Hello list,

I run a very simple architecture for broadband access with 2 routers, 2 RADIUS
proxies and 2 RADIUS home servers. On the side of this architecture I run a
homemade script that sends PoD directly to the two routers and everything works
fine.

I would like to change the direct access to the routers and have all my RADIUS
messages go through the 2 proxies, including the PoD. I have upgraded to 2.1.12
because of a bug in CoA proxying, and now the PoD are handled correctly and
sent to the routers through the proxy!

But there is a problem: the two Cisco routers don't support the Proxy-State
attribute and send me a very clear message:

    fgabut@savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234
    Sending Disconnect-Request of id 138 to a.b.c.d port 3799
    NAS-IP-Address = x.x.x.x
    User-Name = "[email protected]"
    rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, length=47
    Reply-Message = "No Matching Session"
    Error-Cause = Invalid-Request

The debug message I have on the router is:

    Apr 28 23:42:29.980: POD: a.b.c.d Unsupported attribute type 33 for component
    Apr 28 23:42:29.980: POD: a.b.c.d user [email protected] 0.0.0.0 sessid 0x0 key 0x0 DROPPED
    Apr 28 23:42:29.980: POD: Added Reply Message: No Matching Session
    Apr 28 23:42:29.980: POD: Added NACK Error Cause: Invalid Request
    Apr 28 23:42:29.980: POD: Sending NAK from port 1700 to a.b.c.d/1814

I can't find any option to not use attribute 33 (Proxy-State) in the
process of matching the session on the router. So I guess the only solution
left is to filter the Proxy-State directly on the exit of the RADIUS proxy.

RFC 3576 states that:

    When using a forwarding proxy, the proxy must be able to alter the
    packet as it passes through in each direction. When the proxy
    forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
    Attribute, and when the proxy forwards a response, it MUST remove
    its Proxy-State Attribute if it added one.

So I was wondering if there is any option to disable adding the Proxy-State
attribute when the RADIUS server proxies a CoA request? I think that the
usual attr filter method won't fit there.

Thanks in advance,
Best regards,
--
Frederic Gabut-Deloraine
Network Engineer
NEO TELECOMS - AS8218
21 rue La Boetie
75008 Paris
Tel : +33 1.49.97.07.47
Mob : +33 6.15.07.10.30
skype : fgabutdeloraine
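
What filtering Proxy-State on the way out of a proxy involves at the packet level, as an added example that is not part of the original post and is not FreeRADIUS code: the Request Authenticator of a Disconnect-Request or CoA-Request covers the attributes, so after attribute 33 is removed the Length must be rewritten and the packet re-signed with the shared secret of the next hop. The function names, secrets and sample attribute values are constructed, and the sketch assumes the request carries no Message-Authenticator attribute.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 3576 packet codes
PROXY_STATE = 33                           # attribute type the router log rejects

def sign_request(code, ident, attrs, secret):
    """Encode a request; authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse(packet):
    """Return (code, ident, authenticator, [(type, value), ...]), rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def verify(packet, secret):
    """Check the Request Authenticator in constant time."""
    code, ident, auth, attrs = parse(packet)
    return hmac.compare_digest(sign_request(code, ident, attrs, secret)[4:20], auth)

def strip_proxy_state(packet, in_secret, out_secret):
    """Verify a Disconnect/CoA-Request, drop Proxy-State, re-sign for the next hop."""
    code, ident, _, attrs = parse(packet)
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a Disconnect-Request or CoA-Request")
    if not verify(packet, in_secret):
        raise ValueError("Request Authenticator mismatch")
    kept = [(t, v) for t, v in attrs if t != PROXY_STATE]
    return sign_request(code, ident, kept, out_secret)

if __name__ == "__main__":
    # Constructed sample: NAS-IP-Address, User-Name, Proxy-State; secrets are made up.
    sample = [(4, bytes([192, 0, 2, 1])), (1, b"user@example.net"), (33, b"\x00\x01")]
    pkt = sign_request(DISCONNECT_REQUEST, 138, sample, b"proxy-secret")
    out = strip_proxy_state(pkt, b"proxy-secret", b"nas-secret")
    print(len(pkt), "->", len(out), [t for t, _ in parse(out)[3]], verify(out, b"nas-secret"))
```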