Configuring ISG as a RADIUS Proxy
Prerequisites for ISG RADIUS Proxy
The Cisco IOS image must support AAA and ISG.
Restrictions for ISG RADIUS Proxy
Wireless Internet service provider roaming (WISPr) attributes are not supported.
Information About ISG RADIUS Proxy
Before you configure ISG to serve as a RADIUS proxy, you should understand the following concepts:
• Overview of ISG RADIUS Proxy
• ISG RADIUS Proxy Handling of Accounting Packets
• RADIUS Client Subnet Definition
• ISG RADIUS Proxy Support for Mobile Wireless Environments
• Benefits of ISG RADIUS Proxy
Overview of ISG RADIUS Proxy
Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points,
each of which must send RADIUS authentication requests to a AAA server. The ISG RADIUS proxy
functionality allows the access points to send authentication requests to ISG, rather than directly to the
AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which
then relays the response to the appropriate access point.
When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur
during subscriber authentication and authorization, and transparently create a corresponding IP session
upon successful authentication. This functionality provides an automatic login facility with respect to
ISG for subscribers that are authenticated by devices that are closer to the network edge.
When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device
and all RADIUS responses generated by the corresponding AAA server, as described in RFC 2865, RFC
2866, and RFC 2869.
ISG RADIUS proxy functionality is independent of the type of client device and supports standard
authentication (that is, a single Access-Request/Response exchange) using both Password
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP),
Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.
In cases where authentication and accounting requests originate from separate RADIUS client devices,
ISG associates all requests with the appropriate session through the use of correlation rules. For
example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN
(WLAN) access point, and accounting requests are generated by the Access Zone Router (AZR). The
association of the disparate RADIUS flows with the underlying session is performed automatically when
the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.
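The correlation described above, as an added Python example that is not Cisco's implementation and not part of the original document: it parses RADIUS packets in the RFC 2865 wire format and groups flows from different client devices by Calling-Station-ID. The client addresses, the MAC value, the zeroed authenticator and all function names are constructed for illustration.

```python
import struct

CALLING_STATION_ID = 31  # RFC 2865 attribute type
CODES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request"}

def build_packet(code, ident, attrs):
    """Encode a RADIUS packet (RFC 2865 section 3); authenticator zeroed for the sample."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return (code, {type: value}) after validating every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def correlate(flows):
    """Group (client_ip, packet) flows into sessions keyed by Calling-Station-ID."""
    sessions, unmatched = {}, []
    for client_ip, packet in flows:
        code, attrs = parse_attributes(packet)
        name = CODES.get(code, str(code))
        key = attrs.get(CALLING_STATION_ID)
        if not key:  # without attribute 31 the association is not reliable
            unmatched.append((client_ip, name))
            continue
        sessions.setdefault(key.decode("utf-8", "replace"), []).append((client_ip, name))
    return sessions, unmatched

# Constructed sample: the access point authenticates, the AZR sends accounting.
MAC = b"00-11-22-33-44-55"
FLOWS = [
    ("192.0.2.10", build_packet(1, 1, [(1, b"alice"), (31, MAC)])),              # access point
    ("192.0.2.20", build_packet(4, 7, [(40, b"\x00\x00\x00\x01"), (31, MAC)])),  # AZR
    ("192.0.2.20", build_packet(4, 8, [(40, b"\x00\x00\x00\x01")])),             # no attribute 31
]
```

Calling `correlate(FLOWS)` places the access point's Access-Request and the AZR's Accounting-Request in one session, and reports the accounting packet that lacks attribute 31 as unmatched.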
Following a successful authentication, authorization data collected from the RADIUS response is
applied to the corresponding ISG session.