|
The SESM installation process uses default values and values you enter during installation to configure the sample portal applications. Read this section if you want to change or fine-tune configuration after installation.
The SESM portal applications use the following MBeans:
To change attributes in these MBeans, you can either:
The installation process configures all three of the sample portal applications (NWSP, WAP, and PDA) using the same default port numbers. These port numbers are:
These applications use different MBean configuration files. The files are located in a directory named for the application under the installation directory:
nwsp
config
nwsp.xml
wap
config
wap.xml
pda
config
pda.xml
The Logger MBean configures both logging and debugging tools. The logging tool traces business events in the SESM portal. The debugging mechanism produces messages useful to developers in debugging applications. Table 5-1 describes the attributes in the Logger MBean.
Attribute Name | Explanation |
---|---|
Turns debugging on or off. That is, it controls whether Log.debug calls executed by the SESM application are displayed in the log file. Note Logging remains on regardless of this value. That is, all Log.trace and Log.warning calls executed in the SESM application are written to the log file regardless of the value of the debug attribute. To turn off logging, comment out the entire Logger MBean. Values for this attribute are:
The following parameters control the contents of debug messages that the application generates: logFrame, logStack, logThread, debugPatterns, and debugThreads. The following parameters control the types of logging messages produced: trace and warning. Installed default: false | |
By specifying one or more patterns, you turn on a filtering mechanism that excludes any message that does not match the pattern. The patterns are file, class, or method names. Pattern matching is based on substring matches. For example, if you specify the pattern RADIUS, the software focuses on RADIUS messages. To specify multiple patterns, separate the patterns using a comma. Installed default: empty, which means that you receive all messages. | |
Specifies a specific thread name for which to show debugging messages. You can specify multiple thread names, separating them using a comma. For example: 6,13,22. By default, no thread name is specified. Because each user interaction with the SESM web application takes place in a thread named for that user, this parameter can be used to focus the logging trace on a specific user activity. Enter a list of thread names separated by commas. Installed default: empty | |
Specifies the level of detail in debugging messages. When the debug attribute is set to false, this attribute is ignored. Values are MAX, MED, or LOW. Installed default: LOW | |
Specifies format of dates in the log file. Installed default: yyyyMMdd:HHmmss.SSS | |
Specifies the filename and location for the logging (tracing) of business events performed by the SESM application. The installed default is:
Where:
| |
Controls whether or not to log the calling member function. Installed default: false | |
Controls whether or not to log stack traces. Installed default: false | |
Controls whether or not to log thread IDs. Installed default: true | |
Controls whether or not to route log messages to stderr, in addition to the log file. This parameter is useful for monitoring the SESM web application at the command line. Displaying output to stderr is not recommended for production deployments. Installed default: true | |
Controls whether or not to log trace messages. These messages indicate entry and exit to code points. Installed default: true | |
Controls whether or not to log warning messages (nonfatal exceptions). Installed default: true |
The ManagementConsole MBean configures the portal's management console port, including valid user names and passwords for accessing the console. See the "Configuring the ManagementConsole MBean" section for more information.
The SESM MBean configures SESM features and options, including the SESM mode.Table 5-2 describes the attributes in the SESM MBean.
Attribute Name | Explanation |
---|---|
An SESM portal runs in one of the following modes.
The value for mode is a Java system property named: This system property is different from most of the other system properties used in the MBean configuration files, in that, by default, the startup script does not set this system property. Therefore, the application runs in the mode specified in the MBean configuration file unless you explicitly override that value at run time. The installation program sets the default value to match the type of installation you perform (RADIUS, LDAP, or Demo.) To change the mode, you can:
| |
Enables or disables the single sign-on feature.
