background image

Configuring ISG as a RADIUS Proxy

  Configuration Examples for ISG RADIUS Proxy

14

accounting method-list FWDACCT 

client 10.45.45.2 

timer request 5 

client 10.45.45.3 

key aashica#@!$%&/ 

timer ip-address 120 

! This control policy references the method list called "RP" that was configured using the 

aaa authorization radius-proxy command above.

policy-map type control PROXYRULE 

class type control always event session-start 

1 proxy aaa list RP  

!  

bba-group pppoe global 

interface GigabitEthernet 2/1/0

ip address 10.45.45.1 255.255.255.0 

ip subscriber routed

initiator radius-proxy 

no ip route-cache cef 

no ip route-cache 

no cdp enable 

!

! The control policy "PROXYRULE" is applied to the interface.

service-policy type control PROXYRULE 

radius-server host 10.2.36.253 auth-port 1812 acct-port 1813 key cisco 

radius-server host 10.76.86.83 auth-port 1665 acct-port 1666 key rad123 

radius-server vsa send accounting 

radius-server vsa send authentication 

aaa new-model 

aaa group server radius EAP 

server 10.2.36.253 auth-port 1812 acct-port 1813 

ISG RADIUS Proxy and Layer 4 Redirect: Example

The following example shows an ISG policy configured for both ISG RADIUS proxy and Layer 4 
redirection:

aaa authorization network default local

!

redirect server-group REDIRECT

server ip 10.255.255.28 port 23

!

class-map type traffic match-any traffic1

match access-group input 101

policy-map type service service1

class type traffic traffic1

redirect list 101 to group REDIRECT

!

policy-map type control PROXYRULE 

Summary of Contents for IOS XE

Page 1: ...arters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco IOS XE Intelligent Services Gateway Configuration Guide Release 2 ...

Page 2: ...co Pulse Cisco SensorBase Cisco StackPower Cisco StadiumVision Cisco TelePresence Cisco Unified Computing System Cisco WebEx DCE Flip Channels Flip for Good Flip Mino Flipshare Design Flip Ultra Flip Video Flip Video Design Instant Broadband and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn Cisco Capital Cisco Capital Design Cisco Financed Stylized Cisco ...

Page 3: ...entation Feedback page x Documentation Objectives Cisco IOS XE documentation describe the tasks and commands available to configure and maintain Cisco networking devices Audience The Cisco IOS XE documentation set is intended for users who configure and maintain Cisco networking devices such as routers and switches but who may not be familiar with the configuration and maintenance tasks the relati...

Page 4: ...or example the key combination D or Ctrl D means that you hold down the Control key while you press the D key Keys are indicated in capital letters but are not case sensitive string A string is a nonquoted set of characters shown in italics For example when setting a Simple Network Management Protocol SNMP community string to public do not use quotation marks around the string otherwise the string...

Page 5: ...co com Listed are configuration guides command references and supplementary references and resources that comprise the documentation set Cisco IOS XE Documentation Set page iv Cisco IOS XE Documentation on Cisco com page iv Configuration Guides Command References and Supplementary Resources page v Convention Description Courier font Courier font is used for information that is displayed on a PC or...

Page 6: ...elease and all commands that are new modified removed or replaced in the release Reference book for system messages for all Cisco IOS XE releases Cisco IOS XE Documentation on Cisco com The following sections describe the documentation organization and how to access various document types Use Cisco Feature Navigator to find information about Cisco IOS XE software image support To access Cisco Feat...

Page 7: ...ing of SPA interface processors SIPs and shared port adapters SPAs that are supported on the Cisco ASR 1000 Series Router Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide Overview of software functionality that is specific to the Cisco ASR 1000 Series Aggregation Services Routers Cisco IOS XE Access Node Control Protocol Configuration Guide Cisco IOS Access Node Cont...

Page 8: ... Addressing Services Configuration Guide Cisco IOS IP Addressing Services Command Reference IP addressing Address Resolution Protocol ARP Network Address Translation NAT Domain Name System DNS Dynamic Host Configuration Protocol DHCP and Next Hop Address Resolution Protocol NHRP Cisco IOS XE IP Application Services Configuration Guide Cisco IOS IP Application Services Command Reference Enhanced Ob...

Page 9: ...cs ios ios_xe ipv6 configuratio n guide ip6 roadmap_xe html Cisco IOS XE ISO CLNS Configuration Guide Cisco IOS ISO CLNS Command Reference ISO Connectionless Network Service CLNS Cisco IOS XE LAN Switching Configuration Guide Cisco IOS LAN Switching Command Reference VLANs and multilayer switching MLS Cisco IOS XE Multiprotocol Label Switching Configuration Guide Cisco IOS Multiprotocol Label Swit...

Page 10: ...IOS XE Security Configuration Guide Securing the Data Plane Access Control Lists ACLs Firewalls Context Based Access Control CBAC and Zone Based Firewall Cisco IOS Intrusion Prevention System IPS Flexible Packet Matching Unicast Reverse Path Forwarding uRPF Threat Information Distribution Protocol TIDP and TMS Cisco IOS XE Security Configuration Guide Securing User Services AAA includes Network Ad...

Page 11: ...de Operating in the distributed mode the SBC is a toolkit of functions that can be used to deploy and manage VoIP services such as signaling interworking network hiding security and quality of service Cisco Unified Border Element SP Edition Configuration Guide Unified Model Cisco Unified Border Element SP Edition Command Reference Unified Model The Cisco Unified Border Element SP Edition is a high...

Page 12: ...all Cisco IOS XE software releases Cisco IOS Debug Command Reference Alphabetical list of debug commands including brief descriptions of use command syntax and usage guidelines Cisco IOS XE system messages List of Cisco IOS XE system messages and descriptions System messages may indicate problems with your system may be informational only or may help diagnose problems with communications lines int...

Page 13: ...n Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Follow Me Browsing GainMaker iLYNX IOS iPhone IronPort the IronPort logo Laser Link LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy PCNow PIX PowerKEY PowerPanels PowerTV PowerTV Design PowerVu Prisma ProConnect ROSA SenderBase SMARTnet Spectrum Expert StackWise WebEx and the WebE...

Page 14: ...About Cisco IOS XE Software Documentation Additional Resources and Documentation Feedback xii ...

Page 15: ...iguration Guide For information about the software documentation set see the About Cisco IOS XE Software Documentation document Initially Configuring a Device Initially configuring a device varies by platform For information about performing an initial configuration see the hardware installation documentation that is provided with the original packaging of the product or go to the Product Support ...

Page 16: ...sentative Using the CLI This section describes the following topics Understanding Command Modes page ii Using the Interactive Help Feature page v Understanding Command Syntax page vi Understanding Enable and Enable Secret Passwords page viii Using the Command History Feature page viii Abbreviating Commands page ix Using Aliases for CLI Commands page ix Using the no and default Forms of Commands pa...

Page 17: ...s Manage device file systems Global configuration From privileged EXEC mode issue the configure terminal command Router config Issue the exit command or the end command to return to privileged EXEC mode Configure the device Interface configuration From global configuration mode issue the interface command Router config if Issue the exit command to return to global configuration mode or the end com...

Page 18: ...reak signal Ctrl C Ctrl Shift 6 or the send break command was entered and the router was configured to enter diagnostic mode when the break signal was received Router diag If a Cisco IOS XE process failure is the reason for entering diagnostic mode the failure must be resolved and the router must be rebooted to exit diagnostic mode If the router is in diagnostic mode because of a transport map con...

Page 19: ... executing a downloaded image context display the context of a loaded image cookie display contents of cookie PROM in hex rommon 2 The following example shows how the command prompt changes to indicate a different command mode Router enable Router configure terminal Router config interface ethernet 1 1 Router config if ethernet Router config line exit Router config end Router Note A keyboard alter...

Page 20: ...s List entry access profile Apply user profile to interface access template Create a temporary access List entry alps ALPS exec commands archive manage archive files snip partial command Router config zo zone zone pair partial command Tab Router config we Tab webvpn command Router config if pppoe enable Enable pppoe max sessions Maximum PPPOE sessions command keyword Router config if pppoe enable ...

Page 21: ...brackets Indicate that the option is an argument Sometimes arguments are displayed without angle brackets A B C D Indicates that you must enter a dotted decimal IP address Angle brackets are not always used to indicate that an IP address is an argument WORD all capital letters Indicates that you must enter one word Angle brackets are not always used to indicate that a WORD is an argument LINE all ...

Page 22: ...eywords that are single integer values If you choose a number for the first character of your password followed by a space the system will read the number as if it were the numeric keyword and not as part of your password When both passwords are set the enable secret password takes precedence over the enable password To remove a password use the no form of the commands no enable password or no ena...

Page 23: ...eature for a terminal session issue the terminal no history command in user EXEC or privileged EXEC mode or the no history command in line configuration mode Abbreviating Commands Typing a complete command name is not always required for the command to execute The CLI recognizes an abbreviated command when the abbreviation contains enough characters to uniquely identify the command For example the...

Page 24: ...ettings the default form enables the command and returns the settings to their default values The no form is documented in the command pages of command references The default form is generally documented in the command pages only when the default form performs a different function than the plain and no forms of the command To see what default commands are available on your system enter default in ...

Page 25: ... include the expression protocol Router show interface include protocol FastEthernet0 0 is up line protocol is up Serial4 0 is up line protocol is up Serial4 1 is up line protocol is up Serial4 2 is administratively down line protocol is down Serial4 3 is administratively down line protocol is down Understanding CLI Error Messages You may encounter some error messages while using the CLI Table 5 s...

Page 26: ...ed to NVRAM On platforms with a Class A flash file system the configuration is saved to the location specified by the CONFIG_FILE environment variable The CONFIG_FILE variable defaults to NVRAM Additional Information Part 1 Using the Cisco IOS Command Line Interface CLI of the Cisco IOS XE Configuration Fundamentals Configuration Guide http www cisco com en US docs ios ios_xe fundamentals configur...

Page 27: ...rtified Internetwork Expert logo Cisco IOS Cisco Lumin Cisco Nexus Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Follow Me Browsing GainMaker iLYNX IOS iPhone IronPort the IronPort logo Laser Link LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networ...

Page 28: ...Using the Command Line Interface in Cisco IOS XE Software Additional Information xiv ...

Page 29: ...ture Feature and Release Support Table 1 lists ISG feature support for Cisco IOS XE Release 2 Use Cisco Feature Navigator to find information about platform support and software image support Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release feature set or platform To access Cisco Feature Navigator go to http www cisco com go cf...

Page 30: ...ngs clients to query DHCP servers regarding the owner and the lease expiration time of an IP address Configuring ISG Access for IP Subscriber Sessions Cisco IOS XE Release 2 5 ISG AAA Wireless Enhancements This feature enhances ISG RADIUS proxy functionality to provide additional support for mobile wireless environments It includes changes to RADIUS attribute 31 processing Configuring ISG as a RAD...

Page 31: ...rol Dynamic Rate Limiting ISG can change the allowed bandwidth of a session or flow by dynamically applying rate limiting policies Configuring ISG Network Forwarding Policies Cisco IOS XE Release 2 2 ISG Instrumentation Advanced Conditional Debugging ISG provides the ability to define various conditions for filtering debug output Conditional debugging generates very specific and relevant informati...

Page 32: ...OS XE Release 2 2 ISG Policy Control Policy Domain Based Auto domain Proxy ISG control policies manage the primary services and rules used to enforce particular contracts Polices can be configured to interpret the domain as a request to activate the service associated with that domain name allowing users to automatically receive services in accordance with the domain that they are attempting to co...

Page 33: ...allows the portal to identify the ISG gateway from which the session originated Configuring ISG Port Bundle Host Key Cisco IOS XE Release 2 2 ISG Session Auth Single Sign On Single sign on eliminates the need to authenticate a session more than once when a subscriber has access to services provided by other devices in the administrative domain of the access or service provider Overview of ISG Cisc...

Page 34: ...any variants of P2P encapsulation such as PPP PPPoE and PPPoA Configuring ISG Access for PPP Sessions Cisco IOS XE Release 2 2 ISG Session Lifecycle Idle Timeout The ISG idle timeout controls how long a connection can be idle before it is terminated Configuring ISG Policies for Session Maintenance Cisco IOS XE Release 2 2 ISG Session Lifecycle Packet of Disconnect POD An ISG can be configured to i...

Page 35: ...nity Collaboration Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Follow Me Browsing GainMaker iLYNX IOS iPhone IronPort the IronPort logo Laser Link LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy PCNow PIX PowerKEY PowerPanels PowerTV PowerTV Design PowerVu Prisma ProConnect ROSA SenderBase SMARTnet Spectrum Expert StackWise W...

