Professional Documents
Culture Documents
Configuration Guide
Release 12.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work,
Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo,
Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet,
The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Audience xix
Overview of SSG 7
Contents 7
Contents 17
Additional References 40
Related Documents 40
MIBs 40
Technical Assistance 40
Feature Information for Implementing SSG 40
Contents 43
Where to Go Next 76
Additional References 77
Related Documents 77
Technical Assistance 77
Feature Information for SSG RADIUS Proxy 77
Contents 81
Where to Go Next 88
Additional References 88
Related Documents 88
Technical Assistance 89
Feature Information for Configuring SSG to Authenticate Web Logon Subscribers 89
Contents 91
Prerequisites 91
Restrictions 92
Contents 105
Example 115
Contents 121
Contents 135
Contents 145
Prerequisites for SSG Support for Subnet-Based Authentication 145
Contents 151
Contents 161
Contents 207
Contents 259
Contents 269
Contents 301
This chapter describes the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation, technical assistance, and
additional publications and information from Cisco Systems. It contains the following sections:
• Documentation Objectives, page xix
• Audience, page xix
• Documentation Organization for Cisco IOS Release 12.4, page xx
• Document Conventions, page xxvi
• Obtaining Documentation, page xxvii
• Documentation Feedback, page xxviii
• Cisco Product Security Overview, page xxix
• Obtaining Technical Assistance, page xxx
• Obtaining Additional Publications and Information, page xxxi
Documentation Objectives
Cisco IOS software documentation describes the tasks and commands available to configure and
maintain Cisco networking devices.
Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the
configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS software commands
necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for
those users experienced with Cisco IOS software who need to know about new features, new
configuration options, and new software characteristics in the current Cisco IOS software release.
Note In some cases, information contained in Release 12.2T and 12.3T feature documents augments or
supersedes content in the accompanying documentation. Therefore it is important to review all
feature documents for a particular technology.
Table 1 lists the Cisco IOS Release 12.4 configuration guides and command references.
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)
Table 2 lists the documents and resources that support the Cisco IOS Release 12.4 software
configuration guides and command references.
Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources (continued)
Document Conventions
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.
The Cisco IOS documentation set uses the following conventions:
Convention Description
^ or Ctrl The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D
means hold down the Control key while you press the D key. Keys are indicated in capital letters but
are not case sensitive.
string A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP
community string to public, do not use quotation marks around the string or the string will include the
quotation marks.
Convention Description
bold Bold text indicates commands and keywords that you enter literally as shown.
italics Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional element (keyword or argument).
| A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional
choice.
{x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
Nested sets of square brackets or braces indicate optional or required choices within optional or required
elements. For example:
Convention Description
[x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element.
Convention Description
screen Examples of information displayed on the screen are set in Courier font.
bold screen Examples of text that you must enter are set in Courier bold font.
< > Angle brackets enclose text that is not printed to the screen, such as passwords, and are used in
contexts in which the italic document convention is not available, such as ASCII text.
! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also
displayed by the Cisco IOS software for certain processes.)
[ ] Square brackets enclose default responses to system prompts.
The following conventions are used to attract the attention of the reader:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Note Means reader take note. Notes contain suggestions or references to material not covered in the
manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation and technical support at this URL:
http://www.cisco.com/techsupport
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link. Choose Cisco Product Identification
Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link
under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree
view; or for certain products, by copying and pasting show command output. Search results show an
illustration of your product with the serial number label location highlighted. Locate the serial number
label on your product and record the information before placing a service call.
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to share
questions, suggestions, and information about networking products and technologies with Cisco
experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
This chapter provides tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes, page xxxiii
• Getting Help, page xxxiv
• Using the no and default Forms of Commands, page xxxviii
• Saving Configuration Changes, page xxxviii
• Filtering Output from the show and more Commands, page xxxix
• Finding Additional Feature Support Information, page xxxix
For an overview of Cisco IOS software configuration, see the Cisco IOS Configuration Fundamentals
Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the “About
Cisco IOS Software Documentation for Release 12.4” chapter.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode.
Table 1 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.
For more information on command modes, see the “Using the Cisco IOS Command-Line Interface”
chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Command Purpose
help Provides a brief description of the help system in any command mode.
abbreviated-command-entry? Provides a list of commands that begin with a particular character string. (No space
between command and question mark.)
abbreviated-command-entry<Tab> Completes a partial command name.
Command Purpose
? Lists all commands available for a particular command mode.
command ? Lists the keywords or arguments that you must enter next on the command line.
(Space between command and question mark.)
Command Comment
Router> enable Enter the enable command and
Password: <password> password to access privileged EXEC
Router#
commands. You are in privileged
EXEC mode when the prompt changes
to Router#.
Router# configure terminal Enter the configure terminal
Enter configuration commands, one per line. End with CNTL/Z. privileged EXEC command to enter
Router(config)#
global configuration mode. You are in
global configuration mode when the
prompt changes to Router(config)#.
Command Comment
Router(config)# interface serial ? Enter interface configuration mode by
<0-6> Serial interface number specifying the serial interface that you
Router(config)# interface serial 4 ?
/
want to configure using the interface
Router(config)# interface serial 4/ ? serial global configuration command.
<0-3> Serial interface number
Enter ? to display what you must enter
Router(config)# interface serial 4/0 ?
<cr> next on the command line. In this
Router(config)# interface serial 4/0 example, you must enter the serial
Router(config-if)# interface slot number and port number,
separated by a forward slash.
When the <cr> symbol is displayed,
you can press Enter to complete the
command.
You are in interface configuration mode
when the prompt changes to
Router(config-if)#.
Router(config-if)# ? Enter ? to display a list of all the
Interface configuration commands: interface configuration commands
.
.
available for the serial interface. This
. example shows only some of the
ip Interface Internet Protocol config commands available interface configuration
keepalive Enable keepalive commands.
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an
interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable
name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Command Comment
Router(config-if)# ip ? Enter the command that you want to
Interface IP configuration subcommands: configure for the interface. This
access-group Specify access control for packets
accounting Enable IP accounting on this interface
example uses the ip command.
address Set the IP address of an interface Enter ? to display what you must enter
authentication authentication subcommands
next on the command line. This
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface example shows only some of the
cgmp Enable/disable CGMP available interface IP configuration
directed-broadcast Enable forwarding of directed broadcasts commands.
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Router(config-if)# ip address ? Enter the command that you want to
A.B.C.D IP address configure for the interface. This
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
example uses the ip address command.
Enter ? to display what you must enter
next on the command line. In this
example, you must enter an IP address
or the negotiated keyword.
A carriage return (<cr>) is not
displayed; therefore, you must enter
additional keywords or arguments to
complete the command.
Router(config-if)# ip address 172.16.0.1 ? Enter the keyword or argument that you
A.B.C.D IP subnet mask want to use. This example uses the
Router(config-if)# ip address 172.16.0.1
172.16.0.1 IP address.
Enter ? to display what you must enter
next on the command line. In this
example, you must enter an IP subnet
mask.
A <cr> is not displayed; therefore, you
must enter additional keywords or
arguments to complete the command.
Command Comment
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ? Enter the IP subnet mask. This example
secondary Make this IP address a secondary address uses the 255.255.255.0 IP subnet mask.
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0 Enter ? to display what you must enter
next on the command line. In this
example, you can enter the secondary
keyword, or you can press Enter.
A <cr> is displayed; you can press
Enter to complete the command, or
you can enter another keyword.
Router(config-if)# ip address 172.16.0.1 255.255.255.0 In this example, Enter is pressed to
Router(config-if)# complete the command.
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
For more information on the search and filter functionality, see the “Using the Cisco IOS Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
This roadmap lists the features documented in the Cisco IOS Service Selection Gateway Configuration
Guide and maps them to the modules in which they appear.
Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The Cisco Service Selection Gateway (SSG) is a Cisco IOS software feature set that works with the
Cisco Subscriber Edge Services Manager (SESM) and other components to provide a subscriber edge
services solution. SESM is used to deliver on-demand subscriber services across any SSG-enabled
network. SSG provides on-demand service enforcement within the Cisco network. As part of a
subscriber edge services solution, SSG provides subscriber authentication, service selection, and service
connection capabilities to subscribers of Internet services.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG, page 7
• Restrictions for SSG, page 7
• Information About SSG, page 8
• Where to Go Next, page 14
• Additional References, page 14
SESM
Registration - Personalized content
- List of subscribed services
- Access to walled gardens
- On-demand, billable services
Mobile
Access Wi-Fi
networks DSL
Laptop Cable
PDA Ethernet
Cisco SSG
Mobile
Walled gardens Internet
Basic
Video Voice
Internet
Premium
services
127101
Corporate
VPN
A subscriber edge services solution provides robust, highly scalable subscriber authentication, service
selection, and service connection capabilities to subscribers in broadband and mobile environments.
Web Portals
Subscriber Edge Services support web browser (HTTP) redirection or “captivation” of unauthenticated
users to specific web pages. Web pages may be customized and personalized according to device,
connection type, location, and other characteristics. This capability supports branding and targeted
point-of-sale messaging. Service redirection and captivations are available to raise system messages or
advertising at any time during a session.
Subscriber Self-Care
Subscriber Edge Services support subscriber account self-management. Subscribers can change their
own account details (such as address, phone number, and password) and create and manage
sub-accounts. Account self-registration and service self-subscription allow subscribers to fill in their
initial account details and sign up for new services without assistance. Self-care improves customer
satisfaction and reduces operational expenses.
Open Access
Open access is an important trend in the access-provider industry. Regulators in an increasing number
of countries are demanding that access providers provide equal-access service to competing Internet
service providers (ISPs). SSG can enable access providers to deploy services through multiple ISPs,
allowing the consumer to choose their preferred ISP.
SSG
SSG is the Cisco IOS feature set that controls user access at the edge of an IP network. SSG is deployed
at network access control points, and subscribers connect to service destinations through SSG. The role
of SSG is to identify and authenticate subscribers and then load a subscriber-specific profile that governs
the network services that the subscriber is entitled to access.
SESM
SESM is a software toolkit that interacts with SSG to control the user experience at the network edge by
providing a set of web-based interactive applications. These applications interact with the user to obtain
identity and credentials for authentication and payment. SESM web applications also interact with the
user to provide service selection, subscriber account self-management, and self-subscription. These
applications can be personalized, localized, and customized to display advertisements and notifications
according to where the user connects to the network and with which device.
AAA Server
An authentication, authorization, and accounting (AAA) server is used in a subscriber edge services
solution as the data repository for service, subscriber, and policy information. SSG is designed to work
with two types of servers: RADIUS-based AAA servers that accept vendor-specific attributes (VSAs)
and Lightweight Directory Access Protocol (LDAP) directories.
Note In order to use an LDAP directory, SSG must be used with SESM, and SESM must be configured for
LDAP mode. For information on creating and maintaining subscriber, service, and policy information in
an LDAP directory, refer to the Cisco Subscriber Management Guide.
Services
The term services means different things in different contexts. At the most fundamental and technical
level, a service is defined in networking terms as a network destination: a subset of the service network.
From a router perspective, a network destination is defined in terms of interfaces, next-hop definitions,
and IP definitions.
Services have attributes. Some of these attributes refer to whether and how the user must be
authenticated to access the services; other service attributes allow access filters and determine usage
limits and quotas. The collection of attributes is known as a service profile.
At the user level, services may be described in more businesslike terms: free services versus fee-based
services, gold service versus bronze, service selection, subscriber self provisioning, and so on. From the
service provider perspective, a subscriber is defined by means of a user profile, which determines the
services to which the subscriber is entitled.
These are examples of services that providers can offer:
• VPN services—Level 2 and Level 3 VPNs, irrespective of the type of transport. The services may
include telecommuter access to corporate, or equal access to a number of different ISPs from an
access provider.
• Filter services—Services that are implemented in the edge device or some inline device that limits
access in some way, like firewalls, SPAM filters, virus filters and others.
• Prepaid services
• Content Service Gateways (CSGs):—Used to charge per page or unit of content (such as mp3 or gif
files).
• Tiered Internet access—(for example bronze, silver, or gold)
• Dynamic bandwidth on demand
• Integrated voice and data
• Internet gaming and multimedia services
• Distance learning services
• Video on demand
• Peer-to-peer application control (for example, constraining bandwidth available for music
downloads)
• Higher bandwidth for premium users, irrespective of applications
AAA Directory
Server
PC SESM
DSL Corporate
VPN
WAP
Internet
SSG
GGSN
PDA Gaming
Subscribers access the SESM web portal application using any web browser on a variety of devices, such
as a desktop computer over DSL, a cellular phone over GPRS or CDMS, or a PDA over a WLAN.
Depending on how SSG has been configured, unauthenticated users can either be forwarded to the SESM
captive portal or automatically logged into the network. Service providers can thus use the SSG feature
set of the router to design a service selection access network.
Subscribers can use SESM to manager their accounts, subscribe to new services, and select those
services that they want to use. Service providers can use a subscriber edge services solution to offer and
advertise value-added services and to associate these services with their brand identities.
Where to Go Next
SSG configuration tasks are described in the following modules:
• Implementing SSG: Initial Tasks—this process explains how to enable SSG and establish
communication with the AAA server and SESM.
• Configuring SSG to Serve as a RADIUS Proxy—this module describes the types of deployments
that use SSG as a RADIUS proxy and how to configure them.
• Configuring SSG to Authenticate Subscribers—the following processes explain how to configure
SSG to authenticate subscribers according to the method of subscriber login.
– Configuring SSG to Authenticate Web Logon Subscribers
– Configuring SSG to Authenticate PPP Subscribers
– Configuring SSG to Authenticate Subscribers with Transparent Autologon
– Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
– Configuring SSG for On-Demand IP Address Renewal
– Configuring SSG Support for Subnet-Based Authentication
– Configuring SSG for MAC-Address-Based Authentication
• Configuring SSG for Subscriber Services—this process describes how to configure SSG to create
services and allow subscribers to use them.
• Configuring SSG to Log Off Subscribers—this process explains how to configure methods of
subscriber logoff, such as SSG autologoff and timeouts.
• Configuring SSG Accounting—this process explains how to configure SSG support for subscriber
accounting and billing, including per-service accounting, broadcast accounting, and prepaid
services.
• RADIUS Profiles and Attributes for SSG—this module describes RADIUS profiles and their
attributes.
Additional References
The following sections provide references related to configuring SSG.
Related Documents
Related Topic Document Title
Configuring SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Configuring L2TP Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS Dial Technologies Command Reference, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
This document describes the initial tasks you need to perform to enable SSG on the router and to
establish SSG communication with other key components of the network, including Subscriber Edge
Services Manager (SESM) and the authentication, authorization, and accounting (AAA) server.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for Implementing SSG, page 17
• Restrictions for Implementing SSG, page 18
• How to Establish Initial SSG Communication, page 18
• Configuration Examples for Establishing Initial SSG Communication, page 35
• Where To Go Next, page 39
• Additional References, page 40
• Feature Information for Implementing SSG, page 40
Interfaces
SSG is supported on all logical and physical interfaces on which Cisco Express Forwarding (CEF)
switching is supported. This includes physical interfaces such as ATM, Ethernet, and
Packet-over-SONET (POS), and logical interfaces such as GRE, 802.1q virtual LANs, and
Point-to-Point Protocol (PPPoX).
CEF Switching
IP CEF must be enabled globally before SSG will work.
AAA or LDAP
An authentication, authorization, and accounting (AAA) RADIUS server or LDAP server are typically
used to authenticate subscribers and to store subscriber and service profiles.
Enabling SSG
Perform this task to enter global configuration and enable SSG on the router.
Note This task must be performed before any other SSG functionality can be configured.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip cef
4. ssg enable
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip cef Enables global IP CEF.
Example:
Router(config)ip cef
Step 4 ssg enable Enables SSG.
Example:
Router(config)# ssg enable
Interface Direction
SSG implements service selection through selective routing of IP packets to destination networks on a
per-subscriber basis. SSG uses the concept of interface direction (uplink or downlink) to help determine
the forwarding path of incoming packets. An uplink interface is an interface towards the services; a
downlink interface is an interface towards the subscribers. You can configure interface direction for a
single interface or a range of subinterfaces at once.
Note If a service is configured for multiple uplink interfaces, downstream traffic is allowed on all of the
interfaces for any service bound to even one of those interfaces.
If a host has a connection that uses NAT to one of the services on a set of redundant uplink interfaces,
all traffic from a user to any of the uplink interfaces uses NAT.
SSG interface redundancy can be configured for pass-through and proxy services, including open garden
services, walled garden services, and the default network. This feature is supported on all physical and
logical interfaces that SSG supports.
SSG uplink interface redundancy is configured by binding a service to more than one interface or next
hop and grouping the redundant interfaces to ensure that SSG treats them similarly. See the “Configuring
Services for Subscribers” module for information about how to bind services. To group redundant uplink
interfaces, see the “Setting SSG Interface Direction for an Individual Interface” section on page 23
The SSG Downlink Interface Redundancy feature can be configured with or without the Port-Bundle
Host-Key (PBHK) feature. When PBHK is disabled, downlink interface redundancy is the default
behavior. When PBHK is enabled, you must disable SSG’s support of overlapping host IP addresses with
the no host overlap command. For more information on configuring PBHK, see the “Configuring SSG
Port-Bundle Host-Key Functionality” section on page 27.
Figure 3 shows an example of SSG interface redundancy configured to support multiple next-hop
IP addresses per service. In this type of topology, each next hop is routable on a different uplink
interface. SSG forwards traffic to the appropriate next hop on the basis of the distance metric assigned
to it.
Next hop 1
Uplink 1
SSG Service
103656
Uplink 2
Next hop 2
Figure 4 shows an example of SSG interface redundancy configured to support multiple uplink
interfaces that share a single next hop. In this type of topology, routing to the service is governed by the
active route to the next-hop IP address, as dictated by the global routing table.
Figure 4 Multiple Uplink Interfaces with a Single Next Hop: Sample Topology
Uplink 1
103657
Uplink 2
Figure 5 shows an example of SSG interface redundancy configured to support multiple uplink
interfaces that are directly connected to the service.
Uplink 1
SSG Service
103658
Uplink 2
Combination of Directly Connected Uplink Interfaces and Interfaces with Next Hops
Figure 6 shows an example of SSG interface redundancy configured to support an uplink interface that
is directly connected to the service and an uplink interfaces with a next hop.
Figure 6 Combination of Directly Connected Uplink Interfaces and Interfaces with Next Hops:
Sample Topology
Uplink 1
103659
SSG Service
Uplink 2
Restrictions
When you configure a range of ATM permanent virtual circuits (PVCs) using the range command, you
cannot use the ssg direction command on an individual subinterface. All members of a range must have
the same direction.
An interface that does not exist will not be created as a result of the ssg direction command.
Before you can change a direction from uplink to downlink, or the opposite, you must use the no ssg
direction command to clear the direction. If you do not, you will receive an error message similar to the
following:
Changing direction from Downlink to Uplink is denied for interface interface
Please use ‘no ssg direction downlink’ to clear the previous bind direction
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config-if)# exit
Step 4 Repeat steps 1 to 3 for each interface for which you want to configure direction.
several ATM subinterfaces getting created implicitly, as explained in the guide: ATM PVC Range and
Routed Bridge Encapsulation Subinterface Grouping. In this case, all ATM subinterfaces in this PVC
range will inherit the same SSG bind direction.
Perform this task to configure a range of subinterfaces as uplink or downlink. An uplink interface is an
interface to services; a downlink interface is an interface to subscribers.
Restrictions
All subinterfaces in a range must have the same direction. If you try to specify the direction of an
interface that is part of a PVC range, you receive an error similar to the following:
PVC Range: Configuring interface is not allowed.
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# interface ATM 1/0.1
point-to-point
Step 2 ssg direction {downlink | uplink [member Sets the direction of the subinterfaces.
group-name]}
• An uplink interface is an interface to services; a
downlink interface is an interface to subscribers.
Example:
Router(config-subif)# ssg direction downlink
Step 3 pvc vpi/vci Defines a PVC
• Use this command to define the permanent virtual
Example: connection (PVC).
Router(config-subif)# pvc 1/32
Step 4 range [range-name] pvc start-vpi/start-vci Defines a PVC range.
end-vpi/end-vci
• Use this command if a range was not already defined.
You can also use this command after the ssg direction
Example: command, with the same effect.
Router(config-subif)# range MyRange pvc 1/32
1/42
SUMMARY STEPS
DETAILED STEPS
Example:
Router# show ssg interface brief
Example
The following examples of output for the show ssg interface command show information about SSG
interface binding:
Router# show ssg interface
Interface: Ethernet1/1
Bind Direction: Downlink
Binding Type: Static
Interface: ATM4/0.40
Bind Direction: Downlink
Binding Type: Static
Interface: ATM4/0.140
Bind Direction: Uplink
Binding Type: Static
Services bound: NONE
Note On SSG platforms that support PXF forwarding engine, SSG typically forwards packets to and from the
default network through the router’s PXF forwarding engine. However, SSG also forwards default
network traffic through the route processor (RP) as follows:
Packets from the Default Network and Destined for an SSG User
SSG forwards the packets through the RP if either of the following conditions are met:
• The port-bundle host-key is enabled.
• The port-bundle host-key is disabled, TCP is the transport protocol, and the packets are associated
with an active TCP redirect mapping.
Otherwise, SSG forwards the packets through the PXF forwarding engine.
SUMMARY STEPS
DETAILED STEPS
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# ssg radius-helper key MyKey
Step 2 ssg radius-helper [auth-port UDP-port-number] Specifies the port on which SSG will listen for SESM
[acct-port UDP-port-number] commands (SSG is the server). The default port
number for authentication packets is 1645, and the
Example: default port number for accounting packets is 1646.
Router(config)# ssg radius-helper [auth-port 1645]
[acct-port 1646]
Step 3 ssg radius-helper access-list (Optional) Specifies the access list to be applied to
traffic from SESM.
Example:
Router(config)# ssg radius-helper [access-list]
Step 4 ssg radius-helper validate (Optional) Enables the validation of SESM IP
addresses.
Example: • SSG will only accept commands from validated
Router(config)# ssg radius-helper validate IP addresses.
Attr ID Vendor ID Sub Attr ID and Type Attr Name Sub Attr Data
26 9 250 Account-Info Subscriber IP S<subscriber-ip-address>[:<port-bundle-number>
]
• S—Account-Info code for subscriber IP.
• <subscriber IP address>:<port-bundle
number>—The port-bundle number is only
used if the SSG Port-Bundle Host-Key feature
is configured.
For each new subscriber, SSG assigns a new port-bundle. The number of port-bundles is limited, but you
can assign multiple SSG source IP addresses to accommodate more subscribers. If the subscriber logs
in, SSG maintains the port-bundles as long as the host is active. If the subscriber does not log in, SSG
will recycle the port-bundle after a period of inactivity.
For each new TCP session between a subscriber and the SESM server, SSG uses one port from the port
bundle for the port mapping. Port mappings are flagged as eligible for reuse on the basis of inactivity
timers, but are not explicitly removed once assigned. The number of port bundles is limited, but you can
assign multiple SSG source IP addresses to accommodate more subscribers.
Port-Bundle Length
The port-bundle length determines the number of ports that are assigned to one subscriber
(number-of-ports = 2 ^ port-bundle length). By default, the port-bundle length is 4 bits, which yields 16
ports available for each subscriber. The maximum port-bundle length is 10 bits, which would support
1024 concurrent sessions to SESM. See Table 2 for available port-bundle length values, the number of
ports-per-bundle, and the number of bundles-per-IP address. Increasing the port-bundle length can be
useful when you see frequent error messages about running out of ports in a port bundle.
Note For each SESM server, all connected SSGs must have the same port-bundle length, which must
correspond to the configured value given in the SESM server’s BUNDLE_LENGTH argument. If you
change the port-bundle length on an SSG, be sure to make the corresponding change in the SESM
configuration.
Note SSG source IP addresses configured with the source ip command must be routable by SESM. This is the
IP addresses that SESM will receive for subscriber traffic.
SUMMARY STEPS
1. ssg port-map
2. destination range port-range-start to port-range-end [ip ip-address]
3. destination access-list access-list-number
DETAILED STEPS
SUMMARY STEPS
1. show running-config
2. show ssg port-map status [free | inuse | reserved]
3. show ssg port-map ip ip-address port port-number
DETAILED STEPS
Step 1 To verify the SSG Port-Bundle Host-Key configuration, use the show running-config command in
privileged EXEC mode.
Step 2 To display a summary of all port-bundle groups, use the show ssg port-map status command with no
keywords:
Router# show ssg port-map status
Bundle-length = 4
Bundle-groups:-
Use the show ssg port-map status command with the free, reserved, or inuse keyword to display port
bundles with the specified status:
Router# show ssg port-map status inuse
64 10.10.3.1 Virtual-Access2
Step 3 To display information about a specific port bundle, use the show ssg port-map ip command:
Router# show ssg port-map ip 70.13.60.2 port 64
State = IN-USE
Port-mappings:-
Prerequisites
In order for SSG to communicate with SESM and the AAA servers, the AAA servers must be configured
correctly. See the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference
for the AAA and RADIUS commands and tasks for configuring AAA servers.
SUMMARY STEPS
DETAILED STEPS
Step 1 ssg service-password password Sets the password used to authenticate the SSG with
the local AAA server while downloading service
profiles.
Example:
Router(config)# ssg service-password password • This value must match the value configured for
the AAA server service profiles.
SUMMARY STEPS
DETAILED STEPS
Example:
Router# show ssg connection 19.1.1.19 InstMsg
Step 2 show ssg host [ip-address [interface] | (Optional) Displays the information about a subscriber and
username] current connections of the subscriber.
Example:
Router# show ssg host 10.3.1.1
Step 3 show ssg port-map ip ip-address port (Optional) Displays the following information about a port
port-number bundle:
• Port maps in the port bundle
Example:
Router# show ssg port-map ip 10.13.60.2 port 64
• Subscriber’s IP address
• Interface through which the subscriber is connected
Step 4 show ssg port-map status [free | reserved | (Optional) Displays information on port-bundle groups,
inuse] including the following:
• List of port-bundle groups
Example:
Router# show ssg port-map status
• Port-bundle length
• Number of free, reserved, and in-use port bundles in
each group
Step 5 show ssg interface [interface | brief] (Optional) Displays information about SSG interfaces.
