cc/td/doc/solution/sesm/sesm_315
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

SESM Solutions for Subscriber Self-Care
Subscriber Self-Care Solution Description
Personal Account Maintenance
Personal Firewalls
Subaccount Creation
Service Self-Subscription
SESM Self-Care Demo

SESM Solutions for Subscriber Self-Care


This chapter describes SESM features that support subscriber self-care solutions. It includes the following topics:

Subscriber Self-Care Solution Description

This section describes the common characteristics of SESM self-care solutions. Topics are:

Subscriber Experiences in Self-Care Solutions

The SESM self-care solutions allow subscribers to make on-demand updates to their personal information at any time and see those changes take effect within minutes of submitting the change, with no involvement from the deployer. Subscribers can submit updates using the SESM portal. The self-care portal pages can be branded, personalized, and customized using any SESM web development features.

The NWSP portal contains pages that illustrate the following types of self-care activities:

See the "Supported Data Fields in a Self-Care Solution" section for ways to extend the self-care examples shown in NWSP.

Security in Self-Care Solutions

The following features provide security in SESM self-care solutions:

Deployment Requirements for Self-Care Solutions

This section lists the required components for self-care solutions.

Cisco Service Selection Gateway

The Cisco Service Selection Gateway (SSG) is required in the self-care solutions described in this chapter. These solutions require SSG for the following services:

SSG configuration details for self-care solutions are the same as those for service selection and connection solutions. The SESM portal and RDP must be running on the SSG default network and configured to communicate with the SSG. For more information about how SESM, SSG, and RDP work together, see the "Request Processing in SESM LDAP Mode Deployments" section.

SESM Portal

The SESM self-care solutions require that SESM portals are deployed in LDAP mode.

RADIUS Data Proxy

The RADIUS Data Proxy (RDP) is a required component in self-care solutions.

The RDP cache refresh time is directly related to the length of time subscribers must wait to see their updates take effect. Due to the possibility of just having missed a refresh, the minimum guaranteed time is double the cache refresh time. The installed default for cache refresh is 10 minutes.

LDAP Directory

The profile data that you want subscribers to update must reside in profiles on an LDAP directory. The LDAP protocol provides the features that allow for on-demand updates to profile data.

We recommend deploying a primary and a secondary directory and using the LDAP directory failover features.

Cisco Distributed Administration Tool

The Cisco Distributed Administration Tool (CDAT) is the tool for administrators to use in adding and maintaining subscriber profiles in the LDAP directory.

CDAT must have access to the LDAP directory. Multiple instances of CDAT can be installed on different systems, giving distributed administrative access to the directory.

Portal Customizations for Self-Care Solutions

The SESM portal is the subscriber interface to self-care activity. You can integrate a self-care solution with a service selection and connection solution or deploy it as a standalone solution. The NWSP application illustrates several self-care solutions as different pages in the same application:

Service provider developers can use the SESM web developer kit to customize the portal page on which subscribers can enter or update the account information. Customizations related to self-care features might include:

Supported Data Fields in a Self-Care Solution

SESM 3.1(5) supports the following categories of data in a subscriber profile. Developers can add any field from these categories to an SESM portal page and optionally provide access to them for on-demand updates by subscribers:

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_315/instconf/cradius.htm#xtocid5

http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_313/toolguid/appb_sch.htm#xtocid0

Subscriber Profile Requirements for Self-Care Solutions

The following requirements apply to subscriber profiles in SESM self-care solutions:

Service provider administrators use the Cisco Distributed Administration Tool (CDAT) to add subscriber profiles to the LDAP directory. Administrators use CDAT to:

Personal Account Maintenance

Figure 5-1 shows the My Account Page in NWSP. See the "Supported Data Fields in a Self-Care Solution" section for other supported fields that you might want to add to a personal account maintenance page.


Figure 5-1   NWSP My Account Page


The initial display of the My Account Details page reflects the contents of the subscriber profile. After subscribers enter or update their personal details, they can go back to the My Account Details page in about 20 minutes to see the changes. In Demo mode, the changes are not recorded in the profile.

Personal Firewalls

The SESM personal firewall feature provides a way for subscribers to restrict or permit traffic to and from their connection by making choices on a web portal page. The portal page presents a list of applications that are available for firewall protection. The SESM deployer configures the list of applications using the Firewall MBean.

Deployers can also configure firewall controls for subscribers which cannot be changed by the subscriber. Administrators use CDAT to configure these controls.

The underlying technology for the SESM personal firewall feature is extended access control lists (ACLs) added as attributes in subscriber profiles in an LDAP directory.

The ACLs are stored in the subscriber profiles as standard RADIUS attribute with number 26 (vendor specific attribute), subattribute number 1 (Cisco AV-pair). A subscriber profile might have many ACL entries, which together determine which traffic is permitted and denied on the connection.

The ACLs are added to the profile in two ways:

SESM and SSG implement the firewall as follows:

Figure 5-2 shows the My Firewall page in NWSP.


Figure 5-2   NWSP My Firewall Page


By clicking the Permit, Deny, and Default radio buttons on this page, subscribers can control the upstream and downstream traffic to their IP address.

