Frédéric Gabut-Deloraine wrote:
> But there is a problem : the two cisco routers don't support the Proxy-State 
> attribute and send me a very clear message :

  The router shouldn't support Proxy-State.  They don't need to.

  But they shouldn't *drop* the packet when they receive a Proxy-State
attribute.

> fgabut@savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234
> Sending Disconnect-Request of id 138 to a.b.c.d port 3799
>       NAS-IP-Address = x.x.x.x
>       User-Name = "x...@nautile.nc"
> rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, length=47
>       Reply-Message = "No Matching Session"
>       Error-Cause = Invalid-Request

  And there's no Proxy-State attribute there, or *ANY OTHER* session
information.  What is this command supposed to test?

> I can't find any option to not use the attribute 33 (Proxy-State) in the 
> process of matching the session on the router. So I guess the only solution 
> left is to filter the Proxy-State directly on the exit of the radius proxy.

  See the "attr_filter" module.

> The RFC3576 states that :
> 
>       When using a forwarding proxy, the proxy must be able to alter the
>       packet as it passes through in each direction.  When the proxy
>       forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
>       Attribute, and when the proxy forwards a response, it MUST remove
>       its Proxy-State Attribute if it added one. 

  That has been replaced by RFC 5176.  Which has similar text.

> So I was wondering if there were any option to disable the add of the 
> attribute Proxy-State when the radius server proxyfies a CoA request ? I 
> think that the usual attr filter method won't fit there.

  No.  But you can delete it before the packet is sent.  See "attr_filter".

  My $0.02 is to file a bug with Cisco, and tell them that their
software is broken.  RFC 5176 Section 3.1 says that the NAS is supposed
to echo back Proxy-State from the request to the reply.  Discarding the
packet means that this is impossible.

  The Cisco NAS is violating the RFCs.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to