Frédéric Gabut-Deloraine wrote: > But there is a problem : the two cisco routers don't support the Proxy-State > attribute and send me a very clear message :
The router shouldn't support Proxy-State. They don't need to. But they shouldn't *drop* the packet when they receive a Proxy-State attribute. > fgabut@savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234 > Sending Disconnect-Request of id 138 to a.b.c.d port 3799 > NAS-IP-Address = x.x.x.x > User-Name = "x...@nautile.nc" > rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, length=47 > Reply-Message = "No Matching Session" > Error-Cause = Invalid-Request And there's no Proxy-State attribute there, or *ANY OTHER* session information. What is this command supposed to test? > I can't find any option to not use the attribute 33 (Proxy-State) in the > process of matching the session on the router. So I guess the only solution > left is to filter the Proxy-State directly on the exit of the radius proxy. See the "attr_filter" module. > The RFC3576 states that : > > When using a forwarding proxy, the proxy must be able to alter the > packet as it passes through in each direction. When the proxy > forwards a Disconnect or CoA-Request, it MAY add a Proxy-State > Attribute, and when the proxy forwards a response, it MUST remove > its Proxy-State Attribute if it added one. That has been replaced by RFC 5176. Which has similar text. > So I was wondering if there were any option to disable the add of the > attribute Proxy-State when the radius server proxyfies a CoA request ? I > think that the usual attr filter method won't fit there. No. But you can delete it before the packet is sent. See "attr_filter". My $0.02 is to file a bug with Cisco, and tell them that their software is broken. RFC 5176 Section 3.1 says that the NAS is supposed to echo back Proxy-State from the request to the reply. Discarding the packet means that this is impossible. The Cisco NAS is violating the RFCs. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html