CoA Over TLS (radsec) Support
Hi, Radius clients who are behind NAT can successfully initiate traffic to radius server over freeradius proxy. Can radius server initiate traffic for CoA requests to clients which are behind NAT over freeradius (via already established TLS connection with the clients) ? Does freeradius support CoA-Requests over tls? (RFC 3576 - RFC 5176) I have found a similar question which sent to mail list at 2014. ( http://lists.freeradius.org/pipermail/freeradius-users/2014-June/072715.html ) Can i learn if it is not supported still? Thanks for replies.
On Jan 9, 2018, at 9:43 AM, Yusuf Güngör <1yusufgungor@gmail.com> wrote:
Radius clients who are behind NAT can successfully initiate traffic to radius server over freeradius proxy.
Can radius server initiate traffic for CoA requests to clients which are behind NAT over freeradius (via already established TLS connection with the clients) ?
No. There is no standard specification for this behaviour. No RADIUS server *or* NAS supports it.
Does freeradius support CoA-Requests over tls? (RFC 3576 - RFC 5176)
According to the docs and config files... yes.
I have found a similar question which sent to mail list at 2014. ( http://lists.freeradius.org/pipermail/freeradius-users/2014-June/072715.html )
Can i learn if it is not supported still?
Feel free to send patches. But the larger question is why? And what NAS supports this? You can add this to FreeRADIUS all you want, but nothing else supports it. So it's a cute idea, but utterly useless in practice. Alan DeKok.
Hi Alan, Thanks for the quick reply. We have APs which located at different locations. APs are behind nat. Clients authenticated over cloud radius server. But the radius server can not make CoA requests to APs if there is not firewall rules exist. For some reason we can not add firewall rules to forward CoA port to APs. Using the same TLS connection is not a must for us if there exists any other methods to send CoA requests to APs. So, can we use freeradius as proxy to achieve this purpose? Thanks. 9 Oca 2018 6:09 PM tarihinde "Alan DeKok" <aland@deployingradius.com> yazdı: On Jan 9, 2018, at 9:43 AM, Yusuf Güngör <1yusufgungor@gmail.com> wrote:
Radius clients who are behind NAT can successfully initiate traffic to radius server over freeradius proxy.
Can radius server initiate traffic for CoA requests to clients which are behind NAT over freeradius (via already established TLS connection with the clients) ?
No. There is no standard specification for this behaviour. No RADIUS server *or* NAS supports it.
Does freeradius support CoA-Requests over tls? (RFC 3576 - RFC 5176)
According to the docs and config files... yes.
I have found a similar question which sent to mail list at 2014. ( http://lists.freeradius.org/pipermail/freeradius-users/ 2014-June/072715.html )
Can i learn if it is not supported still?
Feel free to send patches. But the larger question is why? And what NAS supports this? You can add this to FreeRADIUS all you want, but nothing else supports it. So it's a cute idea, but utterly useless in practice. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jan 9, 2018, at 10:42 AM, Yusuf Güngör <1yusufgungor@gmail.com> wrote:
We have APs which located at different locations. APs are behind nat.
That's nice... you already said that.
Clients authenticated over cloud radius server. But the radius server can not make CoA requests to APs if there is not firewall rules exist. For some reason we can not add firewall rules to forward CoA port to APs.
Yes, that's what the email was about. Why are you saying it again?
Using the same TLS connection is not a must for us if there exists any other methods to send CoA requests to APs.
Use IPSec.
So, can we use freeradius as proxy to achieve this purpose?
No. This isn't a FreeRADIUS problem. It's a networking problem. You can't route packets to clients behind a NAT. No amount of poking the RADIUS server will change that. Because RADIUS doesn't do routing. It does RADIUS. Use IPSec between the NAS and RADIUS server. You've then solved the routing problem, and RADIUS can use normal network routing to get packets from A to B. i.e. if you deploy a broken network, don't try to fix it with RADIUS. Fix the network. RADIUS will then work. Alan DeKok.
participants (2)
-
Alan DeKok -
Yusuf Güngör