Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Configuring ISG as a RADIUS Proxy
Downloads: This chapterpdf (PDF - 1.39MB) The complete bookPDF (PDF - 5.67MB) | The complete bookePub (ePub - 1.6MB) | Feedback

Configuring ISG as a RADIUS Proxy

Contents

Configuring ISG as a RADIUS Proxy

Intelligent Services Gateway (ISG) is a Cisco software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. The ISG RADIUS proxy feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an authentication, authorization, and accounting (AAA) server. When configured as a RADIUS proxy, ISG is able to “sniff” (look at) the RADIUS packet flows and, on successful authentication, it can transparently create a corresponding ISG session. This module describes how to configure ISG as a RADIUS proxy.

In public wireless LAN (PWLAN) deployments, service providers must absolutely ensure the billing accuracy of a user’s session. The billing accuracy must also be met in case of a network component failure. The RADIUS proxy billing accuracy feature ensures that the start and stop session events are accurate and the events are the main references for session management.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for ISG RADIUS Proxy

The Cisco software image must support authentication, accountability and authorization (AAA) and Intelligent Services Gateway (ISG).

Restrictions for ISG RADIUS Proxy

Wireless Internet service provider roaming (WISPr) attributes are not supported.

Information About ISG RADIUS Proxy

Overview of ISG RADIUS Proxy

Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points, each of which must send RADIUS authentication requests to an authentication, addressing and authorization (AAA) server. The Intelligent Services Gateway (ISG) RADIUS proxy functionality allows the access points to send authentication requests to ISG, rather than directly to the AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which then relays the response to the appropriate access point.

When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur during subscriber authentication and authorization, and transparently create a corresponding IP session upon successful authentication. This functionality provides an automatic login facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge.

When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server, as described in RFC 2865, RFC 2866, and RFC 2869.

ISG RADIUS proxy functionality is independent of the type of client device and supports standard authentication (that is, a single Access-Request/Response exchange) using both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.

In cases where authentication and accounting requests originate from separate RADIUS client devices, ISG associates all requests with the appropriate session through the use of correlation rules. For example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN (WLAN) access point, and accounting requests are generated by the Access Zone Router (AZR). The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.

Following a successful authentication, authorization data collected from the RADIUS response is applied to the corresponding ISG session.

Sessions that were created using ISG RADIUS proxy operation are generally terminated by receipt of an Accounting-Stop packet.

To configure RADIUS proxy billing, you can use the timer reconnect command and show radius-proxy session command in the appropriate configuration modes.

To enable session reconnection for ISG RADIUS proxy servers and clients, use pwlan-session reconnect command in the appropriate configuration mode.

ISG RADIUS Proxy Handling of Accounting Packets

By default, ISG RADIUS proxy responds locally to accounting packets it receives. The accounting method-list command can be used to configure ISG to forward RADIUS proxy client accounting packets to a specified server. Forwarding of accounting packets can be configured globally for all RADIUS proxy clients or on a per-client basis.

RADIUS Client Subnet Definition

If Intelligent Services Gateway (ISG) is acting as a proxy for more than one client device, all of which reside on the same subnet, the clients may be configured using a subnet definition rather than a discrete IP address for each device. This configuration method results in the sharing of a single configuration by all the client devices.

ISG RADIUS Proxy Support for Mobile Wireless Environments

ISG RADIUS proxy uses mobile wireless-specific processes to provide support for Gateway General Packet Radio Service (GPRS) Support Node (GGSN) environments.

Attribute Processing and RADIUS Request Correlation

When authentication and accounting requests originate from separate RADIUS client devices, ISG uses correlation rules to associate all the requests with the appropriate session. The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.

In mobile wireless environments, attribute processing and the correlation of RADIUS requests with a session are implemented differently than in a PWLAN environment. For example, in a PWLAN environment the Attribute 31 is a MAC address, and in a GGSN environment Attribute 31 is a Mobile Station Integrated Services Digital Network (MSISDN), which is a plain number or alphanumeric string. In addition, in a GGSN environment the correlation of RADIUS requests can be performed using attributes other than Attribute 31.

ISG RADIUS proxy supports mobile wireless environments by allowing you to specify whether the RADIUS-proxy client uses a MAC or MSISDN format for Attribute 31. The format is specified using the calling-station-id format command. In addition, you can use the session-identifier command to configure ISG RADIUS proxy to use other attributes (apart from Attribute 31) to perform RADIUS request correlation.

