Configuring ISG as a RADIUS Proxy in Passthrough Mode

Configuring ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session.

This module describes how to configure ISG in RADIUS Proxy passthrough mode.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring ISG as a RADIUS Proxy in Passthrough Mode

  • You need to configure the authentication and accounting methods.

  • You need to configure the AAA server.

Restrictions for Configuring ISG as a RADIUS Proxy in Passthrough Mode

  • High availability for RADIUS proxy passthrough is not supported. However, once, the switchover is completed, new sessions are entertained.

Information About Configuring ISG as a RADIUS Proxy in Passthrough Mode

ISG Acting as a RADIUS Proxy Passthrough

The RADIUS proxy module of the Cisco ISG can be run in the passthrough mode to proxy the client's RADIUS traffic. This improves manageability. The RADIUS Proxy passthrough mode can be configured in two ways:

  • Global level: You can enable RADIUS proxy passthrough globally by configuring the mode pass-through command in the ISG RADIUS proxy server configuration mode. This causes all the clients configured after this command to be in RADIUS Proxy passthrough mode.

  • Client level: You can enable RADIUS proxy passthrough at the client level by configuring the mode pass-through command for a specific client in the RADIUS proxy client configuration mode.

    Note

    The ISG interface can also be configured for dual initiators where one initiator can be RADIUS proxy and the other non-RADIUS proxy. When a specified ISG interface having dual initiators receives the non-RADIUS proxy trigger, ISG creates a session for the client. However, if this interface has a client configured to be in RADIUS proxy pass-through mode, it does not create a session when the RADIUS proxy trigger is received. Both these scenarios can co-exist on the same ISG interface.

The RADIUS proxy configuration allows you to configure the accounting method list which specifies the AAA server to which the accounting start, interim and stop records are forwarded. This can be done at both the client level and the global level.

Benefits of Using ISG in RADIUS Proxy Passthrough Mode

  • RADIUS proxy passthrough mode offers more security as the AAA server's IP address is hidden from the ultimate host.

  • Performance is improved as ISG sessions are not created for RADIUS clients.

  • The same ISG can serve in two different modes as listed below:

    • ISG acting as a RADIUS proxy where a session is created and the client's RADIUS messages are sent to an external AAA server.

    • ISG acting as a RADIUS proxy passthrough where a session is not created and the client's RADIUS messages are sent to an external AAA server.

How to Configure ISG as a RADIUS Proxy in Passthrough Mode

Enabling RADIUS Proxy Passthrough mode at Global Level

Perform this task to enable the RADIUS proxy passthrough mode globally.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa server radius proxy
  5. mode pass-through
  6. key [0 | 7] word
  7. accounting method-list {method-list-name | default}
  8. authentication method-list {method-list-name | default}
  9. authentication port port-number
  10. accounting port port-number
  11. client {name | ip-address} [subnet-mask [vrfvrf-id]]
  12. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables the authentication, authorization and accounting(AAA) access control model.

Step 4

aaa server radius proxy

Example:

Device(config)# aaa server radius proxy

Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode.

Step 5

mode pass-through

Example:

Device(config-locsvr-proxy-radius)# mode pass-through

Enables ISG RADIUS proxy pass-through mode.

Step 6

key [0 | 7] word

Example:

Device(config-locsvr-proxy-radius)# key radprxykey
Configures the encryption key to be shared between ISG and RADIUS clients.

  • 0 specifies that an unencrypted key will follow.

  • 7 specifies a hidden key will follow.

Step 7

accounting method-list {method-list-name | default}

Example:

Device(config-locsvr-proxy-radius)# accounting method-list SVC_ACCT

Specifies the server to which accounting packets from RADIUS clients are forwarded.

Step 8

authentication method-list {method-list-name | default}

Example:

Device(config-locsvr-proxy-radius)# authentication method-list SVC_ACCT

Specifies the server to which authentication packets from RADIUS clients are forwarded.

Step 9

authentication port port-number

Example:

Device(config-locsvr-proxy-radius)# authentication port 1645
Specifies the port on which the ISG listens for authentication packets from RADIUS clients.

  • The default port is 1645.

Step 10

accounting port port-number

Example:

Device(config-locsvr-proxy-radius)# accounting port 1646
Specifies the port on which the ISG listens for accounting packets from RADIUS clients.

  • The default port is 1646.

Step 11

client {name | ip-address} [subnet-mask [vrfvrf-id]]

Example:

Device(config-locsvr-proxy-radius)# client 1.1.1.1

Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode.

Step 12

end

Example:

Device(config-locsvr-radius-client)# end

Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode.

Enabling RADIUS Proxy Passthrough mode at Client Level

Perform this task to enable the RADIUS proxy passthrough mode for an individual client.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa server radius proxy
  5. client {name | ip-address} [subnet-mask [vrfvrf-id]]
  6. mode pass-through
  7. key [0 | 7] word
  8. accounting method-list {method-list-name | default}
  9. authentication method-list {method-list-name | default}
  10. authentication port port-number
  11. accounting port port-number
  12. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables the authentication, authorization and accounting(AAA) access control model.

Step 4

aaa server radius proxy

Example:

Device(config)# aaa server radius proxy

Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode.

Step 5

client {name | ip-address} [subnet-mask [vrfvrf-id]]

Example:

Device(config-locsvr-proxy-radius)# client 1.1.1.1

Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode.

