 Feedback
|
Table Of Contents
Configuring SSG to Serve as a RADIUS Proxy
Prerequisites for SSG RADIUS Proxy
Restrictions for SSG RADIUS Proxy
Information About SSG Authentication Using RADIUS Proxy
SSG Autologon Using RADIUS Proxy
RADIUS Client Subnet Definition
Types of Deployments that Use SSG RADIUS Proxy
How to Configure SSG RADIUS Proxy
Configuring SSG Autologon Using RADIUS Proxy
Enabling SSG Autologon Using RADIUS Proxy
Configuring Session Identification Attributes
Configuring Timers for RADIUS Proxy
Configuring Multiple RADIUS Server Support
Configuring SSG RADIUS Proxy for GPRS Networks
Overview of SSG RADIUS Proxy in GPRS Networks
IP Addresses Assignment in GPRS Networks that Use SSG RADIUS Proxy
Support For Overlapped Host IP Addresses
Forwarding of Accounting Packets
Session Identification by IP address
Per-PDP Accounting in GPRS Networks that Use SSG RADIUS Proxy
Configuring SSG RADIUS Proxy for CDMA2000 Deployments
SSG RADIUS Proxy for CDMA2000 Overview
SSG RADIUS Proxy for CDMA2000 for Simple IP
SSG RADIUS Proxy for CDMA2000 for Mobile IP
Benefits of SSG RADIUS Proxy for CDMA2000
Configuring Home Agent IP Addresses
Verifying SSG RADIUS Proxy for CDMA2000
Configuring SSG RADIUS Proxy for 802.1x WLAN Deployments
EAP Implementations Supported by SSG
Prevention of IP Address Reuse
Configuring SSG RADIUS Proxy for 802.1x Deployments
Monitoring and Maintaining SSG RADIUS Proxy
Troubleshooting SSG RADIUS Proxy
Configuration Examples for SSG Authentication of RADIUS Proxy Subscribers
SSG Autologon Using RADIUS Proxy: Examples
Enabling SSG Autologon Using RADIUS Proxy: Example
Configuring Session Identification Attributes: Examples
Configuring Timers for RADIUS Proxy: Examples
SSG RADIUS Proxy for CDMA2000: Examples
Configuring Multiple RADIUS Server Support: Example
Configuring Home Agent IP Addresses: Example
SSG RADIUS Proxy for CDMA2000 - Complete Configuration: Example
SSG RADIUS Proxy for 802.1x WLAN Deployments: Example
Feature Information for SSG RADIUS Proxy
Configuring SSG to Serve as a RADIUS Proxy
First Published: May 2, 2005Last Updated: October 2, 2009
Note
Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
The RADIUS proxy feature is principally an insertion mechanism to allow an SSG device to be introduced to a network with minimum disruption to the existing network access server (NAS) and authentication, authorization, and accounting (AAA) server(s). By acting as a proxy between a NAS using RADIUS authentication (which may or may not be Cisco equipment) and a AAA server, SSG is able to "sniff" the RADIUS flows and transparently create a corresponding SSG session, on successful authentication of the subscriber. This provides an autologon facility with respect to SSG for subscribers that are authenticated by devices that are closer to the network edge. This document describes the types of deployments that use SSG as a RADIUS proxy and how to configure them.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSG RADIUS Proxy" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
•
•
Prerequisites for SSG RADIUS Proxy
Before you can perform the tasks in this process, you must enable SSG by completing the steps in the task Enabling SSG in the "Implementing SSG: Initial Tasks" module.
Before you can configure SSG as a RADIUS proxy, you must first configure the RADIUS clients and the RADIUS servers.
Restrictions for SSG RADIUS Proxy
•
•
Information About SSG Authentication Using RADIUS Proxy
This section describes the following concepts:
•
•
•
SSG Autologon Using RADIUS Proxy
The RADIUS proxy feature is principally an insertion mechanism to allow an SSG device to be introduced to a network with minimum disruption to the existing NAS and AAA server(s). By acting as a proxy between a client device using RADIUS authentication (which may or may not be Cisco equipment) and a AAA server, SSG is able to "sniff" the RADIUS flows and transparently create a corresponding SSG session, on successful authentication of the subscriber. This provides an "autologon" facility with respect to SSG for subscribers that are authenticated by devices that are closer to the network edge.
When configured as a RADIUS proxy, SSG transparently proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server, as described in RFCs 2865, 2866 and 2869.
This RADIUS proxy functionality is largely agnostic to the type of client device, for example, GGSN, PDSN, WLAN AP etc. and supports standard authentication (that is a single Access-Request/Response exchange) using both PAP and CHAP, Access-Challenge packets, and also EAP mechanisms (RFC 2869). Of the various types of EAP authentication in existence (which differ, for example, in the transport mechanism for the session keys), EAP-SIM and EAP-TLS are supported.
Where authentication and accounting requests originate from separate RADIUS client devices, SSG will associate all requests to the appropriate session through the use of certain correlation rules. This may occur for centralized PWLAN deployments, wherein authentication requests originate from the WLAN AP while accounting requests are generated by the AZR. The association of the disparate RADIUS flows to the underlying session is performed automatically where the combination of username (attribute 1) and calling-station-id (attribute 31, if present) is sufficient to make the association reliable. However, in some cases, configuration (that is, the specification of additional attributes for use as correlation keys) is required to coerce the correct association.
Following a successful authentication, authorization data gleaned from the RADIUS response is applied to the corresponding SSG session.