Page 36: ...Intelligent Services Gateway Features Roadmap 8 ...

Page 37: ... the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for the Overview of ISG section on page 9 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE sof...

Page 38: ...d service edge of a network and is applicable to a range of subscriber network environments such as digital subscriber line DSL public wireless LAN PWLAN and mobile wireless Moreover ISG has been designed to accommodate a flexible distribution of subscriber and service information within a given solution Figure 1 illustrates a typical DSL deployment for which service profile data may be stored in ...

Page 39: ...r 3 depending on the packet types that are being handled by the session For instance a PPP session is a Layer 2 session in that it includes all packets transferred over a link that was established using PPP negotiation An IP session is Layer 3 because it includes all IP packets exchanged with a subscriber device at a single IP address Whether a session is Layer 2 or Layer 3 will to some extent det...

Page 40: ...ailable at session start can be used to drive the extraction of further identity from the subscriber and determine new policy for the session The following example illustrates how ISG might handle subscriber identity For an IP session where session start is signaled by a DHCP protocol event a TCP redirection policy could be activated This policy would facilitate the collection of a username and cr...

Page 41: ...valuated A control policy rule consists of a control class a flexible condition clause an event for which the condition is evaluated and one or more control actions Control actions are general system functions such as authenticate or activate a service Control policies may be activated on various targets such as interfaces or ATM virtual circuits VCs and typically control the extraction and authen...

Page 42: ...ucture to provide session functionality Use of existing Cisco IOS infrastructure to track session state and life cycle Creation of a session context at first instance of subscriber interaction thereby facilitating the immediate application of policy to subscriber traffic Flexible distribution of service data Range of accounting options including prepaid accounting postpaid accounting tariff switch...

Page 43: ...ce overheads associated with this practice Subscriber Access Model The trust model will to a large extent determine the choice of access protocol However the access model will also depend on other factors such as the underlying media for example ATM versus Ethernet type of endpoint for example PC cell phone PDA mobility requirements the system s ability to influence the software installed on a sub...

Page 44: ... intervals traditional postpaid Billing according to policies provisioned for the session Billing according to the time of day tariff switching Additional References The following sections provide references related to ISG Related Documents Technical Assistance Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Description Link The Cisco Support webs...

Page 45: ...isco Unity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum ...

Page 46: ...Overview of ISG Feature Information for the Overview of ISG 10 ...

Page 47: ...w to configure ISG control policies Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Control Policies section on page 21 Use Cisco Feature Navi...

Page 48: ...es of Control Policies page 3 Control Policies Control policies define the actions that the system will take in response to specified events and conditions For example a control policy can be configured to authenticate specific subscribers and then provide them with access to specific services A control policy is made of one or more control policy rules A control policy rule is an association of a...

Page 49: ...actions configured for the radius timeout and access reject events the system can distinguish between the different reasons for an authentication failure Different events are thrown by the system for example a received authentication reject or an unavailable RADIUS server event This allows the control policy to specify different actions for each type of authentication failure For example if the RA...

Page 50: ...i vpi number 6 greater than or equal not nas port adapter adapter number channel channel number ipaddr ip address port port number shelf shelf number slot slot number sub interface sub interface number type interface type vci vci number vlan vlan id vpi vpi number 7 less than not nas port adapter adapter number channel channel number ipaddr ip address port port number shelf shelf number slot slot ...

Page 51: ... match all class1 Creates or modifies a control class map which defines the conditions under which the actions of a control policy map will be executed and enters control class map configuration mode Step 4 available authen status authenticated domain authenticated username dnis media mlp negotiated nas port no username protocol service name source ip address timer tunnel name unauthenticated doma...

Page 52: ... number channel channel number ipaddr ip address port port number shelf shelf number slot slot number sub interface sub interface number type interface type vci vci number vlan vlan id vpi vpi number Example Router config control classmap less than or equal nas port ipaddr 10 10 10 10 Optional Creates a condition that evaluates true if the specified subscriber NAS port identifier is less than or e...

Page 53: ...it id name ipaddr ip address port port number remote id name shelf shelf number slot slot number sub interface sub interface number type async atm basic rate enm ether fxo fxs none primary rate synch vlan vty vci vci number vlan vlan id vpi vpi number Example Router config control classmap match nas port type ether slot 3 Optional Creates a condition that evaluates true if a subscriber s NAS port ...

Page 54: ...tional Creates a condition that evaluates true upon expiry of a specified policy timer Step 21 match tunnel name tunnel name regexp regular expression Example Router config control classmap match tunnel name regexp L Optional Creates a condition that evaluates true if a subscriber s virtual private dialup network VPDN tunnel name matches the specified tunnel name Step 22 match unauthenticated doma...

Page 55: ...omain authenticated username auto detect circuit id plus remote id dnis mac address nas port remote id plus circuit id source ip address tunnel name unauthenticated domain unauthenticated username vendor class id 7 action number collect aaa list list name identifier authen status authenticated domain authenticated username dnis mac address media mlp negotiated nas port no username protocol service...

Page 56: ...piry Example Router config control policymap class type control always event session start Specifies a control class for which actions may be configured and enters control policy map class configuration mode A policy rule for which the control class is always will always be treated as the lowest priority rule within the control policy map Step 5 action number authenticate aaa list list name Exampl...

Page 57: ... config control policymap class control 1 proxy accounting aaa list default Optional Specifies the list that the request should be proxied to Step 10 action number service disconnect local vpdn Example Router config control policymap class control 3 service disconnect Optional Specifies a network service type for PPP sessions Step 11 action number service policy type control policy map name Exampl...

Page 58: ...ted username dnis mac address media mlp negotiated nas port no username protocol service name source ip address timer tunnel name unauthenticated domain unauthenticated username vrf Example Router config control policymap class control 1 set APJ identifier authen status Optional Sets a variable name Step 14 action number set timer name of timer minutes Example Router config control policymap class...

Page 59: ...AILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 service policy type control policy map name Example Router config service policy type control policy1 Applies a control policy Command or Action Purpose Step 1 enabl...

Page 60: ...nfiguration mode Step 4 service policy type control policy map name Example Router config if service policy type control policy1 Applies a control policy Command or Action Purpose Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step...

Page 61: ...ss Media Example page 19 Control Policies for Automatic Subscriber Login Example page 20 Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 show class map type control Example Router show class map type control Displays information about ISG control class maps The display includes statistics on the number of times a par...

Page 62: ...RS event session start 1 service local class type control MY LOCAL USERS event session start 1 service local class type control always event session start 2 service disconnect policy map type control ppp users class type control always event session start 1 collect identifier unauthenticated domain 2 service policy type control MY POLICY Verifying a Control Policy Examples The following examples s...

Page 63: ... timeout 720 0x2D0 ssg account info QU 10000 D 20000 Rules actions and conditions executed subscriber rule map ppp users condition always event session start 1 collect identifier unauthenticated domain 2 service policy type control MY POLICY subscriber condition map match all MY FORWARDING USERS match identifier unauthenticated domain xyz com TRUE subscriber rule map MY POLICY condition MY FORWARD...

Page 64: ...imeout 720 0x2D0 ssg account info QU 10000 D 20000 Rules actions and conditions executed subscriber rule map ppp users condition always event session start 1 collect identifier unauthenticated domain 2 service policy type control MY POLICY subscriber condition map match all MY FORWARDING USERS match identifier unauthenticated domain xyz com FALSE subscriber rule map MY POLICY condition MY FORWARDI...

Page 65: ... the NAS port associated with this subscriber Specifically only subscribers that arrive on a Gigabit Ethernet interface and on slot 3 will evaluate to true Configure the control class maps class map type control match all MATCHING USERS class type control NOT ATM match media ether match nas port type ether slot 3 class map type control match none NOT ATM match media atm If the conditions in the cl...

Page 66: ... radius aaa authentication login LOCAL local access list 100 permit ip any any class map type traffic match any all traffic match access group input 100 match access group output 100 policy map type service redirectprofile class type traffic all traffic redirect to ip 10 0 0 148 port 8080 class map type control match all CONDA match source ip address 209 165 201 1 255 255 255 0 class map type cont...

Page 67: ...ntroduced support for a given feature in a given Cisco IOS XE software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature MIB MIBs Link No new or modified MIBs are supported by this feature To locate and download MIBs for selected platforms Cisco IOS XE releases and feature sets use Cisco MIB Locator found at the following...

Page 68: ... ISG Policy Control Policy Triggers Cisco IOS XE Release 2 2 ISG control policies can be configured with time based volume based and duration based policy triggers Time based triggers use an internal clock allowing policies to be applied at specific times Volume based triggers are based on packet count when the packet count reaches a specified value the specified policy is applied Duration based t...

Page 69: ...ot imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental 2006 2009 Cisco System...

Page 70: ...Configuring ISG Control Policies Feature Information for ISG Control Policies 24 ...

Page 71: ...re release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Access for PPP Sessions section on page 13 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Navigator go to http www cisco com go cfn...

Page 72: ...ons you should understand the following concepts Overview of ISG Access for PPP Sessions page 2 ISG Subscriber IP Address Management for PPP Sessions page 3 VRF Transfer for PPP Sessions page 3 Default Policy for ISG Access for PPP Sessions page 3 Overview of ISG Access for PPP Sessions Layer 2 sessions are established by means of control protocols that operate between the peer entities and the IS...

Page 73: ...e a PPP session comes up with the IP address from the network access point NAP the subscriber can access a web portal and choose a service provider On VRF transfers in PPP sessions ISG must reassign the IP address from the new domain to the PPP session In PPP sessions the IP address is reassigned by IPCP renegotiation Without PPP renegotiation VRF transfer is not supported for PPP sessions Default...

Page 74: ...ol policies See the Configuration Examples for ISG Access for PPP Sessions section on page 9 for an example of a control policy for Layer 2 access 3 Enable ISG VRF transfer for PPP sessions 4 Verify and troubleshoot the configuration as needed This section contains the following tasks Enabling ISG VRF Transfer for PPP Sessions page 4 Troubleshooting ISG Access for PPP Sessions page 7 Enabling ISG ...

Page 75: ...minal 3 policy map type service policy map name 4 ip vrf forwarding name of vrf 5 sg service type primary 6 sg service group service group name DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type se...

Page 76: ...e type primary Defines the service as a primary service A primary service is a service that contains a network forwarding policy A primary service must be defined as a primary service by using the sg service type primary command Any service that is not a primary service is defined as a secondary service by default Step 6 sg service group service group name Example Router config service policymap s...

Page 77: ...gr service key session handle session handle service key service session key domainip vrf ip address ip address vrf id vrf id ip address ip address mac address mac address nativeip vrf ip address ip address vrf id vrf id portbundle ip ip address bundle bundle number session handle session handle Example Router show idmgr session key ip address 10 0 0 1 Displays information related to ISG session a...

Page 78: ...nostic information about packets during Subscriber Service Switch SSS call setup Step 5 debug subscriber error Example Router debug subscriber error Displays diagnostic information about errors that can occur during SSS call setup Step 6 debug subscriber event Example Router debug subscriber event Displays diagnostic information about SSS call setup events Step 7 debug subscriber fsm Example Route...

Page 79: ...or PPP Sessions Example The following example shows the configuration of an ISG policy that provides services to PPP subscribers This example configures ISG to perform the following actions PPP local termination ISG will provide local termination by activating the service ispa for subscribers matching the domain ispa The system will authenticate the subscriber using method list list1 For local ter...

Page 80: ...ontrol L2_ACCESS Define a control policy rule that activates a forwarding service on the basis of the ATM VPI VCI on which the call came in class type control NAS_PORT_CONDITION event session start 1 service policy type service xconnect Define a control policy rule that collects the domain name from the protocol The domain name is available from a structured user name e g user domain class type co...

Page 81: ...vice policy type control L2_ACCESS VRF Transfer for PPP Sessions Using IPCP Renegotiation Example The following example shows a configuration that uses PPPoE to establish a session and the RADIUS service profile that is created to associate the VRF In this example when a PPP session initially comes up it belongs to the default routing table and the IP address is assigned from the default IP addres...

Page 82: ...ice Info R10 1 1 0 255 255 255 0 Framed Protocol PPP Service Type Framed Additional References The following sections provide references related to ISG access for PPP sessions Related Documents Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference AAA configuration tasks The Authentication Authorization and Accounting AAA section in the Cisco IOS XE Sec...

