Re: CoA proxying again
Johan Meiring wrote: This would essentially automatically add a coa home server for the client?? If it was configured, yes. This would also be a GREAT feature for me. How far is 3.0 off? I keep saying a month or two... 2.12 (or 2.13) maybe? Ideally, no. New features are hard to do for 2.1.x. Alan DeKok - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CoA proxying again
Hello,
I am trying to setup CoA proxying to a number of Juniper MXes. These
are a bit clumsy to configure as CoA servers: The CoA clients cannot be
configured explicitly. Instead they reuse the auth/acct configuration,
including secret, for CoA clients.
So I have a few hundred CoA servers (NASes), and 3 radius servers
authorized as CoA clients. Using FreeRADIUS to proxy CoA requests from
ther real CoA clients looks like a perfect solution.
My problem is that the configuration seems a bit clumsy, given that I
cannot really change neither IP address nor secret from what's already
there in the FreeRADIUS client definition. It would have been ideal to
just add a flag or whatever, saying that this client is also a CoA
server, and allowing direct proxy to it using some virtual attribute.
My current working configuration requires a separate static home_server
and home_server_pool definition pointing to it for *each* NAS, as the
only way I've found to redirect the CoA packets is by setting
Home-Server-Pool.
The documentation talks about Proxy-To-Realm as well, but I've been
unable to find any parameter allowing me to configure a realm for
CoA. realms only have auth{_pool,host} and acct{_pool,host} AFAICT.
The per client CoA configuration doesn't look like anything I can use at
all. If I understand it correctly, that's only for the *CoA clients*.
Is this a correct view of the current (2.1.x) state of CoA proxying, or
did I miss something?
I believe I saw a request for dynamic home servers recently. Looks like
that might be something for me as well.
Bjørn
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CoA proxying again
Bjørn Mork wrote:
I am trying to setup CoA proxying to a number of Juniper MXes. These
are a bit clumsy to configure as CoA servers: The CoA clients cannot be
configured explicitly. Instead they reuse the auth/acct configuration,
including secret, for CoA clients.
Hmmm... no. Clients are global across *all* listen sockets. If
you want clients tied to a particular socket (auth/acct/coa), see the
clients entry in the listen section. This is documented in
radiusd.conf.
So I have a few hundred CoA servers (NASes), and 3 radius servers
authorized as CoA clients. Using FreeRADIUS to proxy CoA requests from
ther real CoA clients looks like a perfect solution.
My problem is that the configuration seems a bit clumsy, given that I
cannot really change neither IP address nor secret from what's already
there in the FreeRADIUS client definition. It would have been ideal to
just add a flag or whatever, saying that this client is also a CoA
server, and allowing direct proxy to it using some virtual attribute.
Hmm.. so that would re-use the normal client IP shared secret for
CoA servers?
My current working configuration requires a separate static home_server
and home_server_pool definition pointing to it for *each* NAS, as the
only way I've found to redirect the CoA packets is by setting
Home-Server-Pool.
Yeah... that's a bit awkward.
The documentation talks about Proxy-To-Realm as well, but I've been
unable to find any parameter allowing me to configure a realm for
CoA. realms only have auth{_pool,host} and acct{_pool,host} AFAICT.
Yeah, you can't proxy to a CoA realm.
The per client CoA configuration doesn't look like anything I can use at
all. If I understand it correctly, that's only for the *CoA clients*.
Yes.
Is this a correct view of the current (2.1.x) state of CoA proxying, or
did I miss something?
It's pretty much correct.
I believe I saw a request for dynamic home servers recently. Looks like
that might be something for me as well.
Maybe. Or, having less work to say this client can also receive CoA
requests.
That might be easy to add for 3.0.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CoA proxying again
Alan DeKok al...@deployingradius.com writes: Bjørn Mork wrote: My problem is that the configuration seems a bit clumsy, given that I cannot really change neither IP address nor secret from what's already there in the FreeRADIUS client definition. It would have been ideal to just add a flag or whatever, saying that this client is also a CoA server, and allowing direct proxy to it using some virtual attribute. Hmm.. so that would re-use the normal client IP shared secret for CoA servers? Yes, that would Just Work. Is this a correct view of the current (2.1.x) state of CoA proxying, or did I miss something? It's pretty much correct. I believe I saw a request for dynamic home servers recently. Looks like that might be something for me as well. Maybe. Or, having less work to say this client can also receive CoA requests. That might be easy to add for 3.0. Thanks for the encouraging answer. Such a feature would probably be useful for other types of NASes with CoA servers as well. Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CoA proxying again
On 2011/09/06 06:50 PM, Alan DeKok wrote: I believe I saw a request for dynamic home servers recently. Looks like that might be something for me as well. Maybe. Or, having less work to say this client can also receive CoA requests. This would essentially automatically add a coa home server for the client?? That might be easy to add for 3.0. +1 This would also be a GREAT feature for me. How far is 3.0 off? 2.12 (or 2.13) maybe? -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
