Proxy-State in a CoA proxied request

Frédéric Gabut-Deloraine FGABUT at
Sun Apr 29 09:22:40 CEST 2012

Le 29 avr. 2012 à 09:05, Alan DeKok a écrit :

> Frédéric Gabut-Deloraine wrote:
>> But there is a problem : the two cisco routers don't support the Proxy-State attribute and send me a very clear message :
>  The router shouldn't support Proxy-State.  They don't need to.
>  But they shouldn't *drop* the packet when they receive a Proxy-State
> attribute.

They don't drop the packet but consider the request as an "Invalid-Request" and return a Disconnect-NAK as shown below :
>> fgabut at savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234
>> Sending Disconnect-Request of id 138 to a.b.c.d port 3799
>> 	NAS-IP-Address = x.x.x.x
>> 	User-Name = "xxx at"
>> rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, length=47
>> 	Reply-Message = "No Matching Session"
>> 	Error-Cause = Invalid-Request
>  And there's no Proxy-State attribute there, or *ANY OTHER* session
> information.  What is this command supposed to test?

That was supposed to show the "Invalid-Request" answer from the router.

>> I can't find any option to not use the attribute 33 (Proxy-State) in the process of matching the session on the router. So I guess the only solution left is to filter the Proxy-State directly on the exit of the radius proxy.
>  See the "attr_filter" module.
>> The RFC3576 states that :
>>      When using a forwarding proxy, the proxy must be able to alter the
>>      packet as it passes through in each direction.  When the proxy
>>      forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
>>      Attribute, and when the proxy forwards a response, it MUST remove
>>      its Proxy-State Attribute if it added one. 
>  That has been replaced by RFC 5176.  Which has similar text.
>> So I was wondering if there were any option to disable the add of the attribute Proxy-State when the radius server proxyfies a CoA request ? I think that the usual attr filter method won't fit there.
>  No.  But you can delete it before the packet is sent.  See "attr_filter".

Ok, I thought that attr_filter wouldn't help me because I thought that Proxy-State was added just before going on the wire. I have tried briefly and gave up. I'll try again.

>  My $0.02 is to file a bug with Cisco, and tell them that their
> software is broken.  RFC 5176 Section 3.1 says that the NAS is supposed
> to echo back Proxy-State from the request to the reply.  Discarding the
> packet means that this is impossible.
>  The Cisco NAS is violating the RFCs.

I totally agree, however it's often easier to fix the origin of the bug than the bug itself with network vendors ;-).

Frederic Gabut-Deloraine
Network Engineer
21 rue La Boetie
75008 Paris
Tel : +33
Mob : +33
skype : fgabutdeloraine

More information about the Freeradius-Users mailing list