3GPP Attribute Support

In GGSN environments, ISG RADIUS proxy must understand and parse the Third Generation Partnership Project (3GPP) attributes described in the table below. These attributes form part of the accounting requests.

Table 1 3GPP Attributes Supported by ISG RADIUS Proxy

Attribute

Description

Vendor ID/type

3GPP-IMSI

International Mobile Subscriber Identity (IMSI) for the user.

10415/1

3GPP-Charging-ID

Charging ID for this Packet Data Protocol (PDP) context (this together with the GGSN address constitutes a unique identifier for PDP context).

10415/2

3GPP-SGSN-Address

Serving GPRS Support Node (SGSN) address that is used by the GPRS Tunneling Protocol (GTP) control plane for handling of control messages. It may be used to identify the Public Line Mobile Network (PLMN) to which the user is attached.

10415/6

Benefits of ISG RADIUS Proxy

Use of Intelligent Services Gateway (ISG) RADIUS proxy has the following benefits:

  • Allows the complete set of ISG functionality to be applied to extensible authentication protocol (EAP) subscriber sessions.
  • Allows an ISG device to be introduced into a network with minimum disruption to the existing network access server (NAS) and authentication, authorization and accounting (AAA) servers.
  • Simplifies RADIUS server configuration because only the ISG, not every access point, must be configured as a client.

How to Configure ISG as a RADIUS Proxy

Initiating ISG RADIUS Proxy IP Sessions

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type slot/subslot/port

    4.    ip subscriber {interface | l2-connected | routed}

    5.    initiator radius-proxy

    6.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 interface type slot/subslot/port


    Example:
    Device(config)# interface GigabitEthernet 2/1/0
     

    Specifies an interface for configuration and enters interface configuration mode.

     
    Step 4 ip subscriber {interface | l2-connected | routed}


    Example:
    Device(config-if)# ip subscriber routed
     

    Enables Intelligent Services Gateway (ISG) IP subscriber support on an interface, specifies the access method used by IP subscribers to connect to ISG on an interface, and enters subscriber configuration mode.

     
    Step 5 initiator radius-proxy


    Example:
    Device(config-subscriber)# initiator radius-proxy
     

    Configures ISG to initiate IP sessions upon receipt of any RADIUS packet.

     
    Step 6 end


    Example:
    Device(config-subscriber)# end
     

    Exits the subscriber configuration mode and returns to privileged EXEC mode.

     

    Configuring ISG RADIUS Proxy Global Parameters

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    aaa new-model

      4.    aaa server radius proxy

      5.    pwlan-session reconnect

      6.    session-identifier {attribute number | vsa vendor id type number}

      7.    calling-station-id format {mac-address | msisdn}

      8.    accounting method-list {method-list-name | default}

      9.    accounting port port-number

      10.    authentication port port-number

      11.    key [0 | 7] word

      12.    timer {ip-address | request} seconds

      13.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 aaa new-model


      Example:
      Device(config)# aaa new-model
       

      Enables the authentication, authorization and accounting (AAA) access control model.

       
      Step 4 aaa server radius proxy


      Example:
      Device(config)# aaa server radius proxy
      
       

      Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode.

       
      Step 5pwlan-session reconnect


      Example:
      Device(config-locsvr-proxy-radius)# pwlan-session reconnect
       

      Enables the Public Wireless LAN (PWLAN) session reconnect feature.

       
      Step 6 session-identifier {attribute number | vsa vendor id type number}


      Example:
      Device(config-locsvr-proxy-radius)# session-identifier attribute 1
       

      (Optional) Correlates the RADIUS server requests of a session and identifies the session in the RADIUS proxy module.

       
      Step 7 calling-station-id format {mac-address | msisdn}


      Example:
      Device(config-locsvr-proxy-radius)# Calling-Station-ID format msisdn
       

      Specifies the Calling-Station-ID format.

       
      Step 8 accounting method-list {method-list-name | default}


      Example:
      Device(config-locsvr-proxy-radius)# accounting method-list fwdacct
       

      Specifies the server to which accounting packets from RADIUS clients are forwarded.

      Note   

      By default, ISG RADIUS proxy handles accounting packets locally.

       
      Step 9 accounting port port-number


      Example:
      Device(config-locsvr-proxy-radius)# accounting port 2222
       

      Specifies the port on which the ISG listens for accounting packets from RADIUS clients.

      • The default port is 1646.
       
