RADIUS Accounting and CoA

RADIUS Accounting and CoA

Summary

RouterOS sends RADIUS accounting messages to track subscriber sessions and supports incoming Change of Authorization (CoA) and Disconnect Messages (DM) from the RADIUS server. Together these enable:

• Billing — exact session start/stop times and byte counters
• Real-time usage tracking — periodic interim-update packets during active sessions
• Dynamic policy changes — CoA lets the RADIUS server push new attributes (e.g. rate limits, ACLs) to an active session without disconnecting it
• Forced disconnect — Disconnect Messages terminate a session immediately

Accounting Messages

RouterOS sends three types of accounting packets:

Message	Sent When
Accounting-Start	Session established
Accounting-Interim-Update	Periodically during session (if configured)
Accounting-Stop	Session terminated

Enabling Accounting

PPP services:

/ppp aaa
set use-radius=yes accounting=yes interim-update=5m

DHCP server:

/ip dhcp-server
set [find name=dhcp1] use-radius=yes accounting=yes interim-update=5m

interim-update accepts:

• none — no interim updates (only Start/Stop)
• received — use the interval requested by the RADIUS server (Acct-Interim-Interval attribute)
• A time value (e.g. 5m, 1h) — override with a fixed local interval

Key Accounting Attributes

RouterOS includes these attributes in accounting packets:

Attribute	Description
Acct-Session-Id	Unique ID per session; used to correlate Start/Stop/CoA
Acct-Session-Time	Seconds since session start
Acct-Input-Octets / Acct-Output-Octets	Bytes received/sent by client
Acct-Input-Gigawords / Acct-Output-Gigawords	High-order 32 bits of octet counters (for high-volume sessions)
Acct-Terminate-Cause	Reason for session termination (e.g. User-Request, Idle-Timeout)
NAS-Port	Encoded as <type><slot><port>; identifies the access interface
NAS-Port-Id	Interface name (e.g. pppoe-out1); human-readable alternative
Calling-Station-Id	Client identifier (MAC address for PPPoE/DHCP)
Called-Station-Id	NAS interface identifier
Framed-IP-Address	IP address assigned to the client
User-Name	Authenticated username

NAS-Port Encoding

For non-DHCP services, NAS-Port is encoded as a numeric type prefix followed by interface identifiers:

Interface type	Prefix
Ethernet	1000000
Wireless	2000000
PPPoE	5000000

/radius incoming — CoA and Disconnect Messages

RouterOS implements RFC 5176 (Dynamic Authorization Extensions to RADIUS). The RADIUS server initiates unsolicited requests to the router to modify or terminate active sessions.

Enable with:

/radius incoming
set accept=yes port=3799

accept=yes is required — by default RouterOS does not listen for incoming CoA/DM.

Properties

Property	Default	Description
accept	no	Enable CoA/DM listener
port	3799	UDP port to listen on (RFC 5176 default)

Change of Authorization (CoA)

CoA-Request allows the RADIUS server to push updated attributes to a live session. RouterOS applies the new attributes without disconnecting the client.

Typical CoA use cases:

• Changing subscriber bandwidth limit (Mikrotik-Rate-Limit)
• Updating session timeout
• Applying a new filter list

The CoA-Request must identify the target session. RouterOS matches on any of:

Identifier Attribute	Example
Acct-Session-Id	00000001
Framed-IP-Address	100.64.0.5
Calling-Station-Id	AA:BB:CC:DD:EE:FF
User-Name	[email protected]

If multiple sessions match a single identifier, all matching sessions are affected. Use Acct-Session-Id for precise targeting.

Disconnect Message (DM)

A Disconnect-Request (also called Packet of Disconnect, PoD) forces immediate session termination. The client must re-authenticate.

Matching uses the same identifier attributes as CoA. Send a Disconnect-Request from your RADIUS server with the appropriate session identifier; RouterOS responds with Disconnect-ACK on success or Disconnect-NAK on failure.

Full Configuration Example

# RADIUS server — enable both accounting and CoA
/radius
add address=10.10.0.5 \
    secret=BillingSecret \
    service=ppp \
    authentication-port=1812 \
    accounting-port=1813

# PPP AAA — enable RADIUS auth + accounting with 5-minute interim updates
/ppp aaa
set use-radius=yes \
    accounting=yes \
    interim-update=5m

# Accept CoA and Disconnect Messages from RADIUS server
/radius incoming
set accept=yes port=3799

Verifying Accounting

Check active sessions with their RADIUS session IDs:

/ppp active print

Enable PPP + RADIUS logging to trace accounting packets:

/system logging
add topics=radius action=memory
add topics=ppp,accounting action=memory

View recent log entries:

/log print where topics~"radius"

Troubleshooting

No accounting packets sent

Verify accounting=yes is set in /ppp aaa (or the DHCP server). Confirm the RADIUS server’s accounting port matches /radius accounting-port.

Interim updates not arriving at RADIUS server

Check interim-update is not none. If using received, confirm the RADIUS server returns Acct-Interim-Interval in Access-Accept.

CoA-Request ignored

Confirm /radius incoming accept=yes. Verify the source IP of the CoA packet matches the configured /radius address. RouterOS only accepts CoA/DM from IPs of configured RADIUS servers.

Disconnect-NAK returned

Session may have already terminated. Check /ppp active or /ip dhcp-server lease for the session. Ensure the identifier attribute uniquely matches a live session.

Related Documentation

• RADIUS Client — Server setup and general RADIUS configuration
• RADIUS Dynamic Address Assignment — Framed-IP-Address and Framed-Pool
• ISP Subscriber Management — End-to-end PPPoE/DHCP subscriber design with RADIUS