Installed default: true | |
In RADIUS mode, set this attribute to false, because SSG automatically makes the connections immediately after authentication. You do not need SESM to request those connections. In LDAP mode, the SSG performs automatic connections if it obtains a service list from the RDP. If SSG does not obtain the service list from RDP, you should set this attribute to true. The Add Services option, which is set during RDP installation, controls whether or not the RDP returns a service list to SSG. The Add Services option configures RDP to either:
| |
Specifies the time in seconds that a service or group object must be idle in the cache before its resources are deallocated from memory. Installed default: 600 | |
The minimum time in seconds that an SESM session can be in memory without being accessed. If this value is 0 or undefined, the application calculates a value as: profileCachePeriod * 2. Installed default: 1200 | |
| |
SESM applications include automatic memory management features that constantly work to free unused memory. If this attribute is set correctly, the application does not run out of memory. If this attribute is set too small, the application might run out of memory and terminate abnormally. The installed default is correct for the NWSP application. You might need to adjust the value for customized applications. If subscribers are receiving the server busy message too frequently, increase the amount of memory reserved for the application. This value is set in the startup script. See the "SESM Portal Application Memory Requirements" section for more information. Installed default: 10485760 |
The SESMDemoMode MBean configures SESM in demo mode. Table 5-3 describes the attributes in the SESMDemoMode MBean.
Attribute Name | Explanation |
---|---|
Specifies the file that contains data for the demo mode. The installed value is:
Where:
The NWSP start script derives the value for application.home from an expected (installed) directory structure. To change the value of application.home, edit the start script. |
The DESSMode MBean configures SPE attributes used by the SESM application. Table 5-4 describes the attributes in the DESSMode MBean.
Attribute Name | Explanation |
---|---|
The time in seconds between checking the authorization tokens. Default: 300 seconds | |
The length of time in seconds a token can remain in cache without being used before it is deleted. Default: 600 seconds | |
naming | The component in distinguished name (dn) that the LDAP directory uses to allow access to the directory. For example: |
The SSG MBean configures communication between SESM web applications and SSGs. These components communicate using the RADIUS protocol, so this MBean includes RADIUS protocol attributes. The MBean also includes attributes that determine which SSG should handle a subscriber request. Table 5-5 describes the attributes in the SSG MBean.
Object | Attribute Name | Explanation |
---|---|---|
Global attributes The global attributes apply to all SSGs that the SESM web application might communicate with. To determine how an SSG is configured, use the show run command on the SSG host. | The global value for RADIUS ports on the SSG hosts. This value must match the value that was configured on the SSG device using the following command:
You can create subnet entries in the MBean configuration file to override this global value for specific SSGs. | |
The number of seconds the SESM web application waits before timing out RADIUS packets that it sends to SSG. You cannot override this global value. Installed default: 5 | ||
The number of times the SESM web application resends a RADIUS packet to SSG if no response is received. You cannot override this global value. Installed default: 3 | ||
The global value for the RADIUS protocol shared secret used for communication between the SESM web application and the SSGs. This value must match the value entered on the SSG device using the You can create subnet entries in the MBean configuration file to override this global value for specific SSGs. | ||
The global value for the mask that the SESM web application applies to incoming subscriber IP addresses to derive an IP address for the SSG. You can create subnet entries in the MBean configuration file to override this global value for specific subnets. | ||
The global value for the maximum number of simultaneous requests that SESM portals can send to an SSG. The RADIUS protocol queues additional requests and issues them as the SSG returns responses or timeout messages for previous requests. Installed default: 20 | ||
SSG global attributes (continued) | The global value for the port bundle length that SSGs use when the port-bundle host key feature is enabled. The port bundle length is the number of bits that SSG uses to indicate bundled slots. For example, a value of 4 indicates 16 bundled slots. This value must match the value used in the following command on the SSG host: ssg port-map length
Default: You set this value during installation. | |
The global value indicating whether or not the port-bundle host key feature is enabled on the SSGs. If BUNDLE_LENGTH is zero, then the value of this switch is important.
