Proxy CoA packet from network control to NAS (same as CoA server) configs in case of many many NASes.

Sergey Komarov sergey.komaroff at gmail.com
Thu Jul 16 10:19:08 CEST 2015


Hello, Freeradius team and users community!


First of all thanks to all creators of FreeRadius! It makes a lot of people
happy )

I use FreeRadius 3.0.9 built from source on CentOS 6. Everything is
fine. But I still can't find some details in documentation. So I need short
comments to clarify.

My pain. I have about 800 NASes in our network and all of them are home
servers (CoA servers) (no redundancy due to small areas for each NAS). I do
proxy CoA from my network control server (CoA client) to NASes that at the same
time are CoA servers (Cisco WLCs), and the configuration below works with a small
trick, but as I expected. I named my home server pools with the same name as the "IP"
address and it helps me to avoid additional operations; it's good anyway.

My question is whether I have any chance to simplify the configuration and avoid
writing 800 home servers and home server pools (each pool still one server
unfortunately)? I understand that the templates technique may simplify home
server sections a little bit, but I still need 800 home servers and 800 home
server pools? :(

I've tried to use clients.conf and derive home servers from that section as
announced in 3.0.7. It would simplify things, but I can't proxy to such kind of
unnamed home server (or can I? This is what I didn't find in any docs either.
Sorry).

As I understand, NAS and CoA server can be the same if I add a section
in clients.conf. If it is possible to identify this CoA server somehow and
send the proxy packet to the exact server (in my case IP same as NAS IP), it would
be nice.

1. Could you please tell me if there is a way to send a proxy packet to such an
unnamed home server (derived from clients) based on the IP of my NAS? I've
tried to use Packet-DST-IP-Address = "%{NAS-IP-Address}" together with
Packet-Dst-Port = 1700 or without it, but it seems it doesn't work. Freeradius
in debug writes a random port number and a message like "home server
10.56.33.174 doesn't exists". Later I read in docs that I can't add a name to
such unnamed home servers, so I can't use such home servers in combination
with pools (for example) and then use Home-Server-Pool :=
"%{NAS-IP-Address}"...

2. Is there any way to use something in the coa section like update control
Home-Server := "%{NAS-IP-Address}" or some other option to proxy CoA
packets to the NAS/CoA server?

Have I missed some important part?

Sorry in advance if this is an awkward moment. Thank you in advance for your
help!


Best Regards, Sergey Komaroff


How it works now:

---sites-enabled/coa---------------------------------

server coa {
        recv-coa {
                suffix
                update control {
                        # It works:
                        Home-Server-Pool := "%{NAS-IP-Address}"

                        # Tested to switch to this but it makes error
                        # "home server X.X.X.X not found" when home server
                        # derived from clients.conf
                        # Packet-DST-IP-Address = "%{NAS-IP-Address}"
                        # Packet-DST-Port = 1700
                }
                #  Insert your own policies here.
                ok
        }

        send-coa {
                #  Sample module.
                ok
        }
}

----------------clients.conf------------------------

client wlc_1 {
        ipaddr          = 10.56.33.174
        secret          = secret
        nas_type        = cisco
        coa_server      = wlc1
}

client wlc_2 {
        ipaddr          = 10.56.33.190
        secret          = secret
        nas_type        = cisco
        coa_server      = wlc2
}

client wlc_3 {
        ipaddr          = 10.0.249.253
        secret          = secret
        nas_type        = cisco
        coa_server      = wlc3
}

......
----------------proxy.conf------------------------

home_server wlc1 {
        type = coa
        ipaddr = 10.56.33.174
        port = 1700
        secret = secret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

home_server wlc2 {
        type = coa
        ipaddr = 10.0.249.253
        port = 1700
        secret = secret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

home_server wlc3 {
        type = coa
        ipaddr = 10.56.33.190
        port = 1700
        secret = secret
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        check_interval = 30
        num_answers_to_alive = 3
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}
.....
home_server_pool 10.56.33.174 {
        home_server = wlc1
}
home_server_pool 10.0.249.253 {
        home_server = wlc2
}
home_server_pool 10.56.33.190 {
        home_server = wlc3
}
.....
-----------------------------------------------------------------------------------
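The post's pain point is writing 800 near-identical home_server, home_server_pool and client stanzas by hand, with the pool name required to equal the NAS address so that `Home-Server-Pool := "%{NAS-IP-Address}"` in recv-coa resolves. The generator below is an added example, not code from the post or from the FreeRADIUS project: it reads a constructed `name,ipaddr,secret` inventory (the three WLCs of the post with hypothetical per-device secrets), validates it, and emits the stanzas with exactly the option values shown above. `pool_for_nas_ip` mirrors the lookup the coa virtual server performs, returning None for an address with no pool, which is the "home server ... doesn't exist" case the post describes. The inventory format, the secrets and all function names are assumptions of this example.

```python
"""Generate the per-NAS clients.conf and proxy.conf stanzas of the post from
an inventory table (added example; option values copied from the post)."""

import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inventory: the three WLCs of the post, with hypothetical
# per-device secrets (one secret shared by all NASes means one leaked device
# exposes every CoA server). In practice read this from a file or a CMDB.
SAMPLE_INVENTORY = """\
name,ipaddr,secret
wlc1,10.56.33.174,S3cret-wlc1
wlc2,10.56.33.190,S3cret-wlc2
wlc3,10.0.249.253,S3cret-wlc3
"""

# Section names: keep to characters that need no quoting in the config files.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass(frozen=True)
class Nas:
    name: str
    ipaddr: str
    secret: str


def parse_inventory(text: str) -> List[Nas]:
    """Parse name,ipaddr,secret rows; reject bad addresses or names,
    secrets that are not one unquoted token, and duplicate names/addresses."""
    nases, seen_names, seen_ips = [], set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        name = row["name"].strip()
        ipaddr = str(ipaddress.ip_address(row["ipaddr"].strip()))  # raises on junk
        secret = row["secret"].strip()
        if not NAME_RE.match(name):
            raise ValueError(f"bad section name: {name!r}")
        if not secret or any(c.isspace() or c in "\"'" for c in secret):
            raise ValueError(f"secret for {name} must be a single unquoted token")
        if name in seen_names or ipaddr in seen_ips:
            raise ValueError(f"duplicate entry: {name} / {ipaddr}")
        seen_names.add(name)
        seen_ips.add(ipaddr)
        nases.append(Nas(name, ipaddr, secret))
    return nases


def render_client(nas: Nas) -> str:
    """One clients.conf stanza; coa_server points at the home_server below."""
    return (
        f"client {nas.name} {{\n"
        f"\tipaddr          = {nas.ipaddr}\n"
        f"\tsecret          = {nas.secret}\n"
        "\tnas_type        = cisco\n"
        f"\tcoa_server      = {nas.name}\n"
        "}\n"
    )


def render_home_server(nas: Nas) -> str:
    """One proxy.conf home_server stanza with the post's timer values."""
    return (
        f"home_server {nas.name} {{\n"
        "\ttype = coa\n"
        f"\tipaddr = {nas.ipaddr}\n"
        "\tport = 1700\n"
        f"\tsecret = {nas.secret}\n"
        "\trequire_message_authenticator = no\n"
        "\tresponse_window = 20\n"
        "\tzombie_period = 40\n"
        "\trevive_interval = 120\n"
        "\tstatus_check = none\n"
        "\tcheck_interval = 30\n"
        "\tnum_answers_to_alive = 3\n"
        "\tcoa {\n\t\tirt = 2\n\t\tmrt = 16\n\t\tmrc = 5\n\t\tmrd = 30\n\t}\n"
        "}\n"
    )


def render_pool(nas: Nas) -> str:
    """Pool named after the NAS address, so Home-Server-Pool :=
    "%{NAS-IP-Address}" in recv-coa selects exactly this server."""
    return f"home_server_pool {nas.ipaddr} {{\n\thome_server = {nas.name}\n}}\n"


def render_all(nases: List[Nas]) -> Dict[str, str]:
    """Return the text of both generated files keyed by file name."""
    return {
        "clients.conf": "\n".join(render_client(n) for n in nases),
        "proxy.conf": "\n".join(
            [render_home_server(n) for n in nases] + [render_pool(n) for n in nases]
        ),
    }


def pool_for_nas_ip(nases: List[Nas], nas_ip: str) -> Optional[str]:
    """Mirror the recv-coa lookup: which home_server does the pool named
    after this NAS-IP-Address select? None means no such pool exists."""
    return {n.ipaddr: n.name for n in nases}.get(nas_ip)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for filename, body in render_all(inventory).items():
        print(f"# ---- generated {filename} ----")
        print(body)
```

Run it with the inventory replaced by the real list of WLCs and redirect the two outputs into files that the real clients.conf and proxy.conf `$INCLUDE`, regenerating whenever a NAS is added or retired; because both files come from one table, the home_server address and the pool name can no longer drift apart, and the per-device secret never has to be typed twice.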


More information about the Freeradius-Users mailing list