Configuring ISG as a RADIUS Proxy in Passthrough Mode
Configuring ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session.
This module describes how to configure ISG in RADIUS Proxy passthrough mode.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring ISG as a RADIUS Proxy in Passthrough Mode
Restrictions for Configuring ISG as a RADIUS Proxy in Passthrough Mode
- High availability for RADIUS proxy passthrough is not supported. However, once the switchover is completed, new sessions are accepted.
Information About Configuring ISG as a RADIUS Proxy in Passthrough Mode
ISG Acting as a RADIUS Proxy Passthrough
The RADIUS proxy module of the Cisco ISG can be run in the passthrough mode to proxy the client's RADIUS traffic. This improves manageability. The RADIUS Proxy passthrough mode can be configured in two ways:
The RADIUS proxy configuration allows you to configure the accounting method list which specifies the AAA server to which the accounting start, interim and stop records are forwarded. This can be done at both the client level and the global level.
Benefits of Using ISG in RADIUS Proxy Passthrough Mode
How to Configure ISG as a RADIUS Proxy in Passthrough Mode
Enabling RADIUS Proxy Passthrough mode at Global Level
Perform this task to enable the RADIUS proxy passthrough mode globally.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa server radius proxy
5. mode pass-through
6. key [0 | 7] word
7. accounting method-list {method-list-name | default}
8. authentication method-list {method-list-name | default}
9. authentication port port-number
10. accounting port port-number
11. client {name | ip-address} [subnet-mask [vrf vrf-id]]
12. end

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Device> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Device# configure terminal | Enters global configuration mode. |
| Step 3 | aaa new-model | Device(config)# aaa new-model | Enables the authentication, authorization, and accounting (AAA) access control model. |
| Step 4 | aaa server radius proxy | Device(config)# aaa server radius proxy | Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode. |
| Step 5 | mode pass-through | Device(config-locsvr-proxy-radius)# mode pass-through | Enables ISG RADIUS proxy pass-through mode. |
| Step 6 | key [0 \| 7] word | Device(config-locsvr-proxy-radius)# key radprxykey | Configures the encryption key to be shared between ISG and RADIUS clients. |
| Step 7 | accounting method-list {method-list-name \| default} | Device(config-locsvr-proxy-radius)# accounting method-list SVC_ACCT | Specifies the server to which accounting packets from RADIUS clients are forwarded. |
| Step 8 | authentication method-list {method-list-name \| default} | Device(config-locsvr-proxy-radius)# authentication method-list SVC_ACCT | Specifies the server to which authentication packets from RADIUS clients are forwarded. |
| Step 9 | authentication port port-number | Device(config-locsvr-proxy-radius)# authentication port 1645 | Specifies the port on which the ISG listens for authentication packets from RADIUS clients. |
| Step 10 | accounting port port-number | Device(config-locsvr-proxy-radius)# accounting port 1646 | Specifies the port on which the ISG listens for accounting packets from RADIUS clients. |
| Step 11 | client {name \| ip-address} [subnet-mask [vrf vrf-id]] | Device(config-locsvr-proxy-radius)# client 1.1.1.1 | Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode. |
| Step 12 | end | Device(config-locsvr-radius-client)# end | Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode. |

Enabling RADIUS Proxy Passthrough mode at Client Level
Perform this task to enable the RADIUS proxy passthrough mode for an individual client.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa server radius proxy
5. client {name | ip-address} [subnet-mask [vrf vrf-id]]
6. mode pass-through
7. key [0 | 7] word
8. accounting method-list {method-list-name | default}
9. authentication method-list {method-list-name | default}
10. authentication port port-number
11. accounting port port-number
12. end

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Device> enable | Enables privileged EXEC mode. |
| Step 2 | configure terminal | Device# configure terminal | Enters global configuration mode. |
| Step 3 | aaa new-model | Device(config)# aaa new-model | Enables the authentication, authorization, and accounting (AAA) access control model. |
| Step 4 | aaa server radius proxy | Device(config)# aaa server radius proxy | Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode. |
| Step 5 | client {name \| ip-address} [subnet-mask [vrf vrf-id]] | Device(config-locsvr-proxy-radius)# client 1.1.1.1 | Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode. |
| Step 6 | mode pass-through | Device(config-locsvr-radius-client)# mode pass-through | Enables ISG RADIUS proxy pass-through mode. |
| Step 7 | key [0 \| 7] word | Device(config-locsvr-radius-client)# key radprxykey | Configures the encryption key to be shared between ISG and RADIUS clients. |
| Step 8 | accounting method-list {method-list-name \| default} | Device(config-locsvr-radius-client)# accounting method-list SVC_ACCT | Specifies the server to which accounting packets from RADIUS clients are forwarded. |
| Step 9 | authentication method-list {method-list-name \| default} | Device(config-locsvr-radius-client)# authentication method-list SVC_ACCT | Specifies the server to which authentication packets from RADIUS clients are forwarded. |
| Step 10 | authentication port port-number | Device(config-locsvr-radius-client)# authentication port 1645 | Specifies the port on which the ISG listens for authentication packets from RADIUS clients. |
| Step 11 | accounting port port-number | Device(config-locsvr-radius-client)# accounting port 1646 | Specifies the port on which the ISG listens for accounting packets from RADIUS clients. |
| Step 12 | end | Device(config-locsvr-radius-client)# end | Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode. |

Verifying ISG RADIUS Proxy Passthrough Sessions

SUMMARY STEPS

1. enable
2. show radius-proxy statistics
3. end

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Device> enable | Enables privileged EXEC mode. |
| Step 2 | show radius-proxy statistics | Device# show radius-proxy statistics<br>Device# show radius-proxy statistics \| include access request | Displays statistics of all RADIUS proxy sessions on the ISG. Note: You can also use appropriate output modifiers to display a section of the statistics for all the ISG RADIUS proxy sessions based on the specification. |
| Step 3 | end | Device# end | Returns to user EXEC mode. |

Clearing ISG RADIUS Proxy Statistics

SUMMARY STEPS

1. enable
2. clear radius-proxy statistics
3. end

DETAILED STEPS

| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Device> enable | Enables privileged EXEC mode. |
| Step 2 | clear radius-proxy statistics | Device# clear radius-proxy statistics | Clears all ISG RADIUS proxy statistics. |
| Step 3 | end | Device# exit | Returns to user EXEC mode. |

Configuration Examples for Configuring ISG as RADIUS Proxy in Passthrough Mode
Example: Configuring Radius Proxy Passthrough Mode
The following example shows how to configure ISG as a RADIUS Proxy passthrough where the interface is configured with dual initiators. Here, an ISG session is not created for the client 10.0.0.2 as it is in passthrough mode, whereas a session is created for the client 12.0.0.2 as session creation is triggered by the RADIUS proxy initiator.

    aaa server radius proxy
     message-authenticator ignore
     !
     client 10.0.0.2
      mode pass-through
      key radprxykey
      accounting method-list SVC_ACCT
      authentication port 1645
      accounting port 1646
     client 12.0.0.2
      key radprxykey
      accounting method-list SVC_ACCT
      authentication method-list SVC_ACCT
      authentication port 1647
      accounting port 1648

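
A configuration like the one above can be reviewed mechanically before it is deployed. The following Python script is an added example, not Cisco's code: it parses an `aaa server radius proxy` block and lists review items. The function names are hypothetical, the input is assumed to contain only the proxy block, and the three checks (the `message-authenticator ignore` line, one key shared by several clients, a pass-through client with no `authentication method-list` at client or global level) are this example's own choices, not rules stated by the module.

```python
from collections import defaultdict

# The page's example configuration, re-indented; the parser ignores indentation.
CONFIG = """\
aaa server radius proxy
 message-authenticator ignore
 !
 client 10.0.0.2
  mode pass-through
  key radprxykey
  accounting method-list SVC_ACCT
  authentication port 1645
  accounting port 1646
 client 12.0.0.2
  key radprxykey
  accounting method-list SVC_ACCT
  authentication method-list SVC_ACCT
  authentication port 1647
  accounting port 1648
"""

def parse_proxy(text):
    """Split a proxy block into {"global": [cmds], "<client>": [cmds]}."""
    scopes, scope = {"global": []}, "global"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("client "):
            scope = line.split()[1]
            scopes[scope] = []
        elif line and line not in ("!", "aaa server radius proxy"):
            scopes[scope].append(line)
    return scopes

def audit(scopes):
    """Return (scope, review item) pairs; key values are never echoed."""
    findings, key_users, glob = [], defaultdict(list), scopes["global"]
    for scope, cmds in scopes.items():
        if "message-authenticator ignore" in cmds:
            findings.append((scope, "message-authenticator ignore is set"))
        for cmd in cmds:
            if cmd.startswith("key "):
                key_users[cmd.split()[-1]].append(scope)
        passthrough = "mode pass-through" in cmds + glob
        explicit = any(c.startswith("authentication method-list") for c in cmds + glob)
        if scope != "global" and passthrough and not explicit:
            findings.append((scope, "pass-through without an authentication method-list"))
    for users in key_users.values():
        if len(users) > 1:
            findings.append((",".join(users), "same shared key on several clients"))
    return findings
```

Calling `audit(parse_proxy(CONFIG))` on the configuration above returns three review items: the global `message-authenticator ignore` line, client 10.0.0.2 running in pass-through mode with no authentication method list, and both clients sharing one key.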
Example: Verifying Radius Proxy Passthrough Mode
Use the show radius-proxy statistics command to verify that ISG is functioning in RADIUS proxy passthrough mode.
The following is a sample output from the show radius-proxy statistics command, showing information for both passthrough and non-passthrough clients.

    Device# show radius-proxy statistics
    NON-PASSTHROUGH CLIENTS
    FROM:                 Client    ISG       AAA
    Access Requests:      0         0         0
    Access Accepts:       0         0         0
    Access Rejects:       0         0         0
    Access Challenges     0         0         0
    Accounting Requests   0         0         0
    Accounting Starts     0         0         0
    Accounting Stops      0         0         0
    Accounting Updates    0         0         0
    Accounting Responses  0         0         0
    Accounting ON/OFFS    0         0         0
    PASSTHROUGH CLIENTS
    FROM:                 Client    ISG       AAA
    Access Requests:      48000     48000     0
    Access Accepts:       0         48000     48000
    Access Rejects:       0         0         0
    Access Challenges     0         0         0
    Accounting Requests   80000     80000     0
    Accounting Starts     80000     0         0
    Accounting Stops      0         0         0
    Accounting Updates    0         0         0
    Accounting Responses  0         0         80000
    Accounting ON/OFFS    0         0         0

Additional References for ISG as RADIUS Proxy in Passthrough Mode
Related Documents

| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | Master Command List, All Releases |
| ISG commands | ISG Command Reference |
| ISG as RADIUS Proxy | "Configuring ISG as a RADIUS Proxy" module in the Intelligent Services Gateway Configuration Guide |
| RADIUS configurations | "Configuring RADIUS" module in the RADIUS Configuration Guide |
| ISG Subscriber Service configurations | "Configuring ISG Subscriber Services" module in the Intelligent Services Gateway Configuration Guide |
| Command Lookup Tool | Command Lookup Tool |

Feature Information for Configuring ISG as a RADIUS Proxy in Passthrough Mode
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Configuring ISG as a RADIUS Proxy in Passthrough Mode

| Feature Name | Releases | Feature Information |
|---|---|---|
| Configuring ISG as a RADIUS Proxy in Passthrough Mode | | Configuring the ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session. The following commands were introduced: mode pass-thru and authentication method-list list-authen. |