Table of Contents

Overview

Benefits

Restrictions
Prerequisites
Configuring Features

Enabling SSG

Verifying that SSG is Enabled

Configuring Local Service Profiles

Verifying Local Service Profiles

Configuring Security

Verifying Security

Configuring a Default Network

Verifying the Default Network

Configuring Interfaces

Verifying Interfaces

Configuring Services

Verifying Services

Configuring Fastswitching

Verifying Fastswitching

Configuring Multicast

Verifying Multicast

Configuring RADIUS Interim Accounting

Verifying Interim Accounting

Configuring Cisco Express Forwarding

Verifying Cisco Express Forwarding

Configuring IOS Network Address Translation

Verifying IOS Network Address Translation

Configuring VPI/VCI Indexing to Service Profile

Verifying VPI/VCI Indexing to Service Profile
Monitoring VPI/VCI Indexing to Service Profile

Configuring the Proxy RADIUS Enhancements

Example: Proxy RADIUS Enhancements
Verifying the Proxy RADIUS Enhancements

Configuring L2TP

Configuring the NRP as a LAC
Configuring the RADIUS Profiles for SSG Support of L2TP
Configuring the LNS
L2TP Example
Monitoring L2TP

Configuring Local Forwarding

Example: Local Forwarding
Verifying Local Forwarding

Configuring an Open Garden

Creating a Local Profile for an Open Garden
Adding the Local Profile to the Open Garden List
Verifying the Open Garden Configuration

Configuring HTTP Redirection

Defining a Captive Portal Group
Adding a TCP Port to the Portal Group
Setting a Default Redirection Group
Verifying the HTTP Redirection

Configuring RADIUS Profiles

SSG Vendor-Specific Attributes

Cisco-AVpair Attributes
Account-Info Attributes
Service-Info Attributes
Control-Info Attributes

User Profiles

Cisco AVPair Attributes
User Profile Attributes
Example User Profile

Service Profiles

Cisco-AVPair Attributes
Standard Service Profile Attributes
SSG Specific Service Profile Attributes
Example Service Profile

Service Group Profiles

Example Service Group Profile

Pseudo-Service Profiles

Transparent Passthrough Filter Pseudo-Service Profile
Next Hop Gateway Pseudo-Service Profile

RADIUS Accounting Records

Account Logon
Account Logoff
Connection Start
Connection Stop
Attributes Used in Accounting Records

Service User
Service Name
Octets Output
Octets Input

Configuration Example

Security
Default Network
Interfaces
Services
Service Search Order
Next-Hop Table
Max Services
Local Service Profile
Transparent Passthrough Filter
Redundancy
Fastswitching
Multicast
RADIUS Interim Accounting
CEF
IOS NAT
Service Name to VC Mapping

Monitoring and Troubleshooting SSG

RADIUS

Service Selection Gateway

This chapter describes the Service Selection Gateway (SSG) features supported in Cisco IOS Release 12.1(5)DB/DC and the RADIUS profiles, vendor-specific attributes and accounting records used with the SSG features. This chapter contains the following sections:

• Overview

• Restrictions

• Prerequisites

• Configuring Features

• Configuring RADIUS Profiles

• RADIUS Accounting Records

• Configuration Example

• Monitoring and Troubleshooting SSG

Overview

Introduced in Cisco IOS Release 12.0(3)DC, the SSG feature is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as xDSL, cable modems, or wireless to allow simultaneous access to network services. The SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD). The Cisco SSD is a customizable web-based application that allows users to select from multiple passthrough and proxy services through a standard web browser.

Figure 4-1 shows a diagram of a typical network topology including the SSG. This is an end-to-end, service-oriented DSL deployment consisting of Digital Subscriber Line Access Multiplexers (DSLAMs), ADSL modems, and other internetworking components and servers. The SSG resides in the Cisco 6400 universal access concentrator, which acts as a central control point for Layer 2 and Layer 3 services. This can include services available through Asynchronous Transfer Mode (ATM) virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.

The SSG communicates with the authentication, authorization, and accounting (AAA) management network where Remote Access Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.

• If the user is not valid, the AAA server sends an Access-Reject message.

• If the user is valid, the AAA server sends an Access-Accept message with information specific to the user's profile about which services the user is authorized to use. The SSG logs the user in, creates a host object in memory, and sends the response to the Cisco SSD.

Note that when a non-Point-to-Point Protocol (non-PPP) user, such as in a bridged-networking environment, disconnects from a service without logging off, the connection remains open and the user can reaccess the service without going through the log in procedure. This is because no direct connection (PPP) exists between the subscribers and the SSG. To prevent non-PPP users from being logged in to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.

---

Note   The Cisco SSD functionality described throughout this document is available only with the SSG with Web Selection product.

