Handling RADIUS Disconnect and CoA Requests

Dynamic Authorization Client (DAC) initiates Disconnect-Request packet through UDP port to terminate the user session(s) on Network Access Server (NAS). It also discards all the associated session contexts.

The NAS responds with a Disconnect-ACK message if the session is identified, removed, and no longer valid. The NAS sends a Disconnect-NAK message if it is unable to disconnect the session.

This feature uses a combination of the following session keys to identify the sessions for termination:

  • 3GPP-IMSI + 3GPP-NSAPI

  • ACCT-SESSION-ID

  • CALLED-STATION-ID (DNN) + FRAMED-IP-ADDR

  • CALLED-STATION-ID (DNN) + FRAMED-IPV6-PREFIX

Important

If multiple key combination is provided for the same session, it is accepted. However, if the multiple key combination leads to multiple session contexts or non-existing session context, the behavior is non-deterministic.

The SMF supports only one session context per Disconnect-Message (DM) request. The SMF supports the following attributes in the DM request to identify the NAS and the user sessions to be terminated.

Attribute Reference Specification Encoding Type
3GPP-IMSI 3GPP 29.061 - 16.4.7.2-1 String
3GPP-NSAPI

3GPP 29.061 - 16.4.7.2-10

3GPP 29.561 – 11.3

String
Accounting-Session-Id RFC2866 String
FRAMED-IP RFC2865 - 5.1 IPV4 Address

FRAMED-IPV6-PREFIX

RFC3162

PrefixLen & String

CALLED-STATION-ID (DNN)

RFC2865 - 5.30

String

NAS-IP-Address

RFC2865 – 5.4 (optional)

String

NAS-Identifier

RFC2864 – 5.32 (optional)

String

The SMF silently discards other attributes present in the DM request if the packet decoding is successful.

The SMF supports the following attributes in the DM ACK or NAK response.

Attribute Reference Specification Encoding Type
ERROR-CAUSE RFC5176 – 3.5 Integer
REPLY-MESSAGE RFC2865 – 5.18 String

The RADIUS endpoint (radius-ep) pod supports the following error codes if the Disconnect Request is rejected by radius-ep:

  • 402 (Missing Attribute) - Triggered due to invalid key combination

  • 403 (NAS Identification Mismatch) - Triggered if NAS-IP attribute in DM request does not match the endpoint COA-NAS VIP-IP or if NAS-Identifier attribute in the request does NAS identifier configuration within RADIUS Dynamic Authorization or CoA configuration

  • 407 (Invalid Attribute) - Triggered due to format error, encode error, and so on

  • 405 (Unsupported Service) - Triggered if the request is not a disconnect request

  • 503 (Session Context Not Found) - Triggered if the session cannot be located

For more information on configuring this feature, see the Configuring the Session Disconnect Feature section.