Configuring ISG as a RADIUS Proxy in Passthrough Mode

Configuring ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session.

This module describes how to configure ISG in RADIUS Proxy passthrough mode.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring ISG as a RADIUS Proxy in Passthrough Mode

  • You need to configure the authentication and accounting methods.

  • You need to configure the AAA server.

Restrictions for Configuring ISG as a RADIUS Proxy in Passthrough Mode

  • High availability for RADIUS proxy passthrough is not supported. However, once the switchover is completed, new sessions are accepted.

Information About Configuring ISG as a RADIUS Proxy in Passthrough Mode

ISG Acting as a RADIUS Proxy Passthrough

The RADIUS proxy module of the Cisco ISG can be run in the passthrough mode to proxy the client's RADIUS traffic. This improves manageability. The RADIUS Proxy passthrough mode can be configured in two ways:

  • Global level: You can enable RADIUS proxy passthrough globally by configuring the mode pass-through command in the ISG RADIUS proxy server configuration mode. This causes all the clients configured after this command to be in RADIUS Proxy passthrough mode.

  • Client level: You can enable RADIUS proxy passthrough at the client level by configuring the mode pass-through command for a specific client in the RADIUS proxy client configuration mode.

    Note


    The ISG interface can also be configured for dual initiators where one initiator can be RADIUS proxy and the other non-RADIUS proxy. When a specified ISG interface having dual initiators receives the non-RADIUS proxy trigger, ISG creates a session for the client. However, if this interface has a client configured to be in RADIUS proxy pass-through mode, it does not create a session when the RADIUS proxy trigger is received. Both these scenarios can co-exist on the same ISG interface.


The RADIUS proxy configuration allows you to configure the accounting method list which specifies the AAA server to which the accounting start, interim and stop records are forwarded. This can be done at both the client level and the global level.

Benefits of Using ISG in RADIUS Proxy Passthrough Mode

  • RADIUS proxy passthrough mode offers more security as the AAA server's IP address is hidden from the ultimate host.

  • Performance is improved as ISG sessions are not created for RADIUS clients.

  • The same ISG can serve in two different modes as listed below:
    • ISG acting as a RADIUS proxy where a session is created and the client's RADIUS messages are sent to an external AAA server.

    • ISG acting as a RADIUS proxy passthrough where a session is not created and the client's RADIUS messages are sent to an external AAA server.

How to Configure ISG as a RADIUS Proxy in Passthrough Mode

Enabling RADIUS Proxy Passthrough mode at Global Level

Perform this task to enable the RADIUS proxy passthrough mode globally.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa server radius proxy

    5.    mode pass-through

    6.    key [0 | 7] word

    7.    accounting method-list {method-list-name | default}

    8.    authentication method-list {method-list-name | default}

    9.    authentication port port-number

    10.    accounting port port-number

    11.    client {name | ip-address} [subnet-mask [vrf vrf-id]]

    12.    end


DETAILED STEPS
     Command or Action / Purpose
    Step 1 enable

    Example:
    Device> enable
    
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal

    Example:
    Device# configure terminal
    
     

    Enters global configuration mode.

     
    Step 3 aaa new-model

    Example:
    Device(config)# aaa new-model
    
     

    Enables the authentication, authorization and accounting (AAA) access control model.

     
    Step 4 aaa server radius proxy

    Example:
    Device(config)# aaa server radius proxy
    
     

    Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode.

     
    Step 5 mode pass-through

    Example:
    Device(config-locsvr-proxy-radius)# mode pass-through
     

    Enables ISG RADIUS proxy pass-through mode.

     
    Step 6 key [0 | 7] word

    Example:
    Device(config-locsvr-proxy-radius)# key radprxykey
    
     
    Configures the encryption key to be shared between ISG and RADIUS clients.
    • 0 specifies that an unencrypted key will follow.

    • 7 specifies a hidden key will follow.

     
    Step 7 accounting method-list {method-list-name | default}

    Example:
    Device(config-locsvr-proxy-radius)# accounting method-list SVC_ACCT
    
     

    Specifies the server to which accounting packets from RADIUS clients are forwarded.

     
    Step 8 authentication method-list {method-list-name | default}

    Example:
    Device(config-locsvr-proxy-radius)# authentication method-list SVC_ACCT
    
     

    Specifies the server to which authentication packets from RADIUS clients are forwarded.

     
    Step 9 authentication port port-number

    Example:
    Device(config-locsvr-proxy-radius)# authentication port 1645
    
     
    Specifies the port on which the ISG listens for authentication packets from RADIUS clients.
    • The default port is 1645.

     
    Step 10 accounting port port-number

    Example:
    Device(config-locsvr-proxy-radius)# accounting port 1646
    
     
    Specifies the port on which the ISG listens for accounting packets from RADIUS clients.
    • The default port is 1646.

     
    Step 11 client {name | ip-address} [subnet-mask [vrf vrf-id]]

    Example:
    Device(config-locsvr-proxy-radius)# client 1.1.1.1
    
     

    Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode.

     
    Step 12 end

    Example:
    Device(config-locsvr-radius-client)# end
     

    Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode.

     

    Enabling RADIUS Proxy Passthrough mode at Client Level

    Perform this task to enable the RADIUS proxy passthrough mode for an individual client.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    aaa new-model

      4.    aaa server radius proxy

      5.    client {name | ip-address} [subnet-mask [vrf vrf-id]]

      6.    mode pass-through

      7.    key [0 | 7] word

      8.    accounting method-list {method-list-name | default}

      9.    authentication method-list {method-list-name | default}

      10.    authentication port port-number

      11.    accounting port port-number

      12.    end


    DETAILED STEPS
       Command or Action / Purpose
      Step 1 enable

      Example:
      Device> enable
      
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal

      Example:
      Device# configure terminal
      
       

      Enters global configuration mode.

       
      Step 3 aaa new-model

      Example:
      Device(config)# aaa new-model
      
       

      Enables the authentication, authorization and accounting (AAA) access control model.

       
      Step 4 aaa server radius proxy

      Example:
      Device(config)# aaa server radius proxy
      
       

      Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode.

       
      Step 5 client {name | ip-address} [subnet-mask [vrf vrf-id]]

      Example:
      Device(config-locsvr-proxy-radius)# client 1.1.1.1
      
       

      Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode.

       
      Step 6 mode pass-through

      Example:
      Device(config-locsvr-radius-client)# mode pass-through
       

      Enables ISG RADIUS proxy pass-through mode.

       
      Step 7 key [0 | 7] word

      Example:
      Device(config-locsvr-radius-client)# key radprxykey
      
       
      Configures the encryption key to be shared between ISG and RADIUS clients.
      • 0 specifies that an unencrypted key will follow.

      • 7 specifies a hidden key will follow.

       
      Step 8 accounting method-list {method-list-name | default}

      Example:
      Device(config-locsvr-radius-client)# accounting method-list SVC_ACCT
      
       

      Specifies the server to which accounting packets from RADIUS clients are forwarded.

       
      Step 9 authentication method-list {method-list-name | default}

      Example:
      Device(config-locsvr-radius-client)# authentication method-list SVC_ACCT
      
       

      Specifies the server to which authentication packets from RADIUS clients are forwarded.

       
      Step 10 authentication port port-number

      Example:
      Device(config-locsvr-radius-client)# authentication port 1645
      
       
      Specifies the port on which the ISG listens for authentication packets from RADIUS clients.
      • The default port is 1645.

       
      Step 11 accounting port port-number

      Example:
      Device(config-locsvr-radius-client)# accounting port 1646
      
       
      Specifies the port on which the ISG listens for accounting packets from RADIUS clients.
      • The default port is 1646.

       
      Step 12 end

      Example:
      Device(config-locsvr-radius-client)# end
       

      Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode.

       

      Verifying ISG RADIUS Proxy Passthrough Sessions

      SUMMARY STEPS

        1.    enable

        2.    show radius-proxy statistics

        3.    end


      DETAILED STEPS
         Command or Action / Purpose
        Step 1 enable

        Example:
        Device> enable
         
        Enables privileged EXEC mode.
        • Enter your password if prompted.

         
        Step 2 show radius-proxy statistics

        Example:
        Device> show radius-proxy statistics
        Device> show radius-proxy statistics | include access request
        
         
        Displays statistics of all RADIUS proxy sessions on the ISG.
        Note   

        You can also use appropriate output modifiers to display a section of the statistics for all the ISG RADIUS proxy sessions based on the specification.

         
        Step 3 end

        Example:
        Device> end
         

        Returns to user EXEC mode.

         

        Clearing ISG RADIUS Proxy Statistics

        SUMMARY STEPS

          1.    enable

          2.    clear radius-proxy statistics

          3.    end


        DETAILED STEPS
           Command or Action / Purpose
          Step 1 enable

          Example:
          Device> enable
          
           
          Enables privileged EXEC mode.
          • Enter your password if prompted.

           
          Step 2 clear radius-proxy statistics

          Example:
          Device> clear radius-proxy statistics
          
           

          Clears all ISG RADIUS proxy statistics.

           
          Step 3 end

          Example:
          Device> exit
           

          Returns to user EXEC mode.

           

          Configuration Examples for Configuring ISG as RADIUS Proxy in Passthrough Mode

          Example: Configuring RADIUS Proxy Passthrough Mode

          The following example shows how to configure ISG as a RADIUS Proxy passthrough where the interface is configured with dual initiators. Here, an ISG session is not created for the client 10.0.0.2 as it is in passthrough mode whereas a session is created for the client 12.0.0.2 as session creation is triggered by the RADIUS proxy initiator.

          aaa server radius proxy
          message-authenticator ignore
          !
          client 10.0.0.2
          mode pass-through 
          key radprxykey
          accounting method-list SVC_ACCT
          authentication port 1645
          accounting port 1646 
          
          client 12.0.0.2
          key radprxykey
          accounting method-list SVC_ACCT
          authentication method-list SVC_ACCT 
          authentication port 1647
          accounting port 1648
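
The configuration above carries settings worth a security review: `message-authenticator ignore` turns off Message-Authenticator validation for packets from clients, both clients use the same clear-text key, and the pass-through client names no authentication method list. The following Python audit is an added example, not Cisco code; the finding names, and the assumption that the input is only the `aaa server radius proxy` section, belong to this example.

```python
import re
from collections import defaultdict
# Constructed input: the dual-initiator configuration example from this page.
SAMPLE = """\
aaa server radius proxy
message-authenticator ignore
!
client 10.0.0.2
mode pass-through
key radprxykey
accounting method-list SVC_ACCT
authentication port 1645
accounting port 1646
client 12.0.0.2
key radprxykey
accounting method-list SVC_ACCT
authentication method-list SVC_ACCT
authentication port 1647
accounting port 1648
"""

def parse_proxy(section):
    """Group commands by scope: 'global' or the client name/address."""
    scopes, scope = {"global": []}, "global"
    for raw in section.splitlines():
        words = raw.split()
        if not words or words == ["!"] or raw.strip() == "aaa server radius proxy":
            continue
        if words[0] == "client" and len(words) > 1:
            scope = words[1]
            scopes.setdefault(scope, [])
        else:
            scopes[scope].append(" ".join(words))
    return scopes

def audit(section):
    """Return sorted (finding, scope) pairs for settings that deserve review."""
    scopes, findings, key_users = parse_proxy(section), set(), defaultdict(list)
    for scope, cmds in scopes.items():
        effective = cmds if scope == "global" else scopes["global"] + cmds
        if "message-authenticator ignore" in cmds:
            # Message-Authenticator validation is off for packets from clients.
            findings.add(("message-authenticator-ignored", scope))
        for m in filter(None, (re.match(r"key (?:([07]) )?(\S+)$", c) for c in cmds)):
            if m.group(1) != "7":  # type 0 or untyped: secret readable in the config
                findings.add(("cleartext-key", scope))
            key_users[m.group(2)].append(scope)
        if (scope != "global" and "mode pass-through" in effective and not
                any(c.startswith("authentication method-list") for c in effective)):
            findings.add(("passthrough-no-auth-method-list", scope))
    for users in key_users.values():
        if len(users) > 1:  # one leaked secret would expose every listed scope
            findings.add(("key-reused", ",".join(sorted(users))))
    return sorted(findings)
```

Type 7 keys pass the clear-text check, but type 7 is a reversible encoding, so saved configurations still need access control.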
          

          Example: Verifying RADIUS Proxy Passthrough Mode

          Use the show radius-proxy statistics command to verify that ISG is functioning in RADIUS proxy passthrough mode.

          The following is a sample output from the show radius-proxy statistics command, showing information for both passthrough and non-passthrough clients.

          Device# show radius-proxy statistics
          
           NON-PASSTHROUGH CLIENTS
           FROM:                  Client       ISG         AAA
          Access Requests:          0          0            0
          Access Accepts:           0          0            0
          Access Rejects:           0          0            0
          Access Challenges         0          0            0
          Accounting Requests       0          0            0
          Accounting Starts         0          0            0
          Accounting Stops          0          0            0
          Accounting Updates        0          0            0
          Accounting Responses      0          0            0
          Accounting ON/OFFS        0          0            0
          
           PASSTHROUGH CLIENTS
           FROM:                  Client       ISG         AAA
          Access Requests:          48000      48000        0
          Access Accepts:           0          48000        48000
          Access Rejects:           0          0            0
          Access Challenges         0          0            0
          Accounting Requests       80000      80000        0
          Accounting Starts         80000      0            0
          Accounting Stops          0          0            0
          Accounting Updates        0          0            0
          Accounting Responses      0          0            80000
          Accounting ON/OFFS        0          0            0
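
A scripted form of this verification, as an added example that is not part of the Cisco documentation: it parses the output and reports which client class carries traffic and whether every request was relayed and answered. The column interpretation (received from client, sent by ISG, received from AAA) and the function names are assumptions of this example.

```python
import re

# Constructed input: abridged from the sample output on this page
# (the all-zero NON-PASSTHROUGH table is cut to two rows).
SAMPLE = """\
 NON-PASSTHROUGH CLIENTS
 FROM:                  Client       ISG         AAA
Access Requests:          0          0            0
Accounting Requests       0          0            0

 PASSTHROUGH CLIENTS
 FROM:                  Client       ISG         AAA
Access Requests:          48000      48000        0
Access Accepts:           0          48000        48000
Access Rejects:           0          0            0
Access Challenges         0          0            0
Accounting Requests       80000      80000        0
Accounting Starts         80000      0            0
Accounting Responses      0          0            80000
"""
ROW = re.compile(r"^\s*([A-Za-z/ ]+?):?\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_stats(text):
    """Return {section: {counter: {'client': n, 'isg': n, 'aaa': n}}}."""
    stats, section = {}, None
    for line in text.splitlines():
        if line.strip().endswith("CLIENTS"):
            section = stats.setdefault(line.strip(), {})
        elif section is not None and (m := ROW.match(line)):
            section[m.group(1)] = dict(zip(("client", "isg", "aaa"), map(int, m.groups()[1:])))
    return stats

def active_sections(stats):
    """Sections with at least one non-zero counter."""
    return [name for name, rows in stats.items() if any(v for row in rows.values() for v in row.values())]

def relay_gaps(rows):
    """Differences that are all 0 when every request was relayed and answered.
    Assumed column meaning: received from client / sent by ISG / received from AAA."""
    auth, acct = rows["Access Requests"], rows["Accounting Requests"]
    replies = sum(rows[k]["aaa"] for k in ("Access Accepts", "Access Rejects", "Access Challenges"))
    return {"auth_not_forwarded": auth["client"] - auth["isg"],
            "auth_unanswered": auth["isg"] - replies,
            "acct_not_forwarded": acct["client"] - acct["isg"],
            "acct_unanswered": acct["isg"] - rows["Accounting Responses"]["aaa"]}
```

A non-zero gap that persists across polls points at packets dropped by the proxy or an AAA server that has stopped answering.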
          

          Additional References for ISG as RADIUS Proxy in Passthrough Mode

          Related Documents

          Related Topic: Document Title

          • Cisco IOS commands: Master Command List, All Releases

          • ISG commands: ISG Command Reference

          • ISG as RADIUS Proxy: "Configuring ISG as a RADIUS Proxy" module in the Intelligent Services Gateway Configuration Guide

          • RADIUS configurations: "Configuring RADIUS" module in the RADIUS Configuration Guide

          • ISG Subscriber Service configurations: "Configuring ISG Subscriber Services" module in the Intelligent Services Gateway Configuration Guide

          • Command Lookup Tool: Command Lookup Tool


          Feature Information for Configuring ISG as a RADIUS Proxy in Passthrough Mode

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Table 1 Feature Information for Configuring ISG as a RADIUS Proxy in Passthrough Mode

          Feature Name

          Releases

          Feature Information

          Configuring ISG as a RADIUS Proxy in Passthrough Mode

          Configuring the ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session.

          The following commands were introduced: mode pass-thru and authentication method-list list-authen.