Configuring ISG as a RADIUS Proxy
Prerequisites for ISG RADIUS Proxy
The Cisco IOS image must support AAA and ISG.
Restrictions for ISG RADIUS Proxy
Wireless Internet service provider roaming (WISPr) attributes are not supported.
Information About ISG RADIUS Proxy
Before you configure ISG to serve as a RADIUS proxy, you should understand the following concepts:
• Overview of ISG RADIUS Proxy
• ISG RADIUS Proxy Handling of Accounting Packets
• RADIUS Client Subnet Definition
• ISG RADIUS Proxy Support for Mobile Wireless Environments
• Benefits of ISG RADIUS Proxy
Overview of ISG RADIUS Proxy
Public wireless LANs (PWLANs) and wireless mesh networks can contain hundreds of access points,
each of which must send RADIUS authentication requests to a AAA server. The ISG RADIUS proxy
functionality allows the access points to send authentication requests to ISG, rather than directly to the
AAA server. ISG relays the requests to the AAA server. The AAA server sends a response to ISG, which
then relays the response to the appropriate access point.
When serving as a RADIUS proxy, ISG can pull user-specific data from the RADIUS flows that occur
during subscriber authentication and authorization, and transparently create a corresponding IP session
upon successful authentication. This functionality provides an automatic login facility with respect to
ISG for subscribers that are authenticated by devices that are closer to the network edge.
When configured as a RADIUS proxy, ISG proxies all RADIUS requests generated by a client device
and all RADIUS responses generated by the corresponding AAA server, as described in RFC 2865, RFC
2866, and RFC 2869.
ISG RADIUS proxy functionality is independent of the type of client device and supports standard
authentication (that is, a single Access-Request/Response exchange) using both Password
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP),
Access-Challenge packets, and Extensible Authentication Protocol (EAP) mechanisms.
In cases where authentication and accounting requests originate from separate RADIUS client devices,
ISG associates all requests with the appropriate session through the use of correlation rules. For
example, in a centralized PWLAN deployment, authentication requests originate from the wireless LAN
(WLAN) access point, and accounting requests are generated by the Access Zone Router (AZR). The
association of the disparate RADIUS flows with the underlying session is performed automatically when
the Calling-Station-ID (Attribute 31) is sufficient to make the association reliable.
Following a successful authentication, authorization data collected from the RADIUS response is
applied to the corresponding ISG session.
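The correlation by Calling-Station-ID (Attribute 31) described above, as an added Python example that is not Cisco code and not part of this guide: it parses RADIUS packets in the RFC 2865 layout and groups requests from separate client devices under one session key. The client addresses, the sample packets and the MAC string normalisation are assumptions made for illustration, and packet authenticators are not validated here.

```python
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4  # packet codes from RFC 2865 / RFC 2866
CALLING_STATION_ID = 31                    # Attribute 31, the correlation key

def build_packet(code, ident, attrs):
    """Encode a RADIUS packet; the zeroed authenticator is a constructed placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_packet(packet):
    """Return (code, {attr_type: value}); raise ValueError on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def correlate(flows):
    """Group (client_ip, packet) pairs into sessions keyed by Calling-Station-ID."""
    sessions, unmatched = {}, []
    for client_ip, packet in flows:
        code, attrs = parse_packet(packet)
        raw = attrs.get(CALLING_STATION_ID, b"")
        # Assumption: normalise case and separators so both clients' MAC formats match.
        key = raw.decode("ascii", "replace").lower().replace("-", "").replace(":", "")
        if key:
            sessions.setdefault(key, []).append((client_ip, code))
        else:
            unmatched.append((client_ip, code))  # no Attribute 31: not associable
    return sessions, unmatched

# Constructed sample: an access point authenticates, the AZR sends accounting.
FLOWS = [
    ("192.0.2.10", build_packet(ACCESS_REQUEST, 1, [(1, b"alice"), (31, b"00-11-22-AA-BB-CC")])),
    ("192.0.2.20", build_packet(ACCOUNTING_REQUEST, 7, [(40, b"\x00\x00\x00\x01"), (31, b"00:11:22:aa:bb:cc")])),
    ("192.0.2.20", build_packet(ACCOUNTING_REQUEST, 8, [(40, b"\x00\x00\x00\x01")])),
]
SESSIONS, UNMATCHED = correlate(FLOWS)
```

The third sample packet carries no Attribute 31 and lands in `UNMATCHED`, which is the case where the association cannot be made reliably.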