Bhanu Prasad

RADIUS Attribute Proxy-State

Updated: Aug 16, 2022

RADIUS is a networking protocol that provides AAA (authentication, authorization and accounting) services and is common in enterprise networks.


In this article, we will discuss the importance of the RADIUS Proxy-State attribute, which is seen only when there is a RADIUS proxy server. Below is a lab setup that I recently worked on to set up a public Wi-Fi.


The setup is simple: the user is presented with the captive portal page. Once the user provides the requested information and clicks Submit, the access point receives the information over HTTP/HTTPS, converts it into a RADIUS packet, and sends it to the RADIUS server to validate the user.



The setup contains an OmniAccess Stellar AP1221 managed by the OV2500. UPAM on the OV2500 acts as the RADIUS proxy, and the external portal and RADIUS server is ClearPass.


Note: OV2500 is the Alcatel-Lucent Enterprise OmniVista 2500 Network Management System.


The external portal and RADIUS server (192.168.2.227) hosts the captive portal page.


The traffic flows as follows.


  • When the user associates to the open SSID (with captive portal), the access point presents the captive portal page, where the user provides credentials such as a username and password, or accepts the Terms & Conditions, and clicks Submit. All the information between the user and the access point travels over HTTP/HTTPS.


  • The captive portal page reaches the user's device from the portal server because the portal server has been added to the walled garden.


Walled garden: a way to whitelist the captive portal page, domain, etc. so that the portal server and the user device can communicate. For example, hotels allow us to reach their own websites without authentication but block all other websites until we are authenticated.


  • Once the user provides the username and password, the AP converts the user information into a RADIUS packet and forwards it to UPAM (192.168.2.223).

  • As UPAM is acting as the RADIUS proxy server, it adds the Proxy-State attribute and forwards the RADIUS request to the external RADIUS server (192.168.2.227).


RADIUS Proxy-State attribute: if the Proxy-State attribute is found in an Access-Request packet, the information must be included unmodified in the response to the packet, whether the packet is accepted, challenged, or rejected. A RADIUS server acting as a proxy server uses this attribute to track the RADIUS request it sent out to the actual (external) RADIUS server while it waits for the response.




Please note that the Proxy-State value is the same in both the RADIUS request and the RADIUS Accept.



  • Based on the RADIUS response from the external RADIUS server (192.168.2.227), which carries the Proxy-State value unmodified, UPAM responds to the access point. In the example above the response is a RADIUS Accept, so the user is allowed to browse the Internet.

While working on this project in the customer setup, we were receiving the RADIUS Accept from the external RADIUS server, but the RADIUS proxy server was dropping it.


Later, by comparing the RADIUS Accept packets in the lab and the actual customer setup, we found that the external RADIUS server was not sending the RADIUS response with the Proxy-State attribute, and the RADIUS proxy server was dropping the RADIUS response and not forwarding it to the AP.


Screenshot: RFC 2865 on the Proxy-State attribute.
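
A check that would surface the problem described above, as an added example (not part of the original article or any vendor tool): it parses raw RADIUS packets, extracts Proxy-State (attribute type 33 in RFC 2865), and reports whether the reply echoes the request's values unchanged and in the same order. The packets, the `upam-0001` value and all function names are constructed for illustration.

```python
import struct

PROXY_STATE = 33  # attribute type assigned to Proxy-State in RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_attributes(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]  # a_len counts the 2-byte header
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def proxy_states(packet: bytes):
    return [v for t, v in parse_attributes(packet)[2] if t == PROXY_STATE]

def check_echo(request: bytes, response: bytes) -> str:
    """Compare Proxy-State in a proxied request with the external server's reply."""
    sent, got = proxy_states(request), proxy_states(response)
    if not sent:
        return "no Proxy-State in request"
    if not got:
        return "missing"  # the case from the customer setup: the proxy dropped such replies
    return "ok" if got == sent else "modified"

def build(code, ident, attrs):
    """Build a constructed test packet (zeroed authenticator, not a valid one)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample packets: User-Name (type 1) plus a made-up Proxy-State value.
REQ = build(1, 7, [(1, b"guest"), (PROXY_STATE, b"upam-0001")])
ACCEPT_OK = build(2, 7, [(PROXY_STATE, b"upam-0001")])
ACCEPT_BAD = build(2, 7, [(6, b"\x00\x00\x00\x02")])  # Service-Type only, no Proxy-State

if __name__ == "__main__":
    for name, resp in (("lab", ACCEPT_OK), ("customer-like", ACCEPT_BAD)):
        print(name, CODES[parse_attributes(resp)[0]], check_echo(REQ, resp))
```

To use it on real traffic, feed it the UDP payloads of the request the proxy sent and the reply it received, for example exported from a packet capture.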