Page 83: ...tion Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and...

Page 84: ...the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United St...

Page 85: ...ent assumes that Network Address Translation is performed on a Layer 3 gateway other than the ISG Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ...

Page 86: ...s IP Subnet Session Restrictions IP subnet sessions are not supported on an interface configured with the ip subscriber l2 connected command IP subnet sessions are supported only when the ip subscriber routed command is configured on the interface ISG DHCP Restrictions ISG cannot relay DHCP requests when a Layer 3 DHCP relay agent is between the ISG device and subscriber devices Dynamic VPN Select...

Page 87: ...d for ISG IP subscriber sessions or traffic class sessions Upon switchover an IP session must be re created or restarted for DHCP sessions when the session becomes active again SSO and ISSU are not supported for any features on IP subscriber sessions or traffic class sessions Information About ISG Access for IP Subscriber Sessions Before you configure ISG access for subscriber sessions you should ...

Page 88: ... represents all the traffic that is associated with a single IP subnet IP subnet sessions are used to apply uniform edge processing to packets associated with a particular IP subnet When an IP subnet session is configured ISG treats the subnet as a single subscriber which means that ISG features and functionality are applied to the subnet traffic as an aggregate IP subnet sessions are supported fo...

Page 89: ...r 3 forwarding is either absent or not used to direct subscriber traffic in the Layer 2 access network IP addresses of the subscribers may or may not be on the same subnet as the Layer 2 connected physical interfaces Figure 1 shows an example of a Layer 2 connected access network Figure 1 Layer 2 Connected Access Network Routed Access Networks Routed subscriber traffic is routed through a Layer 3 ...

Page 90: ...by the appearance of an IP packet with an unclassified source IP address which means that an IP session does not yet exist for that IP address Unclassified source MAC address For Layer 2 connected IP subscribers a new IP session is triggered by the appearance of an IP packet with an unclassified source MAC address which means that an IP session does not yet exist for that MAC address RADIUS Access...

Page 91: ...nvolved in the assignment of an IP address for the subscriber DHCP If DHCP is being used to assign IP addresses and the IP address that is assigned by DHCP is correct for the service domain ISG does not have to be involved in the assignment of an IP address for the subscriber If the IP address that is assigned by DHCP is not correct for the service domain or if the domain changes because of a VRF ...

Page 92: ...k should use a Layer 2 separation mechanism to differentiate the IP address spaces For example the access network may put each IP address space in a different VLAN In cases in which the access network serves both local IP subscribers and roaming users the static private IP address of a roaming subscriber may overlap the native private IP address of another subscriber For example a public wireless ...

Page 93: ...Internet NAT must be performed For routed IP subscribers the subscriber IP address serves as the key for an IP session ISG associates IP traffic with an IP session as follows In the upstream direction the source IP address of an IP packet is used to identify the IP session The source IP address is the subscriber IP address In the downstream direction the destination IP address of an IP packet is u...

Page 94: ...IP subscribers both the subscriber MAC address unique within a VLAN and the IP address serve as the keys for the IP session but they are used in different directions In the upstream direction the VLAN ID and source MAC address of an IP packet are used to identify the IP session In the downstream direction both the destination IP address and the VLAN ID of an IP packet are used to identify the IP s...

Page 95: ...ly be altered once the current lease has expired Subscribers will not have access to the selected domain before the next DHCP renew request is received Using short initial lease times minimizes the interval between a VRF change and a DHCP renewal If long lease times are used an out of band method of initiating IP address change should be implemented When DHCP can be used to assign a new address at...

Page 96: ...called equal access networking must be supported Equal access networking is often mandated by regulatory rules stating that an access provider should allow service providers equal access to a retail subscriber network ISG dynamic VPN selection facilitates equal access networking by allowing subscribers to transfer between network services IP Session Termination An IP session may be terminated in o...

Page 97: ...icy appears in the output for the show subscriber policy rules command as follows Rule internal rule session restart Class map always event session restart Action 1 service disconnect delay 60 Executed 0 Default Services for IP Subscriber Sessions Newly created IP sessions may require a default service to allow subsequent subscriber packets to be processed appropriately for example to permit or fo...

Page 98: ...bscribers that are routed through a Layer 3 access network with at least one transit router before reaching the ISG Perform this task to configure ISG to create IP sessions for routed IP subscribers SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 ip subscriber routed 5 initiator dhcp class aware radius proxy unclassified ip address 6 end DETAILED STEPS Command or Action Purpo...

Page 99: ...upon receipt of the specified packet type dhcp ISG will initiate an IP session upon receipt of a DHCP DISCOVER packet The class aware keyword allows ISG to influence the IP address assigned by DHCP by providing DHCP with a class name radius proxy ISG will initiate an IP session upon receipt of a RADIUS Access Request packet unclassified ip address ISG will initiate an IP session upon receipt of th...

Page 100: ...es are routable in the access domain Step 5 initiator dhcp class aware radius proxy unclassified mac address Example Router config subscriber initiator unclassified mac address Configures ISG to create an IP subscriber session upon receipt of the specified packet type dhcp ISG initiates an IP session upon receipt of a DHCP DISCOVER packet The class aware keyword allows ISG to influence the IP addr...

Page 101: ...Returns to privileged EXEC mode Command or Action Purpose Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 interface type number subinterface number Example Router config interface GigabitEthernet 0 0 0 1 Specifies an interfac...

Page 102: ...routed 7 initiator static ip subscriber list list name 8 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 ip subscriber list list name Example Router config ip subscriber list mylist Specifies the IP subscri...

Page 103: ...ype number Example Router config interface GigabitEthernet 2 0 0 Specifies an interface and enters interface configuration mode Step 6 ip subscriber l2 connected or ip subscriber routed Example Router config if ip subscriber l2 connected or Router config if ip subscriber routed Specifies the type of IP subscriber to be hosted on the interface and enters ISG IP subscriber configuration mode Note It...

Page 104: ...erface type number Example Router config interface gigabitethernet 0 0 0 Specifies an interface and enters interface configuration mode Step 4 ip subscriber routed Example Router config if ip subscriber routed Specifies the type of IP subscriber to be hosted on the interface and enters ISG IP subscriber configuration mode Step 5 initiator unclassified ip address Example Router config subscriber in...

Page 105: ...n unauthenticated username 7 action number set timer name of timer minutes DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type control policy map name Example Router config policy map type control M...

Page 106: ...icated domain unauthenticated username Example Router config control policymap class control 1 authorize identifier source ip address Optional Initiates a request for authorization on the basis of the specified identifier Step 6 action number service policy type service unapply aaa list list name name service name identifier authenticated domain authenticated username dnis nas port tunnel name una...

Page 107: ...ep 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 1 show subscriber session detailed identifier identifier uid session id username name Example Router show subscriber session detailed Displays information about ISG policies and features for subscriber sessions Step 2 show ip subscriber dangling seconds detail ip ip address mac mac address vrf vrf n...

Page 108: ...er IP addresses To enable ISG to influence the IP addresses assigned to subscribers you associate a DHCP address pool class with an address domain The DHCP address pool class must also be configured in a service policy map service profile or user profile which is associated with a subscriber When a DHCP request is received from a subscriber DHCP uses the address pool class that is associated with ...

Page 109: ...t with a class name The class name refers to a class configured using the ip dhcp pool command and can reference a pool of addresses or a relay destination SUMMARY STEPS 1 enable 2 configure terminal 3 interface type number 4 ip address ip address mask secondary 5 ip subscriber l2 connected routed 6 initiator dhcp class aware 7 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Rou...

Page 110: ... name 4 classname class name 5 end 6 show policy map type service DETAILED STEPS Step 5 ip subscriber l2 connected routed Example Router config if ip subscriber Enables ISG IP subscriber configuration mode Step 6 initiator dhcp class aware Example Router config if initiator dhcp class aware Configures ISG to create IP sessions upon receipt of DHCP DISCOVER packets The class aware keyword allows IS...

Page 111: ...d with the class Prerequisites A DHCP address pool must be configured Classes configured within the DHCP address pool must match the DHCP address pool classes configured in the service or user profile SUMMARY STEPS 1 Add the DHCP Class attribute to the user or service profile Step 3 policy map type service policy name Example Router config policy map type service service1 Creates a service policy ...

Page 112: ...HCP servers available on the network and to specify the DHCP lease query for routed IP sessions Note The DHCP server IP address needs to be configured for routed IP sessions if the DHCP lease query is performed Prerequisites The DHCP server must support the DHCP lease protocol The IP address of the phone must be assigned by DHCP address assignments The traffic must be classified as Layer 3 SUMMARY...

Page 113: ...Restrictions IP interface features such as quality of service QoS and access lists are not supported on multiservice interfaces Only one multiservice interface can belong to a single VRF For example the following configuration will not work interface multiservice 1 ip vrf forwarding VRF_A Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password...

Page 114: ...es serve as demarcation points for the IP subscriber to switch from one VPN domain to another Figure 3 illustrates the multiservice interface model Figure 3 Multiservice Interface Model One multiservice interface must be configured for each VPN routing domain SUMMARY STEPS 1 enable 2 configure terminal 3 interface multiservice interface number 4 ip vrf forwarding vrf name 5 ip address ip address m...

Page 115: ...vice SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map name 4 ip vrf forwarding name of vrf 5 sg service type primary 6 sg service group service group name Step 3 interface multiservice interface number Example Router config interface multiservice 1 Creates a multiservice interface which enables dynamic VPN selection and enters interface configuration mode Step 4 ip ...

Page 116: ... a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 ip vrf forwarding name of vrf Example Router config service policymap ip vrf forwarding vrf2 Associates the service with a VRF Step 5 sg service type primary Example Router config service policymap sg service type primary Defines the service as a primary service A primary service is...

Page 117: ...er sessions with a specific session identifier Step 3 show ip subscriber dangling seconds detail ip ip address mac mac address vrf vrf name dangling seconds detail ip ip address Example Router show ip subscriber vrf vrf3 Displays information about ISG IP subscriber sessions Step 4 show idmgr memory detailed component substring service key session handle session handle string service key key value ...

Page 118: ...age 35 ISG Layer 2 Connected IP Subscriber Example page 35 DHCP Initiated Session Recovery Example page 36 ISG Interface with DHCP Class Aware Capability Example page 36 Command or Action Purpose Step 1 debug subscriber event error packet policy service Example Router debug subscriber service Displays debugging messages pertaining to subscriber policies policy server events and changes to service ...

Page 119: ...401 ip subscriber routed initiator dhcp class aware initiator unclassified ip address initiator radius proxy ISG Layer 2 Connected IP Subscriber Example The following example shows how to configure ISG to create IP sessions for subscribers who connect to ISG on GigabitEthernet interface0 0 1 401 through a Layer 2 connected access network ISG will create IP sessions upon receipt of any frame with a...

Page 120: ... the service SERVICE_DHCP is activated the DHCP pool DHCP_POOL2 is used for address assignment Otherwise the default pool DHCP_POOL1 is used interface GigabitEthernet1 0 0 400 encapsulation dot1Q 400 ip address 10 1 15 1 255 255 255 0 secondary ip address 10 1 10 1 255 255 255 0 no snmp trap link status service policy type control RULE_406a ip subscriber l2 connected initiator dhcp class aware ip ...

Page 121: ... 0 255 255 0 0 lease 0 0 10 class default DHCP Relay Agent Coresident with ISG Configuration In the following configuration example there are two ISPs poolA and poolB The poolA ISP and its customers are allowed to have addresses in the ranges 10 1 0 0 16 and 10 3 0 0 16 and are relayed to the DHCP server at 10 55 10 1 The poolB ISP and its customers are allowed to have addresses in the range 10 2 ...

Page 122: ... 255 255 0 0 default router 20 10 1 1 lease 0 0 2 class vrf class vrf1 ip dhcp class vrf class vrf1 policy map type control TAL class type control always event session start 1 service policy type service name pbhk 2 authorize identifier mac address interface GigabitEthernet0 0 7 ip address 10 1 1 0 255 255 0 0 load interval 30 negotiation auto no cdp enable service policy type control TAL ip subsc...

Page 123: ... The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really S...

Page 124: ...xy Cisco IOS XE Release 2 2 This feature enables ISG to dynamically interact with DHCP and apply policies that influence the IP addresses that DHCP assigns subscribers The following section provides information about this feature Assigning ISG Subscriber IP Addresses Using DHCP page 24 IP Session Recovery for DHCP Initiated IP Sessions Cisco IOS XE Release 2 2 ISG provides a default policy and the...

