HP-UX AAA Server A.08.02 Administrator's Guide
Table 17 Proxy Configuration Options (continued)
Option    Function
Notes:
• To accept forwarded requests from any IPv4 address or from any IPv4 address of a
particular subnet, specify a wildcard pattern. Examples of valid IPv4 wildcard patterns
are:
◦ *
◦ 192.*
◦ 192.0.*
◦ 192.0.2.*
• To allow access from any IPv6 address or from a group of IPv6 addresses, specify
an IPv6 wildcard pattern. The allowed IPv6 wildcard patterns are constructed by
appending an ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Examples
of valid IPv6 wildcard patterns are:
◦ *
◦ fedc:ba98:7654:3210:fe*
◦ fedc:ba98:7654:3210*
The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6
wildcard patterns. For example, ‘fedc::ba98:fe*’ is not allowed.
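Added example, not taken from the HP guide: a Python pre-check for wildcard patterns before they are entered in the proxy configuration, following the rules in the notes above. It accepts only the pattern shapes the notes list, reports the CIDR block an IPv4 pattern is equivalent to, and rejects "::"; the function names and the requirement of at least one colon in an IPv6 pattern are assumptions of this example.

```python
import ipaddress
import re

# IPv4 shapes taken from the guide's examples: 1-3 whole octets, then ".*".
_V4 = re.compile(r"^(\d{1,3})(?:\.(\d{1,3}))?(?:\.(\d{1,3}))?\.\*$")
# Partial IPv6 address followed by "*". Requiring at least one ":" is an
# assumption of this example, so that "192*" is not silently read as IPv6.
_V6 = re.compile(r"^[0-9a-f]{1,4}(?::[0-9a-f]{0,4}){1,7}\*$")


def check_pattern(pattern):
    """Return (family, scope) for a valid wildcard pattern, else raise ValueError."""
    p = pattern.strip().lower()
    if p == "*":
        return ("any", None)
    m = _V4.match(p)
    if m:
        octets = [int(o) for o in m.groups() if o is not None]
        if any(o > 255 for o in octets):
            raise ValueError(f"octet out of range in {pattern!r}")
        padded = octets + [0] * (4 - len(octets))
        cidr = "{}.{}.{}.{}/{}".format(*padded, 8 * len(octets))
        return ("ipv4", ipaddress.ip_network(cidr))
    if "::" in p:
        raise ValueError(f"'::' compression is not allowed in {pattern!r}")
    if _V6.match(p):
        return ("ipv6", p[:-1])  # the literal prefix, without the "*"
    raise ValueError(f"not a recognised wildcard pattern: {pattern!r}")


def ipv4_source_allowed(pattern, source):
    """True if the IPv4 address `source` falls inside an IPv4 or "*" pattern."""
    family, scope = check_pattern(pattern)
    if family == "any":
        return True
    return family == "ipv4" and ipaddress.IPv4Address(source) in scope


if __name__ == "__main__":
    # Constructed sample input: the guide's own examples plus two bad patterns.
    for pat in ["*", "192.0.*", "fedc:ba98:7654:3210:fe*", "fedc::ba98:fe*", "300.*"]:
        try:
            print(f"{pat:28} -> {check_pattern(pat)}")
        except ValueError as err:
            print(f"{pat:28} -> REJECTED: {err}")
```

IPv6 patterns are only syntax-checked here; how the server compares the prefix text against a client address is not stated in the guide, so no IPv6 matching is attempted.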
Shared Secret
Enter the shared secret held between the two authentication servers. The shared secret
must be less than 255 characters. A request from a forwarding server for which the
remote server does not have a shared secret will not be authenticated.
Confirm Shared Secret
Enter the shared secret once more to confirm it.
Vendor
Enter the vendor-specific attributes to be returned to the proxy server in a reply. Select
Generic (the default) if you do not want any vendor-specific attributes to be returned.
If you select Generic (the default), no vendor-specific attributes are returned. You can
make multiple selections by holding down the control key as you select vendor names.
Response Options
Select any of the check boxes to specify additional message-handling options. The
following options are valid:
RAD_RFC    Verifies that the Access-Request conforms with the RADIUS RFC.
           Nonconforming messages are dropped.
ACCT_RFC   Verifies that the Accounting-Request conforms with the Accounting RFC.
           Nonconforming messages are dropped.
CHECK_ALL  Checks all attributes to determine if the request is a duplicate (for
           messages from a proxy server). This occurs if the remote server sends
           nonstandard messages that are not easily detected as duplicates.
PRUNE      Forces pruning as if the response is being returned to an access device.
           When this option is checked, the Generic vendor prunes all
           vendor-specific attributes before a message is returned to the proxy
           server. This can be used to help prevent problems that might occur if
           an unencapsulated vendor attribute is not correctly mapped in the
           vendors file.
The server prunes vendor-specific attributes for a given vendor if that vendor is not
properly defined in the vendors file, and its attributes are not properly defined in the
dictionary file.
IMPORTANT: If you have specified the Prune response option for the proxy server and
the HP-UX AAA server is using the MS-CHAP protocol for authentication, you must select
Microsoft as one of the vendors.