The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Configuring ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session.
This module describes how to configure ISG in RADIUS Proxy passthrough mode.
You need to configure the authentication and accounting methods.
You need to configure the AAA server.
High availability for RADIUS proxy passthrough is not supported. However, once, the switchover is completed, new sessions are entertained.
Information About Configuring ISG as a RADIUS Proxy in Passthrough Mode
The RADIUS proxy module of the Cisco ISG can be run in the passthrough mode to proxy the client's RADIUS traffic. This improves manageability. The RADIUS Proxy passthrough mode can be configured in two ways:
Global level: You can enable RADIUS proxy passthrough globally by configuring the mode pass-through command in the ISG RADIUS proxy server configuration mode. This causes all the clients configured after this command to be in RADIUS Proxy passthrough mode.
 Note |
The ISG interface can also be configured for dual initiators where one initiator can be RADIUS proxy and the other non-RADIUS proxy. When a specified ISG interface having dual initiators receives the non-RADIUS proxy trigger, ISG creates a session for the client. However, if this interface has a client configured to be in RADIUS proxy pass-through mode, it does not create a session when the RADIUS proxy trigger is received. Both these scenarios can co-exist on the same ISG interface. |
The RADIUS proxy configuration allows you to configure the accounting method list which specifies the AAA server to which the accounting start, interim and stop records are forwarded. This can be done at both the client level and the global level.
RADIUS proxy passthrough mode offers more security as the AAA server's IP address is hidden from the ultimate host.
Performance is improved as ISG sessions are not created for RADIUS clients.
ISG acting as a RADIUS proxy where a session is created and the client's RADIUS messages are sent to an external AAA server.
ISG acting as a RADIUS proxy passthrough where a session is not created and the client's RADIUS messages are sent to an external AAA server.
How to Configure ISG as a RADIUS Proxy in Passthrough Mode
Perform this task to enable the RADIUS proxy passthrough mode globally.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa new-model Example: |
Enables the authentication, authorization and accounting(AAA) access control model. |
|
Step 4 |
aaa server radius proxy Example: |
Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode. |
|
Step 5 |
mode pass-through Example: |
Enables ISG RADIUS proxy pass-through mode. |
|
Step 6 |
key [0 | 7] word Example: |
|
|
Step 7 |
accounting method-list {method-list-name | default} Example: |
Specifies the server to which accounting packets from RADIUS clients are forwarded. |
|
Step 8 |
authentication method-list {method-list-name | default} Example: |
Specifies the server to which authentication packets from RADIUS clients are forwarded. |
|
Step 9 |
authentication port port-number Example: |
|
|
Step 10 |
accounting port port-number Example: |
|
|
Step 11 |
client {name | ip-address} [subnet-mask [vrfvrf-id]] Example: |
Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode. |
|
Step 12 |
end Example: |
Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode. |
Perform this task to enable the RADIUS proxy passthrough mode for an individual client.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
aaa new-model Example: |
Enables the authentication, authorization and accounting(AAA) access control model. |
|
Step 4 |
aaa server radius proxy Example: |
Enters Intelligent Services Gateway (ISG) RADIUS proxy server configuration mode. |
|
Step 5 |
client {name | ip-address} [subnet-mask [vrfvrf-id]] Example: |
Specifies a RADIUS proxy client for which client-specific parameters can be configured, and enters RADIUS proxy client configuration mode. |
|
Step 6 |
mode pass-through Example: |
Enables ISG RADIUS proxy pass-through mode. |
|
Step 7 |
key [0 | 7] word Example: |
|
|
Step 8 |
accounting method-list {method-list-name | default} Example: |
Specifies the server to which accounting packets from RADIUS clients are forwarded. |
|
Step 9 |
authentication method-list {method-list-name | default} Example: |
Specifies the server to which authentication packets from RADIUS clients are forwarded. |
|
Step 10 |
authentication port port-number Example: |
|
|
Step 11 |
accounting port port-number Example: |
|
|
Step 12 |
end Example: |
Exits the ISG RADIUS proxy client configuration mode and returns to privileged EXEC mode. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
|
||
|
Step 2 |
show radius-proxy statistics Example: |
|
||
|
Step 3 |
end Example: |
Returns to user EXEC mode. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
|
|
Step 2 |
clear radius-proxy statistics Example: |
Clears all ISG RADIUS proxy statistics. |
|
Step 3 |
end Example: |
Returns to user EXEC mode. |
Configuration Examples for Configuring ISG as RADIUS Proxy in Passthrough Mode
The following example shows how to configure ISG as a RADIUS Proxy passthrough where the interface is configured with dual initiators. Here, an ISG session is not created for the client 10.0.0.2 as it is in passthrough mode whereas a session is created for the client 12.0.0.2 as session creation is triggered by the RADIUS proxy initiator.
aaa server radius proxy
message-authenticator ignore
!
client 10.0.0.2
mode pass-through
key radprxykey
accounting method-list SVC_ACCT
authentication port 1645
accounting port 1646
client 12.0.0.2
key radprxykey
accounting method-list SVC_ACCT
authentication method-list SVC_ACCT
authentication port 1647
accounting port 1648
Use the show radius-proxy statistics command to verify that ISG is functioning in RADIUS proxy passthrough mode.
The following is a sample output from the show radius-proxy statistics command, showing information for both passthrough and non-passthrough clients.
Device#show radius-proxy statistics
NON-PASSTHROUGH CLIENTS
FROM: Client ISG AAA
Access Requests: 0 0 0
Access Accepts: 0 0 0
Access Rejects: 0 0 0
Access Challenges 0 0 0
Accounting Requests 0 0 0
Accounting Starts 0 0 0
Accounting Stops 0 0 0
Accounting Updates 0 0 0
Accounting Responses 0 0 0
Accounting ON/OFFS 0 0 0
PASSTHROUGH CLIENTS
FROM: Client ISG AAA
Access Requests: 48000 48000 0
Access Accepts: 0 48000 48000
Access Rejects: 0 0 0
Access Challenges 0 0 0
Accounting Requests 80000 80000 0
Accounting Starts 80000 0 0
Accounting Stops 0 0 0
Accounting Updates 0 0 0
Accounting Responses 0 0 80000
Accounting ON/OFFS 0 0 0
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
ISG commands |
|
|
ISG as RADIUS Proxy |
"Configuring ISG as a RADIUS Proxy" module in the Intelligent Services Gateway Configuration Guide |
|
RADIUS configurations |
"Configuring RADIUS" module in the RADIUS Configuration Guide |
|
ISG Subscriber Service configurations |
"Configuring ISG Subscriber Services" module in the Intelligent Services Gateway Configuration Guide |
|
Command Lookup Tool |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Configuring ISG as a RADIUS Proxy in Passthrough Mode |
Configuring the ISG as a RADIUS Proxy in Passthrough Mode allows the Cisco Intelligent Services Gateway (ISG) acting as a RADIUS Proxy to direct all the RADIUS traffic from the client to the RADIUS server, without creating an ISG session. The following commands were introduced: mode pass-thru and authentication method-list list-authen . |
Feedback