• Use this command without any keywords or arguments
Example: to display information about all SSG interfaces.
Router# show ssg interface atm 3/0.10
Step 6 show ssg summary (Optional) Displays a summary of the SSG configuration.
• Use this command to display information such as which
Example: SSG features are enabled, how many users are active,
Router# show ssg summary how many services are active, and what filters are
active.
Example:
Router# clear ssg connection 10.18.1.1 Service1
Step 8 clear ssg host ip-address interface (Optional) Removes or disables a given host or subscriber.
Example:
Router# clear ssg host 192.168.1.1 fastethernet
1. debug radius
2. debug ssg port-map {events | packets}
DETAILED STEPS
Example:
Router # debug ssg port-map events
!
interface ethernet 1/0
ip address 10.0.1.1 255.255.255.0
ssg direction uplink member service-groupA
!
interface ethernet 2/0
ip address 10.0.2.1 255.255.255.0
ssg direction uplink member service-groupA
!
ip route 10.1.1.1 255.255.255.255 eth 1/0 10
ip route 10.1.1.1 255.255.255.255 eth 2/0 20
!
!
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization network ssg_aaa_author_internal_list none
aaa accounting network default start-stop group radius
!
! Enables CEF
ip cef
!
! Enables SSG
ssg enable
### Configures password for service-profile download
ssg service-password servicecisco
!
!
! Configures SSG-SESM API communication
ssg radius-helper auth-port 1812 acct-port 1813
ssg radius-helper key cisco
!
! Configures SSG port-bundle host-key
ssg port-map
destination range 80 to 80 ip 192.168.2.55
destination range 443 to 443 ip 192.168.2.55
destination range 8090 to 8101 ip 192.168.2.55
source ip Loopback10
source ip Loopback11
!
! Configures an interface towards services (uplink interface)
interface FastEthernet1/0.1
description SSG-Service internet
encapsulation dot1Q 10
ip address 10.1.1.41 255.255.255.0
ip nat outside
ip nbar protocol-discovery
no ip mroute-cache
ssg direction uplink
!
! Configures an interface towards subscribers (downlink interface)
interface FastEthernet2/0.1
description Subscriber Access
encapsulation dot1Q 70
ip address 10.1.1.1 255.255.255.0
ssg direction downlink
!
! Configures SSG communication with the RADIUS server
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute nas-port format d
radius-server host 192.168.2.62 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 30
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
Where To Go Next
• TBD
Additional References
The following sections provide references related to establishing SSG connectivity.
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks Cisco IOS Security Configuration Guide, Release 12.4
MIBs
MIBs MIBs Link
The Service Selection Gateway MIB enables network To locate and download MIBs for selected platforms, Cisco IOS
administrators to use Simple Network Management releases, and feature sets, use Cisco MIB Locator found at the
Protocol (SNMP) to monitor and manage SSG. The following URL:
SSG MIB contains objects that correspond to and allow http://www.cisco.com/go/mibs
the monitoring of several important SSG features.
For detailed list of MIB objects and their definitions,
see the CISCO-SSG-MIB.
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
For information on a feature in this technology that is not documented here, see the Service Selection
Gateway Features Roadmap.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Note Table 6 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The RADIUS proxy feature is principally an insertion mechanism to allow an SSG device to be
introduced to a network with minimum disruption to the existing network access server (NAS) and
authentication, authorization, and accounting (AAA) server(s). By acting as a proxy between a NAS
using RADIUS authentication (which may or may not be Cisco equipment) and a AAA server, SSG is
able to “sniff” the RADIUS flows and transparently create a corresponding SSG session, on successful
authentication of the subscriber. This provides an autologon facility with respect to SSG for subscribers
that are authenticated by devices that are closer to the network edge. This document describes the types
of deployments that use SSG as a RADIUS proxy and how to configure them.
Module History
This module first published May 2, 2005, and last updated May 2, 2005.
Contents
• Prerequisites for SSG RADIUS Proxy, page 43
• Restrictions for SSG RADIUS Proxy, page 44
• Information About SSG Authentication Using RADIUS Proxy, page 44
• How to Configure SSG RADIUS Proxy, page 46
• Configuration Examples for SSG Authentication of RADIUS Proxy Subscribers, page 71
• Where to Go Next, page 76
• Additional References, page 77
• Feature Information for SSG RADIUS Proxy, page 77
Before you can configure SSG as a RADIUS proxy, you must first configure the RADIUS clients and
the RADIUS servers.
When configured as a RADIUS proxy, SSG transparently proxies all RADIUS requests generated by a
client device and all RADIUS responses generated by the corresponding AAA server, as described in
RFCs 2865, 2866 and 2869.
This RADIUS proxy functionality is largely agnostic to the type of client device, e.g. GGSN, PDSN,
WLAN AP etc. and supports standard authentication (i.e. a single Access-Request/Response exchange)
using both PAP and CHAP, Access-Challenge packets, and also EAP mechanisms (RFC 2869). Of the
various types of EAP authentication in existence (which differ, for example, in the transport mechanism
for the session keys), EAP-SIM and EAP-TLS are supported.
Where authentication and accounting requests originate from separate RADIUS client devices, SSG will
associate all requests to the appropriate session through the use of certain correlation rules. This may
occur for centralized PWLAN deployments, wherein authentication requests originate from the WLAN
AP while accounting requests are generated by the AZR. The association of the disparate RADIUS
flows to the underlying session is performed automatically where the combination of username (attribute
1) and calling-station-id (attribute 31, if present) is sufficient to make the association reliable. However,
in some cases, configuration (i.e. the specification of additional attributes for use as correlation keys) is
required to coerce the correct association.
Following a successful authentication, authorization data gleaned from the RADIUS response is applied
to the corresponding SSG session.
Termination of a session created via RADIUS proxy operation is generally effected by receipt of an
Accounting-Stop packet with an appropriate session. Accounting-On/Off from a RADIUS client will
result in the termination of all SSG sessions hosted by that client.
Note The host-route insert command does not apply to Auto-domain users that are not RADIUS-Proxy users.
These users always have an IP address before any SSG involvement and so SSG would never be able to
insert a static route.
When a host object is created, SSG checks to see if the host is reachable (on the correct interface) by an
existing route and adds the static route only if it is not, and the insertion of host routes is enabled.
For the case where insertion of host routes is disabled, an "unrouted" timer may also be defined. If
configured this timer is started when a host object is created with an unroutable IP address. If this IP
address does not become routable (e.g. due to a routing protocol update) before the timer expires , then
the host object is destroyed.
SUMMARY STEPS
1. ssg radius-proxy
2. server-port [auth auth-port][acct acct-port]
3. client-address ip-address [mask] key secret
4. forward accounting-start-stop [server-group group-name]
5. no host-route insert
6. exit
DETAILED STEPS
Example:
Router(config-radius-proxy)# end
SUMMARY STEPS
1. ssg radius-proxy
2. client-address [ip-address]
3. key [secret]
4. session-identifier {auto | msid | correlation-id | accounting-session-id | ip | username}
5. remove vsa {3gpp2 | cisco}
DETAILED STEPS
Router(config-radproxy-client)# remove
vsa cisco
SUMMARY STEPS
1. ssg proxy-radius
2. server-port [auth auth-port][acct acct-port]
3. timeouts
4. hand-off timeout
5. idle timeout
6. ip-address timeout
7. msid timeout retry retries
DETAILED STEPS
Example:
Router(config-radius-proxy)# timeouts
Step 4 hand-off timeout Configures the RADIUS Proxy hand off timeout. Valid
range is 1 to 30 seconds.
Example:
Router(config-radproxy-timer)# hand-off 30
Step 5 idle timeout [reset-mode {radius | mixed}] Configures a host object timeout value. Valid range is 30 to
65536 seconds.
Example: • reset-mode—Specifies the type of traffic that resets
Router(config-radproxy-timer)# idle 150 the idle timer.
• radius—Resets the timer exclusively by RADIUS
traffic
• mixed—Resets the timer by both data traffic and
RADIUS traffic.
• If the reset mode is not set, by default the idle timer
resets on receipt of data traffic.
Step 6 session timeout Configures the global session timeout for RADIUS proxy
sessions. Valid range is from 30 to 65535. There is no
default value.
Example:
Router(config-radproxy-timer)# session 100
Step 7 ip-address timeout Configures an SSG RADIUS Proxy IP address timeout.
Valid range is 1 to 30 seconds.
Example:
Router(config-radproxy-timer)# ip-address 25
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config-sg-radius)# exit
Step 5 aaa group server radius group-name Configures the second, redundant RADIUS server.
Example:
Router(config)# aaa group server radius
myservergroup2
Step 6 server ip-address Configures the IP address of the second RADIUS server for the
[auth auth-port][acct acct-port] group server.
Example:
Router(config-sg-radius)# server 1.2.3.5
[auth 1645][acct 1646]
Step 7 Repeat Step 6 to configure additional RADIUS servers.
Example:
Router(config-sg-radius)# exit
Step 9 aaa accounting network Enables AAA accounting of requested services for billing or
ssg_broadcast_accounting start-stop security purposes when you use RADIUS.
broadcast group group-name group
group-name • ssg_broadcast_accounting—Configures the broadcast
group.
Example: • start-stop—Sends a “start” accounting notice at the
Router(config)# aaa accounting network beginning of a process and a “stop” accounting notice at the
ssg_broadcast_accounting start-stop end of a process. The “start” accounting record is sent in the
broadcast group myservergroup1 group background. The requested user process begins regardless of
myservergroup2
whether the “start” accounting notice was received by the
accounting server.
• broadcast—Enables sending accounting records to multiple
AAA servers. Simultaneously sends accounting records to
the first server in each group. If the first server is unavailable,
failover occurs using the backup servers defined within that
group.
• group group-name—Uses a subset of RADIUS servers for
accounting as defined by the server group group-name
command.
Prerequisites
Before you configure RADIUS Proxy in GPRS networks, you must complete the steps in Enabling SSG
Autologon Using RADIUS Proxy, page 46.
Prerequisites
PDSN
• All RADIUS packets (including Access-Request packets for the Cisco variant of Module Subscriber
Identity (MSID) based access) generated by the PDSN must contain the 3GPP2-Correlation-ID
VSA.
• Access-Request packets for the Cisco variant of MSID-based access generated by the PDSN must
contain the 3GPP2-Correlation-ID Vendor Specific Attribute (VSA).
• Accounting-Start packets generated by the PDSN must contain the 3GPP2-IP-Technology VSA.
HA
• No RADIUS packets generated by the HA can contain the 3GPP2-Correlation-ID VSA.
Note The following HA prerequisites are not standard HA behavior and must be configured.
Miscellaneous
• RADIUS Access-Accept packets sent by the RADIUS server must contain the
3GPP2-IP-Technology VSA.
Restrictions
SSG RADIUS Proxy for CDMA2000 requires non standard extensions to the Home Agent behavior. See
Prerequisites, page 56 for more information.
In Auto-domain mode, SSG bypasses user authentication at the Network Attached Storage (NAS)
Authentication, Authorization and Accounting (AAA) server. SSG instead downloads a generic profile
for the specified Auto-domain. This profile may be a service profile for simple Auto-domain or a virtual
user profile in extended mode Auto-domain. When SSG is acting as a RADIUS Proxy in a CDMA2000
network, the profile returned in an Access-Accept from the AAA server must contain the
3GPP2-IP-Technology VSA to indicate to SSG whether this call setup is for a Simple IP call or for a
Mobile IP call. Even if a network supports only one type of user (either all Simple IP users or all Mobile
IP users), the Access-Accept packets received from the AAA must contain the 3GPP2-IP-Technology
VSA. In networks that support only one type of user, the Auto-domain profiles can be formatted to
contain the correct attribute. In networks that support both Mobile IP and Simple IP users
simultaneously, the Access-Accept packets must contain the correct attribute for the type of user. The
AAA server must be able to modify the contents of the generic Auto-domain profile so that it contains
the correct VSA. SSG must receive a real rather than a cached response from the AAA server for each
user logon. SSG Service Profile Caching must be disabled when SSG Auto-domain is enabled and SSG
is acting as a RADIUS Proxy in a CDMA2000 network that supports both Simple IP and Mobile IP users.
CDMA
Code Division Multiple Access (CDMA) is a digital spread-spectrum modulation technique used mainly
with personal communications devices such as mobile phones. CDMA digitizes the conversation and
tags it with a special frequency code. The data is then scattered across the frequency band in a
pseudorandom pattern. The receiving device is instructed to decipher only the data corresponding to a
particular code to reconstruct the signal.
For more information about CDMA, see the “CDMA Overview” knowledge byte on the Mobile Wireless
Knowledge Bytes web page:
http://www.cisco.com/warp/public/779/servpro/solutions/wireless_mobile/training.html.
CDMA2000 Radio Transmission Technology (RTT) is a wideband, spread-spectrum radio interface that
uses CDMA technology to satisfy the needs of third generation (3G) wireless communication systems.
CDMA2000 is backward compatible with CDMA.
For more information about CDMA2000, refer to the “CDMA2000 Overview” knowledge byte on the
Mobile Wireless Knowledge Bytes web page:
http://www.cisco.com/warp/public/779/servpro/solutions/wireless_mobile/training.html
AAA
Corporate
VPN
IP core
ISP
Access SSG
network WAP/Content
PDSN/FA gateway
Mobile BSC,
station BTS PCF
HA
75773
Radio Access Network (RAN)
Key to Figure 7
Item Description
BTS Base Transceiver Station
BSC Base Station Controller
PCF Packet Control Function
PDSN/FA Packet Data Serving Node / Foreign Agent
VPN Virtual Private Network
only when it receives an Accounting-Stop request with the 3GPP2-Session-Continue VSA set to
“FALSE” or when a subsequent Accounting-Start request is not received within a configured timeout.
PPP renegotiation during a PDSN hand off is treated as a new session.
In SSG RADIUS Proxy for CDMA2000 for Simple IP, the end-user IP address may be assigned statically
by the PDSN, RADIUS server, or SSG. The end-user IP address can also be assigned directly from the
Auto-domain service.
Network Address Translation (NAT) is automatically performed when necessary. NAT is generally
necessary when IP address assignment is performed by any mechanism other than directly from the
Auto-domain service (which may be a VPN). You can also configure SSG to always use NAT.
If the user profile contains Cisco attribute-value (AV) pairs of Virtual Private Dialup Network (VPDN)
attributes, SSG initiates Layer 2 Tunneling Protocol (L2TP) VPN.
SUMMARY STEPS
1. ssg proxy-radius
2. home-agent address [ip-address]
3. home-agent domain [domain-name] address [ip-address]
DETAILED STEPS
Example:
Router(config-radius-proxy)# home-agent
domain mydomain.com address 1.2.3.8
SUMMARY STEPS
DETAILED STEPS
The following example shows host object information for Mobile IP:
Router# show ssg host 10.0.0.101
Prerequisites
The SSG EAP Transparency features operates in the environment described in the “SSG EAP
Environment” section on page 63. Before you can use this feature, you must set up each of the
components of the environment, as specified in other Cisco documents.
The SSG EAP Transparency feature has the following requirements:
• You must set up the SSG RADIUS Proxy feature on the router that has SSG. It enables the SSG to
be aware of EAP authentication and process the user’s SSG service information sent in the
Access-Accept packet. You also must configure the access point (AP) and AZR as the RADIUS
Proxy client.
• The AP must use SSG as the authentication, authorization, and accounting (AAA) server for EAP
authentication.
• The AZR must use the Domain Host Configuration Protocol (DHCP) accounting feature and the
Address Resolution Protocol (ARP) log feature.
• SESM must be in RADIUS mode.
Note SSG does not terminate native EAP messages. SSG supports EAP transparency by looking at the
RADIUS packets generated by APs or switches.
• Subscriber Edge Services Manager (SESM)—An extensible set of applications for providing
support for on-demand value-added services and access control at the network edge. Together with
SSG, SESM provides subscriber authentication, service selection, and service connection
capabilities to subscribers of Internet services. Subscribers interact with an SESM web application
and portal using a standard Internet browser. In RADIUS mode, SESM obtains subscriber and
service information from a RADIUS server. (SESM in RADIUS mode is similar to the Cisco Service
Selection Dashboard (SSD), which was replaced by SESM.)
• Authentication, authorization, and accounting (AAA) server—This server validates the claimed
identity of a user device, grants access rights to a user or group, records who performed a certain
action, and tracks user connections and certain activities, such as service and network resource
usage. An AAA database is managed and accessed by a RADIUS security server.
• RADIUS server—An access server that uses the AAA protocol. It is a system of distributed security
that secures remote access to networks and network services against unauthorized access. The server
runs on a central computer, typically at the customer’s site, and the clients reside in the dialup access
servers and can be distributed throughout the network.
• Signaling System 7 (SS7) network—A system that stores information that is required for setting up
and managing telephone calls on the public switched telephone network (PSTN). The information
is stored on a network separate from the network on which the call was made. The AAA server
communicates with a Cisco IP Transfer Point (ITP), which acts as a gateway between the IP and SS7
networks. Using Mobile Application Part (MAP) messages, the system gets user service profiles
from the subscriber’s Home Location Register (HLR). In addition, the system includes an
authentication center (AuC), which provides authentication and encryption parameters to verify
each user’s identity and ensure call confidentiality.
On the client side, the EAP protocol is implemented in the EAP supplicant. The supplicant code is linked
into the EAP framework provided by the operating system; currently, supplicants exist for Microsoft
Windows XP and Windows 2000. The EAP framework handles EAP protocol messages and
communications between the supplicant and the AAA server; it also installs any encryption keys
provided to the supplicant in the client’s WLAN radio card.
On the network side, the EAP authenticator code resides on the service provider’s AAA server. Besides
handling the server side of the EAP protocol, this code is also responsible for communicating with the
service provider’s AuC. In a Cisco implementation of EAP, the AAA server communicates with a Cisco
IP transfer point (ITP). The Cisco ITP translates messages from the AAA server into standard GSM
protocol messages, which are then sent to the AuC.
EAP Transparency
The SSG EAP Transparency feature allows SSG on a Cisco router to act as a RADIUS Proxy during EAP
authentication. SSG creates the host after successful EAP authentication, so the user does not have to
log on through the web portal. Instead, the user is automatically logged in.
The AP does the authentication for the client. SSG looks like a AAA server, which proxies relevant
packets to the real AAA server. To create a host automatically, SSG has to know that the authentication
was successful. By proxying messages, it obtains this information. The IP address is not assigned until
authentication is complete, so SSG creates an inactive host and uses the MAC address as an identifier.
To get the IP address, it waits for a DHCP Accounting Start from the AZR, so the AZR must be
configured as an SSG RADIUS Proxy client.
Note If user reconnect is enabled and a user refreshes or reloads the SESM page after an account logoff, SESM
sends a query to SSG, which causes SSG to activate the host. It is recommended that users be made aware
of this behavior so they do not accidentally activate the host.
SUMMARY STEPS
1. ssg radius-proxy
2. client-address IP-address
3. key secret
4. session-identifier {auto | msid | correlation-id | accounting-session-id}
5. timeouts
6. idle timeout
or
ip-address timeout
7. exit
8. exit
9. Repeat Steps 5 to 9 to configure the AZR as a RADIUS client.
10. ssg wlan reconnect
DETAILED STEPS
Example:
Router(config-radproxy-client)# timeouts
Example:
Router(config-radproxy-timer)# exit
Step 8 exit Exits to SSG-RADIUS-Proxy configuration mode.
Example:
Router(config-radproxy-client)# exit
Step 9 Repeat Steps 5 to 9 to configure the AZR as a RADIUS
client.
Step 10 ssg wlan reconnect Enables EAP users to reconnect after logging off or having
idle time out occur.
Example:
Router(config)# ssg wlan reconnect
SUMMARY STEPS
DETAILED STEPS
Example:
Router# show ssg next-hop
Step 9 show ssg radius-proxy address-pool address-pool Displays IP address pool usage for a specific domain
[domain domain-name] [free | inuse] for an entire router.
Example:
Router# show ssg radius-proxy address-pool domain
ssg.com free
SUMMARY STEPS
DETAILED STEPS
Step 1 debug ssg ctrl packets Displays packet contents handled by control modules.
Example:
Router# debug ssg ctrl packets
Step 2 debug ssg port-map events Displays port mapping event messages.
Example:
Router# debug ssg port-map events
Step 3 debug ssg port-map packets Displays port mapping packet contents.
Example:
Router# debug ssg port-map packets
Examples
The following output is generated by using the debug ssg ctrl-packets command when a RADIUS proxy
subscriber logs out of a service:
Access-request:
3d05h:SSG-CTL-PAK:Received Packet:
sIP=5.5.5.2 sPort=1645 dIP=5.5.5.1 dPort=1645
3d05h:RADIUS:id= 91, code= Access-Request, len= 93
3d05h:RADIUS: authenticator B8 5D 3D 06 E3 2B A2 F3 - 68 E6 C5 E0 F3
1C 60 C7
3d05h:RADIUS: User-Name [1] 10 "user"
3d05h:RADIUS: User-Password [2] 18 *
3d05h:RADIUS: Called-Station-Id [30] 9 "ssg.com"
3d05h:RADIUS: Calling-Station-Id [31] 6 "1234"
3d05h:RADIUS: Framed-Protocol [7] 6 GPRS_PDP_CONTEXT
[7]
3d05h:RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
3d05h:RADIUS: NAS-Port [5] 6 0
3d05h:RADIUS: Service-Type [6] 6 Framed
[2]
3d05h:RADIUS: NAS-IP-Address [4] 6 10.1.1.102
Access-Accept:
3d05h:RADIUS:id= 91, code= Access-Accept, len= 38
3d05h:RADIUS: authenticator 62 57 FE F6 96 65 C1 79 - 18 D7 12 56 EA
28 62 73
3d05h:RADIUS: Service-Type [6] 6 Framed
[2]
3d05h:RADIUS: Idle-Timeout [28] 6 2000
3d05h:RADIUS: Framed-IP-Address [8] 6 10.1.5.10
Accounting-Request(start) to SSG:
3d05h:SSG-CTL-EVN:Received cmd (4) from proxy-client (5.5.5.2:1646)
3d05h:SSG-CTL-PAK:Received Accounting Packet:
sIP=5.5.5.2 sPort=1646 dIP=5.5.5.1 dPort=1646
3d05h:RADIUS:id= 128, code= Accounting-Request, len= 109
3d05h:RADIUS: authenticator 42 42 D8 7D EC 18 20 42 - 61 B1 03 A2 29
F8 26 56
3d05h:RADIUS: User-Name [1] 10 "user"
3d05h:RADIUS: Acct-Status-Type [40] 6 Start
[1]
3d05h:RADIUS: Acct-Session-Id [44] 10 "00001F5D"
3d05h:RADIUS: Framed-Protocol [7] 6 GPRS_PDP_CONTEXT
[7]
3d05h:RADIUS: Called-Station-Id [30] 9 "ssg.com"
3d05h:RADIUS: Calling-Station-Id [31] 6 "1234"
3d05h:RADIUS: Framed-IP-Address [8] 6 10.1.5.10
3d05h:RADIUS: Authentic [45] 6 RADIUS
[1]
3d05h:RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
3d05h:RADIUS: NAS-Port [5] 6 0
3d05h:RADIUS: Service-Type [6] 6 Framed
[2]
3d05h:RADIUS: NAS-IP-Address [4] 6 10.1.1.102
3d05h:RADIUS: Delay-Time [41] 6 0
To display control path events or errors for the host and service logon, use the debug ssg ctrl-events,
debug ssg ctrl-errors, and debug ssg errors commands.
key cisco
session-identifier msid
The following example shows how to configure SSG to identify the specified client session based on the
3GPP2-Correlation-ID attribute:
ssg enable
ssg proxy-radius
client-address 172.16.0.0
key cisco
session-identifier correlation-id
The following example shows how to configure SSG to identify the specified client session based on the
Accounting-Session-ID attribute:
ssg enable
ssg proxy-radius
client-address 172.16.0.0
key cisco
session-identifier accounting-session-id
The following example shows how to enable SSG RADIUS Proxy and to configure an idle timeout of 60
seconds:
ssg enable
ssg proxy-radius
server-port auth 1812 acct 1813
idle 60
The following example shows how to enable SSG RADIUS Proxy and to configure an IP address timeout
of 10 seconds:
ssg enable
ssg proxy-radius
server-port auth 1812 acct 1813
ip-address 60
The following example shows how to enable SSG RADIUS Proxy and to configure an MSID timeout of
3 seconds:
ssg enable
ssg proxy-radius
server-port auth 1812 acct 1813
msid 3 retry 3
The following example shows how to remove all 3GPP2 VSAs from a RADIUS response sent to a
RADIUS client:
ssg enable
ssg proxy-radius
client-address 172.16.0.0
remove vsa 3gpp2
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname host1
!
aaa new-model
!
aaa group server radius OPERATIONS
server 10.10.50.181 auth-port 1645 acct-port 1646
!
aaa group server radius RASCUSTOMER
server 10.10.50.180 auth-port 1645 acct-port 1646
!
aaa authentication login vty line
aaa authentication ppp default local group radius
aaa authorization exec vty none
aaa authorization network default local group radius none
aaa authorization network ssg_aaa_author_internal_list none
aaa accounting update periodic 1
aaa accounting network ssg_broadcast_accounting start-stop broadcast group OPERATIONS
group RASCUSTOMER
aaa nas port extended
aaa session-id common
enable password password1
!
username cisco password 0 cisco
redundancy
main-cpu
auto-sync standard
no secondary console enable
!
ip subnet-zero
ip cef
no ip domain-lookup
!
ip dhcp-client network-discovery informs 2 discovers 2 period 15
vpdn enable
vpdn search-order domain
!
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit per-mac 1000
pppoe limit per-vc 1000
!
vpdn-group 3
request-dialin
protocol l2tp
domain tunsvc
domain banking
local name dial-tunnel
!
!
