
    Understanding the RADIUS Relay Server

    The JunosE RADIUS relay server provides authentication, authorization, accounting, and addressing services in an 802.1x-based wireless environment.

    The IEEE 802.1x standard is an authentication standard for wireless LANs; it enables a wireless subscriber to be authenticated by a central authority. The standard uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The E Series router’s RADIUS relay server enhances the 802.1x environment by including authorization, accounting, and addressing support for wireless subscribers.

    Figure 1 illustrates a typical 802.1x-based wireless environment. In the figure, wireless subscribers connect to wireless access points (WAPs) for authentication. The WAPs in turn connect to the E Series router’s RADIUS relay server. The RADIUS relay server passes the request on to the authentication server, which might be a RADIUS or TACACS+ server. The RADIUS server authenticates the subscriber, who is then granted access. After authentication, the RADIUS relay server obtains an IP address for the subscriber from the Dynamic Host Configuration Protocol (DHCP) local or external server. The RADIUS relay server can also use the RADIUS server or the optional Session and Resource Control (SRC) software (formerly the SDX software) to provide the accounting support.

    Figure 1: RADIUS Relay Server

    How RADIUS Relay Server Works

    When a wireless subscriber starts a session, the WAP encapsulates EAP attributes into a RADIUS Access-Request message and sends the request to the E Series router, which the WAP views as the RADIUS server. The encapsulated message uses the RADIUS EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP attributes in the RADIUS Access-Request message; the encrypted message is simply passed through the router to the actual RADIUS server. The RADIUS server must be EAP-aware.

    You can also use an optional RADIUS proxy server to provide additional enhancements to the 802.1x-based environment. For example, the RADIUS proxy server enables subscribers to be multiplexed to multiple Internet service providers (ISPs) that are customers of the same carrier. The server performs one of the following actions:

    • If the ISP’s RADIUS server supports EAP, the RADIUS proxy server extends the EAP session to the RADIUS server.
    • If the ISP’s RADIUS server does not support EAP, the RADIUS proxy server translates the EAP session into a legacy RADIUS session for the RADIUS server.

    Authentication and Addressing

    The WAP initiates the authentication and authorization request by sending a standard RADIUS Access-Request to the RADIUS relay server. The Access-Request must include the attributes listed in Table 1. The attributes uniquely identify the wireless subscriber.

    Table 1: Required RADIUS Access-Request Attributes

    Attribute Name            Description
    Called-Station-Id [30]    Subscriber’s WAP
    Calling-Station-Id [31]   Subscriber’s media access control (MAC) address

    When the RADIUS server authenticates the subscriber, the router’s RADIUS relay server creates a RADIUS Access-Accept message and sends the message back to the subscriber. The router’s DHCP server (either the router’s DHCP local server or an external DHCP server) assigns an IP address to the subscriber and creates the subscriber interface.

    For information about using the optional SRC software with the RADIUS relay server to assign IP addresses, see the Using the SRC Software for Addressing section in RADIUS Relay Server and the SRC Software.

    The WAP might periodically reauthenticate a subscriber. For example, reauthentication is necessary to renegotiate a new Wired Equivalent Privacy (WEP) key. The RADIUS relay server ignores any new RADIUS attributes that are sent during a renegotiation operation.

    Accounting

    The RADIUS relay server’s clients (the WAPs) send standard accounting request messages to the RADIUS relay server. The accounting server processes the request and sends the results back to the RADIUS relay server, which then creates a RADIUS accounting response message and forwards the information to the client WAP.

    For tracking purposes, the forwarding RADIUS relay server adds the Radius-Client-Address vendor-specific attribute (VSA 26-52) to the forwarded accounting request messages. The VSA indicates the RADIUS relay server’s IP address.

    For information about using the SRC software with the RADIUS relay server to provide accounting, see the Using the SRC Software for Addressing section in RADIUS Relay Server and the SRC Software.

    Table 2 shows the RADIUS attributes that must be included in accounting requests. The attributes uniquely identify subscribers.

    Table 2: Required RADIUS Accounting Attributes

    For RADIUS Acct-Start and Acct-Stop Messages
    Attribute Name            Description
    Called-Station-Id [30]    Subscriber’s WAP
    Calling-Station-Id [31]   Subscriber’s MAC address

    For RADIUS Acct-On and Acct-Off Messages
    Attribute Name            Description
    Called-Station-Id [30]    Subscriber’s WAP
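    The following Python sketch is an added example, not code from the JunosE documentation or the router: it encodes and parses RADIUS attribute TLVs, checks a request against the attribute requirements of Table 1 (Access-Request) and Table 2 (accounting, selected by Acct-Status-Type), and appends the Radius-Client-Address VSA (26-52) that the relay adds to forwarded accounting requests. The vendor ID 4874 is an assumption (the page gives only the 26-52 numbering), and all station IDs and addresses are constructed sample values.

```python
import struct

# RADIUS codes and attribute numbers (RFC 2865/2866) named on this page
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
CALLED_STATION_ID, CALLING_STATION_ID, ACCT_STATUS_TYPE, EAP_MESSAGE = 30, 31, 40, 79
ACCT_START, ACCT_STOP, ACCT_ON, ACCT_OFF = 1, 2, 7, 8    # Acct-Status-Type values
VENDOR_SPECIFIC, RADIUS_CLIENT_ADDRESS = 26, 52           # the page's VSA 26-52
ERX_VENDOR_ID = 4874   # assumption: Juniper (Unisphere) ERX vendor ID; not on the page

def encode_attr(atype, value):
    """One RADIUS TLV: type (1 byte), total length (1 byte), value (<= 253 bytes)."""
    return bytes([atype, 2 + len(value)]) + value

def decode_attrs(payload):
    """Walk a TLV list, refusing any length that runs past the buffer."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload): raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload): raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def required_attrs(code, attrs):
    """Attribute types Table 1 / Table 2 require for this request."""
    if code == ACCESS_REQUEST:
        return {CALLED_STATION_ID, CALLING_STATION_ID}
    if code == ACCOUNTING_REQUEST:
        status = [v for t, v in attrs if t == ACCT_STATUS_TYPE]
        if not status: raise ValueError("accounting request without Acct-Status-Type")
        kind = struct.unpack("!I", status[0])[0]
        if kind in (ACCT_START, ACCT_STOP): return {CALLED_STATION_ID, CALLING_STATION_ID}
        if kind in (ACCT_ON, ACCT_OFF): return {CALLED_STATION_ID}
    raise ValueError(f"unsupported request: code={code}")

def missing_attrs(code, attrs):
    """Sorted required attribute types that are absent; empty means the request is complete."""
    return sorted(required_attrs(code, attrs) - {t for t, _ in attrs})

def relay_client_vsa(relay_ip):
    """Radius-Client-Address (26-52) carrying the relay server's own IPv4 address."""
    inner = encode_attr(RADIUS_CLIENT_ADDRESS, bytes(int(o) for o in relay_ip.split(".")))
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", ERX_VENDOR_ID) + inner)

def forward_accounting(attrs, relay_ip):
    """Re-encode a client's accounting attributes with the relay VSA appended, then re-parse."""
    wire = b"".join(encode_attr(t, v) for t, v in attrs) + relay_client_vsa(relay_ip)
    return decode_attrs(wire)
```

    Note that EAP-Message (79) is deliberately not among the checked attributes: the relay passes it through without inspecting it, as described above.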

    Terminating the Wireless Subscriber’s Connection

    The RADIUS relay server terminates the wireless subscriber’s session when one of the following events occurs:

    • The RADIUS relay server receives a RADIUS accounting stop request.
    • No RADIUS accounting messages are received for this subscriber for more than 24 hours.

    When a subscriber session is terminated, the subscriber’s IP address is released back into the available address pool.
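    As an added example (not the router's own implementation), the session table below models the two termination rules: an accounting stop request ends the session immediately, and a session with no accounting traffic for more than 24 hours is expired, with the address returned to the pool in both cases. The address pool, the (WAP, MAC) session key and the epoch-seconds clock are constructed assumptions standing in for the DHCP server and the router's timers.

```python
IDLE_LIMIT = 24 * 3600   # seconds: the page's "more than 24 hours" without accounting messages

class RelaySessions:
    """Subscriber sessions keyed by (Called-Station-Id, Calling-Station-Id) and their leased IPs."""

    def __init__(self, pool):
        self.free = list(pool)   # constructed address pool standing in for the DHCP server
        self.sessions = {}       # (wap, mac) -> {"ip": str, "last": float epoch seconds}

    def authenticated(self, wap, mac, now):
        """Access-Accept path: lease an address and create the subscriber session."""
        key = (wap, mac)
        if key not in self.sessions:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            self.sessions[key] = {"ip": self.free.pop(0), "last": now}
        self.sessions[key]["last"] = now
        return self.sessions[key]["ip"]

    def accounting(self, wap, mac, status, now):
        """Acct-Stop terminates the session; any other accounting message refreshes it."""
        key = (wap, mac)
        if key not in self.sessions:
            return None              # unknown subscriber: nothing to terminate or refresh
        if status == "stop":
            return self._terminate(key)
        self.sessions[key]["last"] = now
        return self.sessions[key]["ip"]

    def expire(self, now):
        """Terminate every session silent for more than IDLE_LIMIT; returns the released IPs."""
        stale = [k for k, s in self.sessions.items() if now - s["last"] > IDLE_LIMIT]
        return [self._terminate(k) for k in stale]

    def _terminate(self, key):
        ip = self.sessions.pop(key)["ip"]
        self.free.append(ip)         # address goes back into the available pool
        return ip
```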

    Published: 2014-08-20