| ||
MIN_LOCAL_PORT MAX_LOCAL_PORT | Together, these two attributes specify a range of UDP ports for RADIUS protocol requests from the SESM portal application to the SSG. By using these attributes, you restrict the source ports used by NWSP to only the ports in the specified range. For example, you might want to restrict port usage if a firewall separates SESM from other components. In that case, you can configure the firewall to allow traffic through the specified range of ports. You can create subnet entries in the MBean configuration file to override this global value for specific SSGs. | |
Use subnet entries to override the global values or to map client subnets to specific SSGs when the port-bundle host key feature is not being used. See the "Associating SSGs with Subscriber Requests" section on page 5-15 for more information about using subnet entries. | Subnet entries use positional arguments. | The format for a subnet entry is: <Call name="setSubnetAttribute"> The call to setSubnetAttribute has four positional arguments:
1. subnetAddress is the subnet for which you are explicitly setting a value, overriding the globally set value. 2. subnetMask is the mask that can be applied to the subscriber's IP address to derive the subnet. 3. argumentName is the argument that you are explicitly setting: ssg port-map length
4. argumentValue is the value for argumentName. |
Table 5-6 describes the attributes in the AAA MBean.
Attribute Name | Explanation |
---|---|
The maximum number of simultaneous requests that SESM web applications can send to a RADIUS server. This is a RADIUS protocol attribute. The RADIUS protocol queues additional requests and issues them as the server returns responses or timeout messages for previous requests. Installed default: 256 | |
The number of seconds the SESM web application waits before timing out RADIUS packets that it sends to the AAA server. Installed default: 4 | |
The number of times the SESM web application resends packets to the AAA server if no response is received. Installed default: 3 | |
The IP address or the host name of the primary AAA server. | |
The port number that the primary RADIUS server listens on. Default: 1812 | |
The shared secret used between the RADIUS server and the SESM web application. The shared secret must be the same for the primary and secondary servers. It must match the secret specified when you configured SESM as a NAS client on the RADIUS server. Default: | |
The IP address or host name of the secondary AAA server. If you are not using a secondary RADIUS server, reenter the primary server. | |
The port number that the secondary RADIUS server listens on. If you are not using a secondary server, reenter the primary server. Default: 1812 | |
The password that the SESM web application uses to request service profiles from the RADIUS server. It must match the service password values used in the service profiles in the RADIUS database. Default: | |
The password that the SESM web application uses to request group profiles from the RADIUS server. It must match the service group password values used in the service group profiles in the RADIUS database. Default: |
The Firewall MBean configures fields on the NWSP My Firewall page. Table 5-7 describes the attributes in the Firewall MBean.
The Firewall MBean defines a list of firewall protocols and firewall applications, which are SESM concepts used in a different way than the OSI protocol and application concepts. You can specify ACLs on firewall applications, but not on firewall protocols.
<Key>ip</Key>
<Value>ip</Value>
<Key>tcp</Key>
<Value>tcp</Value>
<Key>ftp</Key>
<Value>tcp, 21</Value>
<Key>https</Key>
<Value>tcp,443</Value>
<Key>imap</Key>
<Value>tcp,143</Value>
<Key>ip</Key>
<Value>ip</Value>
<Key>tcp</Key>
<Value>tcp</Value>
<Key>ftp</Key>
<Value>ftp</Value>
<Key>email</Key>
<Value>smtp,pop2,pop3,imap</Value>
<Key>www</Key>
<Value>http,https</Value>
SESM includes many predefined firewall protocols and firewall applications. You can see all of these predefined values by accessing the NWSP Agent View. In the Firewall MBean, click in the value column for the read-only attributes AllApplicationDescriptions and AllProtocolDescriptions.
You can use the customProtocols and customApplications attributes in the Firewall MBean to define additional firewall protocols and firewall applications.
