coa proxy'ing with a NAC device

Alan DeKok aland at
Thu Jul 29 09:05:34 CEST 2010

Kevin Ehlers wrote:
>  I'm having a really hard time with proxying or just dealing with
> CoA's.  The documentation just isn't working for me.

  Well... it's as clear as we know how.

> I can configure the coa server.  I can get the originate-coa server up
> too.  I can send CoA's to the server, but I can't get it to proxy them
> or re-send them as if it was originating the CoA.  I see that they're
> being processed when looking at debug mode.  But I just don't know how
> to do anything with them.

  See raddb/sites-available/coa.  It says you can set Proxy-To-Realm in
order to proxy the packets.  This is *exactly* like setting
Proxy-To-Realm for any other packet.

	recv-coa {
		update control {
			Proxy-To-Realm := "foo"
		}
	}

> I want to be able to send a CoA request from PacketFence (or another
> management server) to freeradius, and have it relay that CoA to a
> specific switch.  E.g. I have determined that a user needs to be
> quarantined, so I run a script on the backend, and part of that
> requires having that user re-authenticate and get assigned a
> quarantine vlan.  PF determines which switch they're on, sends a CoA
> to FreeRadius, FreeRadius then sends the CoA to the correct switch.

  That should work.  It's been tested...

> Is there a way to do this without configuring a client entry for every
> edge device? 

  No.  RADIUS requires a shared secret for every edge device.
FreeRADIUS can do networks (192.168/16), but that's about it.

> Should I be using the proxy.conf in some way?  I'm not
> really clear about how to use the virtual servers in regard to proxying.

  You don't.  They're independent.  You configure virtual servers.  You
configure home servers.  You tie them together with Proxy-To-Realm.

  Alan DeKok.
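An added worked configuration, not from this thread or from the FreeRADIUS distribution, that wires together the pieces Alan names: client entries for PacketFence and the switches, a CoA home server, pool and realm per switch, and a recv-coa section that sets Proxy-To-Realm. All addresses, secrets and names are assumed placeholders.

```conf
# clients.conf (assumed): PacketFence and every switch that will receive
# a relayed CoA need a client entry; a network client covers a range of
# switches with one shared secret.
client packetfence {
	ipaddr = 192.0.2.5              # assumed PacketFence address
	secret = pf-secret-placeholder
}
client 192.168.0.0/16 {
	secret = switch-secret-placeholder
	shortname = edge-switches
}

# proxy.conf (assumed): a CoA home server, pool and realm per switch.
home_server switch-a-coa {
	type = coa
	ipaddr = 192.168.10.1           # assumed switch address
	port = 3799
	secret = switch-secret-placeholder
}
home_server_pool switch-a-coa-pool {
	type = fail-over
	home_server = switch-a-coa
}
realm switch-a {
	coa_pool = switch-a-coa-pool
}

# sites-enabled/coa (assumed): the CoA from PacketFence carries the
# target switch in NAS-IP-Address; map it to a realm and the proxy
# logic forwards the packet to that realm's CoA home server.
server coa {
	listen {
		type = coa
		ipaddr = *                  # listen on all addresses
		port = 3799
	}
	recv-coa {
		if (NAS-IP-Address == 192.168.10.1) {
			update control {
				Proxy-To-Realm := "switch-a"
			}
		}
		ok
	}
}
```

Each additional switch gets its own home_server, pool and realm plus an elsif branch in recv-coa; only hosts with a client entry can submit CoA packets to the listener in the first place.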
