Networking Software (IOS & NX-OS)

Table Of Contents

Configuring ISG as a RADIUS Proxy

Finding Feature Information

Contents

Prerequisites for ISG RADIUS Proxy

Restrictions for ISG RADIUS Proxy

Information About ISG RADIUS Proxy

Overview of ISG RADIUS Proxy

ISG RADIUS Proxy Handling of Accounting Packets

RADIUS Client Subnet Definition

ISG RADIUS Proxy Support for Mobile Wireless Environments

Attribute Processing and RADIUS Request Correlation

3GPP Attribute Support

Benefits of ISG RADIUS Proxy

How to Configure ISG as a RADIUS Proxy

Initiating ISG RADIUS Proxy IP Sessions

Configuring ISG RADIUS Proxy Global Parameters

Configuring ISG RADIUS Proxy Client-Specific Parameters

Defining an ISG Policy for RADIUS Proxy Events

Verifying ISG RADIUS Proxy Configuration

Clearing ISG RADIUS Proxy Sessions

Configuration Examples for ISG RADIUS Proxy

ISG RADIUS Proxy Configuration: Example

ISG RADIUS Proxy and Layer 4 Redirect: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for ISG RADIUS Proxy

Configuring ISG as a RADIUS Proxy

---

First Published: December 5, 2006

Last Updated: November 25, 2009

Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. The ISG RADIUS proxy feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an authentication, authorization, and accounting (AAA) server. When configured as a RADIUS proxy, ISG is able to "sniff" (look at) the RADIUS packet flows and, on successful authentication, it can transparently create a corresponding ISG session. This document describes how to configure ISG as a RADIUS proxy.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ISG RADIUS Proxy" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

•Prerequisites for ISG RADIUS Proxy

•Restrictions for ISG RADIUS Proxy

•Information About ISG RADIUS Proxy

•How to Configure ISG as a RADIUS Proxy

•Configuration Examples for ISG RADIUS Proxy

•Additional References

•Feature Information for ISG RADIUS Proxy

Prerequisites for ISG RADIUS Proxy

The Cisco IOS image must support AAA and ISG.

Restrictions for ISG RADIUS Proxy

Wireless Internet service provider roaming (WISPr) attributes are not supported.

Information About ISG RADIUS Proxy

Before you configure ISG to serve as a RADIUS proxy, you should understand the following concepts:

•Overview of ISG RADIUS Proxy

•ISG RADIUS Proxy Handling of Accounting Packets

•RADIUS Client Subnet Definition

•ISG RADIUS Proxy Support for Mobile Wireless Environments

•Benefits of ISG RADIUS Proxy

Overview of ISG RADIUS Proxy

Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points, each of which must send RADIUS authentication requests to a AAA server. The ISG RADIUS proxy functionality allows the access points to send authentication requests to ISG, rather than directly to the AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which then relays the response to the appropriate access point.

When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur during subscriber authentication and authorization, and transparently create a corresponding IP session upon successful authentication. This functionality provides an automatic login facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge.

When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server, as described in RFC 2865, RFC 2866, and RFC 2869.

ISG RADIUS proxy functionality is independent of the type of client device and supports standard authentication (that is, a single Access-Request/Response exchange) using both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.

In cases where authentication and accounting requests originate from separate RADIUS client devices, ISG associates all requests with the appropriate session through the use of correlation rules. For example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN (WLAN) access point, and accounting requests are generated by the Access Zone Router (AZR). The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.

Following a successful authentication, authorization data collected from the RADIUS response is applied to the corresponding ISG session.

Sessions that were created using ISG RADIUS proxy operation are generally terminated by receipt of an Accounting-Stop packet.

ISG RADIUS Proxy Handling of Accounting Packets

By default, ISG RADIUS proxy responds locally to accounting packets it receives. The accounting method-list command can be used to configure ISG to forward RADIUS proxy client accounting packets to a specified server. Forwarding of accounting packets can be configured globally for all RADIUS proxy clients or on a per-client basis.