---

---

Note   As of Cisco IOS Release 12.1(5)DC, a service object stays in the system after all users log off. The same service object is reused when a user logs on to the service again. The administrator can remove the service object by using the clear ssg service service name command if the administrator knows that the service is obsolete.

---

Benefits

Web-Based Dashboard

The SSG with Web Selection works with the Cisco SSD, a specialized web server that allows users to log in to and disconnect from multiple passthrough and proxy services through a standard web browser.

After the user opens a web browser, the SSG allows access to a single IP address or subnet, referred to as the "default network." This is typically the IP address of the Cisco SSD. The Cisco SSD prompts the user for a username and password. After the user is authenticated, the Cisco SSD presents a list of available services.

The SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).

• Passthrough Service

The SSG can forward traffic through any interface through normal routing or a next hop table. Because Network Address Translation (NAT) is not performed for this type of traffic, overhead is reduced. Passthrough service is ideal for standard Internet access.

• Proxy Service

When a subscriber requests access to a proxy service, the SSG will proxy the Access-Request to the remote AAA server. Upon receiving an Access-Accept from the remote RADIUS server, the SSG logs in the subscriber. To the remote AAA server, the SSG appears as a client.

During remote authentication, if the RADIUS server assigns an IP address to the subscriber, the SSG performs NAT between the assigned IP address and the subscriber's real IP address. If the remote RADIUS server does not assign an IP address, NAT is not performed.

When a user selects a proxy service, there is another username and password prompt. After authentication, the service is accessible until the user logs out from the service, logs out from the Cisco SSD, or is timed out.

• Transparent Passthrough—Supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC

When enabled, transparent passthrough allows unauthenticated subscriber traffic to be routed through the SSG in either direction. Filters can be specified to control transparent passthrough traffic. Some of the applications for this feature include:

• Making the SSG easy to integrate into an existing network by not requiring users who have authenticated with network access servers (NAS) to authenticate with the SSG

• To allow management traffic (such as TACACS+, RADIUS, and SNMP) from NASs connected to the host network to pass through to the service provider network

• To allow visitors or guests to access certain parts of the network

• Multicast

The SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets.

In order for the SSG to forward multicast packets to the IOS routing engine, it must be configured as follows:

• The interface where multicast packets are received must be configured as an uplink or downlink interface, or a service must be bound to the interface. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.

• SSG multicast must be enabled, in addition to IOS multicast.

If multicast is not enabled, multicast packets received on the interface will be dropped.

• PPP Termination Aggregation (PTA) and PTA Multi-Domain (PTA-MD)

PPP Termination Aggregation (PTA) can only be used by PPP-type users. AAA is performed exactly as in the proxy service type. A subscriber logs in to a service by using a PPP dialer application with a username of the form user@service. The SSG recognizes the @service as a service profile and loads the service profile from the local configuration or a AAA server. The SSG forwards the AAA request to the remote RADIUS server as specified by the service profile's RADIUS-Server Attribute. An address is assigned to the subscriber through RADIUS Attribute 8 or Cisco-AVpair "ip:addr-pool." NAT is not performed, and all user traffic is aggregated to the remote network. With PTA, users can only access one service. Users will not have access to the default network or the Cisco SSD.

While PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale VPN model where each domain is isolated from the other by an ATM core and has the capability to support overlapping IP addresses.

The SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports.

• Transparent Passthrough—Supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC

Upstream and downstream attributes, including inacl and outacl attributes, can be added to a special pseudo-service profile that can be downloaded to the SSG from a RADIUS server. Additionally, locally configured ACLs can be used. After the ACLs have been defined, they are applied to all traffic passed by the transparent passthrough feature.

Service Access Order

When users are accessing multiple services, the SSG must determine the services for which the packets are destined. To do this, the SSG uses an algorithm to create a service access order list that is stored in the user's host object and contains services that are currently open and the order in which they are searched.

The algorithm that creates this list orders the open services based on the size of the network, which is determined by the subnet mask of the Service Route RADIUS attribute. A subnet that contains more hosts implies a larger network. In the case of networks that are the same size, the services will be listed in the order in which they were last accessed.

The next hop gateway attribute is used to specify the next hop key for a service. Each SSG uses its own next hop gateway table that associates this key with an actual IP address.

DNS Redirection

When the SSG receives a DNS request, it performs domain name matching by using the Domain Name attribute from the service profiles of the currently logged in services.

If a match is not found and the user is not logged in to a service that has Internet connectivity, the request is forwarded to the DNS server defined in the client's Transmission Control Protocol/Internet Protocol (TCP/IP) stack.

In a dial-up networking or bridged (non-PPP) network environment, a user can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, and this can be a problem if the IP address is obtained by another user.

