Cisco Systems OL-4387-02 manual Service Authorization, Service Reauthorization

Page 28

Chapter 3 SSG Logon and Logoff

SSG Prepaid Idle Timeout

Service Authorization

SSG sends a service authorization request to the billing server upon initial service authorization. Explicit service authorization is required whenever a user attempts to connect to a prepaid service to ensure that the user has sufficient credit to connect to that service. The billing server responds with the available quota (allotment of prepaid credit) to SSG. If the returned available quota is greater than zero or not present, SSG allows the user to connect to the service and begins metering based on the allotted quota. For this authorization, an Access-Request is generated once the service is identified as a prepaid service. The Access-Request is generated for service authorization regardless of the service type (for example, virtual private dial-up network (VPDN), passthrough, proxy, or tunnel).

The billing server responds to the service authorization Access-Request with an Access-Accept that defines the quota parameters for the connection. Authorization for a service is provided based on the presence and content of the Quota (Attribute 26) and the Idle Timeout (Attribute 28) vendor-specific attributes (VSAs) in the Access-Accept.

Service Reauthorization

SSG sends a service reauthorization request to the billing server at the following times:

When a prepaid user’s quota is consumed

After the configured idle timeout expires

When the user’s remaining quota reaches the configured threshold value

The SSG Prepaid Idle Timeout feature enables you to configure how traffic is handled during reauthorization. By default, traffic continues during reauthorization. If the billing server returns a zero quota in the reauthorization response, SSG disconnects the connection but the data that was in progress during the reauthorization goes through and is not accounted. You can configure SSG to either drop or forward traffic during reauthorization. You can also configure a threshold value, which configures SSG to reauthorize a connection with the billing server before a prepaid user’s allocated quota is completely consumed.

By configuring the ssg prepaid reauthorization drop-packetcommand, SSG drops the traffic on a connection during reauthorization and the time used during the reauthorization is not accounted to that connection. SSG deducts the reauthorization times from the total session duration time and sends the Account Session Time (Attribute 46) in the Accounting Stop and Update packets.

If the billing server responds with a time-based connection to redirect the traffic, then SSG redirects TCP traffic. The time of the TCP redirection is also not accounted to the user’s connection.

The reauthorization request for SSG Prepaid Idle Timeout is similar to the reauthorization request for SSG Prepaid. However, the SSG Prepaid Idle Timeout reauthorization request contains an additional attribute: Reauthorization Reason. If the Reauthorization Reason attribute is not present, the billing server assumes that the reason for the reauthorization request is Primary Quota Consumed. The values of the Reauthorization Reason attribute are the following:

Quota Consumed (QR0)

Idle Timer Expired (QR1)

For more information, refer to the SSG Prepaid Idle Timeout, Release 12.2(15)B feature module.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

3-4

OL-4387-02

 

 

Page 27 Page 29
Image 28
Page 27 Page 29
Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved N T E N T S IiiConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile SSG Unconfig ViiViii Audience About This GuideDocument Organization Document Conventions Obtaining Documentation Related DocumentationCisco.com Documentation Feedback Obtaining Technical AssistanceDocumentation CD-ROM Ordering DocumentationCisco TAC Website Opening a TAC CaseTAC Case Priority Definitions XiiiObtaining Additional Publications and Information XivService Selection Gateway Overview Service Selection GatewaySSG Topology Example Default Network Access ProtocolsSupported SSG Features SSG RestrictionsService Selection Gateway Overview SSG Restrictions SSG Prerequisites SSG Architecture ModelService Selection Gateway Overview SSG Architecture Model OL-4387-02 Scalability and Performance Limitations and RestrictionsScalability and Performance Limitations and Restrictions Single Host Logon SSG Logon and LogoffPrerequisites for Single Host Logon SSG Autologoff Configuration of SSG AutologoffRestrictions for SSG Autologoff SSG Prepaid Idle Timeout Configuration Example for SSG AutologoffExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp PingService Authorization Service ReauthorizationRestrictions for SSG Prepaid Idle Timeout Prerequisites for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout Example 3-5 SSG Service-Specific TCP RedirectExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold TimeAuthentication and Accounting SSG Full Username Radius AttributeRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleAccount Login and Logout Radius Accounting RecordsExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records PPP Terminated Aggregation Service Selection MethodsPTA-Multidomain Web Service Selection Restrictions for PTA-MDSesm and SSG Performance OL-4387-02 Service Connection SSG AutoDomainConfiguration Example for SSG AutoDomain Configuration of SSG AutoDomainRestrictions for SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA Format Example 6-1 SSG AutoDomainExample 6-3 AutoDomain Exclude File Format SSG Prepaid Configuration of SSG PrepaidRestrictions for SSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenConfiguration of SSG Open Garden Configuration Example for SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Mutually Exclusive Service Selection Configuration of SSG Port-Bundle Host KeyExclude Networks Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Service Profiles Downstream Access Control ListUpstream Access Control List Service Authentication TypeDomain Name Full UsernameService-Defined Cookie Service DescriptionService Mode Service Next-Hop GatewayCached Service Profiles Type of ServiceService Profile Example Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Overview SSG Hierarchical PolicingSSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Example 8-2 Enabling Per-Session Policing on a RouterOL-4387-02 Interface Configuration Transparent PassthroughAccess Side Interfaces For exampleConfiguration of Transparent Passthrough Multicast Protocols on SSG InterfacesNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces SSG TCP Redirect Redirection for Unauthenticated Users10-1 Redirection for Unauthorized Services 10-2Initial Captivation 10-3Configuration of SSG TCP Redirect Restrictions for SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4Example 10-1 Binding a Server Group to a Port 10-5Example 10-2 Limiting Redirected TCP Sessions Configuring SSG TCP Redirect 10-6Configuration Examples for SSG TCP Redirect 10-7Example 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network Lists10-8 Example 10-5 Defining Port ListsVPI/VCI Static Binding to a Service Profile Miscellaneous SSG Features11-1 AAA Server Group Support for Proxy Services Configuration of Radius Virtual Circuit LoggingRadius Virtual Circuit Logging 11-2Packet Filtering 11-3Downstream Access Control List-outacl Upstream Access Control List-inaclRestrictions for Packet Filtering 11-4SSG Unconfig Configuration of Packet FilteringConfiguration Example for Packet Filtering Restrictions for SSG UnconfigPrerequisites for SSG Unconfig Configuration of SSG UnconfigConfiguration Examples for SSG Unconfig 11-6Service Translation SSG Enhancements for Overlapping Services11-7 11-8 Restrictions for Service Translation 11-9Configuration of Service Translation 11-10Expansion of Service IDs 11-11Network Sets 11-12Monitoring and Maintaining SSG 12-1Troubleshooting Radius Per-Service StatisticsRestrictions for Per-Service Statistics 12-2Monitoring the Parallel Express Forwarding Engine 12-312-4 SSG Configuration Example Figure A-1 SSG Example TopologyExample A-1 Cisco 10000 Router SSG Configuration Username cisco password 0 cisco clock timezone PSTSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Feature Implementation Notes SSG Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 O S S a R Y GL-1GL-2 GL-3 GL-4 GL-5 GL-6 D E IN-1DSL G-1 IN-2ISP G-2 L2TP IN-3Radius IN-4Reauthorizing prepaid IN-5TCP IN-6VRF G-5 VSA IN-7IN-8
Top Page Image Contents