Filtering out Proxy-State in COA to fix broken Cisco NAS

Alan DeKok aland at deployingradius.com
Fri Aug 10 14:12:35 CEST 2018


On Aug 8, 2018, at 9:19 PM, Fraser McGlinn <fraser at frizianz.com> wrote:
> 
> Trying to get COA proxying working with a Cisco NAS. Unfortunately they have a broken implementation where if Proxy-State is in the request it drops it.

  That's based on a naive reading of RFC 5176.  Happily, my new draft clarifies this.  It should be an RFC this year:

https://tools.ietf.org/html/draft-ietf-radext-coa-proxy-03

> I dug and found this old thread http://lists.freeradius.org/pipermail/freeradius-users/2012-April/060456.html implying that we can filter out Proxy-State in attr_filter, however i've had some issues getting this working. Although this was relevant to freeradius 2x, i'm running 3.0.16.
> 
> Any other ways to achieve this? Hoping someone can point me in the right direction.

  You can delete the Proxy-State attribute in the "pre-proxy" section:

pre-proxy {
	...
	update proxy-request {
		Proxy-State !* ANY
	}
	...
}

  Hope that helps.

  Alan DeKok.




More information about the Freeradius-Users mailing list