Page 125: ...interface IP interface sessions are provisioned through the CLI that is a session is created when the IP interface session commands are entered The following sections provide information about this feature Information About ISG Access for IP Subscriber Sessions page 3 Creating ISG IP Interface Sessions page 17 ISG Session Creation IP Session Protocol Event DHCP Cisco IOS XE Release 2 2 Most ISG se...

Page 126: ... 3 How to Configure ISG for IP Subscriber Sessions page 13 ISG Session Multicast Coexistence Cisco IOS XE Release 2 5 0 The ISG Session Multicast Coexistence feature introduces the ability to host all the subscribers and services data and multicast on the same VLAN by enabling multicast and IP sessions to coexist on the same e subinterface for Cisco ASR 10000 Series Aggregation Routers The followi...

Page 127: ...ates in the United States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display outpu...

Page 128: ...Configuring ISG Access for IP Subscriber Sessions Feature Information for ISG Access for IP Subscriber Sessions 44 ...

Page 129: ...est feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for MQC Support for IP Sessions section on page 7 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE sof...

Page 130: ...mation About MQC Support for IP Sessions To use and troubleshoot the MQC Support for IP Sessions feature you should understand the following concepts Supported Interfaces page 2 ISG Policers page 2 Precedence Order in Policy Maps page 3 Supported Interfaces MQC is not supported on the following interfaces Bridge Group Virtual Interface BVI GEC Interfaces configured for Layer 2 Tunnel Protocol L2TP...

Page 131: ...the previously existing configuration is reapplied if no higher precedence configuration source is in effect Given those precedence qualifications the policy map is determined as follows If there is no policy map on the session the incoming policy map is not applied If an existing policy map is configured from a higher priority source than an incoming one the incoming policy map is not applied If ...

Page 132: ...class name Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service service name Example Router config policy map type service service1 Enters policy map configuration mode Specifies the policy map name and its...

Page 133: ...ss map match any EF WAN Router config cmap match qos group 6 Router config cmap policy map PREMIUM_MARK_IN Router config pmap class EF customer Router config pmap c set cos 6 Router config pmap c set dscp ef Router config pmap c set qos group 6 Router config pmap c class class default Router config pmap c set dscp af11 Router config pmap c set qos group 1 Router config pmap c set cos 1 Router conf...

Page 134: ...l interface GigabitEthernet0 0 0 Router config if ip address 10 0 0 1 255 255 255 0 Router config if pppoe enable group global Router config if service policy type control INT Additional References The following sections provide references related to the MQC Support for IP sessions feature Related Documents MIBs Related Topic Document Title How to configure ISG control policies Configuring ISG Con...

Page 135: ...nity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert...

Page 136: ...Configuring MQC Support for IP Sessions Feature Information for MQC Support for IP Sessions 8 ...

Page 137: ...g Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Port Bundle Host Key section on page 9 Use Cisco Feature Navigator to find information about platfor...

Page 138: ...IP packets for example for PPP sessions or for DHCP initiated IP sessions with transparent autologon Information About ISG Port Bundle Host Key Before you configure the ISG Port Bundle Host Key feature you should understand the following concepts Overview of ISG Port Bundle Host Key page 2 Port Bundle Host Key Mechanism page 2 Benefits of ISG Port Bundle Host Key page 3 Overview of ISG Port Bundle...

Page 139: ...dle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership Without the use of port bundle host keys all subscribers accessing a single external portal must have unique IP addresses Furthermore since port bundle host keys isolate VRF specific addresses from the domain in which the portal resides routing considerations are simplified Portal Provisioning...

Page 140: ...the service policy map or service profile for example control policies can be used to activate services For more information about methods of service activation see the module Configuring ISG Subscriber Services Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enter...

Page 141: ...arameters and specify the interface for which ISG will use translation tables to derive the IP address and port number for downstream traffic Port Bundle Length The port bundle length is used to determine the number of ports in one bundle By default the port bundle length is four bits The maximum port bundle length is ten bits See Table 2 for available port bundle length values and the resulting p...

Page 142: ...1 enable 2 configure terminal 3 ip portbundle 4 match access list access list number 5 length bits 6 source interface type interface number 7 exit 8 interface type number 9 ip portbundle outside DETAILED STEPS 5 32 2016 6 64 1008 7 128 504 8 256 252 9 512 126 10 1024 63 Table 2 Port Bundle Lengths and Resulting Port per Bundle and Bundle per Group Values Port Bundle Length in bits Number of Ports ...

Page 143: ...pport a maximum port bundle length of 7 Step 6 source interface type interface number Example Router config portbundle source loopback 0 Specifies the interface for which the main IP address will be mapped by ISG to the destination IP addresses in subscriber traffic It is recommended that you use a loopback interface as the source interface Step 7 exit Example Router config portbundle exit Returns...

Page 144: ... Host Key Configuration Example The following example shows how to configure the ISG Port Bundle Host Key feature to apply to all sessions policy map type service ISGPBHKService ip portbundle Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 show ip portbundle status free inuse Example Router show ip portbundle status ...

Page 145: ...o specific configuration information For information about a feature in this technology that is not documented here see the Intelligent Services Gateway Features Roadmap Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshootin...

Page 146: ...udy IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in ...

Page 147: ...responding ISG session This document describes how to configure ISG as a RADIUS proxy Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG RADIUS P...

Page 148: ... corresponding IP session upon successful authentication This functionality provides an automatic login facility with respect to ISG for subscribers that are authenticated by devices that are closer to the network edge When configured as a RADIUS proxy ISG proxies all RADIUS requests generated by a client device and all RADIUS responses generated by the corresponding AAA server as described in RFC...

Page 149: ...ribute Processing and RADIUS Request Correlation page 3 3GPP Attribute Support page 4 Attribute Processing and RADIUS Request Correlation When authentication and accounting requests originate from separate RADIUS client devices ISG uses correlation rules to associate all the requests with the appropriate session The association of the disparate RADIUS flows with the underlying session is performed...

Page 150: ...lowing procedures Initiating ISG RADIUS Proxy IP Sessions page 5 required Configuring ISG RADIUS Proxy Global Parameters page 6 required Configuring ISG RADIUS Proxy Client Specific Parameters page 8 optional Defining an ISG Policy for RADIUS Proxy Events page 10 required Verifying ISG RADIUS Proxy Configuration page 11 optional Clearing ISG RADIUS Proxy Sessions page 12 optional Table 1 3GPP Attr...

Page 151: ...ure terminal Enters global configuration mode Step 3 interface type number Example Router config interface GigabitEthernet 0 0 0 Specifies an interface for configuration and enters interface configuration mode Step 4 ip subscriber interface l2 connected routed Example Router config if ip subscriber routed Enables ISG IP subscriber support on an interface specifies the access method that IP subscri...

Page 152: ...s proxy 5 session identifier attribute number vsa vendor id type number 6 calling station id format mac address msisdn 7 accounting method list method list name default 8 accounting port port number 9 authentication port port number 10 key 0 7 word 11 timer ip address request seconds 12 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode En...

Page 153: ...on which the ISG listens for accounting packets from RADIUS clients The default port is 1646 Step 9 authentication port port number Example Router config locsvr proxy radius authentication port 1111 Specifies the port on which the ISG listens for authentication packets from RADIUS clients The default port is 1645 Step 10 key 0 7 word Example Router config locsvr proxy radius key radpro Configures ...

Page 154: ...dentifier attribute number vsa vendor id type number 7 calling station id format mac address msisdn 8 accounting method list method list name default 9 accounting port port number 10 authentication port port number 11 key 0 7 word 12 timer ip address request seconds 13 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password ...

Page 155: ... the calling station id format Step 8 accounting method list method list name default Example Router config locsvr radius client accounting method list fwdacct Specifies the server to which accounting packets from RADIUS clients are forwarded Step 9 accounting port port number Example Router config locsvr radius client accounting port 2222 Specifies the port on which the ISG listens for accounting...

Page 156: ...ample Router config locsvr radius client timer ip address 5 Specifies the amount of time ISG waits for the specified event before terminating the session ip address Specifies the amount of time ISG waits for an IP address to be assigned to the session request Specifies the amount of time ISG waits to receive an Access Request from a client device Step 13 end Example Router config locsvr radius cli...

Page 157: ... following group group name Uses a subset of RADIUS servers for authorization as defined by the server group group name command group radius Uses the list of all RADIUS servers for authorization as defined by the aaa group server radius command Step 5 policy map type control policy map name Example Router config policy map type control proxyrule Creates or modifies a control policy map which defin...

Page 158: ...adius proxy session id id number ip ip address Example Router show radius proxy session ip 10 10 10 10 Displays information about an ISG RADIUS proxy session Note The ID can be found in the output of the show radius proxy client command Step 3 show subscriber session identifier authen status authenticated unauthenticated authenticated domain domain name authenticated username username dnis dnis me...

Page 159: ...start stop group EAP aaa accounting network FLOWACCT start stop group EAP aaa server radius proxy session identifier attribute 1 calling station id format msisdn authentication port 1111 accounting port 2222 key radpro message authenticator ignore The method list FWDACCT was configured by the aaa accounting network FWDACCT start stop group EAP command above Command or Action Purpose Step 1 enable ...

Page 160: ...y PROXYRULE is applied to the interface service policy type control PROXYRULE radius server host 10 2 36 253 auth port 1812 acct port 1813 key cisco radius server host 10 76 86 83 auth port 1665 acct port 1666 key rad123 radius server vsa send accounting radius server vsa send authentication aaa new model aaa group server radius EAP server 10 2 36 253 auth port 1812 acct port 1813 ISG RADIUS Proxy...

Page 161: ...lied before account logon Rules actions and conditions executed subscriber rule map PROXYRULE condition always event session start 1 proxy aaa list RP 2 service policy type service name service1 Session inbound features Feature Layer 4 Redirect L4 redirect is applied to the session at session start Rule table is empty Traffic classes Traffic class session ID 67 ACL Name 101 Packets 0 Bytes 0 Unmat...

Page 162: ...69 RADIUS Extensions Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Techn...

Page 163: ...S software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 2 Feature Information for ISG RADIUS Proxy Feature Name Releases Feature Information ISG AAA Wireless Enhancements Cisco IOS XE Release 2 5 0 This feature enhances ISG RADIUS proxy to provide additional support for mobile wireless environments It includes ...

Page 164: ...d States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures inc...

Page 165: ...e features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for RADIUS Based Policing section on page 17 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Cont...

Page 166: ...olicing features supported on the Cisco ASR 1000 Series Aggregation Services Router you should understand the following topics RADIUS Attributes page 2 Parameterized QoS Policy as VSA 1 page 5 Parameterization of QoS ACLs page 5 RADIUS Attributes RADIUS communicates with the ISG device by embedding specific attributes in Access Accept and change of authentication CoA messages RADIUS based policing...

Page 167: ...ementing the changes specified in the Cisco VSA the ISG does not make the changes to the originally configured QoS policy on the ISG device Instead the ISG copies the active QoS policy for the session and then makes the required changes to the policy copy which is referred to as a transient policy The originally configured QoS policy on the ISG device is not changed The following sections describe...

Page 168: ...cy child1 The qos actions list field indicates a QoS action such as police followed by the action parameters enclosed in parentheses and separated by commas For example the following sample configuration specifies the police action and defines the parameters bps burst normal burst max conform action exceed action and violate action Parentheses enclose the action parameters voip aggregate police 20...

Page 169: ... acct 1 c d voip 1 10000 In the above example All services are enabled on target Parameterized QoS policy in the second command syntax is not echoed in the ISG service Parameterized QoS policy in the first command syntax is echoed Parameterization of QoS ACLs The Parameterization of QoS Access Control Lists ACLs feature supports multiple ISG and QoS parameterized services in a single Access Accept...

Page 170: ...ible Configuring Per Service Policing Using RADIUS To configure per service policing perform the following configuration tasks Configuring a Hierarchical QoS Child Policy with Policing page 6 Configuring a Hierarchical QoS Parent Policy with Policing page 8 Configuring Per Service Policing on the RADIUS Server page 10 Configuring a Hierarchical QoS Child Policy with Policing Use the following proc...

Page 171: ...ge 10000 Shapes traffic to the indicated bit rate average is the maximum number of bits sent out in each interval Available only on the PRE3 mean rate is the committed information rate CIR in bits per second Step 6 police bps burst normal burst max conform action action exceed action action violate action action Example Router config pmap c police 10000 Configures traffic policing bps is the avera...

