CoA Over TLS (radsec) Support

Yusuf Güngör 1yusufgungor at
Tue Jan 9 16:42:15 CET 2018

Hi Alan,

Thanks for the quick reply.

We have APs which located at different locations. APs are behind nat.

Clients authenticated over cloud radius server. But the radius server can
not make CoA requests to APs if there is not firewall rules exist. For some
reason we can not add firewall rules to forward CoA port to APs.

Using the same TLS connection is not a must for us if there exists any
other methods to send CoA requests to APs.

So, can we use freeradius as proxy to achieve this purpose?


9 Oca 2018 6:09 PM tarihinde "Alan DeKok" <aland at> yazdı:

On Jan 9, 2018, at 9:43 AM, Yusuf Güngör <1yusufgungor at> wrote:
> Radius clients who are behind NAT can successfully initiate traffic to
> radius server over freeradius proxy.
> Can radius server initiate traffic for CoA requests to clients which are
> behind NAT over freeradius (via already established TLS connection with
> clients) ?

  No.  There is no standard specification for this behaviour.  No RADIUS
server *or* NAS supports it.

> Does freeradius support CoA-Requests over tls? (RFC 3576 - RFC 5176)

  According to the docs and config files... yes.

> I have found a similar question which sent to mail list at 2014. (
> )
> Can i learn if it is not supported still?

  Feel free to send patches.

  But the larger question is why?  And what NAS supports this?

  You can add this to FreeRADIUS all you want, but nothing else supports
it.  So it's a cute idea, but utterly useless in practice.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list