Attribute Name | Explanation |
---|---|
Defines additional firewall protocols. Each item in the array consists of two elements:
For example: <Key>tcp</Key>
<Value>tcp</Value>
<Key>ftp</Key>
<Value>tcp, 21</Value>
See the "Firewall Protocols and Applications" section for a definition and more examples of firewall protocols. Several firewall protocols are predefined in SESM and do not need to be explicitly defined here. | |
Defines additional firewall applications. Each item in the array consists of two elements:
<Key>ftp</Key>
<Value>ftp</Value>
<Key>www</Key>
<Value>http,https</Value>
See the "Firewall Protocols and Applications" section for a definition and more examples of firewall applications. | |
Specifies the firewall applications that appear on the NWSP My Firewall page, in the Applications/Protocols column. Items in this list must be defined as predefined or custom firewall applications. To see a list of all defined applications, open the portal's Agent View management console and click in the value column of the AllApplicationsDescriptions attribute, a read-only attribute in the Firewall MBean. Note The text that represents an application on the My Firewall page is defined in the portal application's resource bundles. See the "Configuring the NWSP My Firewall Page" section for more information. | |
Specifies direction (in or out) for the default access control direction in the ACLs created by SESM. See the "Creating Subscriber-Configured Personal Firewalls" section for more information about created ACLs. Value values for direction are:
All connections have a return path. A block on in also affects traffic traveling in the opposite direction, and vice-versa. For any ACL, the choice of whether to control the in or out direction is a matter of preference. | |
Sets the return option for TCP applications. Recommended values are: permit and default. Default refers to the Permit/Deny All Else button on the My Farewell page. Default: permit Note You can alter the My Firewall JSP to add a button allowing the subscriber to choose the TCP return option. The JSP contains commented-out code for an ipPermission button, which you could copy to implement a return TCP permission button. |
The WebApp MBean configures options of the SESM portal application, including:
Table 5-8 describes the attributes in the WebApp MBean.
Attribute Name | Explanation |
---|---|
Controls whether or not the application prompts the user for confirmation before it acts on a request to start a service. Default: FALSE | |
Controls whether or not the application prompts the user for confirmation before it acts on a request to log off. Default: TRUE | |
Controls whether or not the application prompts the user for confirmation before it acts on a request to log off of the SESM application. Default: TRUE | |
The number of seconds of inactivity allowed before the application closes a session. This value overrides the timeout value in the nwsp.jetty.xml file. Default: 7200 | |
Controls the maximum length of user names and passwords. Default: 30 | |
These attributes are related to the captive portal solution. See Table 11-4 for explanations of these attributes. | |
You can create arbitrary attributes and associate them with subscriber requests in the manner described for location awareness in the "Configuring Location Awareness" section. |
A typical SESM deployment consists of multiple SSGs. The installation process configures communication with one SSG when you choose the appropriate options. This section describes how to configure communication with additional SSGs. It includes the following topics:
You can set the attributes that associate an SSG with subscriber requests globally, by client subnet, or for a specific client IP address, as follows:
Note To use the port-bundle host key feature, the SSG device must be running Cisco IOS Release 12.2(2)B or later and the SSG port-bundle host key feature must be configured appropriately. |
When the port-bundle host key feature is enabled on an SSG, the SSG replaces the subscriber IP address in the request with a software token (or key) when it forwards the request to SESM. The SESM application uses this key in its responses to SSG, and the SSG does an internal translation to an actual host object.
The key is a unique combination of an SSG IP address from a range of IP addresses and a port number from a range of port numbers, as follows:
The IP address and port ranges are configured on each SSG. The key uniquely identifies each subscriber currently logged on to SESM, even when multiple subscribers are using the same IP address.
To use the port-bundle host key feature to associate SSGs, follow these procedures:
1. Enable and configure the port-bundle host key feature on all of the SSGs, as described in the Configuring the Host Key Port Bundle Feature on SSG.
2. Configure the same values on all of the SSG hosts for the following attributes:
ssg radius-helper
authenticationPort
ssg radius-helper
key
ssg port-map length
3. When the SESM installation program prompts you, enter the globally-configured values in Step 2. These values are saved as global elements in the SSG MBean, as the following example illustrates.
When the port-bundle host key feature is enabled and configured, you can set all parameters globally.
<Configure name="com.cisco.aggbu:name=SSG">
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>
</Configure>
In this example, all SSGs are configured to use a port of 1812 and a shared RADIUS secret of cisco
. The BUNDLE_LENGTH of 4 indicates that port-bundle host key is configured on all SSGs.