RADIUS Client Subnet Definition

If ISG is acting as a proxy for more than one client device, all of which reside on the same subnet, the clients may be configured using a subnet definition rather than a discrete IP address for each device. This configuration method results in the sharing of a single configuration by all the client devices.

ISG RADIUS Proxy Support for Mobile Wireless Environments

ISG RADIUS proxy uses mobile wireless-specific processes to provide support for Gateway General Packet Radio Servie (GPRS) Support Node (GGSN) environments. The following sections describe ISG RADIUS proxy attribute support and processing:

•Attribute Processing and RADIUS Request Correlation

•3GPP Attribute Support

Attribute Processing and RADIUS Request Correlation

When authentication and accounting requests originate from separate RADIUS client devices, ISG uses correlation rules to associate all the requests with the appropriate session. The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.

In mobile wireless environments attribute processing and the correlation of RADIUS requests with a session are implemented differently than in a PWLAN environment. For example, in a PWLAN environment the Attribute 31 is a MAC address, and in a GGSN environment Attribute 31 is a Mobile Station Integrated Services Digital Network (MSISDN), which is a plain number or alphanumeric string. In addition, in a GGSN environment the correlation of RADIUS requests can be performed using attributes other than Attribute 31.

ISG RADIUS proxy supports mobile wireless environments by allowing you to specify whether the RADIUS-proxy client uses a MAC or MSISDN format for Attribute 31. The format is specified using the calling-station-id format command. In addition, you can use the session-identifier command to configure ISG RADIUS proxy to use other attributes (apart from Attribute 31) to perform RADIUS request correlation.

3GPP Attribute Support

In GGSN environments ISG RADIUS proxy must understand and parse the Third Generation Partnership Project (3GPP) attributes described in Table 1. These attributes form part of the accounting requests.

Table 1 3GPP Attributes Supported by ISG RADIUS Proxy

Attribute	Description	Vendor ID/type
3GPP-IMSI	The International Mobile Subscriber Identity (IMSI) for the user.	10415/1
3GPP-Charging-Id	The charging ID for this Packet Data Protocol (PDP) context (this together with the GGSN address constitutes a unique identifier for PDP context).	10415/2
3GPP-SGSN-Address	The Serving GPRS Support Node (SGSN) address that is used by the GPRS Tunneling Protocol (GTP) control plane for handling of control messages. It may be used to identify the Public Line Mobile Network (PLMN) to which the user is attached.	10415/6

Benefits of ISG RADIUS Proxy

Use of ISG RADIUS proxy has the following benefits:

•Allows the complete set of ISG functionality to be applied to EAP subscriber sessions.

•Allows an ISG device to be introduced into a network with minimum disruption to the existing network access server (NAS) and AAA servers.

•Simplifies RADIUS server configuration because only the ISG, not every access point, must be configured as a client.

How to Configure ISG as a RADIUS Proxy

This section contains the following procedures:

•Initiating ISG RADIUS Proxy IP Sessions (required)

•Configuring ISG RADIUS Proxy Global Parameters (required)

•Configuring ISG RADIUS Proxy Client-Specific Parameters (optional)

•Defining an ISG Policy for RADIUS Proxy Events (required)

•Verifying ISG RADIUS Proxy Configuration (optional)

•Clearing ISG RADIUS Proxy Sessions (optional)

Initiating ISG RADIUS Proxy IP Sessions

Perform this task to configure ISG to initiate an IP session upon receipt of a RADIUS proxy message from a RADIUS client.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip subscriber {interface | l2-connected | routed}

5. initiator radius-proxy

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	interface type number Example: Router(config)# interface fastethernet 1/0/0	Specifies an interface for configuration and enters interface configuration mode.
Step 4	ip subscriber {interface | l2-connected | routed} Example: Router(config-if)# ip subscriber routed	Enables ISG IP subscriber support on an interface, specifies the access method that IP subscribers will use to connect to ISG on an interface and enters subscriber configuration mode.
Step 5	initiator radius-proxy Example: Router(config-subscriber)# initiator radius-proxy	Configures ISG to initiate IP sessions upon receipt of any RADIUS packet.
Step 6	end Example: Router(config-subscriber)# end	Exits the current configuration mode and returns to privileged EXEC mode.