Termination of a session created via RADIUS proxy operation is generally effected by receipt of an Accounting-Stop packet with an appropriate session. Accounting-On/Off from a RADIUS client will result in the termination of all SSG sessions hosted by that client.
RADIUS Server Redundancy
When SSG acts as a RADIUS Proxy for a client device (GGSN, PDSN, HA etc.), access-requests that are generated by the client device are forwarded to the default RADIUS server, that is the first configured server. If this server fails, SSG provides fail-over to the next configured server (if present).
Broadcast of Host Accounting
SSG RADIUS Proxy for GPRS networks can provide geographical redundancy by copying host object accounting packets and sending them to multiple RADIUS servers.
RADIUS Client Subnet Definition
SSG will only proxy RADIUS packets originating from trusted client devices whose addresses have been explicitly configured in SSG. If SSG is acting as a proxy for multiple client devices, each of which resides on the same subnet, then the clients may be configured using a subnet definition rather than discrete IP addresses for each device. This configuration method results in a single client configuration entry for all the client devices, thus all client devices on this subnet must be configured with the same shared secret. Furthermore all these devices must be of the same type. For example CDMA2000 PDSNs and HAs must not share the same subnet configuration, although they may reside on the same subnet.
Host Route Insertion
By default, SSG inserts a static route to the host for proxy users (if there is no existing route available). For some installations, this may be either unnecessary or even undesirable, so you can disable the host route insertion on a per-client basis.
Note
When a host object is created, SSG checks to see if the host is reachable (on the correct interface) by an existing route and adds the static route only if it is not, and the insertion of host routes is enabled.
For the case where insertion of host routes is disabled, an "unrouted" timer may also be defined. If configured this timer is started when a host object is created with an unroutable IP address. If this IP address does not become routable (For example, due to a routing protocol update) before the timer expires, then the host object is destroyed.
Types of Deployments that Use SSG RADIUS Proxy
SSG can be used as a RADIUS Proxy for subscriber authentication in the following types of deployments:
•
•
•
How to Configure SSG RADIUS Proxy
To configure SSG as a RADIUS proxy, use the tasks below. The first task applies to all RADIUS Proxy deployments and you need to perform this task first. The next three tasks are specific to particular deployments. The last two tasks apply to all RADIUS proxy deployments.
•
•
•
•
•
•
Configuring SSG Autologon Using RADIUS Proxy
This feature allows SSG to as a proxy between a client device using RADIUS authentication and a AAA server and by "sniffing" the RADIUS flows, transparently create a corresponding SSG session, on successful authentication of the subscriber. Perform the following tasks to configure SSG Autologon Using RADIUS Proxy:
•
•
•
•
Enabling SSG Autologon Using RADIUS Proxy
Perform this task to enable SSG Autologon using RADIUS Proxy.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring Session Identification Attributes
By default, SSG selects the attribute used for session identification based on the type of client device. SSG assigns the 3GPP2-Correlation-ID attribute for PDSNs, Accounting-Session-ID attribute for HAs, and Calling-Station-ID attribute for non-CDMA2000 devices. You can override this automatic selection by using the following commands:
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring Timers for RADIUS Proxy
During the lifetime of an SSG RADIUS Proxy session, SSG expects to receive certain external events which are required for the session to continue. Whilst SSG is waiting for such external events, internal timers are running. If these timers expire, the RADIUS Proxy session is terminated.
Perform this task to configure the SSG RADIUS Proxy timers.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Configuring Multiple RADIUS Server Support
Perform this task to configure geographical redundancy for accounting records by allowing copies of host object accounting packets to be sent to multiple RADIUS servers. Note this is distinct from RADIUS server failover—the requirement here is that clones of accounting packets are always forwarded to each of the configured servers, not just when the primary server fails. To configure the support for multiple RADIUS servers, use the following commands:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Step 1
aaa group server radius group-name
Example:Router(config)# aaa group server radius myservergroup1
Groups RADIUS server hosts into distinct lists and distinct methods.
•
Step 2
server ip-address [auth auth-port] [acct acct-port]
Example:Router(config-sg-radius)# server 1.2.3.4 [auth 1645][acct 1646]
Configures the IP address of the RADIUS server for the group server.
•
•
•
Step 3
Repeat Step 2 to configure additional RADIUS servers.
Step 4
exit
Example:Router(config-sg-radius)# exit
Exits server group RADIUS configuration mode.
Step 5
aaa group server radius group-name
Example:Router(config)# aaa group server radius myservergroup2
Configures the second, redundant RADIUS server.
Step 6
server ip-address [auth auth-port] [acct acct-port]
Example:Router(config-sg-radius)# server 1.2.3.5 [auth 1645][acct 1646]
Configures the IP address of the second RADIUS server for the group server.
Step 7
Repeat Step 6 to configure additional RADIUS servers.
Step 8
Exits server group RADIUS configuration mode.
Step 9
aaa accounting network ssg_broadcast_accounting start-stop broadcast group group-name group group-nameExample:Router(config)# aaa accounting network ssg_broadcast_accounting start-stop broadcast group myservergroup1 group myservergroup2Enables AAA accounting of requested services for billing or security purposes when you use RADIUS.
•
•
•
•
Configuring SSG RADIUS Proxy for GPRS Networks
The General Packet Radio System (GPRS) is a service that provides packet radio access for mobile Global System for Mobile Communications (GSM) and time-division multiple access (TDMA) users. By configuring SSG as a RADIUS proxy to the GGSN, SSG can provide service selection to and direct traffic of mobile wireless subscribers.