For each application, the initial displayed state of the Permit, Deny, and Default radio buttons depends upon the ACLs that exist in the subscriber profile. The SESM portal analyzes the ACLs to determine the appropriate settings to display.

The Application/Protocol column is configurable by the deployer:

Subaccount Creation

Subscriber subaccount creation and management allows a subscriber with a main account to create subaccounts, with different services and access information in each subaccount. For example, a family might have subaccounts for each family member, with a different set of authorized services within each subaccount. The main account can create and delete subaccounts and subscribe to services for the subaccounts, and control whether the subaccounts can subscribe to services themselves.

Figure 5-3 shows the NWSP Subaccounts page.


Figure 5-3   NWSP Subaccounts Page


From this page, a subscriber can:

Service Self-Subscription

Service self-subscription allows subscribers to sign up for new services and have immediate access to those services. This feature relieves the service provider from time-consuming service enrollment tasks. It also benefits the subscriber because there is no delay in receiving access to a new service. Subscribers can also unsubscribe from a service.

Figure 5-4 shows the My Services page from the NWSP application.


Figure 5-4   NWSP My Services Page


The page shows:

SESM Self-Care Demo

To demonstrate SESM self-care features using Demo mode, follow this procedure:


Step 1   Install NWSP (LDAP evaluation or licensed version) in Demo mode. See the "Quick Start for Installing and Running Portals in Demo Mode" section for instructions.

Step 2   Start NWSP. The start script path name is:

jetty
bin
startNWSP

See the "Starting a Demo" section for more information.

Step 3   Open a web browser and go to the NWSP page.

If the web browser is on the same system where NWSP is running, and you accepted the default port during installation, you can use the following URL:

http://localhost:8080

Otherwise, the URL is:

http://NWSPhostName:NWSPportNumber

Step 4   On the NWSP login page, log in using the following information:

User: golduser

Password: cisco


Note    To understand the relationship between values in a subscriber profile and the initial contents of the NWSP pages, examine the golduser profile in the nwsp/config/demo.txt file.

Step 5   Close the new browser window that opens as a result of the home URL specified in the profile.

Step 6   On the NWSP main page, click the MY SERVICES tab.

The My Services page initially displays information as recorded in the profiles in the demo.txt file.

You can change the service information on the My Services page to demonstrate self-management features. In Demo mode, the changes you make are not propagated into the demo.txt file.

Step 7   To demonstrate self-subscription to a new service, click the Subscribed radio button for one of the services in the Available list. The available services and service groups are obtained from the subscriber profile.


Note    To demonstrate subscription to a service group, subscribe to News.

After a confirmation prompt, the My Services page reappears, showing the new service in the Subscribed list. In Demo mode, the new service is not changed to subscribed in the subscriber profile.

Step 8   To demonstrate that the new service in immediately available for connection, click the newly subscribed service in the Current Services list.

The status of the new service changes to active.

Step 9   To demonstrate setting and changing service authentication values:

1. Check the service status to make sure the service is stopped. If not, click on it in the Current Services list to stop it.

2. Click the Set button for one of the services, and enter a user name and password of your choice. (The golduser profile in demo.txt does not configure any service authentication values for any of the services.)

3. Click OK.

4. Answer OK to the confirmation prompt.

5. When the My Services page reappears, click the service in the Current Services list to restart it.

6. To see the Authentication Failed message, enter an invalid user name or password on the authentication page.

7. To complete service authentication, enter the user name and password you just set on the My Services page.

Step 10   To demonstrate unsubscribing to a service, click the Available radio button next to the service.

After a confirmation prompt, the My Services page reappears, showing the service in the Available list. If the service was running at the time you unsubscribed, the service is now stopped.

Step 11   Although you can click on the Auto-connect and Hidden radio buttons in Demo mode, you cannot demonstrate the effects of these buttons because changes are not recorded in the subscriber profile when SESM is running in Demo mode.

Step 12   Click the MY ACCOUNT tab to display information recorded in the subscriber profile.

The page initially displays information as recorded in the profile in the demo.txt file. You can change the subscriber information on the My Account page to demonstrate self-management features. In Demo mode, the changes you make are not propagated into the demo.txt file.

Step 13   To demonstrate subaccount maintenance, click the SUB-ACCOUNTS tab.

The installed demo.txt file contains a profile for one subaccount user (subgolduser) under the main golduser account.

Step 14   To create a new subaccount under golduser:

1. Enter a new user ID in the New field.

2. Click New. The new subaccount appears in the subaccount list.

3. Enter a password in the Password field.

4. Click OK.

5. Click Service Subscription Edit.

6. Select services for the subaccount and decide if they should be automatically connected and hidden.

7. Click OK.

In Demo mode, the subaccount profile is not added to the demo.txt file. Therefore, you cannot log in using the new subaccount.



Demonstrating Personal Firewalls

You can use the My Firewall page in Demo mode to simulate firewall changes. To see the effects of the changes, you must use a fully configured system running in LDAP mode. In a fully configured system, the effects of changes made on the My Firewall page are visible in these ways:


hometocprevnextglossaryfeedbacksearchhelp
Posted: Mon Jan 13 12:38:27 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.