CoA Over TLS (radsec) Support

Alan DeKok aland at
Tue Jan 9 16:57:04 CET 2018

On Jan 9, 2018, at 10:42 AM, Yusuf Güngör <1yusufgungor at> wrote:
> We have APs which located at different locations. APs are behind nat.

  That's nice... you already said that.

> Clients authenticated over cloud radius server. But the radius server can
> not make CoA requests to APs if there is not firewall rules exist. For some
> reason we can not add firewall rules to forward CoA port to APs.

  Yes, that's what the email was about.  Why are you saying it again?

> Using the same TLS connection is not a must for us if there exists any
> other methods to send CoA requests to APs.

  Use IPSec.

> So, can we use freeradius as proxy to achieve this purpose?


  This isn't a FreeRADIUS problem.  It's a networking problem.  You can't route packets to clients behind a NAT.  No amount of poking the RADIUS server will change that.  Because RADIUS doesn't do routing.  It does RADIUS.

  Use IPSec between the NAS and RADIUS server.  You've then solved the routing problem, and RADIUS can use normal network routing to get packets from A to B.

  i.e. if you deploy a broken network, don't try to fix it with RADIUS.  Fix the network.  RADIUS will then work.

  Alan DeKok.

More information about the Freeradius-Users mailing list