FortiGate
pksubramanian
Article Id 198689

Description


This article describes why a RADIUS Change of Authorization (CoA) Disconnect request is answered with a Disconnect-NAK, and which attributes the request must carry so that FortiGate can identify and disconnect the session.

 

Scope

 

FortiGate.


Solution

 

When a wireless client establishes a connection using an SSID (Service Set Identifier) configured with both WPA-Enterprise security and a User-Group that utilizes a RADIUS server for authentication, certain dynamic management capabilities come into play. One of these capabilities is the RADIUS Change of Authorization (COA) mechanism.

 

The RADIUS COA functionality allows for real-time modifications to a user's network access sessions. Specifically, it can be used to abruptly disconnect a user's active session. This can be valuable in situations where an immediate termination of a user's access is necessary due to security concerns or policy violations.

 

However, for FortiGate to effectively leverage this COA feature and identify which specific session to terminate, it requires specific attributes from the RADIUS server. These attributes serve as unique identifiers for the session in question, ensuring the right session is targeted. Without these precise attributes, FortiGate would be unable to correctly identify and subsequently disconnect the relevant wireless client session.


These two attributes are 'Framed_IP_Address' and 'User_Name'.

Note: for an SSID using WPA-Enterprise with a User Group, and for Captive Portal, USER_NAME and FRAMED_IP_ADDRESS have to be sent together in the Disconnect request; if either one is missing, FortiGate cannot identify the session and the request is answered with a Disconnect-NAK.

FortiOS (FOS) radius-coa supports the following attributes in each scenario:

 

1. WPA-Enterprise & RadiusServer:

 

USER_NAME: Represents the username of the client attempting to authenticate.
NAS_IP_ADDRESS: Stands for Network Access Server IP Address. It identifies the IP address of the device requesting authentication.
FRAMED_IP_ADDRESS: Specifies the IP address to be configured for a user.
CALLING_STATION_ID: Usually indicates the MAC address of the user trying to authenticate, particularly in wireless scenarios.
NAS_IDENTIFIER: A string that identifies the NAS originating the request. This is more of a friendly name or description than an address.
ACCT_SESSION_ID: A unique identifier generated by the NAS to distinguish between different sessions from the same user.
EVENT_TIMESTAMP: Indicates the time at which a particular event (like login or logout) occurred.
MESSAGE_AUTHENTICATOR: A field used to ensure the integrity and authenticity of a RADIUS message.

 

2. WPA-Enterprise & UserGroup and Captive Portal:

USER_NAME: (As above) Represents the username of the client attempting to authenticate.
FRAMED_IP_ADDRESS: (As above) Specifies the IP address to be configured for a user.
EVENT_TIMESTAMP: (As above) Indicates the time at which a particular event occurred.
MESSAGE_AUTHENTICATOR: (As above) A field used to ensure the integrity and authenticity of a RADIUS message.

In summary, these attributes are the building blocks of RADIUS communication. Depending on the context in which RADIUS is used (like WPA-Enterprise authentication or captive portal access), different attributes become relevant.
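As an added illustration (this is not code from the article or from Fortinet), the following Python builds a RADIUS Disconnect-Request carrying the attributes listed above and refuses to build one that lacks USER_NAME and FRAMED_IP_ADDRESS together, the condition that leaves FortiGate unable to match the session. The attribute type numbers and the two authenticator computations follow RFC 2865, RFC 2869 and RFC 5176; the shared secret, username, client IP and timestamp are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS attribute type numbers (RFC 2865/2866/2869), named as in the lists above
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31
NAS_IDENTIFIER, ACCT_SESSION_ID, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR = 32, 44, 55, 80
DISCONNECT_REQUEST = 40                             # packet code, RFC 5176
REQUIRED_TOGETHER = (USER_NAME, FRAMED_IP_ADDRESS)  # both needed to match the session

def encode_attr(atype, value):
    """Type(1) Length(1) Value; IP addresses and Event-Timestamp are sent in binary form."""
    if atype in (FRAMED_IP_ADDRESS, NAS_IP_ADDRESS):
        raw = socket.inet_aton(value)
    elif atype == EVENT_TIMESTAMP:
        raw = struct.pack("!I", int(value))
    else:
        raw = value if isinstance(value, bytes) else value.encode()
    return bytes([atype, len(raw) + 2]) + raw

def missing_session_attrs(attrs):
    """Types from REQUIRED_TOGETHER absent from attrs, i.e. what would draw a Disconnect-NAK."""
    present = {atype for atype, _ in attrs}
    return [a for a in REQUIRED_TOGETHER if a not in present]

def build_disconnect_request(secret, ident, attrs):
    """Build a Disconnect-Request, refusing to build one the FortiGate could not match."""
    missing = missing_session_attrs(attrs)
    if missing:
        raise ValueError(f"missing attribute types {missing}: session cannot be identified")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body) + 18)
    # Message-Authenticator: HMAC-MD5 over the packet with the Request Authenticator field
    # and the Message-Authenticator value both taken as sixteen zero octets (RFC 5176, 3.2)
    zeroed = header + bytes(16) + body + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    body += encode_attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, zeroed, hashlib.md5).digest())
    # Request Authenticator: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_attrs(packet):
    """Decode the attribute list of a RADIUS packet into (type, raw value) pairs."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out
```

Run parse_attrs on a Disconnect-Request captured from the RADIUS server to confirm that types 1 and 8 are both present before looking elsewhere for the cause of a NAK.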
