CoA and PoD are dynamic authorization controls for active RADIUS sessions. Use them when Altostrat needs to change or terminate a user’s current session after authentication has already succeeded.
  • CoA means Change of Authorization. It asks the NAS to update an active session’s authorization.
  • PoD means Packet of Disconnect. It sends a Disconnect-Request to terminate an active session.
In the RADIUS UI, both are configured on the NAS device as CoA and PoD Replies. Dynamic authorization uses a different path from ordinary authentication. Access requests come from the NAS to Altostrat. CoA and PoD requests are sent from Altostrat toward the NAS, so the NAS must expose an inbound dynamic-authorization listener and accept the configured source, port, and secret.

Prerequisites

Before you enable CoA or PoD, confirm that:
  • The NAS supports dynamic authorization.
  • The NAS can receive dynamic authorization traffic on the configured inbound port.
  • The NAS firewall allows the message source address shown on the device page.
  • The CoA and PoD shared secret matches between Altostrat and the NAS.
  • Accounting is enabled so active sessions include the identifiers needed for disconnect workflows.

Configure CoA And PoD On A NAS

  1. Open the NAS device
     Go to Settings, select Devices, and open the NAS device.
  2. Edit the device
     Select Edit and enable CoA and PoD Replies.
  3. Enter the NAS IP address
     Use the address where the NAS accepts dynamic authorization requests.
  4. Set the inbound port
     Use the port configured on the NAS. The UI defaults to 3799.
  5. Set the secret
     Enter or generate the shared secret used for CoA and PoD messages.
  6. Allow the source address
     Configure the NAS firewall to accept messages from the source address shown in the device page.
The current UI shows 18.214.81.214 as the message source address for CoA and PoD. Use the value in the live device page if it differs.

Manual Disconnect

The user detail page can show Disconnect Session when a user has an active or recent session. When you disconnect a user, Altostrat:
  1. Finds the user.
  2. Looks up the user’s most recent NAS log.
  3. Resolves the NAS device and its CoA/PoD reply settings.
  4. Builds a Disconnect-Request using available session attributes such as User-Name, NAS-IP-Address, and Acct-Session-Id.
  5. Sends the request to the NAS using the configured NAS IP, port, and secret.
  6. Writes the disconnect attempt to NAS logs.
If recent session attributes are missing, the disconnect request may fail even when CoA and PoD are enabled.
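
The following added example (not Altostrat's code) builds a Disconnect-Request in the RFC 5176 wire format with the three session attributes named above, and shows how the shared secret is bound into the packet authenticator, which is why a secret that differs by a single character causes the request or the reply to fail verification. The secret, username, address and session ID are constructed sample values, and `build_reply` is a hypothetical stand-in for the NAS.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44  # attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident, secret, user, nas_ip, session_id) -> bytes:
    """Build a Disconnect-Request carrying the three session identifiers."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator: MD5 over the packet with 16 zero octets in the
    # authenticator field, followed by the shared secret.
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator with the local secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the NAS: an attribute-less ACK or NAK."""
    header = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator covers the Request Authenticator of the request.
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Sender-side check that the ACK/NAK was produced with the same secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values (documentation address range, made-up session ID).
SECRET = b"constructed-shared-secret"
REQUEST = build_disconnect_request(7, SECRET, "alice", "192.0.2.10", "0000A1B2")
```

Running `request_is_authentic(REQUEST, SECRET + b" ")` returns `False`: a trailing space pasted into the secret field is enough to make verification fail on the receiving side.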

CoA Versus PoD

| Control | RADIUS packet | What you use it for |
| --- | --- | --- |
| Packet of Disconnect | Disconnect-Request | Terminate a user’s active session so the NAS forces the client off or requires a new login. |
| Change of Authorization | CoA-Request | Ask the NAS to change authorization for an active session, such as applying a different role, filter, or rate limit when the NAS supports it. |

The NAS answers dynamic authorization requests with an acknowledgement or a negative acknowledgement. Use the NAS dashboard, user dashboard, and device-side logs together when you need to tell whether the packet was sent, accepted, rejected, or ignored by the device.

Quota-Triggered Disconnects

When quota attributes are configured on groups, the quota worker checks usage against accounting data. If a user crosses the effective quota, Altostrat can dispatch a disconnect job for that user. Top-ups increase the user’s effective allowance. If a top-up brings the user back within allowance, the quota marker is recalculated. Use quota-triggered disconnects only when:
  • Accounting is reliable.
  • The NAS sends interim updates often enough for your enforcement window.
  • CoA and PoD settings are configured on the NAS.
  • Operators understand how top-ups affect the allowance.
If the user has multiple quota-enabled groups, the lowest group quota is the effective quota. Top-ups add allowance on top of that effective quota and recalculate whether the user is still exceeded.

Monitoring Dynamic Authorization

Dynamic authorization activity appears in logs and metrics as admin request activity. Where packet details are available, the platform records Disconnect and CoA request type, username, workspace, organization, and NAS context. Use:
  • The NAS dashboard to review device-scoped logs.
  • The user dashboard to confirm the session state.
  • Live View to inspect nearby authentication and accounting events.

Troubleshooting

If manual disconnect or quota disconnect does not work:
  • Confirm the NAS IP address is reachable from the message source address.
  • Confirm the inbound port is open. The default is 3799.
  • Confirm the secret matches exactly.
  • Confirm accounting is sending Acct-Session-Id.
  • Confirm accounting Start, Stop, and Interim-Update packets are enabled if you rely on session and quota enforcement.
  • Confirm the user has a recent NAS log.
  • Confirm the NAS supports Disconnect-Request for the access technology in use.
  • Confirm the NAS supports CoA-Request before expecting an in-place authorization change.
  • Confirm the NAS firewall allows the source address shown in the UI.
CoA and PoD are live session controls. Test on one device and one user before enabling them broadly.