Le 29 avr. 2012 à 09:05, Alan DeKok a écrit : > Frédéric Gabut-Deloraine wrote: >> But there is a problem : the two cisco routers don't support the Proxy-State >> attribute and send me a very clear message : > > The router shouldn't support Proxy-State. They don't need to. > > But they shouldn't *drop* the packet when they receive a Proxy-State > attribute.
They don't drop the packet but consider the request as an "Invalid-Request" and return a Disconnect-NAK as shown below : > >> fgabut@savon:~$ cat toto | radclient -x a.b.c.d:3799 disconnect toto1234 >> Sending Disconnect-Request of id 138 to a.b.c.d port 3799 >> NAS-IP-Address = x.x.x.x >> User-Name = "[email protected]" >> rad_recv: Disconnect-NAK packet from host a.b.c.d port 3799, id=138, >> length=47 >> Reply-Message = "No Matching Session" >> Error-Cause = Invalid-Request > > And there's no Proxy-State attribute there, or *ANY OTHER* session > information. What is this command supposed to test? That was supposed to show the "Invalid-Request" answer from the router. > >> I can't find any option to not use the attribute 33 (Proxy-State) in the >> process of matching the session on the router. So I guess the only solution >> left is to filter the Proxy-State directly on the exit of the radius proxy. > > See the "attr_filter" module. > >> The RFC3576 states that : >> >> When using a forwarding proxy, the proxy must be able to alter the >> packet as it passes through in each direction. When the proxy >> forwards a Disconnect or CoA-Request, it MAY add a Proxy-State >> Attribute, and when the proxy forwards a response, it MUST remove >> its Proxy-State Attribute if it added one. > > That has been replaced by RFC 5176. Which has similar text. > >> So I was wondering if there were any option to disable the add of the >> attribute Proxy-State when the radius server proxyfies a CoA request ? I >> think that the usual attr filter method won't fit there. > > No. But you can delete it before the packet is sent. See "attr_filter". Ok, I thought that attr_filter wouldn't help me because I thought that Proxy-State was added just before going on the wire. I have tried briefly and gave up. I'll try again. > My $0.02 is to file a bug with Cisco, and tell them that their > software is broken. RFC 5176 Section 3.1 says that the NAS is supposed > to echo back Proxy-State from the request to the reply. Discarding the > packet means that this is impossible. > > The Cisco NAS is violating the RFCs. I totally agree, however it's often easier to fix the origin of the bug than the bug itself with network vendors ;-). -- Frederic Gabut-Deloraine Network Engineer NEO TELECOMS - AS8218 21 rue La Boetie 75008 Paris Tel : +33 1.49.97.07.47 Mob : +33 6.15.07.10.30 skype : fgabutdeloraine - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
