Proxy CoA packet from network control to NAS (same as CoA server) configs in case of many many NASes.

Sergey Komarov sergey.komaroff at gmail.com
Fri Jul 17 15:15:56 CEST 2015


Hello Alan,


On Fri, Jul 17, 2015 at 3:26 PM, Alan DeKok <aland at deployingradius.com>
wrote:


>   Are you sure you're running 3.0.9?  Because that code was buggy in 3.0.8.
>

Yes, I'm using 3.0.9: FreeRADIUS Version 3.0.9, for host
x86_64-unknown-linux-gnu, built on Jul 14 2015 at 19:39:49
Linux version 2.6.32-504.el6.x86_64 (mockbuild at c6b9.bsys.dev.centos.org)
(gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Oct 15
04:27:16 UTC 2014


>   And the code to proxy based on Packet-Dst-IP-Address is the *same* for
> normal packets, and for CoA packets.  So please try it for authentication
> packets.  If it works there and not for CoA... something is wrong with your
> system.  Make sure to install (and use) 3.0.9.
>
>   If Packet-Dst-IP-Address doesn't work for authentication packets, then
> there's something magically broken about the code.
>
>   Try to come up with a simple example which we can add to the unit test
> framework...
>
>
(7) Received Access-Request Id 82 from 10.56.33.174:32770 to 10.1.1.174:1812
length 267
(7)   User-Name = "84-8e-df-ea-e9-62"
(7)   Called-Station-Id = "44-ad-d9-f1-9b-10:SSIDNAME"
(7)   Calling-Station-Id = "84-8e-df-ea-e9-62"
(7)   NAS-Port = 1
(7)   NAS-IP-Address = 10.56.33.174
(7)   NAS-Identifier = "WLC2504"
(7)   Airespace-Wlan-Id = 1
(7)   User-Password = "xxxxxx"
(7)   Service-Type = Call-Check
(7)   Framed-MTU = 1300
(7)   NAS-Port-Type = Wireless-802.11
(7)   Tunnel-Type:0 = VLAN
(7)   Tunnel-Medium-Type:0 = IEEE-802
(7)   Tunnel-Private-Group-Id:0 = "63"
(7)   Cisco-AVPair = "audit-session-id=0a3821ae000023bd55a8fab6"
(7)   Acct-Session-Id = "55a8fab6/84:8e:df:ea:e9:62/9166"
(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(7)   authorize {
............. sql queries and checks skipped ............
(7)          --> 1
(7)         case 1 {
(7)           update reply {
(7)             Cisco-AVPair += "url-redirect-acl=acl"
(7)             EXPAND url-redirect=http://login.domain...
(7)                --> url-redirect=http://login.domain
(7)             Cisco-AVPair += url-redirect=http://login.domain
(7)             Packet-Dst-IP-Address := 10.56.33.190  <------------ here I
just override the real NAS IP with another NAS fixed address (it is present in
clients too)
(7)           } # update reply = noop
(7)           update control {
(7)             Auth-Type := Accept
(7)           } # update control = noop
(7)         } # case 1 = noop
(7)       } # switch %{sql:select state from radiusdb.radcheck where
username='%{Calling-Station-Id}'} = noop
(7)     } # else = noop
(7)   } # authorize = noop
(7) Found Auth-Type = Accept
(7) Auth-Type = Accept, accepting the user
(7) Sent Access-Accept Id 82 from 10.1.1.174:1812 to 10.56.33.174:32770
length 0   <-------- here looks like override ignored
(7)   Cisco-AVPair += "url-redirect-acl=acl"
(7)   Cisco-AVPair += "url-redirect=
http://login.wi-fi.ru/am/UI/Login?org=mac&service=coa&client_mac=84-8e-df-ea-e9-62&ForceAuth=true
"
(7) Finished request

FreeRADIUS still sends to the NAS IP instead of my override IP. So it doesn't
matter whether it is in the CoA or the authorize section, it is the same behavior: FreeRADIUS
ignores the NAS IP override via Packet-Dst.

Could you please check a simple scenario: just try to override
Packet-Dst-IP-Address and then also override Packet-Dst-Port?


Best Regards, Sergey Komaroff
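When chasing a report like this one, it helps to compare, per request, the destination FreeRADIUS actually replied to against the Packet-Dst-IP-Address / Packet-Dst-Port override that appeared in the same request's debug trace. The checker below is an added example and is not part of this thread or of FreeRADIUS; it assumes the `radiusd -X` line layout visible above (`(N) Received ... from SRC to DST`, `(N)   Packet-Dst-IP-Address := ...`, `(N) Sent ... from DST to SRC`) with each message on a single line, and the sample trace is constructed, with request 8 invented to show what an honored override would look like.

```python
"""Check whether Packet-Dst-IP-Address / Packet-Dst-Port overrides seen in a
radiusd -X trace were honored in the corresponding 'Sent' line.

Added example for illustration; the line formats are assumed from the debug
output quoted in the thread, and the SAMPLE trace below is constructed."""
import re
from collections import defaultdict

# Request number, packet type, Id, source host:port, destination host:port.
RECV_RE = re.compile(r'^\((\d+)\)\s+Received\s+(\S+)\s+Id\s+(\d+)\s+from\s+(\S+)\s+to\s+(\S+)')
SENT_RE = re.compile(r'^\((\d+)\)\s+Sent\s+(\S+)\s+Id\s+(\d+)\s+from\s+(\S+)\s+to\s+(\S+)')
# An unlang 'update' line assigning the override (trailing annotations are ignored).
OVERRIDE_RE = re.compile(r'^\((\d+)\)\s+Packet-Dst-(IP-Address|Port)\s*:=\s*(\S+)')

# Constructed sample: request 7 mirrors the thread (override ignored),
# request 8 is a hypothetical CoA proxy where both overrides were honored.
SAMPLE = """\
(7) Received Access-Request Id 82 from 10.56.33.174:32770 to 10.1.1.174:1812 length 267
(7)   User-Name = "84-8e-df-ea-e9-62"
(7)             Packet-Dst-IP-Address := 10.56.33.190
(7) Sent Access-Accept Id 82 from 10.1.1.174:1812 to 10.56.33.174:32770 length 0
(7) Finished request
(8) Received CoA-Request Id 12 from 10.1.1.200:3799 to 10.1.1.174:3799 length 40
(8)             Packet-Dst-IP-Address := 10.56.33.190
(8)             Packet-Dst-Port := 1700
(8) Sent CoA-Request Id 12 from 10.1.1.174:3799 to 10.56.33.190:1700 length 40
(8) Finished request
"""


def check_overrides(lines):
    """Return {request_no: {expected, actual, overridden, honored}} for every
    request that has both a 'Received' and a 'Sent' line in the trace."""
    reqs = defaultdict(lambda: {"received_from": None, "overrides": {}, "sent_to": None})
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            reqs[m.group(1)]["received_from"] = m.group(4)
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            reqs[m.group(1)]["overrides"][m.group(2)] = m.group(3)
            continue
        m = SENT_RE.match(line)
        if m:
            reqs[m.group(1)]["sent_to"] = m.group(5)

    results = {}
    for rid, r in reqs.items():
        if r["received_from"] is None or r["sent_to"] is None:
            continue  # incomplete request in the trace; nothing to compare
        # Default destination is the packet's source; each override replaces one half.
        src_ip, src_port = r["received_from"].rsplit(":", 1)
        exp_ip = r["overrides"].get("IP-Address", src_ip)
        exp_port = r["overrides"].get("Port", src_port)
        expected = f"{exp_ip}:{exp_port}"
        results[rid] = {
            "expected": expected,
            "actual": r["sent_to"],
            "overridden": bool(r["overrides"]),
            "honored": expected == r["sent_to"],
        }
    return results


def report(lines):
    """Human-readable summary, one line per request with an override."""
    out = []
    for rid, res in sorted(check_overrides(lines).items(), key=lambda kv: int(kv[0])):
        if not res["overridden"]:
            continue
        status = "honored" if res["honored"] else "IGNORED"
        out.append(f"request {rid}: expected {res['expected']}, sent to {res['actual']} -> {status}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE.splitlines()))
```

Run it against a saved `radiusd -X` capture instead of `SAMPLE` (for example `check_overrides(open("debug.log").read().splitlines())`); any request reported as IGNORED is one where the override appeared in the trace but the reply still went to the packet's original source, which is exactly the symptom described above.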
