Proxy CoA packet from network control to NAS(same as CoA server) configs in case of many many NASes.

Brian Julin BJulin at clarku.edu
Thu Jul 16 15:30:56 CEST 2015


The problem is that the architecture of the server currently demands a home
server instance be constructed for each and every NAS receiving CoAs, and AFAICT
there's no way to build these dynamically based on arbitrary IPs encountered at runtime.

We sidestepped it and just shell out to a script to use radclient to send them.
As long as you don't have a giant volume of CoA traffic and can easily figure
out secrets for any given NAS from its IP address, that might be your best option.

e.g. to send one out when you see a special access-accept from a home server
one would:

  exec punchdhcp {
    wait = no
    input_pairs = request
    # each argument is single-quoted so the values reach the script as three separate $1 $2 $3
    program = "/etc/raddb/punchdhcp.sh '%{request:NAS-IP-Address}' '%{control:NAS-Identifier}' '%{control:Calling-Station-Id}'"
    packet_type = Access-Accept
  }

...then call the punchdhcp in unlang at the appropriate time...

...Then the script would have something like:
#!/bin/bash
# bash rather than sh: $RANDOM is bash-only. $1 = NAS-IP-Address, $3 = Calling-Station-Id
# -i picks a packet ID in 1..250, -S reads the shared secret from secret.txt (keeps it out of ps)
echo "Calling-Station-Id := $3
Aruba-Port-Bounce-Host := 5" | /bin/radclient "$1:3799" disconnect -i $((RANDOM % 250 + 1)) -s -S secret.txt

________________________________________
From: Freeradius-Users [freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org] on behalf of Sergey Komarov [sergey.komaroff at gmail.com]
Sent: Thursday, July 16, 2015 9:14 AM
To: FreeRadius users mailing list
Subject: Re: Proxy CoA packet from network control to NAS(same as CoA server) configs in case of many many NASes.

Hello Alan and colleagues,


Yes, I've tried to do so.
When I write it as you said, I get:

Waking up in 0.4 seconds.
(22) Received CoA-Request Id 187 from 10.1.1.1:17809 to 10.1.1.174:3799
length 113
(22)   User-Name = "78-6c-1c-94-d2-07"
(22)   Calling-Station-Id = "78-6c-1c-94-d2-07"
(22)   Cisco-AVPair = "subscriber:command=account-reauthenticate"
(22)   NAS-IP-Address = 10.56.33.190
(22) # Executing section recv-coa from file
/usr/local/etc/raddb/sites-enabled/coa
(22)   recv-coa {
(22)     [suffix] = noop
(22)     update control {
(22)       Packet-Dst-IP-Address := &NAS-IP-Address -> 10.56.33.190
(22)       Packet-Dst-Port := 1700
(22)     } # update control = noop
(22)     [ok] = ok
(22)   } # recv-coa = ok
*No such home server 10.56.33.190 port 14346*
(22) Not sending reply to client.
(22) Finished request
(22) <done>: Cleaning up request packet ID 187 with timestamp +5
Waking up in 0.2 seconds.

When I also add the port (Packet-Dst-Port := 1700), I get this:

Waking up in 2.9 seconds.
(13) Received CoA-Request Id 198 from 10.1.1.1:11374 to 10.1.1.174:3799
length 113
(13)   User-Name = "60-d9-c7-32-4f-02"
(13)   Calling-Station-Id = "60-d9-c7-32-4f-02"
(13)   Cisco-AVPair = "subscriber:command=account-reauthenticate"
(13)   NAS-IP-Address = 10.56.33.174
(13) # Executing section recv-coa from file
/usr/local/etc/raddb/sites-enabled/coa
(13)   recv-coa {
(13)     [suffix] = noop
(13)     update control {
(13)       Packet-Dst-IP-Address := &NAS-IP-Address -> 10.56.33.174
(13)       Packet-Dst-Port := 1700
(13)     } # update control = noop
(13)     [ok] = ok
(13)   } # recv-coa = ok
*No such home server 10.56.33.174 port 14346*
(13) Not sending reply to client.
(13) Finished request
(13) <done>: Cleaning up request packet ID 198 with timestamp +2
Waking up in 2.8 seconds.


Thank you in advance for your comments!


Best Regards, Sergey Komaroff




On Thu, Jul 16, 2015 at 3:01 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 16, 2015, at 4:19 AM, Sergey Komarov <sergey.komaroff at gmail.com>
> wrote:
> >
> > I've tried to use clients.conf and derive home servers from that section
> > as announced in 3.0.7. It would simplify but I can't proxy to such kind of
> > unnamed home server (or I can? This is what I didn't find in any docs
> > too. Sorry).
>
>   Just do:
>
>         update control {
>                 Packet-Dst-IP-Address := 192.0.2.4
>         }
>
>   which is the IP of the NAS.
>
> > 2. Is there any way to use something in coa section like update control
> > Home-Server := "%{NAS-IP-Address}" or some other options to proxy CoA
> > packets to NAS/CoA server?
>
>   Yes.
>
>   update control {
>         Packet-Dst-IP-Address := &NAS-IP-Address
>   }
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html