!
ssg enable
ssg default-network 10.0.48.0 255.255.255.0
ssg service-password servicecisco
ssg radius-helper auth-port 1812 acct-port 1813
ssg radius-helper key cisco
ssg maxservice 12
ssg accounting interval 300000
ssg enable
ssg radius-proxy
server-port auth 1645 acct 1646
client-address 1.1.1.1
key cisco
session-identifier auto
!
client-address 1.1.1.1
key cisco
!
timeouts
ip-address 60
!
Where to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
• Configuring SSG to Authenticate Web Logon Subscribers
• Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
• Configuring SSG Support for Subnet-Based Authentication
• Configuring SSG for MAC-Address-Based Authentication
• Configuring SSG to Authenticate PPP Subscribers
• Configuring SSG to Authenticate Subscribers with Transparent Autologon
Additional References
The following sections provide references related to configuring SSG to authenticate RADIUS Proxy
subscribers.
Related Documents
Related Topic Document Title
CMDA and CMDA2000 “CDMA Overview” and “CDMA2000 Overview” on the Mobile
Wireless Knowledge Bytes web page:
http://www.cisco.com/warp/public/779/servpro/solutions/wireless_
mobile/training.html
Cisco IOS voice, video and fax commands Cisco IOS Voice, Video, and Fax Command Reference
Cisco IOS voice, video and fax configuration Cisco IOS Voice, Video, and Fax Configuration Guide
SSG commands Cisco IOS Wide-Area Networking Command Reference,
Release 12.4
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
DHCP accounting DHCP Accounting feature module for Cisco IOS Release 12.2(15)T
Configuring L2TP Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS Dial Technologies Command Reference, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Note Table 7 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
This module describes how SSG can be configured to authenticate Web logon subscribers.
SSG works with in conjunction with SESM, which provides a user interface for subscribers to SSG
services. SESM is a specialized web server that allows users to connect to and disconnect from various
services offered by the service provider. SESM provides subscriber authentication, service selection, and
service connection capabilities.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for Configuring SSG to Authenticate Web Logon Subscribers, page 81
• Restrictions for Configuring SSG to Authenticate Web Logon Subscribers, page 82
• Information About Web Logon Subscribers, page 82
• How to Configure SSG to Authenticate Web Logon Subscribers, page 84
• Where to Go Next, page 88
• Additional References, page 88
• Before you can configure SSG to authenticate subscribers you must first configure SESM and the
RADIUS server to support the logon method.
• Before you configure SSG to authenticate web logon subscribers, you should perform the tasks
described in Configuring SSG Interface Direction, Configuring SSG-SESM API Communication,
and Configuring SSG to AAA Server Interaction in the “Implementing SSG: Initial Tasks” module.
• In order to use the SSG TCP Redirect feature, you must install Cisco SESM Release 3.1(1) or higher.
Web Logon
SSG works with in conjunction with SESM, which provides a user interface for subscribers to SSG
services. SESM is a specialized web server that allows users to connect to and disconnect from various
services offered by the service provider. SESM provides subscriber authentication, service selection, and
service connection capabilities. Web service selection enables subscribers to concurrently access
multiple on-demand services from a list of personalized services.
SESM provides subscriber authentication, service selection, and service connection capabilities to
subscribers. Subscribers interact with SESM using a standard Internet browser. They do not need to
download any software or plug-ins to use SESM. After a subscriber successfully authenticates, SESM
presents a list of services that the subscriber is currently authorized to use. The subscriber can gain
access to one or more of those services by selecting them from a web page.
SESM works in conjunction with other network components to provide extremely robust, highly scalable
connection management to Internet services. Internet service providers (ISPs) and network access
providers (NAPs) deploy SESM to provide their subscribers with a web interface for accessing multiple
Internet services. The ISPs and NAPs can customize and brand the content of the web pages and thereby
control the user experience for different categories of subscribers.
SUMMARY STEPS
1. ssg tcp-redirect
2. server-group group-name
3. server ip-address port
4. exit
5. redirect unauthenticated-user to group-name
DETAILED STEPS
Example:
Router(config)# ssg tcp-redirect
Step 2 server-group group-name Defines the group of one or more servers that make up
a named captive portal group and enables
ssg-redirect-group configuration mode.
Example:
Router(config-ssg-redirect)# server-group • group-name—Name of the captive portal group.
RedirectServer
Example:
Router(config-ssg-redirect-group)# exit
Step 5 redirect unauthenticated-user to group-name Selects a captive portal group for redirection of traffic
from unauthenticated users.
Example: • group-name—Name of the captive portal group.
Router(config-ssg-redirect)# redirect
unauthenticated-user to RedirectServer
SUMMARY STEPS
DETAILED STEPS
!
! enable SSG on the router
ssg enable
ssg radius-helper auth-port 1645 acct-port 1646
ssg radius-helper key cisco
!
Where to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
• Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
• Configuring SSG Support for Subnet-Based Authentication
• Configuring SSG for MAC-Address-Based Authentication
• Configuring SSG to Authenticate PPP Subscribers
• Configuring SSG to Authenticate Subscribers with Transparent Autologon
To configure SSG to authenticate RADIUS Proxy subscribers, refer to Configuring SSG to Serve as a
RADIUS Proxy
Additional References
The following sections provide references related to configuring SSG to authenticate web logon
subscribers.
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
Configuring SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks Cisco IOS Security Configuration Guide, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 1 Feature Information for Configuring SSG to Authenticate Web Logon Subscribers
SSG supports PPP as a subscriber access protocol. PPP provides router-to-router and host-to-network
connections over both synchronous and asynchronous circuits. This document provides information
about how to configure SSG to support PPP subscribers, including information about PPP Termination
Aggregation (PTA), PTA-multidomain(PTA-MD), virtual-circuit (VC)-to-service-name mapping, and
single signon for PPP users.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites, page 91
• Restrictions, page 92
• Information About SSG Authentication of PPP Subscribers, page 92
• How to Configure SSG to Authenticate PPP Subscribers, page 94
• Where to Go Next, page 101
• Additional References, page 102
Prerequisites
Before you can perform the tasks in this process, SSG must be enabled. See the “Enabling SSG” section
in the Establishing Initial SSG Communication module for more information.
If Cisco Subscriber Edge Services Manager (SESM) is part of your SSG network, SESM and the
RADIUS server must be configured to support the subscriber logon method. See the Cisco Subscriber
Edge Services Manager documentation for information about how to configure SESM.
If SSG is configured to work with SESM in RADIUS mode, service profiles, subscriber profiles, and
control profiles must be configured on the authentication, authorization, and accounting (AAA) server
before SSG will work. See the <RADIUS Profiles and Attributes for SSG> document for information
about RADIUS profiles and vendor-specific attributes (VSAs) for SSG.
Restrictions
Virtual path identifier (VPI)/virtual channel identifier (VCI) indexing to service profile works only for
PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) over ATM.
• to allow access providers to terminate user PPP sessions and logically associate each session with a
particular service
• to allow SSG to bind a user session and its service to the appropriate network side interface
PTA-Multidomain
Whereas PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP
sessions into multiple IP routing domains, thus supporting a wholesale virtual private network (VPN)
model in which each domain is isolated from the others and has the capability to support overlapping IP
addresses.
Note VPI/VCI indexing to services works only for PPPoA and PPPoEoA (PPP over Ethernet over ATM).
SSG supports VPI/VCI closed user groups by allowing VPI/VCIs to be bound to a given service. All
users accessing SSG through the VPI/VCI or a range of VPI/VCIs will be able to access the configured
service. You can specify whether users are allowed to access only the bound service or other additional
services to which they subscribe. A closed user group service can be selected only through the VPI/VCI
and not by entering the domain name in the username of a PPP session.
SUMMARY STEPS
DETAILED STEPS
Step 1 interface virtual-template number Creates a virtual template interface and enters
interface configuration mode.
Example:
Router(config)# interface virtual-template 60
Step 2 ssg direction downlink Sets the direction of the interface.
• A downlink interface is an interface to
Example: subscribers.
ssg direction downlink
Step 3 ip unnumbered [loopback 1 | ethernet 0] Enables IP without assigning a specific IP address on
the LAN.
Example:
Router(config-if)# ip unnumbered loopback 1
Step 4 encapsulation ppp Enables PPP encapsulation on the virtual template
interface.
Example:
Router(config-if)# encapsulation ppp
Step 5 virtual-profile (Optional) Creates a virtual-access interface only if
the inbound connection requires one.
Example:
Router(config-if)# virtual-profile
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# ssg multidomain ppp
Step 2 exclude {domain name | all-domains} Adds names to the PTA-MD exclusion list.
• domain—Adds a domain to the exclusion list.
Example: • name—Name of the domain to be added to the
Router(config-ssg-ppp-md)# exclude domain xyz
exclusion list.
• all-domains—Excludes all domains; in other
words, disables parsing of PPP structured
usernames.
Step 3 download exclude-profile profile-name [password] Downloads the specified exclusion list from the AAA
server.
Example: • profile-name—Specifies the name for a list of
Router(config-ssg-ppp-md)# download exclude-profile excluded names that may be downloaded from
abc cisco the AAA server.
• password—Specifies the password required to
download the PTA-MD exclusion list from the
AAA server. If no password is entered, the
password used in the previous exclusion list
download will be used to download the exclusion
list.
Step 4 end (Optional) Returns to privileged EXEC mode.
Example:
Router(config-ssg-ppp-md)# end
Step 5 show ssg multidomain ppp exclude-list (Optional) Displays the contents of a PTA-MD
exclusion list.
Example:
Router# show ssg multidomain ppp exclude-list
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config-auto-domain)# exit
Step 3 show ssg vc-service-map (Optional) Displays VC-to-service-name mappings.
Example:
Router# show ssg vc-service-map
Note In order to use single signon for PPP subscribers, you must first enable the single signon feature in
SESM.
SUMMARY STEPS
1. ssg profile-cache
DETAILED STEPS
In the following example, the PTA-MD exclusion list is downloaded to the router from the AAA server.
The password to download the exclusion list is cisco. After downloading the PTA-MD exclusion list,
microsoft and sun are added to the list using the router CLI.
ssg multidomain ppp
download exclude-profile pta_md cisco
exclude domain microsoft
exclude domain sun
The following example shows the service name “public” mapped to a range of VCs:
ssg vc-service-map public interface atm3/0 1/37 1/82 non-exclusive
Configure the ATM interface on which the PPPoEoA user comes in.
interface ATM4/0.23 point-to-point
description "Connected to 36/7 for PPPoE user"
ip address 23.6.6.1 255.255.255.0
pvc 23/40
encapsulation aal5snap
protocol pppoe
Configure the Ethernet interface on which the PPPoEoE user comes in.
interface fastethernet 1/0
description "Interface for PPPoEoE user"
ip address 23.8.8.1 255.255.255.0
pppoe enable
Where to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
• Configuring SSG to Authenticate Web Logon Subscribers
• Configuring SSG to Authenticate Subscribers with Transparent Autologon
• Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
• Configuring SSG Support for Subnet-Based Authentication
• Configuring SSG for MAC-Address-Based Authentication
Additional References
The following sections provide references related to configuring SSG to authenticate PPP subscribers.
Related Documents
Related Topic Document Title
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Configuring L2TP Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS Dial Technologies Command Reference, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The SSG Transparent Autologon feature enables Service Selection Gateway (SSG) to authenticate and
authorize a user on the basis of the source IP address of packets received from the user. This document
describes the SSG Transparent Autologon feature and how to configure SSG to authenticate subscribers
by using transparent autologon.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG Transparent Autologon, page 105
• Restrictions for SSG Transparent Autologon, page 106
• Information About SSG Transparent Autologon, page 106
• How to Configure SSG Transparent Autologon, page 110
• Configuration Examples for SSG Transparent Autologon, page 117
• Where to Go Next, page 118
• Additional References, page 118
SSG authorizes the transparent autologon (TAL) user by using the IP address of the user in dotted
notation as a string. Therefore, subscriber profiles must be configured with the IP addresses in dotted
decimal notation as the username on the authentication, authorization, and accounting (AAA) server.
Additionally, all of the subscriber profiles must all be configured with the same password.
Note Transparent autologon functionality is not applied to packets destined to the default network or SSG’s
IP address.
AAA
2 3 Radius
IP IP
1 4
98658
SSG
For TP users, idle timeouts and session timeouts can be configured either in the user profiles or globally
though the CLI. The idle timeout and session timeout values configured in the user profile take
precedence over the values configured globally.
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config-login-transparent)# exit
SUMMARY STEPS
1. enable
2. show ssg user transparent
3. clear ssg user transparent all
4. show ssg user transparent authorizing [count]
5. show ssg user transparent passthrough [ipaddress | count]
6. clear ssg user transparent passthrough {all | ipaddress}
7. show ssg user transparent suspect [count]
8. clear ssg user transparent suspect {all | ipaddress}
9. show ssg user transparent unidentified [count]
DETAILED STEPS
Example:
Router# show ssg user transparent passthrough
Step 6 clear ssg user transparent passthrough {all | Deletes pass-through user entries.
ipaddress}
Example:
Router# clear ssg user transparent passthrough
all
Step 7 show ssg user transparent suspect [count] Displays a list of all suspect (SP) user IP addresses.
Example:
Router# show ssg user transparent suspect count
Step 8 clear ssg user transparent suspect {all | Deletes suspect (SP) user entries.
ipaddress}
Example:
Router# clear ssg user transparent suspect all
Example:
Router# clear ssg user transparent unidentified
all
Example
The following examples show sample output for commands that can be used to monitor SSG transparent
autologon:
10.10.10.10 Passthrough
11.11.11.11 Suspect
120.120.120.120 Authorizing
94.0.0.1
93.0.0.1
SUMMARY STEPS
DETAILED STEPS
Example:
Router# debug ssg transparent login
Example
The following examples show sample output for the debug ssg transparent logon command. The output
is self-explanatory.
Idle-Timeout = 600
Session-Timeout = 3600
Where to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
• Configuring SSG to Authenticate Web Logon Subscribers
• Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
• Configuring SSG Support for Subnet-Based Authentication
• Configuring SSG for MAC-Address-Based Authentication
To configure SSG to authenticate RADIUS Proxy subscribers, refer to the Configuring SSG to Serve as
a RADIUS Proxy module.
Additional References
The following sections provide references related to configuring SSG to authenticate TAL subscribers.
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 1 Feature Information for Configuring SSG to Authenticate Subscribers with Transparent Autologon
The SSG AutoDomain feature allows Service Selection Gateway (SSG) to authenticate subscribers
automatically in the service domain. The AutoDomain feature allows a user to be connected to a service
automatically on the basis of either the access point name (APN) or the domain part of a structured
username, which is specified in an Access-Request packet. In this mode, authentication of the user is not
performed at the network access provider (NAP) authentication, authorization, and accounting (AAA)
server but instead in the service domain (for example, the AAA server within a corporate network).
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG AutoDomain, page 121
• Restrictions for SSG AutoDomain, page 122
• Information About SSG AutoDomain, page 122
• How to Configure SSG AutoDomain, page 127
• Configuration Examples for SSG AutoDomain, page 130
• Where to Go Next, page 131
• Additional References, page 131
If SSG is configured to work with SESM in RADIUS mode, service profiles, subscriber profiles, and
control profiles must be configured on the AAA server before SSG will work. See the “RADIUS Profiles
and Attributes for SSG” document for information about RADIUS profiles and attributes for SSG.
Subscriber Edge Services Manager (SESM) and the AAA server must be configured to support SSG
AutoDomain.
SSG AutoDomain makes it possible to log a user on to either Layer 2 Tunnel Protocol (L2TP) or proxy
services. The username and password used to log a user on with AutoDomain are the same username and
password provided by the end-user device when the end user originally logged into the network. The
username and password may be entered manually by the end user or preconfigured on the end-user
device. The password may also be dynamically generated.
SSG AutoDomain does not require SSG vendor specific attributes (VSAs) when using a domain name
as a means to determine which service the user is to be logged on to. AutoDomain uses a heuristic to
determine the service onto which the user is to be logged. When AutoDomain is used, the host object is
not activated until the user has been successfully authenticated with the service. If the autoservice
connection fails for any reason, the user logon is rejected, and an Access-Reject packt is returned to the
client device.
By default, SSG first checks for an AutoDomain name using the APN. The APN is normally conveyed
in the Called-Station-ID attribute. If the AutoDomain name is not in the Called-Station-ID attribute, SSG
looks for the name in the NAS-Identifier attribute. If the AutoDomain name cannot be extracted from
the APN, SSG attempts to extract it from the structured username.
If AutoDomain is enabled and the received Access-Request packet specifies an APN, SSG uses this APN
for AutoDomain selection unless it is a member of the APN AutoDomain exclusion list. If an
AutoDomain is not selected based on the APN, SSG uses the structured username. If a structured
username is not supplied, or the supplied structured username is a member of the domain name exclusion
list, no AutoDomain is selected, and normal SSG user logon proceeds. You can override these
AutoDomain selection defaults by configuring the select command in SSG-auto-domain mode. You can
define the APN AutoDomain exclusion list and the domain name exclusion list with the exclude
command in SSG-auto-domain mode.
When AutoDomain is enabled, an AutoDomain profile is downloaded from the local AAA server. The
AutoDomain profile can be a service profile or a virtual user profile, depending on whether you
configure AutoDomain in basic or extended mode. This profile is specified as an outbound service, and
the password is the globally configured service password.
IP Address Assignment
Host objects created as a result of AutoDomain logon are assigned an IP address from one of the
following sources:
• From the client device. If the IP address is assigned by the client device before authentication, each
Access-Request packet received from the client device has an IP address in the Framed-IP field.
If after authentication, the client device uses DHCP to assign an IP address to the user once the user
has been successfully authenticated. This IP address is signaled to SSG in the Accounting start
packet.
• From the Gateway GPRS Support Node (GGSN). Each Access-Request packet received from GGSN
has an IP address in the Framed-IP field.
• From the Corporate Network: The AAA server in the corporate network authenticates the user and
sends an Access-Accept packet. In the Access-Accept packet, the AAA server sends an IP address
in the Framed-IP field.
• From the SSG local pool: In RADIUS-proxy mode you can configure IP address pools. If an IP
address is not assigned from any of the above sources, the IP address is allocated from the SSG local
pool.
The APN Network Identifier is mandatory. The name of an access point in the form of an APN Network
Identifier must correspond to the fully qualified name in the Domain Name System (DNS) configuration
for that network, and it must also match the name specified for the access point in the GGSN
configuration. The GGSN also uniquely identifies an APN by an index number.
The APN Operator Identifier is an optional name that consists of the fully qualified DNS name, with the
ending “.gprs”.
The access points that are supported by the GGSN are preconfigured on the GGSN. When a user requests
a connection in the GPRS network, the APN is included in the Create Packet Data Protocol (PDP)
Request message. The Create PDP Request message is a GPRS Tunneling Protocol (GTP) message that
establishes a connection between the Serving GPRS Support Node (SGSN) and the GGSN.
An APN has several attributes associated with its configuration that define how users can access the
network at a specified entry point. For more information about configuring APNs, see the APN Manager
Application Programming Guide.
Note If the Access-Request packet received from the RADIUS client does not contain the
Called-Station-ID (attribute 30), then the NAS-Identifier (attribute 32), if provided, is treated as the
APN name.
ssg radius-proxy
address-pool 1.1.1.1 1.1.2.2
address-pool 1.1.2.3 1.1.3.3
address-pool 1.1.3.4 1.1.4.4 acme.com
address-pool 1.1.4.5 1.1.5.5 acme.com
!
This functionality does not allow overlapping ranges within the same domain or global set. However, no
restrictions are imposed on pools in one domain overlapping with those in another domain.
Subattribute
Attribute ID Vendor ID ID and Type Attribute Name Subattribute Data
26 9 251 NAT user address C—Service-Info code for NAT
Service-Info user address.
0 or 1—Disable or enable NAT
of user address respectively.
The value of attribute C can be 0 or 1 depending on whether NAT mode is being disabled or enabled,
respectively. Any value received for this attribute in a service profile takes precedence over the globally
configured value.
SUMMARY STEPS
1. ssg auto-domain
2. mode extended
3. select {username | called-station-id calling-station-id | nas-identifier | attribute number}
4. exclude {apn | domain} name
5. download exclude-profile profile-name password
6. session-auto-terminate
7. nat user-address
8. end
9. Configure NAT in the service profile for the AutoDomain service.
DETAILED STEPS
Example:
Router(config-auto-domain)# mode extended
Step 3 select {username | called-station-id (Optional) Configures the AutoDomain selection method.
calling-station-id | nas-identifier | attribute
<number>} • username—Configures the algorithm to use only the
domain portion of the username to select the
AutoDomain.
Example:
Router(config-auto-domain)# select • called-station-id—Configures the algorithm to use
calling-station-id only the APN (Called-Station-ID).
• calling-station-id— Configures the algorithm to use
only the Calling Station ID.
• nas-identifier—Configures the algorithm to use only
the NAS-Identifier.
• attribute number—Configures any attribute to be
specified as the source for the AutoDomain name.
Specify the appropriate attribute number in the range
from 1 to 255. SSG does not limit the range of allowed
values.
By default, AutoDomain attempts to find a valid
AutoDomain based on APN (either Called-Station-ID or
NAS-Identifier) followed by the domain portion of the
username.
Step 4 exclude {apn | domain} name (Optional) Adds names to the AutoDomain exclusion list.
• apn—Adds an APN to the exclusion list.
Example: • domain—Adds a domain to the exclusion list.
Router(config-auto-domain)# exclude domain xyz
• name—Name of the APN or domain to be added to the
exclusion list.
Step 5 download exclude-profile profile-name password (Optional) Adds names to the AutoDomain download
exclusion list.
Example: • profile-name—Specifies the name for a list of excluded
Router(config-auto-domain)# download names that may be downloaded from the AAA server.
exclude-profile abc cisco
• password—Password for a list of excluded names that
may be downloaded from the AAA server.
Example:
Router(config-auto-domain)# end
Step 9 Configure NAT in the service profile for the Defines a Service-Info attribute in the service profile for the
AutoDomain service. AutoDomain service.
SUMMARY STEPS
DETAILED STEPS
SUMMARY STEPS
DETAILED STEPS
Example:
Router# debug ssg ctrl-events
Step 2 debug ssg ctrl-errors Displays SSG control error messages.
Example:
Router# debug ssg ctrl-errors
Where to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
• Configuring SSG to Authenticate Web Logon Subscribers
• Configuring SSG Support for Subnet-Based Authentication
• Configuring SSG for MAC-Address-Based Authentication
• Configuring SSG to Authenticate PPP Subscribers
• Configuring SSG to Authenticate Subscribers with Transparent Autologon
To configure SSG to authenticate RADIUS Proxy subscribers, refer to Configuring SSG to Serve as a
RADIUS Proxy
Additional References
The following sections provide references related to configuring SSG to authenticate subscribers for
services.
Related Documents
Related Topic Document Title
Configuring SESM Cisco Subscriber Edge Services Manager documentation.
Configuring L2TP Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS Dial Technologies Command Reference, Release 12.4
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 3 Feature Information for Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
The Configuring SSG for On-Demand IP Address Renewal feature enables service providers to manage
the Dynamic Host Configuration Protocol (DHCP) pool from which a subscriber’s IP address is
assigned. By receiving an IP address through DHCP rather than through Network Address Translation
(NAT), subscribers can access services that require a dynamically assigned IP address through the Cisco
Service Selection Gateway (SSG).
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG On-Demand IP Address Renewal, page 135
• Restrictions for SSG On-Demand IP Address Renewal, page 136
• Information About SSG On-Demand IP Address Renewal, page 136
• How to Configure SSG for On-Demand IP Address Renewal, page 138
• Configuration Examples for SSG On-Demand IP Address Renewal, page 140
• Additional References, page 141
127931
Subscriber's PC SSG DHCP server
DHCP module
a. By logging out of the service. SSG informs the DHCP relay agent, which begins the process to
forces the subscriber’s computer to rediscover an IP address in the private address pool.
b. By sending a DHCPRELEASE message (for instance, if the subscriber shuts down his or her
computer). The DHCP relay agent informs SSG, which removes the host object of this
subscriber.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg intercept dhcp
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg intercept dhcp Configures SSG to force a subscriber’s computer, upon
logging into an ISP service, to request an IP address from
the DHCP pool associated with the service profile.
Example:
Router<config># ssg intercept dhcp
SUMMARY STEPS
1. enable
2. show ssg host [ip-address | count | username]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Router> enable
Displaying Subscriber Login Events and Errors for the SSG On-Demand IP Address Renewal Feature
Perform this task to display subscriber login events and errors when the SSG On-Demand IP Address
Renewal feature is enabled.
SUMMARY STEPS
1. enable
2. debug ssg dhcp {error | event} [ip_address]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Router> enable
Additional References
The following sections provide references related to the SSG On-Demand IP Address Renewal feature.
Related Documents
Related Topic Document Title
Configuring DHCP “DHCP” section of the Cisco IOS IP Addressing Services
Configuration Guide, Release 12.4
DHCP Lease Query Support DHCP Enhancements for Edge-Session Management feature
module for Cisco IOS Release 12.3(14)T
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access
even more content.
Glossary
DHCP—Dynamic Host Configuration Protocol.
DHCP relay agent—Any host that forwards DHCP packets between clients and servers.
DHCP server—An application that assigns and manages IP addresses from specified address pools
within the router to DHCP clients.
SSG—Service Selection Gateway.
subscriber—The end user who accesses a service provided by a service provider via SSG.
Note See Internetworking Terms and Acronyms for terms not included in this glossary.
Note Table 4 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The SSG Support for Subnet-Based Authentication feature allows a service provider to identify
subscribers to services by their subnet, rather than by a subscriber’s IP address. This module describes
how the Cisco Service Selection Gateway (SSG) recognizes and manages subnet-based subscribers.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG Support for Subnet-Based Authentication, page 145
• Restrictions for SSG Support for Subnet-Based Authentication, page 145
• Information About SSG Support for Subnet-Based Authentication, page 146
• How to Configure SSG Support for Subnet-Based Authentication, page 146
• Additional References, page 148
SUMMARY STEPS
1. enable
2. show ssg connection {ip-address | network-id subnet-mask} service-name [interface]
3. show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Router> enable
Step 3 show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]
Displays information about a subscriber and the subscriber’s current connections. To display information
about the specified subnet-based subscribed host, enter the IP subnet mask.