• Idle-Timeout attribute—Specifies the maximum time a session or connection can remain idle before it is disconnected.

• Session-Timeout attribute—Specifies the maximum amount of time a host or service object can remain active at any one time.

Concurrent or Sequential Service Access Mode

SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.

Extended High System Availability

The SSG supports extended high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the Cisco 6400 for adjacent slot or subslot pairs. For example, if you have SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant SSGs, you can configure automatic synchronization between the two SSGs. You can also manually force the primary and secondary devices in a redundant pair to switch roles. See the Cisco 6400 Software Setup Guide for more information on EHSA redundancy.

SSG Single Host Logon

Subscribers only perform two login sessions to log in to a service through Cisco SSD:

Restrictions

Open Garden

The software does not support binding two services to the same interface. If a configuration has open garden and proxy service bound to the same interface, the open garden functionality will fail.

CEF

CEF works with Point-to-Point Protocol over Ethernet (PPPoE) only and does not work with Fast Ethernet.

VPI/VCI Indexing to Service Profile

VPI/VCI indexing to service profile only works for Point-to-Point Protocol over ATM (PPPoA).

Proxy RADIUS Enhancements

For the proxy RADIUS enhancements, the sizes of the user-defined string and full username are limited to the smaller of the following values:

HTTP Redirect

The HTTP Redirect feature requires Service Selection Dashboard, Release 3.0(1) to implement captive portal capability.

Prerequisites

Cisco Service Selection Dashboard

If you want to perform Layer 3 service selection, you must install and configure the Cisco Service Selection Dashboard as described in the following documents:

• Cisco Service Selection Dashboard User Guide

• Cisco Service Selection Dashboard 2.5(1) Installation and Configuration Guide

Single Host Login

In order to use the Single Host Login feature, you must install and configure Cisco SSD version 2.5 or later versions.

Layer 2 Tunnel Protocol

To achieve 2000 L2TP sessions, you need at least 128 MB of DRAM on the NRP.

Configuring Features

This section contains the following tasks:

• Enabling SSG

• Configuring Local Service Profiles

• Configuring Security

• Configuring a Default Network

• Configuring Interfaces

• Configuring Services

• Configuring Fastswitching

• Configuring Multicast

• Configuring RADIUS Interim Accounting

• Configuring Cisco Express Forwarding

• Configuring IOS Network Address Translation

• Configuring VPI/VCI Indexing to Service Profile

• Configuring the Proxy RADIUS Enhancements

• Configuring L2TP

• Configuring Local Forwarding

• Configuring an Open Garden

• Configuring HTTP Redirection

Enabling SSG

As of Cisco IOS Release 12.0(7) DC, SSG is disabled by default. To enable SSG, enter the following command in global configuration mode:

Verifying that SSG is Enabled

To verify that SSG is enabled, enter the EXEC command show running-config.

Configuring Local Service Profiles

This task is required if you want to use Layer 2 service selection; otherwise, it is optional. You can configure local service profiles in addition to the service profiles on the remote RADIUS server. See "Service Profiles" for information on configuring service profiles on the remote RADIUS server.

Verifying Local Service Profiles

Enter the show running-config command to verify that local service profiles have been configured correctly.

Configuring Security

Verifying Security

Enter the show running-config command to verify that security has been configured correctly.

Configuring a Default Network

Configure the first IP address or subnet that users will be able to access without authentication. This is the address where the Cisco SSD resides.

Verifying the Default Network

Enter the show running-config command to verify that the default network has been configured correctly.

Configuring Interfaces

If you are going to use PPP to connect subscribers to the SSG, you do not have to configure any downlink interfaces. If you are using non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface.

Verifying Interfaces

Enter the show ssg direction command to verify that interfaces have been configured correctly.

Configuring Services

Note   Every service must be bound to an uplink interface.

Verifying Services

Enter the show ssg service command to verify that services have been bound to interfaces correctly. Enter the show running-config command to verify that the service search order and maximum services have been configured correctly. Enter the show ssg next-hop command to verify all mappings between services and IP addresses.

Configuring Fastswitching

Note   This task is optional. Fastswitching is enabled by default.

Verifying Fastswitching

Enter the show running-config command to verify that fastswitching has been enabled. Because fastswitching is enabled by default, it will not be displayed in the running configuration. If fastswitching has been disabled, the following line will appear in the output of the show running-config command:

Configuring Multicast

Note   This task is optional. Multicast is disabled by default.

