- Overview of ISG
- Configuring ISG Control Policies
- Configuring ISG Access for PPP Sessions
- Configuring ISG Access for IP Subscriber Sessions
- Configuring MQC Support for IP Sessions
- Configuring ISG Port-Bundle Host Key
- Configuring ISG as a RADIUS Proxy
- Configuring RADIUS-Based Policing
- Configuring Ambiguous VLAN support for IP sessions over ISG
- Configuring ISG Policies for Automatic Subscriber Logon
- Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
- Enabling ISG to Interact with External Policy Servers
- Configuring ISG Subscriber Services
- ISG Subscriber Aware Ethernet
- Configuring ISG Network Forwarding Policies
- Configuring ISG Accounting
- Configuring ISG Support for Prepaid Billing
- Configuring ISG Policies for Session Maintenance
- Redirecting Subscriber Traffic Using ISG Layer 4 Redirect
- Configuring ISG Policies for Regulating Network Access
- ISG Support for SAMI Blade
- Configuring ISG Integration with SCE
- Service Gateway Interface
- Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging
- Configuring ISG Troubleshooting Enhancements
Configuring ISG as a RADIUS Proxy
Intelligent Services Gateway (ISG) is a Cisco software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. The ISG RADIUS proxy feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an authentication, authorization, and accounting (AAA) server. When configured as a RADIUS proxy, ISG is able to "sniff" (look at) the RADIUS packet flows and, on successful authentication, it can transparently create a corresponding ISG session. This module describes how to configure ISG as a RADIUS proxy.
In public wireless LAN (PWLAN) deployments, service providers must absolutely ensure the billing accuracy of a user's session. The billing accuracy must also be met in case of a network component failure. The RADIUS proxy billing accuracy feature ensures that the start and stop session events are accurate and the events are the main references for session management.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for ISG RADIUS Proxy
The Cisco software image must support authentication, accountability and authorization (AAA) and Intelligent Services Gateway (ISG).
Restrictions for ISG RADIUS Proxy
Wireless Internet service provider roaming (WISPr) attributes are not supported.
Information About ISG RADIUS Proxy
- Overview of ISG RADIUS Proxy
- ISG RADIUS Proxy Handling of Accounting Packets
- RADIUS Client Subnet Definition
- ISG RADIUS Proxy Support for Mobile Wireless Environments
- Benefits of ISG RADIUS Proxy
Overview of ISG RADIUS Proxy
Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points, each of which must send RADIUS authentication requests to an authentication, addressing and authorization (AAA) server. The Intelligent Services Gateway (ISG) RADIUS proxy functionality allows the access points to send authentication requests to ISG, rather than directly to the AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which then relays the response to the appropriate access point.
When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur during subscriber authentication and authorization, and transparently create a corresponding IP session upon successful authentication. This functionality provides an automatic login facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge.
When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server, as described in RFC 2865, RFC 2866, and RFC 2869.
ISG RADIUS proxy functionality is independent of the type of client device and supports standard authentication (that is, a single Access-Request/Response exchange) using both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.
In cases where authentication and accounting requests originate from separate RADIUS client devices, ISG associates all requests with the appropriate session through the use of correlation rules. For example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN (WLAN) access point, and accounting requests are generated by the Access Zone Router (AZR). The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.
Following a successful authentication, authorization data collected from the RADIUS response is applied to the corresponding ISG session.
Sessions that were created using ISG RADIUS proxy operation are generally terminated by receipt of an Accounting-Stop packet.
To configure RADIUS proxy billing, you can use the timer reconnect command and show radius-proxy session command in the appropriate configuration modes.
To enable session reconnection for ISG RADIUS proxy servers and clients, use pwlan-session reconnect command in the appropriate configuration mode.
ISG RADIUS Proxy Handling of Accounting Packets
By default, ISG RADIUS proxy responds locally to accounting packets it receives. The accounting method-list command can be used to configure ISG to forward RADIUS proxy client accounting packets to a specified server. Forwarding of accounting packets can be configured globally for all RADIUS proxy clients or on a per-client basis.
RADIUS Client Subnet Definition
If Intelligent Services Gateway (ISG) is acting as a proxy for more than one client device, all of which reside on the same subnet, the clients may be configured using a subnet definition rather than a discrete IP address for each device. This configuration method results in the sharing of a single configuration by all the client devices.