Router# show ssg host 10.0.0.0 255.255.255.0
Additional References
The following sections provide references related to the SSG Support for Subnet-Based Authentication
feature.
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access
even more content.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Note Table 5 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The MAC-Address-Based Authentication for SSG feature allows a service provider to authorize
subscriber access to services by the subscriber’s MAC address, thus eliminating the need for explicit user
logins between client power cycles. This module describes how the Cisco Service Selection Gateway
(SSG) recognizes and manages MAC-address-based subscribers.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for MAC-Address-Based Authentication for SSG, page 151
• Restrictions for MAC-Address-Based Authentication for SSG, page 152
• Information About MAC-Address-Based Authentication for SSG, page 152
• How to Configure MAC-Address-Based Authentication for SSG, page 156
• Additional References, page 159
Figure 10 is a diagram of of the network topology when the MAC-Address-Based Authentication for
SSG feature is enabled. In this sample configuration, the router running SSG also acts as the DHCP relay
agent, while the DHCP server, SESM, AAA, and Lightweight Directory Access Protocol (LDAP)
services run on separate platforms.
127932
DHCP relay agent
(CNR) (RDP)
12. SESM presents an accounting logon page to the subscriber, asking for the username and password.
The subscriber enters this information and clicks the “logon” button.
13. SESM sends an Account-Logon request packet containing the subscriber’s username and password
to SSG.
14. SSG sends a DHCP lease query request packet for the subscriber to the DHCP server and sends an
authentication request packet to the AAA server. If no DHCP servers have been configured using
the ip dhcp-server command, the DHCP lease query request packet is broadcast on all interfaces.
15. The DHCP server returns the subscriber’s MAC address to SSG.
16. SSG sends an Access-Request packet to the AAA server to authenticate the subscriber. Along with
other attributes, the Access-Request packet includes the following:
– User-Name(attribute 1): The username entered by the subscriber on the SESM accounting logon
page.
– Password (attribute 2): The password entered by the subscriber on the SESM accounting logon
page.
– Calling-station-id (attribute 31): The subscriber’s MAC address. Note that this attribute will be
present only when SSG receives a valid MAC address in the DHCP lease query response packet.
– Framed-ip (attribute 8): The subscriber’s IP address.
17. The AAA server sends a query to the LDAP application to verify the subscriber’s username.
18. The LDAP application finds an entry for the subscriber and sends the subscriber’s profile to the
AAA server.
19. The AAA server sends an Access-Accept packet to SSG.
20. SSG creates a host object for the subscriber based on the contents of the Access-Accept packet and
forwards the access-accept packet to SESM. Along with other attributes, the Access-Accept packet
includes the following:
– Calling-station-id (attribute 31): The subscriber’s MAC address. Note that this attribute will be
present only when SSG receives a valid MAC address in the DHCP lease query response packet.
– Framed-ip (attribute 8): The subscriber’s IP address.
21. SESM adds the subscriber’s MAC address to the subscriber’s record.
22. SSG sends an Accounting-Start packet to the AAA server. Along with other attributes, the
Accounting-Start packet includes the following:
– Username (attribute 1): The username of the subscriber as received in the Access-Accept
packet.
– Calling-station-id (attribute 31): The subscriber’s MAC address. Note that this attribute will be
present only when SSG receives a valid MAC address in the DHCP lease query response packet.
– Framed-ip (attribute 8): The subscriber’s IP address.
23. The AAA server sends an Accounting-Response packet to SSG.
24. When the subscriber logs out, SSG deletes the host object for that subscriber.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg query mac dhcp
4. username mac
DETAILED STEPS
Example:
Router# configure terminal
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg radius-proxy
4. client-address ip-address [vrf vrf-name]
5. query ip dhcp
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg radius-proxy Enables the SSG RADIUS proxy.
Example:
Router(config)# ssg radius proxy
Additional References
The following sections provide references related to the MAC-Address-Based Authentication for SSG
feature.
Related Documents
Related Topic Document Title
Configuring DHCP “DHCP” section in the Cisco IOS IP Addressing and Services
Configuration Guide, Release 12.4
DHCP Lease Query Support DHCP Enhancement for Edge-Session Management, feature module
for Cisco IOS Release 12.3(14)T.
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access
even more content.
Note Table 6 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The Cisco Service Selection Gateway (SSG) is deployed at network aggregation points to control
subscriber access to network services. SSG can be configured to support authenticated pass-through,
proxy, and Layer 2 Tunnel Protocol (L2TP) services, as well as unauthenticated open garden services.
This module provides information about how to configure SSG to create services and allow subscribers
to use them.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for Configuring SSG for Subscriber Services, page 161
• Information About SSG Support for Subscriber Services, page 162
• How to Configure Services for Subscribers, page 170
• Configuration Examples for SSG Support for Subscriber Services, page 191
• Additional References, page 203
Authenticated Services
Authenticated services are services that a subscriber can access after providing valid authentication
information. There are five types of authenticated services, which are described in the following
sections:
• Pass-Through Services, page 163
• Proxy Services, page 163
• L2TP Dial-In Services, page 163
• L2TP Dial-Out Services, page 164
• DNS Packet Handling, page 164
Pass-Through Services
SSG does not authenticate users specifically for pass-through services. One example in which a
pass-through service may be used is when a Network Access Provider (NAP) provides Internet service.
After authenticating the user, the NAP does not require another authentication to provide the user with
Internet service.
If the IP address pool name VSA is configured in the service profile for a pass-through service, SSG will
choose one IP address from the pool as the service IP address and perform NAT between the user’s actual
IP address and the IP address of the service.
Proxy Services
Proxy services involve subscriber authentication for the service, such as when a NAP partners with an
Internet Service Provider (ISP) to provide Internet service, or with a content provider to provide content.
In these cases, the NAP authenticates the user, but before the user can access the service provided by the
partner, the partner also authenticates the user (service-level authentication).
When a subscriber requests access to a proxy service, SESM prompts the user for the username and
password. SSG then performs the service authentication by sending an Access-Request packet to the
remote AAA server configured in the service profile. Upon receiving an Access-Accept packet from the
remote RADIUS server, SSG logs the subscriber in to the service. SSG must be configured as a network
access server (NAS) client on the remote RADIUS server.
The service IP address can be chosen by one of the following methods (ordered according to priority, the
highest first):
1. The remote AAA server sends the Framed-IP-address attribute (RADIUS attribute 8) in the
Access-Accept packet.
2. The remote AAA server provides the IP address pool name VSA in the Access-Accept packet. In
this case, SSG chooses one IP address from the locally configured pool as the service IP address.
3. The IP address pool name VSA may be configured in the service profile. In this case, SSG chooses
one IP address from the service pool as the service IP address.
SSG supports both Password Authentication Protocol (PAP) and Challenge Handshake Authentication
Protocol (CHAP) authentication for proxy services.
Note Effective with Cisco IOS Release 12.2(16)B, SSG passes the mobile station ID (MSID) of the user, if
present, to the LNS in the Calling Number attribute value (AV) pair (22) of the Incoming-Call-Request
(ICRQ) control message during L2TP session establishment. If LNS is using RADIUS authentication,
the MSID value will also be copied to the Calling-Station-ID attribute (31), of the subsequently
generated Access-Request packet.
For more information about SSG support for L2TP tunnel services, see the “What to Do Next” section
on page 172.
Note DNS packet processing in an open garden configuration was handled differently by SSG in Cisco IOS
Release 12.2(2)B and earlier releases. In those releases, DNS domain lookup was performed first in
the domains configured in the open garden services. If a match was not found, DNS domain lookup
was performed in the connected services of the user.
If SSG receives a packet that is not destined for the open garden, SSG checks the source IP address of
the packet to see if the subscriber is authenticated. If SSG recognizes the IP address, the subscriber is
authenticated and SSG forwards the packet. If the subscriber is not authenticated and the packet is not a
DNS packet, SSG drops the packet.
When a service is bound to a point-to-point interface, SSG sends the traffic on that interface. If a service
is bound to an interface that is not point-to-point (such as Ethernet), SSG will use the global routing table
to send the packets.
For L2TP dial-in or dial-out tunnel services, virtual-access interfaces are created dynamically on the
service side for each user. SSG automatically determines the binding when the virtual-access interface
is created.
SSG allows next-hop bindings to be configured in a next-hop table on the AAA server. The next-hop
table is downloaded by SSG upon startup. The next-hop table uses the Next-Hop Gateway attribute to
specify the next-hop key for a service. Each SSG uses its own next-hop gateway table, which associates
the next-hop key with an actual IP address.
Open garden 1
SSG
Open garden 2
62669
Next-hop gateway
Note Hierarchical policing for open garden services works slightly differently from the way it works for
authenticated connected services. For subscribed or authenticated services, each connection inherits
policing parameters from the service. For open garden services, policing parameters apply to the service
(all traffic to and from the service) since no connections are present.
Failover
When redundant bindings are configured for a service, the order in which SSG selects these bindings to
be used to reach a service depends on the distance metric that is assigned to the service binding. The
interface for the service binding with the lowest weight is the primary interface. The interface for the
service binding with the second-lowest weight is the secondary interface, and so on.
If a failure occurs on an active interface, SSG recognizes the failure and switches the service connection
to the interface associated with the next-lowest weight. When the primary uplink interface or next hop
becomes available again, SSG switches back to using the primary interface.
SSG interface redundancy can be configured for services, including open garden and walled garden
services, and the default network.
Load Balancing
If the same distance metric is assigned to multiple service bindings, SSG will perform load-balancing
across those bindings. If one of the bindings fails, SSG will move the traffic to the rest of the working
bindings. If the binding that failed comes back up again, the traffic is automatically shared among all the
active bindings.
Load-balancing with the same distance metric to multiple bindings and failover with different distance
metrics can be configured together for the same service.
Configuration Information
SSG uplink interface redundancy is configured by binding a service to more than one next hop or
interface and grouping the redundant interfaces to ensure that SSG treats them similarly. To bind services
to interfaces or next hops, see the “Configuring SSG Support for Services” section on page 171. To
group redundant uplink interfaces, see the “Establishing Initial SSG Communication” module.
Figure 12 shows an example of SSG interface redundancy configured to support multiple next-hop
IP addresses per service. In this type of topology, each next hop is routable on a different uplink
interface. SSG forwards traffic to the appropriate next hop on the basis of the distance metric assigned
to it.
Next hop 1
Uplink 1
SSG Service
103656
Uplink 2
Next hop 2
Figure 13 shows an example of SSG interface redundancy configured to support multiple uplink
interfaces that share a single next hop. In this type of topology, routing to the service is governed by the
active route to the next-hop IP address in the IP routing table.
Figure 13 Multiple Uplink Interfaces with a Single Next Hop: Sample Topology
Uplink 1
103657
Uplink 2
Figure 14 shows an example of SSG interface redundancy configured to support multiple uplink
interfaces that are directly connected to the service. These uplink interfaces could also be tunnel
interfaces.
Uplink 1
SSG Service
103658
Uplink 2
Combination of Directly Connected Uplink Interfaces and Interfaces with Next Hops
Figure 15 shows an example of SSG interface redundancy configured to support an uplink interface that
is directly connected to the service and an uplink interfaces with a next hop.
Figure 15 Combination of Directly Connected Uplink Interfaces and Interfaces with Next Hops:
Sample Topology
Uplink 1
103659
SSG Service
Uplink 2
Note DNS packet processing in an open garden configuration was handled differently by SSG in Cisco IOS
Release 12.2(2)B and earlier releases. In those releases, DNS domain lookup was performed first in
the domains configured in the open garden services. If a match was not found, DNS domain lookup
was performed in the connected services of the user.
If SSG receives a packet that is not destined for the open garden, SSG checks the source IP address of
the packet to see if the subscriber is authenticated. If SSG recognizes the IP address, the subscriber is
authenticated and SSG forwards the packet. If the subscriber is not authenticated and the packet is not a
DNS packet, SSG drops the packet.
Filters can be configured to control transparent pass-through traffic. These filters can be configured
locally on the router or on the AAA server in a transparent pass-through filter pseudo-service profile.
For information about transparent pass-through filter pseudo-service profiles, see the RADIUS Profiles
and Attributes for SSG module.
You can also configure service profiles directly on the router by using the Cisco IOS command line
interface. Perform this task to configure a local service profile.
Note If you are using SSG with the SESM in LDAP mode, see the Cisco Distributed Administration Tool
Guide for information on creating and maintaining subscriber, service, and policy information in an
LDAP directory, including defining a tunnel service profile.
SUMMARY STEPS
1. local-profile service-name
2. attribute radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
3. Repeat Step 2 for each attribute that you want to add to the service profile.
DETAILED STEPS
Perform this task to configure SSG support for authenticated services (pass-through, proxy, and L2TP
services).
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# ssg next-hop download
next-hop-tbl next-hop-tbl-passwd
Step 4 ssg service-cache [refresh-interval minutes] (Optional) Allows SSG to cache the user profiles of
non-PPP users.
Example:
Router(config)# ssg profile-cache
Step 5 exit (Optional) Returns to global configuration mode.
Example:
Router(config)# exit
What to Do Next
If you are configuring L2TP services, you must also perform the tasks in the “Configuring SSG to
Support L2TP Dial-In Tunnel Services” section on page 173.
SUMMARY STEPS
1. vpdn enable
2. interface slot/port
DETAILED STEPS
Example:
Router(config)# vpdn enable
Step 1 interface type slot/port Enables NAT on the downlink interface.
Example:
Router(config)# interface 1/0
SUMMARY STEPS
1. vpdn-group name
DETAILED STEPS
Attribute Description
VPDN IP Address Specifies the IP addresses of the home gateways (L2TP network
servers) to receive the L2TP connections.
VPDN Tunnel ID Specifies the name of the tunnel that must match the tunnel ID
specified in the LNS VPDN group.
L2TP Tunnel Password Specifies the secret (password) used for L2TP tunnel
authentication.
vpdn-group-name Specifies the vpdn-group-name that will be configured on the
router.
Attribute Description
Type of Service Specifies proxy, tunnel, or pass-through service. L2TP always uses
tunnel service.
MTU Size Specifies the PPP maximum transmission unit (MTU) size for SSG
as an LAC. By default, the PPP MTU size is 1500 bytes.
Service Route Specifies the networks available to the user for this service.
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config-vpdn-acc-in)# protocol l2tp
Example:
Router(config-vpdn-acc-in)# exit
Step 7 terminate-from hostname hostname Specifies the tunnel ID that will be required
when a VPDN tunnel is accepted.
Example: • This must match the VPDN tunnel ID
Router(config-vpdn)# terminate-from hostname myhostname configured in the RADIUS service
profile.
Step 8 l2tp tunnel password password Identifies the password that the router will use
for tunnel authentication.
Example:
Router(config-vpdn)# l2tp tunnel password mypassword
Step 9 exit Returns to global configuration mode.
Example:
Router(config-vpdn)# exit
Step 10 interface virtual-template number Creates a virtual template interface that can
clone new virtual access interfaces.
Example:
Router(config)# interface Virtual-Template 1234
Step 11 ip unnumbered interface-type interface-number Configures the interface as unnumbered and
provides a local address.
Example: • Enters interface configuration mode.
Router(config-if)# ip unnumbered FastEthernet 1/0
Step 12 peer default ip address pool pool-name Specifies the pool from which to retrieve the
IP address to assign to a remote peer dialing in
to the interface.
Example:
Router(config-if)# peer default ip address pool mypool
Step 13 ppp authentication {chap | chap pap | pap chap | pap} Specifies the order in which the CHAP or PAP
protocols are requested on the interface.
Example:
Router(config-if)# ppp authentication {chap | chap pap |
pap chap | pap}
Step 14 ip local pool pool-name start-address end-address Creates a local IP address pool named
mypool, which contains all local IP addresses
from 172.16.23.0 to 172.16.23.255.
Example:
Router(config-if)# ip local pool mypool 172.16.23.0
172.16.23.255
SUMMARY STEPS
1. enable
2. show vpdn tunnel [all | packets | state | summary | transport] [id | local-name | remote-name]
3. show vpdn session [all [interface | tunnel | username]| packets | sequence | state | timers |
window]
4. clear vpdn tunnel l2tp remote-name local-name
DETAILED STEPS
t
Example:
Router# show vpdn tunnel summary
Step 3 show vpdn session [all [interface | tunnel | Displays VPDN session information, including interface,
username]| packets | sequence | state | timers tunnel, username, packets, status, and window statistics.
| window]
Example:
Router# show vpdn session
Step 4 clear vpdn tunnel l2tp remote-name local-name Shuts down a specific tunnel and all the sessions within the
tunnel.
Example:
Router# clear vpdn tunnel l2tp local2 local3
Subscribers Services
144.10.50.10 10.10.10.1
SESM AAA
IP Access PSTN
L2TP
SSG LAC
75494
144.10.50.11 10.10.10.1
user abc@091805318090
password *******
SGSN
PPP
LAC 091805318090
Dial-up Soho
network
L2TP
GN backbone IP backbone
GGSN SSG
[LNS] L2TP Dial-up Soho
network
LAC 03962951
PPP
SGSN
user def@03962951
password *******
75493
SSG L2TP Dial-Out Service Account Logon with Structured Username and Without SSG
Auto-Domain
When a user attempts an account logon with a structured username and the SSG Auto-domain feature is
not enabled, the entered username is sent to a local authentication, authorization, and accounting (AAA)
server for user authentication. If the username entered is a structured username, SSG does not interpret
the full username as user and domain. If the username is entered as “user@DNIS”, the full username is
used for user authentication.
If a user has a dial-out tunnel service configured as an autologon service and does not specify a username
and password along with the service name in the user profile, the username and password entered for
account logon are used. If the username and password are given with the service name in the user profile,
then that username and password are used. The username entered in either case must be “user@DNIS”.
The DNIS portion of the username is used as the dial string to dial from the LAC to the SOHO.
SSG L2TP Dial-Out Service Logon with Structured Username and with SSG Auto-Domain
When the SSG Auto-domain feature is enabled, a full username must be entered by the user at the
account logon page if the user wants to perform service selection by using the DNIS number. SSG
interprets the full username as username and domain. For “user@DNIS”, “user” is the username and
“DNIS” is the domain. This “DNIS” domain must be a numerical value; for example, “user@3962962.”
You can select the dial-out global service that is available to a user who performs an account logon with
a structured username (user@DNIS) by configuring the dnis-prefix all service command.
SSG Auto-domain can be configured to work in basic or extended mode. In basic mode, the SSG
Auto-domain profile downloaded from the AAA server is a service profile. In extended SSG
Auto-domain mode, the SSG Auto-domain profile downloaded from the AAA server is a “virtual-user”
profile. In the virtual-user profile, the dial-out service is configured as the primary autologon service.
When SSG Auto-domain is configured, SSG parses the structured username. If the domain part of the
username is a DNIS prefix, the SSG Auto-domain profile is downloaded. If the SSG Auto-domain profile
has not been configured or the DNIS prefix is included in the DNIS exclusion list, the account logon is
rejected.
If the account logon is successful and the configured service is a dial-out service, SSG establishes a
tunnel session with the LAC. The IP address of the LAC must be configured in the global service profile.
SSG uses the DNIS number that was entered as part of the username as the dial string to dial out to the
SOHO from the LAC. When the PPP session begins successfully, the user is authenticated at the SOHO.
If the X attribute is configured in the SSG Auto-domain profile, the full username is sent for
authentication.
SSG performs Network Address Translation (NAT) for the user’s IP address for a tunnel by default. If
you enter the no nat user-address command when SSG Auto-domain is configured, SSG does not
perform NAT on the user’s IP address. Rather, the IP address assigned by the SOHO is assigned to the
user. This configuration is valid only for RADIUS-proxy users where the AAA server (in this case, SSG)
is assigning the IP address to the user.
SUMMARY STEPS
1. ssg dial-out
2. dnis-prefix all service service-name
DETAILED STEPS
Example:
Note There is no command to enable or disable the SSG
Router(config)# ssg dial-out
L2TP Dial-Out feature. An L2TP dial-out tunnel is
established if the service profile contains the
“vpdn:dout-type=2” attribute.
Step 2 dnis-prefix all service service-name Configures the dial-out global service name.
• The global service is configured for users who are
Example: doing an account logon with a structured username.
Router(config-dial-out)# dnis-prefix all
service service1
• service-name—Name of the dial-out global service.
Subattribute ID
Attribute ID Vendor ID and Type Attribute Name Subattribute Data
26 9 251 MSISDN/DNIS Y—Service-information code for
sending MSISDN with DNIS
G—Delimiter character that separates
the DNIS number from the MSISDN
number.
DNIS Filters
To block PSTN calls to unwanted DNIS numbers, such as free phone or international numbers, you can
configure a DNIS filter. DNIS filters can be locally configured through the command line interface (CLI)
or received from a AAA profile.
Perform this task to configure a DNIS filter locally on the router.
SUMMARY STEPS
1. ssg dial-out
2. exclude dnis-prefix dnis-prefix
3. Repeat Step 2 to add DNIS prefixes to the DNIS exclusion list.
4. download exclude-profile profile-name password
DETAILED STEPS
Example:
Router(config)# ssg dial-out
Step 2 exclude dnis-prefix dnis-prefix (Optional) Configures the DNIS filter by adding a DNIS prefix to
the DNIS exclusion list.
Example: • dnis-prefix—The DNIS prefix to add to the DNIS exclusion
Router(config-dial-out)# exclude list.
dnis-prefix 18085288110
Step 3 (Optional) Repeat Step 2 to add DNIS prefixes to the DNIS exclusion list.
Step 4 download exclude-profile profile-name (Optional) Downloads the DNIS exclusion list locally or from
password AAA.
• profile-name—Name of the DNIS exclusion list.
Example:
Router(config-dial-out)# download
• password—Password of the DNIS exclusion list.
exclude-profile dnis_exclude_profile
safe123
SUMMARY STEPS
DETAILED STEPS
Example:
Router# show ssg dial-out exclude-list
SUMMARY STEPS
DETAILED STEPS
If either of the two outputs above is displayed, the user profile does not exist, the password is incorrect
in AAA, or the AAA is not configured. Enable AAA by entering the aaa new-model command.
Step 2 debug ssg radius
Enter the debug ssg radius command to display messages about the communication between the AAA
server and the router.
Router# debug ssg radius
The output above is displayed if the RADIUS server is not configured or is not reachable. Configure the
RADIUS server by entering the radius-server host command.
If the debug ssg radius command displays the following output, there is a RADIUS server key
mismatch:
RADIUS: Response (159) failed decrypt
Configure the correct key by entering the radius-server key ssg command.
Step 3 debug ssg ctrl-err
Enter the debug ssg ctrl-err command to display error messages for the control modules, including all
modules that manage user authentication and service logon and logoff.
Router# debug ssg ctrl-err
The output above indicates that the ATM3/0.1 interface, where the user is coming from, is not configured
as a downlink interface. SSG requires that all the interfaces to the subscribers be bound as downlink
interfaces. Enter the ssg direction downlink command in interface configuration mode to configure the
interface as downlink.
The output above indicates that an invalid DNIS number has been configured. The DNIS number
should be configured according to the E.165 standard. Valid DNIS numbers can contain the
following characters: A, B, C, D, 0–9, #, *, and “.”, and they can start with + and end with T.
Any issues on the LAC or SOHO side will cause the following outputs in the debug ssg ctrl-events
command:
SSG-VPDN-CTL-EVN: VPDN module failed to establish tunnel
or
SSG-VPDN-CTL-EVN: Failed to establish call..informing SSG
d. Enable the debug dialer and debug isdn q921, 931 commands on the LAC and on the SOHO. A
common problem is ISDN status “not established.”
For Dialer interface configuration problems, cut and paste the configuration given in the
“Configuration Examples” section on page 14 again and look for any command rejections. Most
problems will have to do with ISDN (Layer 2).
Common problems found in the PPP debug messages are authentication failed and IPCP negotiation
failed.
SUMMARY STEPS
1. local-profile [profile-name]
2. attribute 26 9 251 “Rip-address;subnet-mask”
3. attribute 26 9 251 “Dip-address”
4. attribute 26 9 251 “Odomain-name”
5. exit
6. ssg open-garden profile-name
7. ssg bind service service {ip-address | interface-type interface-number}
DETAILED STEPS
Example:
Router(config-prof)# exit
Step 6 ssg open-garden profile-name Designates the service as an open garden
service.
Example:
Router(config)# ssg open-garden profile-name
Step 7 ssg bind service service {ip-address | Specifies the bindings for the service.
interface-type interface-number}
Note This step is required only if the
open garden is routed through a
Example: next-hop gateway.
Router(config)# ssg bind service og2 10.5.5.1
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# end
Step 3 show ssg pass-through-filter [begin expression | (Optional) Displays the downloaded filter for transparent
exclude expression | include expression] pass-through.
• Use this command to verify transparent pass-through
Example: configuration.
Router# show ssg pass-through-filter
SUMMARY STEPS
1. show ssg service [service-name [begin expression | exclude expression | include expression]]
2. show vpdn tunnel l2tp
3. show ssg open-garden
4. show ssg interface [brief]
5. show ip nat translations
6. clear ssg open-garden
DETAILED STEPS
Example:
Router# show ssg service
Step 2 show vpdn tunnel l2tp Shows L2TP tunnels established for tunnel services.
Example:
Router# show vpdn tunnel l2tp
Step 3 show ssg open-garden Shows the list of open-garden services created by the ssg
open garden command.
Example:
Router# show ssg open-garden
Step 4 show ssg interface [brief] Lists the SSG-enabled interfaces as uplink, downlink, and
featurelink.
Example: • Lists hosts on downlink interfaces and services bound
Router# Show ssg interface brief to the uplink interfaces.
Step 5 show ip nat translations Lists the NAT entries on SSG.
Example:
Router# Show ip nat translations
Step 6 clear ssg open-garden Removes all instances of the ssg open-garden command
from the configuration and removes the service object of all
the open garden services.
Example:
Router# clear ssg open-garden
Step 7 clear ssg service profile-name Removes the service from SSG.
• For authenticated services, this command clears all of
Example: the connections (that is, users) logged into that service.
Router# clear ssg service profile-name
Example:
Router# show ssg pass-through-filter
Step 9 clear ssg pass-through-filter (Optional) Removes the downloaded filter for transparent
pass-through.