Verifying Multicast

Enter the show running-config command to verify that multicast has been enabled. If multicast is disabled, which is the default, it will not be displayed in the running configuration. If multicast is enabled, the following line will appear in the output of the show running-config command:

Configuring RADIUS Interim Accounting

The SSG supports intermittent RADIUS accounting updates. When a user logs in to the SSG, the SSG sends an accounting start record to the local RADIUS server. When a user logs in to a service, the SSG sends a connection start record to the local RADIUS server and to the remote RADIUS proxy server. During the time that the user is logged in to the SSG, the SSG sends accounting update records at specified intervals to the appropriate server. When a user logs off from a service, the SSG sends a connection stop record to the local RADIUS server and to the remote RADIUS proxy server. When a user logs off from the SSG, the SSG sends an accounting stop record to the local RADIUS server. See "RADIUS Accounting Records" for more information.

This task is optional. Set the interval at which accounting updates are sent to the accounting server.

Verifying Interim Accounting

Enter the show running-config command to verify that the accounting interval has been set correctly.

Configuring Cisco Express Forwarding

Note   CEF works with Point-to-Point Protocol over Ethernet (PPPoE) only and does not work with Fast Ethernet. SSG does not support simultaneous use of Cisco Express Forwarding (CEF) and Routed Bridge Encapsulation (RBE).

The SSG works with Cisco Express Forwarding (CEF) switching technology to provide maximum Layer 3 switching performance. Because CEF is topology-driven rather than traffic-driven, its performance is unaffected by network size or dynamics.

Note   This task is optional. CEF is disabled by default. CEF only works with PPPoE.

Verifying Cisco Express Forwarding

Enter the show running-config and show ip cef commands to verify that CEF has been enabled.

Configuring IOS Network Address Translation

The SSG uses IOS Network Address Translation (NAT) to map the inside IP addresses of subscribers to the outside IP addresses from the destination service networks. This replaces the SSG NAT used in Cisco IOS Release 12.0(3)DC.

To configure IOS Network Address Translation (NAT), you must specify an inside interface from which clients connect to the SSG and an outside interface from which services are accessed. Enter interface or subinterface configuration mode for the desired inside and outside interfaces and enter the appropriate command below.

Note   This task is optional.

Verifying IOS Network Address Translation

Enter the show running-config command to verify that inside and outside ports have been specified correctly. Enter the show ip nat translations command to view your NAT addresses.

Configuring VPI/VCI Indexing to Service Profile

Note   VPI/VCI indexing to service profile only works for Point-to-Point Protocol over ATM (PPPoA).

The SSG supports virtual path identifier/virtual channel identifier (VPI/VCI) closed user groups by allowing VPI/VCIs to be bound to a given service. All users accessing the SSG through the VPI/VCI or range of VPI/VCIs will be able to access the service. You can specify whether users are allowed to access only the bound service or other additional services to which they subscribe. A closed user group service can only be selected through the VPI/VCI and not by entering the domain name in the user name of a Point-to-Point Protocol (PPP) session.

To configure VPI/VCI closed user groups, you must bind VPI/VCIs to a given service as described below. Closed user groups allow all users accessing the SSG through the VPI/VCI or range of VPI/VCIs to access the service. You can specify whether users are allowed to access only the bound service or other additional services to which they subscribe. A closed user group service can only be selected through the VPI/VCI and not by entering the domain name in the user name of a PPP session.

Note   This task is optional.

Verifying VPI/VCI Indexing to Service Profile

Enter the show running-config and show ssg vc-service-map command to view service name to VC mappings.

Monitoring VPI/VCI Indexing to Service Profile

Configuring the Proxy RADIUS Enhancements

Before configuring this feature, see the restrictions for Proxy RADIUS Enhancements.

Two new Service-Info vendor-specific attributes (VSAs) are available for proxy RADIUS service profiles:

• Service-Defined Cookie—A configurable VSA that allows user-defined information to be included in the RADIUS authentication and accounting requests.

• Full Username Attribute—Enables usage of the full username (user@service) in the RADIUS authentication and accounting requests.

To configure the proxy RADIUS enhancements, enter one or both of these Service-Info VSAs in the proxy RADIUS service profile:

For general information on configuring RADIUS profiles for SSG, see the "Configuring RADIUS Profiles" section.

The SSG uses vendor-specific RADIUS attributes. You must customize the AAA server's RADIUS dictionary to incorporate the SSG vendor-specific attributes.

Table 4-1 lists vendor-specific attributes used by the SSG to support the proxy RADIUS enhancements. The vendor ID for all of the Cisco-specific attributes is 9.

Example: Proxy RADIUS Enhancements

The following proxy RADIUS service profile contains a Service-Defined Cookie and a Full Username Attribute:

Verifying the Proxy RADIUS Enhancements

Step 2   To check the content of the RADIUS profiles, refer to the user documentation for your RADIUS server.

Configuring L2TP

Note   Before configuring this feature, see the prerequisites for Layer 2 Tunnel Protocol.

