Authentication is initiated from the RADIUS client on the ISA anchoring the user, based on an isa-radius-policy (configured under aaa) that is specified on the wlan-gw group-interface. This support exists in prior releases and is described in Authentication and forwarding. The auth-policy can contain up to ten servers: up to five of them can be used for authentication, and all ten can be used as COA servers.
To generate accounting updates for DSM UEs, an accounting policy (type isa-radius-policy) must be configured under the aaa node and specified under vlan-range (default or a specific range) on the wlan-gw interface. Accounting for DSM UEs includes accounting-start, accounting-stop, and interim-updates. The interim-update interval is configurable under vlan-range on the wlan-gw interface. The username format included in RADIUS messages is configured in the auth-policy and accounting-policy with the user-name-format command. By default, the username contains the UE MAC address; it can instead be configured to contain the UE's MAC address and IP address, the circuit-id, or DHCP vendor options. If authenticate-on-dhcp is enabled, the UE's IP address is not yet known when authentication takes place, so a username configured to contain both MAC and IP address will contain only the MAC address.
The accounting-policy can be configured with attributes to be included in the accounting messages. The details of the attributes are covered in the 7450 ESS, 7750 SR, and VSR RADIUS Attributes Reference Guide. The attributes are included here for reference.
*A:Dut-1>config>aaa# info
----------------------------------------------
        isa-radius-policy "isaRadiusPol1" create
            user-name-format mac mac-format alu
            acct-include-attributes
                acct-delay-time
                acct-trigger-reason
                called-station-id
                calling-station-id
                circuit-id
                dhcp-options
                dhcp-vendor-class-id
                frame-counters
                framed-ip-addr
                framed-ip-netmask
                hardware-timestamp
                inside-service-id
                mac-address
                multi-session-id
                nas-identifier
                nas-port-id
                nas-port-type
                octet-counters
                outside-ip
                outside-service-id
                port-range-block
                release-reason
                remote-id
                session-time
                subscriber-id
                ue-creation-type
                user-name
                wifi-rssi
                wifi-ssid-vlan
            exit
The isa-radius-policy used for authentication/COA and for accounting also specifies how a server is selected among the servers configured in the policy, both for load-balancing and for handling the failure of one or more servers. Three methods are implemented:
direct
The first server is used as primary for all RADIUS messages, the second server is used as secondary (that is, it receives all RADIUS messages if the primary server fails), and so on down the configured list.
round-robin
RADIUS messages are distributed across accounting sessions in a round-robin manner among the list of configured servers. All accounting messages for a given session are sent to the server selected for that session until that server fails. If a server fails, the sessions targeted to that server are redistributed in a round-robin manner among the remaining servers. If the failed server comes back up, the sessions that were originally assigned to it revert to that server.
hash
The server is selected by hashing the UE MAC address. The hash list consists of all configured servers that are up. If a server fails, the UEs hashed to that server are re-hashed over the remaining servers that are up.
A server is deemed down when both of the following hold: no response has been received for a RADIUS message sent to that server within the configurable (per-server) timeout, and the time elapsed since the last packet received from that server is longer than the same timeout. An accounting-on message is periodically sent to a server marked as down to probe whether it has become responsive again; if a response is received, the server is marked as up.
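As an added illustration (not Nokia SR OS code; the class and function names are invented), the following Python models the three selection methods and the down-detection rule described above so that their failover behaviour can be traced: round-robin sessions stick to the server chosen for them, are redistributed when it fails and revert when it returns; hash selection rehashes over the servers that are up; and a server is declared down only when an unanswered request and silence from the server both exceed its timeout. The hash function (SHA-256) and the three server addresses are assumptions, and the state is driven directly rather than by real RADIUS traffic.

```python
"""Model of isa-radius-policy server selection (direct / round-robin / hash)
and of the per-server down detection described in the text.
Added illustration only, not Nokia SR OS code; all names are invented."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    index: int                 # "server 1", "server 2", ... in configured order
    ip: str
    timeout: float             # per-server timeout in seconds ("timeout sec 5")
    up: bool = True
    last_rx: float = 0.0       # when the last packet arrived from this server
    pending_since: Optional[float] = None   # oldest unanswered request, if any

    def sent(self, now: float) -> None:
        """Record a request; only the oldest outstanding one matters."""
        if self.pending_since is None:
            self.pending_since = now

    def received(self, now: float) -> None:
        """Any reply (including one to the periodic accounting-on probe)
        clears the outstanding request and marks the server up."""
        self.last_rx = now
        self.pending_since = None
        self.up = True

    def check_down(self, now: float) -> bool:
        """Deemed down only when BOTH hold: a request has gone unanswered for
        longer than the timeout, and nothing at all has been heard from the
        server for longer than the timeout."""
        if (self.pending_since is not None
                and now - self.pending_since > self.timeout
                and now - self.last_rx > self.timeout):
            self.up = False
        return not self.up


class ServerSelector:
    def __init__(self, method: str, servers: List[RadiusServer]) -> None:
        self.method = method
        self.servers = sorted(servers, key=lambda s: s.index)
        self._rr_next = 0                                # round-robin cursor
        self._home: Dict[str, RadiusServer] = {}         # session -> originally assigned server
        self._current: Dict[str, RadiusServer] = {}      # session -> server in use now

    def _up(self) -> List[RadiusServer]:
        return [s for s in self.servers if s.up]

    def select(self, session_id: str, mac: str) -> Optional[RadiusServer]:
        up = self._up()
        if not up:
            return None                                   # every server is down
        if self.method == "direct":
            return up[0]            # primary, else secondary, ... in configured order
        if self.method == "round-robin":
            return self._round_robin(session_id, up)
        if self.method == "hash":
            # Hash over the UE MAC across the servers that are up; the text does
            # not name the hash function, so SHA-256 here is an assumption.
            digest = hashlib.sha256(mac.lower().encode()).digest()
            return up[int.from_bytes(digest[:4], "big") % len(up)]
        raise ValueError(f"unknown access method {self.method!r}")

    def _round_robin(self, session_id: str, up: List[RadiusServer]) -> RadiusServer:
        home = self._home.get(session_id)
        if home is None:                                  # new session: take the next server
            home = up[self._rr_next % len(up)]
            self._rr_next += 1
            self._home[session_id] = home
            self._current[session_id] = home
            return home
        if home.up:                                       # original server (back) up: revert
            self._current[session_id] = home
            return home
        cur = self._current[session_id]
        if cur.up:                                        # sticky on the failover server
            return cur
        cur = up[self._rr_next % len(up)]                 # redistribute over the survivors
        self._rr_next += 1
        self._current[session_id] = cur
        return cur


def make_servers() -> List[RadiusServer]:
    """Constructed three-server policy; the addresses are illustrative."""
    return [RadiusServer(1, "10.13.0.2", 5.0),
            RadiusServer(2, "10.13.0.3", 5.0),
            RadiusServer(3, "10.13.0.4", 5.0)]
```

To trace a failover, build a selector with `make_servers()`, call `select()` for a few sessions, flip one server's `up` flag (or drive `sent()`/`check_down()` with timestamps) and call `select()` again: with round-robin the sessions that lived on the failed server move to a survivor and come back when the flag is restored, while hash-selected UEs simply land on a different live server.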
*A:Dut-1>config>aaa# info
        isa-radius-policy "isaRadiusPol1" create
            nas-ip-address-origin system-ip
            password "6mNsKxvTe.0.nNCTIpGFcu.rr/qtdijazQ3ED8WAFfk" hash2
            user-name-format mac mac-format alu release-reason
            servers
                access-algorithm hash-based
                retry 3
                router "Base"
                source-address-range 81.1.0.1
                timeout sec 5
                server 1 create
                    accounting port 1813
                    authentication port 1812
                    coa port 3799
                    ip-address 10.13.0.2
                    secret "3BmWbBfDO38hPY8DtLFn8bYDBaduy6w.ogeSUsouoHc" hash2
                    no shutdown
                exit
            exit
        exit
----------------------------------------------
*A:Dut-1>config>aaa#