Example:
Router# clear ssg pass-through-filter
SUMMARY STEPS
DETAILED STEPS
attribute 26 9 1 "vpdn:l2tp-tunnel-password=cisco"
attribute 26 9 1 "vpdn:ip-addresses=171.69.255.246"
attribute 26 9 1 "vpdn:tunnel-id=LAC18"
!
Configuring SSG L2TP Dial-Out for SSG Without SSG Auto-Domain Enabled: Example
The following example shows the minimum configurations needed for an SSG L2TP Dial-Out solution
with the auto-domain feature disabled. Figure 5 illustrates a sample SSG L2TP Dial-Out network.
AAA/SESM
75760
SSG LAC SOHO
Subscriber
In this configuration, the SSG user can access the SOHO in two ways, with an account logon and then a
service logon or with an account logon with service configured as an autologon service.
Use the following profile configuration when the SSG user accesses the SOHO with an account logon
with service configured as an autologon service:
user=abc {
radius-6510-SSG-v1.1 {
check_items= {
2=cisco
}
reply_attributes= {
9,250-”Asoho0;user@DNIS;cisco”
}
}
}
Configuring SSG L2TP Dial-Out for SSG with SSG Auto-Domain Enabled: Example
The following example shows the minimum configurations needed for an SSG L2TP Dial-Out solution
for an SSG with auto-domain enabled, one LAC and one SOHO.
In this configuration, the SSG user is assumed to access the SOHO with an account login and then a
service login with “user@dnis” as the username. In this solution, services are selected on the basis of
auto-domain configuration (basic or extended mode) and the global service configured for the SSG
dial-out.
dialer pool-member 1
isdn switch-type primary-5ess
no peer default ip address
no cdp enable
ppp authentication chap
!
interface Dialer1 ! Configures a special service policy and pool for user “user1.”
ip unnumbered loopback1
encapsulation ppp
dialer pool 1
dialer remote-name john
dialer idle-timeout 2147483
dialer string 3456048
dialer-group 1
service-policy output SETDSCP
peer default ip address pool soho_1
!
interface Dialer2 ! Configures a special service policy and pool for user “user7.”
ip unnumbered loopback1
encapsulation ppp
dialer pool 1
dialer remote-name gary
dialer idle-timeout 2147483
dialer-group 1
peer default ip address pool soho_OLAPP
pulse-time 0
ppp authentication chap
!
ip local pool soho_1 10.0.0.20 10.0.0.40
ip local pool soho_OLAP 11.0.0.10
AAA/SESM
Subscriber
SOHO20
75761
LAC11 SOHO11
user = soho11{
radius=6510-SSG-v1.1 {
check_items= {
2=cisco
}
reply_attributes= {
9,251="TT"
9,251="R170.0.0.1;255.0.0.0"
9,1="vpdn:ip-addresses=172.17.0.0" ! IP address of LAC11.
9,1="vpdn:l2tp-tunnel-password=lab"
9,1="vpdn:tunnel-type=l2tp"
9,1="vpdn:tunnel-id=lns_l2x0"
9,1="vpdn:dout-type=2"
}
}
}
ssg dial-out
dnis-prefix all service dialout_1
}
}
The following example shows how to add two DNIS prefixes to the exclude profile and to download a
DNIS exclude profile named “exclude_dnis_aaa” with a password of “cisco”:
ssg dial-out
exclude dnis-prefix 18085288110
exclude dnis-prefix 18085288111
download exclude-profile exclude_dnis_aaa cisco
Service Bound to Multiple Next Hops Through Same Uplink Interface: Example
In the following example, a service called “sample-serviceA” is bound to primary next-hop gateway
10.1.1.1 (with distance-metric = 10) and secondary next-hop gateway 10.2.2.2 (with distance-metric =
20). Both of the next-hop gateways are reachable through the same uplink interface: Ethernet interface
1/0.
!
ssg bind service sample-serviceA 10.1.1.1 10
ssg bind service sample-serviceA 10.2.2.2 20
!
interface ethernet 1/0
description connected to 10.0.0.2
ip address 10.0.0.1 255.255.255.0
ssg direction uplink
!
ip route 10.1.1.1 255.255.255.255 10.0.0.2
ip route 10.2.2.2 255.255.255.255 10.0.0.2
The following example shows how to enable SSG transparent pass-through and apply ACLs with it. The
ACLs are defined on the router, which allows traffic from 10.0.0.1/32 (an SNMP tool kept on the
downlink).
access-list 101 remark for upstream traffic
access-list 101 permit ip host 10.0.0.1 any
Additional References
The following sections provide references related to the Configuring SSG for Subscruber Services
features.
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
This chapter provides information about configuring the following Service Selection Gateway (SSG)
subscriber experience features:
• Hierarchical Policing
• TCP Redirection
• Per-Session Firewall
• DNS Redirection
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Configuring SSG Subscriber Experience Features, page 208
• Information About SSG Subscriber Experience Features, page 208
• How to Configure SSG Subscriber Experience Features, page 224
• Configuration Examples for Configuring SSG Subscriber Experience Features, page 250
• Additional References Related to SSG Subscriber Experience Features, page 255
• Feature Information for Configuring SSG Subscriber Experience Features, page 256
The SSG Hierarchical Policing feature limits the transmission rate of traffic based on a token bucket
algorithm that analyzes a packet and determines whether the packet should be forwarded to its
destination or dropped. A token bucket can be used to monitor upstream traffic (traffic sent by a
subscriber) or downstream traffic (traffic destined for a subscriber), and a bucket can be configured in
both directions for a user or a service profile.
As shown in Table 2, the committed rate, normal burst, and excess-burst are the user-configurable
parameters when configuring SSG Hierarchical Policing. These parameters are used by the SSG
Hierarchical Policing token buckets to evaluate traffic.
Parameter Purpose
committed-rate The committed-rate parameter is the amount of bandwidth that is
entitled to a subscriber (per-user policing) or to a service for a
particular subscriber (per-session policing). The token bucket
algorithm uses the committed-rate parameter for generating tokens
when a packet arrives.
The committed-rate parameter is equal to the minimum amount of
bandwidth that is guaranteed to a subscriber or service.
Note The committed rate is specified in bits per second, while the
normal burst and excess-burst sizes are specified in bytes.
Parameter Purpose
normal-burst The normal-burst parameter determines the maximum size of a traffic
burst before packets are dropped.
excess-burst The excess-burst size parameter is an optional variable that
determines the burst size beyond which all traffic is dropped. The
excess-burst size parameter is disabled when it is set lower than the
normal burst size.
If the excess-burst size parameter is configured, the traffic that falls
between the normal-burst size and the excess-burst sizes is dropped
based on a calculated probability (the probability that traffic will be
forwarded increases as the size of the configured excess-burst
parameter increases).
If a token bucket is configured with an excess-burst size, subscribers
and services using additional bandwidth will likely experience
sporadic drops (similar to the method in which packets are dropped by
using the Random Early Detection [RED] feature).
Before explaining the calculations used by the token bucket algorithm to drop or forward packets, an
understanding of actual and compound debt is useful.
When a normal or excess-burst is required to forward traffic, debt is incurred. The debt is then compared
to the configured parameters, and the algorithm either sends or drops the packet based on the
comparison.
The probability for the algorithm to forward large packets increases when a user or a service has been
idle for a long period of time.
Term Definition
actual debt The actual debt is the number of tokens that have been borrowed by
the current packet.
When a packet is forwarded by using a burst, the actual debt is
compared to the user-configured normal-burst size. If the actual debt
is less than the normal-burst size, the packet is forwarded. If the actual
debt is greater than the normal-burst size, the packet is either dropped
(excess-burst configuration is less than the normal-burst size) or
forwarded by using the excess-burst size (which is possible when the
excess-burst size is larger than the normal-burst size).
compound debt The compound debt is equal to the total number of tokens that have
been borrowed—in addition to the normal-burst allowance. Because
additional tokens cannot be borrowed when the excess-burst
parameter is not set, compound debt is only used when the
excess-burst parameter is set.
Compound debt is only a factor in forwarding a packet after the actual
debt exceeds the normal-burst size.
Compound debt is compared to the excess-burst size. If the compound
debt is less than the excess-burst size, the packet is forwarded. If the
compound debt is greater than the excess-burst size, the packet is
dropped.
The following steps describe how the algorithm that polices traffic operates:
1. The packet arrives. The packet size (Ps) is noted.
2. The time between the arrival of the last packet and the arrival of the current packet is calculated.
This calculation is called time difference (td).
3. The actual debt is calculated and is based on the following formula:
actual_debt = previous_actual_debt (Ad) + Ps
4. The tokens that can be generated by the arriving packet are calculated:
tokens = committed_rate (Ar) * td
5. The tokens are then compared to the actual debt.
a. If tokens > actual_debt, the actual debt for the packet is set at 0.
b. If tokens < actual debt, the actual debt is calculated by using the following formula:
actual_debt = actual_debt – tokens
6. The actual debt is compared to the normal burst to see if traffic should be forwarded or dropped.
a. If actual_debt < normal_burst, the packet conforms and is forwarded.
b. If actual_debt > normal_burst, the packet is dropped if the excess-burst size is not configured.
If actual_debt > normal_burst and the excess-burst size is configured, compound debt is
checked.
and port to the original packet’s destination. SSG uses the same redirect server if multiple TCP sessions
from the same user are redirected. When the TCP session terminates or is idle for more than 60 seconds,
SSG clears translations of packets made before the packets are sent to the captive portal. In host-key
mode with overlapping user IP addresses, redirection works only for host-keyed servers.
Note This feature applies only to non-PPP users. PPP users are always authenticated as part of the
PPP negotiation process. PPP users logging off from SESM are also redirected.
SSG TCP Redirect also restricts access to certain networks that are part of another authorized service.
For example, in Figure 20 the user is allowed to access ServiceA. IPTVService is part of ServiceA, but
the user is not authorized to access IPTVService. SSG redirects TCP sessions from the user to
IPTVService (10.1.1.1/32), but allows access to anywhere else in ServiceA (10.0.0.0/8).
ServiceA
10.0.0.0/8
87908
IPTVService 10.1.1.1/32
Note Use the CLI to configure the server group and to associate a port or port list to the server
group.
• Duration of captivation
• Service name (optional)
Note If you specify the optional service name, captivation is activated only when a user logs in to
that service.
Typically, if a service is connected, SSG forwards packets to a user and packets from a user even if the
packets do not match the protocol and TCP ports that are specified for redirection. However, the behavior
of initial captivation on the Cisco 10000 series router differs in the following ways:
• When a packet arrives from an SSG user and the packet matches the protocol and TCP ports
configured as the redirection filter, the packet is subject to initial captivation and is redirected. If the
packet does not match the redirection filter, it is not subject to initial captivation and the packet is
dropped.
• When a packet arrives from a service destined for an SSG user who is subject to initial captivation,
the packet is dropped.
The SSG TCP Redirect Access Control Lists feature allows you to use access lists to select TCP traffic
sessions for redirection or to prevent certain TCP traffic sessions from being redirected.
The following are examples of possible uses of this feature.
Ports or port lists can be used with the SSG TCP Redirect feature to control which applications are
redirected; however, some servers may provide non-HTTP application services on standard ports. The
TCP redirection servers may not be able to handle such applications. In these cases, ACLs can be used
to prevent redirection of TCP sessions to these types of application servers.
Location-Based Redirections
SSG TCP redirect ACLs can be used for location-based redirections. For example, a network might
include multiple SESMs, each of which is customized for a different location. SSG can be configured
with each SESM in a different TCP redirect group. Each TCP redirect group can be associated with an
ACL that permits a particular subnet of hosts from one location. The server groups can then be used for
location-based unauthenticated user or service redirections.
For captivation redirections, the messaging portal is used to redirect browsers to a different URL on
advertising servers. When captivation is active and the advertising servers are outside the SSG default
network and open gardens, the TCP session to such servers is redirected back to the messaging portal,
resulting in a loop. The SSG TCP Redirect Access Control Lists feature can be used to prevent
redirection of traffic to advertisement servers for captivation.
Cisco IOS software extended ACLs provide the option to configure a range of ports in an ACL entry.
Extended ACLs can be used with the SSG TCP Redirect feature for redirection on the basis of a range
of ports, without having to enter all the ports in the range into a port list.
An HTTP-proxy server is a server that acts like an HTTP (or web) server for the user, but is just a proxy.
Browsers such as Netscape, Mozilla, and Windows Internet Explorer can be configured to send all HTTP
traffic to an HTTP proxy server, which brings back the web pages from the real HTTP server. In this
document, the term traffic refers to HTTP traffic from the HTTP proxy user, and the term user (or HTTP
proxy user) refers to a user with HTTP proxy settings in his or her browser (unless otherwise stated).
When an HTTP proxy server is configured in a browser, HTTP traffic is always directed to the HTTP
proxy server. HTTP proxy servers are usually internal to a corporate intranet or Internet service provider
(ISP) and are usually not routable globally.
If an HTTP proxy user attempts to open a web page from a public wireless LAN (PWLAN), SSG drops
the HTTP traffic because the HTTP server is not routable by SSG. The SSG Permanent TCP Redirection
feature enables SSG to support users whose web browsers are configured with HTTP proxy servers.
Figure 21 shows an example of a typical wireless LAN (WLAN) topology that uses permanent TCP
redirection.
IP
network
Wireless Access Cisco SSG
access router
point
95811
The following steps provide a general description of how permanent TCP redirection works:
1. A user (IPu) enters a WLAN hot spot (a specific location in which an access point provides public
wireless broadband network services to mobile visitors) and opens the browser on his or her laptop.
The browser is configured with an HTTP-proxy server (IPw : Portw).
2. The user tries to open a web page; for example, http://www.example.com. The browser sends the
traffic to the HTTP proxy server (IPw : Portw).
3. SSG intercepts the traffic from unauthenticated user IPu and passes the traffic to the SESM captive
portal.
4. The SESM captive portal looks into the HTTP packet and determines if the packet is destined for
the HTTP proxy server. When the SESM captive portal determines that the packet is destined for an
HTTP proxy server, the SESM captive portal sends a message to SSG containing the user’s HTTP
proxy settings.
5. SSG stores the information (namely, that user IPu has the HTTP proxy server setting IPw : Portw).
From now on, SSG will redirect all traffic from user IPu and destined for IPw : Portw to the local
HTTP proxy server for unauthenticated users, which is running on SESM.
6. Once the user has been authenticated, SSG will redirect all traffic from the user IPu and destined for
IPw : Portw to the local HTTP proxy server for authenticated users, which is also running on SESM.
The SSG Permanent TCP Redirection feature supports the following functionality:
• SSG allows users with browsers that are configured with HTTP proxy servers to log in and connect
to the Internet. The HTTP proxy server can be configured as an IP address or a domain name.
• SSG supports users with HTTP proxy server configurations who also use Extensible Authentication
Protocol (EAP) authentication methods. SSG redirects the users to the SESM captive portal by using
the initial-captivation functionality.
• SSG supports users with HTTP proxy server configurations in PWLAN hot spots in which the hot
spot allows users to select from multiple ISPs. In such cases, each ISP must have an instance of the
HTTP proxy server running on SESM, and this instance can be defined in the ISP’s service profile.
ISPs can share the same HTTP server.
• SSG allows users to initiate an end-to-end Virtual Private Network (VPN) connection after users
have been authenticated and authorized to reach the Internet or VPN gateway.
• If an authenticated user selects a corporate service (a Layer 2 Tunnel Protocol (L2TP) tunnel service
that is initiated from SSG), the service can be configured so that SSG allows HTTP traffic to reach
the service without redirecting it to the local HTTP proxy server.
Note The corporate HTTP proxy server must be able to reach SESM in order for users to be able
to log off or manage services. To enable HTTP proxy users to reach SESM, give SESM a
globally routable IP address.
• SSG permanent TCP redirection is supported with or without the SSG Port-Bundle Host Key
feature.
• SSG accounting includes all HTTP traffic going to the HTTP proxy server, including the traffic
destined for the open garden or TCP-redirect server (which is otherwise not included in the
accounting).
Note If you use the CSG as the authenticated HTTP server, you can configure the CSG to prevent
HTTP traffic destined for the open garden or TCP redirect server from being included in
accounting.
• The SSG Permanent TCP Redirection feature is supported, even if the user is configured with an
exclude list for the HTTP proxy server and the home page (or first page) falls into the exclude list.
Table 4 lists the vendor-specific attributes that can be configured in the RADIUS service profile to
perform SSG permanent TCP redirection. The service profile is downloaded from the authentication,
authorization, and accounting (AAA) server as part of user authentication.
Table 4 Vendor-Specific RADIUS Attributes for the SSG Permanent TCP Redirection Feature
Subattribute Subattribute
Attribute ID Vendor ID ID Type Subattribute Data
26 9 251 Service-Info KWserver-group-name—When a user logs in to the service, SSG
redirects the user’s HTTP traffic to a server in the specified server
group. All the service features (such as quality of service (QoS)
and prepaid billing) are applied to the HTTP traffic.
Example: ssg-service-info = KWhttp-proxy-isp_a
26 9 251 Service-Info KW0—When a user logs in to the service, SSG allows all HTTP
traffic to go to the service, without redirection, as if there are no
HTTP-proxy server settings in the user’s browser.
Note Certain restrictions apply when using per-session firewalls for SSG. see Restrictions for Per-Session
Firewall, page 221, before configuring Per-Session firewalls.
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list |
extended-access-control-list}"
Syntax Description
Example
Cisco-AVpair = "ip:outacl#101=deny tcp 10.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Downstream Access Control List attribute can occur within a single
profile. Use one attribute for each ACL statement. You can use multiple attributes for the
same ACL. Multiple attributes are downloaded according to the number specified and are
executed in that order.
Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list |
extended-access-control-list}"
Syntax Description
Example
Cisco-AVpair = "ip:inacl#101=deny tcp 10.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Upstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. You can use multiple
attributes for the same ACL. Multiple attributes are downloaded according to the number
specified and are executed in that order.
• SSG ACLs take precedence over Cisco IOS software ACLs. If you configure a Cisco IOS software
ACL on an SSG interface by using the ip access-group command, the router applies the ACL as
long as an SSG ACL is not applied to the interface in the same direction. If an SSG ACL is applied
to the interface in the same direction, the router applies the SSG ACL.
Subattribute Subattribute
Attribute ID Vendor ID ID and Type Name Subattribute Data
26 9 251 Domain Name O{name1[;name2]...[;nameX] | *[;unauthenticated]}
Service-Info
name1—Domain name that gets DNS resolution from this server.
name2...x—Additional domain names that get DNS resolution
from this server.
*—Default domain for all DNS queries. Note that this cannot be
part of a list of domain names.
*O;unauthenticated—Default domain that applies to DNS queries
for unauthenticated users only. This is useful in a wireless LAN
environment in which SSG redirects all DNS queries for
unauthenticated users to the SESM DNS server, which can spoof
the responses if required.
Example:
ssg-service-info = "Ocisco.com;cisco-sales.com"
Example:
ssg-service-info = "O*;unauthenticated"
Cisco-AVpair Attributes
The Cisco-AVpair attributes are used in user and service profiles to configure ACLs and L2TP.
Table 6 lists the Cisco-AVpair attributes.
Attribute Description
Downstream Specifies either a Cisco IOS software standard ACL or an extended ACL to be
Access Control List applied to downstream traffic going to the user.
(outacl)
L2TP Tunnel Specifies the secret (the password) used for L2TP tunnel authentication.
Password
Upstream Access Specifies either a Cisco IOS software standard ACL or an extended ACL to be
Control List (inacl) applied to upstream traffic coming from the user.
VPDN IP Address Specifies the IP addresses of the home gateways (LNSes) to receive the L2TP
connections.
VPDN Tunnel ID Specifies the name of the tunnel that must match the tunnel ID specified in the
LNS VPDN group.
To configure a RADIUS user profile for per-user policing, add the following attribute to the user profile:
Account-Info = “QU;upstream-bandwidth;upstream-normal-burst;
[upstream-excess-burst];D;downstream-bandwidth;
downstream-normal-burst;[downstream-excess-burst]”
Example
Account-Info = “QU;80000;40000;50000;D;80000;40000;50000”
Note For details on how to modify a RADIUS user profile, see your RADIUS server documentation.
Example
Service-Info = “QU;40000;20000;25000;D;40000;20000;25000”
Note For details on how to modify a service profile for per-session policing on the AAA server, see your AAA
server documentation.
SUMMARY STEPS
1. enable
2. configure terminal
3. local-profile profile-name
4. attribute radius-attribute-id vendor-id cisco-vsa-type
“QU;upstream-token-rate;upstream-normal-burst;[upstream-excess-burst];D;downstream-token-rate;
downstream-normal-burst;downstream-excess-burst”
DETAILED STEPS
Example:
Router# configure terminal
Step 3 local-profile profile-name Enters profile configuration mode. Configures
a local RADIUS service profile.
Example:
Router(config)# local-profile profile-2065
Step 4 attribute radius-attribute-id vendor-id cisco-vsa-type Configures the policing attributes in a local
“QU;upstream-token-rate;upstream-normal-burst; RADIUS service profile.
[upstream-excess-burst];D;downstream-token-rate;
downstream-normal-burst;downstream-excess-burst” The Q parameter (as shown in the command)
represents QoS. The variables are used to
configure upstream (U) and downstream (D)
Example:
policing. The upstream traffic is the traffic
Router(config-prof)# attribute 26 9 251“QU;80000;40000;
50000;D;downstream-token-rate;40000;50000” that travels from the subscriber to the
network, while the downstream traffic is the
traffic that travels from the network to the
subscriber.
SSG Hierarchical Policing can be configured
in either direction or in both directions
simultaneously.
Note To disable SSG Hierarchical Policing on a router, use the no ssg qos police user and the no ssg qos
police session commands.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg qos police user
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg qos police user Enables SSG per-user policing on the router.
Example:
Router(config)# ssg qos police user
Step 4 ssg qos police session Enables SSG per-session policing.
Example:
Router(config)# ssg qos police session
SUMMARY STEPS
DETAILED STEPS
Example:
Router# debug ssg data
Note SSG must be enabled by configuring the ssg enable command before these configurations can be
completed. See the Service Selection Gateway feature module for Cisco IOS Release 12.2(4)B for
detailed information about configuring SSG.
Note You must enable Cisco Express Forwarding (CEF) on the router before SSG functionality can be
enabled.
SSG works with CEF switching technology to provide maximum Layer 3 switching performance.
Because CEF is topology-driven rather than traffic-driven, its performance is unaffected by network size
or dynamics.
SSG TCP Redirect for Services feature has the following restrictions:
• SSG TCP Redirect for Services requires Cisco SESM Release 3.1(1) to handle unauthenticated
redirections. For other types of redirection, SESM Release 3.1.1. is required.
• The server defined in a server group must be globally routable.
• Traffic from hosts with overlapping IP addresses can be redirected only to SESMs with port bundle
host keys.
• When overlapping IP address support is enabled (the host key feature is enabled), a host can reach
the SSG only by a particular interface on the SSG. All packets between the host and the SSG use
this interface and must not be changed.
• Once the servers in a group have been configured, the routes to those servers do not change. SSG
TCP Redirect for Services does not work if packets from servers that require redirection are received
on a non-SSG interface.
• SSG TCP Redirect for Services does not support TCP sessions that can remain idle for more than
one minute.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip cef
4. ssg enable
5. ssg tcp-redirect
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# ip cef
Step 4 ssg enable Enables SSG functionality.
Example:
Router(config)# ssg enable
Step 5 ssg tcp-redirect Enables SSG TCP redirect.
Example:
Router(config)# ssg tcp-redirect
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. server-group group-name
5. server ip-address port
6. (Optional) Repeat steps 3. to 5. for each captive portal group.
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# ssg tcp-redirect
Step 4 server-group group-name Defines the group of one or more servers that
make up a named captive portal group and
enters SSG-redirect-group configuration mode.
Example:
Router(config-ssg-redirect)# server-group capt_portgroup group-name—Name of the captive portal group.
Step 5 server ip-address port Adds a server to a captive portal group.
• ip-address—IP address of the server to add
Example: to the captive portal group.
Router(config-ssg-redirect-group)# server 10.2.2.2 24
• port—TCP port of the server to add to the
captive portal group.
Step 6 (Optional) Repeat steps 3. to 5. for each captive portal group. Defines additional groups of servers to add to
the captive portal group.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. redirect captivate initial default group group-name duration seconds
5. redirect captivate advertising default group group-name duration seconds frequency frequency
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# ssg tcp-redirect
Step 4 redirect captivate initial default group group-name Selects the default captive portal group for
duration seconds initial captivation of users upon initialization.
• group-name—Name of the captive portal
Example: group.
Router(config-ssg-redirect)# redirect captivate initial
default group group-name duration seconds • seconds—The duration in seconds of the
initial captivation. The valid range is 1 to
65,536 seconds.
Step 5 redirect captivate advertising default group group-name Selects the default captive portal group for
duration seconds frequency frequency captivation of advertisements for users.
• group-name—Name of the captive portal
Example: group.
Router(config-ssg-redirect)# redirect captivate
advertising default group group-name duration seconds • seconds—The duration in seconds of the
frequency frequency advertising captivation. The valid range is 1
to 65,536 seconds.
• frequency—The frequency in seconds at
which TCP packets are redirected to the
captive portal group. The valid range is 1 to
65536 seconds.
Prerequisites
This task assumes that you know how to configure an IP access control list.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. server-group group-name
5. server ip-address port
6. exit
7. redirect port port-number to group-name
or
redirect port-list port-listname to group-name
8. redirect access-list {number | name} to group-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg tcp-redirect Enables SSG TCP redirect functionality and enters
SSG-redirect configuration mode.
Example:
Router(config)# ssg tcp-redirect
Step 4 server-group group-name Defines the group of one or more servers that make up a
named captive portal group and enters SSG-redirect-group
configuration mode.
Example:
Router(config-ssg-redirect)# server-group SESM1 • group-name—Name of the captive portal group.
Example:
Router(config-ssg-redirect-group)# exit
Step 7 redirect port port-number to group-name (Optional) Configures a TCP port or named TCP port list
for SSG TCP redirection.
or
• port—Specifies a TCP port to mark for SSG TCP
redirect port-list port-listname to group-name
redirection.