Before you configure SSG RADIUS proxy support for GPRS networks, you should understand the following concepts:
•
•
•
•
•
•
Prerequisites
Before you configure RADIUS Proxy in GPRS networks, you must complete the steps in Enabling SSG Autologon Using RADIUS Proxy.
Overview of SSG RADIUS Proxy in GPRS Networks
The General Packet Radio System (GPRS) is a service that provides packet radio access for Global System for Mobile Communications (GSM) and time-division multiple access (TDMA) users.
The SSG RADIUS Proxy for GPRS feature allows an SSG device to be inserted between a GGSN and a NAP AAA server and act as a proxy for the authentication and accounting RADIUS flows. By monitoring these flows SSG can transparently create a corresponding SSG session, on successful authentication of the subscriber, and thus provide the user with access to the full range of SSG features.
IP Addresses Assignment in GPRS Networks that Use SSG RADIUS Proxy
You can assign an IP address to the host object in any of the following ways; these are in order of precedence (but not necessarily preference):
1.
2.
3.
4.
5.
If SSG receives an IP address in an AR from the GGSN, SSG proxies it to the AAA server. If the AAA server returns a different address in the AA, SSG assigns it to the host object, and returns it to the GGSN in the proxied AA. This in accordance with the RADIUS specification whereby IP addresses in ARs are treated by the server as hints and do not have to be honored.
For the case of auto-domain tunnel or proxy services, if there is already an IP address, SSG assigns this address to the host object and performs NAT towards this service.
If there is no existing route to the assigned IP address, static routes are added to the SSG's routing table with RADIUS-client as next-hop. This default behavior may be overridden by configuration (see ....) if, for example, routing protocols are in effect on the network and the static route addition is unnecessary.
Support For Overlapped Host IP Addresses
Overlapped host IP addresses are supported for hosts connected to SSG on different point-to-point (other than RBE) downlink interfaces.
Forwarding of Accounting Packets
While SSG is acting as a RADIUS Proxy for the GGSN it also receives all the Accounting packets. The Accounting Stop packet is used as an indication of session termination. By default, only Accounting-On/Off packets are forwarded to the real AAA server: Accounting-/Start/Stop/Update packets are not forwarded and SSG generates the responses locally. A CLI is provided to override this default behavior and allows transparent proxying of all accounting packets.
SSG will always proxy Accounting-On (or Accounting-Off) packets received from client GGSNs. These are used to signal that the client GGSN has just rebooted (or is about to be rebooted). When SSG receives the packets, SSG destroys all host objects associated with the specified client GGSN before forwarding the packet. Note that SSG uses the NAS-IP-Address in the Accounting-On/Off packets to determine the affected GGSN. This allows scenarios where multiple tunnel interfaces exist between the GGSN and SSG. In these scenarios, although there are multiple RADIUS clients configured at SSG, only a single Accounting-On/Off packet is generated by the GGSN. As part of normal SSG functionality, SSG sends Accounting-Start/Update/Stop records for both the active host objects and for any services they are connected to.
Session Identification by IP address
The default session identification is the MSID. To override this default and specify the subscriber's IP address as the session identifier, use the session-identifier command.
Per-PDP Accounting in GPRS Networks that Use SSG RADIUS Proxy
The Cisco GGSN (and presumably other GGSNs) supports per-PDP accounting rather than per-user accounting. In this mode Accounting-Start/Stop packets are generated for each PDP context activated by a subscriber, rather than a single pair representing the lifetime of the entire subscriber session. These multiple Accounting-Start/Stop pairs share the same Framed-IP-Address attribute (that is, the IP address of the user) and are distinguished by unique Accounting-Session-ID attributes.
SSG monitors the number of separate contexts associated with an IP address by monitoring the number of (different) Accounting-Starts received. When the number of contexts drops to zero or SSG receives an Accounting-Stop with a 3GPP-Session-Stop-Indicator, SSG terminates the session.
Configuring SSG RADIUS Proxy for CDMA2000 Deployments
This section describes how to configure SSG RADIUS Proxy for CDMA2000 deployments. Before you configure SSG RADIUS proxy for CDMA2000 deployments, you should understand the following concepts:
•
•
•
•
•
•
This section contains the following tasks:
•
•
Prerequisites
PDSN
•
•
•
HA
•
Note
•
•
•
Miscellaneous
•
Restrictions
SSG RADIUS Proxy for CDMA2000 requires non standard extensions to the Home Agent behavior. See Prerequisites for more information.
In Auto-domain mode, SSG bypasses user authentication at the Network Attached Storage (NAS) Authentication, Authorization and Accounting (AAA) server. SSG instead downloads a generic profile for the specified Auto-domain. This profile may be a service profile for simple Auto-domain or a virtual user profile in extended mode Auto-domain. When SSG is acting as a RADIUS Proxy in a CDMA2000 network, the profile returned in an Access-Accept from the AAA server must contain the 3GPP2-IP-Technology VSA to indicate to SSG whether this call setup is for a Simple IP call or for a Mobile IP call. Even if a network supports only one type of user (either all Simple IP users or all Mobile IP users), the Access-Accept packets received from the AAA must contain the 3GPP2-IP-Technology VSA. In networks that support only one type of user, the Auto-domain profiles can be formatted to contain the correct attribute. In networks that support both Mobile IP and Simple IP users simultaneously, the Access-Accept packets must contain the correct attribute for the type of user. The AAA server must be able to modify the contents of the generic Auto-domain profile so that it contains the correct VSA. SSG must receive a real rather than a cached response from the AAA server for each user logon. SSG Service Profile Caching must be disabled when SSG Auto-domain is enabled and SSG is acting as a RADIUS Proxy in a CDMA2000 network that supports both Simple IP and Mobile IP users.