Configuring ISG RADIUS Proxy Global Parameters

Perform this task to configure ISG RADIUS proxy parameters that are applied by default to all RADIUS proxy clients. Client-specific parameters can also be configured and take precedence over this global configuration. To specify a client-specific configuration, see the Configuring ISG RADIUS Proxy Client-Specific Parameters.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa server radius proxy

5. session-identifier {attribute number | vsa vendor id type number}

6. calling-station-id format {mac-address | msisdn}

7. accounting method-list {method-list-name | default}

8. accounting port port-number

9. authentication port port-number

10. key [0 | 7] word

11. timer {ip-address | request} seconds

12. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	aaa new-model Example: Router(config)# aaa new-model	Enables the AAA access control model.
Step 4	aaa server radius proxy Example: Router(config)# aaa server radius proxy	Enters ISG RADIUS proxy server configuration mode.
Step 5	session-identifier {attribute number | vsa vendor id type number} Example: Router(config-locsvr-proxy-radius)# session-identifier attribute 1	(Optional) Correlates the RADIUS server requests of a session and identifies the session in the RADIUS proxy module.
Step 6	calling-station-id format {mac-address | msisdn} Example: Router(config-locsvr-proxy-radius)# calling-station-id format msisdn	Specifies the calling-station-id format.
Step 7	accounting method-list {method-list-name | default} Example: Router(config-locsvr-proxy-radius)# accounting method-list fwdacct	Specifies the server to which accounting packets from RADIUS clients are forwarded. Note By default, ISG RADIUS proxy handles accounting packets locally.
Step 8	accounting port port-number Example: Router(config-locsvr-proxy-radius)# accounting port 2222	Specifies the port on which the ISG listens for accounting packets from RADIUS clients. •The default port is 1646.
Step 9	authentication port port-number Example: Router(config-locsvr-proxy-radius)# authentication port 1111	Specifies the port on which the ISG listens for authentication packets from RADIUS clients. •The default port is 1645.
Step 10	key [0 | 7] word Example: Router(config-locsvr-proxy-radius)# key radpro	Configures the encryption key to be shared between ISG and RADIUS clients. •0 specifies that an unencrypted key will follow. •7 specifies a hidden key will follow.
Step 11	timer {ip-address | request} seconds Example: Router(config-locsvr-proxy-radius)# timer ip-address 5	Specifies the amount of time ISG waits for the specified event before terminating the session. •ip-address—Specifies the amount of time ISG waits for an IP address to be assigned to the session. •request—Specifies the amount of time ISG waits to receive an Access-Request from a client device.
Step 12	end Example: Router(config-locsvr-proxy-radius)# end	Exits the current configuration mode and returns to privileged EXEC mode.

Configuring ISG RADIUS Proxy Client-Specific Parameters

Perform this task to configure client-specific parameters for the ISG RADIUS proxy. This configuration applies to the specified client or subnet only. The client-specific configuration takes precedence over the global ISG RADIUS proxy configuration.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa server radius proxy

5. client {name | ip-address} [subnet-mask [vrf vrf-id]]

