coa proxy'ing with a NAC device

Kevin Ehlers kevin at
Tue Jul 27 22:34:11 CEST 2010

I'm having a really hard time with proxying or just dealing with
CoAs.  The documentation just isn't working for me.

I can configure the coa server.  I can get the originate-coa server up
too.  I can send CoAs to the server, but I can't get it to proxy them
or re-send them as if it was originating the CoA.  I see that they're
being processed when looking at debug mode.  But I just don't know how
to do anything with them.

This is what I want to do:
[lots of switches doing dot1x]<->[freeradius]<->[NAC device, PacketFence in this case]

I want to be able to send a CoA request from PacketFence (or another
management server) to freeradius, and have it relay that CoA to a
specific switch.  E.g. I have determined that a user needs to be
quarantined, so I run a script on the backend, and part of that
requires having that user re-authenticate and get assigned a
quarantine vlan.  PF determines which switch they're on, sends a CoA
to FreeRadius, FreeRadius then sends the CoA to the correct switch.

Is there a way to do this without configuring a client entry for every
edge device?  Should I be using the proxy.conf in some way?  I'm not
really clear about how to use the virtual servers in regard to proxying.


Kevin Ehlers
Network Engineer
University of Oregon

More information about the Freeradius-Users mailing list