      Step 10 authentication port port-number


      Example:
      Device(config-locsvr-proxy-radius)# authentication port 1111
       

      Specifies the port for which the ISG listens for authentication packets from RADIUS clients.

      • The default port is 1645.
       
      Step 11 key [0 | 7] word


      Example:
      Device(config-locsvr-proxy-radius)# key radpro
       

      Configures the encryption key to be shared between ISG and RADIUS clients.

      • 0 specifies that an unencrypted key will follow.
      • 7 specifies a hidden key will follow.
       
      Step 12 timer {ip-address | request} seconds


      Example:
      Device(config-locsvr-proxy-radius)# timer ip-address 5
       

      Specifies the amount of time for which ISG waits for the specified event before terminating the session.

       
      Step 13 end


      Example:
      Device(config-locsvr-proxy-radius)# end
       

      Exits the ISG RADIUS proxy server configuration mode and returns to privileged EXEC mode.

       

      Configuring ISG RADIUS Proxy Client-Specific Parameters

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    aaa new-model

        4.    aaa server radius proxy

        5.    client {name | ip-address} [subnet-mask [vrf vrf-id]]

        6.    pwlan-session reconnect

        7.    session-identifier {attribute number | vsa vendor id type number}

        8.    calling-station-id format {mac-address | msisdn}

        9.    accounting method-list {method-list-name | default}

        10.    accounting port port-number

        11.    authentication port port-number

        12.    key [0 | 7] word

        13.    timer {ip-address | reconnect | request} seconds

        14.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 aaa new-model


        Example:
        Device(config)# new-model
         

        Enables the authentication, authorization and accounting(AAA) access control model.

         
        Step 4 aaa server radius proxy


        Example:
        Device(config)# aaa server radius proxy
         

        Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode.

         
        Step 5 client {name | ip-address} [subnet-mask [vrf vrf-id]]


        Example:
        Device(config-locsvr-proxy-radius)# client 172.16.54.45 vrf myvrftable
         

        Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS client configuration mode.

         
        Step 6pwlan-session reconnect


        Example:
        Device(config-locsvr-radius-client)# pwlan-session reconnect
         

        Enables the Public Wireless LAN (PWLAN) session reconnect feature.

         
        Step 7 session-identifier {attribute number | vsa vendor id type number}


        Example:
        Device(config-locsvr-radius-client)# session-identifier vsa vendor 5335 type 123
         

        (Optional) Correlates the RADIUS requests of a session and identifies the session in the RADIUS proxy module.

         
        Step 8 calling-station-id format {mac-address | msisdn}


        Example:
        Device(config-locsvr-radius-client)# calling-station-id format msisdn
         

        Specifies the Calling-Station-ID format.

         
        Step 9 accounting method-list {method-list-name | default}


        Example:
        Device(config-locsvr-radius-client)# accounting method-list fwdacct
         

        Specifies the server to which accounting packets from RADIUS clients are forwarded.

         
        Step 10 accounting port port-number


        Example:
        Device(config-locsvr-radius-client)# accounting port 2222
         

        Specifies the port on which the ISG listens for accounting packets from RADIUS clients.

        • The default port is 1646.
         
        Step 11 authentication port port-number


        Example:
        Device(config-locsvr-radius-client)# authentication port 1111
         

        Specifies the port on which the ISG listens for authentication packets from RADIUS clients.

        • The default port is 1645.
         
        Step 12 key [0 | 7] word


        Example:
        Device(config-locsvr-radius-client)# key radpro
         

        Configures the encryption key to be shared between ISG and RADIUS clients.

        • 0 specifies that an unencrypted key will follow.
        • 7 specifies a hidden key will follow.
         
        Step 13 timer {ip-address | reconnect | request} seconds


        Example:
        Device(config-locsvr-radius-client)# timer ip-address 5
         

        Specifies the amount of time ISG waits for the specified event before terminating the session.

         
        Step 14 end


        Example:
        Device(config-locsvr-radius-client)# end
         

        Exits the ISG RADIUS client configuration mode and returns to privileged EXEC mode.

         

        Defining an ISG Policy for RADIUS Proxy Events

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    aaa new-model

          4.    aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]]

          5.    policy-map type control policy-map-name

          6.    class type control {control-class-name | always} event session-start

          7.    action-number proxy [aaa list {default | list-name}]

          8.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3 aaa new-model


          Example:
          Device(config)# aaa new-model
           

          Enables the AAA access control model.

