Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB
Configuring ISG as a RADIUS Proxy

Table Of Contents

Configuring ISG as a RADIUS Proxy

Contents

Prerequisites for ISG RADIUS Proxy

Restrictions for ISG RADIUS Proxy

Information About ISG RADIUS Proxy

Overview of ISG RADIUS Proxy

ISG RADIUS Proxy Handling of Accounting Packets

RADIUS Client Subnet Definition

Benefits of ISG RADIUS Proxy

How to Configure ISG as a RADIUS Proxy

Initiating ISG RADIUS Proxy IP Sessions

Configuring ISG RADIUS Proxy Global Parameters

Configuring ISG RADIUS Proxy Client-Specific Parameters

Defining an ISG Policy for RADIUS Proxy Events

Verifying ISG RADIUS Proxy

Clearing ISG RADIUS Proxy Sessions

Configuration Examples for ISG RADIUS Proxy

ISG RADIUS Proxy Configuration: Example

ISG RADIUS Proxy and Layer 4 Redirect: Example

Additional References

Related Documents

Technical Assistance

Feature Information for ISG RADIUS Proxy


Configuring ISG as a RADIUS Proxy


First Published: December 5, 2006
Last Updated: December 5, 2006

Intelligent Service Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. The ISG RADIUS proxy feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an authentication, authorization, and accounting (AAA) server. When configured as a RADIUS proxy, ISG is able to "sniff" (inspect) the RADIUS packet flows and, upon successful authentication, transparently create a corresponding ISG session. This document describes how to configure ISG as a RADIUS proxy.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for ISG RADIUS Proxy" section.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for ISG RADIUS Proxy

Restrictions for ISG RADIUS Proxy

Information About ISG RADIUS Proxy

How to Configure ISG as a RADIUS Proxy

Configuration Examples for ISG RADIUS Proxy

Additional References

Feature Information for ISG RADIUS Proxy

Prerequisites for ISG RADIUS Proxy

The Cisco IOS image must support authentication, authorization, and accounting (AAA) and ISG.

Restrictions for ISG RADIUS Proxy

Wireless Internet service provider roaming (WISPr) attributes are not supported.

Information About ISG RADIUS Proxy

Before you configure ISG to serve as a RADIUS proxy, you should understand the following concepts:

Overview of ISG RADIUS Proxy

ISG RADIUS Proxy Handling of Accounting Packets

RADIUS Client Subnet Definition

Benefits of ISG RADIUS Proxy

Overview of ISG RADIUS Proxy

Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points, each of which must send RADIUS authentication requests to a AAA server. The ISG RADIUS proxy functionality allows the access points to send authentication requests to ISG, rather than directly to the AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which then relays the response back to the appropriate access point.

When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur during subscriber authentication and authorization, and transparently create a corresponding IP session upon successful authentication. This functionality provides an automatic logon facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge.

When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server, as described in RFCs 2865, 2866, and 2869.

ISG RADIUS proxy functionality is independent of the type of client device and supports standard authentication (that is, a single Access-Request/Response exchange) using both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.

In cases where authentication and accounting requests originate from separate RADIUS client devices, ISG associates all requests with the appropriate session through the use of correlation rules. For example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN (WLAN) access point, and accounting requests are generated by the access zone router (AZR). The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-Id (attribute 31) is sufficient to make the association reliable.

Following a successful authentication, authorization data collected from the RADIUS response is applied to the corresponding ISG session.

Sessions that were created using ISG RADIUS proxy operation are generally terminated by receipt of an Accounting-Stop packet.
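
The session handling described in this overview, as an added example that is not Cisco code and not ISG's implementation: a small Python model that parses the RADIUS packets a proxy sees, correlates an Access-Accept with the Access-Request it answers, keys the resulting session on Calling-Station-Id (attribute 31) so that accounting from a different client device is matched to it, applies Framed-IP-Address and Session-Timeout from the response, waits for an address the way the timer ip-address setting does, and tears the session down on Accounting-Stop. The packets are constructed sample input. The class, function and state names, the use of Framed-IP-Address as the source of the session address, and the decision to drop a response that matches no outstanding request are this example's own assumptions; this page does not describe those details of ISG.

```python
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4   # RFC 2865/2866 codes
USER_NAME, FRAMED_IP_ADDRESS, SESSION_TIMEOUT, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 27, 31, 40
ACCT_START, ACCT_STOP = 1, 2

def parse_radius(packet):
    """Decode the RFC 2865 header and TLV attributes into (code, id, {type: [values]})."""
    code, ident, length = struct.unpack('!BBH', packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError('bad RADIUS length')
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:          # malformed TLV: reject the whole packet
            raise ValueError('bad attribute length')
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def build_radius(code, ident, authenticator, attrs):
    """Encode (type, value) pairs into a packet; used here only to construct sample input."""
    body = b''.join(struct.pack('!BB', t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack('!BBH', code, ident, 20 + len(body)) + authenticator + body

def _text(attrs, atype):
    return attrs.get(atype, [b''])[0].decode()

class ProxySessionTable:
    """Session bookkeeping of the kind ISG does while proxying RADIUS (a model, not ISG's code)."""
    def __init__(self, ip_timer=60):
        self.ip_timer = ip_timer    # seconds to wait for an address, like 'timer ip-address'
        self.pending = {}           # (client, identifier) -> attributes of the Access-Request
        self.sessions = {}          # Calling-Station-Id -> session dict

    def from_client(self, client, packet, now):
        """Packet from a RADIUS client: an access point (authentication) or an AZR (accounting)."""
        code, ident, attrs = parse_radius(packet)
        if code == ACCESS_REQUEST:
            self.pending[(client, ident)] = attrs
            return 'forward'
        if code != ACCT_REQUEST:
            return 'ignored'        # codes a client should not send are not proxied
        session = self.sessions.get(_text(attrs, CALLING_STATION_ID))
        if session is None:
            return 'no-session'     # nothing to correlate with: answer the client, create nothing
        status = struct.unpack('!I', attrs[ACCT_STATUS_TYPE][0])[0]
        if status == ACCT_STOP:
            del self.sessions[_text(attrs, CALLING_STATION_ID)]
            return 'session-stopped'
        if status == ACCT_START and FRAMED_IP_ADDRESS in attrs:
            session['ip'] = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))
            session['state'] = 'up'
        return 'accounted'

    def from_server(self, client, packet, now):
        """Response from the AAA server, matched to its request by client and identifier."""
        code, ident, attrs = parse_radius(packet)
        request = self.pending.pop((client, ident), None)
        if request is None:
            return 'drop'           # no outstanding request: an unsolicited response is not relayed
        if code == ACCESS_ACCEPT:
            session = {'user': _text(request, USER_NAME), 'ip': None,
                       'state': 'waiting-ip', 'deadline': now + self.ip_timer}
            if FRAMED_IP_ADDRESS in attrs:     # authorization data from the response is applied
                session['ip'] = str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))
                session['state'] = 'up'
            if SESSION_TIMEOUT in attrs:
                session['timeout'] = struct.unpack('!I', attrs[SESSION_TIMEOUT][0])[0]
            self.sessions[_text(request, CALLING_STATION_ID)] = session
        return 'relay'              # Accept, Reject and Challenge are all relayed to the client

    def expire(self, now):
        """Tear down sessions that never received an address within the ip-address timer."""
        expired = [c for c, s in self.sessions.items()
                   if s['state'] == 'waiting-ip' and now >= s['deadline']]
        for csid in expired:
            del self.sessions[csid]
        return expired

def demo():
    """One subscriber: authenticated through an access point, accounted for by a separate device."""
    table, auth, csid = ProxySessionTable(ip_timer=120), bytes(16), b'00-11-22-33-44-55'
    table.from_client('ap', build_radius(ACCESS_REQUEST, 7, auth,
                      [(USER_NAME, b'alice@example.net'), (CALLING_STATION_ID, csid)]), now=0)
    table.from_server('ap', build_radius(ACCESS_ACCEPT, 7, auth,
                      [(SESSION_TIMEOUT, struct.pack('!I', 3600))]), now=1)
    state_after_accept = table.sessions[csid.decode()]['state']
    table.from_client('azr', build_radius(ACCT_REQUEST, 3, auth,
                      [(ACCT_STATUS_TYPE, struct.pack('!I', ACCT_START)), (CALLING_STATION_ID, csid),
                       (FRAMED_IP_ADDRESS, ipaddress.IPv4Address('10.45.45.7').packed)]), now=2)
    session_up = dict(table.sessions[csid.decode()])
    table.from_client('azr', build_radius(ACCT_REQUEST, 4, auth,
                      [(ACCT_STATUS_TYPE, struct.pack('!I', ACCT_STOP)), (CALLING_STATION_ID, csid)]), now=3)
    return state_after_accept, session_up, len(table.sessions)
```

Running demo() walks the flow the overview describes: the session exists from the Access-Accept onward but waits for an address, the Accounting-Start from the second client device is matched by Calling-Station-Id and brings the session up, and the Accounting-Stop removes it. Authenticator and shared-secret checks are deliberately left out of this model.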

ISG RADIUS Proxy Handling of Accounting Packets

By default, ISG RADIUS proxy responds locally to accounting packets it receives. The accounting method-list command can be used to configure ISG to forward RADIUS proxy client accounting packets to a specified server. Forwarding of accounting packets can be configured globally for all RADIUS proxy clients or on a per-client basis.
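
What the shared key configured with the key command (in the procedures that follow) protects, and what a proxy does when it answers accounting locally as described above, as an added Python example that is not Cisco code: it computes and verifies the Request Authenticator of an Accounting-Request (RFC 2866, section 3), builds the Accounting-Response a proxy returns itself with a correct Response Authenticator, and verifies the Message-Authenticator attribute of an Access-Request (RFC 2869, section 5.14). The ignore flag models the message-authenticator ignore command that appears in the configuration example later on this page, on the assumption that the command makes ISG neither require nor verify that attribute; the page does not define the command further. All packets are constructed sample input and the function names are this example's own.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCT_REQUEST, ACCT_RESPONSE = 1, 4, 5
ACCT_STATUS_TYPE, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 40, 31, 80

def encode(code, ident, authenticator, attrs):
    """Build a RADIUS packet from (type, value) attribute pairs."""
    body = b''.join(struct.pack('!BB', t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack('!BBH', code, ident, 20 + len(body)) + authenticator + body

def make_accounting_request(ident, secret, attrs):
    """RFC 2866 section 3: Request Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    draft = encode(ACCT_REQUEST, ident, bytes(16), attrs)
    return draft[:4] + hashlib.md5(draft + secret).digest() + draft[20:]

def verify_accounting_request(packet, secret):
    """Proxy-side check: only a client holding the key can have produced this authenticator."""
    draft = packet[:4] + bytes(16) + packet[20:]
    return hmac.compare_digest(hashlib.md5(draft + secret).digest(), packet[4:20])

def make_accounting_response(request, secret, attrs=()):
    """The reply a proxy generates itself when it handles accounting locally.
    RFC 2866 section 3: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    draft = encode(ACCT_RESPONSE, request[1], request[4:20], list(attrs))
    return draft[:4] + hashlib.md5(draft + secret).digest() + draft[20:]

def verify_response(response, request, secret):
    """Client-side check that a response was produced by a holder of the key for this request."""
    draft = response[:4] + request[4:20] + response[20:]
    return hmac.compare_digest(hashlib.md5(draft + secret).digest(), response[4:20])

def _find_attr(packet, atype):
    """Offset of the first attribute of the given type, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError('bad attribute length')
        if t == atype:
            return pos
        pos += alen
    return None

def make_access_request(ident, request_auth, secret, attrs):
    """RFC 2869 5.14: Message-Authenticator = HMAC-MD5(secret, packet with that attribute's value zeroed)."""
    draft = encode(ACCESS_REQUEST, ident, request_auth,
                   list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pos = _find_attr(draft, MESSAGE_AUTHENTICATOR)
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    return draft[:pos + 2] + mac + draft[pos + 18:]

def verify_message_authenticator(packet, secret, ignore=False):
    """With ignore=True (this example's model of 'message-authenticator ignore') the attribute
    is neither required nor checked; otherwise a missing or wrong value fails the check."""
    if ignore:
        return True
    pos = _find_attr(packet, MESSAGE_AUTHENTICATOR)
    if pos is None:
        return False
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[pos + 2:pos + 18])

def demo(secret=b'radpro'):
    """Constructed traffic: a client with the key, one with the wrong key, and a tampered packet."""
    request = make_accounting_request(9, secret, [(ACCT_STATUS_TYPE, struct.pack('!I', 1)),
                                                  (CALLING_STATION_ID, b'00-11-22-33-44-55')])
    response = make_accounting_response(request, secret)
    tampered = request[:-1] + bytes([request[-1] ^ 0x01])
    return {'good_request': verify_accounting_request(request, secret),
            'wrong_key': verify_accounting_request(request, b'rad123'),
            'tampered': verify_accounting_request(tampered, secret),
            'response_ok': verify_response(response, request, secret)}
```

demo() shows that an Accounting-Request from a client configured with a different key, or one altered in transit, fails the authenticator check, which is the reason the key on ISG and on each RADIUS client must match and should not be left at a guessable value. An Access-Request, unlike an Accounting-Request, has a random Request Authenticator and so carries no keyed integrity check apart from Message-Authenticator; leave that check enabled wherever the clients can send the attribute.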

RADIUS Client Subnet Definition

If ISG is acting as a proxy for more than one client device, all of which reside on the same subnet, the clients may be configured using a subnet definition rather than a discrete IP address for each device. This configuration method results in the sharing of a single configuration by all the client devices.

Benefits of ISG RADIUS Proxy

Allows the complete set of ISG functionality to be applied to EAP subscriber sessions

Allows an ISG device to be introduced into a network with minimum disruption to the existing network access server (NAS) and AAA servers

Simplifies RADIUS server configuration because only the ISG, not every access point, must be configured as a client

How to Configure ISG as a RADIUS Proxy

This section contains the following procedures:

Initiating ISG RADIUS Proxy IP Sessions

Configuring ISG RADIUS Proxy Global Parameters

Configuring ISG RADIUS Proxy Client-Specific Parameters

Defining an ISG Policy for RADIUS Proxy Events

Verifying ISG RADIUS Proxy

Clearing ISG RADIUS Proxy Sessions

Initiating ISG RADIUS Proxy IP Sessions

Perform this task to configure ISG to initiate an IP session upon receipt of a RADIUS proxy message from a RADIUS client.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip subscriber {l2-connected | routed}

5. initiator radius-proxy

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface fastethernet 1/0/0

Specifies an interface for configuration and enters interface configuration mode.

Step 4 

ip subscriber {l2-connected | routed}

Example:

Router(config-if)# ip subscriber routed

Enables ISG IP subscriber support on an interface and specifies the access method that IP subscribers will use to connect to ISG on an interface.

Step 5 

initiator radius-proxy

Example:

Router(config-subscriber)# initiator radius-proxy

Configures ISG to initiate IP sessions upon receipt of any RADIUS packet.

Configuring ISG RADIUS Proxy Global Parameters

Perform this task to configure ISG RADIUS proxy parameters that are applied by default to all RADIUS proxy clients. Client-specific parameters can also be configured and take precedence over this global configuration. To specify a client-specific configuration, see the "Configuring ISG RADIUS Proxy Client-Specific Parameters" section.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa server radius proxy

5. accounting method-list {method-list-name | default}

6. accounting port port-number

7. authentication port port-number

8. key [0 | 7] word

9. timer {ip-address | request} seconds

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control model.

Step 4 

aaa server radius proxy

Example:

Router(config)# aaa server radius proxy

Enters ISG RADIUS proxy server configuration mode.

Step 5 

accounting method-list {method-list-name | default}

Example:

Router(config-locsvr-proxy-radius)# accounting method-list fwdacct

Specifies the accounting method list whose servers receive the accounting packets that ISG forwards from RADIUS clients.

Note By default, ISG RADIUS proxy responds to accounting packets locally and does not forward them.

Step 6 

accounting port port-number

Example:

Router(config-locsvr-proxy-radius)# accounting port 2222

Specifies the UDP port on which ISG listens for accounting packets from RADIUS clients.

The default port is 1646, the legacy RADIUS accounting port (RFC 2866 assigns 1813, which the upstream servers in the configuration example use).

Step 7 

authentication port port-number

Example:

Router(config-locsvr-proxy-radius)# authentication port 1111

Specifies the UDP port on which ISG listens for authentication packets from RADIUS clients.

The default port is 1645, the legacy RADIUS authentication port (RFC 2865 assigns 1812, which the upstream servers in the configuration example use).

Step 8 

key [0 | 7] word

Example:

Router(config-locsvr-proxy-radius)# key radpro

Configures the shared secret (key) between ISG and its RADIUS clients. Each client must be configured with the same key; it is used to compute and verify the RADIUS authenticators and to hide User-Password attributes.

Step 9 

timer {ip-address | request} seconds

Example:

Router(config-locsvr-proxy-radius)# timer ip-address 5

Specifies the amount of time ISG waits for the specified event before terminating the session.

ip-address—Specifies the amount of time ISG waits for an IP address to be assigned to the session.

request—Specifies the amount of time ISG waits to receive an Access-Request from a client device.

Configuring ISG RADIUS Proxy Client-Specific Parameters

Perform this task to configure client-specific parameters for the ISG RADIUS proxy. This configuration applies to the specified client or subnet only. The client-specific configuration takes precedence over the global ISG RADIUS proxy configuration.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa server radius proxy

5. client {name | ip-address} [subnet-mask [vrf vrf-id]]

6. accounting method-list {method-list-name | default}

7. accounting port port-number

8. authentication port port-number

9. key [0 | 7] word

10. timer {ip-address | request} seconds

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control model.

Step 4 

aaa server radius proxy

Example:

Router(config)# aaa server radius proxy

Enters ISG RADIUS proxy server configuration mode.

Step 5 

client {name | ip-address} [subnet-mask [vrf vrf-id]]

Example:

Router(config-locsvr-proxy-radius)# client 10.45.45.3

Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS client configuration mode. Specify subnet-mask to apply one configuration to every client device on that subnet (see the "RADIUS Client Subnet Definition" section).

Step 6 

accounting method-list {method-list-name | default}

Example:

Router(config-locsvr-radius-client)# accounting method-list fwdacct

Specifies the accounting method list whose servers receive the accounting packets that ISG forwards from this RADIUS client. By default, ISG responds to accounting packets locally and does not forward them.

Step 7 

accounting port port-number

Example:

Router(config-locsvr-radius-client)# accounting port 2222

Specifies the UDP port on which ISG listens for accounting packets from this RADIUS client.

The default port is 1646, the legacy RADIUS accounting port (RFC 2866 assigns 1813).

Step 8 

authentication port port-number

Example:

Router(config-locsvr-radius-client)# authentication port 1111

Specifies the UDP port on which ISG listens for authentication packets from this RADIUS client.

The default port is 1645, the legacy RADIUS authentication port (RFC 2865 assigns 1812).

Step 9 

key [0 | 7] word

Example:

Router(config-locsvr-radius-client)# key radpro

Configures the shared secret (key) between ISG and this RADIUS client. The client must be configured with the same key; it is used to compute and verify the RADIUS authenticators and to hide User-Password attributes.

Step 10 

timer {ip-address | request} seconds

Example:

Router(config-locsvr-radius-client)# timer ip-address 5

Specifies the amount of time ISG waits for the specified event before terminating the session.

ip-address—Specifies the amount of time ISG waits for an IP address to be assigned to the session.

request—Specifies the amount of time ISG waits to receive an Access-Request from a client device.

Defining an ISG Policy for RADIUS Proxy Events

Perform this task to configure a policy that is applied at session start and causes ISG to proxy RADIUS packets to a specified server.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]]

5. policy-map type control policy-map-name

6. class type control {control-class-name | always} event session-start

7. action-number proxy [aaa list {default | list-name}]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control model.

Step 4 

aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]]

Example:

Router(config)# aaa authorization radius-proxy RP group radius

Configures AAA authorization methods for ISG RADIUS proxy subscribers.

A method may be any one of the following:

group group-name—Uses a subset of RADIUS servers for authorization, as defined by the aaa group server radius group-name command.

group radius—Uses the list of all RADIUS servers for authorization, as defined by the radius-server host command.

Step 5 

policy-map type control policy-map-name

Example:

Router(config)# policy-map type control proxyrule

Creates or modifies a control policy map, which defines an ISG control policy.

Step 6 

class type control {control-class-name | always} event session-start

Example:

Router(config-control-policymap)# class type control always event session-start

Specifies a control class for which actions may be configured. With the always keyword and the session-start event, the actions that follow run for every session at session start.

Step 7 

action-number proxy [aaa list {default | list-name}]

Example:

Router(config-control-policymap-class-control)# 1 proxy aaa list RP

Sends RADIUS packets to the specified server.

Use this command to configure ISG to forward RADIUS proxy packets to the server specified by the aaa authorization radius-proxy command in Step 4.

Verifying ISG RADIUS Proxy

Use one or more of the following commands to verify ISG RADIUS proxy configuration. The commands may be entered in any order.

SUMMARY STEPS

1. show radius-proxy client ip-address [vrf vrf-id]

2. show radius-proxy session {id id-number | ip ip-address}

3. show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier | username username] [detailed]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

show radius-proxy client ip-address [vrf vrf-id]

Example:

Router# show radius-proxy client 10.10.10.10

Displays RADIUS proxy configuration information and a summary of sessions for an ISG RADIUS proxy client.

Step 2 

show radius-proxy session {id id-number | ip ip-address}

Example:

Router# show radius-proxy session ip 10.10.10.10

Displays information about an ISG RADIUS proxy session.

Note The ID can be found in the output of the show radius-proxy client command.

Step 3 

show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier | username username] [detailed]

Example:

Router# show subscriber session detailed

Displays information about subscriber sessions on an ISG device.

Clearing ISG RADIUS Proxy Sessions

Perform this task to clear ISG RADIUS proxy sessions.

SUMMARY STEPS

1. enable

2. clear radius-proxy client ip-address

3. clear radius-proxy session {id id-number | ip ip-address}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

clear radius-proxy client ip-address

Example:

Router# clear radius-proxy client 10.10.10.10

Clears all ISG RADIUS proxy sessions that are associated with the specified client device.

Step 3 

clear radius-proxy session {id id-number | ip ip-address}

Example:

Router# clear radius-proxy session ip 10.10.10.10

Clears a specific ISG RADIUS proxy session.

Note The ID can be found in the output of the show radius-proxy client command.

Configuration Examples for ISG RADIUS Proxy

This section contains the following examples:

ISG RADIUS Proxy Configuration: Example

ISG RADIUS Proxy and Layer 4 Redirect: Example

ISG RADIUS Proxy Configuration: Example

The following example configures ISG to serve as a RADIUS proxy and to proxy RADIUS packets using the authorization method list called "RP". FastEthernet interface 0/0 is configured to initiate IP sessions upon receipt of RADIUS packets.

!
aaa new-model
!
aaa group server radius EAP
 server 10.2.36.253 auth-port 1812 acct-port 1813
!
aaa authorization radius-proxy RP group EAP
aaa accounting network FWDACCT start-stop group EAP
aaa accounting network FLOWACCT start-stop group EAP
!
aaa server radius proxy
 authentication port 1111
 accounting port 2222
 key radpro
 message-authenticator ignore
 ! The method list "FWDACCT" was configured by the aaa accounting network FWDACCT
 ! start-stop group EAP command above.
 accounting method-list FWDACCT
 client 45.45.45.2
  timer request 5
 !
 client 10.45.45.3
  key aashica#@!$%&/
  timer ip-address 120
!
! This control policy references the method list called "RP" that was configured using the
! aaa authorization radius-proxy command above.
policy-map type control PROXYRULE
 class type control always event session-start
  1 proxy aaa list RP
!
bba-group pppoe global
!
interface FastEthernet0/0
 ip address 10.45.45.1 255.255.255.0
 ip subscriber routed
  initiator radius-proxy
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 ! The control policy "PROXYRULE" is applied to the interface.
 service-policy type control PROXYRULE
!
radius-server host 10.2.36.253 auth-port 1812 acct-port 1813 key cisco
radius-server host 10.76.86.83 auth-port 1665 acct-port 1666 key rad123
radius-server vsa send accounting
radius-server vsa send authentication

ISG RADIUS Proxy and Layer 4 Redirect: Example

The following example shows an ISG policy configured for both ISG RADIUS proxy and Layer 4 redirection:

aaa authorization network default local
!
redirect server-group REDIRECT
 server ip 126.255.255.28 port 23
!
class-map type traffic match-any traffic1
 match access-group input 101
!
policy-map type service service1
 class type traffic traffic1
  redirect list 101 to group REDIRECT
!
policy-map type control PROXYRULE
 class type control always event session-start
  1 proxy aaa list RP
  2 service-policy type service name service1
!
access-list 101 permit tcp host 10.45.45.2 any

The following example shows corresponding sample output from the show subscriber session command:

Router# show subscriber session username 12345675@cisco

Unique Session ID: 66
Identifier: aash
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:00:40, Last Changed: 00:00:00

Policy information:
  Authentication status: authen
  Active services associated with session:
    name "service1", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map PROXYRULE
      condition always event session-start
        1 proxy aaa list RP 
        2 service-policy type service name service1

Session inbound features:
Feature: Layer 4 Redirect ------>>> L4 redirect is applied to the session at session start
  Rule table is empty
Traffic classes:
  Traffic class session ID: 67
   ACL Name: 101, Packets = 0, Bytes = 0
Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0

Configuration sources associated with this session:
Service: service1, Active Time = 00:00:40
Interface: FastEthernet0/1, Active Time = 00:00:40

Additional References

The following sections provide references related to ISG RADIUS proxy.

Related Documents


Technical Assistance

Description
Link

The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


Feature Information for ISG RADIUS Proxy

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.

For information on a feature in this technology that is not documented here, see the "ISG Features Roadmap."

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for ISG RADIUS Proxy

Feature Name
Releases
Feature Information

RADIUS Proxy Enhancements for ISG

12.2(31)SB2

This feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and a AAA server. This functionality enables ISG to be deployed in PWLAN and wireless mesh networks where authentication requests for mobile subscribers must be sent to specific RADIUS servers.

The following sections provide information about this feature:

Information About ISG RADIUS Proxy

How to Configure ISG as a RADIUS Proxy

The following commands were introduced or modified by this feature: aaa authorization radius-proxy, aaa server radius proxy, accounting method-list, accounting port, authentication port, clear radius-proxy client, clear radius-proxy session, client (ISG RADIUS proxy), debug radius-proxy, initiator radius-proxy, key (ISG RADIUS proxy), message-authenticator ignore, proxy (ISG RADIUS proxy), show radius-proxy client, show radius-proxy session, timer (ISG RADIUS proxy).