6. session-identifier {attribute number | vsa vendor id type number}

7. calling-station-id format {mac-address | msisdn}

8. accounting method-list {method-list-name | default}

9. accounting port port-number

10. authentication port port-number

11. key [0 | 7] word

12. timer {ip-address | request} seconds

13. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	aaa new-model Example: Router(config)# aaa new-model	Enables the AAA access control model.
Step 4	aaa server radius proxy Example: Router(config)# aaa server radius proxy	Enters ISG RADIUS proxy server configuration mode.
Step 5	client {name | ip-address} [subnet-mask [vrf vrf-id]] Example: Router(config-locsvr-proxy-radius)# client 172.16.54.45 vrf myvrftable	Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS client configuration mode.
Step 6	session-identifier {attribute number | vsa vendor id type number} Example: Router(config-locsvr-radius-client)# session-identifier vsa vendor 5335 type 123	(Optional) Correlates the RADIUS requests of a session and identifies the session in the RADIUS proxy module.
Step 7	calling-station-id format {mac-address | msisdn} Example: Router(config-locsvr-radius-client)# calling-station-id format msisdn	Specifies the calling-station-id format.
Step 8	accounting method-list {method-list-name | default} Example: Router(config-locsvr-radius-client)# accounting method-list fwdacct	Specifies the server to which accounting packets from RADIUS clients are forwarded.
Step 9	accounting port port-number Example: Router(config-locsvr-radius-client)# accounting port 2222	Specifies the port on which the ISG listens for accounting packets from RADIUS clients. •The default port is 1646.
Step 10	authentication port port-number Example: Router(config-locsvr-radius-client)# authentication port 1111	Specifies the port on which the ISG listens for authentication packets from RADIUS clients. •The default port is 1645.
Step 11	key [0 | 7] word Example: Router(config-locsvr-radius-client)# key radpro	Configures the encryption key to be shared between ISG and RADIUS clients. •0 specifies that an unencrypted key will follow. •7 specifies a hidden key will follow.
Step 12	timer {ip-address | request} seconds Example: Router(config-locsvr-radius-client)# timer ip-address 5	Specifies the amount of time ISG waits for the specified event before terminating the session. •ip-address—Specifies the amount of time ISG waits for an IP address to be assigned to the session. •request—Specifies the amount of time ISG waits to receive an Access-Request from a client device.
Step 13	end Example: Router(config-locsvr-radius-client)# end	Exits the current configuration mode and returns to privileged EXEC mode.

Defining an ISG Policy for RADIUS Proxy Events

Perform this task to configure a policy that is applied at session start and causes ISG to proxy RADIUS packets to a specified server.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]]

5. policy-map type control policy-map-name

6. class type control {control-class-name | always} event session-start

7. action-number proxy [aaa list {default | list-name}

8. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	aaa new-model Example: Router(config)# aaa new-model	Enables the AAA access control model.
Step 4	aaa authorization radius-proxy {default | list-name} method1 [method2 [method3...]] Example: Router(config)# aaa authorization radius-proxy RP group radius	Configures AAA authorization methods for ISG RADIUS proxy subscribers. •A method may be either of the following: –group group-name——Uses a subset of RADIUS servers for authorization as defined by the server group group-name command. –group radius——Uses the list of all RADIUS servers for authorization as defined by the aaa group server radius command.
Step 5	policy-map type control policy-map-name Example: Router(config)# policy-map type control proxyrule	Creates or modifies a control policy map, which defines an ISG control policy and enters control policy-map configuration mode.
Step 6	class type control {control-class-name | always} event session-start Example: Router(config-control-policymap)# class type control always event session-start	Specifies a control class for which actions may be configured and enters control policy-map class configuration mode.
Step 7	action-number proxy [aaa list {default | list-name} Example: Router(config-control-policymap-class-control)# 1 proxy aaa list RP	Sends RADIUS packets to the specified server. •Use this command to configure ISG to forward RADIUS proxy packets to the server specified by the aaa authorization radius-proxy command in Step 4.
Step 8	end Example: Router(config-control-policymap-class-contro)# end	Exits the current configuration mode and returns to privileged EXEC mode.

Verifying ISG RADIUS Proxy Configuration

Use one or more of the following commands to verify ISG RADIUS proxy configuration. The commands may be entered in any order.