CDMA
Code Division Multiple Access (CDMA) is a digital spread-spectrum modulation technique used mainly with personal communications devices such as mobile phones. CDMA digitizes the conversation and tags it with a special frequency code. The data is then scattered across the frequency band in a pseudorandom pattern. The receiving device is instructed to decipher only the data corresponding to a particular code to reconstruct the signal.
For more information about CDMA, see the "CDMA Overview" knowledge byte on the Mobile Wireless Knowledge Bytes web page.
CDMA2000 Radio Transmission Technology (RTT) is a wideband, spread-spectrum radio interface that uses CDMA technology to satisfy the needs of third generation (3G) wireless communication systems. CDMA2000 is backward compatible with CDMA.
For more information about CDMA2000, refer to the "CDMA2000 Overview" knowledge byte on the Mobile Wireless Knowledge Bytes web page.
SSG RADIUS Proxy for CDMA2000 Overview
The SSG RADIUS Proxy for CDMA2000 feature allows you to extend the functionality of the existing SSG RADIUS Proxy so that it may be used in CDMA2000 networks.
Code Division Multiple Access (CDMA) is a digital spread-spectrum modulation technique used mainly with personal communications devices such as mobile phones. CDMA digitizes the conversation and tags it with a special frequency code. The data is then scattered across the frequency band in a pseudorandom pattern. The receiving device is instructed to decipher only the data corresponding to a particular code to reconstruct the signal.
When used in a CDMA2000 network, the Service Selection Gateway (SSG) provides RADIUS Proxy services to the Packet Data Serving Node (PDSN) and the Home Agent (HA) for both Simple IP and Mobile IP authentication. SSG also provides service selection management and policy-based traffic direction for subscribers.
SSG RADIUS Proxy for CDMA2000, used with Cisco Subscriber Edge Services Manager (SESM), provides users with on-demand services and service providers with service management and subscriber management.
SSG RADIUS Proxy for CDMA2000 supports time- and volume-based usage accounting for Simple IP and Mobile IP sessions. Prepaid and postpaid services are supported. Host accounting records can be sent to multiple network elements, including Content Service Gateways (CSGs), Content Optimization Engines (COEs), and Wireless Application Protocol (WAP) gateways.
Figure 1 CDMA Network
Key to Figure 1
BTS
Base Transceiver Station
BSC
Base Station Controller
PCF
Packet Control Function
PDSN/FA
Packet Data Serving Node / Foreign Agent
VPN
Virtual Private Network
SSG RADIUS Proxy for CDMA2000 for Simple IP
When used in a CDMA2000 environment, SSG acts as a RADIUS Proxy to the Packet Data Serving Node (PDSN) and to the Home Agent for Simple IP authentication. SSG sets up a host object for the following three access modes:
•
•
•
SSG operating in a CDMA2000 network correlates Accounting-Start and Accounting-Stop requests. A PDSN may send out many Accounting-Start and Accounting-Stop requests during a session. These Accounting-Start and Accounting-Stop requests can be generated by PDSN hand off, Packet Control Function (PCF) hand off, interim accounting, and time-of-date accounting. SSG terminates a session only when it receives an Accounting-Stop request with the 3GPP2-Session-Continue VSA set to FALSE or when a subsequent Accounting-Start request is not received within a configured timeout. PPP renegotiation during a PDSN hand off is treated as a new session.
In SSG RADIUS Proxy for CDMA2000 for Simple IP, the end-user IP address may be assigned statically by the PDSN, RADIUS server, or SSG. The end-user IP address can also be assigned directly from the Auto-domain service.
Network Address Translation (NAT) is automatically performed when necessary. NAT is generally necessary when IP address assignment is performed by any mechanism other than directly from the Auto-domain service (which may be a VPN). You can also configure SSG to always use NAT.
If the user profile contains Cisco attribute-value (AV) pairs of Virtual Private Dialup Network (VPDN) attributes, SSG initiates Layer 2 Tunneling Protocol (L2TP) VPN.
SSG RADIUS Proxy for CDMA2000 for Mobile IP
For Mobile IP, SSG functions as the RADIUS Proxy for both PDSN and the HA. SSG proxies PPP PAP or CHAP and Mobile Node (MN)/Foreign Agent (FA) CHAP authentication. SSG RADIUS Proxy for CDMA2000 for Mobile IP can assign IP addresses statically by the PDSN, RADIUS server, or SSG. The end user IP address can also be assigned directly from the Auto-domain service.
Home Agent-Mobile Node (HA-MN) authentication and reverse tunneling must be enabled so that SSG can create host objects for Mobile IP sessions based on proxied RADIUS packets received from the HA.
The Home Agent must generate RADIUS accounting packets so that SSG can discover the user IP address and detect the termination of the session. Multiple Mobile IP sessions with the same NAI are supported. RADIUS packets must contain the Accounting-Session-ID attribute to be associated with the correct user session. SSG correlates RADIUS packets from the PDSN in order to obtain MSID information for a host object of a Mobile IP session.