• port-list—Specifies the named TCP port list to mark
for SSG TCP redirection.
Example:
Router(config-ssg-redirect)# redirect port 80 • port-number—Specifies the incoming destination port
to SESM1 number of the TCP port to mark for SSG TCP
redirection.
or
• group-name—Defines the name of the captive portal
Router(config-ssg-redirect)# redirect port-list
portlist1 to SESM1
group to redirect packets that are marked for a
destination port or named TCP port list.
• port-listname—Specifies the name of the named TCP
port list.
Step 8 redirect access-list {number | name}[to Configures an access control list for SSG TCP redirection.
group-name]
• If a server group is not specified, the access list is used
for redirection to any server group that does not have an
Example: access list associated with it.
Router(config-ssg-redirect)# redirect
access-list 80 to SESM1
SUMMARY STEPS
DETAILED STEPS
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. redirect unauthenticated-user to group-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg tcp-redirect Enables SSG TCP redirect.
Example:
Router(config)# ssg tcp-redirect
Step 4 redirect unauthenticated-user to group-name Selects a captive portal group for redirection of
traffic from unauthenticated users.
Example: • group-name—Name of the captive portal
Router(config-ssg-redirect)# redirect group.
unauthenticated-user to mygroupname
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. port-list port-listname
5. port port-number
6. exit
7. redirect port port-number to group-name
or
redirect port-list port-listname to group-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg tcp-redirect Enables SSG TCP redirect.
Example:
Router(config)# ssg tcp-redirect
Step 4 port-list port-listname Defines the port list and enters SSG-redirect-port
configuration mode.
Example: • port-listname—Defines the name of the port list.
Router(config-ssg-redirect)# port-list myportlist
Step 5 port port-number Adds a port to a port list.
• port-number—Incoming destination port
Example: number. The valid range of port numbers is 1 to
Router(config-ssg-redirect-port)# port 65534 65535
Example:
Router(config-ssg-redirect-port)# exit
Step 7 redirect port port-number to group-name Configures a TCP port or named TCP port list for
SSG TCP redirection.
or
• port—Specifies a TCP port to mark for SSG
redirect port-list port-listname to group-name
TCP redirection.
• port-list—Specifies the named TCP port list to
Example: mark for SSG TCP redirection.
Router(config-ssg-redirect)# redirect port 65534 to
myportgroup • port-number—Specifies the incoming
destination port number of the TCP port to mark
or for SSG TCP redirection.
• group-name—Defines the name of the captive
Router(config-ssg-redirect)# redirect port-list
myportlist to myportgroup
portal group to redirect packets that are marked
for a destination port or named TCP port list.
• port-listname—Specifies the name of the named
TCP port list.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. network-list network-listname
5. network ip-address
6. exit
7. redirect unauthorized-service [destination network-list network-listname] to group-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg tcp-redirect Enables SSG TCP redirect.
Example:
Router(config)# ssg tcp-redirect
Step 4 network-list network-listname Defines the network list and enters
SSG-redirect-network configuration mode.
Example: • network-listname—Defines the name of the
Router(config-ssg-redirect)# network-list network list.
mynetworklist
Step 5 network ip-address Adds the specified IP address to the named network
list.
Example: • ip-address—The IP address to add to a named
Router(config-ssg-redirect-network)# network network list.
ip-address 10.2.2.2
Step 6 exit Exits SSG-redirect-network configuration mode.
Example:
Router(config-ssg-redirect-network)# exit
Step 7 redirect unauthorized-service [destination Creates a list of destination IP networks that can be
network-list network-listname] to group-name redirected by the named captive portal group.
• (Optional) destination network-list—Checks
Example: to determine if incoming packets from
Router(config-ssg-redirect)# redirect authenticated hosts require redirection to
unauthorized-service destination network-list
authorized networks.
mynetworklist to myportgroup
• (Optional) network-listname—Name of the list
of destination IP networks.
• group-name—Name of the captive portal group.
Note If you do not specify a destination IP
network by configuring the optional
destination network-list keywords, the
captive portal group specified in the
group-name argument is used as the default
group for unauthorized service redirection
when the IP address of the unauthorized
packet does not fall into any network list
associated with the captive portal group.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. redirect smtp group group-name [all | user]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg tcp-redirect Enables SSG TCP redirect.
Example:
Router(config)# ssg tcp-redirect
Step 4 redirect smtp group group-name [all | user] Selects a captive portal group for redirection of
SMTP traffic.
Example: • group-name—Name of the captive portal group.
Router(config-ssg-redirect)# redirect smtp group
myportgroup all
• (Optional) all—All SMTP packets are
forwarded.
• (Optional) user—Forwards SMTP packets from
users who have SMTP forwarding permissions.
Note If you do not configure the optional all or
user keywords, the default is all.
Table 7 Vendor-Specific RADIUS Attributes for the SSG TCP Redirect for Services Feature
Attribute Account-Info
ID VendorID SubAttrID SubAttr Name SubAttrDataType Feature Code
26 9 250 Account-Info String R
Note To enable HTTP proxy users to reach SESM, provide a globally routable IP address to
SESM.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg tcp-redirect
4. redirect permanent http authenticated to server-group
5. redirect permanent http unauthenticated to server-group
6. end
7. Configure the RADIUS service profile to support permanent TCP redirection, see “RADIUS
Attributes for SSG Permanent TCP Redirection” section on page 219.
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ssg tcp-redirect Enables SSG TCP redirect and enters SSG-redirect
configuration mode.
Example:
Router(config)# ssg tcp-redirect
Step 4 redirect permanent http authenticated to Specifies a server group for permanent TCP redirections for
server-group authenticated users with HTTP proxy server configurations.
• server-group—Name of the local HTTP proxy server
Example: group for authenticated users
Router(config-ssg-redirect)# redirect permanent
http authenticated to auth_servergroup
Step 5 redirect permanent http unauthenticated to Specifies a server group for permanent TCP redirections for
server-group unauthenticated users with HTTP proxy server
configurations.
Example: • server-group—Name of the local HTTP proxy server
Router(config-ssg-redirect)# redirect permanent group for unauthenticated users
http unauthenticated to unauth_servergroup
Step 6 end (Optional) Returns to global configuration mode.
Example:
Router(config-ssg-redirect)# end
Step 7 Configure the RADIUS service profile to support The RADIUS service profile is downloaded from the AAA
permanent TCP redirection. server as part of service authorization. Configure one of the
following attributes in the service profile to support
permanent TCP redirection:
• ssg-service-info = KWserver-group-name
• ssg-service-info = KW0
See the “RADIUS Attributes for SSG Permanent TCP
Redirection” section on page 219 for more information
about the RADIUS attributes for permanent TCP
redirection.
SUMMARY STEPS
1. show running-config
2. show ssg tcp-redirect group [group-name]
3. show ssg tcp-redirect mappings [ip-address [interface]]
4. show ssg host ip-address
DETAILED STEPS
ssg tcp-redirect
network-list RedirectNw
network 10.16.10.0 255.255.255.0
network 10.20.0.0 255.255.0.0
!
port-list WebPorts
port 80
.
.
.
.
Step 2 show ssg tcp-redirect group [group-name] Displays a list all configured captive portal
groups, and indicates which group is used for
redirected packets from unauthorized users.
Example:
This show command also displays which captive
Router# show ssg tcp-redirect group portal groups are the default groups for
captivation and unauthorized service
Current TCP redirect groups:
RedirectServer redirection.
CaptivateServer • group-name—(optional) Name of the
SMTPServer
SSD
captive portal group.
If you do not enter the optional group-name
Unauthenticated user redirect group:RedirectServer
argument, the show ssg tcp-redirect group
Default service redirect group:SSD
SMTP forwarding group:SMTPServer, for all users command displays a list of all defined portal
Default initial captivation group:CaptivateServer, groups. If the group-name argument is included,
for 10 seconds the command displays information about the
Default advertising captivation group:CaptivateServer, specified portal group.
for 30 seconds approximately every 3600 seconds
SUMMARY STEPS
DETAILED STEPS
Note Certain restrictions apply when configuring per-session firewalls. Before configuring a per-session
firewall, see Per-Session Firewall Overview, page 220.
To configure SSG ACLs, configure the following Cisco-AV pair attributes in your user or service profile
on the AAA server:
• Downstream Access Control List (outacl)
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list |
extended-access-control-list}"
Note The method used to configure these attributes depends upon the AAA server. see your AAA server
documentation for details.
Note Certain restrictions apply when configuring default DNS redirection. Before configuring default DNS
redirection, see Default DNS Redirection Overview, page 222.
Configuring DNS Redirection in a Local Service Profile using the Cisco IOS CLI
This task configures SSG default DNS redirection in a local service profile.
You can also configure SSG default DNS redirection by adding the VSA for default DNS redirection to
the service profile on the RADIUS server. See the SSG Domain Name Vendor-Specific Attribute,
page 223 for information about the Domain Name VSA.
SUMMARY STEPS
1. enable
2. configure terminal
3. local-profile profile-name
4. attribute 26 9 251 "O*[;unauthenticated]"
5. end
6. show ssg service [service-name [begin expression | exclude expression | include expression]]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 local-profile profile-name Configures a local service profile and enters profile
configuration mode.
Example:
Router(config)# local-profile og-dns
Step 4 attribute 26 9 251 "O*[;unauthenticated]" Configures the attribute for default DNS redirection in a
local service profile.
Example:
Router(config-prof)# attribute 26 9 251 "O*"
Step 5 end (Optional) Returns to privileged EXEC mode.
Example:
Router(config-prof)# end
Step 6 show ssg service [service-name [begin (Optional) Displays the information for about a service. The
expression | exclude expression | include output for this command indicates if default DNS matching
expression]]
is enabled and whether it is valid for unauthenticated users
only.
Example:
Router# show ssg service og-dns
The following example shows how to define a port list named “WebPorts” and adds TCP ports 80 and
8080 to the port list. The port list named “WebPorts” is configured to be redirected by the captive portal
group named “Redirect Server”:
ssg enable
ssg tcp-redirect
port-list WebPorts
port 80
port 8080
exit
redirect port-list WebPorts to RedirectServer
In the following example, because no destination network list is specified, the captive portal group
named “RedirectServer” is used as the default group for unauthorized service redirection.
ssg enable
ssg tcp-redirect
network-list RedirectNw
network 10.16.10.0 255.255.255.0
network 10.20.0.0 255.255.255.0
exit
redirect unauthorized-service to RedirectServer
In the following example the captive portal group named “SMTPServer” is used to forward any SMTP
packets from authorized users.
ssg enable
ssg tcp-redirect
redirect smtp group SMTPServer all
Note The RADIUS attributes shown in the following examples are configured in the user profiles on the AAA
server. The user profile is downloaded from the AAA server as part of user authentication.
The following example shows how to configure the user profile for initial captivation on account login
to one of the servers in the captive portal group named “CaptivateGrpA” for 300 seconds:
ICaptivateGrpA;300
The following example shows how to configure the user profile for initial captivation upon service login
to the service “Games”:
ICaptivateGrpB;240;Games
The following example shows how to configure the user for captivation of advertisements while the host
is logged in to SSG:
ACaptivateGrpA;300;3600
The following example shows how to configure the user for captivation of advertisements to one of the
servers in the captive portal group called “CaptivateGrpB” for 240 seconds. The captivation of
advertisements begins when the user starts using the “Games” service and approximately every 1800
seconds thereafter:
ACaptivateGrpB;240;1800;Games
When a default DNS domain is configured, the output for the show ssg service command includes the
following:
Default domain matching is Enabled
When a default DNS domain is configured for unauthenticated users only, the output for the show ssg
service command includes the following:
Default domain matching is Enabled - valid only for unauthenticated users
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Wide-Area Networking Command Reference,
Release 12.3 T
SESM Cisco Subscriber Edge Services Manager
Cisco Service Selection Dashboard
RADIUS commands Cisco IOS Security Command Reference, Release 12.3 T
RADIUS configuration tasks Cisco IOS Security Configuration Guide
Standards
Standards Title
No new or modified standards are supported by this —
feature. Support for existing standards has not been
modified by this feature.
MIBs
MIBs MIBs Link
No new or modified MIBs are supported by this To locate and download MIBs for selected platforms, Cisco IOS
feature. Support for existing MIBs has not been releases, and feature sets, use Cisco MIB Locator found at the
modified by this feature. following URL:
http://www.cisco.com/go/mibs
RFCs
RFCs Title
No new or modified RFCs are supported by this —
feature. Support for existing RFCs has not been
modified by this feature.
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 8 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 8 Feature Information for Configuring SSG Subscriber Experience Features (continued)
Service Selection Gateway (SSG) supports the following methods of subscriber logoff:
• Graceful logoff, in which the subscriber initiates the logoff procedure at the end of a session
• Disconnection through the Web Services Gateway (WSG)
• The SSG Autologoff feature, which automatically logs off SSG subscribers
• Session timeouts and idle timeouts
This document describes these logoff methods and explains how to configure SSG to implement them.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Finding Support Information for Platforms and Cisco IOS Software Images
Your Cisco IOS software release may not support all features. To find information about feature support
and configuration, use the “Feature Information for Configuring SSG to Log Off Subscribers” section
on page 266.
Contents
• Prerequisites for Configuring SSG to Log Off Subscribers, page 259
• Information About Configuring SSG to Log Off Subscribers, page 260
• How to Configure SSG to Log Off Subscribers, page 262
• Configuration Examples for Configuring SSG to Log Off Subscribers, page 265
• Additional References, page 265
Graceful Logoff
Graceful logoff occurs when the subscriber decides to end a session and clicks the Log Off button. This
is the typical method of ending a session, and SSG supports it by default; you do not have to configure
SSG to support graceful logoff.
SSG Autologoff
When SSG automatic logoff (autologoff) is configured, SSG checks the status of the connection with
each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates
the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP
ping. The following sections provide more information about SSG Autologoff:
• SSG Autologoff Using ARP Ping, page 260
• SSG Autologoff Using ICMP Ping, page 261
• MAC Address Checking for Autologoff, page 261
• Benefits of SSG Autologoff, page 261
Note ARP ping should be used only in deployments where all hosts are directly connected to SSG through
a broadcast interface, such as an Ethernet interface, or a bridged interface, such as a routed bridge
encapsulation (RBE) or an integrated routing and bridging (IRB) interface.
ARP request packets are smaller than ICMP ping packets, so Cisco recommends that you configure SSG
autologoff to use ARP ping in deployments where hosts are directly connected.
• Session-Timeout—An attribute that specifies the maximum length of time for which a host or
connection can remain continuously active.
• Idle-Timeout—An attribute that specifies the maximum length of time for which a session or
connection can remain idle before it is disconnected.
User Session-Timeout and Idle-Timeout can be present in the user-profile RADIUS attributes and can
be configured globally. When present, these attributes are applied to each user session and supersede the
global configuration.
Service Session-Timeout and Idle-Timeout are configured in the service profile and apply individually
to each service connection.
The Idle-Timeout and Session-Timeout attributes in the profile are standard RADIUS attributes as
described in RFC 2865.
Restrictions
The following restrictions apply to the SSG Autologoff feature:
• You should use only ARP ping in deployments in which all hosts are directly connected (on Layer
2) to SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as
a routed bridge encapsulation or integrated routing and bridging (IRB) interface. You can use
Internet Control Message Protocol (ICMP) ping in all types of deployment.
• ARP ping works only on hosts that have a MAC address. So, for example, ARP ping does not work
for PPP users because they do not have a MAC table entry.
• ARP ping does not support overlapping users’ IP addresses.
• SSG autologoff that uses the ARP ping mechanism does not work for hosts that have static ARP
entries.
• You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping.
• Session reuse is not prevented if a malicious host performs a MAC address spoof.
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# ssg auto-logoff arp
match-mac-address interval 60
Step 2 ssg auto-logoff icmp [timeout milliseconds] [packets Configures SSG to automatically log off hosts that
number] [interval seconds] have lost connectivity with SSG and to use the ICMP
ping mechanism to detect connectivity.
Example:
Router(config)# ssg auto-logoff icmp timeout 300
packets 3 interval 60
Note To configure timeouts specific to RADIUS proxy subscribers, see the “RADIUS Proxy Timers” and
“Configuring Timers for RADIUS Proxy” sections in the “Configuring SSG to Serve as a RADIUS
Proxy” module.
SUMMARY STEPS
1. ssg timeouts
2. idle seconds
3. session seconds
DETAILED STEPS
Example:
Router(config)# ssg timeouts
Example:
Router(ssg-timeouts)# idle 60
Step 3 session seconds Sets the global session timeout.
Example:
Router(ssg-timeouts)# session 60
SUMMARY STEPS
DETAILED STEPS
Example:
Router# debug ssg ctrl-errors
Step 2 debug ssg ctrl-events Displays all event messages for control modules, including
autologoff events.
Example:
Router# debug ssg ctrl-events
Step 3 debug ssg ctrl-packets Displays packet contents handled by control modules.
Example:
Router# debug ssg ctrl-packets
Step 4 debug ssg data Displays all data-path packets.
Example:
Router# debug ssg data
The following example shows how to enable SSG MAC address checking for autologoff and to specify
an ARP ping interval of 60 seconds:
ssg auto-logoff arp match-mac-address interval 60
Additional References
The following sections provide references related to disconnecting SSG subscribers and services.
Related Documents
Related Topic Document Title
Configuring SESM Cisco Subscriber Edge Services Manager documentation.
RFCs
RFCs Title
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 9 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Cisco Service Selection Gateway (SSG) accounting features allow a service provider to decide how to
configure billing and accounting for its users. This module describes how to configure SSG accounting
features including per-host or per-service accounting, broadcast accounting, prepaid service support, and
postpaid tariff switching.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG Accounting, page 269
• Information About SSG Accounting, page 269
• How to Configure SSG Accounting, page 286
• Configuration Examples for SSG Accounting, page 296
• Additional References, page 297
• Additional References, page 297
Note The Proxy-state attribute is not normally present in both the accounting-start and accounting-stop record.
It is normally found in only one of them.
Example RADIUS Accounting-Stop Record Sent by SSG When a User Logs Out
This example shows the information contained in a RADIUS accounting-stop record.
User-Name = “user1”
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed
Framed-Protocol = PPP
NAS-IP-Address = 192.168.0.0
NAS-Port-Type = Virtual
Acct-Session-Time = 77
Acct-Terminate-Cause = User-Request
The Acct-Session-Time attribute indicates the length of session, expressed in seconds. The
Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the
following events:
• User-Request
• Session-Timeout
• Idle-Timeout
• Lost-Carrier
NAS-IP-Address = 192.168.2.48
NAS-Port = 0
NAS-Port-Type = Virtual
Acct-Session-Id = "00000002"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 84
Acct-Input-Octets = 0 ! Downstream packet counts
Acct-Output-Octets = 649 ! Upstream packet counts
Acct-Input-Packets = 0 ! Downstream byte counts
Acct-Output-Packets = 17 ! Upstream byte counts
Framed-IP-Address = 192.168.101.10 ! User’s IP address
Control-Info = "I0;0" ! high_32_dnst_byte;low_32_dnst_byte
Control-Info = "O0;649" ! high_32_upst_byte;low_32_upst_byte
Service-Info = "NService1.com" ! servicename
Service-Info = "Uuser1" username-for-service
Service-Info = "TP"
Acct-Delay-Time = 0
Interim Accounting
The SSG supports interim (intermittent) RADIUS accounting updates between the time that SSG sends
accounting-start and accounting-stop records. The interim accounting records are sent at a configurable
interval, and are valid for both hosts and service connections.
Per-Host Accounting
Per-host accounting is the aggregate of all the connection traffic for a host. SSG does not account for the
following types of traffic:
• Between the host and the default-network.
• To open gardens.
• Redirected by the TCP Redirect feature.
• Permitted by pass-through filters.
Per-host accounting records all other traffic.
By default, SSG sends host and service accounting records. A service provider only interested in host
records can disable service (per-connection) accounting with the ssg accounting per-host command.
The per-host accounting records are sent to the local authentication, authorization, and accounting
(AAA) server configured with the radius-server host command.
Per-Service Accounting
By default, SSG sends host and service accounting records. A service provider only interested in service
records can disable host accounting with the ssg accounting per-host command. Service
Accounting-Stop records can be throttled by using the ssg accounting stop rate-limit command.
Broadcast Accounting
SSG supports broadcast accounting, which is the ability to send user accounting records to multiple
RADIUS servers. The SSG broadcast accounting feature provides service providers with geographical
redundancy for RADIUS servers, and provides accounting records to partners in wholesale models.
Note Broadcast accounting is not the same as RADIUS server failover: It requires that clones of host
accounting packets are always forwarded to each of the configured servers, not only when the primary
server fails.
Subattribute
Attribute ID Vendor ID ID and Type Attribute Name Subattribute Data
26 9 251 Service Authorization The value “Z” indicates that
Service-Info authorization is required.
To obtain the first quota for a connection, SSG submits an authorization request to the AAA server. The
AAA server contacts the prepaid billing server, which returns the quota values to SSG. SSG then
monitors the connection to track the quota usage. When the quota runs out, SSG performs
reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if
there is available credit. If no further quota is provided, SSG logs the user off from the service that has
run out of quota.
This section contains the following topics:
• Service Authorization, page 274
• Service Reauthorization, page 276
• Accounting Records and Prepaid Billing, page 276
• Simultaneous Volume- and Time-Based Prepaid Billing, page 277
• SSG Prepaid Idle Timeout, page 277
• SSG Prepaid Reauthorization Threshold, page 279
• SSG Prepaid Redirection on Quota Exhaustion Feature, page 279
• Default Quota for Prepaid Server Failure, page 280
• Benefits of the SSG Prepaid Feature, page 280
Service Authorization
When a user tries to access a service, SSG downloads the service profile. The presence of the “Z” value
in the service profile indicates that this particular service needs to be prepaid, and that SSG must perform
authorization before providing access.
Once a service has been identified as prepaid, SSG generates an Access-Request packet called a Service
Authorization Request. The contents of this type of Access-Request packet are described in Table 11.
The prepaid billing server generally performs quota authorization based on the same key that was used
for authentication. For example, for mobile wireless networks, where the unique key that is used for
authentication is the Calling-Station-ID attribute (attribute 31), the quota authorization would also be
performed using the Calling-Station-ID attribute.
The prepaid billing server responds to the Service Authorization Request packet with an Access-Accept
packet (the Service Authorization Response) that defines the quota parameters for the connection. The
Service Authorization Response is listed in Table 12. Access to the service is provided based on the
presence and contents of the Quota VSA in the Access-Accept packet listed in Table 13.
Subattribute
Attribute ID Vendor ID ID and Type Attribute Name Subattribute Data
26 9 253 Quota Q—Control-Info code for prepaid
Control-Info quota.
T or V—Quota subcode for time or
volume.
Numeric string—Quota value.
Based on the presence and value of quota attributes in the authorization response, SSG will take the
following actions:
• If a nonzero quota is returned in the authorization response, SSG creates a connection to the service
using the initial quota value in seconds for time and bytes for volume.
• If a value of zero in a quota is returned in the authorization response, then the user has insufficient
credit and is not authorized to use that service.
• If the quota attribute is not present in the authorization response, SSG treats the connection as
postpaid.
In the case of volume quota, instead of SSG using a single token, two quota tokens can be allocated to
accommodate the tariff switching functionality.
Service Reauthorization
When the quota for the connection reaches zero, SSG issues a Service Reauthorization Request to the
billing server. For volume-based billing, SSG decrements the volume-based quota until it runs out. For
time-based billing, the connection is allowed to proceed for the quota duration. The Service
Reauthorization Request includes an SSG VSA called Quota Used, which has the same format as the
Quota VSA described in Table 13. The content of the Service Reauthorization Request is described in
Table 14.
Note Both the time and volume quota parameters must be nonzero.
The simultaneous volume- and time-based prepaid billing feature can interwork with the prepaid
idle-timeout functionality and volume threshold. Table 15 describes the attributes contained in a
Service-Authorization response packet.
SSG returns the quota in a reauthorization request and adds a VSA called the Reauthorization Reason
attribute, which verifies that the reauthorization request is to return the quota to the user, and not to query
for more quota. The content of the Reauthorization Reason attribute is described in Table 16.
The interworking of idle-timeout and dual-quota functionality with the existing prepaid features is
shown in Table 17.
Note When SSG redirects a user to a portal page, it maintains the user’s connection to the original service,
although any traffic passing through the connection is dropped. This enables the user to replenish quota
without requiring a subsequent service login, provided that the reauthorization timout has not been
exceeded.
Subattribute ID
Attribute ID Vendor ID and Type Attribute Name Subattribute Data
26 9 251 Service-Info Prepaid Default PZQT seconds—sets a default
Quota time quota.
or
PZQVbytes—sets a default
volume quota.
Real-Time Billing
The SSG Prepaid feature allows for real-time billing with maximum flexibility, regardless of the type of
service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.
Threshold Values
The SSG Prepaid Reauthorization Threshold feature can prevent revenue leaks by enabling the user to
configure a threshold value. Configuring a threshold value causes user connections to be reauthorized
before the user completely consumes the allotted quota for a service.
Note SSG is not involved in computing the billing rate changes that occur at tariff switch points.
Billing rate change computations are performed by the prepaid billing server.
SSG supports prepaid tariff switching by using two quota tokens that correspond to the pretariff switch
time period and posttariff switch time period.
In the authorization response, the prepaid billing server specifies the tariff change time and the tokens
for post-switch and pre-switch periods in its authorization response to SSG.
Note The tariff change time denotes the delay, in seconds, between the authorization and the tariff
switch.
SSG uses the prepaid tariff switch quota until the tariff switch occurs. Upon tariff switch, SSG performs
a token switch and starts using the postpaid tariff quota for prepaid connection monitoring.
Reauthorization occurs only when either of these tokens is exhausted, not when a tariff change occurs.
Event Action
An authorization response is received Tariff switching is enabled on SSG for a given prepaid
containing the dual-quota token tariff connection.
switch attribute.
During data forwarding, the quota runs SSG performs a reauthorization in the same way as in a no
out before the tariff switch occurs. tariff switching case. The prepaid billing server may
recalculate the tariff switch time and send the response
again. Note that tariff switch attributes are not included in
the reauthorization response.
