Proxy-State in a CoA proxied request

Frédéric Gabut-Deloraine FGABUT at neotelecoms.com
Sun Apr 29 01:52:43 CEST 2012


Hello list,

I run a very simple architecture for broadband access with 2 routers, 2 RADIUS proxies and 2 RADIUS home servers. On the side of this architecture I run a homemade script that sends PoD directly to the two routers and everything works fine.

I would like to change the direct access to the routers and have all my RADIUS messages go through the 2 proxies, including the PoD. I have upgraded to 2.1.12 because of a bug in CoA proxying, and now the PoD are handled correctly and sent to the routers through the proxy!

But there is a problem: the two Cisco routers don't support the Proxy-State attribute and send me a very clear message:

fgabut at savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234
Sending Disconnect-Request of id 138 to a.b.c.d port 3799
	NAS-IP-Address = x.x.x.x
	User-Name = "xxx at nautile.nc"
rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, length=47
	Reply-Message = "No Matching Session"
	Error-Cause = Invalid-Request

The debug message I have on the router is :

Apr 28 23:42:29.980: POD: a.b.c.d Unsupported attribute type 33 for component
Apr 28 23:42:29.980: POD: a.b.c.d user xxx at nautile.nc 0.0.0.0 sessid 0x0 key 0x0 DROPPED
Apr 28 23:42:29.980: POD: Added Reply Message: No Matching Session
Apr 28 23:42:29.980: POD: Added NACK Error Cause: Invalid Request
Apr 28 23:42:29.980: POD: Sending NAK from port 1700 to a.b.c.d/1814

I can't find any option to not use attribute 33 (Proxy-State) in the process of matching the session on the router. So I guess the only solution left is to filter the Proxy-State directly on the exit of the RADIUS proxy.

RFC 3576 states that:

      When using a forwarding proxy, the proxy must be able to alter the
      packet as it passes through in each direction.  When the proxy
      forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
      Attribute, and when the proxy forwards a response, it MUST remove
      its Proxy-State Attribute if it added one. 

So I was wondering whether there is any option to disable adding the Proxy-State attribute when the RADIUS server proxies a CoA request? I think that the usual attr filter method won't fit there.

Thanks in advance,

Best regards,

-- 
Frederic Gabut-Deloraine
Network Engineer
NEO TELECOMS - AS8218
21 rue La Boetie
75008 Paris
Tel : +33 1.49.97.07.47
Mob : +33 6.15.07.10.30
skype : fgabutdeloraine
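
Added example, not part of the original post and not FreeRADIUS code: what "filtering Proxy-State on the exit of the proxy" means at packet level. Removing attribute 33 from a Disconnect-Request changes the Length field, and the Request Authenticator is an MD5 over the whole packet plus the shared secret, so both must be recomputed before the router will accept it. Function names, the secret and the sample attribute values are constructed for illustration.

```python
import hashlib
import struct

PROXY_STATE = 33         # attribute type the router rejected in the debug log
DISCONNECT_REQUEST = 40  # RADIUS code for Disconnect-Request

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + attributes + secret), per RFC 3576."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_packet(code, ident, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs

def encode_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(blob):
    """Yield (type, value) pairs from the type-length-value attribute section."""
    pos = 0
    while pos < len(blob):
        head = blob[pos:pos + 2]
        if len(head) < 2 or head[1] < 2 or pos + head[1] > len(blob):
            raise ValueError("malformed attribute")
        yield head[0], blob[pos + 2:pos + head[1]]
        pos += head[1]

def strip_proxy_state(packet, secret):
    """Drop every Proxy-State, then recompute Length and Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    kept = b"".join(encode_attr(t, v)
                    for t, v in parse_attributes(packet[20:length])
                    if t != PROXY_STATE)
    return build_packet(code, ident, kept, secret)

def verify(packet, secret):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return packet[4:20] == request_authenticator(code, ident, packet[20:length], secret)

# Constructed sample: secret, identifier and attribute values are placeholders.
SECRET = b"testing123"
ATTRS = (encode_attr(4, bytes([192, 0, 2, 1]))      # NAS-IP-Address
         + encode_attr(1, b"user@example.net")      # User-Name
         + encode_attr(PROXY_STATE, b"\x00\x01"))   # Proxy-State added by the proxy
PROXIED = build_packet(DISCONNECT_REQUEST, 138, ATTRS, SECRET)
CLEANED = strip_proxy_state(PROXIED, SECRET)
```

A packet that also carries Message-Authenticator (type 80) would need that value recomputed as well, which this example does not do. A proxy that sends no Proxy-State has to match the router's ACK or NAK back to the original request by other means, such as the packet identifier and source port.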


