HP-UX AAA Server A.07.00 Administrator's Guide: HP-UX 11i v1, 11i v2, and 11i v3 > Chapter 9 Configuring Proxies

Creating or Modifying a Proxy


When adding a proxy entry to the server configuration or modifying an existing entry, you must supply values for the proxy attributes through the Server Manager’s Proxy Attributes Screen.

To add a new proxy, or modify an existing proxy, complete the following steps:

  1. From the navigation tree, click Proxies, and then click New Proxy if you are creating a new proxy. If you are modifying an existing proxy, select the proxy you want to modify.

    The Proxy Attributes screen appears as shown in Figure 9-3 “Server Manager’s Proxy Attributes Screen”.

    Figure 9-3 Server Manager’s Proxy Attributes Screen

  2. Fill in the form on the Proxy Attributes screen according to the information given in Table 9-1 “Proxy Configuration Options”.

    Table 9-1 Proxy Configuration Options

    Option

    Function

    Name

    Enter the network location of the proxy server. The name can be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), a valid fully qualified DNS name, or an IP (IPv4 or IPv6) address that contains a wildcard pattern.

    When specifying Name as a DNS host name, you must use the name returned by the hostname command.

    NOTE: To accept forwarded requests from any IPv4 address or from any IPv4 address of a particular subnet, specify a wildcard pattern. Examples of valid IPv4 wildcard patterns are:
    *
    192.*
    192.0.*
    192.0.2.*
    To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard pattern. The allowed IPv6 wildcard patterns are constructed by appending an ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Examples of valid IPv6 wildcard patterns are:
    *
    fedc:ba98:7654:3210:fe*
    fedc:ba98:7654:3210:fedc:ba98:*

    The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. For example, ‘fedc::ba98:fe*’ is not allowed.

    Shared Secret

    Enter the shared secret held between the two authentication servers. The shared secret must be less than 255 characters. A request from a forwarding server for which the remote server does not have a shared secret will not be authenticated.

    Confirm Shared Secret

    Enter the shared secret once more to confirm it.

    Vendor

    Enter the vendor-specific attributes to be returned to the proxy server in a reply. Select Generic (the default) if you do not want any vendor-specific attributes to be returned.

    You can make multiple selections by holding down the Control key as you select vendor names.

    Response Options

    Select any of the check boxes to specify additional message-handling options. The following options are valid:

    RAD_RFC

    Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.

    ACCT_RFC

    Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.

    CHECK_ALL

    Checks all attributes to determine if the request is a duplicate (for messages from a proxy server). This occurs if the remote server sends nonstandard messages that are not easily detected as duplicates.

    PRUNE

    Forces pruning as if the response is being returned to an access device. When this option is checked, the Generic vendor prunes all vendor-specific attributes before a message is returned to the proxy server. This can be used to help prevent problems that might occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.

    The server prunes vendor-specific attributes for a given vendor if that vendor is not properly defined in the vendors file, and its attributes are not properly defined in the dictionary file.

    IMPORTANT: If you have specified the Prune response option for the proxy server and the HP-UX AAA server is using the MS-CHAP protocol for authentication, you must select Microsoft as one of the vendors.

     

  3. If you are adding a new proxy entry, click Create to submit the new proxy to the Server Manager.

    If you are modifying an existing entry, click Modify to submit changes made to the proxy entry to the Server Manager.

    Click Cancel to return to the Proxy screen without making any changes to your server configuration.

  4. From the navigation tree, click Save Configuration.

  5. On the Save Configuration screen that appears, click Save.

    NOTE: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
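
Added example (not from the HP guide or the AAA server's code): a Python audit helper that classifies proxy Name values using the wildcard rules in Table 9-1 and flags entries that accept forwarded requests from a wide address range. The function names, the bit thresholds in `too_broad`, and the reading of a partial trailing IPv6 group as leading hex digits are assumptions; only the pattern forms shown in the table are accepted.

```python
import ipaddress
import re

_HEX = re.compile(r"[0-9A-Fa-f]{1,4}")

def _v4_bits(prefix):
    # Documented IPv4 patterns end on an octet boundary: "192.", "192.0.", "192.0.2."
    octets = prefix[:-1].split(".") if prefix.endswith(".") else []
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not one of the documented IPv4 wildcard forms")
    return 8 * len(octets)

def _v6_bits(prefix):
    if "::" in prefix:
        raise ValueError("'::' compression is not allowed in IPv6 wildcard patterns")
    *full, last = prefix.split(":")
    bad_last = bool(last) and not _HEX.fullmatch(last)
    if len(full) > 7 or bad_last or not all(_HEX.fullmatch(g) for g in full):
        raise ValueError("malformed IPv6 wildcard prefix")
    # Assumption: a partial last group holds the leading hex digits of a 4-digit group.
    return 16 * len(full) + 4 * len(last)

def classify(name):
    """Return (kind, fixed_bits); fixed_bits == 0 accepts any source address."""
    if name == "*":
        return ("any", 0)
    if name.endswith("*"):
        prefix = name[:-1]
        if ":" in prefix:
            return ("ipv6-wildcard", _v6_bits(prefix))
        return ("ipv4-wildcard", _v4_bits(prefix))
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return ("dns", None)  # anything else is treated as a host name here
    return ("ipv%d" % ip.version, ip.max_prefixlen)

def too_broad(names, min_v4=16, min_v6=48):
    """Entries whose wildcard fixes fewer bits than a hypothetical policy minimum."""
    limits = {"any": 1, "ipv4-wildcard": min_v4, "ipv6-wildcard": min_v6}
    flagged = []
    for n in names:
        kind, bits = classify(n)
        if kind in limits and bits < limits[kind]:
            flagged.append(n)
    return flagged

# Constructed sample of proxy Name values, not taken from a real configuration.
SAMPLE = ["*", "192.*", "192.0.2.*", "fedc:ba98:7654:3210:fe*",
          "192.0.2.10", "radius1.example.net"]
```

Running `too_broad(SAMPLE)` lists the entries worth reviewing before the configuration is saved; a pattern that raises `ValueError` does not match any form the table documents.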

Forwarding Authentication Requests From a Proxy Server

To forward authentication requests from a proxy server, complete the following steps:

  1. Follow the steps listed in “Creating or Modifying a Proxy”.

  2. In the Proxy Configuration Form, configure the options described in Table 9-2 “Options for Forwarding Requests”.

    Table 9-2 Options for Forwarding Requests

    Option

    Description

    Realms to forward

    All requests originating from the realm listed in this drop-down list will be forwarded to the remote server. To add a realm to the list, select Add Realm from the list. To modify or delete a listed realm, select the realm name from the drop-down list. When you add or modify a realm, you specify the realm name and whether its accounting messages should be forwarded to the remote server. By default, accounting messages are forwarded to the proxy server.

    Authentication relay port

    This port number value overrides the server's startup switches that specify the UDP port used to relay authentication requests. The default (when no value is entered in this field and no startup switch is specified) is 1812.

    Accounting relay port

    This port number value overrides the server's startup switches that specify the UDP port used to relay accounting requests. The default (when no value is entered in this field and no startup switch is specified) is 1813.

    Append Attributes

    When receiving a response from a remote server, Yes will instruct the server to append all the forwarded A-V pairs to new A-V pairs included in the response. This setting is useful when a remote server does not return all of the A-V pairs that it received.

     

  3. Click Create.

  4. From the Navigation pane, click Save Configuration.

  5. On the Save Configuration screen that appears, click Save.

CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
NOTE: By default, accounting requests originating from the realm are also forwarded to the remote server.

Forwarding Authentication Requests to a Remote Server

To forward authentication requests to a remote server, complete the following steps:

  1. Follow the steps listed in “Creating or Modifying a Proxy”.

  2. In the Realms to Forward field, select the Add Realms option.

  3. Complete the Proxy Realm screen that appears by entering the name of the realm.

  4. Select Yes if accounting requests are not to be forwarded to the proxy server.

  5. On the Proxy Realm screen, click Save.

  6. Repeat steps 2 to 4 for each realm that must be forwarded to the remote server. To remove a realm that has been added, select the realm name from the Realms to forward drop-down list and click Delete.

  7. Complete the remaining fields if necessary.

  8. Click Create.

  9. From the navigation tree, click Save Configuration.

  10. On the Save Configuration screen that appears, click Save.

    NOTE: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify. By default, accounting requests originating from the realm are also forwarded to the remote server.
© Hewlett-Packard Development Company, L.P.