SUMMARY STEPS

1. show radius-proxy client ip-address [vrf vrf-name]

2. show radius-proxy session {id id-number | ip ip-address}

3. show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier | username username] [detailed]

DETAILED STEPS

	Command or Action	Purpose
Step 1	show radius-proxy client ip-address [vrf vrf-id] Example: Router# show radius-proxy client 10.10.10.10	Displays RADIUS proxy configuration information and a summary of sessions for an ISG RADIUS proxy client.
Step 2	show radius-proxy session {id id-number | ip ip-address} Example: Router# show radius-proxy session ip 10.10.10.10	Displays information about an ISG RADIUS proxy session. Note The ID can be found in the output of the show radius-proxy client command.
Step 3	show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier| username username] [detailed] Example: Router# show subscriber session detailed	Displays information about subscriber sessions on an ISG device.

Clearing ISG RADIUS Proxy Sessions

Perform this task to clear ISG RADIUS proxy sessions.

SUMMARY STEPS

1. enable

2. clear radius-proxy client ip-address

3. clear radius-proxy session {id id-number | ip ip-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	clear radius-proxy client ip-address Example: Router# clear radius-proxy client 10.10.10.10	Clears all ISG RADIUS proxy sessions that are associated with the specified client device.
Step 3	clear radius-proxy session {id id-number | ip ip-address} Example: Router# clear radius-proxy session ip 10.10.10.10	Clears a specific ISG RADIUS proxy session. Note The ID can be found in the output of the show radius-proxy client command.

Configuration Examples for ISG RADIUS Proxy

This section contains the following examples:

•ISG RADIUS Proxy Configuration: Example

•ISG RADIUS Proxy and Layer 4 Redirect: Example

ISG RADIUS Proxy Configuration: Example

The following example configures ISG to serve as a RADIUS proxy and to send RADIUS packets to the method list called RP. FastEthernet interface 0/0 is configured to initiate IP sessions upon receipt of RADIUS packets.

!  
aaa new-model  
!  
aaa group server radius EAP  
server 10.2.36.253 auth-port 1812 acct-port 1813  
! 

aaa authorization radius-proxy RP group EAP  

aaa accounting network FWDACCT start-stop group EAP  
aaa accounting network FLOWACCT start-stop group EAP  
!   
aaa server radius proxy  
session-identifier attribute 1 
calling-station-id format msisdn 
authentication port 1111  
accounting port 2222  
key radpro  
message-authenticator ignore 

! The method list "FWDACCT" was configured by the aaa accounting network FWDACCT 
! start-stop group EAP command above. 

accounting method-list FWDACCT  
client 10.45.45.2  
timer request 5  
!  
client 10.45.45.3  
key aashica#@!$%&/  
timer ip-address 120  
!  
!  
! This control policy references the method list called "RP" that was configured using the 
aaa authorization radius-proxy command above.

policy-map type control PROXYRULE  
class type control always event session-start  
1 proxy aaa list RP   
!  
!   
!  
bba-group pppoe global  
!  
!  
interface FastEthernet 2/1/0 
ip address 10.45.45.1 255.255.255.0  
ip subscriber routed 
initiator radius-proxy  
no ip route-cache cef  
no ip route-cache  
no cdp enable 

!

! The control policy "PROXYRULE" is applied to the interface. 
service-policy type control PROXYRULE  
!  
!  
radius-server host 10.2.36.253 auth-port 1812 acct-port 1813 key cisco  
radius-server host 10.76.86.83 auth-port 1665 acct-port 1666 key rad123  
radius-server vsa send accounting  
radius-server vsa send authentication 

aaa new-model 

! 

! 

aaa group server radius EAP 

server 10.2.36.253 auth-port 1812 acct-port 1813 

! 