SSG can set up a host object either with or without PAP/CHAP performed during the original PPP session.
SSG initiates L2TP VPN according to the SSG tunnel service VSAs in the user's profile. If the user profile contains Cisco AV pairs of VPDN, SSG sets up the L2TP tunnel per these VPDN attributes. SSG removes these AV pairs when sending the Access-Accept packet back to the PDSN.
Either the HA or the RADIUS server can assign the user's IP address.
Dynamic Home Agent Assignment
Dynamic HA assignment based on a mobile user's location is supported.
The SSG RADIUS Proxy for CDMA2000 feature provides three options for dynamic HA assignment:
•
•
•
Benefits of SSG RADIUS Proxy for CDMA2000
SSG RADIUS Proxy for CDMA2000 provides the following features and capabilities:
•
•
–
–
•
•
•
•
•
•
Configuring Home Agent IP Addresses
SSG supports dynamic assignment of the Home Agent IP address using these commands. The HA IP address will only be dynamically assigned for sessions from a domain configured using these commands, where the domain is derived from the structured username of the session. The actual HA IP address assigned may be configured globally (that is, the same for all recognized domains) or on a per-domain basis. To configure Home Agent domain names and Home Agent IP addresses, use the following commands:
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying SSG RADIUS Proxy for CDMA2000
Perform this task to verify SSG RADIUS Proxy for CDMA2000.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Use the show ssg host command to display information about a host object including client device type. The following example shows host object information for Simple IP:
Router# show ssg host 10.0.0.0------------------------ HostObject Content -----------------------Activated: TRUEInterface:User Name: user1Host IP: 10.0.0.0Msg IP: 0.0.0.0 (0)Host DNS IP: 0.0.0.0Proxy logon from client IP: 10.0.48.3Device: PDSN (Simple IP)NASIP : 10.0.48.3SessID: 12345678APN :MSID : 5551000Timer : NoneMaximum Session Timeout: 0 secondsHost Idle Timeout: 60000 secondsClass Attr: NONEUser policing disabledUser logged on since: *05:59:46.000 UTC Fri May 3 2002User last activity at: *05:59:52.000 UTC Fri May 3 2002SMTP Forwarding: NOInitial TCP captivate: NOTCP Advertisement captivate: NODefault Service: NONEDNS Default Service: NONEActive Services: internet-blue;AutoService: internet-blue;Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking;vidconf;Subscribed Service Groups: NONEThe following example shows host object information for Mobile IP:
Router# show ssg host 10.0.0.101------------------------ HostObject Content -----------------------Activated: TRUEInterface:User Name: user1Host IP: 10.0.0.101Msg IP: 0.0.0.0 (0)Host DNS IP: 0.0.0.0Proxy logon from client IP: 10.0.48.4Device: HANASIP : 10.0.48.4SessID: 44444445APN :MSID : 5551001Timer : NoneMaximum Session Timeout: 0 secondsHost Idle Timeout: 60000 secondsClass Attr: NONEUser policing disabledUser logged on since: *06:01:02.000 UTC Fri May 3 2002User last activity at: *06:01:09.000 UTC Fri May 3 2002SMTP Forwarding: NOInitial TCP captivate: NOTCP Advertisement captivate: NODefault Service: NONEDNS Default Service: NONEActive Services: internet-blue;AutoService: internet-blue;Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking;vidconf;Subscribed Service Groups: NONEConfiguring SSG RADIUS Proxy for 802.1x WLAN Deployments
In 802.1x WLAN deployments, SSG acts as a RADIUS Proxy during Extensible Authentication Protocol (EAP) authentication between a WLAN AP and the corresponding AAA server. Using SSG as a RADIUS Proxy in 802.1x deployments enables WLAN users to access SSG functionality after they have connected to the AP.
Before you configure SSG RADIUS Proxy for 802.1x WLAN deployments, you should understand the following concepts:
•
•
Perform the following task to configure SSG RADIUS Proxy for 802.1x WLAN deployments:
•
Prerequisites
The SSG EAP Transparency features operates in the environment described in the "SSG EAP Environment" section. Before you can use this feature, you must set up each of the components of the environment, as specified in other Cisco documents.
The SSG EAP Transparency feature has the following requirements:
•
•
•
•
EAP Implementations Supported by SSG
SSG supports the following EAP implementations, which are designed to support 802.1x requirements for public wireless LANs (PWLANs) and Ethernet LANs:
•
•
•
•
Note
SSG EAP Environment
EAP authentication is an enhancement to Global System for Mobile communications (GSM) authentication and operates over the IEEE 802.1x standard. The Cisco implementation of EAP transparency for PWLANs operates in conjunction with the following components:
•
•
•
•
•
•
•
On the client side, the EAP protocol is implemented in the EAP supplicant. The supplicant code is linked into the EAP framework provided by the operating system; currently, supplicants exist for Microsoft Windows XP and Windows 2000. The EAP framework handles EAP protocol messages and communications between the supplicant and the AAA server; it also installs any encryption keys provided to the supplicant in the client's WLAN radio card.
On the network side, the EAP authenticator code resides on the service provider's AAA server. Besides handling the server side of the EAP protocol, this code is also responsible for communicating with the service provider's AuC. In a Cisco implementation of EAP, the AAA server communicates with a Cisco IP transfer point (ITP). The Cisco ITP translates messages from the AAA server into standard GSM protocol messages, which are then sent to the AuC.