Page 172: ...eat steps 2 through 5 for each traffic class you want to define in each policy map Specify either the shape command or the police command for a traffic class but not both commands for the same class You may also specify other commands for each traffic class such as the priority set precedence and random detect commands For more information on the commands you can specify for a traffic class see th...

Page 173: ...rfaces set prec transmit value Sets the IP precedence value set qos transmit value Sets the QoS group value transmit Transmits the packet The packet is not altered Step 4 class class default Example Router config pmap class class default Modifies the class default traffic class and enters policy map class configuration mode Step 5 shape average mean rate burst size excess burst size account qinq d...

Page 174: ...Examples for RADIUS Based Policing This section provides the following configuration examples Adding Parameterization of QoS ACLs Example page 10 Setting the Policing Rate Using an Access Accept Message Examples page 12 Setting the Policing Rate Using a CoA Message Examples page 13 Adding Parameterization of QoS ACLs Example The following example shows how to parameterize the set source IP address...

Page 175: ...atch any voip 10 10 1 0 28 10 3 20 29 match access group name IPOne acl 10 10 1 0 28 10 3 20 29 The old class is replaced with the new class in the output QoS policy of the subscriber along with any other attributes Adding Parameterization of QoS ACLs with ISG Service accounting The following example shows how to add QoS accounting by configuring the Intelligent Services Gateway ISG accounting ser...

Page 176: ...of the Premium class in the Child policy The Child policy is applied to the class default class of the Parent policy radius subscriber 6 framed protocol ppp service framed vsa cisco generic 1 string qos policy out add class sub class default Premium police 200000 RADIUS Access Accept Message The ISG receives the following RADIUS Access Accept message Notice that the above Cisco VSA configured in t...

Page 177: ...sage to change the policing rate of a service and is based on the following ISG configuration policy map Child class Premium police 12000 policy map Parent class class default shape average 10000 service policy Child RADIUS Configuration The following Cisco VSA is configured in a user s profile on RADIUS This VSA modifies the Premium class of the Child policy which is applied to the class default ...

Page 178: ... policy map New_Child New cloned child policy class Premium police 200000 New policing rate policy map New_Parent New cloned parent policy class class default shape average 10000 service policy New_Child New cloned child policy attached to the new cloned parent policy Verifying RADIUS Based Policing To verify the configuration of RADIUS based policing on the ISG use any of the following commands i...

Page 179: ...guration you want to display If you do not specify class name the router displays the configuration of all of the classes configured in the policy map Router show policy map session output output uid The inbound or outbound policy maps configured per session Also displays the dynamic policy map that is applied to the subscriber session If you do not specify any arguments all sessions with configur...

Page 180: ...echnical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password http www cis...

Page 181: ...account on Cisco com is not required Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 1 Feature Information for RADIUS Based Policing Feature Name Releases Feature Information ISG P...

Page 182: ...he use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers Any examples command display output network topology diagrams and other figures included in the document are shown for illustrative purposes only Any use of...

Page 183: ...ts are received from a subscriber Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Automatic Subscriber Logon section on page 10 Use Cisco Feat...

Page 184: ...configure ISG automatic subscriber logon you should understand the following concepts Overview of ISG Automatic Subscriber Logon page 2 Supported Identifiers for ISG Automatic Subscriber Logon page 3 Authorization Based on Circuit ID and Remote ID page 3 Accounting Behavior When ISG Automatic Subscriber Logon Is Configured page 3 Overview of ISG Automatic Subscriber Logon Service providers commonl...

Page 185: ...l use the circuit ID and remote ID that are provided by the Layer 2 edge access device for authorization If the ip dhcp relay information option command is configured the ISG device will use the circuit ID and remote ID that are received in a DHCP message Accounting Behavior When ISG Automatic Subscriber Logon Is Configured Accounting Behavior for MAC Address Based Authorization If the MAC address...

Page 186: ...ill apply SUMMARY STEPS 1 enable 2 configure terminal 3 class map type control match all class map name 4 match source ip address ip address subnet mask or match nas port circuit id name or match nas port remote id name 5 end DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Ro...

Page 187: ...uit id DETAILED STEPS Step 4 match source ip address ip address subnet mask or match nas port circuit id name or match nas port remote id name Example Router config control classmap match source ip address 10 1 1 0 255 255 255 0 Creates a condition that will evaluate true if a subscriber s source IP address matches the specified IP address or Creates a condition that will evaluate true if a subscr...

Page 188: ...rol policy map which is used to define a control policy Step 4 class type control class map name always event session start Example Router config control policymap class type control TAL subscribers event session start Specifies a control class which defines the conditions that must be met in order for an associated set of actions to be executed Specify the control class map that was configured in...

Page 189: ...ll still be brought up but in the state unauthen The following sample output shows information for a session for which automatic subscriber authorization was successful Router show subscriber session all Current Subscriber Information Total sessions 1 Unique Session ID 3 Identifier aabb cc01 3000 SIP subscriber access type s IP Current SIP options Req Fwding Req Fwded Session Up time 00 00 24 Last...

Page 190: ...ss as the username If the authorization request is successful any automatic activation services specified in the returned user profile are activated for the session and the execution of rules within the control policy stops If the authorization is not successful the rule execution proceeds and the subscriber is redirected to the policy server to log in If the subscriber does not log in within five...

Page 191: ...o Internet proxy user cisco Service Profile Configuration Auto Internet Password cisco Cisco Service Info IAuto Internet Cisco Avpair traffic class input access group 100 proxy user Password cisco Idle Timeout 5 Additional References The following sections provide references related to ISG automatic subscriber logon Related Documents MIBs Related Topic Document Title ISG commands Cisco IOS Intelli...

Page 192: ...r go to http www cisco com go cfn An account on Cisco com is not required Note Table 1 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Description Link The Cisco Support website provides extensive online...

Page 193: ...ir respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content i...

Page 194: ...Configuring ISG Policies for Automatic Subscriber Logon Feature Information for ISG Automatic Subscriber Logon 12 ...

Page 195: ...e release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Interaction with External Policy Servers section on page 8 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Navigator go to http www c...

Page 196: ...In this model the external policy server is typically an authentication authorization and accounting AAA server that uses RADIUS ISG is the RADIUS client Instead of a AAA server some systems use a RADIUS proxy component that converts to other database protocols such as Lightweight Directory Access Protocol LDAP The dynamic authorization model allows the external policy server to dynamically send p...

Page 197: ...TEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 aaa authentication login default list name method1 method2 Example Router config aaa authentication login PPP1 group radius Specifies one or more AAA authentication methods...

Page 198: ...l any session key 8 ignore server key session key 9 end Step 6 aaa authorization subscriber service default list name method1 method2 Example Router config aaa authorization subscriber service default radius Specifies one or more AAA authorization methods for ISG to use in providing a service Step 7 aaa accounting auth proxy system network exec connection commands level default list name vrf vrf n...

Page 199: ...le Router config locsvr da radius Specifies a client with which ISG will be communicating Step 5 port port number Example Router config locsvr da radius port 1600 Specifies the RADIUS server port Default is 1700 Step 6 server key 0 7 word Example Router config locsvr da radius server key cisco Specifies the encryption key shared with the RADIUS client Step 7 auth type all any session key Example R...

Page 200: ...thorization network default group CAR_SERVER aaa authorization subscriber service default local group radius aaa accounting network default start stop group CAR_SERVER aaa server radius dynamic author client 10 76 86 90 key cisco client 172 19 192 25 vrf VRF1 key cisco client 172 19 192 25 vrf VRF2 key cisco client 172 19 192 25 key cisco message authenticator ignore Additional References The foll...

Page 201: ...cription Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter...

Page 202: ...isco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation Continuum EtherFast EtherSwitch Event Center Explorer Fast Step Follow Me Browsing FormShare GainMaker GigaDrive HomeLink iLYNX Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo Laser Link LightStream Link...

Page 203: ...Enabling ISG to Interact with External Policy Servers Feature Information for ISG Interaction with External Policy Servers 9 coincidental 2006 2009 Cisco Systems Inc All rights reserved ...

Page 204: ...Enabling ISG to Interact with External Policy Servers Feature Information for ISG Interaction with External Policy Servers 10 ...

Page 205: ...nding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Subscriber Services section on page 18 Use Cisco Feature Navigator to find information about pla...

Page 206: ...ic Policies page 3 ISG Features page 3 Service Groups page 4 Service Activation Methods page 4 ISG Services An ISG service is a collection of policies that may be applied to a subscriber session ISG services can be applied to any session regardless of subscriber access media or protocol and a single service may be applied to multiple sessions An ISG service is not necessarily associated with a des...

Page 207: ... that traffic class If there are multiple services with the traffic classes by default packets are matched according to the order in which the services are installed Traffic classes can also be assigned priority The priority of a traffic class determines which class will be used first for a specified match In other words if a packet matches more than one traffic class it will be classified to the ...

Page 208: ...an one such service at the same time Service Groups A service group is a grouping of services that may be simultaneously active for a given session Typically a service group includes one primary service and one or more secondary services Secondary services in a service group are dependent on the primary service and should not be activated unless the primary service is already active Once a primary...

Page 209: ...VICE1_CHECK match service name SERVICE1 policy map type control SERVICE1_CHECK event service start 1 service policy type service name SERVICE1 The same default behavior applies to subscriber logoffs with the ISG policy engine searching for a policy that matches the event service stop If a policy is configured it is the responsibility of the policy to specify how the service should be applied How t...

Page 210: ...olicy map name 4 authenticate aaa list name of list 5 classname dhcp pool name 6 ip portbundle 7 ip unnumbered interface type interface number 8 ip vrf forwarding name of vrf 9 service deny 10 service relay pppoe vpdn group VPDN group name 11 service vpdn group VPDN group name 12 sg service group service group name 13 sg service type primary secondary DETAILED STEPS Command or Action Purpose Step ...

Page 211: ...tethernet 0 0 0 Enables IP processing on an interface without assigning an explicit IP address to the interface Step 8 ip vrf forwarding name of vrf Example Router config service policymap ip vrf forwarding blue Associates the service with a VRF Configuring this command will make the service a primary service Step 9 service deny Example Router config service policymap service deny Denies network s...

Page 212: ...ess list in order to configure a service with a traffic policy that applies to all session traffic Prerequisites This task assumes that access control lists ACLs have been configured for classifying traffic SUMMARY STEPS 1 enable 2 configure terminal 3 class map type traffic match any class map name 4 match access group input access list number name access list name 5 match access group output acc...

Page 213: ...nfigure terminal Enters global configuration mode Step 3 class map type traffic match any class map name Example Router config class map type traffic match any class1 Creates or modifies a traffic class map which is used for matching packets to a specified ISG traffic class Step 4 match access group input access list number name access list name Example Router config traffic classmap match access ...

Page 214: ...e1 Creates or modifies a service policy map which is used to define an ISG service Step 4 priority class type traffic class map name Example Router config service policymap class type traffic classb Specifies a named traffic class whose policy you want to create or change The priority argument determines which class will be used first for a specified match When a packet matches more than one traff...

Page 215: ...p 7 redirect list access list number to group server group name ip ip address port port number duration seconds frequency seconds Example Router config service policymap class traffic redirect to ip 10 10 10 10 Redirects traffic to a specified server or server group Step 8 timeout absolute duration in seconds Example Router config control policymap class traffic timeout absolute 30 Specifies the s...

Page 216: ...ure automatic service activation for a service in a subscriber s user profile SUMMARY STEPS 1 Add the Auto Service attribute to the user profile Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service policy m...

Page 217: ...ta depleted service start service stop session default service session service found session start timed policy expiry 5 action number service policy type service name unapply policy map name DETAILED STEPS Command or Action Purpose Step 1 Add the Auto Service attribute to the user profile 26 9 251 Aservice name username password Automatically logs the subscriber in to the specified service when t...

Page 218: ...ifies a class and optionally an event for which actions may be configured Step 5 action number service policy type service name unapply policy map name Example Router config control policymap class control 1 service policy type service service1 Applies the specified service policy map To remove the service policy map use the unapply keyword Command or Action Purpose Command or Action Purpose Step ...

Page 219: ...SERVICE1_TC match access group input name SERVICE1_ACL_IN match access group output name SERVICE1_ACL_OUT policy map type service SERVICE1 10 class type traffic SERVICE1_TC accounting aaa list CAR_ACCNT_LIST class type traffic default in out drop AAA Server Configuration Attributes Cisco AVPair ip traffic class in access group name SERVICE1_ACL_IN priority 10 Cisco AVPair ip traffic class in defau...