ISG RADIUS Proxy Support for Mobile Wireless Environments
ISG RADIUS proxy uses mobile wireless-specific processes to provide support for Gateway General Packet Radio Service (GPRS) Support Node (GGSN) environments.
Attribute Processing and RADIUS Request Correlation
When authentication and accounting requests originate from separate RADIUS client devices, ISG uses correlation rules to associate all the requests with the appropriate session. The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.
In mobile wireless environments, attribute processing and the correlation of RADIUS requests with a session are implemented differently than in a PWLAN environment. For example, in a PWLAN environment the Attribute 31 is a MAC address, and in a GGSN environment Attribute 31 is a Mobile Station Integrated Services Digital Network (MSISDN), which is a plain number or alphanumeric string. In addition, in a GGSN environment the correlation of RADIUS requests can be performed using attributes other than Attribute 31.
ISG RADIUS proxy supports mobile wireless environments by allowing you to specify whether the RADIUS-proxy client uses a MAC or MSISDN format for Attribute 31. The format is specified using the calling-station-id format command. In addition, you can use the session-identifier command to configure ISG RADIUS proxy to use other attributes (apart from Attribute 31) to perform RADIUS request correlation.
3GPP Attribute Support
In GGSN environments, ISG RADIUS proxy must understand and parse the Third Generation Partnership Project (3GPP) attributes described in the table below. These attributes form part of the accounting requests.
| Table 1 | 3GPP Attributes Supported by ISG RADIUS Proxy |
| Attribute |
Description |
Vendor ID/type |
|---|---|---|
| 3GPP-IMSI |
International Mobile Subscriber Identity (IMSI) for the user. |
10415/1 |
| 3GPP-Charging-ID |
Charging ID for this Packet Data Protocol (PDP) context (this together with the GGSN address constitutes a unique identifier for PDP context). |
10415/2 |
| 3GPP-SGSN-Address |
Serving GPRS Support Node (SGSN) address that is used by the GPRS Tunneling Protocol (GTP) control plane for handling of control messages. It may be used to identify the Public Line Mobile Network (PLMN) to which the user is attached. |
10415/6 |
Benefits of ISG RADIUS Proxy
Use of Intelligent Services Gateway (ISG) RADIUS proxy has the following benefits:
- Allows the complete set of ISG functionality to be applied to extensible authentication protocol (EAP) subscriber sessions.
- Allows an ISG device to be introduced into a network with minimum disruption to the existing network access server (NAS) and authentication, authorization and accounting (AAA) servers.
- Simplifies RADIUS server configuration because only the ISG, not every access point, must be configured as a client.
How to Configure ISG as a RADIUS Proxy
- Initiating ISG RADIUS Proxy IP Sessions
- Configuring ISG RADIUS Proxy Global Parameters
- Configuring ISG RADIUS Proxy Client-Specific Parameters
- Defining an ISG Policy for RADIUS Proxy Events
- Verifying ISG RADIUS Proxy Configuration
- Clearing ISG RADIUS Proxy Sessions
Initiating ISG RADIUS Proxy IP Sessions
Perform this task to configure ISG to initiate an IP session upon receipt of a RADIUS proxy message from a RADIUS client.
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# interface fastethernet 1/0/0 |
Specifies an interface for configuration and enters interface configuration mode. |
|
|
Example: Router(config-if)# ip subscriber routed |
Enables ISG IP subscriber support on an interface, specifies the access method that IP subscribers will use to connect to ISG on an interface and enters subscriber configuration mode. |
|
|
Example: Router(config-subscriber)# initiator radius-proxy |
Configures ISG to initiate IP sessions upon receipt of any RADIUS packet. |
|
|
Example: Router(config-subscriber)# end |
Exits the current configuration mode and returns to privileged EXEC mode. |
Configuring ISG RADIUS Proxy Global Parameters
Perform this task to configure ISG RADIUS proxy parameters that are applied by default to all RADIUS proxy clients. Client-specific parameters can also be configured and take precedence over this global configuration. To specify a client-specific configuration, see the "Configuring ISG RADIUS Proxy Client-Specific Parameters" section.
