Proxy-State in a CoA proxied request
FGABUT at neotelecoms.com
Sun Apr 29 09:22:40 CEST 2012
Le 29 avr. 2012 à 09:05, Alan DeKok a écrit :
> Frédéric Gabut-Deloraine wrote:
>> But there is a problem : the two cisco routers don't support the Proxy-State attribute and send me a very clear message :
> The router shouldn't support Proxy-State. They don't need to.
> But they shouldn't *drop* the packet when they receive a Proxy-State
They don't drop the packet but consider the request as an "Invalid-Request" and return a Disconnect-NAK as shown below :
>> fgabut at savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234
>> Sending Disconnect-Request of id 138 to a.b.c.d port 3799
>> NAS-IP-Address = x.x.x.x
>> User-Name = "xxx at nautile.nc"
>> rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, length=47
>> Reply-Message = "No Matching Session"
>> Error-Cause = Invalid-Request
> And there's no Proxy-State attribute there, or *ANY OTHER* session
> information. What is this command supposed to test?
That was supposed to show the "Invalid-Request" answer from the router.
>> I can't find any option to not use the attribute 33 (Proxy-State) in the process of matching the session on the router. So I guess the only solution left is to filter the Proxy-State directly on the exit of the radius proxy.
> See the "attr_filter" module.
>> The RFC3576 states that :
>> When using a forwarding proxy, the proxy must be able to alter the
>> packet as it passes through in each direction. When the proxy
>> forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
>> Attribute, and when the proxy forwards a response, it MUST remove
>> its Proxy-State Attribute if it added one.
> That has been replaced by RFC 5176. Which has similar text.
>> So I was wondering if there were any option to disable the add of the attribute Proxy-State when the radius server proxyfies a CoA request ? I think that the usual attr filter method won't fit there.
> No. But you can delete it before the packet is sent. See "attr_filter".
Ok, I thought that attr_filter wouldn't help me because I thought that Proxy-State was added just before going on the wire. I have tried briefly and gave up. I'll try again.
> My $0.02 is to file a bug with Cisco, and tell them that their
> software is broken. RFC 5176 Section 3.1 says that the NAS is supposed
> to echo back Proxy-State from the request to the reply. Discarding the
> packet means that this is impossible.
> The Cisco NAS is violating the RFCs.
I totally agree, however it's often easier to fix the origin of the bug than the bug itself with network vendors ;-).
NEO TELECOMS - AS8218
21 rue La Boetie
Tel : +33 1.49.97.07.47
Mob : +33 6.15.07.10.30
skype : fgabutdeloraine
More information about the Freeradius-Users