message in RFC 2866.

    Published: 2014-08-20