CoA over inbound radsec session

Natarajan M natarajan.m at gmail.com
Mon Jul 17 14:43:03 UTC 2023


Seeing from an old thread that CoA over radsec is currently possible for
outbound radsec sessions from FreeRADIUS, while doing the same over an
existing inbound radsec tunnel still required some testing? By any
chance, did that change? If it still requires testing, I can pick up the
PR for testing and bring it back for review with tested results.

Thanks
Natarajan

On 9/14/20, 4:06 PM, "Alan DeKok" <aland at deployingradius.com> wrote:

    On Sep 14, 2020, at 8:58 AM, Vadim Cargatser (vcargats) via
    Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
    > We'd like to trigger a CoA based on an external event. Is this possible?

      Not really.

    > There was a mail thread back in 2010. I was just wondering if
    > something has been changed so far:
    > http://freeradius.1045715.n5.nabble.com/Freeradius-COA-trigger-td3204376.html

      FreeRADIUS isn't a web server, so it doesn't know that the admin
    clicked on something in a web UI.  The only way to do this is via
    RADIUS.

    > I know the basic approach is to use radclient for that scenario.
    > Unfortunately, radclient does not support TLS/RADSEC which is critical
    > for us.
    >
    > In case this is not currently possible, can we just implement
    > that? Say to allow getting external events for example from RabbitMQ?

      FreeRADIUS doesn't listen for events from RabbitMQ.  That's hard
    to add.  (Though in v4 it's likely a lot easier)

      The solution here is to use v3.0.x from GitHub, because earlier
    versions don't support CoA over TLS (oops).  Then, use radclient to
    send packets to FreeRADIUS.

      FreeRADIUS can receive the packets from radclient, and then
    forward them over TLS to another server.  See
    sites-available/coa-relay for an example.  You just have to define a
    home_server which uses TLS for CoA.

      Note that the server can only send CoA packets over connections
    to home servers.  i.e. connections where FreeRADIUS creates the
    outbound connection.

      CoA packets *cannot* be sent in the "reverse" path over TLS
    connections which the client made to FreeRADIUS.  There is no standard
    for how this should work.  I have patches, but they need testing.

      Alan DeKok.
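For the relay path Alan describes (radclient sends plain UDP CoA to FreeRADIUS, which forwards it over an outbound TLS connection to the server that owns the session), here is an added configuration sketch in the style of sites-available/coa-relay. It is not the file from the FreeRADIUS tree and not Natarajan's or Alan's config; the addresses, ports, certificate paths, and the pool and realm names are assumed, and the pool/realm wiring reproduces the coa-relay pattern from memory, so check it against the shipped file for your version.

```text
#  Added example, not the shipped sites-available/coa-relay file.

#  Outbound RADSEC connection that carries the CoA/Disconnect packets.
#  FreeRADIUS is the TLS client here: the only direction v3.0.x supports.
home_server coa-tls {
	type   = coa
	ipaddr = 192.0.2.10      # assumed address of the server owning the session
	port   = 2083            # RADSEC port (RFC 6614)
	proto  = tcp
	secret = radsec          # fixed RADSEC shared secret; TLS provides the security

	tls {
		private_key_password = whatever
		private_key_file     = ${certdir}/client.pem   # ${certdir}/${cadir} assumed defined
		certificate_file     = ${certdir}/client.pem
		ca_file              = ${cadir}/ca.pem
	}
}

home_server_pool coa-tls-pool {
	type        = fail-over
	home_server = coa-tls
}

realm coa-relay {
	coa_pool = coa-tls-pool
	nostrip
}

#  Plain-UDP listener that radclient talks to.  Only clients listed in
#  clients.conf (each with its own secret) may send packets here.
server coa-relay {
	listen {
		type   = coa
		ipaddr = 127.0.0.1   # loopback only: radclient runs on the same host
		port   = 3799
	}

	recv-coa {
		update control {
			&Proxy-To-Realm := "coa-relay"
		}
		ok
	}
}
```

Keeping the UDP listener on loopback (or restricted to a known client in clients.conf) matters because anyone who can reach it with the right secret can disconnect or re-authorize sessions.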

