Filtering out Proxy-State in COA to fix broken Cisco NAS

Fraser McGlinn fraser at frizianz.com
Mon Aug 13 09:56:26 CEST 2018


Thanks Alan, that helps a lot. Great info in that draft RFC.

On 2018-08-10 22:12, Alan DeKok wrote:
> On Aug 8, 2018, at 9:19 PM, Fraser McGlinn <fraser at frizianz.com> wrote:
>> 
>> Trying to get COA proxying working with a Cisco NAS. Unfortunately 
>> they have a broken implementation where if Proxy-State is in the 
>> request it drops it.
> 
>   That's based on a naive reading of RFC 5176.  Happily, my new draft
> clarifies this.  It should be an RFC this year:
> 
> https://tools.ietf.org/html/draft-ietf-radext-coa-proxy-03
> 
>> I dug and found this old thread 
>> http://lists.freeradius.org/pipermail/freeradius-users/2012-April/060456.html 
>> implying that we can filter out Proxy-State in attr_filter, however 
>> i've had some issues getting this working. Although this was relevant 
>> to freeradius 2x, i'm running 3.0.16.
>> 
>> Any other ways to achieve this? Hoping someone can point me in the 
>> right direction.
> 
>   You can delete the Proxy-State attribute in the "pre-proxy" section:
> 
> pre-proxy {
> 	...
> 	update proxy-request {
> 		Proxy-State !* ANY
> 	}
> 	...
> }
> 
>   Hope that helps.
> 
>   Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list