[EXT] Multiple NAS ips in home_server for COA packets

Alan DeKok aland at deployingradius.com
Thu Apr 7 15:31:52 UTC 2022

On Apr 7, 2022, at 10:58 AM, Brian Julin <BJulin at clarku.edu> wrote:
> That's been a longstanding limitation of originate_coa.  In many deployments
> a common secret is not used and the NAS data is taken from a flat file or database.
> IIRC there may be support for doing corresponding home server definitions like this.
> Possibly this will be enhanced in FreeRADIUS4 since ISTR talk of a dynamic home server
> mechanism and this feature could potentially be a beneficiary of that.

  Given that we have 3.2.x now, it would be useful to add *small* changes to support this functionality.  Even allowing a network/mask for CoA "home_server" definitions would help a lot.

  Allowing for custom shared secrets would be harder, unfortunately.

> It is indeed a pain to have to sync up records on other systems every time you add
> move or change a NAS when you have hundreds of them.   If you have the time to
> tool that into your NAS onboarding procedure it's a lot less painful, but then
> you have to maintain that tooling over the long term.

  It's likely not too hard to add functionality which gets the "CoA" fields from SQL.  That just has to have a schema / queries defined, and maybe 100 lines of code.

> Note that, depending on the NAS, CoA can often use a different secret and/or be
> entirely different servers than the one that took the auth+acct, as long as they get the
> session ID from accounting.  So there are two workaround options: generate the CoA from
> a shelled out script instead, or relay to a 3rd party product which can usually send CoAs
> directly to the NAS.  (If this is HPEAruba, there's a special nuanced trick to that.)

  See also sites-available/coa-relay, which makes it much easier to send coa / disconnect packets to a NAS.  You don't even need to know where the user is, the virtual server figures it out.

  Alan DeKok.

More information about the Freeradius-Users mailing list