Filtering out Proxy-State in COA to fix broken Cisco NAS

Alan DeKok aland at
Fri Aug 10 14:12:35 CEST 2018

On Aug 8, 2018, at 9:19 PM, Fraser McGlinn <fraser at> wrote:
> Trying to get COA proxying working with a Cisco NAS. Unfortunately they have a broken implementation where if Proxy-State is in the request it drops it.

  That's based on a naive reading of RFC 5176.  Happily, my new draft clarifies this.  It should be an RFC this year:

> I dug and found this old thread implying that we can filter out Proxy-State in attr_filter, however i've had some issues getting this working. Although this was relevant to freeradius 2x, i'm running 3.0.16.
> Any other ways to achieve this? Hoping someone can point me in the right direction.

  You can delete the Proxy-State attribute in the "pre-proxy" section:

pre-proxy {
	update proxy-request {
		Proxy-State !* ANY

  Hope that helps.

  Alan DeKok.

More information about the Freeradius-Users mailing list