Proxy CoA packet from network control to NAS (same as CoA server) configs in case of many many NASes.

Sergey Komarov sergey.komaroff at gmail.com
Thu Jul 16 15:44:34 CEST 2015


Hello,


Thank you Brian! But actually what I do now is that our external network
control (CoA portal) sends these CoA packets to change users' policy (I don't
need to bind it to an Access-Request), and I wanted just to proxy it via FreeRADIUS
(to have more control over the contents of these packets and the ability to
modify something on the fly in the CoA packet later if needed, just inside
FreeRADIUS).

I understand that all home servers must be in the configs to address them
correctly, and I did that. The problem is that my home servers are in the config, but
the packet doesn't get proxied when Dst-IP is used (home server not found)...

So currently I have to send CoA directly to the NAS (I don't like this idea), or
I have to use home server pools with a name as a workaround, and that works now.
I expected that it is possible to send via Packet-Dst-IP-Address :=
&NAS-IP-Address, as Alan said to me, and I tested it, but it seems that it doesn't
find the home server in this case... BTW thank you for your scripts; I will hold
on to them for some other options, but currently this is not my case.


Best Regards, Sergey Komaroff


On Thu, Jul 16, 2015 at 4:30 PM, Brian Julin <BJulin at clarku.edu> wrote:

>
> The problem is that the architecture of the server currently demands a home
> server instance be constructed for each and every NAS receiving CoAs, and
> AFAICT there's no way to build these dynamically based on arbitrary IPs
> encountered at runtime.
>
> We sidestepped it and just shell out to a script to use radclient to send
> them. As long as you don't have a giant volume of CoA traffic and can easily
> figure out secrets for any given NAS from its IP address, that might be your
> best option.
>
> e.g. to send one out when you see a special access-accept from a home
> server one would:
>
>   exec punchdhcp {
>     wait = no
>     input_pairs = request
>     # every argument single-quoted, so a value with spaces stays one argv entry
>     program = "/etc/raddb/punchdhcp.sh '%{request:NAS-IP-Address}' '%{control:NAS-Identifier}' '%{control:Calling-Station-Id}'"
>     packet_type = Access-Accept
>   }
>
> ...then call the punchdhcp in unlang at the appropriate time...
>
> ...Then the script would have something like:
> #!/bin/bash
> # $1 = NAS-IP-Address, $2 = NAS-Identifier (unused here), $3 = Calling-Station-Id
> # $RANDOM is a bash feature (empty under plain sh), hence the bash shebang;
> # radclient options go before the server address, the secret is read from -S file.
> echo "Calling-Station-Id := $3
> Aruba-Port-Bounce-Host := 5" | /bin/radclient -i $(($RANDOM % 250 + 1)) -s -S secret.txt "$1:3799" disconnect
>
>

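As an added example (my own, not Brian's script and not anything shipped with FreeRADIUS), here is the same shell-out approach with the checks I would want before values lifted out of a RADIUS packet become arguments and stdin of radclient: the NAS address and Calling-Station-Id are validated against the shapes they must have, the shared secret is looked up per NAS from a file instead of one shared secret.txt, and the secret is handed to radclient through -S so it never appears in argv. The secrets file path (/etc/raddb/coa-secrets) and its "<nas-ip> <secret>" line format are assumptions of this example, as is the argument order (NAS-IP-Address, Calling-Station-Id, optional secrets file); the Aruba-Port-Bounce-Host payload is kept from Brian's script. The demo_secrets_file function writes constructed sample entries so everything can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the thread. Hardened "shell out to radclient" for CoA/Disconnect.
# Assumed secrets file format: one "<nas-ip> <secret>" pair per line (hypothetical path below).
COA_SECRETS_FILE="${COA_SECRETS_FILE:-/etc/raddb/coa-secrets}"

# valid_ipv4 ADDR: true only for a dotted quad with every octet in 0-255.
# Anything else (spaces, ';', extra '-x' words) is refused before it can reach argv.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# valid_mac ADDR: six hex pairs separated by ':' or '-', the usual Calling-Station-Id form.
valid_mac() {
    case "$1" in
        ??:??:??:??:??:??|??-??-??-??-??-??) ;;
        *) return 1 ;;
    esac
    _hex=$(printf '%s' "$1" | sed 's/[-:]//g')
    case "$_hex" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#_hex}" -eq 12 ]
}

# lookup_secret NAS_IP [FILE]: print the secret for NAS_IP, or nothing if unknown.
# The address goes in via -v so it is data to awk, never part of the program text.
lookup_secret() {
    awk -v ip="$1" '$1 == ip { print $2; exit }' "${2:-$COA_SECRETS_FILE}"
}

# coa_attrs MAC: the attribute list radclient reads on stdin; the MAC is quoted
# so radclient parses it as a single string value.
coa_attrs() {
    printf 'Calling-Station-Id := "%s"\n' "$1"
    printf 'Aruba-Port-Bounce-Host := 5\n'
}

# demo_secrets_file: write a constructed secrets file (sample data, not real NASes)
# and print its path, so the functions above can be exercised offline.
demo_secrets_file() {
    _f=$(mktemp) || return 1
    printf '%s\n' '192.0.2.10 s3cr3t-nas-a' '192.0.2.11 s3cr3t-nas-b' > "$_f"
    printf '%s\n' "$_f"
}

# send_disconnect NAS_IP MAC [SECRETS_FILE]: validate, resolve the secret, then send a
# Disconnect-Request to NAS_IP:3799. Exit codes: 2 bad input, 3 no secret, 4 no radclient.
send_disconnect() {
    nas=$1 mac=$2 secrets=${3:-$COA_SECRETS_FILE}
    valid_ipv4 "$nas" || { echo "refusing: bad NAS-IP-Address '$nas'" >&2; return 2; }
    valid_mac "$mac"  || { echo "refusing: bad Calling-Station-Id '$mac'" >&2; return 2; }
    secret=$(lookup_secret "$nas" "$secrets")
    [ -n "$secret" ] || { echo "no CoA secret configured for $nas" >&2; return 3; }
    command -v radclient >/dev/null 2>&1 || { echo "radclient not installed" >&2; return 4; }
    # mktemp creates the file mode 0600; -S keeps the secret out of `ps` output.
    tmp=$(mktemp) || return 5
    printf '%s\n' "$secret" > "$tmp"
    coa_attrs "$mac" | radclient -s -S "$tmp" "$nas:3799" disconnect
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Invoked from rlm_exec as: punchdhcp.sh <NAS-IP-Address> <Calling-Station-Id> [secrets-file]
if [ "$#" -ge 2 ]; then
    send_disconnect "$@"
fi
```

rlm_exec with the default shell_escape does not start a shell, so the injection surface is not the FreeRADIUS side; it is this script, where the values turn into radclient's argv and stdin. The secrets file should be owned by the radiusd user with mode 0600, and radclient's own -i/-x options can be added without changing the validation above.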

More information about the Freeradius-Users mailing list