Page 220: ... lists BOD1M_IN_ACL_IN and BOD1M_ACL_OUT are used to define the traffic class These examples are equivalent and show the two methods of service configuration in a service policy map that is configured directly on the ISG and in a service profile that is configured on a AAA server ISG Configuration class map type traffic match any BOD1M_TC match access group input name BOD1M_IN_ACL_IN match access ...

Page 221: ...e upon session start class map type traffic match any UNAUTHORIZED_TRAFFIC match access group input 100 policy map type service UNAUTHORIZED_REDIRECT_SVC class type traffic UNAUTHORIZED_TRAFFIC redirect to ip 10 0 0 148 port 8080 policy map type control UNAUTHEN_REDIRECT class type control always event session start 1 service policy type service name UNAUTHORIZED_REDIRECT_SVC Deactivating a Layer ...

Page 222: ...o com go cfn An account on Cisco com is not required Note Table 1 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command ...

Page 223: ...e Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Int...

Page 224: ...Configuring ISG Subscriber Services Feature Information for ISG Subscriber Services 20 ...

Page 225: ...t feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Network Policies section on page 7 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software ima...

Page 226: ...ng identifier must be specified to indicate which routing table should be used to make the routing decision each VRF represents an independent routing context within a single router Where the network policy type is forwarding forwarding decisions are made at Layer 2 which means that all subscriber packets are forwarded to and from a single virtual endpoint within the system This virtual endpoint r...

Page 227: ...in Service Policy Maps page 3 Configuring Network Policies for IP Sessions in Service Policy Maps page 5 Configuring Network Policies for PPP Sessions in Service Policy Maps Network policies can be configured in user profiles or service profiles on an external AAA server or in a service policy map on the ISG device Perform this task to configure a network forwarding policy for PPP sessions in a se...

Page 228: ...mple Router config service policymap service local Example Router config service policymap service relay pppoe vpdn group vpdn1 Provides virtual private dialup network VPDN service or Provides local termination service or Provides VPDN service by relaying PPPoE over VPDN L2TP tunnels If you terminate the service locally by configuring the service local command you can also specify the routing doma...

Page 229: ...on the device Note If a network forwarding policy is not specified in a user profile service profile or service policy map a subscriber session will inherit the network forwarding policy from another source See the Configuration Sources for Network Policies section on page 2 for more information SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map name 4 ip vrf forwardi...

Page 230: ...a network forwarding policy for PPP sessions policy map type service my_service service vpdn group vpdn1 Network Forwarding Policy for IP Sessions Example The following example shows a service policy map configured with a network forwarding policy for IP sessions policy map type service my_service ip vrf forwarding vrf1 Step 4 ip vrf forwarding name of vrf Example Router config service policymap i...

Page 231: ...list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference VPDN configuration tasks Cisco IOS XE VPDN Technologies ...

Page 232: ...ctive owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is uninte...

Page 233: ...feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Accounting section on page 24 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image supp...

Page 234: ...traffic as defined by a traffic class is enabled in a service profile or service policy map When per flow accounting is configured the Parent Session ID vendor specific attribute VSA is included in accounting records so that per session and per flow accounting records can be correlated in the RADIUS server When accounting is configured in a user profile the service name attribute is not included i...

Page 235: ...ting session ID of the parent session The Acct Status Type attribute included in the Accounting Request record indicates whether the record marks the start or the end of the service The name of the service is included in accounting records for service logon and logoff Accounting records may be sent for events other than account and service logon and logoff See the Configuring Accounting chapter of...

Page 236: ...ormation in interim accounting records The billing server monitors all interim accounting updates and obtains the information about the traffic sent at each tariff rate Note Tariff switching is not required for time based billing services Because the billing server knows the service logon time stamp and logoff time stamp it can calculate the various tariffs that apply during that time How to Confi...

Page 237: ...o Avpair accounting list accounting_mlist_name 2 IETF RADIUS attribute Acct Interim Interval attribute 85 DETAILED STEPS Step 1 Cisco Avpair accounting list accounting_mlist_name Add the Accounting attribute to the user profile This attribute enables accounting and specifies the AAA method list to which accounting updates will be sent Step 2 IETF RADIUS attribute Acct Interim Interval attribute 85...

Page 238: ...ounting command See the Cisco IOS Security Command Reference for more information AAA servers must be configured to support ISG accounting Enabling Per Flow Accounting in a Service Profile on the AAA Server Perform this task to configure per flow accounting in a service profile on the AAA server Prerequisites This task assumes that you have defined IP access lists for specifying traffic SUMMARY ST...

Page 239: ...bute specifies the number of seconds between interim updates Enabling Per Flow Accounting in a Service Policy Map on the Router Perform this task to enable accounting in a local service policy map for a specific flow Prerequisites This task assumes that you have defined a traffic class map and associated IP access lists See the module Configuring ISG Subscriber Services for more information about ...

Page 240: ...rerequisites page 9 Enabling Per Service Accounting on the ISG page 9 Configuring RADIUS for Service Activation and Deactivation page 10 Step 3 policy map type service policy map name Example Router config policy map type service service1 Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 class type traffic class m...

Page 241: ... for more information AAA servers must be configured to support ISG accounting Enabling Per Service Accounting on the ISG Use the following procedure to enable per service accounting on the ISG SUMMARY STEPS 1 enable 2 configure terminal 3 subscriber service session accounting 4 exit DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter you...

Page 242: ...vice accounting the traffic class attribute should not be included in the service profile SUMMARY STEPS 1 Cisco Avpair accounting list accounting_mlist_name 2 IETF RADIUS attribute Acct Interim Interval attribute 85 DETAILED STEPS Step 1 Cisco Avpair accounting list accounting_mlist_name Add the Accounting attribute to the service profile This attribute enables accounting and specifies the AAA met...

Page 243: ...s list for matching traffic Step 4 exit Example Router config traffic classmap exit Exit traffic class map configuration mode Step 5 policy map type service policy map name Example Router config policy map type service polmap1 Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 6 class type traffic class map name Exam...

Page 244: ...paid tariff switching will apply to the specified flow If you do not configure a traffic class postpaid tariff switching will apply to the session Perform this task to configure per session or per flow postpaid tariff switching Prerequisites ISG per session or per flow accounting must be configured in order for postpaid tariff switching to work SUMMARY STEPS 1 Cisco AVpair PPWhh mm ss days 2 Cisco...

Page 245: ...ntrol policies can be used to activate services For more information about methods of service activation see the module Configuring ISG Subscriber Services Verifying ISG Accounting and Postpaid Tariff Switching Perform the following tasks to verify ISG accounting and postpaid tariff switching configuration Display Information About a Subscriber Session page 13 Display AAA Subscriber Sessions page ...

Page 246: ...IP options Req Fwding Req Fwded Session Up time 3 minutes 45 seconds Last Changed 3 minutes 45 seconds AAA unique ID 0 Switch handle F300015F Session inbound features Feature Service accounting Service video1 Method List remote local Outbound direction Packets 84 Bytes 33600 Feature Policing Upstream Params Average rate 8000 Normal burst 1500 Excess burst 3000 Config level Service Session outbound...

Page 247: ...s Last Changed 2 minutes 59 seconds AAA unique ID 81 Switch handle 890003A0 Interface ATM6 0 1 Policy information Authentication status authen Config downloaded for session policy From Access Type Account Logon CH Client SM Event Got More Keys Profile name apply config only 2 references ssg account info SAfoo Rules actions and conditions executed subscriber rule map rule1 condition always event an...

Page 248: ...A subscribers SUMMARY STEPS 1 enable 2 show aaa user all unique id DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 show aaa sessions Example Router show aaa sessions Displays AAA subscriber session information Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode En...

Page 249: ...00001 pre bytes out 291 4 0 0 1A1CAC90 0 00000001 paks_in 136 4 92215 16837 1A1CADF0 0 00000001 paks_out 275 4 0 0 1A1CAE00 0 00000001 pre paks in 292 4 0 0 1A1CAE10 0 00000001 pre paks out 293 4 0 0 No data for type EXEC No data for type CONN NET Username n a Session Id 000000A7 Unique Id 00000097 Start Sent 1 Stop Only N stop_has_been_sent N Method List 189F046C Name CAR_mlist Attribute list 1A1...

Page 250: ...Unique id 151 is currently in use Accounting log 0x20C201 Events recorded CALL START NET UP IPCP_PASS INTERIM START VPDN NET UP update method s PERIODIC update interval 60 Outstanding Stop Records 0 Dynamic attribute list 1A1CABE8 0 00000001 connect progress 68 4 Call Up 1A1CABF8 0 00000001 pre session time 294 4 0 0 1A1CAC08 0 00000001 nas tx speed 421 4 423630024 194014C8 1A1CAC18 0 00000001 nas...

Page 251: ...Num 1 Stop Received 0 Byte Packet Counts till Call Start Start Bytes In 0 Start Bytes Out 0 Start Paks In 0 Start Paks Out 0 Byte Packet Counts till Service Up Pre Bytes In 0 Pre Bytes Out 0 Pre Paks In 0 Pre Paks Out 0 Cumulative Byte Packet Counts Bytes In 11434660 Bytes Out 0 Paks In 92215 Paks Out 0 StartTime 12 02 40 IST Oct 16 2007 AuthenTime 12 02 40 IST Oct 16 2007 Component IEDGE_ACCOUNTI...

Page 252: ..._id 00003EAB Flow_handle 0 Authentication status authen Downloaded User profile excluding services service type 2 Framed ssg account info Ntc_svc1 ssg account info Atc_svc1 Downloaded User profile including services service type 2 Framed ssg account info Ntc_svc1 ssg account info Atc_svc1 timeout 2000 0x7D0 idletime 2000 0x7D0 traffic class in access group name 101 traffic class out access group n...

Page 253: ...iated with this session Service tc_svc1 Active Time 00 11 36 AAA Service ID 806290049 Interface Virtual Template1 Active Time 00 11 36 Configuration Examples for ISG Accounting This section contains the following examples Per Flow Accounting Examples page 21 Per Service Accounting Example page 22 Per Service Accounting on ISG Example page 22 ISG Postpaid Tariff Switching Examples page 22 Per Flow ...

Page 254: ...ce session accounting subscriber authorization enable vpdn enable Per Service Accounting on ISG Example The following example shows how to configure per service accounting in a service policy map on the ISG device class map type traffic match any classmap1 policy map type service polmap1 class type traffic classmap1 accounting aaa list mlist1 ISG Postpaid Tariff Switching Examples The following ex...

Page 255: ...tion Authorization and Accounting AAA section in the Cisco IOS Security Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such ...

Page 256: ...ted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 1 Feature Information for ISG Accounting Feature Name Releases Feature Configuration Information ISG Accounting Per Session Service and Flow Cisco IOS XE Release 2 2 ISG accounting provides the means to bill for account or service usage ISG accounting uses the RADIUS protocol to facilitate...

Page 257: ...o Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any...

Page 258: ...ices each with a different billing rate ISG supports time and volume based prepaid billing This module provides information about how to configure ISG support for prepaid billing Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of...

Page 259: ...lume Monitor Polling Timer and QV Values page 3 ISG Prepaid Threshold page 3 ISG Prepaid Idle Timeout page 3 Benefits of ISG Prepaid Billing page 4 Overview of ISG Support for Prepaid Billing ISG prepaid billing support allows ISG to check the available credit for a subscriber to determine whether to activate the service for the subscriber and how long the session can last The subscriber s credit ...

Page 260: ...ess rate x 300 For example an ADSL2 or VDSL user access rate can be up to 20 Mbps That is approximately 2 5 megabytes MB of data in one second Calculate the QV value by using the following formula 2 5 MB x 15 seconds QV 2 5 MB x 300 seconds This calculation results in a QV value between 37 5 MB and 750 MB however we recommend you do not choose either the highest or lowest value in this range For e...

Page 261: ...is actively using Threshold Values ISG enables you to configure threshold values that cause prepaid sessions to be reauthorized before the subscriber completely consumes the allotted quota for a service Traffic Status During Reauthorization You can prevent revenue leaks by configuring ISG to drop connected traffic during reauthorization of a service The user remains connected to the service and ne...

Page 262: ... created and a method of service activation is in place Configuring RADIUS Attribute Support for ISG Prepaid Billing Perform this task to enable ISG to include RADIUS attribute 44 in Access Request packets and attribute 55 in Accounting Request packets SUMMARY STEPS 1 enable 2 configure terminal 3 radius server attribute 44 include in access req vrf vrf name 4 radius server attribute 55 include in...

