[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Proxies and dead home servers
Alan DeKok Writes ...
> In addition, proxies can't know if the client sending them packets is
> a NAS or is instead another proxy.
Why not? Every RADIUS client-server "hop" is protected by a hop-by-hop
shared secret, keyed at the server by the client's source IP address.
What's to prevent a server implementation (e.g. in a proxy) from storing a
NAS/Proxy flag in the local configurations store, along with the shared
> So at the minimum, *one* server in the proxy chain (the one local
> to the NAS) needs to always respond to the NAS, otherwise the NAS
> will think it's down.
Unless NASes have implemented a form of NAI routing. I remember one such
implementation in the DECserver NAS (circa 1985). It was "pre-NAI" but
worked similarly, using Kerberos domain syntax. The "domain decoration" was
used to select from an arbitrarily long list of possible RADIUS servers.
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.