Originate CoA Request After Receiving Access-Accept

Alan DeKok aland at deployingradius.com
Fri Apr 26 15:15:35 CEST 2013

Okis Chuang wrote:
> From the originate-coa documentation, it seems I can’t originate
> coa-request at the section of pre-proxy or post-proxy.
> It’s documented, pretty clear.

  It's nice to hear that the documentation helps. :)

> I’m not sure whether it is the cause of my following questions.

  It is.

> But what if I need two steps below finished continually both in the same
> move:
> 1.      **proxy** auth request to other AAA dispatcher(also FreeRADIUS)
> to decide where to authenticate.

  That's easy.

> 2.      Getting Access-Accept in post-auth, then originate coa request
> at once in order to change redirect profile to forward profile for
> subscriber.

  That's hard.  At least with "originate-coa".

  The short answer is that you can run "radclient" as an external
program from the post-proxy section.  It's ugly, but it will work.

> But I got the warning that **cannot proxy and originate CoA packets at
> the same time**.

  Yes.  We're looking into fixing that for 3.0.

> Actually I move the coa origination to my AAA dispatcher, it also can’t
> works and occurs the same warning.(It makes sense because both are doing
> coa request after proxying auth request I guess.

  Originating a CoA packet is really proxying it.  And the server can't
proxy to two different destinations.

> So here are my questions:
> 1.      Does this flow works possibly in my scenario? I mean can I
> originate coa at once after getting Access-Accept?

  Not today.

> 2.      What if I set a **virtual coa server** for receiving coa request
> from itself, then send to gateway at the section of

  That won't change anything.

  It may be easy to originate CoA packets *after* proxying.  Just so
long as it doesn't do both at the same time.

  I'll see if I have time to look into it.

  Alan DeKok.

More information about the Freeradius-Users mailing list