Originate CoA Request After Receiving Access-Accept

Okis Chuang okischuang at outlook.com
Sat Apr 27 07:41:26 CEST 2013

> Okis Chuang wrote:

> > From the originate-coa documentation, it seems I can?t originate 

> > coa-request at the section of pre-proxy or post-proxy.

> >

> > It?s documented, pretty clear.


>   It's nice to hear that the documentation helps. :)


        I thought docs are very helpful at most of time. :p


> > I?m not sure whether it is the cause of my following questions.


>   It is.


> > But what if I need two steps below finished continually both in the 

> > same

> > move:

> >

> > 1.      **proxy** auth request to other AAA dispatcher(also FreeRADIUS)

> > to decide where to authenticate.


>   That's easy.


> > 2.      Getting Access-Accept in post-auth, then originate coa request

> > at once in order to change redirect profile to forward profile for 

> > subscriber.


>   That's hard.  At least with "originate-coa".


        So.. the core concept of *originate-coa* is just "proxy-the-coa"
instead of initiating a coa request?



>   The short answer is that you can run "radclient" as an external 

> program from the post-proxy section.  It's ugly, but it will work.


        Hmm..that is indeed an alternative, but like you said, it's kind of
not a neat way to achieve my goal.

        And I'm worrying that might have some performance issue if supposed
I will have high traffic.


> > But I got the warning that **cannot proxy and originate CoA packets 

> > at the same time**.


>   Yes.  We're looking into fixing that for 3.0.


        No offense, I'm curious that why can't view these two request:
"Proxy-Auth Request" and "CoA Request" as two independent request?

        Or this is about some kind of concern on designation? I thought that
was intuitive until I saw the result and got your kind but hopeless response
: (


> > Actually I move the coa origination to my AAA dispatcher, it also 

> > can?t works and occurs the same warning.(It makes sense because both 

> > are doing coa request after proxying auth request I guess.


>   Originating a CoA packet is really proxying it.  And the server 

> can't proxy to two different destinations.


        Ok. I got your point.

> > So here are my questions:

> >

> > 1.      Does this flow works possibly in my scenario? I mean can I

> > originate coa at once after getting Access-Accept?


>   Not today.


        Does this would be a difficult demand? 


> > 2.      What if I set a **virtual coa server** for receiving coa request

> > from itself, then send to gateway at the section of


>   That won't change anything.


>   It may be easy to originate CoA packets *after* proxying.  Just so 

> long as it doesn't do both at the same time.


        What do you mean *after*? The next any-kind-of request?

        But I really need they do it in the same sequence. It a bit upset


>   I'll see if I have time to look into it.


        Thanks Alan! Thanks your contribution and devotion to FreeRADIUS. 

        It's really impressive. Not a compliment at all. lol


>   Alan DeKok.



> ------------------------------


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130427/f21b9dbd/attachment-0001.html>

More information about the Freeradius-Users mailing list