RE: Proxies and dead home servers



Alan DeKok Writes ...
 
>   In addition, proxies can't know if the client sending them packets is
> a NAS or is instead another proxy.

Why not?  Every RADIUS client-server "hop" is protected by a hop-by-hop
shared secret, keyed at the server by the client's source IP address.
What's to prevent a server implementation (e.g. in a proxy) from storing a
NAS/Proxy flag in the local configuration store, along with the shared
secret?

> So at the minimum, *one* server in the proxy chain (the one local 
> to the NAS) needs to always respond to the NAS, otherwise the NAS 
> will think it's down.

Unless NASes have implemented a form of NAI routing.  I remember one such
implementation in the DECserver NAS (circa 1985).  It was "pre-NAI" but
worked similarly, using Kerberos domain syntax.  The "domain decoration" was
used to select from an arbitrarily long list of possible RADIUS servers.




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
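The hop-by-hop lookup described in the reply above, as an added example that is not part of this thread or of any RADIUS implementation: a client table keyed by the peer's source IP stores each hop's shared secret together with a NAS/proxy flag, and an incoming Accounting-Request is checked against that secret (the RFC 2866 Request Authenticator) before the flag is returned. The table layout, client addresses and secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed per-hop client table (hypothetical layout): each peer that may
# send us packets is keyed by its source IP and carries its own shared secret
# plus a flag recording whether that peer is a NAS or another proxy.
CLIENTS = {
    "192.0.2.10": {"secret": b"nas-secret-1", "role": "nas"},
    "198.51.100.5": {"secret": b"proxy-secret-1", "role": "proxy"},
}

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)


def accounting_request_authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 2866 Request Authenticator: MD5 over Code+Identifier+Length,
    sixteen zero octets in place of the authenticator, the attributes,
    and finally the hop's shared secret."""
    zeroed = packet[:4] + b"\x00" * 16 + packet[20:]
    return hashlib.md5(zeroed + secret).digest()


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Assemble an Accounting-Request the way a NAS or upstream proxy would."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    unsigned = header + b"\x00" * 16 + attributes
    return header + accounting_request_authenticator(unsigned, secret) + attributes


def classify_sender(src_ip: str, packet: bytes):
    """Look up the hop by source IP, verify the hop-by-hop authenticator with
    that hop's secret, and return its configured role ('nas' or 'proxy').
    Returns None for an unknown hop, a malformed packet, or a bad authenticator,
    so an unverified peer never gets trusted as either kind."""
    entry = CLIENTS.get(src_ip)
    if entry is None or len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    (declared_length,) = struct.unpack("!H", packet[2:4])
    if declared_length != len(packet):
        return None
    expected = accounting_request_authenticator(packet, entry["secret"])
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return entry["role"]
```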