Configuring RADIUS for SESM Deployments

This appendix describes the configuration steps required to include a RADIUS server in a Cisco Subscriber Edge Services Manager (SESM) deployment. This appendix includes the following topics:

Configuring SSG to Communicate with the RADIUS Server

You must configure SSG to communicate with the RADIUS server. To do so, use the radius-server host Cisco IOS command on the SSG host. Different ports are used for handling authentication and accounting packets. For example:

    radius-server host 10.3.3.2 auth-port 1812 acct-port 1813 key cisco

To use different RADIUS servers for authentication and accounting, use two commands as follows:

    radius-server host 10.3.3.2 auth-port 1812 acct-port 0 key cisco
    radius-server host 10.3.3.3 auth-port 0 acct-port 1813 key cisco

Configuring RADIUS Clients

The RADIUS protocol is based on a client server model. The RADIUS server is the server. Multiple dial-in Network Access Server (NAS) devices are the clients. Before communication can occur, each client must be configured on the server.

An SESM deployment requires that you configure the following NAS clients on the RADIUS server:

Table C-1 summarizes the information that might be required to define a NAS client on the RADIUS server. See your RADIUS server vendor documentation for more specific requirements, syntax, and procedures.


Table C-1: NAS Client Configuration
Property Description

Name or IP Address

Identifies the client. Use either IP address or host name.

Shared Secret

Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message.

A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for MD5 encryption of the profile password.

Type

For SSG—Cisco:NAS

For SESM—RAD_RFC+ACCT_RFC

The following sample entries show a Merit RADIUS format defining SESM web portals and an SSG host as RADIUS clients. The examples use the value cisco as the shared secret on all of the clients.

    #Entries for SESM-Server clients
    10.3.3.2       cisco     type=RAD_RFC+ACCT_RFC
    10.3.3.101     cisco     type=RAD_RFC+ACCT_RFC
    10.3.3.102     cisco     type=RAD_RFC+ACCT_RFC
    #Entries for SSG host
    192.168.1.6     cisco     type=Cisco:NAS

Defining Attributes

RADIUS servers use an attribute dictionary to define the attributes that can appear in profiles. An attribute dictionary contains:

SESM applications, including RDP, CDAT, and the portal applications, internally predefine the standard RADIUS attributes and the Cisco SSG VSAs. You can use these predefined attributes in RADIUS and LDAP profiles whether or not they are defined in an attribute dictionary. See the "SESM Predefined Attributes" section for predefined attribute names.

Defining New RADIUS Attributes for SESM Deployments

To define additional attributes to use in profiles, such as Cisco VSAs not predefined in the SESM code and non-Cisco VSAs, use the following methods:

SESM Predefined Attributes

Table C-2 lists the standard RADIUS attribute names that are predefined in SESM applications. Table C-3 shows the Cisco SSG VSAs that are predefined in SESM applications.


Table C-2: Standard RADIUS Attributes Predefined in SESM Applications
RADIUS Attribute Names [1]

USER_NAME

USER_PASSWORD

CHAP_PASSWORD

NAS_IP_ADDRESS

NAS_PORT

SERVICE_TYPE

FRAMED_PROTOCOL

FRAMED_IP_ADDRESS

FRAMED_IP_NETMASK

FRAMED_ROUTING

FILTER_ID

FRAMED_MTU

FRAMED_COMPRESSION

LOGIN_IP_HOST

LOGIN_SERVICE

LOGIN_TCP_PORT

REPLY_MESSAGE

CALLBACK_NUMBER

CALLBACK_ID

FRAMED_ROUTE

FRAMED_IPX_NETWORK

STATE

CLASS

VENDOR

SESSION_TIMEOUT

IDLE_TIMEOUT

TERMINATION_ACTION

CALLED_STATION_ID

CALLING_STATION_ID

NAS_IDENTIFIER

PROXY_STATE

LOGIN_LAT_SERVICE

LOGIN_LAT_NODE

LOGIN_LAT_GROUP

FRAMED_APPLETALK_LINK

FRAMED_APPLETALK_NETWORK

FRAMED_APPLETALK_ZONE

ACCT_STATUS_TYPE

ACCT_DELAY_TIME

ACCT_INPUT_OCTETS

ACCT_OUTPUT_OCTETS

ACCT_SESSION_ID

ACCT_AUTHENTIC

ACCT_SESSION_TIME

ACCT_INPUT_PACKET

ACCT_OUTPUT_PACKETS

ACCT_TERMINATE_CAUSE

ACCT_MULTI_SESSION_ID

ACCT_LINK_COUNT

ACCT_INPUT_GIGAWORDS

ACCT_OUTPUT_GIGAWORDS

EVENT_TIMESTAMP

CHAP_CHALLENGE

NAS_PORT_TYPE

PORT_LIMIT

LOGIN_LAT_PORT

ARAP_PASSWORD

ARAP_FEATURES

ARAP_ZONE_ACCESS

ARAP_SECURITY

ARAP_SECURITY_DATA

PASSWORD_RETRY

PROMPT

CONNECT_INFO

CONFIGURATION_TOKEN

EAP_MESSAGE

MESSAGE_AUTHENTICATOR

ARAP_CHALLENGE_RESPONSE

ACCT_INTERIM_INTERVAL

NAS_PORT_ID

FRAMED_POOL

[1] A hyphen (-) can replace the underbar (_) in RADIUS attribute names. The attribute names are not case-sensitive.


Table C-3: Cisco SSG VSAs Predefined in SESM Applications

RADIUS Attribute   Vendor ID   Subattribute   Name [1]       Type
26                 9           1              Cisco-Av       String
26                 9           250            Account-Info   String
26                 9           251            Service-Info   String
26                 9           252            Command-Code   BINARY
26                 9           253            Control-Info   String

[1] The hyphen (-) and underbar (_) are interchangeable in RADIUS attribute names. The attribute names are not case-sensitive.

Dynamically Defining Attributes in Profiles for Testing and Development

SESM allows you to dynamically define a new attribute when you first use it in a profile. This feature is intended only for testing, demonstration, and development purposes. Use the dynamic attribute feature only in the following circumstances:

Dynamic attributes are defined as new subattributes under the standard RADIUS vendor-specific attribute number 26.

Valid formats are:

[attributeName](radiusAttributeId, vendorId, vendorSubattribute, datatype)

Where:

This field is optional. If it is used, subsequent profiles can use just the attributeName, without the attribute definition. However, you must be sure that the profile containing the attribute definition gets used before any other profiles that use only the attributeName.

If attributeName is not used, you use only the attribute definition in the profiles.

An example follows:

demoVSA(26, 1, 1, BINARY)

Other valid syntax is:

name([[type=]26],[vendorId=]vendorId,[vendorType=]vendorType,[dataType=]dataType)

Merit File Examples

In a Merit file, define a new attribute and assign a value in the following format:

[attributeName](attributeDefinition) = "attributeValue"

MY_ATTRIBUTE(type=26, vendorId=9, vendorType=555, dataType=INTEGER) = "34"

BINARY_ATTRIBUTE(type=26, vendorId=9, vendorType=556, dataType=BINARY) = "0x3F45"

(26,9,557,IPADDRESS) = "34.43.54.240"

CDAT Examples

In CDAT, define a new attribute and assign a value in the Local RADIUS attributes field as follows:

[attributeName](attributeDefinition):attributeValue

For example:

MY_ATTRIBUTE(type=26, vendorId=9, vendorType=555, dataType=INTEGER):34

BINARY_ATTRIBUTE(type=26, vendorId=9, vendorType=556, dataType=BINARY) :"0x3F45"

(26,9,557,IPADDRESS):34.43.54.240
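The Merit and CDAT forms above carry the same definition with different separators. The following added example (not SESM code) parses both into one normalized record so that the two forms can be compared, and rejects definitions that are not under attribute 26. The function name and the record keys are hypothetical, and treating a three-field definition as "type omitted, default 26" is an assumption drawn from the bracketed syntax shown above.

```python
import re

FIELDS = ("type", "vendorId", "vendorType", "dataType")
LINE = re.compile(
    r'^\s*(?P<name>[A-Za-z_][\w-]*)?\s*'        # optional attributeName
    r'\((?P<defn>[^)]*)\)'                      # (attributeDefinition)
    r'(?:\s*(?:=|:)\s*(?P<value>.*?))?\s*$'     # Merit "=" or CDAT ":" value
)


def parse_dynamic_attribute(line: str) -> dict:
    """Parse one dynamic attribute definition in Merit or CDAT syntax."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a dynamic attribute definition: %r" % line)
    parts = [p.strip() for p in m.group("defn").split(",")]
    if len(parts) == 3:          # assumption: type omitted, defaults to 26
        parts.insert(0, "26")
    if len(parts) != 4:
        raise ValueError("expected type, vendorId, vendorType, dataType")
    fields = {}
    for key, part in zip(FIELDS, parts):
        label, eq, val = part.partition("=")
        if eq:                   # named form, e.g. vendorId=9
            if label.strip().lower() != key.lower():
                raise ValueError("field %r found where %r belongs" % (label.strip(), key))
            part = val.strip()
        fields[key] = part
    value = m.group("value")
    record = {
        "name": m.group("name"),
        "type": int(fields["type"]),
        "vendorId": int(fields["vendorId"]),
        "vendorType": int(fields["vendorType"]),
        "dataType": fields["dataType"].upper(),
        "value": value.strip('"') if value is not None else None,
    }
    if record["type"] != 26:
        raise ValueError("dynamic attributes are subattributes of attribute 26")
    return record


if __name__ == "__main__":
    # Lines taken from the Merit and CDAT examples on this page.
    for sample in (
        'MY_ATTRIBUTE(type=26, vendorId=9, vendorType=555, dataType=INTEGER) = "34"',
        'MY_ATTRIBUTE(type=26, vendorId=9, vendorType=555, dataType=INTEGER):34',
        '(26,9,557,IPADDRESS):34.43.54.240',
        'demoVSA(26, 1, 1, BINARY)',
    ):
        print(parse_dynamic_attribute(sample))
```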

Configuring Service Profiles

Service profiles define the services that subscribers can select from an SESM web portal. You must configure a service profile for each service that will be accessible through the SESM web portal.

Table C-4 briefly describes the attributes in a RADIUS service profile. Use the following references for more information.


Table C-4: Attributes in Service Profiles
Attribute Description

Service profile name

An identifying name for a service profile. Each profile name must be unique.

Service profile names are used in the subscriber profiles to indicate that a subscriber is subscribed to the service.

Password

Must match the service password on the RADIUS server. SESM obtains the service password directly from the RADIUS server.

In SESM, configure this password in the servicePassword attribute in the AAA MBean.

Service-Type

Standard RADIUS attribute number 6. The value must be "outbound."

Session-Timeout

Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this service (the service object on SSG) can remain active in a session at any one time. When the time expires, SSG deletes the service object, which disconnects the subscriber from the service. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal.

Note   The NWSP application does not relay this state change to the subscriber.

If Session-Timeout is not set, there is no limit on how long the subscriber can use the service.

In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.

Idle-Timeout

Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a service connection can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.

Service-Info

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 251. Valid values for Service-Info attributes are:

Service-Info (continued)

Note   In a frameless application, both U and H cause a new browser window to open for the service. The NWSP application is a frameless application.

Cisco-AVpair

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a service profile are:

Note   A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL.

Example Service Profiles

The service configuration examples in this section use a Merit RADIUS format.

Example Service Profile for Passthrough Service

    internet Password = "servicecisco", Service-Type = Outbound
        Service-Info = "IInternet",
        Service-Info = "R153.153.153.0;255.255.255.0",
        Service-Info = "MC",
        Service-Info = "TP"

Example Service Profile for Proxy Service

    corporate Password = "servicecisco", Service-Type = Outbound
        Service-Info = "ICorporate Intranet (proxy)",
        Service-Info = "R154.154.154.0;255.255.255.0",
        Service-Info = "S10.3.3.101;1812;1813;cisco",
        Service-Info = "MC",
        Service-Info = "TX"

Example Service Profile Using Timeout Values

    iptv Password = "servicecisco", Service-Type = Outbound
        Service-Info = "IIP/TV",
        Service-Info = "R160.160.160.0;255.255.255.0",
        Service-Info = "MC",
        Service-Info = "TP",
        Idle-Timeout = 60,
        Session-Timeout = 60

Configuring Service Group Profiles

Service group profiles contain a list of services. Table C-5 briefly describes the attributes in a RADIUS service group profile.


Table C-5: Attributes in Service Group Profiles
Attribute Description

Password

The password required to obtain the profile.

Service-Type

Standard RADIUS attribute number 6. The level of service. Must be outbound.

Account-Info

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are:

  • "Idescription"—Describes the service group. If this field is omitted, the service group profile name is used.

  • "GName"—Service group name.

  • "Nname"—Lists the services that belong to the group.

  • "TE"—Indicates that this is a mutually exclusive service group.

Example Service Group Profiles

The service group configuration examples in this section use a Merit RADIUS format.

Example Service Group Profile

    SvcGroup1 Password = "servicecisco", Service-Type = Outbound
        Account-Info = "Nvidconf",
        Account-Info = "Ndistlearn",
        Account-Info = "Ncorporate",
        Account-Info = "Nbanking"

Example Service Group Profile for a Mutex Group

    MutexGrp1 Password = "groupcisco", Service-Type = Outbound
        Account-Info = "IBandwidth-QoS",
        Account-Info = "Nbw-gold",
        Account-Info = "Nbw-silver",
        Account-Info = "Nbw-bronze",
        Account-Info = "TE"

Configuring Subscriber Profiles

Subscriber profiles define SESM logon names and passwords, access control lists associated with each logon, and subscribed services for each logon.

In an SESM RADIUS mode deployment, you must define a subscriber profile for each subscriber that will sign onto an SESM portal from a web browser.

Table C-6 briefly describes the attributes in a RADIUS subscriber profile. Use the following references for more information:


Table C-6: Attributes in Subscriber Profiles
Attribute Description

User-Name

Standard RADIUS attribute number 1. The subscriber name used for authentication.

User-Password

Standard RADIUS attribute number 2. The subscriber password used for authentication.

Called-Station_Id

Standard RADIUS attribute number 30. The access point name (APN), which can optionally be used for authentication.

Calling-Station_Id

Standard RADIUS attribute number 31. The MSISDN, which can optionally be used for authentication.

NAS-Identifier

Standard RADIUS attribute number 32. The NAS identifier, which can optionally be used for authentication.

Session-Timeout

Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this subscriber session (the edge session on SSG) can remain active at any one time. When the time expires, SSG ends the session. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal.

Note   The NWSP application does not relay this state change to the subscriber.

If Session-Timeout is not set, there is no limit on how long the session lasts.

In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.

Idle-Timeout

Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a subscriber session can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.

Account-Info

Note   In SSG Release 12.2.4(B) or later, if a point-to-point protocol (PPP) subscriber profile does not include any VSAs, the SSG does not create a host object for the subscriber and therefore, the SSG does not apply any control over the subscriber's access. The fact that the PPP link is established and the SSG is not applying any control means that the subscriber has unrestricted access to any downstream connections defined in the subscriber's profile or by the Cisco IOS configuration on the SSG host device. If it is important to avoid this situation, make sure that all PPP clients are subscribed to at least one service or define any other Cisco SSG VSA in the profile, such as a Uurl or Hurl attribute.

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are:

Note   The service list displayed by SESM does not include A entries. It only shows N entries. To display an auto connect service on the SESM service list, include both an A and an N entry for the service in the profile. See the "Example Subscriber Profile for Auto Services" section for an example.

Note   In a frameless application, both U and H cause a new browser window to open for the home page. The NWSP application is a frameless application.

Account-Info (continued)

Note   The $ in a subattribute code indicates that the subattribute is used only by SESM, and not by SSG or other Cisco network devices.

Note   Deployers might see $ subcodes in access accept messages from SSG that are not documented below. SSG uses $ subcodes to identify information about the subscriber that it passes along for SESM use, such as MAC address, VPI/VCI, MSISDN number, and other connection information. Those codes are not documented in this guide because they are not used in subscriber profiles.

The PDA application running in Demo mode demonstrates brand awareness by displaying different branded pages based on the user group values of bronze, silver, and gold. See the aaa.properties file.

Account-Info (continued)

  • "$AAaccountAttributeName;type;attributeValue"—Meaningful in Demo mode only to demonstrate the LDAP mode account self-care features. Use this attribute to specify the initial values that will appear in the fields on the My Account page in the NWSP application running in Demo mode. Use a separate attribute line for each field.

The accountAttributeName is a name for a field on the My Account page in the NWSP application. These are X.500 fields. See the Cisco Distributed Administrator Tool Guide for a list of the X.500 names. You can add more fields to the demo if you alter the NWSP application to display more fields, as described in the Cisco Subscriber Edge Services Manager Web Developer Guide.

The type indicates a type for attributeValue and is one of the following:

  • S—attributeValue is a simple string.

  • V—attributeValue is an array of strings.

The attributeValue indicates the value to be displayed in the field in NWSP. If type is V, surround attributeValue with braces ({}) and delimit each element in the array with a semicolon.

For example:

    "$AAgivenName;S;James"
    "$AAhobbies;V;{sports;news;travel}"

The NWSP application running in Demo mode demonstrates subaccounts. In the aaa.properties file, subgolduser is defined as a subaccount to golduser.

Cisco-AVpair

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a subscriber profile are:

Note   A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL.

Example Subscriber Profiles

The subscriber profile examples in this section are in a Merit RADIUS format.

Example Subscriber Profile for Auto Services

    user1 Password = "cisco"
        Service-Type = Framed-User,
        Account-Info = "Ainternet",    (hidden on the subscriber's web page)
        Account-Info = "Ninternet"     (makes it visible)

Note   The first Account-Info line specifies automatic connection to the service. If you do not include the second line, the auto connection service does not appear on the SESM web portal. To display the service on the SESM web portal, you must include both entries as shown in the example.

Example Subscriber Profile for Demo Mode

    golduser Password = "cisco"
        Service-Type = Framed-User,
        Account-Info = "$UGgold",
        Account-Info = "Ainternet_gold",
        Account-Info = "Ninternet_gold",
        Account-Info = "Ncorporate",
        Account-Info = "Ngames",
        Account-Info = "Ndiscount_shopping",
        Account-Info = "Hhttp://www.spiderbait.com",
        Account-Info = "$PESelf Manage",
        Account-Info = "$PESubaccount Manage",
        Account-Info = "$PEService Subscription",
        Account-Info = "$SAbanking",
        Account-Info = "$GAnewsgroup",
        Account-Info = "$AAinitials;V;{A}",
        Account-Info = "$AAgender;S;female",
        Account-Info = "$AAsurname;S;Goodbody",
        Account-Info = "$AAtitle;S;Miss",
        Account-Info = "$AAgivenName;S;Felicity",
        Account-Info = "$AAhobbies;V;{science;news;travel}"

See the aaa.properties file in the nwsp/config directory for more examples.
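Two conditions described in Tables C-4 and C-6 can be checked before profiles are loaded: a subscriber profile with no Cisco SSG VSA (the case the Note under Account-Info says leaves a PPP subscriber uncontrolled) and a service or subscriber profile with neither Session-Timeout nor Idle-Timeout. The following is an added example, not part of SESM. The finding labels are hypothetical, the `pppuser` entry is constructed, and any profile whose Service-Type begins with Framed is assumed to be a subscriber profile.

```python
import re

# Attr = "quoted value" or Attr = bareword, as in the Merit examples above.
PAIR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|([^,\s]+))')
SSG_VSAS = {"account-info", "service-info", "control-info",
            "command-code", "cisco-avpair"}
TIMEOUTS = {"session-timeout", "idle-timeout"}


def parse_profiles(text: str) -> dict:
    """Return {profile name: [(attribute, value), ...]} from Merit-format text."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # unindented line starts an entry
            parts = line.split(None, 1)
            current = profiles.setdefault(parts[0], [])
            line = parts[1] if len(parts) > 1 else ""
        if current is None:
            continue
        for m in PAIR.finditer(line):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            # Hyphen and underbar are interchangeable; names are not case-sensitive.
            current.append((m.group(1).replace("_", "-").lower(), value))
    return profiles


def audit(profiles: dict) -> list:
    """Return (profile, finding) pairs for the two conditions described above."""
    findings = []
    for name, attrs in profiles.items():
        names = {a for a, _ in attrs}
        service_type = next((v.lower() for a, v in attrs if a == "service-type"), "")
        is_subscriber = service_type.startswith("framed")   # assumption, see lead-in
        is_service = "service-info" in names
        if is_subscriber and not names & SSG_VSAS:
            findings.append((name, "no-ssg-vsa"))
        if (is_subscriber or is_service) and not names & TIMEOUTS:
            findings.append((name, "no-timeout"))
    return findings


# Sample input: profiles abridged from this page plus one constructed entry (pppuser).
SAMPLE = '''
internet Password = "servicecisco", Service-Type = Outbound
    Service-Info = "IInternet", Service-Info = "MC", Service-Info = "TP"
iptv Password = "servicecisco", Service-Type = Outbound
    Service-Info = "IIP/TV",
    Service-Info = "TP",
    Idle-Timeout = 60,
    Session-Timeout = 60
user1 Password = "cisco"
    Service-Type = Framed-User,
    Account-Info = "Ainternet",
    Account-Info = "Ninternet"
pppuser Password = "example"
    Service-Type = Framed-User
'''

if __name__ == "__main__":
    for profile, finding in audit(parse_profiles(SAMPLE)):
        print(profile, finding)
```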

Configuring Next Hop Gateway Profiles

Next Hop Gateway profiles associate next hop gateway keys with IP addresses. Because multiple SSGs might access services from different networks, service profiles can specify next hop keys. (See the service-info G attribute in Table C-4.) If this is the case, you must configure a next hop gateway pseudo-service profile to resolve the keys to valid IP addresses.

An example next hop gateway pseudo-service profile follows:

    ssg-next-hop Password = "xssg-key"
        Control-Info = "Gl2tp-net7;192.168.1.101",
        Control-Info = "Gl2tp-net40;192.168.1.102",
        Control-Info = "Gweb-key;192.168.1.101",
        Control-Info = "Gproxy-radius-key;192.168.1.101",
        Control-Info = "Gxint-24;192.168.1.101"

Configuring the RADIUS Accounting Feature

If you configure a RADIUS accounting port, SSG generates accounting records and forwards them to the RADIUS server. To configure a RADIUS server for accounting only, you must perform the following configuration steps.

The subscriber actions that cause SSG to generate a RADIUS accounting record are:

Use the following references for more information:

Configuring Cisco Access Registrar for SESM Deployments

This section describes how to configure the Cisco Access Registrar (Cisco AR) for an SESM deployment. The section includes profile examples in Cisco AR format.

Configuring the RADIUS Ports

By default, Cisco Access Registrar listens on ports 1645 and 1646 for any type of RADIUS request. You can configure Cisco Access Registrar to listen on ports 1812 and 1813 instead by entering the following commands:

    add /Radius/Advanced/Ports/1812
    add /Radius/Advanced/Ports/1813

These commands cause Cisco Access Registrar to listen on the explicitly defined ports, 1812 and 1813, for all types of RADIUS requests. It no longer listens on the default ports.

Cisco SSG VSAs in Cisco Access Registrar Dictionary

Cisco Access Registrar is installed with the following Cisco VSAs already defined in its attribute dictionary:

Configuring NAS Clients in Cisco Access Registrar

Use the following commands to configure the NAS clients required by an SESM deployment:

    add /Radius/Clients/SESM1 "" 10.3.3.2 cisco
    add /Radius/Clients/SESM2 "" 10.3.3.101 cisco
    add /Radius/Clients/SESM3 "" 10.3.3.102 cisco

Configuring Attribute Profiles in Cisco Access Registrar

This section shows commands for creating sample profiles in Cisco Access Registrar format.

Internet Service Profile

    add /Radius/Profiles/internet-profile
    set /Radius/Profiles/internet-profile/Attributes/Cisco-SSG-Service-Info IInternet R153.153.153.0;255.255.255.0 MC TP

Corporate Service Profile

    add /Radius/Profiles/corporate-profile
    set /Radius/Profiles/corporate-profile/Attributes/Cisco-SSG-Service-Info "ICorporate Intranet(proxy)" R154.154.154.0;255.255.255.0 S10.3.3.101;1812;1813;cisco MC TX

IPTV Profile

    add /Radius/Profiles/iptv-profile
    set /Radius/Profiles/iptv-profile/Attributes/Cisco-SSG-Service-Info IIP/TV R160.160.160.0;255.255.255.0 MC TP
    set /Radius/Profiles/iptv-profile/Attributes/Idle-Timeout 60
    set /Radius/Profiles/iptv-profile/Attributes/Session-Timeout 60

Standard Subscriber Profile

    add /Radius/Profiles/std-user-profile
    set /Radius/Profiles/std-user-profile/Attributes/Service-Type Framed
    set /Radius/Profiles/std-user-profile/Attributes/Cisco-SSG-Account-Info Ainternet Ninternet

Pseudo-service Profile

    add /Radius/Profiles/pseudo-service-profile
    set /Radius/Profiles/pseudo-service-profile/Attributes/Cisco-SSG-Control-Info Gl2tp-net7;192.168.1.101 Gl2tp-net40;192.168.1.102 Gweb-key;192.168.1.101 Gproxy-radius-key;192.168.1.101 Gxint-24;192.168.1.101

Configuring Cisco Access Registrar Userlists and Authentication and Authorization Services

This section describes how to configure userlists and authentication and authorization services on Cisco Access Registrar.

Configuring Userlist for SESM Services

The following commands configure userlists containing SESM services and corresponding attribute profiles.

    add /Radius/Userlists/SESMservices
    add /Radius/Userlists/SESMservices/internet "" servicecisco TRUE "" internet-profile
    add /Radius/Userlists/SESMservices/corporate "" servicecisco TRUE "" corporate-profile
    add /Radius/Userlists/SESMservices/iptv "" servicecisco TRUE "" iptv-profile

Configuring Userlist for SESM Users

The following commands configure userlists containing SESM users and corresponding attribute profiles.

    add /Radius/Userlists/SESMusers
    add /Radius/Userlists/SESMusers/user1 "" cisco TRUE "" std-user-profile
    add /Radius/Userlists/SESMusers/ssg-next-hop "" xssg-key TRUE "" pseudo-service-profile

Configuring AA Services

The following commands configure Cisco Access Registrar AA services. The first command configures services for the SESM services userlist. The second command configures services for the SESM users userlist.

    add /Radius/Services/Outbound "" local "" "" RejectAll "" SESMservices
    add /Radius/Services/SESMdefault "" local "" "" RejectAll "" SESMusers

Checking the Service-Type Attribute

The following commands configure Cisco Access Registrar to check the Service-Type attribute in the request. If Service-Type is set to Outbound, then the Outbound AA service is used; otherwise, the SESM default AA service is used.

    set /Radius/DefaultAuthenticationService ${q|Service-Type}{SESMdefault}
    set /Radius/DefaultAuthorizationService ${q|Service-Type}{SESMdefault}

Configuring Accounting on Cisco Access Registrar

To configure accounting services, use the following commands:

    add /Radius/Services/SESMaccounting "" file
    set /Radius/DefaultAccountingService SESMaccounting

Saving the Configuration and Reloading the Server

To save the configuration and reload the Cisco Access Registrar server, use the following commands:

    save
    reload

Example RADIUS Profiles

The SESM product includes sample RADIUS profiles in MERIT flat file formats. The SESM sample portal applications running in Demo mode use the profiles in these MERIT files. The installation includes a separate MERIT file for each of the sample portal applications. The files are located in the config directory under each portal application directory. For example:

nwsp
    config
      aaa.properties

Posted: Fri Oct 18 10:03:45 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.