Steel-Belted Radius Carrier 7.2.x Administration and Configuration Guide > RADIUS Basics > Proxy RADIUS

Proxy RADIUS

The Steel-Belted Radius Carrier server can forward a RADIUS request to another server for processing and relay the other server's result back to its client. In such cases, Steel-Belted Radius Carrier is acting as a proxy for the target server, and Steel-Belted Radius Carrier is proxy-forwarding the request to the target server.

Steel-Belted Radius Carrier supports proxy RADIUS; any Steel-Belted Radius Carrier server can act as proxy or target for authentication or accounting messages.

NOTE: If you are using the change of authorization/disconnect message (CoA/DM) feature, you cannot use proxy RADIUS. However, a simple proxy without routed proxy accounting is possible.

Proxy RADIUS Authentication

RADIUS authentication messages are forwarded by proxy as follows:

1. An access client requests authentication from a RADIUS client, which sends an authentication request to a RADIUS proxy server.
2. The proxy RADIUS server forwards the message to a RADIUS target server.
3. The target RADIUS server performs the authentication services indicated by the message, then returns a response message to the proxy RADIUS server.
4. The proxy RADIUS server relays the acknowledgement response message to the RADIUS client.

Figure 10: RADIUS Proxy Forwarding

Proxy RADIUS Accounting

RADIUS accounting messages are proxy-forwarded as follows:

1. A RADIUS server receives an accounting request.
2. Depending on its configuration, the RADIUS proxy server forwards the accounting message to a target accounting server or records accounting attributes locally (or does both).
3. If the proxy server does not receive an acknowledgement of the forwarded accounting message, it re-sends periodically according to its retry policy.
4. When the target server acknowledges the request, the proxy server forwards an acknowledgement to the RADIUS client.