During data forwarding, the tariff switch SSG switches from the current quota token to the second
time elapses after the last authorization. quota token. The new quota token is now used for real-time
accounting.
During data forwarding, the quota runs SSG will send the quota usage in pre- and posttariff periods
out after the tariff switch. back to the prepaid server in the authorization response.
The user logs out of the service after the SSG will report the quota usage in the pre- and posttariff
tariff switch. switch periods in the Accounting Stop packet.
The user logs out of the service before SSG sends a normal Accounting-Stop packet, as in the
the tariff switch. nontariff switching case.
Interim accounting If the connection is in the posttariff switch period, SSG will
report quota usage in the pre- or posttariff switching periods
in the interim accounting packet.
Subattribute
Attribute ID Vendor ID ID and Type Attribute Name Subattribute Data
26 9 253 Quota Q—Control-Info code for prepaid quota.
Control-Info
X—Tariff switch code for prepaid quota.
time;—Tariff switch time, in seconds.
volume;—Preswitch quota volume token,
in bytes.
volume— Postswitch quota volume
token, in bytes.
The VSA shown in Table 21 is used in reauthorization requests and accounting packets. This VSA is
used in addition to the usual Quota Volume attribute that indicates the total volume usage in a
connection. Table 21 describes the VSA content.
Subattribute
Attribute ID Vendor ID ID and Type Attribute Name Subattribute Data
26 9 253 Quota Q—Control-Info code for prepaid quota.
Control-Info
B;—Tariff switch code for denoting the
total volume used after the last tariff
switch.
volume—Total volume of traffic in that
connection (since start) after the last tariff
switch, in bytes.
time—Tariff switch time in the UNIX
time stamp. This is used only in postpaid
service accounting records.
Note Only one interim accounting record in every tariff switching interval plus an Accounting-Stop
record is required for the billing server to reconstruct the usage information before and after the
switching time.
The following example illustrates how the accounting interim updates would look in various tariff switch
periods and how the billing server has to interpret the records to obtain the individual usages in the
various intervals.
Consider a user logged in to the connection at time T0. The tariff switch points in that week are Tx, Ty,
and Tz. The user logs off at T1.
Accounting records A1 through A5 were sent in the various tariff switching intervals. All interim
accounting records contain the total volume of traffic sent in the connection from start until that point in
time. This volume of traffic value is available in the standard accounting attributes and the SSG
Accounting VSAs. For records sent after a tariff switch, the tariff switch VSA indicates usage since the
last tariff switch point.
Accounting record A1 does not contain any tariff switch VSAs. Accounting record A2 contains a tariff
switch VSA to indicate the usage since the last tariff switch point (Tx). Note that more than one interim
accounting record can be sent in the interval, depending on the accounting interval configured. It is
possible to derive the usage in the various intervals even if only one accounting record in an interval was
successfully sent. The following sequence shows how the billing server calculates usage in the interval
between Tx and Ty.
Record A2 contains total volume (V2) and usage since the last tariff switch point Tx (T2). The amount
of usage in interval (T0,Tx) is represented as V(0,x) = V2 – T2.
Record A3 contains total volume (V3) since start of connection, and the last tariff switch point Ty (T3).
The amount of usage in interval (T0,Ty) is represented as V(0,y) = V3 – T3. The amount of usage in
interval (Tx,Ty) is represented as V(x,y) = V(0,y) – V(0,x).
Note Accounting-Stop record A5 also contains only the total volume and the usage since the last tariff switch
point, and not the usage in the various intervals.
The information in these interim accounting records enables the service provider to derive the
accounting information in the various tariff switching intervals.
Tariff quota is considered to be exhausted when prepaid tariff quota (PRE) is exhausted before tariff
switching, or when the postpaid tariff (POST) quota is exhausted after tariff switch. The interworking of
dual quota functionality with tariff switching and idle-timeout is shown in Table 23.
Note In Table 23, QT represents time-based quota, and QX represents quota for prepaid and postpaid tariff
switching. TS denotes time of tariff switch, PRE denotes prepaid switch quota, and POST denotes
postpaid switch quota. QXTS;PRE;POST represents QX time-of-tariff-switch; prepaid-switch-quota;
postpaid-switch-quota.
If dual quota was allotted in the earlier authorization, the reauthorization request contains both the
volume and time attributes. The volume attributes may include the quota for tariff switching (QB) or the
volume-based quota (QV) when the connection is made in the post-tariff switch period. The
reauthorization reason attribute may be present in the reauthorization request. Table 16 on page 278
describes the reasons.
Typically, a service provider uses postpaid tariff switching to offer different tariffs to a user during an
active connection; for example, changing a user to a less expensive tariff during off-peak hours.
To handle tariff switches for postpaid connections, the accounting packets log the usage information
during the various tariff switch intervals. The service profile contains a weekly tariff switch plan
detailing the times of day at which tariff changes occur. SSG monitors the usage at every tariff switch
point and records this information in the interim accounting records. The billing server monitors all
accounting interim updates and obtains the information about the volume of traffic sent at each tariff
rate.
Note Tariff switching is not required for time-based billing services. Because the billing server knows the
service login time stamp and logout time stamp, it can calculate the different tariffs that apply during
that time.
SUMMARY STEPS
DETAILED STEPS
Note This is not the same as RADIUS server failover. It clones accounting packets, which are then always
forwarded to each of the configured servers, not only when the primary server fails.
SUMMARY STEPS
DETAILED STEPS
Example:
Router(config)# aaa group server radius BILLING
Step 2 server ip-address auth-port auth-port-number Configures a server in the selected server group.
acct-port acct-port-number
Example:
Router(config)# server 10.10.50.181 auth-port
1812 acct-port 1813
Step 3 aaa group server radius group-name Defines the server group.
Example:
Router(config)# aaa group server radius
HOTSTANDBY
Step 4 server ip-address auth-port auth-port-number Configures a server in the selected server group.
acct-port acct-port-number
Example:
Router(config-sg)# server 10.10.50.180 auth-port
1812 acct-port 1813
Step 5 aaa accounting network accounting-list-name Configures a broadcast accounting network list.
start-stop broadcast group group-name group
group-name • The accounting-list-name argument must be
ssg_broadcast_accounting.
Example:
Router(config)# aaa accounting network
ssg_broadcast_accounting start-stop broadcast
group BILLING group HOTSTANDBY
SSG accounting must be enabled in order for the SSG Prepaid features to be used. SSG accounting is
enabled by default. If it has been disabled, enable it by using the ssg accounting command in global
configuration mode.
• Quotas are measured in seconds for time or bytes for volume. There is no way to change the unit of
measure.
• The volume quota is for combined upstream and downstream traffic.
• Returning quota when the connection is idle is supported only for volume-based connections. It is
not supported for time-based connections.
SUMMARY STEPS
DETAILED STEPS
Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature
To configure support of the SSG Prepaid feature, you must add the following vendor-specific attributes
to RADIUS profiles:
• Service Authorization (Z) attribute
• Prepaid Server (PZS) attribute
• Prepaid Accouting Interval (PZI) attribute
Prerequisites
The SESM Captive Portal feature must be configured on the appropriate port to listen for redirect
requests.
SUMMARY STEPS
1. ssg tcp-redirect
2. server-group group-name
3. server ip-address port
4. Repeat Step 3 to add servers to the captive portal group.
5. end
6. redirect prepaid-user to server-group-name
DETAILED STEPS
Example:
Router(config-ssg-redirect-group)# end
Step 6 redirect prepaid-user to server-group-name Configures a captive portal group for redirection of
prepaid user traffic.
Example: • server-group-name—Name of the captive portal
Router(config-ssg-redirect)# redirect group.
prepaid-user to myserver
SUMMARY STEPS
DETAILED STEPS
Step 1 Enter the show ssg connection command to display information about the host’s connection to the
specified service, including quota information for prepaid connections.
The following output is displayed for a user that has a nonzero volume quota with a nonzero idle timeout:
Router# show ssg connection 172.16.0.0 Internet
Prepaid quota:
Quota Type = ‘Volume’, Quota Value = 11200
Timeout Value = 60
The following output is displayed for a user that has a zero volume quota with zero idle timeout:
Router# show ssg connection 172.16.0.0 Internet
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 0
Timeout Value = 0
The following output is displayed when a user receives a zero time quota with idle timeout:
Router# show ssg connection 172.16.0.0 Internet
Step 2 Enter the show ssg service command to display the redirect group configured for a service:
Router# show ssg service Internet
DNS Server(s):
No Radius server group created. No remote Radius servers.
Prepaid Redirect Service Group = InternetRedirectGroup !
Service-specific redirect group
Domain List:
Active Connections:
1 :RealIP=10.0.0.0, Subscriber=172.18.0.2
Step 3 Enter the show ssg tcp-redirect group command to display the configured redirect server groups. The
output displayed shows two configured redirect groups. The redirect default group called
“DefaultRedirectGroup” is used to redirect prepaid connections when a user runs out of quota, and the
corresponding service is not configured with any service-specific redirect group:
Router# show ssg tcp-redirect group
Step 4 Enter the show running-config command to display the contents of the current running configuration:
Router# show running-config
.
.
.
ssg prepaid reauthorization drop-packet
ssg prepaid threshold volume 2000
ssg prepaid threshold time 10
.
.
.
ssg tcp-redirect
server-group InternetRedirectGroup
server 255.255.255.253 8080
server 255.255.255.100 80
!
server-group DefaultRedirectGroup
server 10.0.0.1 8080
server 10.0.0.20 80
!
redirect prepaid-user to DefaultRedirectGroup
.
.
.
Post-Paid VSA
SSG uses VSA 26 in the service profile to specify the tariff switch points. Table 24 describes the contents
of this VSA.
Subattribute
Attribute ID Vendor ID ID and Type Attribute Name Subattribute Data
26 9 251 post-paid P—Service-Info code for postpaid
Service-Info service.
W—Service-Info code for weekly tariff
switch plan.
weekly time—Weekly tariff switch time
in hh:mm:ss:d format.
• hh = hour of day <0-23>
• mm = minutes <0-59>
• ss = seconds <0-59>
• d = bitmap format for the days of the
week. Each weekday is represented
by one bit, as follows:
– 00000001 = Monday
– 00000010 = Tuesday
– 00000100 = Wednesday
– 00001000 = Thursday
– 00010000 = Friday
– 00100000 = Saturday
– 01000000 = Sunday
SUMMARY STEPS
1. Add the Post-Paid VSA (attribute 26) to the service profile using the parameters listed in Table 24.
DETAILED STEPS
Examples
The following example shows the configuration of the Service Profile Definition to support a daily fee.
The tariff switch will occur each midnight.
SSG Service-Info = "PPW00:00:00:127"
The following example show the configuration of the Service Profile Definition to support an off-peak
tariff in which a tariff switch occurs Monday through Friday at 8:00 p.m.:
SSG Service-Info = "PPW20:00:00:31"
The following example shows the configuration of the Service Profile Definition to support an on-peak
tariff in which a tariff switch occurs Monday through Friday at 6:00 a.m.:
SSG Service-Info = "PPW06:00:00:31"
In the following example, the local profile cisco.com is configured on the router to send an interim
accounting update every 90 seconds:
Router(config)# local-profile cisco.com
Router(config-prof)# attribute 26 9 1 "L90"
The following example show a service profile configured to support a prepaid service:
ExampleProfile Password = "servicecisco", Service-Type = Outbound
Service-Info = "IVideo Jam",
Service-Info = "R10.10.10.0;255.255.255.0",
Service-Info = "D10.10.10.10",
Service-Info = "Omy-video.net",
Service-Info = "MS",
Service-Info = "Z"
The following example shows how to configure a threshold volume value of 2000 bytes:
ssg prepaid threshold volume 2000
The following example shows how to configure SSG to drop traffic during reauthorization:
ssg prepaid reauthorization drop-packet
Additional References
The following sections provide references related to the SSG Accounting feature.
Related Documents
Related Topic Document Title
Configuring SESM Cisco Subscriber Edge Services Manager documentation.
Configuring RADIUS “Configuring RADIUS” chapter in the Cisco IOS Security Configuration Guide,
Release 12.4
Cisco IOS Security Command Reference, Release 12.4
Configuring L2TP Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS Dial Technologies Command Reference, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, containing http://www.cisco.com/public/support/tac/home.shtml
30,000 pages of searchable technical content, including
links to products, technologies, solutions, technical tips,
and tools. Registered Cisco.com users can log in from this
page to access even more content.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
Prerequisites for RADIUS Profiles and Attributes for SSG, page 301
Information About RADIUS Profiles and Attributes for SSG, page 301
Additional References, page 356
Cisco-AVpair Attributes
The Cisco-AVpair attributes are used in user and service profiles to configure ACLs and L2TP
.
Table 27 Cisco AV Pair Attributes
Attribute Description
Downstream Specifies either a Cisco IOS standard access control list or an extended access
Access Control List control list to be applied to downstream traffic going to the user.
(outacl)
Upstream Access Specifies the secret (the password) used for L2TP tunnel authentication.
Control List
Upstream Access Specifies either a Cisco IOS standard access control list or an extended access
Control List (inacl) control list to be applied to upstream traffic coming from the user.
Attribute Description
VPDN IP Address Specifies the IP addresses of the home gateways (LNSes) to receive the L2TP
connections.
VPDN IP Address Specifies the name of the tunnel that must match the tunnel ID specified in the
LNS VPDN group.
The Account-Info attributes are used in user profiles and service group profiles.
User profiles define the password, services, and groups to which the user is subscribed.
Service group profiles contain a list of services and service groups and can be used to create
sophisticated directory structures for locating and logging in to services. When a user is subscribed to a
service group, the user is automatically subscribed to all services and groups within that service group.
A service group profile includes the name of the service group, the password, the service type
(outbound), a list of services, and a list of other service groups.
The following account-info attributes set various parameters for the host in SSG.
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
Group Name
This attribute specifies the service-group Name. This is used in cases where the services are grouped
under one group-name and the user just subscribes to the service-group. this attribute is primarily used
by SESM to display group-name and then the list of services in that group.
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
Service Name
This attribute specifies the name of the service that a host is subscribed to. This is configured in the user
profile and is present in Access-Accept packets and can appear multiple times.
This attribute is also used in Access-Accept packets for Account-Query by SESM to indicate the status
of the user’s connection to a service and includes the elapsed time of the connection and the username
used to logon to that service. It is also used in Access-Accept for Service-Query from SESM.
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
TCP Redirection
This attribute specifies the TCP-redirection configuration for the host. It has three subattributes, one for
SMTP redirection, one for initial captivation and one for periodic advertising captivation. This is
configured in the user profile and is present in the Access-Accept and each subattribute can appear at
most once.
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
SMTP forwarding
g = 'S' indicating user has SMTP forwarding capability
If SMTP forwarding has been enabled on a per-user basis, the presence of this attribute in the user profile
allows SMTP forwarding for that host to the server defined on SSG.
Initial Captivation
g = 'I<group>;<duration>[;<service>]'
This attribute indicates that the user has Initial Captivation capability, and also indicating captive portal
group to use, and duration of the captivation (in seconds). If the optional service field is added then the
captivation will only start once the user has activated the named service.
Advertisement Captivation
g = 'A<group>;<duration>;<frequency>[;<service>]'
This attribute indicates that the user has Advertisement Captivation capability, and also indicating
captive portal group to use, and duration and approximate frequency of the captivation (in seconds). If
the optional service field is added then the captivation will only occur when the user has the named
service active.
Subscriber IP
This attribute identifies the host on SSG. This is present in all Access-Requests from SESM to SSG and
also in all the replies from SSG to SESM. In the normal mode, the IP address is used to identify the host.
In the port-bundle host-key mode, a combination of the IP address and the port-bundle is used.
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
User Cookie
This attribute is used by AAA-server – which is sent transparently by SSG to the aaa-server in all
accounting records. AAA-server initially sends this attribute in the user-profile. In a sense, this is similar
to class attribute (attribute#25)
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f|g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
SESM Namespace
This is used by SESM. It has subattributes that are used to form the complete IDs for host or connections.
This attribute has the following generic format:
Code: 250, $
Len: >12
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f| g | h |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
Host Complete ID
The possible values for the host complete ID are described in Table 29 below.
Note The host name, host IP address and host MSISDN will be sent using the standard RADIUS attributes.
.Connection Complete ID
The connection complete ID attribute has the following format:
Code: 250, $
Len: >12
+-+-+-+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g| h |i|
+-+-+-+-+-+-+-+-+-+-+-+-+-+
Example:
For a connection to "service1" with the username "usernam1", calling-id
"1234567" and real IP 10.10.0.1, the attribute values would be as follows:
The Service-Info VSAs are used for SSG service specific parameters and are configured in the service
profile. These attributes appear in Access-Accept packets for service profile download.
The following Service Info attributes set various parameters for the host in SSG.
Authentication Type
This attribute defines the authentication type – PAP or CHAP - for the proxy and tunnel service.
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
Max Connections
This value of this attribute limits the number of connections to a particular service.
+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f|p| g |
+-+-+-+-+-+-+-+-+-+-+...-+
Attribute Filter
This attribute lists the RADIUS attributes that are to be filtered out from user authentication for the
service (would apply to both proxy RADIUS service and L2TP tunnel service).Currently only attribute
31 (calling station ID) is supported. The attributes listed here are filtered in Access-Request for proxy
service authentication, L2TP tunnel session negotiation and SSG proxy service connection
Accounting-Requests sent to the remote AAA (AAA server specified in the proxy service profile). This
filter has no effect on host accounting requests, prepaid (re)authorization requests and connection
accounting requests to the local AAA server. This attribute can be used when the access provider does
not wish to expose the user’s calling-ID/MSISDN number to services.
+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f|p| g |
+-+-+-+-+-+-+-+-+-+-+...-+
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
Note Service name will be resolved to IP from the next hop table.
Initial URL
This attribute is used by SESM.When the user logs into the service, SESM opens up a page with this
URL.
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
TCP-Redirect Server-Group
This attribute specifies service-specific tcp-redirect server-groups. Currently, it is used only for the
per-service web-proxy server-group.
+-+-+-+-+-+-+-+-+-+-+-+-+....-+
|a|b| c |d|e|f|g| h |
+-+-+-+-+-+-+-+-+-+-+-+-+....-+
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
Service Mode
This attribute specifies the mode of access to a service. If the mode is sequential, a user cannot access
this service if they are already logged on to another service. If the user is logged on to a sequential
service, no other service can be accessed. This attribute can appear almost at once. If this attribute is not
configured in the service profile, the default mode for the service is concurrent.
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
Service Domain
This attribute specifies the domains that are a part of the service. If a user is connected to this service,
all DNS queries to this domain are redirected to the DNS server for this service. This attribute is
configured in the service profile and can appear multiple times.
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
Payment Type
This attribute is used as a code to define further subattributes relating to prepaid and postpaid services.
+-+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|…|
+-+-+-+-+-+-+-+-+-+-+-+
Consequently the value "00011111" (= 31 decimal) defines Monday, Tuesday, Wednesday, Thursday and
Friday.
Example:
SSG Service-Info = "PPW00:00:00:127" - tariff switch time each day a week at midnight to support
daily fee
SSG Service-Info = "PPW20:00:00:31" - tariff switch Monday till Friday at 8:00pm (off peak tariff)
SSG Service-Info = "PPW06:00:00:31" - tariff switch Monday till Friday at 6:00am (on peak tariff)
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+....+-+-+
Destination Network
This attribute specifies the networks that belong to a service. The network can be either an include
network or an exclude network. Users are not allowed to access exclude networks. This is configured in
the service profile and should be present at least once.
+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+...-+
Note Within one RADIUS packet, there may be multiple instances of service-info subattributes for the
destination network.
RADIUS Server
This attribute specifies the RADIUS server to be used for authentication for the service. This is used only
for proxy services. Using multiple instances of this attribute can be used to configure multiple servers.
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f| g |
+-+-+-+-+-+-+-+-+-+-+-+-+...-+
Service Type
This attribute specifies the type of the service. A service can one of ‘Proxy’, ‘Passthrough’ or ‘Tunnel’
type. The default type of a service is ‘Passthrough’ if this attribute is not set in the service profile.
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
Note Note: Currently, only Connection Accounting packet uses this subattribute.
len: >=4
+-+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|g|
+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+
|a|b| c |d|e|f|
+-+-+-+-+-+-+-+-+-+
The following SSG Control Info attributes set various parameters for the host in SSG.
+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f|p| g |
+-+-+-+-+-+-+-+-+-+-+...-+
Note The portlist can be a list of port numbers delimited by ",". "-" can be used to specify a range. For
example, a port list consists of 23, 34, 35, and all the ports that are greater than 3000 can be specified as
"23,34-35,3001-".
+-+-+-+-+-+-+-+-+-+-+...-+-+...-+
|a|b| c |d|e|f|p| g | h |
+-+-+-+-+-+-+-+-+-+-+...-+-+...-+
Note The portlist can be a list of port numbers delimited by ",". "-" can be used to specify a range. For
example, a port list consists of 23, 34, 35, and all the ports that are greater than 3000 can be specified as
"23,34-35,3001-". The flag is either 'D' for deny or 'P' for permit.
+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f|p| g |
+-+-+-+-+-+-+-+-+-+-+...-+
+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f|p| g |
+-+-+-+-+-+-+-+-+-+-+...-+
+-+-+-+-+-+-+-+-+-+-+...-+
|a|b| c |d|e|f|p| g |
+-+-+-+-+-+-+-+-+-+-+...-+
Subscriber Profiles
RADIUS subscriber profiles contain a password, a list of subscribed services and groups, and access
control lists.
Table 33 describes attributes that appear in RADIUS user profiles.
Attribute Description
Cisco AV Pair Attributes
Downstream Access Control List (outacl) Specifies either a Cisco IOS standard access
control list or an extended access control list to be
applied to downstream traffic going to the user.
Upstream Access Control List (inacl) Specifies either a Cisco IOS standard access
control list or an extended access control list to be
applied to upstream traffic coming from the user.
Account-Info Attributes
Auto Service (Reply attribute) Automatically logs a user in to a
service when the user logs in to SSG.
Home URL (Optional) The URL for the user’s preferred
Internet home page.
Service Group (Reply attribute) Subscribes the user to a service
group. Multiple instances of this attribute can
occur within a single user profile. Use one
attribute for each service group to which the user
is subscribed.
Service Name (Reply attribute) Subscribes the user to a service.
There can be multiple instances of this attribute
within a single user profile. Use one attribute for
each service to which the user is subscribed.
Standard Attributes1
Framed-IP-Netmask Indicates the IP net mask to be configured for the
user when the user is a router to a network. This
attribute value results in the adding of a static
route for Framed-IP-Address with the mask
specified.
Idle-Timeout (Reply attribute) Specifies, in seconds, the
maximum length of time for which a connection
can remain idle.
Password (Check attribute) Specifies the user’s password.
Session-Timeout (Reply attribute) Specifies, in seconds, the
maximum length of the user’s session.
1. Standard attributes are described in detail in RFC 2138.
The Downstream Access Control List attribute specifies either a Cisco IOS standard access control list
or an extended access control list to be applied to downstream traffic going to the user.
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list |
extended-access-control-list}"
Syntax Description
Example
Cisco-AVpair = "ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Downstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. Multiple attributes can be used
for the same ACL. Multiple attributes are downloaded according to the number specified and are
executed in that order.
The Upstream Access Control List attribute specifies either a Cisco IOS standard access control list or
an extended access control list to be applied to upstream traffic coming from the user.
Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list |
extended-access-control-list}"
Syntax Description
Example
Cisco-AVpair = "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Upstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. Multiple attributes can be used
for the same ACL. Multiple attributes are downloaded according to the number specified and
executed in that order.
Auto Service
The Auto Service attribute subscribes the user to a service and automatically logs the user in to the
service when the user accesses SESM. A user profile can have more than one Auto Service attribute.
Account-Info = "Aservicename[;username;password]"
Syntax Description
Example
Account-Info = “Afictiousname.net;jdoe;secret"
Home URL
The Home URL attribute specifies the URL for the user’s preferred Internet home page. This attribute is
optional.
Account-Info = "Hurl"
or
Account-Info = "Uurl"
Syntax Description
url A fully qualified URL for the user’s preferred Internet home page.
Usage
If the SESM web application is designed to use HTML frames, the Home URL attribute also specifies
whether the home page is displayed in a new browser window or in a frame in the current (SESM)
window, as follows:
• Hurl—URL for the home page displayed in a frame in the SESM browser window.
• Uurl—URL for the home page displayed in its own browser window.
Note In a frameless application, both H and U cause a new browser window to open for the home page. The
New World Service Provider (NWSP) application is a frameless application.
Example
Account-Info = "Uhttp://www.fictiousname.com"
Service Group
In user profiles, the Service Group attribute subscribes a user to a service group. In service group
profiles, this attribute lists the service subgroups that belong to the service group.
Account-Info = "Gname"
Syntax Description
Example
Account-Info = "GServiceGroup1"
Note Multiple instances of this attribute can occur within a user or service-group profile. Use one
attribute for each service subgroup.
Service Name
In user profiles, the Service Name attribute subscribes the user to the specified service. In service-group
profiles, this attribute lists services that belong to the service group.
Account-Info = "Nname"
Syntax Description
Note Multiple instances of this attribute can occur within a user or service profile. Use one attribute
for each service.
Service Profiles
Service profiles define the services that subscribers can select. Each service that is accessible has a
profile that defines the attributes of the service. Service profiles are configured on the RADIUS server
or directly on SSG. The RADIUS server or SESM downloads the service profiles to SSG as needed.
Service profiles include the following information: password, service type (outbound), type of service
(passthrough or proxy), service access mode (sequential or concurrent), DNS server IP address,
networks that exist in the service domain, access control lists, and timeouts. The following sections
describe the attributes included in RADIUS service profiles.
Specifies either an IOS standard access control list or an extended access control list to be applied to
downstream traffic going to the user.
Cisco-AVpair = “ip:outacl [#number]={standard-access-control-list |
extended-access-control-list}”
Syntax Description
Example
Cisco-AVpair = "ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Downstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. Multiple attributes can be used
for the same ACL. Multiple attributes are downloaded according to the number specified and are
executed in that order.
