Processing Dynamic Authorization (CoA/DM) Messages as a Proxy Server

When you configure SBRC as a proxy server, all authentication and accounting requests are forwarded from an upstream device (usually a NAS client) to a downstream device (the proxy target). For CoA/DM functionality, the direction is reversed: unsolicited CoA/DM messages originate at the proxy target and are routed back to the NAS client that created the session. SBRC as a proxy server listens for these unsolicited CoA/DM messages on a configurable UDP port and creates the associated threads to handle them.

SBRC processes proxied CoA/DM requests in much the same way as proxied authentication or accounting requests. It checks the packet for duplicates, verifies the shared secret of the sender (which must match the configured proxy target), verifies the attributes, determines the upstream device from the NAS-Identifier or NAS-IP-Address and Acct-Session-Id attributes in the request, and then sends the proxied request to that upstream device. When a response to a proxied CoA/DM request is received, it is matched with the outstanding proxy request and forwarded to the originating device.

Attributes and CoA/DM Forwarding Methods

Attribute filtering and script support can be configured to apply to forwarded CoA/DM requests. To enable forwarding of incoming CoA/DM requests to the upstream device that originated the session, a field in the Current Sessions Table (CST), Sbr_NasClientName, associates a session record with the name of the client that created the session. The Sbr_NasClientName field is disabled by default; to enable it, add it to the CST. SBRC uses the attribute Funk-NAS-Identifier to refer to the Sbr_NasClientName field.

SBRC can use one of three methods to forward a received proxy CoA/DM request.

  • Method 1—SBRC checks the Current Sessions Table (CST) for a session matching the received attributes (either NAS-Identifier or NAS-IP-Address plus Acct-Session-Id) and forwards the request to the NAS named in the Sbr_NasClientName field. This is the default setting.
  • Method 2—SBRC forwards the request directly to the configured client that matches either the NAS-IP-Address or NAS-Identifier attribute in the received proxy CoA/DM request.
  • Method 3—This is a combination of methods 1 and 2. If a matching session is not found in the CST (or if there are duplicate matches), an attempt is made to forward the request by matching the attributes with the configured clients.

With all three methods, if an appropriate NAS target is not found, a CoA/DM NAK response is sent as the reply.

If the Reverse Path Forwarding check is enabled, SBRC verifies that the sender of the CoA/DM request belongs to the proxy realm associated with the session. If the check is enabled but fails, a CoA/DM NAK response is sent.

Behavior differs depending on whether a CoA/DM request is forwarded by way of the CST or directly to a NAS. When a request is forwarded directly, the Reverse Path Forwarding check is disabled, because no session is associated with the request and there is no mechanism to determine which proxy realm a particular request belongs to. Because a directly forwarded request has no realm of its own, the realm configuration used for the attribute filter and CheckMessageAuthenticator settings is a proxy realm that the proxy target belongs to. If the proxy target belongs to more than one realm, one realm is selected at random, and that selection remains the same until the proxy realm configuration is changed. If the proxy target does not belong to any proxy realm, a NAK response with an Error-Cause attribute of 505 (Other Proxy Processing Error) is sent in response to the CoA/DM request.
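As an added illustration (not code from the SBRC product or from this document), the following Python models the three forwarding methods, the Reverse Path Forwarding check, and the NAK cases described above. The CST layout, client table, realm membership and the `route_coa` function are constructed assumptions; the page gives no Error-Cause value for the "no target found" and RPF-failure NAKs, so those are returned without one.

```python
# Constructed Current Sessions Table (CST). "realm" is an assumed field holding the
# proxy realm that created the session; the third record is a deliberate duplicate.
CST = [
    {"nas_id": "nas1", "nas_ip": "10.0.0.1", "sid": "s100", "Sbr_NasClientName": "nas-client-1", "realm": "realm-a"},
    {"nas_id": "nas2", "nas_ip": "10.0.0.2", "sid": "s200", "Sbr_NasClientName": "nas-client-2", "realm": "realm-b"},
    {"nas_id": "nas2", "nas_ip": "10.0.0.2", "sid": "s200", "Sbr_NasClientName": "nas-client-2b", "realm": "realm-b"},
]
# Constructed RADIUS client configuration: client name -> (NAS-IP-Address, NAS-Identifier).
CLIENTS = {"nas-client-1": ("10.0.0.1", "nas1"),
           "nas-client-2": ("10.0.0.2", "nas2"),
           "nas-client-3": ("10.0.0.3", "nas3")}
# Constructed proxy-realm membership: proxy target (CoA/DM sender) -> realms it belongs to.
TARGET_REALMS = {"pt-a": {"realm-a"}, "pt-b": {"realm-b"}, "pt-orphan": set()}
OTHER_PROXY_PROCESSING_ERROR = 505  # Error-Cause value named on the page

def _cst_lookup(req):
    """Sessions matching Acct-Session-Id plus either NAS-Identifier or NAS-IP-Address."""
    return [s for s in CST if s["sid"] == req.get("Acct-Session-Id")
            and (s["nas_id"] == req.get("NAS-Identifier") or s["nas_ip"] == req.get("NAS-IP-Address"))]

def _client_lookup(req):
    """Configured clients whose NAS-IP-Address or NAS-Identifier matches the request."""
    return [name for name, (ip, ident) in CLIENTS.items()
            if ip == req.get("NAS-IP-Address") or ident == req.get("NAS-Identifier")]

def route_coa(req, sender, method=1, rpf_check=True):
    """Return ("forward", nas_client_name, realm) or ("NAK", error_cause_or_None)."""
    if method in (1, 3):
        matches = _cst_lookup(req)
        if len(matches) == 1:
            session = matches[0]
            # RPF: the sender must be in the proxy realm associated with the session.
            if rpf_check and session["realm"] not in TARGET_REALMS.get(sender, set()):
                return ("NAK", None)
            return ("forward", session["Sbr_NasClientName"], session["realm"])
        if method == 1:
            return ("NAK", None)  # no session, or ambiguous duplicates (assumed to NAK)
    # Direct forwarding (method 2, or method 3 fallback): no session, so RPF cannot run.
    clients = _client_lookup(req)
    if len(clients) != 1:
        return ("NAK", None)
    realms = sorted(TARGET_REALMS.get(sender, set()))
    if not realms:
        return ("NAK", OTHER_PROXY_PROCESSING_ERROR)
    # The realm used for filtering comes from the proxy target; SBRC picks one at random
    # and keeps it until the realm configuration changes, modelled here as a fixed choice.
    return ("forward", clients[0], realms[0])
```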

Modified: 2016-10-25