           
          Step 4 aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]]


          Example:
          Device(config)# aaa authorization radius-proxy RP group radius
           

          Configures AAA authorization methods for ISG RADIUS proxy subscribers.

           
          Step 5 policy-map type control policy-map-name


          Example:
          Device(config)# policy-map type control proxyrule
           

          Creates or modifies a control policy map, which defines an ISG control policy and enters control policy-map configuration mode.

           
          Step 6 class type control {control-class-name | always} event session-start


          Example:
          Device(config-control-policymap-class-control)# class type control always event session-start 
           

          Specifies a control class for which actions may be configured and enters control policy-map class configuration mode.

           
          Step 7 action-number proxy [aaa list {default | list-name}]


          Example:
          Device(config-control-policymap-class-control)# 1 proxy aaa list RP
           

          Sends RADIUS packets to the specified server.

          • Use this command to configure ISG to forward RADIUS proxy packets to the server specified by the aaa authorization radius-proxy command in Step 4.
           
          Step 8 end


          Example:
          Device(config-control-policymap-class-control)# end
           

          Exits the config-control policymap-class-control mode and returns to privileged EXEC mode.

           

          Verifying ISG RADIUS Proxy Configuration

          SUMMARY STEPS

            1.    show radius-proxy client ip-address [vrf vrf-id]

            2.    show radius-proxy session {id id-number | ip ip-address}

            3.    show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier | username username] [detailed]


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 show radius-proxy client ip-address [vrf vrf-id]


            Example:
            Device# show radius-proxy client 10.10.10.10
             

            Displays RADIUS proxy configuration information and a summary of sessions for an ISG RADIUS proxy client.

             
            Step 2 show radius-proxy session {id id-number | ip ip-address}


            Example:
            Device# show radius-proxy session ip 10.10.10.10
             

            Displays information about an ISG RADIUS proxy session.

            Note   

            The ID can be found in the output of the show radius-proxy client command.

             
            Step 3 show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier | username username] [detailed]


            Example:
            Device# show subscriber session detailed
             

            Displays information about subscriber sessions on an ISG device.

             

            Clearing ISG RADIUS Proxy Sessions

            SUMMARY STEPS

              1.    enable

              2.    clear radius-proxy client ip-address

              3.    clear radius-proxy session {id id-number | ip ip-address}


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Device> enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.
               
              Step 2 clear radius-proxy client ip-address


              Example:
              Device# clear radius-proxy client 10.10.10.10
               

              Clears all ISG RADIUS proxy sessions that are associated with the specified client device.

               
              Step 3 clear radius-proxy session {id id-number | ip ip-address}


              Example:
              Device# clear radius-proxy session ip 10.10.10.10
               

              Clears a specific ISG RADIUS proxy session.

              Note   

              The ID can be found in the output of the show radius-proxy client command.

               

              Examples for Configuring ISG as a RADIUS Proxy

              ISG RADIUS Proxy Configuration Example

              The following example configures ISG to serve as a RADIUS proxy and to send RADIUS packets to the method list called RP. FastEthernet interface 0/0 is configured to initiate IP sessions upon receipt of RADIUS packets.

              ! 
              aaa new-model 
              ! 
              aaa group server radius EAP 
              server 10.2.36.253 auth-port 1812 acct-port 1813 
              ! 
              aaa authorization radius-proxy RP group EAP  
              aaa accounting network FWDACCT start-stop group EAP 
              aaa accounting network FLOWACCT start-stop group EAP 
              !  
              aaa server radius proxy 
              session-identifier attribute 1
              calling-station-id format msisdn
              authentication port 1111 
              accounting port 2222 
              key radpro 
              message-authenticator ignore 
              ! The method list "FWDACCT" was configured by the aaa accounting network FWDACCT
              ! start-stop group EAP command above. 
              accounting method-list FWDACCT 
              client 10.45.45.2 
              timer request 5 
              ! 
              client 10.45.45.3 
              key aashica#@!$%&/ 
              timer ip-address 120 
              ! 
              ! 
              ! This control policy references the method list called "RP" that was configured using the aaa authorization radius-proxy command above.
              policy-map type control PROXYRULE 
              class type control always event session-start 
              1 proxy aaa list RP  
              ! 
              !  
              ! 
              bba-group pppoe global 
              ! 
              ! 
              interface GigabitEthernet 2/1/0
              ip address 10.45.45.1 255.255.255.0 
              ip subscriber routed
              initiator radius-proxy 
              no ip route-cache cef 
              no ip route-cache 
              no cdp enable 
              !
              ! The control policy "PROXYRULE" is applied to the interface.
              service-policy type control PROXYRULE 
              ! 
              ! 
              radius-server host 10.2.36.253 auth-port 1812 acct-port 1813 key cisco 
              radius-server host 10.76.86.83 auth-port 1665 acct-port 1666 key rad123 
              radius-server vsa send accounting 
              radius-server vsa send authentication 
              aaa new-model 
              ! 
              ! 
              aaa group server radius EAP 
              server 10.2.36.253 auth-port 1812 acct-port 1813 
              ! 

