Understanding the RADIUS Relay Server

The JunosE RADIUS relay server provides authentication, authorization, accounting, and addressing services in an 802.1x-based wireless environment.

The IEEE 802.1x standard is an authentication standard for wireless LANs; it enables a wireless subscriber to be authenticated by a central authority. The standard uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The E Series router’s RADIUS relay server enhances the 802.1x environment by including authorization, accounting, and addressing support for wireless subscribers.

Figure 1 illustrates a typical 802.1x-based wireless environment. In the figure, wireless subscribers connect to wireless access points (WAPs) for authentication. The WAPs in turn connect to the E Series router’s RADIUS relay server. The RADIUS relay server passes the request on to the authentication server, which might be a RADIUS or TACACS+ server. The RADIUS server authenticates the subscriber, who is then granted access. After authentication, the RADIUS relay server obtains an IP address for the subscriber from the Dynamic Host Configuration Protocol (DHCP) local or external server. The RADIUS relay server can also use the RADIUS server or the optional Session and Resource Control (SRC) software (formerly the SDX software), to provide the accounting support.

Figure 1: RADIUS Relay Server

How the RADIUS Relay Server Works

When a wireless subscriber starts a session, the WAP encapsulates EAP attributes into a RADIUS Access-Request message and sends the request to the E Series router, which the WAP views as the RADIUS server. The encapsulated message uses the RADIUS EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP attributes in the RADIUS Access-Request message; the encrypted message is simply passed through the router to the actual RADIUS server. The RADIUS server must be EAP aware.

You can also use an optional RADIUS proxy server to provide additional enhancements to the 802.1x-based environment. For example, the RADIUS proxy server enables subscribers to be multiplexed to multiple Internet service providers (ISPs) that are customers of the same carrier. The server performs one of the following actions:

Authentication and Addressing

The WAP initiates the authentication and authorization request by sending a standard RADIUS Access-Request to the RADIUS relay server. The Access-Request must include the attributes listed in Table 3. The attributes uniquely identify the wireless subscriber.

Table 3: Required RADIUS Access-Request Attributes

Attribute Name              Description
Called-Station-id [30]      Subscriber's WAP
Calling-Station-id [31]     Subscriber's media access control (MAC) address

When the RADIUS server authenticates the subscriber, the router’s RADIUS relay server creates a RADIUS Access-Accept message and sends the message back to the subscriber. The router’s DHCP server (either the router’s DHCP local server or an external DHCP server) assigns an IP address to the subscriber and creates the subscriber interface.

For information about using the optional SRC software with the RADIUS relay server to assign IP addresses, see the Using the SRC Software for Addressing section in RADIUS Relay Server and the SRC Software.

The WAP might periodically reauthenticate a subscriber. For example, reauthentication is necessary to renegotiate a new Wired Equivalent Privacy (WEP) key. The RADIUS relay server ignores any new RADIUS attributes that are sent during a renegotiation operation.

Accounting

The RADIUS relay server’s clients (the WAPs) send standard accounting request messages to the RADIUS relay server. The accounting server processes the request and sends the results back to the RADIUS relay server, which then creates a RADIUS accounting response message and forwards the information to the client WAP.

For tracking purposes, the forwarding RADIUS relay server adds the Radius-Client-Address vendor-specific attribute (VSA 26-52) to the forwarded accounting request messages. The VSA indicates the RADIUS relay server’s IP address.

For information about using the SRC software with the RADIUS relay server to provide accounting, see the Using the SRC Software for Addressing section in RADIUS Relay Server and the SRC Software.

Table 4 shows the RADIUS attributes that must be included in accounting requests. The attributes uniquely identify subscribers.

Table 4: Required RADIUS Accounting Attributes

For RADIUS Acct-Start and Acct-Stop Messages    Description
Called-Station-id [30]                          Subscriber's WAP
Calling-Station-id [31]                         Subscriber's MAC address

For RADIUS Acct-On and Acct-Off Messages        Description
Called-Station-id [30]                          Subscriber's WAP
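The attribute rules from Table 3 (Access-Request) and Table 4 (accounting), together with the Radius-Client-Address VSA (26-52) that the relay appends to forwarded accounting requests, can be checked on the wire with a small RADIUS attribute parser. This is an added example written for this page, not JunosE code; it assumes the VSA is carried under the Juniper ERX vendor ID 4874 (the page gives only the "26-52" numbering) and builds its own sample packets with a zero authenticator.

```python
import struct

# RFC 2865/2866 attribute numbers and codes referenced on this page
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
VENDOR_SPECIFIC, ACCT_STATUS_TYPE, EAP_MESSAGE = 26, 40, 79
CODE_ACCESS_REQUEST, CODE_ACCOUNTING_REQUEST = 1, 4
ACCT_START, ACCT_STOP, ACCT_ON, ACCT_OFF = 1, 2, 7, 8  # Acct-Status-Type values
# Assumption: Radius-Client-Address (VSA 26-52) is carried under the Juniper
# ERX vendor ID 4874; the page states only the "26-52" numbering.
VENDOR_ID, RADIUS_CLIENT_ADDRESS = 4874, 52


def parse_packet(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def missing_required(code, attrs):
    """Names of attributes required by Tables 3 and 4 that the packet lacks."""
    present = {t for t, _ in attrs}
    required = {CALLED_STATION_ID: "Called-Station-Id"}
    status = dict(attrs).get(ACCT_STATUS_TYPE)
    status = struct.unpack("!I", status)[0] if status else None
    # Access-Request and Acct-Start/Stop also need the subscriber MAC;
    # Acct-On/Off identify only the WAP.
    if code == CODE_ACCESS_REQUEST or (
            code == CODE_ACCOUNTING_REQUEST and status in (ACCT_START, ACCT_STOP)):
        required[CALLING_STATION_ID] = "Calling-Station-Id"
    return [name for t, name in required.items() if t not in present]


def add_client_address_vsa(packet, relay_ip):
    """Append Radius-Client-Address (26-52) holding the relay's IPv4 address."""
    inner = bytes([RADIUS_CLIENT_ADDRESS, 6]) + bytes(int(o) for o in relay_ip.split("."))
    vsa = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), VENDOR_ID) + inner
    return packet[:2] + struct.pack("!H", len(packet) + len(vsa)) + packet[4:] + vsa


def build_packet(code, attrs):
    """Constructed sample packet: header, zero authenticator, attribute list."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

A relay that logs the result of `missing_required` before forwarding gives an immediate explanation when a WAP's requests are rejected or leave sessions unidentifiable in accounting records.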

Terminating the Wireless Subscriber’s Connection

The RADIUS relay server terminates the wireless subscriber’s session when one of the following events occurs. When a subscriber session is terminated, the subscriber’s IP address is released back into the available address pool.
