CoA support

[niammuddin]

Dear TOUGHRADIUS Team,

I would like to kindly request the implementation or enhancement of robust CoA (Change of Authorization) support within the TOUGHRADIUS project.

The goal is to enable dynamic, real-time updates to user sessions—such as changing bandwidth profiles, QoS policies, or service attributes—without causing any downtime or disruption to active PPPoE connections. Currently, modifying a user's profile often requires re-authentication or session termination, which results in connection drops and negatively impacts user experience.

With full CoA support, when an administrator updates a user’s service plan or network policy on the RADIUS server, TOUGHRADIUS should automatically send a CoA-Request (or CoA-NAK/CoA-ACK as appropriate) to the NAS/BAS device to update the session parameters in real time. This functionality is critical for service providers aiming to deliver seamless service upgrades or policy changes.

Key features desired:

• Real-time application of profile changes without disconnecting active PPPoE sessions.
• Support for standard CoA messages (RFC 3576 and RFC 5176), including:
  • Session modification (e.g., bandwidth update via Filter-Id, Acct-Interim-Interval, etc.)
  • Dynamic QoS updates
  • VLAN or policy changes
• Compatibility with common NAS devices (e.g., MikroTik, Cisco, ZTE, Huawei).
• Secure CoA communication over RadSec (RADIUS over TLS) where possible.

This feature will significantly enhance the operational efficiency and user experience for network operators using TOUGHRADIUS.

Thank you for your continued development and support of this powerful open-source RADIUS solution.

[jamiesun]

Hi @niammuddin,

Thank you for this detailed feature request! CoA (Change of Authorization) support is indeed a valuable addition for service providers.

Current Status

ToughRADIUS already has partial CoA support:

• ✅ Disconnect-Request Client - We can send Disconnect-Request to NAS devices to force users offline (used in admin "Force Offline" feature)
• ❌ CoA-Request Client - Not yet implemented (for real-time session attribute changes)
• ❌ Dynamic Authorization Server (DAS) - Not listening on UDP 3799

Proposed Implementation Plan

We're planning to implement a comprehensive CoA Task Scheduling System with the following features:

1. CoA Actions Support

• Bandwidth updates (Upload/Download rate changes)
• Session-Timeout modifications
• VLAN/QoS policy changes
• Disconnect (already working)

2. Task Scheduling (Like an Alarm Clock)

• One-time execution - Execute at a specific time
• Periodic execution - Cron-based scheduling (e.g., "every day at 2:00 AM")
• Approval workflow - Optional admin approval before execution for critical operations

3. Kubernetes-style Label Selector for User Targeting

Instead of targeting individual users, we'll support flexible user group selection:

# Examples
plan=gold                           # Users with gold plan
region in (east,south),vip          # VIP users in east or south region
plan in (gold,platinum),!trial      # Gold/Platinum users, excluding trial

4. Vendor Compatibility

Priority support for:

• MikroTik (already have VSA implementation)
• Huawei
• Cisco
• ZTE

Timeline

This is a significant feature. We'll break it into phases:

1. Phase 1: CoA-Request client + basic API (bandwidth/disconnect)
2. Phase 2: Task scheduling with cron support
3. Phase 3: Label selector + approval workflow
4. Phase 4: Frontend management UI

Would love to hear your feedback on this plan! Are there specific use cases or NAS devices you'd like us to prioritize?

---

Related RFC documents in our repo:

• docs/rfcs/rfc5176-coa-disconnect.txt
• docs/rfcs/rfc3576-dynamic-authorization.txt