Configuring the NRP as a LAC

To configure the Cisco 6400 NRP as a LAC, enter the following command in global configuration mode:

Verifying the NRP-LAC Configuration

To verify the NRP-LAC configuration, enter the EXEC command show running-config.

Configuring the RADIUS Profiles for SSG Support of L2TP

For general information on configuring RADIUS profiles for SSG, see the "Configuring RADIUS Profiles" section.

The SSG uses vendor-specific RADIUS attributes. You must customize the AAA server's RADIUS dictionary to incorporate the SSG vendor-specific attributes.

Table 4-2 lists vendor-specific attributes used by the SSG to support L2TP. The vendor ID for all the Cisco-specific attributes is 9.

Table 4-3 lists the Cisco-AVpair attributes used in the service profile to configure VPDN.

Table 4-4 lists the Account-Info attribute used in the user profile to subscribe the user to a VPDN service.

Table 4-5 lists the Service-Info attribute used in the service profile to define the L2TP service parameter.

Configuring the LNS

To configure the LNS, typically a Cisco 7200 or another NRP, enter the following commands beginning in global configuration mode.

L2TP Example

This section provides the following configuration examples:

• SSG as a LAC Example

• RADIUS User Profile Example

• RADIUS Service Profile Example

• LNS Configuration Example

SSG as a LAC Example

RADIUS User Profile Example

RADIUS Service Profile Example

LNS Configuration Example

Monitoring L2TP

The following privileged EXEC commands will help you monitor and maintain the SSG support of L2TP.

Configuring Local Forwarding

To enable SSG to forward packets locally, enter the following command in global configuration mode:

Example: Local Forwarding

In the following configuration, local forwarding is enabled:

Verifying Local Forwarding

To verify that you enabled local forwarding, enter the show running-config EXEC command.

Configuring an Open Garden

Note   The SSG does not support binding two services to the same interface. If a configuration has open garden and proxy service bound to the same interface, the open garden functionality will fail.

An Open Garden is one or more domains that can be accessed without user authentication. This differs from a "Walled Garden." A "Walled Garden" refers to a collection of Web sites, or networks in general, that a user can access after providing minimal authentication information.

The Open Garden enhancement enables a list of as many as 100 domains to be associated with the default network. If a subscriber creates a DNS request for one of those domain names, the DNS request is resolved by the SSG to the default network.This ensures that a subscriber can access the Service Selection Dashboard, which typically resides on the management network with a private address, even when the subscriber is assigned a public DNS server.

To configure an open garden:

1. Create a local profile for each open garden network desired.

• Specify the networks available to the user

• Specify the available domains

• Specify the DNS IP address in the open garden network.

2. Add this new profile to the open garden list.

Creating a Local Profile for an Open Garden

Enter the local-profile profile-name command to enter profile configuration mode and to create and name a local profile.

Table 4-2 lists VSAs (vendor-specific attributes) used by the SSG. The vendor ID for all Cisco-specific attributes is 9.

Adding the Local Profile to the Open Garden List

Enter the ssg open-garden profile-name command to add the new profile to the list of open garden networks.

Syntax Description

Example

Rouer# ssg open-garden opengarden_network1

Verifying the Open Garden Configuration

Step 2   To verify the open garden configuration, enter the following command:

Configuring HTTP Redirection

Note   The HTTP Redirect feature requires Service Selection Dashboard, Release 3.0(1) to implement captive portal capability.

The Hypertext Transfer Protocol (HTTP) Redirect feature works with the Cisco Service Selection Dashboard (SSD) to implement captive portals. If a user has not logged in and sends packets upstream to a configurable group of TCP ports, SSG sends those packets to a captive portal group (one or more servers). The SSD handles the incoming packets in a suitable manner, such as returning a login page.

The group of captive portals consists of one or more SSDs. The SSG redirects packets to the captive portal groups on a round-robin basis.

The HTTP Redirect feature provides a means for user authentication without requiring the user to know the dashboard URL. It enables service providers to implement captive portals, own the user experience, advertise value-added services, and build a brand experience.

Note   HTTP Redirect is supported in 12.1(5)DC for bridged or routed users. It supports subscribers coming in on bridged or routed interfaces. This feature does not support subscribers coming in with PPP and RBE. SSG operates by using standard Internet protocols with AAA and other Web servers the user chooses. A customer can currently use any Web server that can handle the HTTP Redirect. Cisco SSD version 3.0 can receive HTTP Redirection from SSG and handles the request. Release 3.0(1) of the SSD, which is scheduled to FCS in June 2001.

To configure HTTP redirection:

Step 2   Add a TCP port to the portal group.

Step 3   Set a default group for redirection of unauthorized users.

