MarcoMerlo
New Member
October 13, 2025
Question

FortiADC L7 RADIUS APPLICATION PROFILE AND COA


Hi to all,

I noticed that on an L7 Radius Application profile one can switch on the "Dynamic Auth" option and configure a destination port for COA.

I am wondering if such a configuration option could be useful to handle COA "back requests" from a node of the radius pool towards a radius client. Suppose that on the network switch or a wireless controller the ip address of the Radius VIP is configured both as AAA server and as COA authorized ip address. I was wondering whether the purpose of the "Dynamic Auth" switch was to apply source nat to COA requests coming from any of the radius servers in the pool. On our current F5 BIG-IP LTM I use a forwarding virtual ip address listening on the COA port to source nat COA requests from the radius servers so that the Radius Client receives COA packets having the radius VIP as source address.

BR

MM

3 replies

Anthony_E
Staff
October 16, 2025

Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,

Best Regards
Anthony_E
Staff
October 18, 2025

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.
Thanks,

Best Regards
Anthony_E
Staff
October 20, 2025

Hello Marco,

To configure an L7 RADIUS application profile with Change of Authorization (CoA) on FortiADC, follow these steps:

  1. Client Address and Source Port:

    • Decide whether to use the original client IP address and port as the source when connecting to the real server. By default, these are set to "Off."
  2. Timeout RADIUS Session:

    • Set the session timeout for RADIUS. The default is 300 seconds, but you can configure it between 1 and 3,600 seconds.
  3. Dynamic Authorization (CoA):

    • Enable or disable Dynamic Authorization for RADIUS CoA. By default, this is disabled.
  4. Dynamic Auth Port:

    • Configure the UDP port for CoA requests. The default port is 3799.
  5. Geo IP Blocklist and Allowlist:

    • Configure Geo IP blocklist and allowlist as needed. By default, these are set to "None."

Ensure that the predefined RADIUS profile LB_PROF_RADIUS is configured according to your requirements, with the default settings as mentioned above.

Best Regards
MarcoMerlo
New Member
January 9, 2026

Hi, thanks for the reply. I am afraid I was not clear enough. Here is an example of a COA flow:

Radius Client A (e.g. a network switch) sends an Access Request to Radius Server B (udp port 1812).

Radius server replies with an access request.

After some time an administrator decides that the previously authenticated user needs to be disconnected and can ask the radius server B to send a Radius COA packet to the network switch A instructing it to disconnect the user. In this flow radius server B is the COA client and the client A is the server listening on UDP port 1700 and accepting Radius COA packets just from authorized ip addresses. Now suppose the radius server B is part of a radius pool behind a VIP C. Radius Client A sends AAA requests to the C ip address and, as a COA client, accepts COA packets just from the C ip address (I want to be free to add and remove real servers from the pool, so I want my radius servers to be known to the switches with ip address C both for sending aaa requests and for getting COA requests ....). So when server B sends the COA request to client port 1700 its source ip address must be natted to C in order to have the client accept the packet. I was just wondering whether the FortiADC radius profile uses the dynamic port value to perform source nat for UDP packets coming from one of the real servers of the radius pool when the destination port is 1700.

BR

MM
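The acceptance check that switch A performs on an incoming CoA-Request, as an added example that is not part of this thread or of any FortiADC or F5 code. It models the two gates described above: the source address must be the authorized CoA client (VIP C), and the RFC 5176 Request Authenticator must verify with the shared secret. The IP addresses, secret and attribute values are constructed for the illustration; the same packet is shown rejected when it arrives from real server B's own address and accepted once it has been source-natted to C.

```python
import hashlib
import hmac
import ipaddress

COA_REQUEST = 43  # RADIUS packet code for CoA-Request (RFC 5176)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([atype, 2 + len(value)]) + value


def build_coa_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """What the CoA client (RADIUS server B) sends to UDP/1700 on the switch.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = bytes([COA_REQUEST, identifier]) + length.to_bytes(2, "big")
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def nas_accept_coa(pkt: bytes, src_ip: str, allowed_sources: set, secret: bytes) -> tuple:
    """Gate 1: source address must be an authorized CoA client (the VIP, in the thread's setup).
    Gate 2: the Request Authenticator must verify with the shared secret."""
    if ipaddress.ip_address(src_ip) not in {ipaddress.ip_address(a) for a in allowed_sources}:
        return (False, "source address is not an authorized CoA client")
    if len(pkt) < 20 or pkt[0] != COA_REQUEST:
        return (False, "not a CoA-Request")
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        return (False, "length field does not match datagram size")
    header, authenticator, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return (False, "bad Request Authenticator (wrong shared secret or tampered packet)")
    return (True, "accepted")


# Constructed sample values: VIP C is the only CoA source the switch trusts.
VIP_C = "10.0.0.10"          # the load-balancer VIP the switch knows as its RADIUS server
REAL_B = "10.0.1.21"         # real server B's own address, unknown to the switch
SECRET = b"constructed-shared-secret"
# User-Name (1) and Acct-Session-Id (44) identify the session to disconnect.
PKT = build_coa_request(SECRET, 7, attr(1, b"alice") + attr(44, b"sess-0001"))


def demo() -> dict:
    """Same packet, three delivery cases; only the source-natted one passes both gates."""
    return {
        "from_real_server_B": nas_accept_coa(PKT, REAL_B, {VIP_C}, SECRET),
        "from_vip_C_after_snat": nas_accept_coa(PKT, VIP_C, {VIP_C}, SECRET),
        "wrong_secret": nas_accept_coa(PKT, VIP_C, {VIP_C}, b"other-secret"),
    }
```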