- Read Me First
- Overview of ISG
- Configuring ISG Control Policies
- Configuring ISG Access for PPP Sessions
- Configuring ISG Access for IP Subscriber Sessions
- Configuring ISG IPv6 Support
- Configuring MQC Support for IP Sessions
- Configuring ISG Port-Bundle Host Key
- Configuring ISG as a RADIUS Proxy
- Configuring ISG as a RADIUS Proxy in Passthrough Mode
- ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Walk-By User Support in ISG
- ISG L2 Subscriber Roaming
- Configuring RADIUS-Based Policing
- Overview for Framed Route
- ISG Dynamic VLAN Interface Provisioning
- Ambiguous VLAN Support for IP sessions over ISG
- Configuring ISG Policies for Automatic Subscriber Logon
- Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon
- Enabling ISG to Interact with External Policy Servers
- Configuring ISG Subscriber Services
- Configuring ISG Network Forwarding Policies
- Configuring ISG Accounting
- Configuring ISG Support for Prepaid Billing
- Configuring ISG Policies for Session Maintenance
- Redirecting Subscriber Traffic Using ISG Layer 4 Redirect
- Configuring Layer 4 Redirect Logging
- Configuring ISG Policies for Regulating Network Access
- Configuring ISG Integration with SCE
- Service Gateway Interface
- ISG MIB
- ISG SSO and ISSU
- ISG Debuggability
- Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging
- Configuring ISG Troubleshooting Enhancements
- Gx Diameter Support for ISG sessions
- DHCPv6 Support for ISG
- Finding Feature Information
- Restrictions for ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Information About ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- How to Configure ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Finding Feature Information
- Restrictions for ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Information About ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- How to Configure ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Configuration Examples for ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
- Additional References
- Feature Information for ISG RADIUS Proxy Support for Mobile Users: Hotspot Roaming and Accounting Start Filtering
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
Restrictions for RADIUS Proxy Support for Hotspot Roaming
A subscriber is connected to an access point (AP1) that is connected to an Access Zone Router (AZR) (AZR1). The subscriber moves to a different AZR and moves back to a different access point (AP2) within AZR1. When the subscriber tries to reauthenticate with the same IP address that it had for AP1, ISG cannot determine that it is a new session with AP2 and terminates the session when the roaming timer expires.
Restrictions for RADIUS Proxy Support for Accounting Start Filtering
Information About ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
Hotspot Roaming Timer
The time difference between the arrival of the accounting start request and the reauthentication request is less than the configured IP timer. For more information on IP timers, see the “Configuring ISG RADIUS Proxy Global Parameters” and the “Configuring ISG RADIUS Proxy Client-Specific Parameters” sections in the “Configuring ISG as a RADIUS Prox”y chapter.
The subscriber is EAP-authenticated.
If the new session is created successfully, a roaming timer is started for the first session. Use the timer roaming command in RADIUS proxy server configuration and RADIUS proxy client configuration modes to configure the roaming timer. Once the cleanup timer expires, ISG clears the first session, and the second session remains as the only session for the subscriber.
If the subscriber moves back to the first hotspot before the roaming timer expires on the first session and reauthentication is successful, the roaming timer is stopped for the first session. A new roaming timer is initiated for the second session. If the reauthentication fails, the first session is cleared.
If ISG receives an accounting-stop request for the first session from the AZR to which the session belongs, before the roaming timer expires, the timer is stopped and the first session is cleared. The accounting-stop request is forwarded to the RADIUS server. The response from the RADIUS server is forwarded to the AZR.
If the subscriber roams between multiple hotspots, ISG creates multiple parallel sessions. All these sessions are maintained on ISG until the roaming timer associated with them expires. Only the session that is authenticated last is not associated with a roaming timer.
RADIUS Packet Filter Creation
The RADIUS filter consists of a filter structure and a CLI through which subscribers can configure the filter on RADIUS packets. When a packet is received by ISG, ISG reads the attributes in the packet and matches them with the attributes defined in the filter. Depending on the match criteria that are specified in the filter, ISG takes the defined action on the RADIUS packet.