              Example: ISG RADIUS Proxy and Layer 4 Redirect

              aaa authorization network default local
              !
              redirect server-group REDIRECT
               server ip 10.255.255.28 port 23
               !
              class-map type traffic match-any traffic1
              match access-group input 101
              ! 
              policy-map type service service1
               class type traffic traffic1
                redirect list 101 to group REDIRECT
              !
              policy-map type control PROXYRULE 
               class type control always event session-start
                1 proxy aaa list RP
                2 service-policy type service name service1 
              !
              access-list 101 permit tcp host 10.45.45.2 any

              The following is sample output from the containing RADIUS proxy details using the show subscriber session command, which displays RADIUS proxy details:

              Device# show subscriber session username 12345675@example
              
              Unique Session ID: 66
              Identifier: aash
              SIP subscriber access type(s): IP
              Current SIP options: Req Fwding/Req Fwded
              Session Up-time: 00:00:40, Last Changed: 00:00:00
              Policy information:
                Authentication status: authen
                Active services associated with session:
                  name "service1", applied before account logon
                Rules, actions and conditions executed:
                  subscriber rule-map PROXYRULE
                    condition always event session-start
                      1 proxy aaa list RP 
                      2 service-policy type service name service1
              Session inbound features:
              Feature: Layer 4 Redirect 
              Traffic classes:
                Traffic class session ID: 67
                 ACL Name: 101, Packets = 0, Bytes = 0
              Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0
              Configuration sources associated with this session:
              Service: service1, Active Time = 00:00:40
              Interface: FastEthernet0/1, Active Time = 00:00:40

              Additional References for Configuring ISG as a RADIUS Proxy

              Related Documents

              Related Topic

              Document Title

              Cisco IOS commands

              Cisco IOS Master Command List, All Releases

              ISG commands

              Cisco IOS Intelligent Services Gateway Command Reference

              Overview of ISG RADIUS proxy

              Configuring Intelligent Service Gateway Configuration Guide

              Standards and RFCs

              Technical Assistance

              Description

              Link

              The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

              Feature Information for Configuring ISG as a RADIUS Proxy

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

              Table 2 Feature Information for Configuring ISG as a RADIUS Proxy

              Feature Name

              Releases

              Feature Information

              RADIUS Proxy Enhancements for ISG

              Cisco IOS XE Release 2.2

              RADIUS proxy enhancements enable ISG to serve as a proxy between a client device that uses RADIUS authentication and an AAA server. This functionality enables ISG to be deployed in PWLAN and wireless mesh networks where authentication requests for mobile subscribers must be sent to specific RADIUS servers.

              The following commands were introduced or modified by this feature: aaa authorization radius-proxy, aaa server radius proxy, accounting method-list, accounting port, authentication port, clear radius-proxy client, clear radius-proxy session, client (ISG RADIUS proxy), debug radius-proxy, initiator radius-proxy, key (ISG RADIUS proxy), message-authenticator ignore, proxy (ISG RADIUS proxy), show radius-proxy client, show radius-proxy session,

              timer (ISG RADIUS proxy).

              ISG—AAA Wireless Enhancements

              Cisco IOS XE Release 2.5.0

              AAA Wireless Enhancements enable ISG RADIUS proxy to provide additional support for mobile wireless environments. It includes changes to RADIUS attribute 31 processing.

              The following commands were introduced by this feature: session-identifier, calling-station-id format.

              ISG—Authentication:RADIUS Proxy WiMax Enhancements

              Cisco IOS XE Release 2.5.0

              This feature enhances ISG RADIUS proxy to provide additional support for WiMax broadband environments.

              ISG—PWLAN Reconnect

              Cisco IOS XE Release 3.8S

              PWLAN Reconnect enhances user authentication and security while authenticating over PWLAN networks.

              The following command was introduced by this feature: pwlan-session reconnect.