Page 263: ...es privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 radius server attribute 44 include in access req vrf vrf name Example Router config radius server attribute 44 include in access req Sends RADIUS attribute 44 Accounting Session ID in Access Request packets before user authentication Step 4 rad...

Page 264: ...terim interval number of minutes 5 method list accounting authorization name of method list 6 password password 7 threshold time seconds volume kilobytes Kbytes megabytes Mbytes bytes bytes 8 end 9 show subscriber session detailed identifier identifier uid session id username name DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your p...

Page 265: ...thod list accounting list1 Specifies the AAA method list to be used for ISG prepaid accounting or authorization Step 6 password password Example Router config prepaid password cisco Configures the password to be used for ISG prepaid authorization and reauthorization requests Step 7 threshold time seconds volume kilobytes Kbytes megabytes Mbytes bytes bytes Example Router config prepaid threshold t...

Page 266: ...ice mp3 Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 priority class type traffic class map name Example Router config service policymap class type traffic class acl 101 Associates a previously configured traffic class with the policy map and enters control policy map traffic class configuration mode Step 5 pr...

Page 267: ...control policymap class traffic end Exits the current configuration mode and returns to privileged EXEC mode Step 7 show subscriber session detailed identifier identifier uid session id username name Example Router show subscriber session detailed Optional Displays ISG subscriber session information Command or Action Purpose Command or Action Purpose Step 1 Add the ISG Traffic Class attribute to t...

Page 268: ...erver has determined for certain that the subscriber does not have enough credit but the idle timeout provides a grace period in which the subscriber could recharge the account Typically a service provider would want to redirect the subscriber s traffic to a web portal where the subscriber could recharge the account At the end of the idle timeout interval ISG will send a reauthorization request Th...

Page 269: ...er configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service redirect service Creates or defines a service policy map which is used to define an ISG service and enters service policy map configuration mode Step 4 priority class type traffic class name Example Router config service policymap class type traffic cl...

Page 270: ...type control control class name always event credit exhausted 5 action number service policy type service name policy map name 6 end 7 show subscriber session detailed identifier identifier uid session id username name DETAILED STEPS Step 6 end Example Router config control policymap class traffic end Exits the current configuration mode and returns to privileged EXEC mode Step 7 show subscriber s...

Page 271: ...server responds to the reauthorization request that ISG sent when the threshold was met Step 3 policy map type control policy map name Example Router config policy map type control policyA Creates or modifies a policy map that defines a control policy Step 4 class type control control class name always event credit exhausted Example Router config control policymap class type control always event c...

Page 272: ...olicy map type control policy map name 4 class type control control class name always event quota depleted 5 action number set param drop traffic false 6 end 7 show subscriber session detailed identifier identifier uid session id username name DETAILED STEPS Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure t...

Page 273: ...tication succeeded Step 3 Make sure the AAA method list referred to in the prepaid billing configuration is valid and has been configured with the aaa accounting network command Step 4 Use the test aaa command to make sure the AAA server is reachable from ISG Step 5 Use the debug subscriber policy prepaid command to display debug messages about prepaid operation Step 5 action number set param drop...

Page 274: ...st that will be used for this service to authenticate subscribers is called cp mlist That is the same method list to which the service accounting records will be sent Prepaid authorization reauthorization and accounting messages will be sent to the AAA method list called ap mlist aaa authorization network default local aaa authorization network ap mlist group sg2 aaa authentication login cp mlist ...

Page 275: ...ta depleted 1 set param drop traffic false class type control always event credit exhausted 1 service policy type service name l4redirect policy map type service l4redirect class type traffic CLASS ALL redirect to group SESM subscriber feature prepaid conf prepaid threshold time 100 threshold volume 1000 bytes method list author prepaidlist method list accounting default password cisco Additional ...

Page 276: ...o access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required MIB MIBs Link To locate and download MIBs for selected platforms Cisco IOS XE software releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs Description Link The Cisco Support website provides extensive online resources including documentation and...

Page 277: ...ink LightStream Linksys MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy PCNow PIX PowerKEY PowerPanels PowerTV PowerTV Design PowerVu Prisma ProConnect ROSA SenderBase SMARTnet Spectrum Expert StackWise WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned...

Page 278: ...alive support is configured for monitoring session data traffic in the upstream direction for idleness Address Resolution Protocol ARP is used for Layer 2 connected subscribers For routed host Layer 3 connected subscribers the protocol defaults to Internet Control Message Protocol ICMP ICMP is also used in configurations where the access interface does not support ARP Finding Feature Information F...

Page 279: ...hich the idle timer is applied is always outbound ISG supports both per session and per flow accounting Per session accounting is the aggregate of all the flow traffic for a session Per session accounting can be enabled in a user profile or in a service profile or service policy map Information About Configuring Policies for Session Maintenance Before you configure the ISG session maintenance time...

Page 280: ...live feature configured for the subscriber If a session is idle for a configured period of time keepalive requests are sent to the subscriber This action verifies that the connection is still active The protocol to use for the keepalive request and response can be configured based on the IP subscriber session type If it is a directly connected host Layer 2 connection ARP is used For routed host La...

Page 281: ...ed to the hosts must enable directed broadcast forwarding so that the IP subnet broadcast gets translated into a Layer 2 broadcast When these two conditions are satisfied you can optimize the ICMP keepalive configuration to minimize the number of ICMP packets Note Because enabling directed broadcasts increases the risk of denial of service attacks the use of subnet directed broadcasts is not turne...

Page 282: ...Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service policy1 Enters policy map configuration mode so you can begin configuring the service policy Step 4 priority class type traffic class map name Example Router config control policymap class type traffic class1 Assoc...

Page 283: ...to a user or service profile DETAILED STEPS Configuring the Connection Timer in a Service Policy Map Perform this task to set the connection timer in a service policy map SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map name 4 priority class type traffic class map name 5 timeout idle duration in seconds 6 end DETAILED STEPS Command or Action Purpose Step 1 Session T...

Page 284: ...ce policy map name Example Router config policy map type service policy1 Enters policy map configuration mode so you can begin configuring the service policy Step 4 priority class type traffic class map name Example Router config control policymap class type traffic class1 Associates a previously configured traffic class to the policy map Step 5 timeout idle duration in seconds Example Router conf...

Page 285: ...mers page 9 Debug Commands Available for the Session Maintenance Timers page 9 Enabling the Session Maintenance Timer Debug Commands page 9 Prerequisites for Troubleshooting the Session Maintenance Timers Before performing the task in this section it is recommended that you be familiar with the use of Cisco IOS debug commands described in the introductory chapters of the Cisco IOS Debug Command Re...

Page 286: ...ble 1 lists the debug commands that can be used to diagnose problems with the session maintenance timers Enabling the Session Maintenance Timer Debug Commands Perform this task to enable the session maintenance timer debug commands SUMMARY STEPS 1 enable 2 debug command 3 end DETAILED STEPS Table 1 Debug Commands for Troubleshooting Session Maintenance Timers Command Purpose debug subscriber featu...

Page 287: ...ample a PPP over Ethernet PPPoE or PPP over ATM PPPoA session this feature application will fail and the following applies If the feature is applied at a session start event both the feature application and the session will fail If this feature is pushed onto a session after the session start event the push will fail SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service policy map ...

Page 288: ...onfigured only in this mode Step 4 keepalive idle period1 attempts max retries interval period2 protocol ICMP broadcast ARP Example Router config service policymap keepalive idle 7 attempts 3 interval 1 protocol arp Configures the maximum idle period number of requests interval between requests and protocol for keepalive messages The ranges and defaults are Idle period range 5 to 2147483647 second...

Page 289: ...efaults are as follows Idle period range is 5 to 2147483647 seconds default is 10 seconds Attempts range is 3 to 10 default is 5 Interval default is 1 to 60 seconds Protocol for Layer 2 connections the default is ARP for routed connections the default is ICMP Broadcast option by default this option is disabled Note If a service profile includes an ISG traffic class configuration the keepalive feat...

Page 290: ...rnal policy server and enters dynamic authorization local server configuration mode Step 5 client ip address Example Router config locsvr da radius client 10 10 10 11 Specifies a RADIUS client from which a device will accept Change of Authorization CoA and disconnect requests The example specifies 10 10 10 11 as the IP address of the RADIUS client Step 6 port port number Example Router config locs...

Page 291: ...rvice video service class type traffic traffic class police input 20000 30000 60000 police output 21000 31500 63000 timeout absolute 4800 class type traffic default output drop Connection Idle Timer Configuration in a Service Policy Map Example The following example limits idle connection time in a service policy map to 30 seconds class map type traffic match any traffic class match access group i...

Page 292: ...ubscriber Information Total sessions 1 Unique Session ID 4 Identifier user01 SIP subscriber access type s PPPoE PPP Current SIP options Req Fwding Req Fwded Session Up time 00 01 44 Last Changed 00 01 46 AAA unique ID 5 Interface Virtual Access2 1 Policy information Context 02DE7380 Handle AD00000C Authentication status authen User profile excluding services Framed Protocol 1 PPP username user01 F...

Page 293: ...nfigured features Jan 12 18 43 15 167 SSF Vt1 uid 4 Associate segment element handle 0xF4000003 for session 67108875 1 entries Jan 12 18 43 15 167 SSF Vt1 uid 4 Idle Timeout Group feature install Jan 12 18 43 15 167 SSF uid 4 Idle Timeout Adding feature to outbound segment s Jan 12 18 43 15 167 Idle Timeout uid 4 Idle timer start duration 2000 seconds direction outbound Jan 12 18 43 16 327 SSM FH ...

Page 294: ...oubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user...

Page 295: ...specific software release feature set or platform To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Note Table 2 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support...

Page 296: ...ers The use of the word partner does not imply a partnership relationship between Cisco and any other company 0910R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional a...

Page 297: ...Configuring ISG Policies for Session Maintenance Feature Information for Configuring ISG Policies for Session Maintenance 20 ...

Page 298: ...bscriber authentication initial and periodic advertising captivation redirection of application traffic and DNS redirection Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see th...

Page 299: ... can be forwarded to a server that redirects the users to a logon page Similarly if users try to access a service to which they have not logged on the packets can be redirected to a server that provides a service logon screen The Layer 4 Redirect feature supports three types of redirection which can be applied to subscriber sessions or to flows Permanent redirection Specified traffic is redirected...

Page 300: ...pots subscribers may have a static DNS server addresses which may not be reachable at certain locations Redirecting DNS queries to a local DNS server allows applications to work properly without requiring reconfiguration How to Configure ISG Layer 4 Redirect There are three ways to apply Layer 4 redirection to sessions One way is to configure redirection directly on a physical main interface or lo...

Page 301: ...server group name ip ip address port port number duration seconds frequency seconds Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 redirect server group group name Example Router config redirect server group ADVT SERVER Defi...

Page 302: ... 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 interface type number Example Router config interface fastethernet 0 0 505 Specifies an interface and enters interface configuration mode Step 4 ip subscriber Example Router config if ip subscriber Optional Enables ISG IP subscriber configuration mode Step 5 identifier interface Example Router config su...

Page 303: ...e Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Router configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service service1 Creates or modifies a service policy map which is used to define an ISG service Step 4 class type traffic ...

Page 304: ...er 4 redirection in a service profile you may want to configure a method of activating the service profile for example control policies can be used to activate services For more information about methods of service activation see the module Configuring ISG Subscriber Services Verifying ISG Traffic Redirection Perform this task to verify the configuration and operation of ISG Layer 4 traffic redire...

Page 305: ...n Up time 40 minutes 30 seconds Last Changed 40 minutes 30 seconds AAA unique ID 135 Switch handle F000086 Interface ATM2 0 53 Policy information Authentication status unauthen Config downloaded for session policy From Access Type IP Interface Client SM Event Service Selection Request Service Profile name blind rdt 2 references username blind rdt l4redirect redirect to group sesm grp Rules actions...

Page 306: ... Session Up time 42 minutes 54 seconds Last Changed 42 minutes 54 seconds AAA unique ID 133 Switch handle 17000084 Interface FastEthernet0 0 505 Policy information Authentication status unauthen Session inbound features Feature Layer 4 Redirect Rule Cfg Definition 1 INT Redirect to group sesm grp Configuration sources associated with this session Interface FastEthernet0 0 505 Active Time 42 minute...

Page 307: ...n the subscriber logs out of the service redirection is applied again service policy type control THE_RULE class map type traffic match any CLASS ALL class map type traffic match any CLASS 100_110 match access group input 100 match access group output 110 policy map type service blind rdt class type traffic CLASS ALL redirect to group PORTAL policy map type service svc rdt class type traffic CLASS...