DETAILED STEPS
Configuring ISG RADIUS Proxy Client-Specific Parameters
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Device> enable |
Enables privileged EXEC mode. |
|
|
Example: Device# configure terminal |
Enters global configuration mode. |
|
|
Example: Device(config)# new-model |
Enables the authentication, authorization and accounting(AAA) access control model. |
|
|
Example: Device(config)# aaa server radius proxy |
Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode. |
|
|
Example: Device(config-locsvr-proxy-radius)# client 172.16.54.45 vrf myvrftable |
Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS client configuration mode. |
|
|
Example: Device(config-locsvr-radius-client)# pwlan-session reconnect |
Enables the Public Wireless LAN (PWLAN) session reconnect feature. |
|
|
Example: Device(config-locsvr-radius-client)# session-identifier vsa vendor 5335 type 123 |
(Optional) Correlates the RADIUS requests of a session and identifies the session in the RADIUS proxy module. |
|
|
Example: Device(config-locsvr-radius-client)# calling-station-id format msisdn |
Specifies the Calling-Station-ID format. |
|
|
Example: Device(config-locsvr-radius-client)# accounting method-list fwdacct |
Specifies the server to which accounting packets from RADIUS clients are forwarded. |
|
|
Example: Device(config-locsvr-radius-client)# accounting port 2222 |
Specifies the port on which the ISG listens for accounting packets from RADIUS clients. |
|
|
Example: Device(config-locsvr-radius-client)# authentication port 1111 |
Specifies the port on which the ISG listens for authentication packets from RADIUS clients. |
|
|
Example: Device(config-locsvr-radius-client)# key radpro |
Configures the encryption key to be shared between ISG and RADIUS clients. |
|
|
Example: Device(config-locsvr-radius-client)# timer ip-address 5 |
Specifies the amount of time ISG waits for the specified event before terminating the session. |
|
|
Example: Device(config-locsvr-radius-client)# end |
Exits the ISG RADIUS client configuration mode and returns to privileged EXEC mode. |
Defining an ISG Policy for RADIUS Proxy Events
Perform this task to configure a policy that is applied at session start and causes ISG to proxy RADIUS packets to a specified server.
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode.
|
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# aaa new-model |
Enables the AAA access control model. |
|
|
Example: Router(config)# aaa authorization radius-proxy RP group radius |
Configures AAA authorization methods for ISG RADIUS proxy subscribers.
|
|
|
Example: Router(config)# policy-map type control proxyrule |
Creates or modifies a control policy map, which defines an ISG control policy and enters control policy-map configuration mode. |
|
|
Example: Router(config-control-policymap)# class type control always event session-start |
Specifies a control class for which actions may be configured and enters control policy-map class configuration mode. |
|
|
Example: Router(config-control-policymap-class-control)# 1 proxy aaa list RP |
Sends RADIUS packets to the specified server.
|
|
|
Example: Router(config-control-policymap-class-contro)# end |
Exits the current configuration mode and returns to privileged EXEC mode. |
Verifying ISG RADIUS Proxy Configuration
Use one or more of the following commands to verify ISG RADIUS proxy configuration. The commands may be entered in any order.
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
|
Example: Router# show radius-proxy client 10.10.10.10 |
Displays RADIUS proxy configuration information and a summary of sessions for an ISG RADIUS proxy client. |
||
|
|
Example: Router# show radius-proxy session ip 10.10.10.10 |
Displays information about an ISG RADIUS proxy session.
|
||
|
|
Example: Router# show subscriber session detailed |
Displays information about subscriber sessions on an ISG device. |
Clearing ISG RADIUS Proxy Sessions
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
|
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
|
Example: Device# clear radius-proxy client 10.10.10.10 |
Clears all ISG RADIUS proxy sessions that are associated with the specified client device. |
||
|
|
Example: Device# clear radius-proxy session ip 10.10.10.10 |
Clears a specific ISG RADIUS proxy session.
|
Configuration Examples for ISG RADIUS Proxy
ISG RADIUS Proxy Configuration Example
The following example configures ISG to serve as a RADIUS proxy and to send RADIUS packets to the method list called RP. FastEthernet interface 0/0 is configured to initiate IP sessions upon receipt of RADIUS packets.
