3. If the authorization fails, services such as OpenGarden and Layer 4 Redirect (L4R) are applied to the subscriber for a temporary period of time.
4. ISG then redirects the subscriber to the portal where the subscriber enters the username and password. The subscriber’s credentials are then sent to the ISG through the account login message.
5. ISG now authenticates the subscriber on the AAA server and retrieves the subscriber’s profile, which may contain a few preconfigured auto-login services.
6. On successful authentication, ISG enables the user’s auto-login services (Internet).
7. Assuming that the services for accessing the Internet are not cached on ISG prior to this session, ISG sends an access request to the corresponding service provider’s AAA server to download the service definition.
8. The AAA server responds with the service definition.
9. The defined service is applied to the subscriber’s session and the subscriber can start accessing the Internet. The subscriber now has full access to the network.
10. On successful account login, the L4R feature is unapplied for the subscriber in ISG to prevent subscriber traffic redirection to the ISP’s web portal.
11. An Accounting Start message is sent to the application provider to indicate the start of the subscriber’s service. Now, the subscriber is connected to the Internet.
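A trace check for the ordering in the steps above, as an added example that is not part of the original guide: the event names and the log format are hypothetical (constructed for illustration, not ISG output). It flags sessions where the service is applied before authentication, or where L4R is still applied when Accounting Start is sent.

```python
# Constructed sample trace: "<session-id> <event>"; event names are hypothetical.
from collections import defaultdict

SAMPLE_LOG = """\
s1 AUTHZ_FAIL
s1 L4R_APPLY
s1 ACCOUNT_LOGON
s1 AUTH_OK
s1 SERVICE_APPLY
s1 L4R_REMOVE
s1 ACCT_START
s2 AUTHZ_FAIL
s2 L4R_APPLY
s2 SERVICE_APPLY
s2 ACCT_START
s3 AUTHZ_FAIL
s3 L4R_APPLY
s3 ACCOUNT_LOGON
s3 AUTH_OK
s3 SERVICE_APPLY
s3 ACCT_START
"""

def check_sessions(log):
    """Return {session_id: [violations]} for sessions that break the call flow order."""
    state = defaultdict(lambda: {"authed": False, "l4r": False, "service": False})
    problems = defaultdict(list)
    for line in log.splitlines():
        sid, event = line.split()
        s = state[sid]
        if event == "L4R_APPLY":          # step 3: redirect applied after failed authorization
            s["l4r"] = True
        elif event == "L4R_REMOVE":       # step 10: redirect unapplied after account login
            s["l4r"] = False
        elif event == "AUTH_OK":          # steps 5-6: AAA authentication succeeded
            s["authed"] = True
        elif event == "SERVICE_APPLY":    # step 9: service applied to the session
            if not s["authed"]:
                problems[sid].append("service applied before authentication")
            s["service"] = True
        elif event == "ACCT_START":       # step 11: Accounting Start sent
            if not s["service"]:
                problems[sid].append("accounting start without an applied service")
            if s["l4r"]:
                problems[sid].append("L4R still applied at accounting start")
    return dict(problems)

if __name__ == "__main__":
    print(check_sessions(SAMPLE_LOG))
```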
Simple IP Unclassified MAC Authentication Call Flow Configuration
The following configuration is an example of a simple IP unclassified MAC call flow. This is applicable to
both the MAC TAL and web logon authentication scenarios:
!----------------------------------------------
! AAA and RADIUS
!----------------------------------------------
aaa new-model
!
! "cisco" is this example's shared secret for CoA (dynamic-author) and RADIUS;
! use a strong, unique key per peer in a deployment.
aaa server radius dynamic-author
 client 5.5.5.1 server-key cisco
!
aaa group server radius SERVER_GROUP1
 server name RAD1
!
aaa authentication login AUTHEN_LIST group SERVER_GROUP1
aaa authorization network default group SERVER_GROUP1 local
aaa authorization network AUTHOR_LIST group SERVER_GROUP1 local
aaa authorization subscriber-service default local group SERVER_GROUP1
aaa accounting network List1 start-stop group SERVER_GROUP1
aaa accounting system default start-stop group radius
!
radius-server key cisco
!
radius server RAD1
 address ipv4 4.4.4.1 auth-port 1645 acct-port 1646
!----------------------------------------------
! Interface
!----------------------------------------------
interface GigabitEthernet0/0/2.10
 ! Connected to the client, access interface.
 encapsulation dot1Q 10
 ip address 11.11.11.1 255.255.255.0
 service-policy type control TAL
 ip subscriber l2-connected
  initiator unclassified mac-address
!
interface GigabitEthernet0/0/3
 ! Connected to the RADIUS server
Intelligent Wireless Access Gateway Configuration Guide
OL-30226-03
Call Flows for Simple IP Users