Page 308: ...f the lifetime of the session service policy type control initial rdt policy map type control intial rdt class type control always event session start 1 service policy type service name initial rdt profile policy map type service initial rdt profile class type traffic CLASS ALL redirect to group ADVT duration 60 Periodic Redirection Examples The following example shows how to redirect subscriber t...

Page 309: ...ed to the ISG Layer 4 Redirect feature Related Documents Technical Assistance Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security an...

Page 310: ...nk Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Ci...

Page 311: ...ies and ISG policing Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for ISG Policies for Regulating Network Access section on page 8 Use Cisco Featur...

Page 312: ...pports policing of upstream and downstream traffic ISG policing differs from policing configured using the MQC in that ISG policing can be configured in service profiles to support policing of traffic flows MQC policies cannot be configured in service profiles ISG policing can also be configured in user profiles and service profiles to support session policing How to Configure ISG Policies for Reg...

Page 313: ... configured on a AAA server in either a user profile or a service profile that does not specify a traffic class It can also be configured on the router in a service policy map Session based policing parameters that are configured in a user profile take precedence over session based policing parameters configured in a service profile or service policy map Flow Based Policing Flow based policing app...

Page 314: ...er configure terminal Enters global configuration mode Step 3 policy map type service policy map name Example Router config policy map type service service1 Creates or modifies a service policy map which is used to define an ISG service Step 4 priority class type traffic class map name Example Router config service policymap class type traffic silver Associates a previously configured traffic clas...

Page 315: ...icing Perform this task to verify ISG policing configuration SUMMARY STEPS 1 enable 2 show subscriber session detailed identifier identifier uid session id username name Command or Action Purpose Step 1 Add the following Policing vendor specific attribute VSA to the user profile on the AAA server 26 9 250 QU committed rate normal burst excess burst D com mitted rate normal burst excess burst or Ad...

Page 316: ...rmal burst 3000 Excess burst 6000 Config level Service The following example shows output for the show subscriber session command where upstream policing parameters are specified in a user profile and downstream policing parameters are specified in a service profile Router show subscriber session all Current Subscriber Information Total sessions 2 Unique Session ID 2 Session inbound features Featu...

Page 317: ...in 103 match access group out 203 policy map type service P3 class type traffic C3 police input 20000 30000 60000 police output 21000 31500 63000 Session Based Policing Configured in a User Profile on a AAA Server The following example shows policing configured in a user profile Cisco Account Info QU 23465 8000 12000 D 64000 Session Based Policing Configured in a Service Profile on a AAA Server Th...

Page 318: ... train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Description Link The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subsc...

Page 319: ...tudy IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in...

Page 320: ...Configuring ISG Policies for Regulating Network Access Feature Information for ISG Policies for Regulating Network Access 10 ...

Page 321: ...s for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for Configuring ISG Integration with SCE section on page 14 Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support To access Cisco Feature Na...

Page 322: ...additional policies will override the policy previously applied on the SCE This feature requires a control bus communication protocol which runs over RADIUS and RADIUS extensions as specified in RFC 3576 operating in two modes PUSH and PULL In PULL mode the ISG device waits for a query from the SCE In PUSH mode the download of an external feature is initiated by the ISG device as soon as an extern...

Page 323: ... of ISG and SCE in subscriber management Table 1 ISG and SCE Roles in Subscriber Management ISG pushes policies or external services to the SCE for a given subscriber session in the form of RADIUS change of authorization CoA messages External service activation can be triggered by the policy manager component inside the ISG or by an external authentication authorization and accounting AAA server T...

Page 324: ... Between SCE and ISG Communication between the SCE and the ISG device is managed by an external policy delegation EPD handler module in Cisco IOS software The EPD implements the control bus on the ISG and handles all messaging between the ISG device and SCE Details of communications between the ISG and AAA servers are found in the Cisco IOS Intelligent Services Gateway Configuration Guide This tas...

Page 325: ... SCE to provision update or deactivate a session and activate or deactivate policies A shared secret configured for a specific client overrides the key configured using the key shared secret command Step 5 authentication port port number Example Router config locsvr radius authentication port 1433 Specifies the port on which the EPD handler listens for session and identity query requests from SCE ...

Page 326: ...ing SCE Connection Parameter on ISG To configure the server connection management on either a per server or a global basis perform the steps in this section SUMMARY STEPS 1 enable 2 configure terminal 3 policy peer address ip address keepalive seconds 4 policy peer keepalive seconds 5 exit ...

Page 327: ...palive seconds Example Router config policy peer address 10 10 10 1 keepalive 6 Configures the keepalive value in seconds for a specific policy defined by the given IP address Valid values are from 5 to 3600 The default value is zero 0 If the default value is in effect on the ISG device the keepalive value proposed by the external policy device is used Step 4 policy peer keepalive seconds Example ...

Page 328: ...D_POLICY Configures the specified policy map on the ISG and enters policy map configuration mode Step 4 class type control class map name always event session start Example Router config control policymap class type control always event acct notification Specifies to apply actions matching conditions defined by the class map name or always for an event type Event types include the following accoun...

Page 329: ...mmands or on the AAA server Configuring Services on ISG To configure a service containing accounting features and to activate an external policy on the SCE device follow the steps in this section SUMMARY STEPS 1 enable 2 configure terminal 3 policy map type service service map name 4 class map type traffic class map name 5 accounting aaa list listname 6 sg service type external policy 7 policy nam...

Page 330: ...raffic class and enters control policy map class configuration mode Step 5 accounting aaa list listname Example Router config service policymap accounting aaa list list1 Configures accounting for ISG and enters service policy map configuration mode Step 6 sg service type external policy Example Router config control policymap sg service type external policy Defines the service as an external polic...

Page 331: ...ed to troubleshoot the integration of ISG with SCE show subscriber policy peer address ip address handle connection handle id all Examples This section contains sample output of the show subscriber policy peer command show subscriber policy peer all The following example shows sample output of the command when the all keyword is used Router show subscriber policy peer all Peer IP 10 0 0 10 Conn ID...

Page 332: ...tEthernet5 1 1 ip address 10 10 10 1 255 255 255 0 ISG Integration with SCE Example The following example shows how to configure two SCEs each with the same authentication and accounting ports ISG handles CoA messages on port 1700 for one SCE and on default port 3799 for the other SCE Peering is maintained for each SCE with the ISG via different keepalive intervals When a user session starts POLIC...

Page 333: ...ontrol bus in PUSH mode scmp scmp name ISG radius 10 10 10 2 secret cisco auth 1433 acct 1435 scmp subscriber send session start interface LineCard 0 subscriber anonymous group name all IP range 192 168 12 0 0xffffff00 scmp name ISG SCE Control Bus Setup Configured in PULL Mode The following example shows how to configure the SCE control bus in PULL mode scmp scmp name ISG radius 10 10 10 2 secret...

Page 334: ...to http www cisco com go cfn An account on Cisco com is not required Note Table 2 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Description Link The Cisco Support website provides extensive online reso...

Page 335: ... and certain other countries All other trademarks mentioned in this document or website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in...

Page 336: ...Configuring ISG Integration with SCE Feature Information for Configuring ISG Integration with SCE 16 ...

Page 337: ...he operational interface to provision update delete and control activation of those policies Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for Servi...

Page 338: ...ard that is scalable efficient simple extensible and robust BEEP is a framework for designing application protocols Benefits of SGI SGI is a protocol that allows Cisco IOS XE software to be controlled using third party applications toolkits and development platforms for web services The SGI feature is a common model that can express ISG provisioning in many languages and it is easy to use How to E...

Page 339: ...nning including the running state It also shows statistical information about SGI sessions that have been started and are currently running The following is sample output from this command Router show sgi session sgi sessions open 1 max 10 started 15 session id 1 started at 9 08 05 state OPEN Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your pass...

Page 340: ...pp beep 0x66245188 frame_available type M number 1 answer 1 more size 1400 Jul 1 20 55 11 372 sgi beep listen app beep 0x66245188 Content Type application xml xml version 1 0 encoding UTF 8 Jul 1 20 55 11 372 sgi beep listen app beep 0x66245188 frame_available type M number 1 answer 1 more size 111 Jul 1 20 55 11 372 sgi beep listen app beep 0x66245188 gitypes policyGroup objects sgiops insertPoli...

Page 341: ...g BEEP Listener Connection Example The following example shows how to configure the BEEP listener connection The port number is set to 2089 enable configure terminal sgi beep listener 2089 Additional References Related Documents MIBs Related Topic Document Title Overview of ISG Cisco IOS Intelligent Services Gateway Configuration Guide ISG commands Cisco IOS Intelligent Services Gateway Command Re...

Page 342: ...sco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNo...

Page 343: ... imply a partnership relationship between Cisco and any other company 0812R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental 2009 Cisco Systems Inc A...

Page 344: ...Service Gateway Interface Feature Information for Service Gateway Interface 8 ...

Page 345: ...s distributed conditional debugging Finding Feature Information For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature Information for Distributed Conditional Debugging section on page 11 Use Cisco...

Page 346: ...em unusable For this reason use the Cisco IOS debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff Moreover it is best to use debug commands during periods of lower network traffic and fewer users or on a debug chassis with a single active session Debugging during these periods decreases the likelihood that increased debug comm...

Page 347: ...mponents that a session traverses For this reason the conditional debugging previously offered in the Cisco IOS XE software has been enhanced to facilitate debug filtering for ISG and is available as distributed conditional debugging Cisco IOS XE Software Components Supported by Distributed Conditional Debugging The following components are supported for ISG distributed conditional debugging Authe...

Page 348: ...ng Distributed Conditional Debugging page 7 Restrictions page 7 Enabling Distributed Conditional Debugging page 7 Displaying Debugging Conditions page 8 Troubleshooting Tips page 8 ISG Debug Condition Commands Table 1 lists the debug condition commands that you can issue at the EXEC prompt to enable distributed conditional debugging You can set more than one condition Command or Action Purpose Ste...

Page 349: ...on mac address hexadecimal MAC address Filters messages on the specified MAC address debug condition portbundle ip IP address bundle bundle number Filters messages on the specified Port Bundle Host Key PBHK debug condition session id session ID Filters messages on the specified session identifier Note The session identifier can be obtained by entering the show subscriber session command debug cond...

Page 350: ...e detail debug subscriber feature error debug subscriber feature event debug subscriber feature interface config error debug subscriber feature interface config event debug subscriber feature modem on hold detail debug subscriber feature modem on hold error debug subscriber feature modem on hold event debug subscriber feature portbundle error debug subscriber feature portbundle event debug subscri...

Page 351: ...onditions If multiple conditions are set the debugging messages corresponding to all the sessions that meet any of the conditions will be displayed Some conditions such as domain name will trigger debugging messages for all the sessions that belong to the particular domain Enabling Distributed Conditional Debugging Perform this task to enable distributed conditional debugging for ISG SUMMARY STEPS...

Page 352: ...y been set the following message is displayed Condition already set Command or Action Purpose Step 1 enable Example Router enable Enables privileged EXEC mode Enter your password if prompted Step 2 debug condition command Example Router debug condition username user cisco com Enter one or more of the debug condition commands listed in Table 1 to enable distributed conditional debugging Step 3 debu...

Page 353: ...contains the following examples Monitoring Interface Statistics Example page 9 Monitoring CPU Statistics Example page 10 Enabling ISG Distributed Conditional Debugging Example page 10 Displaying Debugging Conditions Example page 10 Filtering Debug Output Example page 10 Monitoring Interface Statistics Example The following example shows sample output for the show interface monitor command The disp...

Page 354: ...Only debugging messages for the defined user are displayed on the console Any other debugging messages associated with other users will not be displayed Router debug condition username user cisco com Condition 1 set Router debug ppp negotiation Router debug pppoe event Router debug subscriber session event Displaying Debugging Conditions Example The following example shows how to display debugging...

Page 355: ...vices Gateway Features Roadmap Related Topic Document Title ISG commands Cisco IOS Intelligent Services Gateway Command Reference Cisco IOS debug commands Cisco IOS Debug Command Reference Conditional debugging Conditionally Triggered Debugging chapter in the Cisco IOS Debug Command Reference Description Link The Cisco Support website provides extensive online resources including documentation and...

Page 356: ... Linksys MediaTone MeetingPlace MeetingPlace Chime Sound MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countr...

Page 357: ...ny Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental 2006 2009 Cisco Systems Inc All rights reserved ...

Page 358: ...Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging Feature Information for Distributed Conditional Debugging 14 ...

Reviews: