Originate CoA Request After Receiving Access-Accept

Okis Chuang okischuang at outlook.com
Sat Apr 27 07:41:26 CEST 2013 

> Okis Chuang wrote:

> > From the originate-coa documentation, it seems I can?t originate 

> > coa-request at the section of pre-proxy or post-proxy.

> >

> > It?s documented, pretty clear.

> 

>   It's nice to hear that the documentation helps. :)

        

        I thought docs are very helpful at most of time. :p

 

> > I?m not sure whether it is the cause of my following questions.

> 

>   It is.

> 

> > But what if I need two steps below finished continually both in the 

> > same

> > move:

> >

> > 1.      **proxy** auth request to other AAA dispatcher(also FreeRADIUS)

> > to decide where to authenticate.

> 

>   That's easy.

> 

> > 2.      Getting Access-Accept in post-auth, then originate coa request

> > at once in order to change redirect profile to forward profile for 

> > subscriber.

> 

>   That's hard.  At least with "originate-coa".

 

        So.. the core concept of *originate-coa* is just "proxy-the-coa"
instead of initiating a coa request?

 

> 

>   The short answer is that you can run "radclient" as an external 

> program from the post-proxy section.  It's ugly, but it will work.

>  

        Hmm..that is indeed an alternative, but like you said, it's kind of
not a neat way to achieve my goal.

        And I'm worrying that might have some performance issue if supposed
I will have high traffic.

 

> > But I got the warning that **cannot proxy and originate CoA packets 

> > at the same time**.

> 

>   Yes.  We're looking into fixing that for 3.0.

        

        No offense, I'm curious that why can't view these two request:
"Proxy-Auth Request" and "CoA Request" as two independent request?

        Or this is about some kind of concern on designation? I thought that
was intuitive until I saw the result and got your kind but hopeless response
: (

 

> > Actually I move the coa origination to my AAA dispatcher, it also 

> > can?t works and occurs the same warning.(It makes sense because both 

> > are doing coa request after proxying auth request I guess.

> 

>   Originating a CoA packet is really proxying it.  And the server 

> can't proxy to two different destinations.

        

        Ok. I got your point.

> > So here are my questions:

> >

> > 1.      Does this flow works possibly in my scenario? I mean can I

> > originate coa at once after getting Access-Accept?

> 

>   Not today.

 

        Does this would be a difficult demand? 

> 

> > 2.      What if I set a **virtual coa server** for receiving coa request

> > from itself, then send to gateway at the section of

> 

>   That won't change anything.

> 

>   It may be easy to originate CoA packets *after* proxying.  Just so 

> long as it doesn't do both at the same time.

 

        What do you mean *after*? The next any-kind-of request?

        But I really need they do it in the same sequence. It a bit upset
me.

 

>   I'll see if I have time to look into it.

        

        Thanks Alan! Thanks your contribution and devotion to FreeRADIUS. 

        It's really impressive. Not a compliment at all. lol

 

>   Alan DeKok.

> 

> 

> ------------------------------

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130427/f21b9dbd/attachment-0001.html>

More information about the Freeradius-Users mailing list