Defining a Captive Portal Group

To define a group of one or more servers that make up the captive portal group, enter the
ssg http-redirect group group-name server ip-address port command.

Adding a TCP Port to the Portal Group

To add a TCP port to a list of ports that can be redirected by the captive portal group, enter the ssg http-redirect port incoming destination port number group group-name command.

Syntax Description

Example

Router# ssg http-redirect port 8080 group SSDGroup

Setting a Default Redirection Group

To select a captive portal group for redirection of traffic from an unauthorized user, enter the
ssg http-redirect unauthorized-user group group-name command.

Syntax Description

Example

Router# ssg http-redirect unauthorized-user group SSDGroup

Verifying the HTTP Redirection

To verify that the HTTP redirection is set or to view any direct mappings, enter the show ssg http-redirect group [name] command or the show ssg http-redirect mappings [ip-address] command and check for the HTTP redirect statements in the output.

If the group keyword is used and the optional name field is omitted, the command displays a list of all defined portal groups. If the name field is included, the command displays information about that group.

If the mappings keyword is used and the optional ip-address is omitted, then a list of IP addresses for all hosts with stored mappings is displayed. If the ip-address field is included, then any mappings for the host with that IP address is displayed.

Configuring RADIUS Profiles

The SSG uses vendor-specific RADIUS attributes to define RADIUS profiles. You must customize the AAA server's RADIUS dictionary to incorporate the SSG vendor-specific attributes described inSSG Vendor-Specific Attributes.

You must set up user and service RADIUS profiles on the AAA server as described in this section. Service profiles can also be defined locally as described in the "Configuring Local Service Profiles" section. You can optionally set up pseudo-service profiles. The following profiles are described:

• User Profiles

• Service Profiles

• Service Group Profiles

• Pseudo-Service Profiles

These profiles contain RADIUS attributes that define specific AAA elements. The syntax for these attributes is described in this section.

SSG Vendor-Specific Attributes

Table 4-7 lists vendor-specific attributes used by the SSG. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (SSD) can send requests to the SSG to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.

The following sections describe the format of each subattribute.

---

Note   All RADIUS attributes are case sensitive.

---

Cisco-AVpair Attributes

The Cisco-AVpair attributes are used in user and service profiles to configure ACLs and VPDN.

Account-Info Attributes

The Account-Info attributes are used in user profiles and service group profiles.

User profiles define the password, services, and groups to which the user is subscribed.

Service group profiles contain a list of services and service groups and can be used to create sophisticated directory structures for locating and logging in to services. When a user is subscribed to a service group, the user is automatically subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services and/or a list of other service groups.

Example (RADIUS Freeware Format)

Account-Info = "Nservice1.com"

Example (CiscoSecure ACS for UNIX Format)

9,250 = "Nservice1.com"

Service-Info Attributes

The Service-Info attributes are used to define a service. The following attributes define the parameters for a service.

Control-Info Attributes

The Control-Info attribute is used to define lists or tables of information.

User Profiles

RADIUS user profiles contain a password, a list of subscribed services and groups, and access control lists.

Cisco AVPair Attributes

This section describes Cisco AVPair attributes that appear within user profiles. The Cisco-AVpair attributes are used to configure ACLs.

Upstream Access Control List

Downstream Access Control List

User Profile Attributes

This section specifies standard and vendor-specific RADIUS attributes that can be used in SSG user profiles.

Service Name

Service Group

Auto Service

This attribute subscribes the user to a service and automatically logs the user on to the service when the user accesses the Cisco SSD. Each user profile can have more than one auto service attribute.

Account-Info = "Aservicename [;username;password]"

Syntax Description

servicename	Name of the service.
username	Username used to access the service. Required for proxy services.
password	Password used to access the service. Required for proxy services.

Example

Account-Info = "Agamers.net;jdoe;secret"

---

Note   The user must be subscribed to this service. See "Service Name".

---

Example User Profile

The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:

The following is the same profile as above, formatted for CiscoSecure ACS for UNIX:

Service Profiles

Service profiles include the password, service type (outbound), type of service (passthrough or proxy), the service access mode (sequential or concurrent), the DNS server IP address, networks that exist in the service domain, access control lists, and other optional attributes.

Cisco-AVPair Attributes

This section describes Cisco AVPair attributes that appear within service profiles. Table 4-14 lists the Cisco-AVpair attributes used to configure ACLs.

Table 4-15 lists the Cisco-AVpair attributes used in service profiles.

Upstream Access Control List

Downstream Access Control List

VPDN IP Address

VPDN Tunnel ID

This attribute specifies the name of the tunnel that must match the tunnel ID specified in the LNS VPDN group, as shown in Step 4 in the "Configuring the LNS" section.

