Hi All
Just a quick one. We run a cloud-based captive portal server and RADIUS that is outside the customer LAN. What is the correct solution when using more than a single IAP on site with an external RADIUS server, to allow us to send CoA / Disconnect messages back to the IAP(s) should we wish to change the role or disconnect a session?
The challenge will of course be the firewall too because we'll need to enable CoA support on the IAPs and also open UDP 3799 from our RADIUS server(s) to the internet network that hosts the IAPs. But, we can't port forward 3799 to multiple internal IP addresses, so where do we send the CoA to - the IAP that authenticated the user, or the master, or?
I was thinking that if we used the "Dynamic radius proxy" option within the IAP settings, this would make the master perform all RADIUS and Accounting transactions with our RADIUS server, so we should direct CoA / DM packets back at this master IAP?
Finally, what RADIUS attributes (as a minimum) are required to identify the user? Is Calling-Station-Id enough?
Thanks
James