Due to the way that RADIUS protocol works, the access controller (NAS, hotspot, ppp server,...) acts autonomously and only sends request to RADIUS at log-on time and then (optional) updates at intervals during the session life - the /end/ of session is set by radius only at 'log on' time in the 'authentication reply' message (e.g. 'disconnect session when data transfer exceeds 'x', or disconnect the session after 'y' minutes) Once the session is started, traditional radius has no way to /initiate/ session termination after the customer auth is approved.
There are two ways to cause a session disconnect after the session has been started :
1. instruct the client to disconnect (either log on to the client device and terminate the session, or power cycle the CPE device)
2. instruct the NAS router to terminate the request - for example, log on to the router and terminate the relevant connection.
DuxAdmin provides two methods to achieve the second option - both of these options require some configuration in duxAdmin and the NAS router:
a) MikroTik API call - only supported for RouterOS access controller devices. View ''detail" log of radius 'usage' report, and click on the red 'stop' icon beside the active session. This action will cause duxAdmin to connect to the NAS Router address recorded under 'devices' configuration, and log on to routerOS API with username 'duxadmin' and the same password as set for device VPN connection to duxAdmin infrastructure.
b) Radius 'CoA' (change of Authority) - supported by many modern NAS devices (including MikroTik) CoA can cause duxRadius to initiate a disconnect action by sending a disconnect control message to the access controller. In such cases, session disconnect triggers can be set via the access plan matching the active session - look for 'CoA triggers' under 'advanced' section of the access plan configuration panel in DuxAdmin. For CoA to work, the access controller router must be configured to accept Radius CoA messages (for MikroTik, it is called 'Radius Incoming', configured under 'radius' menu in winbox/routerOS) When active, the 'disconnect session' action described in point a) above is implemented via CoA message rather than RouterOS API.
I hope it offers sufficient guidance - further questions are welcome! Contact
us