Syntax Description

Example (RADIUS Freeware Format)

Cisco-AVpair="vpdn:tunnel-id=My-Tunnel"

Example (CiscoSecure ACS for UNIX)

9,1="vpdn:tunnel-id=My-Tunnel"

L2TP Tunnel Password

Standard Service Profile Attributes

This section specifies standard RADIUS attributes that can be used in SSG service profiles.

SSG Specific Service Profile Attributes

This section specifies VSAs that can appear within service profiles.

Type of Service

This attribute indicates whether the service is proxy, tunnel, or passthrough. This attribute is optional.

Service Mode

This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. This attribute is optional.

DNS Server Address

This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the SSG can send DNS requests to the primary DNS server until performance is diminished or it fails (failover). This attribute is optional.

Service Route

Use the Service Route attribute to specify networks that exist for a service. For more information, see "Service Access Order".

Note   An Internet service is typically specified as "R0.0.0.0;0.0.0.0" in the service profile.

Example

Service-Info = "R192.168.1.128;255.255.255.192"

Note   There can be multiple instances of this attribute within a single service profile.

RADIUS Server

This attribute specifies the remote RADIUS server that the SSG will use to authenticate, authorize, and perform accounting for a service log on for a proxy service type. This attribute is only used in proxy service profiles. This attribute is required for proxy service profiles.

Service Next Hop Gateway

This attribute specifies the next hop key for this service. Each SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Table Entry". This attribute is optional.

Syntax Description

Example

Service-Info = "Gnexthop1"

Domain Name

This attribute specifies domain names that get DNS resolution from the DNS server(s) specified in DNS server address. This attribute is optional.

Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS server. For more information, see "Service Access Order".

Example

Service-Info = "Ocisco.com;cisco-sales.com"

Note   There can be multiple instances of this attribute within a single service profile.

Service Description

Service-Defined Cookie

This attribute enables you to include user defined information in the RADIUS authentication and accounting requests.

Service-Info = "Vstring"

Syntax Description

string

Information of your choice that you wish to include in the RADIUS authentication and accounting requests.

Example (RADIUS Freeware Format)

Service-Info = "VserviceIDandAAA-ID"

Example (CiscoSecure ACS for UNIX)

9,251="VserviceIDandAAA-ID"

---

Note   SSG does not parse or interpret the value of the Service-Defined Cookie. You must configure the proxy RADIUS server to interpret this attribute.

---

---

Note   SSG supports only one Service-Defined Cookie per RADIUS service profile.

---

Full Username Attribute

Example Service Profile

The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:

The following is the same profile as above, formatted for CiscoSecure ACS for UNIX:

Service Group Profiles

Service group profiles contain a list of services and service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the password and the service type (outbound) as check attributes and a list of services and a list of service groups as reply attributes.

This section specifies vendor-specific attributes that can be used in SSG service group profiles.

Service Name

Service Group

Group Description

This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service group profile name is used.

Example Service Group Profile

The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:

The following is the same service group profile, formatted for CiscoSecure ACS for UNIX:

Pseudo-Service Profiles

This section describes pseudo-service profiles that are used to define variable length tables or lists of information in the form of services. There are currently two types of pseudo-service profiles: Transparent Passthrough Filter and Next Hop Gateway. The following sections describe both profiles.

Transparent Passthrough Filter Pseudo-Service Profile

Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the SSG through the Cisco SSD) to be routed through normal IOS processing. Transparent passthrough is supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC.

Table 4-19 lists the Cisco AVPair attributes that appear within transparent passthrough filter pseudo-service profiles. The Cisco-AVpair attributes are used to configure ACLs.

Upstream Access Control List

Downstream Access Control List

The Transparent Passthrough Filter pseudo-service profile allows or denies access to IP addresses and ports accessed through the transparent passthrough feature.

Example Transparent Passthrough Filter Pseudo-Service Profile

Next Hop Gateway Pseudo-Service Profile

Because multiple SSGs might access services from different networks, each service profile can specify a next hop key, which is any string identifier, rather than an actual IP address. For each SSG to determine the IP address of the next hop, each SSG downloads its own next hop gateway table that associates keys with IP addresses.

Next Hop Gateway Table Entry

Because multiple SSGs might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each SSG to determine the IP address of the next hop, each SSG downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see the "Service Next Hop Gateway" section.

Note   This attribute is only used in Next Hop Gateway pseudo-service profiles and should not appear in service profiles or user profiles.

Syntax Description

Usage

Use this attribute to create a next hop gateway table for the selected SSG.

To define the IP address of the next hop for each service, the SSG downloads a special service profile that associates the next hop gateway key for each service with an IP address.

To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each SSG.

For more information, see the ssg next-hop command in the Cisco 6400 Command Reference.