ISG RADIUS Proxy and Layer 4 Redirect: Example

The following example shows an ISG policy configured for both ISG RADIUS proxy and Layer 4 redirection:

aaa authorization network default local

!

redirect server-group REDIRECT

 server ip 10.255.255.28 port 23

 !

class-map type traffic match-any traffic1

match access-group input 101

! 

policy-map type service service1

 class type traffic traffic1

  redirect list 101 to group REDIRECT

!

policy-map type control PROXYRULE 

 class type control always event session-start

  1 proxy aaa list RP

  2 service-policy type service name service1 

!

access-list 101 permit tcp host 10.45.45.2 any

The following example shows corresponding sample output from the show subscriber session command:

Router# show subscriber session username 12345675@cisco

Unique Session ID: 66

Identifier: aash

SIP subscriber access type(s): IP

Current SIP options: Req Fwding/Req Fwded

Session Up-time: 00:00:40, Last Changed: 00:00:00

Policy information:

  Authentication status: authen

  Active services associated with session:

    name "service1", applied before account logon

  Rules, actions and conditions executed:

    subscriber rule-map PROXYRULE

      condition always event session-start

        1 proxy aaa list RP 

        2 service-policy type service name service1

Session inbound features:

Feature: Layer 4 Redirect ------>>> L4 redirect is applied to the session at session start

  Rule table is empty

Traffic classes:

  Traffic class session ID: 67

   ACL Name: 101, Packets = 0, Bytes = 0

Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0

Configuration sources associated with this session:

Service: service1, Active Time = 00:00:40

Interface: FastEthernet0/1, Active Time = 00:00:40

Additional References

The following sections provide references related to ISG RADIUS proxy.

Related Documents

Related Topic	Document Title
ISG commands	Cisco IOS Intelligent Services Gateway Command Reference
ISG design and deployment	•Cisco ISG Design and Deployment Guide: ATM Aggregation •Cisco ISG Design and Deployment Guide: Gigabit Ethernet Aggregation
RADIUS attributes	RADIUS Attributes Overview and RADIUS IETF Attributes
Vendor-specific attributes	Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

Standards

Standard	Title
None	—

MIBs

MIB	MIBs Link
None	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC	Title
RFC 2865	Remote Authentication Dial In User Service (RADIUS)
RFC 2866	RADIUS Accounting
RFC 2869	RADIUS Extensions

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for ISG RADIUS Proxy

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

---

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

---

Table 2 Feature Information for ISG RADIUS Proxy

Feature Name	Releases	Feature Information
ISG:AAA Wireless Enhancements	12.2(33)SRE	This feature enhances ISG RADIUS proxy to provide additional support for mobile wireless environments. It includes changes to RADIUS attribute 31 processing. The following sections provide information about this feature: •Information About ISG RADIUS Proxy •How to Configure ISG as a RADIUS Proxy The following commands were introduced by this feature: session-identifier, calling-station-id format.
ISG:Authentication:RADIUS Proxy WiMax Enhancements	12.2(33)SRE 12.2(33)XNE	This feature enhances ISG RADIUS proxy to provide additional support for WiMax broadband environments. The following sections provide information about this feature: •Information About ISG RADIUS Proxy •How to Configure ISG as a RADIUS Proxy In Cisco IOS Release 12.2(33)XNE, support was added for the Cisco 10000 series routers.
ISG:Policy Control: RADIUS Proxy Enhancements for ISG	12.2(31)SB2 12.2(33)SRC 12.2(33)SRE	This feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an AAA server. This functionality enables ISG to be deployed in PWLAN and wireless mesh networks where authentication requests for mobile subscribers must be sent to specific RADIUS servers. The following sections provide information about this feature: •Information About ISG RADIUS Proxy, page 2 •How to Configure ISG as a RADIUS Proxy, page 3 The following commands were introduced or modified by this feature: aaa authorization radius-proxy, aaa server radius proxy, accounting method-list, accounting port, authentication port, clear radius-proxy client, clear radius-proxy session, client (ISG RADIUS proxy), debug radius-proxy, initiator radius-proxy, key (ISG RADIUS proxy), message-authenticator ignore, proxy (ISG RADIUS proxy), show radius-proxy client, show radius-proxy session, timer (ISG RADIUS proxy). In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2006-2009 Cisco Systems, Inc. All rights reserved.