Proxy-State in a CoA proxied request
fab junkmail
fabjunkmail at gmail.com
Fri Jun 1 10:36:25 CEST 2012
Hi All.
I have tried filtering out the Proxy-State attribute for proxied CoA in
the pre-proxy section but it does not seem to work for me. Debug mentions
the following, which makes me think it is not using the DEFAULT section
of attrs.pre-proxy:
[attr_filter.pre-proxy] expand: %{Realm} ->
++[attr_filter.pre-proxy] returns noop
(more debug in context below)
Have you got this filtering to work, Frédéric? If so, can you show me
the relevant parts of your config that show how to make it work?
Does anyone have any advice on how I can fix my config to be able to
filter out (or not add) the Proxy-State attribute for proxied CoA? I have
included relevant parts of my config and debug below.
Regards,
Anthony
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
FreeRADIUS Version 2.1.12
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
contents of sites-enabled/coa:
listen {
    type = coa
    ipaddr = *
    port = 1700
    server = coa
}
server coa {
    recv-coa {
        if ("%{NAS-IP-Address}" == "10.0.72.14") {
            update control {
                Home-Server-Pool := bng01-coa-pool
            }
        }
        if ("%{NAS-IP-Address}" == "10.0.72.15") {
            update control {
                Home-Server-Pool := bng02-coa-pool
            }
        }
        ok
    }
    send-coa {
        ok
    }
    pre-proxy {
        attr_filter.pre-proxy
        pre_proxy_log
    }
}
contents of attrs.pre-proxy:
DEFAULT
    User-Name =* ANY,
    Acct-Session-Id =* ANY,
    NAS-IP-Address =* ANY,
    Cisco-AVPair =* ANY
partial contents of modules/attr_filter:
attr_filter attr_filter.pre-proxy {
    attrsfile = ${confdir}/attrs.pre-proxy
    relaxed = no
}
!!!!!!!!!!!!!!!!!
example radsniff:
# radsniff -p 1700 -x
Device: [eth0]
PCAP filter: [udp port 1700 or 1701]
RADIUS secret: [testing123]
CoA-Request Id 239 10.0.91.203:49184 -> 10.0.91.204:1700 (1 packets) +0.000
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
CoA-Request Id 243 10.0.91.204:1814 -> 10.0.72.14:1700 (2 packets) +0.000
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
    Proxy-State = 0x323339
CoA-NAK Id 243 10.0.72.14:1700 -> 10.0.91.204:1814 (3 packets) +0.001
    Reply-Message = "Unsupported Attribute"
    Error-Cause = Unsupported-Attribute
CoA-NAK Id 239 10.0.91.204:1700 -> 10.0.91.203:49184 (4 packets) +0.001
    Reply-Message = "Unsupported Attribute"
    Error-Cause = Unsupported-Attribute
!!!!!!!!!!!!!!
example debug:
Ready to process requests.
rad_recv: CoA-Request packet from host 10.0.91.203 port 50769, id=33, length=101
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
server coa {
# Executing section recv-coa from file /etc/freeradius/sites-enabled/coa
+- entering group recv-coa {...}
++? if ("%{NAS-IP-Address}" == "10.0.72.14")
expand: %{NAS-IP-Address} -> 10.0.72.14
? Evaluating ("%{NAS-IP-Address}" == "10.0.72.14") -> TRUE
++? if ("%{NAS-IP-Address}" == "10.0.72.14") -> TRUE
++- entering if ("%{NAS-IP-Address}" == "10.0.72.14") {...}
+++[control] returns noop
++- if ("%{NAS-IP-Address}" == "10.0.72.14") returns noop
++? if ("%{NAS-IP-Address}" == "10.0.72.15")
expand: %{NAS-IP-Address} -> 10.0.72.14
? Evaluating ("%{NAS-IP-Address}" == "10.0.72.15") -> FALSE
++? if ("%{NAS-IP-Address}" == "10.0.72.15") -> FALSE
++[ok] returns ok
} # server coa
# Executing section pre-proxy from file /etc/freeradius/sites-enabled/coa
+- entering group pre-proxy {...}
[attr_filter.pre-proxy] expand: %{Realm} ->
++[attr_filter.pre-proxy] returns noop
[pre_proxy_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/freeradius/radacct/10.0.91.203/pre-proxy-detail-20120601
[pre_proxy_log] /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.0.91.203/pre-proxy-detail-20120601
[pre_proxy_log] expand: %t -> Fri Jun 1 07:58:56 2012
++[pre_proxy_log] returns ok
Sending CoA-Request of id 162 to 10.0.72.14 port 1700
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
    Proxy-State = 0x3333
Proxying request 0 to home server 10.0.72.14 port 1700
Sending CoA-Request of id 162 to 10.0.72.14 port 1700
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
    Proxy-State = 0x3333
Going to the next request
Waking up in 0.9 seconds.
rad_recv: CoA-NAK packet from host 10.0.72.14 port 1700, id=162, length=49
    Reply-Message = "Unsupported Attribute"
    Error-Cause = Unsupported-Attribute
WARNING: Empty post-proxy section. Using default return values.
server coa {
# Executing section send-coa from file /etc/freeradius/sites-enabled/coa
+- entering group send-coa {...}
++[ok] returns ok
} # server coa
Sending CoA-NAK of id 33 to 10.0.91.203 port 50769
    Reply-Message = "Unsupported Attribute"
    Error-Cause = Unsupported-Attribute
Finished request 0.
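
A check for the symptom shown in the radsniff capture above, added here as an example and not part of the original post or of FreeRADIUS: it reads the "=* ANY" allow-list from attrs.pre-proxy and reports any attribute in a CoA-Request on the wire that the list does not permit. The function names are hypothetical, and the parser assumes only "=* ANY" items and the radsniff line layout quoted in the post.

```python
import re

# Allow-list as quoted in the post's attrs.pre-proxy (indentation restored).
ATTRS_PRE_PROXY = """\
DEFAULT
    User-Name =* ANY,
    Acct-Session-Id =* ANY,
    NAS-IP-Address =* ANY,
    Cisco-AVPair =* ANY
"""
# First two packets of the radsniff capture quoted in the post.
RADSNIFF = """\
CoA-Request Id 239 10.0.91.203:49184 -> 10.0.91.204:1700 (1 packets) +0.000
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
CoA-Request Id 243 10.0.91.204:1814 -> 10.0.72.14:1700 (2 packets) +0.000
    User-Name = "test at testdomain.com"
    Acct-Session-Id = "00000016"
    Cisco-AVPair = "ip:sub-qos-policy-out=UNSHAPE"
    NAS-IP-Address = 10.0.72.14
    Proxy-State = 0x323339
"""
ITEM = re.compile(r"^\s*([\w-]+)\s*=\*\s*ANY\s*,?\s*$")
HEADER = re.compile(r"^(\S+) Id (\d+) \S+:\d+ -> (\S+):\d+")
ATTR = re.compile(r"^\s*([\w-]+)\s*=\s")

def allowed_attributes(attrs_file, entry="DEFAULT"):
    """Names listed as '<attr> =* ANY' under one entry of an attrs file."""
    allowed, active = set(), False
    for line in attrs_file.splitlines():
        item = ITEM.match(line)
        if item is None and line.strip() and not line.lstrip().startswith("#"):
            active = line.strip() == entry  # a new entry name begins here
        elif item and active:
            allowed.add(item.group(1))
    return allowed

def unexpected_attributes(capture, allowed, code="CoA-Request"):
    """(packet id, destination, attribute) for each attribute not allowed."""
    hits, current = [], None
    for line in capture.splitlines():
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:  # packet header line: track it only if the code matches
            current = head if head.group(1) == code else None
        elif current and attr and attr.group(1) not in allowed:
            hits.append((int(current.group(2)), current.group(3), attr.group(1)))
    return hits
```

Run against the two sample packets, it flags only Proxy-State in the request forwarded to 10.0.72.14, which is the attribute the poster is trying to remove.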