Hello Alan, Thanks for reply. > CoA is about changing authorization. i.e. "change from 10Mbps to 100Mbps". It's not about reauthenticating subscribers. > > If you want to reauthenticate subscribers, you have to use disconnect messages. There are no provisions for reauthenticating users while keeping their connection "up". > > The underlying protocols simply don't work that way, and don't support it. It's impossible. Actually it’s not 100% true. Many NAS vendors support CoA in a way to reauthenticate session without disconnect. For example Cisco/Meraki supports CoA with special VSA 'subscriber:command=reauthenticate’ to force dot1x auth process for existing client session. As from Meraki documentation: > When the server sends a CoA request, the client is not completely disassociated from its RADIUS session. Instead, the AP sends a new EAP request to the client to reauthenticate Anyway if there are any other options (not with RADIUS - like wpa_cli or ubus) to reauth the client session - it would be great to hear them. Thanks in advance! Kind regards, Daniil Sliusar > On 1 Sep 2022, at 00:19, Alan DeKok <aland@xxxxxxxxxxxxxxxxxxx> wrote: > > On Aug 31, 2022, at 11:55 AM, Daniil Sliusar <sliusardaniil@xxxxxxxxx> wrote: >> There is anyone who used CoA to reauthenticate subscribers without their disassoc / deauth >> from Wi-Fi network? Could you please provide an example? > > I'll speak from the RADIUS perspective. > > CoA is about changing authorization. i.e. "change from 10Mbps to 100Mbps". It's not about reauthenticating subscribers. > > If you want to reauthenticate subscribers, you have to use disconnect messages. There are no provisions for reauthenticating users while keeping their connection "up". > > The underlying protocols simply don't work that way, and don't support it. It's impossible. > >> I'm confused about the RADIUS CoA interface, that was implemented in commit "HS 2.0: CoA-Request >> processing for Terms and Conditions filtering" (f456940ef359b420b54df2f2578b49c6ff2baa04). >> There are no examples or any info on Google about it. We use build with CONFIG_HS20 enabled. >> >> Current examples: >>>> echo "Calling-Station-ID=7e:1a:bb:1d:4f:33" | radclient -x IP:3799 disconnect XXXXX >> Works well. >> >> But: >>>> echo "Calling-Station-ID=7e:1a:bb:1d:4f:33" | radclient -x IP:3799 coa XXXXX >> Stuck on >>>> hostapd: DAS: No supported authorization change attribute in CoA-Request from > > I'd look at the hostap code to see what authorization changes it supports. > > But it doesn't make much sense to say "Change authorization for user X", and then have no *new* authorization attributes in the packet. hostap is correct to complain here. > > Alan DeKok. > _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
