HP-UX AAA Server A.06.01 Administrator's Guide: HP-UX 11.0, 11i v1, 11i v2 > Chapter 4 Configuration Screens

Proxies


The server configuration must include all the servers that may forward messages to or receive forwarded messages from the AAA server. If a remote server is not included in the configuration, the server will not handle or forward requests. The Proxies screen allows you to add a new proxy to the server configuration, or to modify or delete an existing proxy.

Navigating the Define Access Device Screen

Figure 4-5 Server Manager’s Proxy Screen

  • Selecting the New Proxy link or the following icon will display a form of proxy attributes to define a new entry:

  • Selecting an existing proxy or the following icon will display a form of the corresponding client's attributes for modification:

  • Selecting the following icon will display a confirmation screen before deleting the corresponding entry:

  • Selecting the following icon will display a context sensitive HTML help screen:

Creating or Modifying a Proxy

When adding a new proxy entry to the server configuration or modifying an existing entry, you supply values for the proxy attributes through a form's fields.

Figure 4-6 Server Manager’s Proxy Attributes Screen

Name:

Network location of the network device as follows:

  • It may be an IP address (in dotted-quad notation) or a valid domain name system (DNS) host name. When specifying Name as a DNS host name, you should use the name returned by the hostname command.

NOTE: Make sure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server(s). The AAA server determines the name of the machine that it is running on. If this name does not match your local DNS server's database, you will not be able to correctly configure the access device and will experience problems with some server operations.
Shared Secret:

Encryption key, or shared secret, between the client in this entry and the server. The field must be less than 255 characters. A request from a client for which the server does not have a shared secret will be silently discarded.
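The following Python sketch is an added example, not code from the HP-UX AAA Server. It shows how a RADIUS receiver in general uses the per-peer shared secret: it verifies the Request Authenticator of an Accounting-Request as defined in RFC 2866 and drops the packet, without replying, when the sender has no entry or the secret does not match. The client table, addresses, secrets and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code value for Accounting-Request (RFC 2866)

# Constructed client table: peer address -> shared secret (hypothetical values).
CLIENT_SECRETS = {"192.0.2.10": b"constructed-secret-1"}


def build_accounting_request(identifier, attributes, secret):
    """Build an Accounting-Request the way a correctly configured peer would."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def accept_accounting_request(source_ip, packet):
    """Return True to process the packet, False to drop it without any reply."""
    secret = CLIENT_SECRETS.get(source_ip)
    if secret is None:
        return False  # no shared secret for this peer: silently discarded
    if len(packet) < 20:
        return False  # shorter than the fixed RADIUS header
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample: Acct-Status-Type (40) = Start (1), User-Name (1) = "alice"
SAMPLE_ATTRS = struct.pack("!BBI", 40, 6, 1) + bytes([1, 7]) + b"alice"
GOOD = build_accounting_request(7, SAMPLE_ATTRS, CLIENT_SECRETS["192.0.2.10"])
WRONG_SECRET = build_accounting_request(7, SAMPLE_ATTRS, b"mismatched-secret")
```

An Access-Request cannot be checked this way, because its Request Authenticator is a random value rather than a digest; there a secret mismatch shows up as a failed password decryption or a rejected response instead.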

Vendor:

Indicates what vendor-specific attributes should be returned to the access device in a reply. In most applications, you will select the hardware vendor of the device or Generic if the device is not listed. You can make multiple selections by holding down the control key as you select vendor names.

IMPORTANT: If you have specified the Prune response option for the proxy server and the AAA server will be using the MS-CHAP protocol for authentication, Microsoft must be one of the vendor selections.

The server will prune vendor-specific attributes for a given vendor if that vendor’s name is not properly defined in the vendors file, and its attributes are not properly defined in the dictionary file.

Response Options:

Select any of the check boxes to specify additional message-handling options.

The following options are valid:

Table 4-2 Proxy Message Handling Options

| Option | Definition |
|---|---|
| ACCT_RFC | Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped. |
| CHECK_ALL | Checks all attributes to determine if the request is a duplicate (for messages from a proxy server). This may be necessary if the remote server sends nonstandard messages that can’t easily be detected as duplicates. |
| PRUNE | Forces pruning as if the response were being returned to an access device. With this option the Generic vendor prunes all vendor-specific attributes before a message is returned to the proxy server. This may be used to help prevent problems that might occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file. |
| RAD_RFC | Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped. |
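The Python sketch below is an added example that models the pruning behaviour described for the PRUNE option and the Vendor field; it is not the AAA server's own code. It shows why Microsoft must be among the selected vendors when MS-CHAP is in use: with no vendor selected (the Generic case) every vendor-specific attribute, including the MS-CHAP one, is removed from the reply. The function names, the placeholder vendor number and the sample reply are constructed.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries vendor-specific attributes
MICROSOFT = 311        # enterprise number of the MS-CHAP attributes (RFC 2548)
OTHER_VENDOR = 99999   # constructed placeholder enterprise number


def vsa(vendor_id, vendor_type, payload):
    """Encode one vendor-specific attribute (type 26)."""
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(payload) + 2]) + payload
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def parse_attributes(data):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[offset + 2:offset + attr_len]))
        offset += attr_len
    return attrs


def prune(attrs, selected_vendors):
    """Keep standard attributes; keep a VSA only if its vendor is selected."""
    kept = []
    for attr_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 4:
                continue  # too short to hold a vendor id: drop it
            if struct.unpack("!I", value[:4])[0] not in selected_vendors:
                continue
        kept.append((attr_type, value))
    return kept


def surviving_vendors(reply_attrs, selected_vendors):
    """Vendor ids of the VSAs still present after pruning."""
    kept = prune(parse_attributes(reply_attrs), selected_vendors)
    return [struct.unpack("!I", v[:4])[0] for t, v in kept if t == VENDOR_SPECIFIC]


# Constructed reply: Reply-Message (18), a Microsoft VSA of vendor type 26
# (MS-CHAP2-Success in RFC 2548, payload shortened here), one other VSA.
SAMPLE_REPLY = (bytes([18, 4]) + b"ok"
                + vsa(MICROSOFT, 26, b"\x01S=constructed")
                + vsa(OTHER_VENDOR, 1, b"x"))
```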

 

Forwarding Options

These options are configured if the AAA server will forward requests to the remote server.

Realms to forward:

All requests originating from the realm listed in this drop-down list will be forwarded to the remote server. To add a realm to the list, select Add Realm from the list. To modify or delete a listed realm, select the realm name from the drop-down list. When you add or modify a realm, you specify the realm's name and whether its accounting messages should be forwarded to the remote server.

Authentication relay port:

This port number value overrides the server's startup switches that specify the UDP port used to relay authentication requests. The default (when no value is entered in this field and no startup switch is specified) is 1812.

Accounting relay port:

This port number value overrides the server's startup switches that specify the UDP port used to relay accounting requests. The default (when no value is entered in this field and no startup switch is specified) is 1813.

Append Attributes:

When receiving a response from a remote server, Yes will instruct the server to append all the forwarded A-V pairs to new A-V pairs included in the response. This setting is useful when a remote server does not return all of the A-V pairs that it received.

When adding a new proxy entry, you select the Create button to submit the new proxy to the Server Manager. When modifying an existing entry, you select the Modify button to submit changes to the proxy entry. In either case, if each field contains a valid value, the client will be created or modified; otherwise, an error message is displayed. You can always select the Cancel button and return to the Proxy screen without making any changes to your server configuration.

Deleting a Proxy

The Delete Proxy screen allows you to preview an entry before you confirm deletion. Select the Delete button to delete the displayed proxy entry. You can select the Cancel button and return to the Proxy screen without deleting the entry.

Local Host Entry

To use the server testing utilities, the AAA server should always have its own local host client entry that specifies its name, the shared secret used by the local server when talking to itself, and Interlink as the vendor.

© 2001-2004 Hewlett-Packard Development Company, L.P.