CoA proxying again

Alan DeKok aland at deployingradius.com
Tue Sep 6 18:50:59 CEST 2011


Bjørn Mork wrote:
> I am trying to set up CoA proxying to a number of Juniper MXes.  These
> are a bit clumsy to configure as CoA servers: The CoA clients cannot be
> configured explicitly.  Instead they reuse the auth/acct configuration,
> including secret, for CoA clients.

  Hmmm...  no.  Clients are global across *all* "listen" sockets.  If
you want clients tied to a particular socket (auth/acct/coa), see the
"clients" entry in the "listen" section.  This is documented in
radiusd.conf.

> So I have a few hundred CoA servers (NASes), and 3 radius servers
> authorized as CoA clients.  Using FreeRADIUS to proxy CoA requests from
> the real CoA clients looks like a perfect solution.
> 
> My problem is that the configuration seems a bit clumsy, given that I
> cannot really change either the IP address or the secret from what's already
> there in the FreeRADIUS client definition.  It would have been ideal to
> just add a flag or whatever, saying that "this client is also a CoA
> server", and allowing direct proxy to it using some virtual attribute.

  Hmm.. so that would re-use the normal client IP && shared secret for
CoA servers?

> My current working configuration requires a separate static home_server
> and home_server_pool definition pointing to it for *each* NAS, as the
> only way I've found to redirect the CoA packets is by setting
> Home-Server-Pool.

  Yeah... that's a bit awkward.

> The documentation talks about Proxy-To-Realm as well, but I've been
> unable to find any parameter allowing me to configure a realm for
> CoA. realms only have auth{_pool,host} and acct{_pool,host} AFAICT.

  Yeah, you can't proxy to a CoA realm.

> The per client CoA configuration doesn't look like anything I can use at
> all.  If I understand it correctly, that's only for the *CoA clients*.

  Yes.

> Is this a correct view of the current (2.1.x) state of CoA proxying, or
> did I miss something?

  It's pretty much correct.

> I believe I saw a request for dynamic home servers recently.  Looks like
> that might be something for me as well. 

  Maybe.  Or, having less work to say "this client can also receive CoA
requests".

  That might be easy to add for 3.0.

  Alan DeKok.
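For readers landing on this thread looking for the "working but awkward" layout Bjørn describes, here is an added example of it in FreeRADIUS 2.1.x configuration syntax. It is not configuration from the thread, from Bjørn, or from the FreeRADIUS distribution: the addresses, secrets, NAS names, the "coa_clients" list name and the choice of NAS-IP-Address as the routing key are assumptions made for illustration. It combines Alan's pointer to the per-socket "clients" entry in the "listen" section (so only the three RADIUS servers can send CoA, not every NAS defined as a global client) with the one home_server plus one home_server_pool per NAS that the thread says is the only way to steer CoA packets via Home-Server-Pool.

```conf
# Added example (not from the thread or the FreeRADIUS distribution).
# FreeRADIUS 2.1.x syntax; addresses, names and secrets are constructed
# placeholders.

# --- sites-available/coa -----------------------------------------------
# CoA/Disconnect listener with its OWN client list.  When "clients" is
# set here, the global client list is ignored for this socket, so the
# few hundred NASes defined as ordinary auth/acct clients cannot send
# CoA through it; only the entries in "coa_clients" can.
listen {
	type = coa
	ipaddr = *
	port = 3799
	virtual_server = coa
	clients = coa_clients      # per-socket list, documented in radiusd.conf
}

# The three RADIUS servers that are authorized to originate CoA.
clients coa_clients {
	client radius1 {
		ipaddr = 192.0.2.11     # constructed
		secret = RADIUS1_SECRET # placeholder
	}
	client radius2 {
		ipaddr = 192.0.2.12
		secret = RADIUS2_SECRET
	}
	client radius3 {
		ipaddr = 192.0.2.13
		secret = RADIUS3_SECRET
	}
}

server coa {
	recv-coa {
		# Assumption: the originating RADIUS server fills NAS-IP-Address
		# with the address of the MX the request is meant for.  One
		# branch per NAS selects that NAS's dedicated pool.
		if (NAS-IP-Address == 198.51.100.1) {
			update control {
				Home-Server-Pool := "mx1_coa_pool"
			}
		}
		elsif (NAS-IP-Address == 198.51.100.2) {
			update control {
				Home-Server-Pool := "mx2_coa_pool"
			}
		}
		else {
			# No pool for this target: NAK it instead of guessing.
			reject
		}
		ok
	}
	send-coa {
		ok
	}
}

# --- proxy.conf ----------------------------------------------------------
# One home_server and one home_server_pool per NAS.  Because the MX
# reuses its auth/acct secret for CoA, the secret here must be the same
# one used in that NAS's ordinary client definition.
home_server mx1_coa {
	type = coa
	ipaddr = 198.51.100.1
	port = 3799
	secret = MX1_NAS_SECRET     # placeholder: same as the NAS client secret
	coa {
		irt = 2               # retransmission timers for CoA
		mrt = 16
		mrc = 5
		mrd = 30
	}
}
home_server_pool mx1_coa_pool {
	type = fail-over
	home_server = mx1_coa
}

home_server mx2_coa {
	type = coa
	ipaddr = 198.51.100.2
	port = 3799
	secret = MX2_NAS_SECRET
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}
home_server_pool mx2_coa_pool {
	type = fail-over
	home_server = mx2_coa
}
```

The per-socket client list is the part worth keeping even if the per-NAS home_server boilerplate later goes away: it is what stops an ordinary NAS, which must be a client for auth/acct anyway, from also being accepted as a CoA originator on the proxy.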
