Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points, each of which must send RADIUS authentication requests to an authentication, addressing and authorization (AAA) server. The Intelligent Services Gateway (ISG) RADIUS proxy functionality allows the access points to send authentication requests to ISG, rather than directly to the AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which then relays the response to the appropriate access point.
When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur during subscriber authentication and authorization, and transparently create a corresponding IP session upon successful authentication. This functionality provides an automatic login facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge.
When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server, as described in RFC 2865, RFC 2866, and RFC 2869.
ISG RADIUS proxy functionality is independent of the type of client device and supports standard authentication (that is, a single Access-Request/Response exchange) using both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.
In cases where authentication and accounting requests originate from separate RADIUS client devices, ISG associates all requests with the appropriate session through the use of correlation rules. For example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN (WLAN) access point, and accounting requests are generated by the Access Zone Router (AZR). The association of the disparate RADIUS flows with the underlying session is performed automatically when the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.
Following a successful authentication, authorization data collected from the RADIUS response is applied to the corresponding ISG session.
Sessions that were created using ISG RADIUS proxy operation are generally terminated by receipt of an Accounting-Stop packet.
To configure RADIUS proxy billing, you can use the
timer reconnect command and
show radius-proxy session command in the appropriate configuration modes.
To enable session reconnection for ISG RADIUS proxy servers and clients, use
pwlan-session reconnect command in the appropriate configuration mode.