! aaa new-model ! aaa group server radius EAP server 10.2.36.253 auth-port 1812 acct-port 1813 ! aaa authorization radius-proxy RP group EAP aaa accounting network FWDACCT start-stop group EAP aaa accounting network FLOWACCT start-stop group EAP ! aaa server radius proxy session-identifier attribute 1 calling-station-id format msisdn authentication port 1111 accounting port 2222 key radpro message-authenticator ignore ! The method list "FWDACCT" was configured by the aaa accounting network FWDACCT ! start-stop group EAP command above. accounting method-list FWDACCT client 10.45.45.2 timer request 5 ! client 10.45.45.3 key aashica#@!$%&/ timer ip-address 120 ! ! ! This control policy references the method list called "RP" that was configured using the aaa authorization radius-proxy command above. policy-map type control PROXYRULE class type control always event session-start 1 proxy aaa list RP ! ! ! bba-group pppoe global ! ! interface FastEthernet 2/1/0 ip address 10.45.45.1 255.255.255.0 ip subscriber routed initiator radius-proxy no ip route-cache cef no ip route-cache no cdp enable ! ! The control policy "PROXYRULE" is applied to the interface. service-policy type control PROXYRULE ! ! radius-server host 10.2.36.253 auth-port 1812 acct-port 1813 key cisco radius-server host 10.76.86.83 auth-port 1665 acct-port 1666 key rad123 radius-server vsa send accounting radius-server vsa send authentication aaa new-model ! ! aaa group server radius EAP server 10.2.36.253 auth-port 1812 acct-port 1813 !
ISG RADIUS Proxy and Layer 4 Redirect Example
The following example shows an ISG policy configured for both ISG RADIUS proxy and Layer 4 redirection:
aaa authorization network default local ! redirect server-group REDIRECT server ip 10.255.255.28 port 23 ! class-map type traffic match-any traffic1 match access-group input 101 ! policy-map type service service1 class type traffic traffic1 redirect list 101 to group REDIRECT ! policy-map type control PROXYRULE class type control always event session-start 1 proxy aaa list RP 2 service-policy type service name service1 ! access-list 101 permit tcp host 10.45.45.2 any
The following example shows corresponding sample output from the show subscriber session command:
Router# show subscriber session username 12345675@cisco
Unique Session ID: 66
Identifier: aash
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:00:40, Last Changed: 00:00:00
Policy information:
Authentication status: authen
Active services associated with session:
name "service1", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map PROXYRULE
condition always event session-start
1 proxy aaa list RP
2 service-policy type service name service1
Session inbound features:
Feature: Layer 4 Redirect ------>>> L4 redirect is applied to the session at session start
Rule table is empty
Traffic classes:
Traffic class session ID: 67
ACL Name: 101, Packets = 0, Bytes = 0
Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0
Configuration sources associated with this session:
Service: service1, Active Time = 00:00:40
Interface: FastEthernet0/1, Active Time = 00:00:40
Additional References
Related Documents
| Related Topic |
Document Title |
|---|---|
| Cisco IOS Commands | |
| ISG commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
|
| Overview of ISG RADIUS proxy | Configuring Intelligent Service Gateway Configuration Guide |
RFCs
| RFC |
Title |
|---|---|
| RFC 2865 |
|
| RFC 2866 |
|
| RFC 2869 |
Technical Assistance
| Description |
Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for ISG RADIUS Proxy Billing Accuracy
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 2 | Feature Information for ISG RADIUS Proxy Billing Accuracy |
| Feature Name | Releases | Feature Information |
|---|---|---|
| ISG: RADIUS Proxy Billing Accuracy |
Cisco IOS XE Release 3.3SG |
This ISG RADIUS proxy feature enables ISG to serve as a proxy between a client device that uses RADIUS authentication and an AAA server. This functionality enables ISG to be deployed in PWLAN and wireless mesh networks where authentication requests for mobile subscribers must be sent to specific RADIUS servers. The RADIUS proxy billing accuracy feature ensures that the start and stop session events are accurate and the events are the main references for session management. To configure this feature, use the timer reconnect command in RADIUS proxy server configuration mode and use the show radius-proxy session command to see information about the timer in ISG RADIUS proxy sessions. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Feedback