To create a RADIUS packet filter, follow three steps:
How to Configure ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
Configuring a Roaming Timer for the ISG RADIUS Proxy Session
1.
enable
2.
configure terminal
3.
aaa new-model
4.
aaa server radius proxy
5.
timer roaming
timer-value
6.
end
DETAILED STEPS
Configuring RADIUS Proxy Support for Accounting Start Filtering
The Accounting Start Filtering feature allows the creation of RADIUS packet filtering to filter packets that reach ISG. Based on the defined filter criteria, ISG performs certain actions on the RADIUS packet.
The RADIUS packet filter is created on ISG by defining the filter name and the match criteria in the radius filter command. The match criteria are applied to the attributes of the RADIUS packet. When you configure the radius filter match-all command, the filter is applied to the RADIUS packet only if all the attributes configured in the command match the attributes in the RADIUS packet. When you configure the radius filter match-any command, the filter is applied to the RADIUS packet if at least one attribute configured in the command matches the attributes in the RADIUS packet. The attributes to match are defined in RADIUS filter configuration mode.
In RADIUS filter configuration mode, you can specify a standard IETF RADIUS attribute or a vendor-specific RADIUS attribute. These attributes must match the attributes in the RADIUS packet so that the filter can be applied accordingly. The match command checks if the attribute is present in the packet, and the matchnot command checks if the attribute is not present in the packet.
Apply RADIUS filters to the RADIUS proxy server in order for the configuration to take effect. Apply RADIUS filters in RADIUS proxy server configuration mode and RADIUS proxy client configuration mode. If filters are applied in both modes, only the client mode configuration will take effect.
You can specify the type of RADIUS packets to which the filter should be applied using the filter access and filter accounting commands.
Perform the following tasks to configure a RADIUS packet filter and apply the filter criteria to RADIUS proxy.
Configuring a RADIUS Packet Filter
1.
enable
2.
configure terminal
3.
radius filter match-all
name
4.
match
attribute
att-type-number
5.
matchnot
vendor-type
9
6.
end
DETAILED STEPS
Applying RADIUS Filters to RADIUS Proxy Server or Client
Use the filter command in RADIUS proxy server configuration mode or RADIUS proxy client configuration mode to apply a RADIUS filter. If the RADIUS filter is configured in both these modes, only the filter configured in the client mode will be applied.
1.
enable
2.
configure terminal
3.
aaa new-model
4.
aaa server radius proxy
5.
filter access ack
name
6.
end
DETAILED STEPS
Configuration Examples for ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering
Example: Configuring a Roaming Timer for an ISG RADIUS Proxy Session
Device> enable Device# configure terminal Device(config)# aaa new-model Device(config)# aaa server radius proxy Device(config-locsvr-proxy-radius)# timer roaming 60
Example: Configuring a RADIUS Packet Filter
Use the following example along with the example given in the “Example: Applying RADIUS Packet Filters to RADIUS Proxy Mode” section to configure a RADIUS packet filter for the RADIUS proxy server.
The following example shows how to create the RADIUS packet filter, filter1, and define the matching conditions:
Device> enable Device# configure terminal Device(config)# radius filter match-all filter1 Device(config)# match attribute 25 Device(config)# match attribute 100 Device(config)# matchnot vendor-type 100
Example: Applying RADIUS Packet Filters to RADIUS Proxy Server
Use the following example along with the example given in “Example: Configuring a RADIUS Packet Filter” section to configure a RADIUS packet filter for the RADIUS proxy server.
Device> enable Device# configure terminal Device(config)# aaa new-model Device(config)# aaa server radius proxy Device(config-locsvr-proxy-radius)# filter access ack filter1
Additional References
Related Documents
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
ISG commands |
Technical Assistance
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for ISG RADIUS Proxy Support for Mobile Users: Hotspot Roaming and Accounting Start Filtering
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
|---|---|---|
|
ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering |
Cisco IOS XE Release 3.5S |
The ISG RADIUS Proxy Support for Mobile Users—Hotspot Roaming and Accounting Start Filtering feature allows you to configure hotspot roaming and RADIUS packet filtering for RADIUS proxy sessions. The following commands were introduced or modified: filter (radius-proxy), match (radius-filter), matchnot (radius-filter), radius filter, and timer (ISG RADIUS proxy). |
Feedback