RFC 3576 support

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Apr 11 13:15:38 CEST 2008


Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>   
>> Ok just the asynchronous nature of CoA requests...  It's not really the
>> server's job to process feedback from the various SNMP probes, IDSs, or
>> track changes in the authorisation of users or their equipment.
>>     
>
>   Yes.  That's what proxying is for.
>
>   
>> I guess I can see very few usage cases for CoA where the server will
>> actually make the decision to send a CoA request on its own, so why not
>> just use the client or client libraries?
>>     
>
>   If a user uses more than 2G of bandwidth, then kick them off.  This is a
> valid decision for a server to make.
>   
(that was one of the very few)
>   Forking an external program means that it's independent of the server
> core, and is more difficult to integrate with SQL, etc.
>
>   
It's useful knowing the secrets for the NAS you want to send a CoA 
request to. In which case if you are going to include CoA generation, 
it would be good to have a way of signalling the server to generate a 
CoA request.

In our implementation we're not looking to trigger CoA as a result of 
anything available in the RADIUS protocol, but instead from data 
received from the aforementioned probes and systems.
>> How were you thinking of triggering CoA events? Didn't you say there
>> were issues with an instance of the server being both a CoA proxy and a
>> CoA generator?
>>     
>
>   Yes.  If you're going to proxy CoA requests, there's no need to
> *generate* a CoA request for the one you're proxying.
>   
OK, take eduroam for example. A change in user authorisation at their 
home site may result in the generation of a CoA request for the user to 
be disconnected at the remote site; this would be proxied by the remote 
site's RADIUS server. That same server may also wish to generate its own 
CoA request for the same user, because a local IDS system / traffic 
analysis probe has detected a botnet etc. running on their equipment.

Thus you have CoA requests being proxied, and CoA requests being 
generated, both going to the same NAS. If that's not the kind of 
conflict you were talking about...?
>   On the other hand, if you're receiving an accounting request, it may
> make sense to generate a CoA request.
>
>   
>> Have to wait for vendor support *grumble*.
>>
>> Let me know when you get your trapeze kit so we can compare notes :)
>>     
>
>   Will do.
>
>   Alan DeKok.


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900



