Hi Harshit,
On 23.11.20, 08:03, "Harshit Jain" <hjain(a)arista.com> wrote:
> Regarding proxying of CoA/Disconnect messages, I was thinking we could look at
> NAS-IP-Address/NAS-IPv6-Address present in the CoA/Disconnect request to determine where
> to proxy the request. I am not entirely sure if this will work for clients/servers
> configured with a domain name (FQDN) though as it might get resolved to multiple IP
> addresses.
> Were you referring to this when you mentioned that there was no concise way to determine
> where to proxy the requests? Can you elaborate a little on this?

Yes exactly. I mostly have the use-case for federated WPA-enterprise wifi access in mind
(as that's what radsecproxy was designed for). There, the presence of NAS-IP-Address
attribute is not guaranteed, and even if it is present, you might often see some local
(RFC1918) IP address in there.
However, I noticed that the RFC5176 got an update with RFC 8559
[https://tools.ietf.org/html/rfc5176] which tackles exactly this issue. Haven't looked
at it in detail though.
Regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
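
Added example, not part of the original messages and not radsecproxy code: a sketch of the NAS-IP-Address/NAS-IPv6-Address lookup discussed above, showing the cases where it gives no usable proxy target (attribute absent, RFC 1918 address, more than one configured client matching). The `CLIENTS` table, its host names and addresses, and the function names are constructed for illustration.

```python
import ipaddress
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # RFC 5176 packet codes
NAS_IP_ADDRESS, NAS_IPV6_ADDRESS = 4, 95   # RADIUS attribute types
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ip = ipaddress.ip_address
# Constructed client table: configured name -> every address it resolved to.
CLIENTS = {"nas-a.example.net": {ip("192.0.2.10")},
           "nas-b.example.net": {ip("192.0.2.20"), ip("192.0.2.21")},
           "nas-c.example.net": {ip("192.0.2.21")}}

def build_packet(code, attrs, ident=1):
    """Constructed sample: 20-byte header (zeroed authenticator) + TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def nas_addresses(packet):
    """Return NAS-IP-Address / NAS-IPv6-Address values of a CoA/Disconnect request."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed CoA/Disconnect request")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if (atype, len(value)) in ((NAS_IP_ADDRESS, 4), (NAS_IPV6_ADDRESS, 16)):
            found.append(ip(value))
        pos += alen
    return found

def route_hint(packet, clients=CLIENTS):
    """Return ("proxy", client_name) or ("unroutable", reason)."""
    addrs = nas_addresses(packet)
    if not addrs:
        return ("unroutable", "no NAS address attribute")
    for addr in addrs:
        if addr.version == 4 and any(addr in net for net in RFC1918):
            return ("unroutable", f"{addr} is an RFC 1918 address")
    matches = sorted(n for n, ips in clients.items() if any(a in ips for a in addrs))
    if len(matches) == 1:
        return ("proxy", matches[0])
    return ("unroutable", f"{len(matches)} configured clients match")
```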