HP-UX AAA Server A.06.00 Administration and Authentication Guide: HP-UX 11.0, 11i v1 > Chapter 6 Access Devices and Proxies

Proxying


The proxy feature forwards authentication (and accounting messages) to another server. It can be used for carriers, roaming users, and other applications where different organizations share resources.

The following figure illustrates both ends of a proxy configuration relative to the local host. When the local host receives a request that it will authenticate, the server that forwarded the request is called the proxy server. When the local host forwards a request for another server to authenticate, the other server is called the remote (or home) server. A request may be forwarded through several networks before it reaches the home server.

Figure 6-2 Proxy Set-up

Forwarding Authentication Requests

Receiving Authentication Requests From a Proxy Server

  1. Access the AAA Server Manager.

  2. Select the Proxies link from the Navigation Tree located in the left frame of the browser and then select the New Proxy link. The Proxy Attributes screen will appear.

    Figure 6-3  Add Proxy Screen from Server Manager's Proxies Link

  3. In the Name field, enter the IP address or DNS name of the remote server.

  4. In the Shared secret field identify the encryption key, or shared secret, between the network device and the AAA server.

  5. From the Vendor listbox, select Generic or the vendor of the server.

  6. Select any of the Response options check boxes to define additional instructions to handle the forwarded Access-Request. Unless you have special requirements (see page 131), you probably do not need to select any options.

  7. Select the Create button.

  8. Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.

CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Forwarding Authentication Requests to a Remote Server

  1. Follow steps 1. to 5. of the "Receiving Authentication Requests From a Proxy Server" procedure.

  2. Select Add Realm from the Realms to forward drop-down list under Forwarding Options to specify the requests (identified by originating realm) that should be forwarded.

  3. Complete the Proxy Realm screen that appears by specifying the name of the realm.

    Figure 6-4  Proxy Realm Screen

  4. Select the Save button.

  5. Repeat steps 2 to 4 for each realm that should be forwarded to the remote server. To remove a realm that has been added, select the realm name from the Realms to forward drop-down list and then select the Delete button.

  6. Complete the remaining fields if necessary.

  7. Select the Create button.

  8. Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.

CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Changing RADIUS Port Numbers

If a remote server is listening for authentication or accounting requests on ports that are not the RADIUS defaults, you must configure the local server to forward messages to the correct port. The current RADIUS default ports are 1812 and 1813. Many older RADIUS servers listen for requests on ports 1645 and 1646.

Forwarding Requests to Alternate RADIUS Ports

  1. If you have not already configured the remote server, follow the procedure to proxy authentication requests. If the proxy configuration already exists, access it from the proxy screen.

  2. Specify the alternate ports in the Authentication relay port and Accounting relay port fields of the Proxy attributes screen.

  3. Select the Create button.

  4. Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.

CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

Forwarding Accounting Requests

The HP-UX AAA server records accounting start and stop messages locally to log session information. The server can be configured to forward these messages to a remote server. The following account message logging combinations are possible:

Table 6-1 Accounting Logging Options

| Configuration | Logging Location |
|---|---|
| Account forwarding set to Yes for a proxy configuration; no account forwarding to a central server | Local; proxy accounting forwarded to remote server |
| Account forwarding set to No for a proxy configuration; no account forwarding to a central server | Local only |
| Account forwarding set to Yes for a proxy configuration; account forwarding to a central server | No local logging; proxy accounting forwarded to remote server; all accounting forwarded to central server |
| Account forwarding set to No for a proxy configuration; account forwarding to a central server | No local or proxy accounting; all accounting forwarded to central server |

Follow the steps in the “Proxying Authentication and Accounting Messages to the Same Server” section to set account forwarding to yes for a proxy configuration. Follow the steps in the “Proxying Accounting Requests to a Central Server” section to forward accounting requests to a central server.

Proxying Authentication and Accounting Messages to the Same Server

  1. If you have not already configured the remote server, follow the procedure to forward authentication requests. If the proxy configuration already exists, access it from the proxy screen.

  2. From the Realms to forward drop-down list, select the name of the realm whose accounting messages you want to forward. If the realm is not already in the drop-down list, select Add Realm.

  3. Select the Yes Forward Accounting radio button in the Proxy Realm window.

  4. Select the Save button in the Proxy Realm window.

  5. Select the Create button.

  6. Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.

CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
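The forwarding decision the preceding sections configure through the Server Manager (realm-based forwarding, the per-proxy Shared secret, the Authentication and Accounting relay ports, and the Forward Accounting setting on the Proxy Realm screen) is shown below as an added Python example. It is not code from this guide or from the HP-UX AAA server: the ProxyEntry fields, the route function and the sample server home.example.net are assumptions, and the packet handling follows RFC 2865/2866 rather than anything the guide specifies. The point it makes is why the Shared secret field must match the remote server exactly: an Access-Request carries the User-Password hidden with the access device's secret, so a proxy has to reveal it with that secret and hide it again with the remote server's secret, while an Accounting-Request needs its Request Authenticator recomputed with the remote's secret.

```python
import hashlib
import struct
from dataclasses import dataclass

# RADIUS codes/attributes (RFC 2865/2866); ports are the defaults the guide quotes.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813

@dataclass
class ProxyEntry:
    """One remote (home) server; field names are an assumed mapping of the Proxy Attributes screen."""
    name: str                            # Name field: DNS name or IP address of the remote server
    secret: bytes                        # Shared secret between this host and the remote server
    realms: frozenset                    # Realms to forward
    forward_accounting: bool = False     # Forward Accounting radio button on the Proxy Realm screen
    auth_port: int = RADIUS_AUTH_PORT    # Authentication relay port
    acct_port: int = RADIUS_ACCT_PORT    # Accounting relay port

def parse_packet(pkt):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR the NUL-padded password with an MD5(secret + previous block) stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def realm_of(user_name):
    """The realm is what follows the last '@' in User-Name (lower-cased); '' when absent."""
    return user_name.rsplit("@", 1)[1].lower() if "@" in user_name else ""

def route(pkt, nas_secret, proxies):
    """Return None to handle the request locally, else (remote name, port, packet re-keyed for it)."""
    code, ident, auth, attrs = parse_packet(pkt)
    user = next((v for t, v in attrs if t == ATTR_USER_NAME), b"").decode("utf-8", "replace")
    target = next((p for p in proxies if realm_of(user) in p.realms), None)
    if target is None:
        return None                                  # realm not configured for forwarding
    if code == ACCESS_REQUEST:
        # The access device hid the password with its secret; re-hide it with the remote's secret.
        attrs = [(t, hide_password(reveal_password(v, nas_secret, auth), target.secret, auth)
                  if t == ATTR_USER_PASSWORD else v) for t, v in attrs]
        return target.name, target.auth_port, build_packet(code, ident, auth, attrs)
    if code == ACCOUNTING_REQUEST:
        if not target.forward_accounting:
            return None                              # Forward Accounting = No: local only
        # RFC 2866: Request Authenticator = MD5(header + 16 zero bytes + attributes + secret),
        # so the remote's secret requires a fresh one.
        zeroed = build_packet(code, ident, bytes(16), attrs)
        new_auth = hashlib.md5(zeroed + target.secret).digest()
        return target.name, target.acct_port, build_packet(code, ident, new_auth, attrs)
    raise ValueError("only Access-Request and Accounting-Request are proxied")

# Constructed sample: one remote server on the older ports and an Access-Request as a NAS sends it.
HOME = ProxyEntry("home.example.net", b"remote-secret", frozenset({"example.net"}),
                  forward_accounting=True, auth_port=1645, acct_port=1646)
NAS_SECRET = b"nas-secret"
AUTHENTICATOR = bytes(range(16))                     # a real access device picks this at random
SAMPLE_REQUEST = build_packet(ACCESS_REQUEST, 7, AUTHENTICATOR, [
    (ATTR_USER_NAME, b"alice@example.net"),
    (ATTR_USER_PASSWORD, hide_password(b"correct horse", NAS_SECRET, AUTHENTICATOR)),
])
```

Calling route(SAMPLE_REQUEST, NAS_SECRET, [HOME]) returns the remote name, port 1645 (the Authentication relay port set on HOME) and a packet whose User-Password now reveals correctly only with HOME's secret; a request for a realm that is not in any Realms to forward list, or with no realm at all, returns None and stays local, and an Accounting-Request for a realm whose Forward Accounting is No does the same. The example does not verify the incoming Accounting-Request authenticator against the access device's secret before forwarding; a production server does, so that a spoofed accounting message is dropped rather than relayed.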

Proxying Accounting Requests to a Central Server

By modifying the finite state table, you can forward all received accounting messages to a central server. This configuration will disable all local accounting.

  1. Copy the file /opt/aaa/examples/config/proxyacct.fsm to the radius.fsm file. (Both files should be in the configuration directory, /etc/opt/aaa/ by default.)

  2. Open radius.fsm in a text editor and locate the following lines:

    ACCTwait:
    *.*.ACK RAD2RAD REPLYHold Xstring="default.accounting.proxy.server"
    *.*.ACCT_DUP RAD2RAD REPLYHold Xstring="default.accounting.proxy.server"
  3. Replace the two instances of default.accounting.proxy.server with the DNS name or IP address of the server that you want to forward the accounting messages to. To forward the accounting to a different port, use the following syntax: Acct:Port.

    IMPORTANT: The server you specify must be added to your proxy configuration.
  4. Save radius.fsm.

  5. Restart the server if it is already running.
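The five steps above, written as an added Python script rather than a hand edit. It is not part of the guide or the product: the function names, the radius.fsm.bak backup and the check that the target host is already a proxy entry (the IMPORTANT note) are additions, and the script assumes the port form the guide calls Acct:Port means the server name followed by a colon and the port. Only the two ACCTwait lines that carry the placeholder are rewritten; every other line of proxyacct.fsm is copied unchanged, and the script refuses to write radius.fsm if it finds any number of placeholder lines other than two.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Paths and placeholder as the guide gives them (defaults; the config directory may differ).
EXAMPLE_FSM = Path("/opt/aaa/examples/config/proxyacct.fsm")
CONFIG_DIR = Path("/etc/opt/aaa")
PLACEHOLDER = "default.accounting.proxy.server"
# The two ACCTwait relay lines the guide says to edit; anything else is left untouched.
RELAY_LINE = re.compile(r'^\*\.\*\.(ACK|ACCT_DUP)\s+RAD2RAD\s+REPLYHold\s+Xstring="([^"]*)"\s*$')

def configure_central_accounting(example_fsm, config_dir, target, proxy_names):
    """Copy the example FSM to radius.fsm with the placeholder replaced by `target`.

    `target` is the remote server name, optionally as name:port (assumed Acct:Port form).
    Returns the number of lines rewritten, which the guide's example file makes exactly two.
    """
    host = target.rsplit(":", 1)[0] if ":" in target else target
    if host not in proxy_names:
        raise ValueError(f"{host} is not in the proxy configuration; add it as a proxy first")
    live = Path(config_dir) / "radius.fsm"
    if live.exists():
        shutil.copy2(live, live.with_name("radius.fsm.bak"))   # added safeguard, not in the guide
    lines, changed = [], 0
    for line in Path(example_fsm).read_text().splitlines():
        m = RELAY_LINE.match(line)
        if m and m.group(2) == PLACEHOLDER:
            line = line.replace(PLACEHOLDER, target)
            changed += 1
        lines.append(line)
    if changed != 2:
        raise ValueError(f"expected 2 placeholder lines in {example_fsm}, found {changed}")
    live.write_text("\n".join(lines) + "\n")
    return changed

# Constructed stand-in for proxyacct.fsm: only the ACCTwait lines the guide quotes.
SAMPLE_FSM = (
    "ACCTwait:\n"
    f'*.*.ACK RAD2RAD REPLYHold Xstring="{PLACEHOLDER}"\n'
    f'*.*.ACCT_DUP RAD2RAD REPLYHold Xstring="{PLACEHOLDER}"\n'
)

def demo(target="acct.example.net:1646", proxy_names=("acct.example.net",)):
    """Run the procedure against a temporary directory; returns the resulting radius.fsm text."""
    with tempfile.TemporaryDirectory() as tmp:
        example = Path(tmp) / "proxyacct.fsm"
        example.write_text(SAMPLE_FSM)
        configure_central_accounting(example, tmp, target, set(proxy_names))
        return (Path(tmp) / "radius.fsm").read_text()

if __name__ == "__main__":
    print(demo())
```

On a real host the call is configure_central_accounting(EXAMPLE_FSM, CONFIG_DIR, "acct.example.net", {names of the configured proxies}), run as a user that may write to the configuration directory, followed by the server restart from step 5; demo() exercises the same function against a temporary copy so it can be tried without touching /etc/opt/aaa.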

© 2003 Hewlett-Packard Development Company, L.P.