The Cisco Subscriber Edge Services Manager (SESM) is an extensible set of applications for providing on-demand value-added services and access control at the network edge. Internet service providers (ISPs) and network access providers (NAPs) deploy SESM solutions to provide value-added services to their subscriber base or management capabilities to their administrators.
SESM solutions consist of customized web portals that implement the deployer's business model, show branded identities, offer customized and branded web page content, and control the subscriber experience with personalized web page content based on subscriber attributes such as location, access device, browser preferences, language, and interests. Captive portal features can further control subscriber experiences by capturing subscriber requests and redirecting browsers.
Some examples of value-added services that can be offered through SESM portal applications are:
One-stop, on-demand service selection—SESM supports service selection by issuing connection requests to a cooperating network access device.
Network and service access control.
Messaging and advertising—These services can be incorporated with other SESM solutions, such as service selection, or they can stand alone, for example, for a subscriber base whose only service is automatically connected Internet access.
Subscriber account self-management and service self-subscription—These services allow individual subscribers to control and manage their account information. In SESM Release 3.1(5), these self-care applications require a deployment using an LDAP directory and the extensions provided by the Cisco Security/Subscriber Policy Engine (SPE) software. Self-care services can be incorporated with other SESM solutions or stand alone.
Firewall provisioning—SESM provides the interface for subscribers to control traffic to and from their connection. The deployer can also issue traffic filters, which take precedence over the personal filters entered by subscribers.
Profile provisioning—A customized SESM portal could act as an administrative tool to provision subscribers and push profiles or selected profile information to a RADIUS database or other operational support system (OSS).
SESM solutions can be deployed independently of the access network, access type and access device. Subscribers access SESM portals using any Internet browser on any access device. They do not need to download any software or plug-ins. Supported access technologies include
Laptop and pocket organizer access over 802.11b
Mobile phone access over General Packet Radio Service (GPRS)
Digital Subscriber Line (DSL) modems
Desktop system access over leased lines
Supported protocols include:
Point-to-Point Protocol (PPP) over ATM or Ethernet
Routed or Bridged Ethernet
RFC 1483 (Multiprotocol Encapsulation over ATM)
Wireless LANs
SESM is inherently scalable with a stateless architecture to support transparent load balancing and failover. SESM applications can run on any platform that supports the Java Runtime Environment (JRE). Platforms tested in our labs include Sun Solaris, Windows NT, Windows 2000, Red Hat Linux, and SuSE Linux.
Cisco Distributed Administration Tool (CDAT)—A web-based tool from which administrators can perform the following management functions:
Remotely manage and monitor SESM applications
Maintain data in the SESM container in an LDAP directory
RADIUS Data Proxy (RDP) server—A multipurpose RADIUS server that can transform RADIUS requests into LDAP format to work with SPE extensions.
Sample portal applications that you can install and configure for demonstration purposes or as a starting point for customizations:
New World Service Provider (NWSP) portal—A comprehensive example of most features offered by the SESM web development kit.
Wireless Access Protocol (WAP) portal—Designed specifically for deployment in the mobile wireless industry.
Personal Digital Assistant (PDA) portal—Shows web pages formatted for a PDA device.
Sample captive portal solution—Includes the following applications:
Captive Portal application—A gateway application for use with the SSG and other applications in a captive portal solution. The default configuration for this application redirects subscriber browsers to either the Message Portal application or the NWSP application.
Message Portal application—Produces sample greetings and advertising pages to demonstrate SESM captive portal features.
Bundled SESM RADIUS server—A RADIUS server that reads and processes profiles in Merit format. This server is useful for developing and testing SESM customizations.
SESM solutions work in conjunction with additional network software components. Depending on the goals of the solution, SESM deployments might require one or more of the following components:
SESM-SPE—This package integrates the Cisco Subscriber Policy Engine (SPE) product with the SESM product to provide access to an LDAP compliant directory for subscriber and service profile information. SPE also provides enhanced functionality for SESM web applications and use of the role-based access control (RBAC) model to manage subscriber access.
