COA to NAS behind proxy

Sachin Yadav sachin0235 at yahoo.com
Mon Oct 12 09:29:16 CEST 2015


Apologies for my ignorance, but that was maybe due to the mail program; I had it well decorated in Yahoo Mail :) ..... Nevertheless, I need to learn how to post to a mailing list.
My remote NAS is behind a NAT, like -
ISP =========== (222.xxx.xxx.xxx)Modem ======== (192.168.2.10)chillispot ======= (192.168.182.xxx)user
What I get at the RADIUS server is 222.xxx.xxx.xxx. So no matter what I do, the CoA will be lost at the modem itself :( ........ Is there any fix like port forward or DMZ for this?


     On Monday, October 12, 2015 3:09 AM, Alan DeKok <aland at deployingradius.com> wrote:
   

 On Oct 11, 2015, at 5:33 PM, Sachin Yadav via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I am trying to kick out the user once the monthly data limit is reached while the account-update packet is received. My setup is -
> Freeradius ====== internet =========== ISP ===== modem ===== router(running chillispot)
> At FreeRADIUS I get the public IP assigned to the modem by the ISP, and now no matter what IP I try to send the CoA packet to, it fails. I have the following entries -
> Client.confclient 0.0.0.0/0 {        secret      = xxxxx        nastype    = other        coa_server = localhost-coa}
> originate-coahome_server localhost-coa { type = coa ipaddr = localhost
> port = 3799 secret = testing1234

  You do realize that's unreadable, right?

> # rest all is default......
> 
> default (in accounting section)
>  update control    {        Tmp-Integer-0 := "%{sql:#query}"        Tmp-Integer-1 := #query}if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-Integer-1}") {
>  update disconnect {    User-Name = "%{request:User-Name}"    Acct-Session-Id = "%{Acct-Session-Id}"    NAS-IP-Address = "%{NAS-IP-Address}"}}
> 
> 
> Logs shows -
> 
> ++++[disconnect] returns ok+++- if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-Integer-1}") returns ok++-

  It helps to post the logs as *readable* text.  And not all randomly mashed together.


> if ("%{control:Tmp-Integer-1}" != 0) returns ok++[exec] returns noop[attr_filter.accounting_response]      expand: %{User-Name} -> xxxxxxxxxattr_filter: Matched entry DEFAULT at line 12++[attr_filter.accounting_response] returns updatedSending Accounting-Response of id 80 to 12x.162.x94.1x7 port 22626  WARNING: Empty pre-proxy section.  Using default return values.Sending Disconnect-Request of id 188 to 127.0.0.1 port 3799        User-Name = "xxxxxxxxxx"        Acct-Session-Id = "561ad05c00000001"        NAS-IP-Address = 192.168.182.1Finished request 0.Cleaning up request 0 ID 80 with timestamp +26Going to the next requestWaking up in 2.0 seconds.Sending Disconnect-Request of id 188 to 127.0.0.1 port 3799        User-Name = "xxxxxxx"        Acct-Session-Id = "561ad05c00000001"        NAS-IP-Address = 192.168.182.1Waking up in 4.3 seconds.Sending Disconnect-Request of id 188 to 127.0.0.1 port 3799        User-Name = "xxxxxxx"        Acct-Session-Id = "561ad05c00000001"        NAS-IP-Address = 192.168.182.1Waking up in 8.6 seconds.Sending Disconnect-Request of id 188 to 127.0.0.1 port 3799        User-Name = "xxxxxx"        Acct-Session-Id = "561ad05c00000001"        NAS-IP-Address = 192.168.182.1Waking up in 14.9 seconds.No response to CoA request sent to 127.0.0.1  Found Post-Proxy-Type  WARNING: Unknown value specified for Post-Proxy-Type.  Cannot perform requested action.# Executing group from file /etc/freeradius/sites-enabled/defaultFinished request 0.
> 
> Can someone please guide me if I am missing some conf. somewhere, or whether it is not possible considering my network topology above. Also, I have set coaport 3799 and coanoipcheck in chilli.

  You need to send the CoA packet to the NAS.  Or, to the RADIUS server which sent the Access-Request packet to you.

  Unfortunately, there's no standard for proxying CoA requests.  I've been pushing one in the IETF for ~3 years, but there's been no progress.

  Alan DeKok.
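
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch that builds the Disconnect-Request seen in the log (User-Name, Acct-Session-Id, NAS-IP-Address) as RFC 5176 defines it and verifies the authenticator on the reply. The function names, the sample values and the destination address are assumptions of this example; the destination has to be an address and port where the NAS itself is reachable, unlike the 127.0.0.1 port 3799 target in the log above.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44            # attribute types

def attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident, secret, user, session_id, nas_ip):
    """Build a Disconnect-Request carrying the three attributes seen in the log."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(ACCT_SESSION_ID, session_id.encode())
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attrs, secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(reply, request, secret):
    """Return the reply code if the Response Authenticator checks out, else None."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    # Response Authenticator = MD5(reply header, request authenticator, attrs, secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def send_disconnect(dest, request, secret, timeout=3.0):
    """Send to dest=(host, port), where the NAS must be reachable; None on failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, dest)
            reply, _ = sock.recvfrom(4096)
        except OSError:  # includes socket.timeout
            return None
    return verify_reply(reply, request, secret)

if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 (documentation range) stands in for the NAS.
    req = build_disconnect_request(188, b"example-secret", "alice",
                                   "561ad05c00000001", "192.168.182.1")
    print(send_disconnect(("192.0.2.10", 3799), req, b"example-secret"))
```

The NAS-IP-Address attribute only identifies the NAS inside the packet; where the packet goes is decided by the socket destination alone.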


  