EAP Transparency
The SSG EAP Transparency feature allows SSG on a Cisco router to act as a RADIUS Proxy during EAP authentication. SSG creates the host after successful EAP authentication, so the user does not have to log on through the web portal. Instead, the user is automatically logged in.
The AP does the authentication for the client. SSG looks like a AAA server, which proxies relevant packets to the real AAA server. To create a host automatically, SSG has to know that the authentication was successful. By proxying messages, it obtains this information. The IP address is not assigned until authentication is complete, so SSG creates an inactive host and uses the MAC address as an identifier. To get the IP address, it waits for a DHCP Accounting Start from the AZR, so the AZR must be configured as an SSG RADIUS Proxy client.
Prevention of IP Address Reuse
When the AZR reboots, it sends Accounting On/Off packets. SSG receives these packets and, even though EAP users may be connected, it moves hosts to the inactive state and starts an inactive-period timer. During the DHCP renewal, the AZR performs an ARP lock and sends an Accounting Start packet to SSG. After receiving an Accounting Start packet, SSG activates the corresponding hosts using the MAC address as the identity. If the inactive-period timer expires, SSG removes all of the inactive hosts.
This functionality prevents the use of previously valid IP addresses after an AZR reboot. It closes a security hole that could allow an illegal user to hijack the session of a valid user through the IP address, and at the same time it removes the inconvenience of reauthentication for the user. In order to prevent the reuse of IP addresses, clients must be configured with a short DHCP lease interval. If users are not configured with a short lease interval, they will have to reauthenticate whenever the AZR reboots.
User Reconnect After Logoff
EAP users do not have a username and password as other types of SSG users do. If they access SESM, log off, and try to reconnect to the service later, SESM presents them with a logon page, which they cannot use. To allow EAP users to reconnect without being asked to log on again, enable the user reconnect functionality with the ssg wlan reconnect command.
The following steps describe the SSG EAP transparency user reconnect process:
1.
2.
3.
4.
SSG deletes an active or inactive host when it receives an Accounting Stop packet from the AZR.
The SSG EAP transparency user reconnect functionality can be enabled or disabled using the command-line interface, as described in the "SUMMARY STEPS" section.
Note
Configuring SSG RADIUS Proxy for 802.1x Deployments
Perform this task to configure SSG as a RADIUS proxy in a 802.1x WLAN deployment.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
orip-address timeout
7.
8.
9.
10.
DETAILED STEPS
Monitoring and Maintaining SSG RADIUS Proxy
Perform this task to monitor and maintain SSG Autologon for RADIUS Proxy users.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Troubleshooting SSG RADIUS Proxy
Perform this task to troubleshoot SSG authentication of RADIUS proxy subscribers.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The following output is generated by using the debug ssg ctrl-packets command when a RADIUS proxy subscriber logs out of a service:
Router# debug ssg ctrl-packetsAccess-request:3d05h:SSG-CTL-PAK:Received Packet:sIP=5.5.5.2 sPort=1645 dIP=5.5.5.1 dPort=16453d05h:RADIUS:id= 91, code= Access-Request, len= 933d05h:RADIUS: authenticator B8 5D 3D 06 E3 2B A2 F3 - 68 E6 C5 E0 F31C 60 C73d05h:RADIUS: User-Name [1] 10 "user"3d05h:RADIUS: User-Password [2] 18 *3d05h:RADIUS: Called-Station-Id [30] 9 "ssg.com"3d05h:RADIUS: Calling-Station-Id [31] 6 "1234"3d05h:RADIUS: Framed-Protocol [7] 6 GPRS_PDP_CONTEXT[7]3d05h:RADIUS: NAS-Port-Type [61] 6 Virtual[5]3d05h:RADIUS: NAS-Port [5] 6 03d05h:RADIUS: Service-Type [6] 6 Framed[2]3d05h:RADIUS: NAS-IP-Address [4] 6 10.1.1.102Access-Accept:3d05h:RADIUS:id= 91, code= Access-Accept, len= 383d05h:RADIUS: authenticator 62 57 FE F6 96 65 C1 79 - 18 D7 12 56 EA28 62 733d05h:RADIUS: Service-Type [6] 6 Framed[2]3d05h:RADIUS: Idle-Timeout [28] 6 20003d05h:RADIUS: Framed-IP-Address [8] 6 10.1.5.10Accounting-Request(start) to SSG:3d05h:SSG-CTL-EVN:Received cmd (4) from proxy-client (5.5.5.2:1646)3d05h:SSG-CTL-PAK:Received Accounting Packet:sIP=5.5.5.2 sPort=1646 dIP=5.5.5.1 dPort=16463d05h:RADIUS:id= 128, code= Accounting-Request, len= 1093d05h:RADIUS: authenticator 42 42 D8 7D EC 18 20 42 - 61 B1 03 A2 29F8 26 563d05h:RADIUS: User-Name [1] 10 "user"3d05h:RADIUS: Acct-Status-Type [40] 6 Start[1]3d05h:RADIUS: Acct-Session-Id [44] 10 "00001F5D"3d05h:RADIUS: Framed-Protocol [7] 6 GPRS_PDP_CONTEXT[7]3d05h:RADIUS: Called-Station-Id [30] 9 "ssg.com"3d05h:RADIUS: Calling-Station-Id [31] 6 "1234"3d05h:RADIUS: Framed-IP-Address [8] 6 10.1.5.103d05h:RADIUS: Authentic [45] 6 RADIUS[1]3d05h:RADIUS: NAS-Port-Type [61] 6 Virtual[5]3d05h:RADIUS: NAS-Port [5] 6 03d05h:RADIUS: Service-Type [6] 6 Framed[2]3d05h:RADIUS: NAS-IP-Address [4] 6 10.1.1.1023d05h:RADIUS: Delay-Time [41] 6 0Accounting-Response sent by SSG:3d05h:SSG-CTL-PAK:Sent accounting response packet:sIP=?? sPort=56708 dIP=5.5.5.2 dPort=16463d05h:RADIUS:id= 128, code= Accounting-response, len= 203d05h:RADIUS: authenticator F6 9A 88 38 6C 9D 77 FE - 68 A2 7F 90 9FDF 15 99To display control path events or errors for the host and service logon, use the debug ssg ctrl-events, debug ssg ctrl-errors, and debug ssg errors commands.