Figure 1-1 shows the software included in the SESM packages. Each package is available in versions appropriate for the Sun Solaris, Linux, or Windows platforms.
The Cisco Distributed Administration Tool (CDAT) is a web-based management tool for administrators. CDAT is a J2EE web application. It runs in a J2EE container and uses the services of a JMX server for configuration.
With CDAT, administrators can:
Remotely view and change configuration attributes for SESM applications. Configuration changes can be temporary (that is, apply to the currently running instance only) or they can be persistent, in which case the changes are applied to the application's configuration files.
Remotely monitor SESM application activity and performance.
Manage data in the SPE extensions to an LDAP directory. CDAT provides the means for creating and maintaining users, services, user groups, service groups, roles, and policy rules for the RBAC model.
For more information, see:
The Cisco Subscriber Edge Services Manager Installation and Configuration Guide—Contains information about installing and configuring CDAT and using its remote management features to configure SESM applications.
The Cisco Distributed Administration Tool Guide—Contains information about the SPE directory extensions and how to use CDAT to create profiles in the RBAC model.
Map RADIUS protocol requests to LDAP protocol requests with SPE extensions—The RDP configured in this manner is a required element in any SESM deployment that includes an LDAP directory.
RDP is a Java2 application that uses the services of a JMX server for configuration. It is not a web application and therefore does not run in a J2EE container.
For more information about configuring RDP, see the Cisco Subscriber Edge Services Manager Installation and Configuration Guide.
Images and JSPs for each sample portal application
Configuration and startup files for each sample portal application
Sample data files containing profiles appropriate for each sample portal application. The sample data can be used to run the sample application in Demo mode.
The SESM sample applications are fully functioning web applications that were built using the SESM development library. These applications use the services of the Jetty web server and the JMX management server.
Deployers can customize this application to detect the type and make of various WAP devices used by their subscribers, and tailor the pages to the features of each device.
Deployers can customize this application to detect the type and make of various PDA devices used by their subscribers, and tailor the pages to the features of each device.
The Cisco Subscriber Edge Services Manager Web Developer Guide provides detailed information about each of these sample portal applications.
A sample captive portal solution is included with SESM that illustrates all supported types of redirection. The sample solution includes the following applications:
Most deployers will use the captive portal application as installed but provide their own content applications for the HTTP redirections. The content applications can be any web application. When they are SESM web portals, they can use all of the features in the SESM web development kit, including the device and locale awareness features.
See the Cisco Subscriber Edge Services Manager Installation and Configuration Guide for more information about captive portal features and how to install and configure the captive portal solution.
All of the SESM packages include the bundled SESM RADIUS server. The SESM RADIUS server is suitable for developing, testing, and demonstrating SESM deployments. It reads and updates profiles in a Merit flat file format.
The bundled SESM RADIUS server comes with the following attributes internally predefined:
Standard RADIUS attributes
Cisco SSG VSAs
A configuration feature, the RADIUSDictionary MBean, lets you easily define additional attributes.
The sample SESM portal applications and CDAT are installed with configuration files and startup scripts that are ready to run using the Jetty web server and the Sun example JMX server. RDP is installed with configuration files and a startup script that is ready to run using the JMX server.
This section describes the software components, in addition to the SESM applications, that might be required in SESM deployments. Each SESM solution has its own requirements regarding these components. The additional software components are:
The SESM applications require J2EE-compliant servers. The SESM packages bundle suitable J2EE components required for running the SESM applications.
Note The SESM packages do not include a Java Software Development Kit (JSDK), which is required for
SESM development. See the Cisco Subscriber Edge Services Manager Web Developer Guide for
recommended JSDK version numbers.
During SESM installation, the sample portal applications and CDAT and their corresponding configuration files and startup scripts are set up to use the Jetty server components from Mort Bay Consulting. If desired, web developers at your site can deploy a J2EE-compliant server other than the Jetty server.
Note Before deploying a J2EE server other than the Jetty server, determine whether your SESM solution
requires the port-bundle host key feature on the Cisco Service Selection Gateway. The Jetty server is
currently the only server that supports this feature. See the Cisco Subscriber Edge Services Manager
Installation and Configuration Guide for more information.
The installed sample applications, the configuration files, and the startup scripts are set up to use the Sun example JMX server from Sun Microsystems. The SESM installation program installs the JMX server along with the Jetty server. If desired, web developers at your site can deploy a JMX-compliant server other than the Sun example server.
See the Cisco Distributed Administration Tool Guide for information about the RBAC model, the DESS and AUTH extensions to an LDAP directory, and how to develop subscriber and service profile information in the RBAC model.
In SESM deployments, SSG performs authentication and service connection tasks on behalf of the SESM portal. Other SSG features important in SESM deployments include:
SSG Port-Bundle Host Key—Uniquely identifies each subscriber, which provides SESM with the following benefits:
Supports subscribers using overlapping and shared IP addresses
Eases SESM configuration by eliminating SSG to SESM server mapping requirements
SSG TCP Redirect for Services—Enables providers to implement a captive portal, own the user experience, build a brand experience, and provide:
User authentication without the user needing to know the SESM URL
Advertising and messaging features
SSG Open Gardens—Enables providers to specify domains that subscribers can access without service subscription (free services).
SSG Hierarchical Policing—Ensures that a subscriber does not utilize additional bandwidth for overall service or for a specific service that is outside the bounds of the subscriber's contract with the service provider.
SSG Prepaid—Enables real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.
SSG Auto logoff—Enables per-minute billing plans for services. SSG auto logoff also prevents subscribers from being charged for services that they are not able to access.
See the following SSG documentation for descriptions of these and other SSG features:
The SSG runs on a Cisco router or other Cisco device. The Cisco SSG feature is currently supported on the following platforms:
Cisco 7200 Series high-performance multifunction routers
Cisco 7400 Series Internet routers
Cisco 6400 Universal Access Concentrator (UAC). Each node route processor (NRP) on the Cisco 6400 UAC runs its own Cisco IOS Software and can be an SSG host device.
The following SESM deployments require a RADIUS server:
SESM portals deployed in RADIUS mode—This deployment requires user and service profile information in a RADIUS database.
SESM portals deployed in LDAP mode with an RDP running in Proxy mode—This deployment requires user profiles in a RADIUS database. In Proxy mode, the RDP proxies authentication requests to a RADIUS database. RDP obtains service authorizations through SPE, based on the information in the directory.
SESM portals deployed in either RADIUS or LDAP mode when you want to use the SSG accounting features—For any SESM deployment, you can configure the SSG to generate accounting records and send them to a RADIUS server. The RADIUS accounting features are implemented independently from the RADIUS authentication and authorization features.
The Cisco Subscriber Edge Services Manager Installation and Configuration Guide describes the Cisco VSAs used in SESM deployments. The guide also describes how to configure a RADIUS server for SESM deployment, including specific information regarding the Cisco Access Registrar.
Subscriber account self care features—Subscribers can change their account information and see those changes take effect immediately.
Subscriber self subscription—Subscribers can subscribe to new services and have immediate access to the newly subscribed services.
Sub-account creation—Subscribers can create sub-accounts to their main account and use the sub-accounts immediately.
Some LDAP directories to consider in your deployment are:
iPlanet Directory Server Version 5.0 (Also known as Sun ONE) from Sun Microsystems.
Network Directory Service (NDS) eDirectory Version 8.5 from Novell, Inc.
The Cisco Subscriber Edge Services Manager Installation and Configuration Guide describes how to configure an LDAP server for SESM deployments, including specific information regarding iPlanet and NDS.
Table 1-2 lists the browsers and devices for which the SESM sample portal applications are designed. The Cisco Subscriber Edge Services Manager Web Developer Guide includes information about obtaining and configuring simulators.
Note These browser limitations apply only to the sample applications and are listed to ensure predictable
results during demonstrations.