The MASK attribute specifies the mask that SESM applies to the client (source) IP address in a received message to determine the client's subnet, and, from that, the SSG IP address. However, when a host key is used, the client (source) IP address is the SSG IP address. The SESM installation program provides the default mask of 255.255.255.255.
If port-bundle host key is enabled on all SSGs, but some are configured differently, you can configure the global case and then specifically configure exceptions. For example, if all but one SSG is assigned the same shared secret, you can configure the shared secret attribute globally, and then add one subnet entry to configure the different secret for the single SSG.
The installation program lets you provide one set of SSG global attribute values and one subnet entry. It records these attribute values in the <Configure name="SSG"> section of the application MBean configuration file, as illustrated in the following example.
In this example, port-bundle host key is enabled on all SSGs. In addition, all SSGs are using the same port, secret, and client IP address mask, except that one SSG uses a different port. In this case, you can set all parameters globally, and then use one subnet entry to define:
In the following example, the SSG that services subnet 10.1.1.0 uses port 1245.
<Configure name="com.cisco.aggbu:name=SSG">
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1812</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.1.0</Arg><Arg>255.255.255.0</Arg><Arg>PORT
</Arg><Arg>1245</Arg></Call>
</Configure>
Each request arriving at an SESM web application contains a source, or client, IP address. SESM uses this client IP address to determine which SSG should handle each request.
<Call name="setSubnetAttribute">
<Arg>10.2.0.0</Arg><Arg>255.255.0.0</Arg><Arg>IP</Arg><Arg>10.6.7.1</Arg></Call>
In this example, port-bundle host key is not being used. In this case, you must explicitly define the mapping from subscriber subnet to the SSG IP address.
<Configure name="com.cisco.aggbu:name=SSG">
<Call name="setGlobalAttribute"><Arg>PORT</Arg><Arg>1645</Arg></Call>
<Call name="setGlobalAttribute"><Arg>SECRET</Arg><Arg>cisco</Arg></Call>
<Call name="setGlobalAttribute"><Arg>MASK</Arg><Arg>255.255.255.255</Arg></Call>
<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>0</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.1.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.1.2</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.2.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.2.2</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.3.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.3.2</Arg></Call>
<Call name="setSubnetAttribute"><Arg>10.1.4.0</Arg><Arg>255.255.255.0</Arg><Arg>IP
</Arg><Arg>10.21.4.2</Arg></Call>
</Configure>
The Cisco SESM is a collection of components for creating specialized Java 2 Platform, Enterprise Edition (J2EE) web server applications. J2EE provides a framework for using various Java-based components to develop multi-tiered applications. The multi-tiered application (as opposed to the 2-tiered client server application) provides many opportunities for isolating and controlling functional pieces of a large application. For more information about the J2EE development platform, see:
A Cisco SESM application consists of the following:
<installDir>nwsp
call "%SCRIPTDIR%start.cmd" nwsp %PORTNO%
jetty
subdirectory. For example, for the NWSP application, the configuration filename is: nwsp.jetty.xml
To create the required configuration files and startup scripts for a customized SESM application that will run in a Jetty server, follow these steps:
Step 1 Create a configuration file for the new application in the container's config directory. You can copy the nwsp.jetty.xml file and appropriately rename it. For example:
jetty
config
newApplication.jetty.xml
Step 2 Edit the new file.
Step 3 Create a startup script for the new application by copying the startNWSP script and appropriately renaming the copy. For example:
jetty
bin
startNewApplication
Step 4 Edit the new file, changing the application name and the port number parameters.
Step 5 Copy the nwsp directory structure, and rename the nwsp objects appropriately. For example, copy:
nwsp
config
nwsp.xml
docroot
docs
Step 6 See the Cisco Subscriber Edge Services Manager Web Developer Guide for information about customizing the JSPs, images, and other components. That guide also describes how to update the docroot folder, recompile affected components, and edit the web.xml file.
In general, if a service is marked as an auto connect service, the SSG performs the automatic connection after the subscriber authenticates. There is a special case with SESM in LDAP mode in which SESM is involved with automatic connection.
A subscriber profile specifies services for automatic connection. The subscriber profile also controls whether or not the service is hidden or not. If an auto connect service is hidden, it does not appear in the service list displayed on a service connection page.
In RADIUS mode, to configure a service for automatic connection, use the Account-Info A attribute in the subscriber profile. See Table C-6 for more information.
In LDAP mode, to configure a service for automatic connection:
In LDAP mode, the SSG performs automatic connections if it has the service list. If SSG does not have the service list, the SESM application can perform the automatic connections. During RDP installation, the Add Services option configures RDP to either:
<Set name="autoConnect" type="boolean">false</Set>
true
to enable automatic connections by the SESM web application.To change the setting of the RDP service list option, reinstall RDP.
The status page in an SESM portal shows the status for all services, including automatically connected services. In NWSP, the selection page includes service status indicators for each service listed. Hidden services are not listed. See the "Configuring a Service for Automatic Connection" section for an explanation of a hidden service.
Immediately after logging in, the service status for auto connect services might display as not connected. This happens if the service indicators display before the connection is completed. Proxy and tunnel services, for example, can take a while to connect. If the subscriber refreshes the window or selects the status window, the automatically connected services display with a connected status.
If the subscriber's home URL is set to an autoconnect service, the pop-up window for the service might appear before the connection completes. If this occurs, the following message appears in the pop-up window:
Page cannot be displayed.
The URL is correct. If the subscriber waits a short time and resubmits the request using the URL already displayed in the window, the service pages appear.
In LDAP mode, a subscriber can use the SESM self-management features to select or deselect the auto connect property. These changes are recorded immediately in the LDAP directory, but the change is not effective immediately. Changes are not visible in SESM until the cache timeout period in RDP elapses.
For example, a subscriber might select the auto connect property for a service, log out of SESM, log back in, and notice that the service was not automatically connected. Caching in the RDP causes this delay.
Caching in RDP improves system performance. The deployer can turn off caching or reduce the cache period, but those actions impact performance.
An SESM session might expire, for example, because the subscriber closed the browser or navigated away from the SESM pages. When an SESM session expires:
We recommend running SESM portal applications with single sign-on turned on.
This section describes the various ways that an SESM application can implement and use location awareness. The section includes the following topics:
An SESM portal application can determine the location of a subscriber in the following ways:
The application developer can use the following methods to control and present content in the JSPs based on the location:
The NWSP application shows location awareness capabilities in the following ways:
To configure an SESM portal application to determine location based on IP addresses, use the following procedure:
Step 1 Edit the application MBean configuration file. For example, edit nwsp.xml.
Step 2 In the SSG MBean in the configuration file, use SSG subnet entries with the SESSION_LOCATION attribute, as follows:
<Call name="setSubnetAttribute"><Arg>ipAddress</Arg><Arg>mask</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>location</Arg></Call>
Where:
nwsp
docroot
london
newyork
paris
Note The user shape mechanism and the addDimension calls are different features and are not related. The user shape mechanism has no dependencies on any values defined in the addDimension calls. |
See Table 5-5 for more information about formatting subnet entries.
Step 3 For the location determination to be meaningful, the SESM portal application must use the "LOCATION" attribute in the SESMSession object in some way. In the NWSP application, the location is a dimension in the user shape and determines the image used in the NWSP banner. See the Cisco Subscriber Edge Services Manager Web Developer Guide for information about setting and using the location attribute in the locationDimension.jsp.
The following example associates locations with subscriber subnets. The example associates a different subscriber network with each of the three example locations defined in Step 2. In the NWSP application, when subscribers from the 144.0.0.0 network point their browsers to the NWSP URL, they receive a page containing the words New York under the NWSP logo.
<Call name="setSubnetAttribute"><Arg>10.0.0.0</Arg><Arg>255.0.0.0</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>london</Arg></Call>
<Call name="setSubnetAttribute"><Arg>1.0.0.0</Arg><Arg>255.0.0.0</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>paris</Arg></Call>
<Call name="setSubnetAttribute"><Arg>144.0.0.0</Arg><Arg>255.0.0.0</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>newyork</Arg></Call>
When the port-bundle host key feature is configured on the SSG, location must be associated with an SSG IP address, rather than the subscriber's IP address. In the following example, the IP address is an SSG source IP address included in the port mappings during port-bundle host key configuration.