Configuration Examples for SSG Authentication of RADIUS Proxy Subscribers
This section contains the following examples:
•
•
•
SSG Autologon Using RADIUS Proxy: Examples
This section contains the following examples:
•
•
•
Enabling SSG Autologon Using RADIUS Proxy: Example
In the following example, SSG is configured as a RADIUS Proxy. Port 1500 is configured as the authentication port, and port 1499 is configured as the accounting port. A client with the IP address 192.0.2.0 is configured and assigned a shared key secret called secret1. An IP address pool is configured for the domain called cisco with a start IP address 192.2.2.0 and an end IP address 192.6.2.0. An idle timeout of 60 seconds is configured. Accounting start-stop is enabled and accounting start/stop/update packets from all RADIUS clients are proxied to the AAA server. All host objects received from the RADIUS client at IP address 192.7.2.0 and from the NAS at IP address 192.8.2.0 are deactivated and destroyed.
ssg enable!ssg radius-proxyserver-port auth 1500 acct 1499
client-address 192.0.2.0 key secret1
address-pool 192.2.0. 192.6.2.0 domain cisco
idle-timeout 60
!
forward accounting-start-stop
exitConfiguring Session Identification Attributes: Examples
The following example shows how to configure SSG to identify the specified client session based on MSID:
ssg enablessg proxy-radiusclient-address 192.0.2.0key ciscosession-identifier msidThe following example shows how to configure SSG to identify the specified client session based on the 3GPP2-Correlation-ID attribute:
ssg enablessg proxy-radiusclient-address 192.0.2.0key ciscosession-identifier correlation-idThe following example shows how to configure SSG to identify the specified client session based on the Accounting-Session-ID attribute:
ssg enablessg proxy-radiusclient-address 192.0.2.0key ciscosession-identifier accounting-session-idConfiguring Timers for RADIUS Proxy: Examples
The following example shows how to enable SSG RADIUS Proxy and to configure a hand off timeout of 25 seconds:
ssg enablessg proxy-radiusserver-port auth 1812 acct 1813hand-off 25The following example shows how to enable SSG RADIUS Proxy and to configure an idle timeout of 60 seconds:
ssg enablessg proxy-radiusserver-port auth 1812 acct 1813idle 60The following example shows how to enable SSG RADIUS Proxy and to configure an IP address timeout of 10 seconds:
ssg enablessg proxy-radiusserver-port auth 1812 acct 1813ip-address 60The following example shows how to enable SSG RADIUS Proxy and to configure an MSID timeout of 3 seconds:
ssg enablessg proxy-radiusserver-port auth 1812 acct 1813msid 3 retry 3SSG RADIUS Proxy for CDMA2000: Examples
•
•
•
•
•
Configuring Multiple RADIUS Server Support: Example
The following example shows how to configure multiple RADIUS servers in a CDMA2000 network. Configuring multiple RADIUS servers provides geographical redundancy by sending copies of host object accounting packets to multiple RADIUS servers.
aaa group server radius billingserver 10.0.0.1 auth-port 1812 acct-port 1813end!aaa server group server radius hotstandbyserver 10.0.0.2 auth-port 1813 acct-port 1813end!aaa accounting network ssg_broadcast_accounting start-stop broadcast group billing grouphotstandbyConfiguring Home Agent IP Addresses: Example
The following example shows how to configure a Home Agent with IP address 172.16.0.0 and with a domain name of "hadomain1".
