Packet Forwarding
ClearBox Server can forward a RADIUS request to another server
for processing and relay the other server's result back to its
client. We say that ClearBox Server is acting as a "proxy" for the
other, "target" server, and that ClearBox Server is
"proxy-forwarding", or simply "forwarding" the request to the
target server. ClearBox Server fully supports Proxy RADIUS, in that
it can act as either proxy or target for either authentication or
accounting messages. The proxy functionality can be combined with
realms, to provide very flexible roaming
services.
Proxy RADIUS Authentication
RADIUS authentication messages are proxy-forwarded as
follows:
- A RADIUS server receives an authentication message.
- The first RADIUS server (the "proxy") forwards the message to
the second RADIUS server (the "target").
- The target performs the authentication services indicated by
the message, and then returns a response message to the proxy.
- The proxy relays the response message to its original RADIUS
client.
Proxy RADIUS Accounting
RADIUS accounting messages are proxy-forwarded as follows:
- A RADIUS server receives an accounting request.
- What the RADIUS server does next depends upon how it is
designed and configured for proxy accounting. The options are
to:
(a) Forward the accounting message to a target server;
(b) Record accounting attributes locally on the proxy server;
or
(c) Both (a) and (b).
- If the proxy server does not receive an acknowledgement of the
forwarded packet, it will re-send periodically according to its
retry policy.
During proxy forwarding, ClearBox Server acts as the RADIUS
client of another RADIUS server. Since RADIUS clients take
responsibility for delivering RADIUS packets, all of them have a
"retry policy" that determines how often and for how long they
will continue to try to deliver a packet until they receive the
response that they expect from the RADIUS server. This includes
ClearBox Server when it acts as the RADIUS client of a Proxy RADIUS
target server.
When ClearBox Server sends a packet to a target and does not
receive a response within the amount of time it expects, it
keeps re-sending the packet periodically until it has used up
the number of attempts in its retry policy.
Attribute Filtering
ClearBox Server is able to filter specific RADIUS
attribute/value pairs into and out of RADIUS packets as they travel
to and from a target RADIUS server. This can be useful, for
example, if there is data in the packets that is needed for
routing, but not for authentication or accounting. Attribute
filtering is able to add, remove or change any RADIUS attributes in
both request and response packets.
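The remove, change and add operations described above, sketched on the RADIUS wire format as an added example (this is not ClearBox Server code or configuration). The function names, the sample packet and the filter rules are constructed for illustration; the attribute type numbers are the standard ones from RFC 2865.

```python
# Standard attribute type numbers from RFC 2865.
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, PROXY_STATE = 1, 4, 30, 33

def parse_packet(packet):
    """Return (20-byte header, [(type, value), ...]) for one RADIUS packet."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad header or Length field")
    attrs, pos = [], 20
    while pos < length:  # bytes past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return packet[:20], attrs

def filter_packet(packet, remove=(), change=None, add=()):
    """Apply remove/change/add rules and re-encode with a corrected Length.
    Caveat: the Response Authenticator and Message-Authenticator (type 80)
    cover the attributes; a real proxy recomputes them after filtering."""
    header, attrs = parse_packet(packet)
    change = change or {}
    kept = [(t, change.get(t, v)) for t, v in attrs if t not in remove]
    kept.extend(add)
    if any(len(v) > 253 for _, v in kept):
        raise ValueError("attribute value longer than 253 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in kept)
    if 20 + len(body) > 4096:
        raise ValueError("packet would exceed 4096 bytes")
    return header[:2] + (20 + len(body)).to_bytes(2, "big") + header[4:] + body

def build_sample_request():
    """Constructed Access-Request (code 1, id 7, all-zero authenticator)."""
    attrs = [(USER_NAME, b"alice@example.net"),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
             (CALLED_STATION_ID, b"5550100")]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([1, 7]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

if __name__ == "__main__":
    out = filter_packet(build_sample_request(), remove={CALLED_STATION_ID},
                        change={USER_NAME: b"alice"}, add=[(PROXY_STATE, b"hop1")])
    print(parse_packet(out)[1])
```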
See how to set up packet
forwarding.
For further reading about proxy chaining, its advantages and
implementation, see RFC 2607: Proxy Chaining and Policy
Implementation in Roaming.
© 2001-2007 XPerience Technologies. www.xperiencetech.com