When a wireless subscriber starts a session, the WAP encapsulates EAP attributes into a RADIUS Access-Request message and sends the request to the E-series router, which the WAP views as the RADIUS server. The encapsulated message uses the RADIUS EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP attributes in the RADIUS Access-Request message; the encrypted message is simply passed through the router to the actual RADIUS server. The RADIUS server must be EAP aware.
You can also use an optional RADIUS proxy server to provide additional enhancements to the 802.1x-based environment. For example, the RADIUS proxy server enables subscribers to be multiplexed to multiple Internet service providers (ISPs) that are customers of the same carrier. The server performs one of the following actions:
The WAP initiates the authentication and authorization request by sending a standard RADIUS Access-Request to the RADIUS relay server. The Access-Request must include the attributes listed in Table 44. The attributes uniquely identify the wireless subscriber.
Table 44: Required RADIUS Access-Request Attributes
| Attribute Name | Description |
|---|---|
| Called-Station-id [30] | Subscriber’s WAP |
| Calling-Station-id [31] | Subscriber’s media access control (MAC) address |
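The following Python code is an added example, not part of the original documentation or the router software. It parses a raw RADIUS Access-Request (packet layout per RFC 2865) and reports which of the Table 44 attributes are missing, which is useful when checking what a WAP actually sends to the relay. The function names and the sample station identifiers are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1
REQUIRED = {30: "Called-Station-Id", 31: "Calling-Station-Id"}  # Table 44
EAP_MESSAGE = 79

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) after validating all length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def missing_required(packet: bytes):
    """Return names of Table 44 attributes that are absent or empty."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    present = {t for t, v in attrs if v}
    return [name for t, name in REQUIRED.items() if t not in present]

def eap_payload(packet: bytes) -> bytes:
    """Concatenate EAP-Message (79) fragments in the order they appear."""
    _, attrs = parse_attributes(packet)
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)

def build(code, attrs, ident=1):
    """Build a constructed sample packet with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample values, not taken from any real deployment.
EAP_ID = b"\x02\x01\x00\x08\x01bob"  # EAP Response/Identity
GOOD = build(1, [(30, b"00-11-22-33-44-55:lab"), (31, b"66-77-88-99-AA-BB"), (79, EAP_ID)])
NO_MAC = build(1, [(30, b"00-11-22-33-44-55:lab"), (79, EAP_ID)])
print(missing_required(GOOD), missing_required(NO_MAC))
```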
When the RADIUS server authenticates the subscriber, the router’s RADIUS relay server creates a RADIUS Access-Accept message and sends the message back to the subscriber. The router’s DHCP server (either the router’s DHCP local server or an external DHCP server) assigns an IP address to the subscriber and creates the subscriber interface.
For information about using the optional SRC software with the RADIUS relay server to assign IP addresses, see RADIUS Relay Server and the SRC Software.
The WAP might periodically reauthenticate a subscriber. For example, reauthentication is necessary to renegotiate a new Wired Equivalent Privacy (WEP) key. The RADIUS relay server ignores any new RADIUS attributes that are sent during a renegotiation operation.
The RADIUS relay server’s clients (the WAPs) send standard accounting request messages to the RADIUS relay server. The accounting server processes the request and sends the results back to the RADIUS relay server, which then creates a RADIUS accounting response message and forwards the information to the client WAP.
For tracking purposes, the forwarding RADIUS relay server adds the Radius-Client-Address vendor-specific attribute (VSA 26-52) to the forwarded accounting request messages. The VSA indicates the RADIUS relay server’s IP address.
For information about using the SRC software with the RADIUS relay server to provide accounting, see RADIUS Relay Server and the SRC Software.
Table 45 shows the RADIUS attributes that must be included in accounting requests. The attributes uniquely identify subscribers.
Table 45: Required RADIUS Accounting Attributes
The RADIUS relay server terminates the wireless subscriber’s session when one of the following events occurs. When a subscriber session is terminated, the subscriber’s IP address is released back into the available address pool.