Example

Control-Info = "GNHT_for_SSG_1;192.168.1.128"

To create a next hop gateway table, create a profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each SSG if the next hop IP addresses are different. For an example next hop gateway pseudo-service profile, see "Example Transparent Passthrough Filter Pseudo-Service Profile".

For more information, see the ssg next-hop command in the Cisco 6400 Command Reference.

Example NextHop Gateway Pseudo-Service Profile

The following is an example of the Next Hop Gateway pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:

The following is the same Next Hop Gateway pseudo-service profile, formatted for CiscoSecure ACS for UNIX:

RADIUS Accounting Records

This section describes events that generate RADIUS accounting records and the attributes associated with the accounting records sent from the SSG to the accounting server.

Account Logon

When a user logs in, the SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:

Account Logoff

When a user logs off, the SSG sends a RADIUS accounting-request on behalf of the user to the accounting server. The attributes associated with this record are:

Connection Start

When a user accesses a service, the SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:

Connection Stop

When a user terminates a service, the SSG sends a RADIUS accounting-request to the accounting server. The attributes associated with this record are:

Attributes Used in Accounting Records

Service User

This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway.

Service-Info = "Uusername"

Syntax Description

username

The name provided by the user for authentication.

Example

Service-Info = "Ujoe@cisco.com"

---

Note   This attribute is only used for accounting purposes and does not appear in profiles.

---

Service Name

This attribute defines the name of the service.

Syntax Description

Example

Note   This attribute is only used for accounting purposes and does not appear in profiles.

Octets Output

Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Output-Octets attribute. Standards such as ADSL have much higher throughput.

In order for the accounting server to keep track of and bill for this usage, the SSG uses the Octets attribute.

The Octets Output attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for outbound data.

Control-Info = "Orollover;value"

Syntax Description

rollover	Number of times the 32-bit integer rolled over to 0.
value	Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 2³² + value

Example

In the following example, the rollover is 2 and the value is 153 (2 * 2³² + 153 = 8589934745):

Control-Info = "O2;153"

---

Note   This attribute is only used for accounting purposes and does not appear in profiles.

---

Octets Input

Current RADIUS standards only support the counting of up to 32 bits of information with the ACCT-Input-Octets attribute. Standards such as ADSL have much higher throughput.

In order for the accounting server to keep track of and bill for this usage, the SSG uses the Octets attribute.

The Octets Input attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for inbound data.

Control-Info = "Irollover;value"

Syntax Description

rollover	Number of times the 32-bit integer rolled over to 0.
value	Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 2³² + value

Example

In the following example, the rollover is 3 and the value is 151 (3 * 2³² + 151 = 12884902039):

Control-Info = "I3;151"

---

Note   This attribute is only used for accounting purposes and does not appear in profiles.

---

Configuration Example

The configuration examples in this section support the network topology shown in Figure 4-2.

Security

Default Network

Interfaces

Services

The following is an example service profile as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX.

Service Search Order

Next-Hop Table

The following is an example next-hop table as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX.

Max Services

Local Service Profile

Transparent Passthrough Filter

The following is an example transparent passthrough filter as it would appear on the RADIUS server. It is formatted for CiscoSecure ACS for UNIX.

Redundancy

Fastswitching

There will be nothing in the running configuration for fastswitching when it is enabled.

Multicast

RADIUS Interim Accounting

The following example RADIUS accounting records will be sent to the appropriate server every 600 seconds while the user is logged on to the SSG:

Account Update

NAS-IP-Address = 172.16.11.1 NAS-Port = 0 NAS-Port-Type = Virtual User-Name = "cisco" Acct-Status-Type = Update Acct-Authentic = RADIUS Service-Type = Framed Acct-Session-Id = "00000000" Acct-Session-Time = 77 Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Framed-Protocol = PPP Framed-IP-Address = 172.16.11.12 Control-Info = "I0;0" Control-Info = "O0;0" Acct-Delay-Time = 0

Connection Update

NAS-IP-Address = 172.16.11.1 NAS-Port = 0 NAS-Port-Type = Virtual User-Name = "cisco" Acct-Status-Type = Update Acct-Authentic = RADIUS Service-Type = Framed Acct-Session-Id = "00000012" Acct-Session-Time = 8 Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Framed-Protocol = PPP Control-Info = "I0;0" Control-Info = "O0;0" Service-Info = "Nservice.com" Service-Info = "Uname" Service-Info = "TX" Acct-Delay-Time = 0

CEF

IOS NAT

Service Name to VC Mapping

Monitoring and Troubleshooting SSG

Table 4-21 describes the commands that help you monitor and maintain the SSG.

RADIUS

To troubleshoot communication between the RADIUS server and the NRP, enter the debug radius command.

Posted: Tue Feb 26 15:37:01 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.