
Change of Authorization/Disconnect Messages Overview


The RADIUS protocol, as defined in RFC 2865, does not support unsolicited messages from a RADIUS server to a network access server (NAS). Under some circumstances, you may need to make changes in subscriber session characteristics without requiring the NAS to initiate the change. For example, you may want to terminate an active user’s session (using a Disconnect Message), or if a user changes authorization level, you may have to add, modify or delete authorization attributes for the user’s session (using a CoA message). RFC 3576, “Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS),” describes extended commands that provide support for unsolicited messages sent from the RADIUS server to the NAS.

The Steel-Belted Radius Carrier CoA/DM functionality is designed for mobile and wire-line operators who want to offer dynamic service changes to reinforce current service offerings. In order to use the CoA/DM functionality in Steel-Belted Radius Carrier, your NAS must support RFC 3576 Change of Authorization (CoA), Disconnect Message (DM), or the Cisco proprietary Packet of Disconnect (PoD). You can configure Steel-Belted Radius Carrier to send different requests of these packet types to deploy any of the following services:

  • Prepaid scenarios—You can use CoA/DM functions to support control of data services where usage is metered by time or traffic volume, such as prepaid services or bandwidth-on-demand. When subscribers exhaust their prepaid service quota, the CoA/DM functionality enables you to either disconnect or redirect them to a webpage where they can purchase more time or data in mid-session, ensuring subscribers do not exceed their purchased limit.

  • Lawful intercept—As a service provider, you may be required to comply with lawful intercept regulations by providing legal organizations with voice and data intercept capabilities. These might include monitoring both connection-related information and actual session data of a specific subscriber, including phone calls, e-mail, VoIP, or instant messaging, and providing this data to Law Enforcement Agencies (LEAs). These legal intercept capabilities can be performed by issuing a CoA request.

  • Tiered services—CoA/DM functions can be used to provide new services that create new revenue opportunities. For example, if you are a fixed-line carrier, you may want to supplement your basic broadband service with a turbo option that provides subscribers with increased bandwidth-on-demand.

  • Abuse control and threat mitigation—You can disconnect or quarantine subscribers who are using the network in an unauthorized manner, or who are logged in to multiple sessions concurrently. Abuse control can be managed manually or triggered by intrusion detection devices or network firewalls.

  • Subscriber self-service—Subscribers can be redirected to portals where troubleshooting tips can be conveyed, decreasing the burden on your help desk team and providing faster resolution to common problems and concerns.


For the remainder of this discussion, the functionality of CoA, DM, and PoD is referred to as CoA/DM.

How Disconnect Messages Work

When you want to terminate a user session, you or your Operations Support System (OSS) need to trigger Steel-Belted Radius Carrier to send a Disconnect-Request message to the NAS on UDP port 3799. The Disconnect-Request message identifies the NAS and the user session to be terminated. If the Disconnect-Request message correctly identifies a user session being maintained by the NAS, the NAS disconnects the user session and sends a confirmation message (Disconnect-ACK) back to Steel-Belted Radius Carrier. For a detailed example of a Disconnect-Request message sequence, see Figure 250.

How Change of Authorization Messages Work

When you want to change session authorizations, such as data filters associated with a user session, you or your Operations Support System (OSS) need to trigger Steel-Belted Radius Carrier to send a CoA-Request message to the NAS on UDP port 3799. The CoA-Request message may indicate the name of a data filter list to be applied for the session. If the NAS is able to change the authorizations for the user session, the NAS returns a confirmation message (CoA-ACK) to Steel-Belted Radius Carrier. If the request is unsuccessful, the NAS sends back a failure message (CoA-NAK).
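
An added example, not from the original page or from Steel-Belted Radius Carrier: because Disconnect-Request and CoA-Request messages arrive unsolicited on UDP port 3799, the NAS should act on one only if its authenticator verifies against the shared secret, and the server should check the ACK or NAK the same way. The packet codes and MD5 authenticator rules follow RFC 3576; the shared secret, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Packet codes (RFC 3576) and attribute types (RFC 2865/2866)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _packet(code, ident, auth_input, attrs, secret):
    """Header + MD5(header + auth_input + attrs + secret) + attrs."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + auth_input + attrs + secret).digest()
    return header + auth + attrs

def build_request(code, ident, attrs, secret):
    """Server side: Request Authenticator is computed over 16 zero octets."""
    return _packet(code, ident, bytes(16), attrs, secret)

def build_response(code, request, attrs, secret):
    """NAS side: the reply is hashed over the request's authenticator."""
    return _packet(code, request[1], request[4:20], attrs, secret)

def _authentic(packet, auth_input, secret, allowed_codes):
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in allowed_codes or not 20 <= length <= len(packet):
        return False
    expected = _packet(code, ident, auth_input, packet[20:length], secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

def request_is_authentic(packet, secret):
    """NAS side: drop a Disconnect/CoA-Request whose authenticator fails."""
    return _authentic(packet, bytes(16), secret, (DISCONNECT_REQUEST, COA_REQUEST))

def response_is_authentic(response, request, secret):
    """Server side: accept an ACK/NAK only for the matching pending request."""
    codes = (DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK)
    return (len(response) >= 20 and response[1] == request[1]
            and _authentic(response, request[4:20], secret, codes))

# Constructed sample values, not from the page
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = (attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
                + attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"0000A1B2"))
```

A request that fails `request_is_authentic` should be silently discarded rather than answered with a NAK, so that a sender without the shared secret learns nothing about active sessions.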