Step 6

mode pass-through

Example:

Device(config-locsvr-radius-client)# mode pass-through

Enables ISG RADIUS proxy pass-through mode.

Step 7

key [0 | 7] word

Example:

Device(config-locsvr-radius-client)# key radprxykey
Configures the encryption key to be shared between ISG and RADIUS clients.

  • 0 specifies that an unencrypted key will follow.

  • 7 specifies a hidden key will follow.

Step 8

accounting method-list {method-list-name | default}

Example:

Device(config-locsvr-radius-client)# accounting method-list SVC_ACCT

Specifies the server to which accounting packets from RADIUS clients are forwarded.

Step 9

authentication method-list {method-list-name | default}

Example:

Device(config-locsvr-radius-client)# authentication method-list SVC_ACCT

Specifies the server to which authentication packets from RADIUS clients are forwarded.

Step 10

authentication port port-number

Example:

Device(config-locsvr-radius-client)# authentication port 1645
Specifies the port for which the ISG listens for authentication packets from RADIUS clients.

  • The default port is 1645.

Step 11

accounting port port-number

Example:

Device(config-locsvr-radius-client)# accounting port 1646
Specifies the port on which the ISG listens for accounting packets from RADIUS clients.

  • The default port is 1646.

Step 12

end

Example:

Device(config-locsvr-radius-client)# end

Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode.

Verifying ISG RADIUS Proxy Passthrough Sessions

SUMMARY STEPS

  1. enable
  2. show radius-proxy statistics
  3. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

show radius-proxy statistics

Example:


Device> show radius-proxy statistics
Device> show radius-proxy statistics | include access request
Displays statistics of all RADIUS proxy sessions on the ISG.
Note 

You can also use appropriate output modifiers to display a section of the statistics for all the ISG RADIUS proxy sessions based on the specification.

Step 3

end

Example:

Device> end

Returns to user EXEC mode.

Clearing ISG RADIUS Proxy Statistics

SUMMARY STEPS

  1. enable
  2. clear radius-proxy statistics
  3. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

clear radius-proxy statistics

Example:

Device> clear radius-proxy statistics

Clears all ISG RADIUS proxy statistics.

Step 3

end

Example:

Device> exit

Returns to user EXEC mode.

Configuration Examples for Configuring ISG as RADIUS Proxy in Passthrough Mode

Example: Configuring Radius Proxy Passthrough Mode

The following example shows how to configure ISG as a RADIUS Proxy passthrough where the interface is configured with dual initiators. Here, an ISG session is not created for the client 10.0.0.2 as it is in passthrough mode whereas a session is created for the client 12.0.0.2 as session creation is triggered by the RADIUS proxy initiator. 


aaa server radius proxy
message-authenticator ignore
!
client 10.0.0.2
mode pass-through 
key radprxykey
accounting method-list SVC_ACCT
authentication port 1645
accounting port 1646 

client 12.0.0.2
key radprxykey
accounting method-list SVC_ACCT
authentication method-list SVC_ACCT 
authentication port 1647
accounting port 1648

Example: Verifying Radius Proxy Passthrough Mode

Use the show radius-proxy statistics command to verify that ISG is functioning in RADIUS proxy passthrough mode.

The following is a sample output from the show radius-proxy statistics command, showing information for both passthrough and non-passthrough clients. 


Device#show radius-proxy statistics

 NON-PASSTHROUGH CLIENTS
 FROM:                  Client       ISG         AAA
Access Requests:          0          0            0
Access Accepts:           0          0            0
Access Rejects:           0          0            0
Access Challenges         0          0            0
Accounting Requests       0          0            0
Accounting Starts         0          0            0
Accounting Stops          0          0            0
Accounting Updates        0          0            0
Accounting Responses      0          0            0
Accounting ON/OFFS        0          0            0

 PASSTHROUGH CLIENTS
 FROM:                  Client       ISG         AAA
Access Requests:          48000      48000        0
Access Accepts:           0          48000        48000
Access Rejects:           0          0            0
Access Challenges         0          0            0
Accounting Requests       80000      80000        0
Accounting Starts         80000      0            0
Accounting Stops          0          0            0
Accounting Updates        0          0            0
Accounting Responses      0          0            80000
Accounting ON/OFFS        0          0            0

Additional References for ISG as RADIUS Proxy in Passthrough Mode

Related Documents

Related Topic

Document Title

Cisco IOS commands

Master Command List, All Releases

ISG commands

ISG Command Reference

ISG as RADIUS Proxy

"Configuring ISG as a RADIUS Proxy" module in the Intelligent Services Gateway Configuration Guide

RADIUS configurations

"Configuring RADIUS" module in the RADIUS Configuration Guide

ISG Subscriber Service configurations

"Configuring ISG Subscriber Services" module in the Intelligent Services Gateway Configuration Guide

Command Lookup Tool

Command Lookup Tool

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for Configuring ISG as a RADIUS Proxy in Passthrough Mode

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Configuring ISG as a RADIUS Proxy in Passthrough Mode

Feature Name

Releases

Feature Information

Configuring ISG as a RADIUS Proxy in Passthrough Mode

Configuring the ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session.

The following commands were introduced: mode pass-thru and authentication method-list list-authen .