<Call name="setSubnetAttribute"><Arg>10.52.199.20</Arg><Arg>255.255.255.255</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>london</Arg></Call>
To configure an SESM portal application to assign values to arbitrary attributes, use the following procedure:
Step 1 Edit the application MBean configuration file. For example, edit nwsp.xml.
Step 2 In the WebApp MBean in the configuration file, use addDimension calls to add a new attribute and associate values with that attribute. The format for an addDimension call is:
<Call name="addDimension">
<Arg type="int">attributeID</Arg>
<Arg>attributeValue</Arg>
<Arg>attributeResult</Arg>
An example from nwsp.xml is:
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>london</Arg>
<Arg>http:\\www.london.com</Arg>
Where:
To demonstrate configuration-based location awareness in NWSP, use the following procedure:
Step 1 Install SESM in Demo mode.
Step 2 Edit the following lines in nwsp.xml to include a specific IP addresses for two different client machines that are available for the demonstration.
<Call name="setSubnetAttribute"><Arg>NEED_REAL_IP_ADDRESS</Arg><Arg>255.0.0.0</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>london</Arg></Call>
<Call name="setSubnetAttribute"><Arg>NEED_REAL_IP_ADDRESS</Arg><Arg>255.0.0.0</Arg>
<Arg>SESSION_LOCATION</Arg><Arg>paris</Arg></Call>
Step 3 (Optional) Edit the following lines in nwsp.xml to change the URLs associated with the london and paris locations.
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>london</Arg>
<Arg>http://www.london.com</Arg>
</Call>
<Call name="addDimension">
<Arg type="int">1</Arg>
<Arg>paris</Arg>
<Arg>http://www.paris-france.org/</Arg>
</Call>
Step 4 Save the nwsp.xml file.
Step 5 Start NWSP using the NWPS startup script.
Step 6 Open browsers on each of the client systems.
Step 7 From each browser, go to the SESM URL. For example, go to http:\\ serverName:8080.
Step 8 Notice the images in the banners on each browser. One should say London; the other should say Paris.
Step 9 On a third machine, repeat steps 7 through 9. The banner should not include a city name, because the third browser's IP address is not associated with any location in the configuration file.
Step 10 From one of the browsers, connect to an Internet service (if the Internet service was not automatically configured.) When an Internet connection occurs, a service pop-up window appears, attempting to go to the URL in the addDimension call. For example, the browser displaying London in the banner attempts to go to www.london.com.
Note If you are using the Captive Portal application, the browser's original request is honored instead of this location-based attribute. |
This section describes how to configure the SESM personal firewall feature. Topics are:
The SESM firewall feature provides a way for subscribers to restrict or permit traffic to and from their connection by making choices on a web portal page. The portal page presents a list of applications that are available for firewall protection. The SESM deployer configures the list of applications using the Firewall MBean.
Deployers can also configure firewall controls for subscribers which cannot be changed by the subscriber. Administrators use CDAT to configure these controls.
These firewall features are supported only when SESM is running in LDAP mode with an RDP that is running in default (non-Proxy) mode.
The underlying technology for the SESM personal firewall feature is extended access control lists (ACLs) added as attributes in subscriber profiles in an LDAP directory.
The ACLs are stored in the subscriber profiles as standard RADIUS attribute with number 26 (vendor specific attribute), subattribute number 1 (Cisco AV-pair). A subscriber profile might have many ACL entries, which together determine which traffic is permitted and denied on the connection.
The ACLs are added to the profile in two ways:
SESM and SSG implement the firewall as follows:
Figure 5-1 shows the My Firewall page.