ssg enablessg proxy-radiushome-agent address 192.0.2.0home-agent domain hadomain1Removing VSA Types: Examples
The following example shows how to remove all Cisco VSAs from a RADIUS response sent to a RADIUS client:
ssg enablessg proxy-radiusclient-address 192.0.2.0remove vsa ciscoThe following example shows how to remove all 3GPP2 VSAs from a RADIUS response sent to a RADIUS client:
ssg enablessg proxy-radiusclient-address 192.0.2.0remove vsa 3gpp2SSG RADIUS Proxy for CDMA2000 - Complete Configuration: Example
The following example shows the complete configuration of SSG as a RADIUS proxy in a CDMA2000 network:
!version 12.3service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname host1!aaa new-model!aaa group server radius OPERATIONSserver 10.10.50.181 auth-port 1645 acct-port 1646!aaa group server radius RASCUSTOMERserver 10.10.50.180 auth-port 1645 acct-port 1646!aaa authentication login vty lineaaa authentication ppp default local group radiusaaa authorization exec vty noneaaa authorization network default local group radius noneaaa authorization network ssg_aaa_author_internal_list noneaaa accounting update periodic 1aaa accounting network ssg_broadcast_accounting start-stop broadcast group OPERATIONSgroup RASCUSTOMERaaa nas port extendedaaa session-id commonenable password password1!username cisco password 0 ciscoredundancymain-cpuauto-sync standardno secondary console enable!ip subnet-zeroip cefno ip domain-lookup!ip dhcp-client network-discovery informs 2 discovers 2 period 15vpdn enablevpdn search-order domain!vpdn-group 1accept-dialinprotocol pppoevirtual-template 1pppoe limit per-mac 1000pppoe limit per-vc 1000!vpdn-group 3request-dialinprotocol l2tpdomain tunsvcdomain bankinglocal name dial-tunnel!!!ssg enablessg default-network 10.0.48.0 255.255.255.0ssg service-password serviceciscossg radius-helper auth-port 1812 acct-port 1813ssg radius-helper key ciscossg maxservice 12ssg accounting interval 300000ssg bind service vidconf ATM0/0/0.159ssg bind service banking ATM0/0/0.156ssg bind service internet-red ATM0/0/0.152ssg bind service games ATM0/0/0.155ssg bind service corporate ATM0/0/0.154ssg bind service shop ATM0/0/0.158ssg bind service distlearn ATM0/0/0.157ssg bind service internet-green ATM0/0/0.153ssg bind service iptv ATM0/0/0.160ssg bind service internet-blue ATM0/0/0.151ssg bind direction downlink Ethernet0/0/0ssg bind direction downlink FastEthernet0/0/0!ssg radius-proxyserver-port auth 1645 acct 1646client-address 10.0.48.3key cisco!client-address 10.0.48.4key cisco!timeoutsidle 60000!address-pool 77.77.77.77 77.77.77.88 domain msid3.accessaddress-pool 88.88.88.88 88.88.88.99 domain corporate3address-pool 99.99.99.99 99.99.99.111 domain nat-testaddress-pool 66.66.66.66 66.66.66.77 domain corporatehome-agent address 4.3.2.1!ssg auto-domainexclude apn corporateexclude apn corporate3!local-profile local1attribute 26 9 251 "D192.1.1.1"...radius-server host 10.0.48.3 auth-port 1812 acct-port 1813 key troyradius-server host 10.10.50.181 auth-port 1645 acct-port 1646radius-server host 10.10.50.180 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server attribute 44 include-in-access-reqradius-server attribute 55 include-in-acct-reqradius-server attribute nas-port format dradius-server key troyradius-server vsa send accountingradius-server vsa send authenticationbridge 1 protocol ieeebridge 1 route ip!line con 0exec-timeout 0 0line aux 0line vty 0 4exec-timeout 0 0password ciscologin authentication vty!SSG RADIUS Proxy for 802.1x WLAN Deployments: Example
The following example shows the configuration of SSG as a RADIUS proxy in a 802.1x WLAN deployment.
...radius-server host 9.2.36.253 auth-port 1645 acct-port 1646 key ciscossg enablessg radius-proxyserver-port auth 1645 acct 1646client-address 1.1.1.1key ciscosession-identifier auto!client-address 1.1.1.1key cisco!timeoutsip-address 60!ssg wlan reconnectWhere to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
•
•
•
•
•
•
To configure SSG to authenticate RADIUS Proxy subscribers, refer to Configuring SSG to Serve as a RADIUS Proxy
Additional References
The following sections provide references related to configuring SSG to authenticate RADIUS Proxy subscribers.
Related Documents
Cisco IOS voice, video and fax commands
Cisco IOS voice, video and fax configuration
Configuring SESM
Cisco Subscriber Edge Services Manager documentation
RADIUS commands
RADIUS configuration tasks
"Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide
SSG commands
DHCP accounting
DHCP Accounting feature
Configuring L2TP
•
Technical Assistance
Feature Information for SSG RADIUS Proxy
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or later appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 1 Feature Information for Configuring SSG to Serve as a RADIUS Proxy
SSG AAA Server Group for Proxy RADIUS
12.3(3)B
12.3(1a)BW12.3(4)T
12.4This feature allows you to configure multiple AAA servers. You can configure each remote RADIUS server with timeout and retransmission parameters. SSG will perform failover among the servers in the predefined group.
The following section provides information about this feature:
SSG Autologon Using Proxy RADIUS
12.2(4)B
12.2(13)T
12.4The SSG Autologon Using Proxy RADIUS feature enables SSG to act as a RADIUS proxy for non-SSD clients whose Access-Requests do not contain VSAs.
The following sections provide information about this feature:
•
•
•
•
SSG EAP Transparency
12.2T
12.3(4)TIn 802.1x WLAN deployments, SSG acts as a RADIUS Proxy during Extensible Authentication Protocol (EAP) authentication between a WLAN AP and the corresponding AAA server. Using SSG as a RADIUS Proxy in 802.1x deployments enables WLAN users to access SSG functionality after they have connected to the AP.
The following sections provide information about this feature:
•
•
•
•
SSG Proxy for CDMA2000
12.2(15)B
12.2T
12.3(4)TThis feature enables service selection in CDMA2000 networks through enhancements to the SSG RADIUS Proxy functionality.
The following sections provide information about this feature:
•
Configuring SSG to Serve as a RADIUS Proxy
15.0(1)M
This feature was removed in Cisco IOS Release 15.0(1)M.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.
