global/wildcard config for COA server?

Alan DeKok aland at
Sun Dec 15 01:09:56 CET 2019

On Dec 14, 2019, at 6:54 PM, P. R.M. <romero619 at> wrote:
> I need to configure freeradius so that it will send COA/disconnect messages to a given NAS using a 'global COA configuration' for COA-related settings such as port #, shared secret, retransmit, etc., yet without having to hard-code the IP address of the NAS within a home_server section (in a similar way to how a client can be setup with wildcard host/network address).  I tried using a wildcard IP address within a home_server configuration, but it doesn't work; I received a "Wildcard '*' addresses are not permitted for home servers" error.

  Yes.  That's not supported, unfortunately.

> According to the documentation, freeradius will supposedly try to send a COA/disconnect message to the same NAS that sent the original RADIUS request. However, in practice, it doesn't work; it produces an error "Unknown destination {IP:PORT} for CoA request." since it cannot match the NAS to an existing home_server config.  So, even though it auto-detects the target for the COA packet, it's not very useful in situations where you need a wildcard "open-to-any-client" setup.

  We don't recommend that, either.  It's supported, but is generally less than optimal.

> Ideally, it would be useful to have freeradius respond to a given client/NAS using the same 'shared secret' that was used to connect to that particular client (even if the client is configured with a wildcard IP), and/or perhaps also global configuration for the other COA settings (UDP port # and the retransmit settings). At the very least, a wildcard IP address for a COA home_server config would be very helpful.

  The issue is not just a wildcard address.  The issue is that the shared secret changes for each destination address.  And in v3, the home servers are static.  It's difficult to add them at run time.

> Is there already a way to set something like this up? Or, is it possible via a work-around? If not, can this be put in as a feature request?

  If it's a minor change to v3, perhaps.  Otherwise it will have to wait until v4.

  In the short term, you can always run "radclient" to send CoA packets.  It's imperfect, but it definitely works.

  Alan DeKok.

More information about the Freeradius-Users mailing list