Related Documentation

  • RADIUS Relay Server and the SRC Software
  • Configuring RADIUS Relay Server Support
 

Understanding the RADIUS Relay Server

The JunosE RADIUS relay server provides authentication, authorization, accounting, and addressing services in an 802.1x-based wireless environment.

The IEEE 802.1x standard is an authentication standard for wireless LANs; it enables a wireless subscriber to be authenticated by a central authority. The standard uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The E Series router’s RADIUS relay server enhances the 802.1x environment by including authorization, accounting, and addressing support for wireless subscribers.

Figure 1 illustrates a typical 802.1x-based wireless environment. In the figure, wireless subscribers connect to wireless access points (WAPs) for authentication. The WAPs in turn connect to the E Series router’s RADIUS relay server. The RADIUS relay server passes the request on to the authentication server, which might be a RADIUS or TACACS+ server. The RADIUS server authenticates the subscriber, who is then granted access. After authentication, the RADIUS relay server obtains an IP address for the subscriber from the Dynamic Host Configuration Protocol (DHCP) local or external server. The RADIUS relay server can also use the RADIUS server or the optional Session and Resource Control (SRC) software (formerly the SDX software) to provide accounting support.

Figure 1: RADIUS Relay Server


How RADIUS Relay Server Works

When a wireless subscriber starts a session, the WAP encapsulates EAP attributes into a RADIUS Access-Request message and sends the request to the E Series router, which the WAP views as the RADIUS server. The encapsulated message uses the RADIUS EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP attributes in the RADIUS Access-Request message; the encrypted message is simply passed through the router to the actual RADIUS server. The RADIUS server must be EAP aware.

You can also use an optional RADIUS proxy server to provide additional enhancements to the 802.1x-based environment. For example, the RADIUS proxy server enables subscribers to be multiplexed to multiple Internet service providers (ISPs) that are customers of the same carrier. The server performs one of the following actions:

  • If the ISP’s RADIUS server supports EAP, the RADIUS proxy server extends the EAP session to the RADIUS server.
  • If the ISP’s RADIUS server does not support EAP, the RADIUS proxy server translates the EAP session into a legacy RADIUS session for the RADIUS server.

Authentication and Addressing

The WAP initiates the authentication and authorization request by sending a standard RADIUS Access-Request to the RADIUS relay server. The Access-Request must include the attributes listed in Table 1. The attributes uniquely identify the wireless subscriber.

Table 1: Required RADIUS Access-Request Attributes

| Attribute Name | Description |
|---|---|
| Called-Station-id [30] | Subscriber’s WAP |
| Calling-Station-id [31] | Subscriber’s media access control (MAC) address |

When the RADIUS server authenticates the subscriber, the router’s RADIUS relay server creates a RADIUS Access-Accept message and sends the message back to the subscriber. The router’s DHCP server (either the router’s DHCP local server or an external DHCP server) assigns an IP address to the subscriber and creates the subscriber interface.

For information about using the optional SRC software with the RADIUS relay server to assign IP addresses, see RADIUS Relay Server and the SRC Software.

The WAP might periodically reauthenticate a subscriber. For example, reauthentication is necessary to renegotiate a new Wired Equivalent Privacy (WEP) key. The RADIUS relay server ignores any new RADIUS attributes that are sent during a renegotiation operation.

Accounting

The RADIUS relay server’s clients (the WAPs) send standard accounting request messages to the RADIUS relay server. The accounting server processes the request and sends the results back to the RADIUS relay server, which then creates a RADIUS accounting response message and forwards the information to the client WAP.

For tracking purposes, the forwarding RADIUS relay server adds the Radius-Client-Address vendor-specific attribute (VSA 26-52) to the forwarded accounting request messages. The VSA indicates the RADIUS relay server’s IP address.

For information about using the SRC software with the RADIUS relay server to provide accounting, see RADIUS Relay Server and the SRC Software.

Table 2 shows the RADIUS attributes that must be included in accounting requests. The attributes uniquely identify subscribers.

Table 2: Required RADIUS Accounting Attributes

| For RADIUS Acct-Start and Acct-Stop Messages | Description |
|---|---|
| Called-Station-id [30] | Subscriber’s WAP |
| Calling-Station-id [31] | Subscriber’s MAC address |
| For RADIUS Acct-On and Acct-Off Messages | |
| Called-Station-id [30] | Subscriber’s WAP |
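The following check is an added example, not JunosE code: it parses a RADIUS request defensively and reports which of the attributes required by Table 1 and Table 2 are missing, which is useful when validating what a WAP actually sends to the relay. The function names, the sample WAP name, MAC address and EAP bytes are assumptions made for illustration; the numeric codes come from RFC 2865 and RFC 2866.

```python
import struct

# Codes and attribute types from RFC 2865/2866; 30, 31 and 79 are the ones this page names.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
CALLED_STATION_ID, CALLING_STATION_ID, ACCT_STATUS_TYPE, EAP_MESSAGE = 30, 31, 40, 79
START, STOP, ACCT_ON, ACCT_OFF = 1, 2, 7, 8  # Acct-Status-Type values
NAMES = {CALLED_STATION_ID: "Called-Station-Id", CALLING_STATION_ID: "Calling-Station-Id"}

def parse(packet: bytes):
    """Return (code, [(type, value), ...]); raise ValueError on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type (1 byte), length (1 byte, counts itself), value.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("attribute length out of bounds")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def missing_required(packet: bytes):
    """List the Table 1 / Table 2 attributes that a request lacks."""
    code, attrs = parse(packet)
    present = {t for t, _ in attrs}
    if code == ACCESS_REQUEST:
        required = [CALLED_STATION_ID, CALLING_STATION_ID]
    elif code == ACCOUNTING_REQUEST:
        status = next((int.from_bytes(v, "big") for t, v in attrs if t == ACCT_STATUS_TYPE), None)
        if status not in (START, STOP, ACCT_ON, ACCT_OFF):
            raise ValueError("Acct-Status-Type not covered by Table 2")
        required = [CALLED_STATION_ID] + ([CALLING_STATION_ID] if status in (START, STOP) else [])
    else:
        raise ValueError("not an Access-Request or Accounting-Request")
    return [NAMES[t] for t in required if t not in present]

def build(code: int, attrs) -> bytes:
    """Assemble a constructed sample packet (identifier 1, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: the WAP name, MAC address and EAP bytes are made up.
WAP, MAC = b"wap-lobby-01", b"00-11-22-33-44-55"
GOOD_AUTH = build(ACCESS_REQUEST, [(30, WAP), (31, MAC), (EAP_MESSAGE, b"\x02\x01\x00\x05\x01")])
NO_MAC_STOP = build(ACCOUNTING_REQUEST, [(ACCT_STATUS_TYPE, b"\x00\x00\x00\x02"), (30, WAP)])
```

The parser returns the EAP-Message value as opaque bytes and never interprets it, mirroring the relay's pass-through behavior described earlier.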

Terminating the Wireless Subscriber’s Connection

The RADIUS relay server terminates the wireless subscriber’s session when one of the following events occurs. When a subscriber session is terminated, the subscriber’s IP address is released back into the available address pool.

  • The RADIUS relay server receives a RADIUS accounting stop request.
  • No RADIUS accounting messages are received for this subscriber for more than 24 hours.
 

 

Published: 2012-06-27

 