Specifies either an IOS standard access control list or an extended access control list to be applied to
upstream traffic coming from the user.
Cisco-AVpair = “ip:inacl[#number]={standard-access-control-list |
extended-access-control-list}”
Syntax Description
Example
Cisco-AVpair = "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Upstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. Multiple attributes can be used
for the same ACL. Multiple attributes are downloaded according to the number specified and are
executed in that order.
Specifies the secret (the password) used for the L2TP tunnelauthentication.
Cisco-AVpair = "vpdn:tunnel-password=secret"
Syntax Description
VPDN IP Address
Specifies the IP addresses of the home gateways (LNSes) to receive the L2TP connections.
Cisco-AVpair =
"vpdn:ip-addresses=address1[<delimiter>address2][<delimiter>address3]..."
Syntax Description
In the following example, the LAC sends the first PPP session through a tunnel to 10.1.1.1, the second
PPP session to 10.2.2.2, and the third to 10.3.3.3. The fourth PPP session is sent through the tunnel to
10.1.1.1, and so forth. If the LAC fails to establish a tunnel with any of the IP addresses in the first group,
then it attempts to connect to those in the second group (10.4.4.4 and 10.5.5.5).
VPDN Tunnel ID
Specifies the name of the tunnel that must match the tunnel ID specified in the LNS VPDN group.
Cisco-AVpair = "vpdn:tunnel-id=name"
Syntax Description
Specifies the number of seconds for the hello keepalive interval. Hello packets are sent when no data has
been sent on a tunnel for the number of seconds configured here.
Cisco-AVpair = "vpdn:l2tp-hello-interval=interval"
Syntax Description
attribute filter
Some services require the MSISDN to be hidden from the service provider. To support this capability,
you can add an attribute filter to the service profile. You can specify the attributes to be filtered from
authentication and accounting records sent to the remote AAA server.
The SSG Service-Info VSA lists the RADIUS attributes to filter from user authentication for the service;
this capability applies to both proxy RADIUS service and L2TP tunnel service. At present you can only
filter attribute 31 (Calling Station ID).
The Calling Station ID is filtered only from connection authentication for proxy and L2TP tunnel
services and for connection accounting records sent to the remote AAA server.
Table 34 shows the format of the Service-Info VSA needed to enable attribute filtering.
Table 35 lists the attributes used for service logon with and without the MSISDN and with MSISDN
filter set to F31.
Table 35 Service Logon Comparison (With MSISDN, Without MSISDN, and With MSISDN
Filter)
Connection Connection
Service Connection Accounting to Accounting to Prepaid Prepaid
Logon Authentication1 Local AAA Remote AAA2 (Re)authorization Accounting
Without Host Calling ID Host Calling ID Host Calling ID Host Calling ID Host Calling ID
MSISDN
You can use the show ssg connection command to display the attributes that are being filtered.
(Optional) Specifies the primary and/or secondary DNS servers for this service.
If two servers are specified, SSG can send DNS requests to the primary DNS server until performance
is diminished or it fails (failover).
Service-Info = "Dip_address_1[;ip_address_2]"
Syntax Description
Example
Service-Info = "D192.168.1.2;192.168.1.3"
Domain Name
(Optional) Specifies domain names that get DNS resolution from the DNS servers specified by the DNS
server address.
Service-Info = “Oname1[;name2]...[;nameX]”
Syntax Description
name1 Domain name that gets DNS resolution from this server.
name2...X (Optional) Additional domain names that get DNS resolution from this
server.
Usage
Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS
server.
Example
Service-Info = "Ocisco.com;cisco-sales.com"
Note Multiple instances of the Domain Name attribute can occur within a single service profile.
Full Username
Indicates that RADIUS authentication and accounting requests use the full username (user@service).
This attribute is supported by SSG with SSD or SESM in RADIUS mode.
Service-Info = “X”
The size of the full username is limited to the smaller of the following values:
• 246 bytes (10 bytes less than the standard RADIUS protocol limitation)
• 10 bytes less than the maximum size of the RADIUS attribute supported by your proxy
MTU Size
Specifies the PPP MTU size of SSG as a LAC. By default, the PPP MTU size is 1500 bytes.
Service-Info = "Bsize"
Note SESM in LDAP mode does not support the use of this attribute.
Syntax Description
RADIUS Server
(Required for proxy services.) Specifies the remote RADIUS servers that SSG uses to authenticate,
authorize, and perform accounting for a service logon for a proxy service type. This attribute is only used
in proxy service profiles and is required.
You can configure each remote RADIUS server with timeout and retransmission parameters. SSG will
perform failover among the servers.
Service-Info =
“SRadius-server-address;auth-port;acct-port;secret-key[;retrans;timeout;deadtime]”
Syntax Description
Example
Service-Info = "S192.168.1.1;1645;1646;cisco"
Specifies whether SSG uses the CHAP or PAP protocol to authenticate users for proxy services.
Service-Info = "Aauthen-type"
Syntax Description
Example
Service-Info = "AC"
Service-Defined Cookie
Enables you to include user-defined information in RADIUS authentication and accounting requests.
This attribute is supported by SSG with SSD or SESM in RADIUS mode.
Service-Info = “Vstring”
Syntax Description
string Information that you choose to include in the RADIUS authentication and
accounting requests.
The size of the user-defined string is limited to the smaller of the following values:
• 246 bytes (10 bytes less than the standard RADIUS protocol limitation)
• 10 bytes less than the maximum size of the RADIUS attribute supported by
your proxy
Note • SSG does not parse or interpret the value of the Service-Defined Cookie. You must configure the
proxy RADIUS server to interpret this attribute.
• SSG supports only one Service-Defined Cookie per RADIUS service profile.
Service Description
Syntax Description
Example
Service-Info = "ICompany Intranet Access"
Service Mode
(Optional) Defines whether the user is able to log on to this service while simultaneously connected to
other services (concurrent mode) or whether the user cannot access any other services while using this
service (sequential mode). The default is concurrent mode.
Service-Info = “Mmode”
Syntax Description
Example
Service-Info = "MS"
(Optional) Specifies the next-hop key for this service. Each SSG uses its own next-hop gateway table to
associate this key with an actual IP address.
Service-Info = “Gkey”
Syntax Description
Example
Service-Info = "Gnexthop1"
Service Route
Syntax Description
ip_address IP address.
mask Subnet mask.
Usage
Use the Service Route attribute to specify networks that exist for a service.
Example
Service-Info = "R192.168.1.128;255.255.255.192"
Note There can be multiple instances of the Service Route attribute within a single service profile.
Service URL
(Optional) Specifies the URL that is displayed in the SESM HTTP address field when the service opens.
Service-Info = “Hurl”
or
Service-Info = “Uurl”
If the SESM web application is designed to use HTML frames, this attribute also specifies whether the
service is displayed in a new browser window or in a frame in the current (SESM) window, as follows:
• Hurl—URL for a service displayed in a frame in the SESM browser window.
• Uurl—URL for a service displayed in its own browser window.
Note In a frameless application, both H and U cause a new browser window to open for the service. The
NWSP application is a frameless application.
Example
Service-Info = "Uhttp://www.fictiousname.com"
Type of Service
Syntax Description
type P—Pass-through. Indicates that the user’s packets are forwarded through
the SSG. This is the default.
T—Tunnel. Indicates that this is a tunneled service.
X—Proxy. Indicates that the SSG performs proxy service.
Attribute Description
Account-Info Attributes
Group Description Provides a description of the service group.
Service Group (Reply attribute) Lists services that belong to the service group.
Multiple instances of this attribute can occur within a single user profile.
Use one attribute for each service.
Service Name Lists the service subgroups that belong to the service group. When
configured, the service-group and service-name attributes can define an
organized directory structure for accessing services.
There can be multiple instances of this attribute within a service-group
profile. Use one attribute for each service subgroup that belongs to this
service group.
Standard Attributes1
Password (Check attribute) Specifies the password.
Service-Type (Check attribute) Specifies the level of service. Must be “outbound.”
1. Standard attributes are described in detail in RFC 2138.
Group Description
Describes the service group to SESM. If this attribute is omitted, the service group profile name is used.
Account-Info = "Idescription"
Syntax Description
Example
Account-Info = "ICompany Intranet Access"
Service Group
In user profiles, the Service Group attribute subscribes a user to a service group. In service group
profiles, this attribute lists the service subgroups that belong to the service group.
Account-Info = "Gname"
Syntax Description
Example
Account-Info = "GServiceGroup1"
Note Multiple instances of the Service Group attribute can occur within a user or service-group
profile. Use one attribute for each service subgroup.
Service Name
In user profiles, the Service Name attribute subscribes the user to the specified service. In service-group
profiles, this attribute lists services that belong to the service group.
Account-Info = "Nname"
Syntax Description
Example
Account-Info = "Ncisco.com"
Note Multiple instances of the Service Name attribute can occur within a user or service profile. Use
one attribute for each service.
Pseudo-Service Profiles
Pseudo-service profiles are used to define variable-length tables or lists of information in the form of
services. There are currently two types of pseudo-service profiles: Transparent Pass-Through Filter and
Next-Hop Gateway. The following sections describe both profiles.
Transparent pass-through is designed to allow unauthenticated traffic (users or network devices that have
not logged in to the SSG through SESM) to be routed through normal Cisco IOS processing.
Table 37 lists the Cisco AVPair attributes that appear within transparent pass-through filter
pseudo-service profiles. The Cisco-AVpair attributes are used to configure ACLs.
Attribute Description
Downstream Access Control List Specifies either a Cisco IOS standard access control list or an
(outacl) extended access control list to be applied to downstream traffic
going to the user.
Upstream Access Control List Specifies either a Cisco IOS standard access control list or an
(inacl) extended access control list to be applied to upstream traffic
coming from the user.
Syntax Description
Example
Cisco-AVpair = "ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Downstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. Multiple attributes can be used
for the same ACL. Multiple attributes are downloaded according to the number specified and are
executed in that order.
Syntax Description
Example
Cisco-AVpair = "ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"
Note Multiple instances of the Upstream Access Control List attribute can occur within a single
profile. Use one attribute for each access control list statement. Multiple attributes can be used
for the same ACL. Multiple attributes are downloaded according to the number specified and are
executed in that order.
The Transparent Pass-Through Filter pseudo-service profile allows or denies access to IP addresses and
ports accessed through the transparent pass-through feature.
To define what traffic can pass through, SSG downloads the Transparent Pass-Through Filter
pseudo-service profile. This profile contains a list of ACL attributes. Each item contains an IP address
or range of IP addresses and a list of port numbers and specifies whether traffic is allowed or denied.
To create a filter for transparent pass-through, create a profile that contains ACL attributes that define
what can and cannot be accessed.
Because multiple SSGs might access services from different networks, each service profile can specify
a next-hop key, which is any string identifier, rather than an actual IP address. For each SSG to determine
the IP address of the next hop, each SSG downloads its own next-hop gateway table, which associates
keys with IP addresses. Table 38 describes the attribute that can be used in Next-Hop Gateway
pseudo-service profiles.
Attribute Usage
Next-Hop Gateway Table Entry Associates next-hop gateway keys with IP addresses.
Note The Next-Hop Gateway Table Entry attribute is used only in Next-Hop Gateway pseudo-service profiles
and should not appear in service profiles or user profiles.
Syntax Description
key Service name or key specified in the Next-Hop Gateway service profile.
ip_address IP address of the next hop for this service.
Usage
Use this attribute to create a next-hop gateway table for the selected SSG.
To define the IP address of the next hop for each service, SSG downloads a special service profile that
associates the next-hop gateway key for each service with an IP address.
To create a next-hop gateway table, create a service profile and give it any name. Use this attribute to
associate service keys with their IP addresses. When you have finished, repeat this process for each SSG.
Example
Control-Info = "GNHT_for_SSG_1;192.168.1.128"
To create a next-hop gateway table, create a profile and give it any name. Use the Next-Hop Gateway
Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this
process for each SSG if the next-hop IP addresses are different.
The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS
server:
bert Password = "ernie"
Session-Timeout = 21600,
Account-Info = "GServiceGroup1",
Account-Info = "Nservice1.com",
Account-Info = "Ngamers.net"
The following is the same profile as above, formatted for CiscoSecure ACS for UNIX:
user = bert {
radius = SSG {
check_items = {
2 = "ernie"
}
reply_attributes = {
27 = 21600
9,250 = "GServiceGroup1”
9,250 = "Nservice1.com"
9,250 = "Ngamers.net"
Service Profile Formatted for use with a Freeware RADIUS Server: Example
The following is a service profile formatted for use with a freeware RADIUS server:
service1.com Password = "cisco", Service-Type = outbound,
Idle-Timeout = 1800,
Service-Info = "R192.168.1.128;255.255.255.192",
Service-Info = "R192.168.2.0;255.255.255.192",
Service-Info = "R192.168.3.0;255.255.255.0",
Service-Info = "Gservice1",
Service-Info = "D192.168.2.81",
Service-Info = "MC",
Service-Info = "TP",
Service-Info = "ICompany Intranet Access",
Service-Info = "Oservice1.com"
Service Profile Formatted for use with a Freeware RADIUS Server Formatted for CiscoSecure ACS for UNIX:
Example
The following is the same profile as above, formatted for CiscoSecure ACS for UNIX:
user = service1.com {
radius = SSG {
check_items = {
2 = "cisco"
6 = 5
}
reply_attributes = {
28 = 1800
9,251 = "R192.168.1.128;255.255.255.192"
9,251 = "R192.168.2.0;255.255.255.192"
9,251 = "R192.168.3.0;255.255.255.0"
9,251 = "Gservice1"
9,251 = "D192.168.2.81"
9,251 = "MC"
9,251 = "TP"
9,251 = "ICompany Intranet Access"
9,251 = “Oservice1.com”
}
Service Group Profile Formatted for use with a Freeware RADIUS Server: Example
The following is an example of a service group profile. The profile is formatted for use with a freeware
RADIUS server:
ServiceGroup1 Password = "cisco", Service-Type = outbound,
Account-Info = "Nservice1.com",
Account-Info = "Ngamers.net",
Account-Info = "GServiceGroup3",
Account-Info = "GServiceGroup4",
Account-Info = "IStandard User Services"
Service Group Profile Formatted for use with a Freeware RADIUS Server Formatted for CiscoSecure ACS for UNIX:
Example
The following is the same service-group profile, formatted for CiscoSecure ACS for UNIX:
user = ServiceGroup1 {
radius = SSG {
check_items = {
2 = "cisco"
6 = 5
reply_attributes = {
9,250 = "Nservice1.com"
9,250 = "Ngamers.net"
9,250 = "GServiceGroup3"
9,250 = "GServiceGroup4"
The following is the same profile as above, formatted for CiscoSecure ACS for UNIX:
user = ssg-filter {
radius = SSG {
check_items = {
2 = "cisco"
6 = 5
reply_attributes = {
9,1 = "ip:inacl#3=deny tcp 192.168.1.0 0.0.0.255 any eq 21",
9,1 = "ip:inacl#7=permit ip any any"
}
}
}
The following is the same Next-Hop Gateway pseudo-service profile, formatted for CiscoSecure ACS
for UNIX:
user = nht1{
radius= SSG {
check_items= {
2=cisco
6=5
}
reply_attributes= {
9,253="Gservice3;192.168.103.3"
9,253="Gservice2;192.168.103.2"
9,253="Gservice1;192.168.103.1"
9,253="GLabservices;192.168.4.2"
9,253="GWorldwide_Gaming;192.168.4.2"
}
}
Note This section applies if you are using SSG with SSD or SESM in RADIUS or LDAP mode.
This section describes events that generate RADIUS accounting records and the attributes associated
with the accounting records sent from SSG to the accounting server.
Account Logon
When a user logs in, SSG sends a RADIUS accounting request on behalf of the user to the accounting
server. The following example shows the information contained in the RADIUS accounting-request
record:
Acct-Status-Type = Start
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip
Proxy-State = "n"
Attribute Description
Acct-Status-Type Indicates whether this Accounting-Request marks the beginning of
the user service (start) or the end (stop).
NAS-IP-Address IP address of SSG.
User-Name Name used to log on to the service provider network.
Acct-Session-Id Session number.
Framed-IP-Address IP address of the user’s system.
Proxy-State Accounting record queuing information (has no effect on account
billing).
Account Logoff
When a user logs out, the SSG sends a RADIUS accounting request on behalf of the user to the
accounting server. The following example shows the information contained in the RADIUS
accounting-request record:
Acct-Status-Type = Stop
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Time = time
Acct-Terminate-Cause = cause
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip
Proxy-State = "n"
Attribute Description
Acct-Status-Type Indicates whether this Accounting-Request marks the beginning of
the user service (start) or the end (stop).
NAS-IP-Address IP address of SSG.
User-Name Name used to log on to the service provider network.
Acct-Session-Time Length of session, in seconds.
Acct-Terminate-Cause Cause of account termination:
• User-Request
• Session-Timeout
• Idle-Timeout
• Lost-Carrier
Acct-Session-Id Session number.
Framed-IP-Address IP address of the user’s system.
Proxy-State Accounting record queuing information (has no effect on account
billing).
Connection Start
When a user accesses a service, SSG sends a RADIUS Accounting-Request to the accounting server. The
following example shows the information contained in the RADIUS Accounting-Request record:
NAS-IP-Address = 172.16.6.1
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "username"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "00000010"
Framed-Protocol = PPP
Service-Info = "Nisp-name.com"
Service-Info = "Uusername"
Service-Info = "TP"
Acct-Delay-Time = 0
Attribute Description
NAS-IP-Address IP address of SSG.
NAS-Port Physical port number of the network access server that is
authenticating the user.
NAS-Port-Type Type of physical port that the network access server is using to
authenticate the user.
User-Name Name used to log on to the service provider network.
Acct-Status-Type Indicates whether this Accounting-Request marks the beginning of
the user service (start) or the end (stop).
Acct-Authentic Indicates how the user was authenticated, whether by RADIUS, the
network access server itself, or another remote authentication
protocol.
Service-Type Indicates the type of service requested or the type of service to be
provided. PPP and SLIP connections use the service type “Framed”.
Acct-Session-Id Session number.
Framed-Protocol Indicates the framing to be used for framed access.
Service-Info “Nname”. Name of the service profile.
Service-Info “Uname”. Username used to authenticate the user with the remote
RADIUS server. This attribute is used for proxy services.
Service-Info “Ttype”. Indicates whether the connection is proxy, tunnel, or
pass-through.
• P—Pass-through (usually the Internet)
• T—Tunnel
• X—Proxy
Acct-Delay-Time Indicates for how many seconds the client has been trying to send a
particular record.
Connection Stop
When a user terminates a service, SSG sends a RADIUS Accounting-Request to the accounting server.
The following example shows the information contained in the RADIUS Accounting-Request record:
NAS-IP-Address = 192.168.2.48
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "zeus"
Acct-Status-Type = Stop
Service-Type = Framed-User
Acct-Session-Id = "00000002"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 84
Acct-Input-Octets = 0
Acct-Output-Octets = 649
Acct-Input-Packets = 0
Acct-Output-Packets = 17
Framed-Protocol = PPP
Framed-IP-Address = 201.168.101.10
Control-Info = "I0;0"
Control-Info = "O0;649"
Service-Info = "Ninternet"
Service-Info = "Uzeus"
Service-Info = "TP"
Acct-Delay-Time = 0
Attribute Description
NAS-IP-Address IP address of SSG.
NAS-Port Physical port number of the network access server that is
authenticating the user.
NAS-Port-Type Type of physical port that the network access server is using to
authenticate the user.
User-Name Name used to log on to the service provider network.
Acct-Status-Type Indicates whether this Accounting-Request marks the beginning of
the user service (start) or the end (stop).
Service-Type Indicates the type of service requested or the type of service to be
provided. PPP and SLIP connections use the service type “Framed”.
Acct-Session-Id Session number.
Acct-Terminate-Cause Cause of service termination:
• User-Request
• Lost-Carrier
• Lost-Service
• Session-Timeout
• Idle-Timeout
Acct-Session-Time Indicates for how long, in seconds, the user has been receiving
service.
Acct-Input-Octets Number of octets that have been received from the port over the
course of providing a service.
Acct-Output-Octets Number of octets that have been sent to the port in the course of
delivering a service.
Acct-Input-Packets Number of octets that have been received from the port over the
course of providing a service to a framed user.
Acct-Output-Packets Number of octets that have been sent to the port in the course of
delivering a service to a framed user.
Framed-Protocol Indicates the framing to be used for framed access.
Framed-IP-Address IP address of the user’s system.
Control-Info “Irollover;value”. Number of times the 32-bit integer rolls over and
the value of the integer when it overflows for inbound data.
Attribute Description
Control-Info “Orollover;value”. Number of times the 32-bit integer rolls over
and the value of the integer when it overflows for outbound data.
Service-Info “Nname”. Name of the service profile.
Service-Info “Uname”. Username used to authenticate the user with the remote
RADIUS server. This attribute is used for proxy services.
Service-Info “Ttype”. Indicates whether the connection is proxy, tunnel, or
pass-through.
• P—Pass-through (usually the Internet)
• T—Tunnel
• X—Proxy
Acct-Delay-Time Indicates for how many seconds the client has been trying to send a
particular record.
Service User
The Service User attribute provides the username used by the SESM user to log on to the service and
presented for authentication with the home gateway.
Service-Info = "Uusername"
Syntax Description
Example
Service-Info = "Ujoe@cisco.com"
Note The Service User attribute is used only for accounting purposes and does not appear in profiles.
Service Name
Syntax Description
name Name of the service profile or service that belongs to a service group.
Example
Service-Info = "Nservice1.com"
Note The Service Name attribute is used only for accounting purposes and does not appear in profiles.
Octets Output
Current RADIUS standards support the counting of up to only 32 bits of information with the
ACCT-Output-Octets attribute. Standards such as ADSL have much higher throughput.
In order for the accounting server to keep track of and bill for usage, SSG uses the Octets Output
attribute.
The Octets Output attribute keeps track of how many times the 32-bit integer rolls over and the value of
the integer when it overflows for outbound data.
Control-Info = "Orollover;value"
Syntax Description
Usage
Use the Octets Output attribute to keep accurate track of and bill for usage. To calculate the actual
number of bytes of data represented by the Octets Output values, use the following formula:
rollover * 232 + value
Example
In the following example, rollover is 2 and value is 153 (2 * 232 + 153 = 8589934745):
Control-Info = "O2;153"
Note The Octets Output attribute is used only for accounting purposes and does not appear in profiles.
Octets Input
Current RADIUS standards support the counting of up to only 32 bits of information with the
ACCT-Input-Octets attribute. Standards such as ADSL have much higher throughput.
In order for the accounting server to keep track of and bill for usage, SSG uses the Octets Input attribute.
The Octets Input attribute keeps track of how many times the 32-bit integer rolls over and the value of
the integer when it overflows for inbound data.
Control-Info = "Irollover;value"
Syntax Description
Usage
Use the Octets Input attribute to keep accurate track of and bill for usage. To calculate the actual number
of bytes of data represented by the Octets Input values, use the following formula:
rollover * 232 + value
Example
In the following example, rollover is 3 and value is 151 (3 * 232 + 151 = 12884902039):
Control-Info = "I3;151"
Note The Octets Input attribute is used only for accounting purposes and does not appear in profiles.
Class Attribute
The class attribute is an arbitrary value that the network access server includes in all accounting packets
for this user if supplied by the RADIUS server.
The Full Username RADIUS attribute allows SSG to include the user’s full username and domain
(user@service) in the RADIUS authentication and accounting requests.
Acct-Session Id
A unique accounting identifier that makes it easy to match start and stop records in a log file.
Acct-session ID numbers restart at 1 each time the router is power cycled or the software is reloaded.
When a RADIUS client (GGSN) sends the 3GPP attributes (IMSI, ChargingID and SGSN address) in
sending Access Request Packet, SSG caches these attributes in this host’s proxy logon attributes. When
accounting records (start/interim/stop) are sent for this user (host/service accounting records) these
3GPP attributes will be sent.
Octets8 7 6 5 4 3 2 1
1 Type = 26
2 Length = n
3 Vendor id octet 1
4 Vendor id octet 2
5 Vendor id octet 3
6 Vendor id octet 4
7-n String
where n> = 7
These attributes must also be included, if available, in authorization requests (that is for pre-paid
authorization) and remote authentication requests (authentication of the user at a remote AAA sever for
proxy service).
NAS-Port in Authentications
When a user accesses a service, SSG sends a RADIUS Accounting-Request to the accounting server. The
RADIUS Accounting-Request record contains attributes to define the Network Access Server. The
NAS-Port attributes are described in Table 43.
Attribute Description
NAS-Port Physical port number of the network access server that is
authenticating the user. The NAS-Port value (32 bits) consists of
one or two 16-bit values (depending on the setting of the
radius-server extended-portnames command. Each 16-bit
number should be viewed as a 5-digit decimal integer for
interpretation as follows:
• For asynchronous terminal lines, async network interfaces, and
virtual async interfaces, the value is 00ttt where ttt is the line
number or async interface unit number.
• For ordinary synchronous network interface, the value is
10xxx.
• For channels on a primary rate ISDN interface, the value is
2ppcc.
• For channels on a basic rate ISDN interface, the value is 3bb0c.
• For other types of interfaces, the value is 6nnss.
NAS-Port-Type Type of physical port that the network access server is using to
authenticate the user. Physical ports are indicated by a numeric
value as follows:
0: Asynchronous
1: Synchronous
2: ISDN-Synchronous
3: ISDN-Asynchronous (V.120)
4:ISDN-Asynchronous (V.110)
5: Virtual
Additional References
The following sections provide references related to RADIUS Profiles and Attributes for SSG.
Related Documents
Related Topic Document Title
SSG commands Cisco IOS Service Selection Gateway Command Reference,
Release 12.4
SESM Cisco Subscriber Edge Services Manager documentation.
RADIUS commands Cisco IOS Security Command Reference, Release 12.4
RADIUS configuration tasks “Configuring RADIUS” chapter in the Cisco IOS Security
Configuration Guide, Release 12.4
Configuring L2TP Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Cisco IOS Dial Technologies Command Reference, Release 12.4
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log on from this page to access
even more content.
Note Table 44 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 44 Feature Information for RADIUS Profiles and Attributes for SSG