The Firewall Enabled/Disabled button is set to:
Note We recommend removing this radio button from the My Account page for deployments that want to offer both subscriber and administrative firewall settings. See the "Restrictions" section 5-30 for more information. |
The Permit/Deny All Else button always initially appears with Deny All Else chosen.
The Application/Protocol field on the My Firewall page is configured by the deployer as follows:
The displayed state of the Permit/Deny/Default buttons for each application is set by the SESM portal application. For each application:
Suppose the subscriber clicks the following buttons on the My Firewall page (see Figure 5-1):
The ACLs that support the above application settings, as viewed in CDAT, are:
Cisco_AV:ip:inacl#138=permit tcp any any eq 443
Cisco_AV:ip:inacl#196=deny ip any any
Cisco_AV:ip:outacl#196=deny ip any any
Cisco_AV:ip:inacl#128=permit tcp any any eq 23
Cisco_AV:ip:outacl#129=permit tcp any any established
Cisco_AV:ip:inacl#138=permit tcp any any eq 80
This configuration sets ACLs on the in (upstream) path. It also sets an ACL on TCP for the out (downstream) path for TCP, allowing a return path only for established connections. This means that a return path only exists for connections that the user has started and it blocks connections that are attempted to be started from outside.
The ACLS that SESM creates from input on the My Firewall page are referred to here as application ACLs. In SESM Release 3.1(5), all ACLs created from input on the My Firewall page allow all addresses in both the source and destination fields.
The ACLs created by SESM are in the following form:
Where:
Note Finer control is intended for future releases. |
This section describes how to configure and use the administrative firewall feature. It includes the following topics:
Warning By using the Disable button, a subscriber can delete the deployer-imposed restrictions on the account. |
Warning An incorrectly formatted ACL entered through CDAT can prevent a subscriber from logging into the SESM portal. |
The Disable button on the My Firewall page deletes all ACLs from the subscriber profile.
To remove the Disable Button from the My Firewall page in NWSP, use the following procedure:
Step 1 Make sure a JDK is installed.
Step 2 Edit the nwsp/docroot/pages/firewallBody.jsp.
Step 3 Comment out lines 51 through 66.
Step 4 Recompile the JSP as described in "Recompiling a Customized JSP" section or precompile the JSP using the precompile script in:
tools
bin
precompile
To enter deployer-imposed ACLs, use the following procedure:
Step 1 Start the CDAT application.
Step 2 Access the subscriber or group profile.
Step 3 Enter the ACLs in the Local RADIUS attribute field, using the format described in the following section.
Step 4 If a subscriber is currently logged into an SESM session, the new ACLs do not take effect until the subscriber reauthenticates (logs out and logs in again). Also, the RDP cache needs to be refreshed, which by default takes 10 minutes. Due to the possibility of just having missed a refresh, the minimum guaranteed time is double the cache refresh time.
This section describes the format of the firewall entries in the Local RADIUS attribute field in CDAT. The general format for the Local RADIUS attribute field is:
In the case of the firewall ACL entries:
The format of the ACLs entered by administrators is:
Where:
Note If you intend to use both the deployer-imposed ACLs and the subscriber ACLs in a production deployment, you should modify the My Firewall page to remove the Disable button. See the "Removing the Disable Button from the My Firewall Page" section. |
In the following examples, the first one, with ACL number 100, was set by the deployer. The other s were generated by SESM based on actions from the My Firewall page.
Cisco_AV:ip:inacl#100=deny tcp any 10.0.0.0 0.0.0.0 eq 80
Cisco_AV:ip:outacl#196=deny ip any any
Cisco_AV:ip:inacl#128=permit tcp any any eq 23
Cisco_AV:ip:outacl#129=permit tcp any any established
Cisco_AV:ip:inacl#138=permit tcp any any eq 80
Note There is an implicit deny at the end of an ACL list. When an ACL list exists, only explicitly permitted traffic is permitted. |
The SESM firewall feature creates extended ACLs. For more information about ACL formats and processing, refer to the Cisco IOS documentation on extended ACLs. The following references point to documentation for Cisco IOS Release 12.2:
Posted: Mon Aug 26 08:24:18 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.