Cisco Systems OL-4387-02 manual Redirection for Unauthorized Services, 10-2

Page 64

Chapter 10 SSG TCP Redirect

The SSG TCP Redirect feature always sends redirected packets to a captive portal group that consists of one or more servers. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. For upstream packets, SSG modifies the destination IP address and TCP port to reflect the destination captive portal. For downstream packets, SSG returns the source IP address and port to the original packet’s destination. SSG uses the same redirect server if multiple TCP sessions from the same user are redirected. When the TCP session terminates or is idle for more than 60 seconds, SSG clears translations of packets made before being sent to the captive portal. In host-key mode with overlapping user IP addresses, redirection works only for host-keyed servers.

Note This feature applies only to non-PPP users. PPP users are always authenticated as part of the PPP negotiation process. PPP users logging off from SESM are also redirected.

The following describes the behavior of redirection for unauthorized users:

If a user is subject to redirection or captivation, then packets from the user that match the protocol and ports configured as the redirection and captivation filter are sent to SESM. If the user packet does not match the filter, SSG drops the packet.

SSG drops all packets to the user, unless the packet arrives from the SESM or the Open Garden network.

Redirection for Unauthorized Services

Redirection for unauthorized services redirects TCP sessions from authenticated users who have not been authorized to access service networks. SSG TCP Redirect redirects the packets to a captive portal, such as SESM. SESM can then prompt for the service logon.

SSG can redirect unauthorized TCP sessions for different networks to different servers. For network-based redirection, a list of networks are used for unauthorized service redirect. The network list is associated with a group of servers. Only one network list can be associated with a server group.

The server group can also be associated with a port or a list of ports. Servers handle particular captive portal applications as defined by the port that they use. TCP sessions redirected to servers can be restricted based on a port or port list. A port list defines a named list of interesting destination TCP ports. The port list is associated with a server group and is used to restrict the applications redirected to a server group. Only one port list or port can be associated with a server group.

If none of the destination networks matches the networks in the network list, you can set up a default server group to receive redirected packets by using the redirect unauthorized-servicecommand.

[no] redirect unauthorized-service [destination network-list network-listname]to

group-name

SSG TCP Redirect also restricts access to certain networks that are part of another authorized service. For example, in Figure 10-1the user is allowed to access ServiceA. IPTVService is part of ServiceA, but the user is not authorized to access IPTVService. SSG redirects TCP sessions from the user to IPTVService (10.1.1.1/32), but allows access to anywhere else in ServiceA (10.0.0.0/8).

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

10-2

OL-4387-02

 

 

Page 63 Page 65
Image 64
Page 63 Page 65
Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved N T E N T S IiiConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile SSG Unconfig ViiViii Audience About This GuideDocument Organization Document Conventions Obtaining Documentation Related DocumentationCisco.com Documentation Feedback Obtaining Technical AssistanceDocumentation CD-ROM Ordering DocumentationCisco TAC Website Opening a TAC CaseTAC Case Priority Definitions XiiiObtaining Additional Publications and Information XivService Selection Gateway Overview Service Selection GatewaySSG Topology Example Default Network Access ProtocolsSupported SSG Features SSG RestrictionsService Selection Gateway Overview SSG Restrictions SSG Prerequisites SSG Architecture ModelService Selection Gateway Overview SSG Architecture Model OL-4387-02 Scalability and Performance Limitations and RestrictionsScalability and Performance Limitations and Restrictions Single Host Logon SSG Logon and LogoffPrerequisites for Single Host Logon SSG Autologoff Configuration of SSG AutologoffRestrictions for SSG Autologoff SSG Prepaid Idle Timeout Configuration Example for SSG AutologoffExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp PingService Authorization Service ReauthorizationRestrictions for SSG Prepaid Idle Timeout Prerequisites for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout Example 3-5 SSG Service-Specific TCP RedirectExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold TimeAuthentication and Accounting SSG Full Username Radius AttributeRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleAccount Login and Logout Radius Accounting RecordsExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records PPP Terminated Aggregation Service Selection MethodsPTA-Multidomain Web Service Selection Restrictions for PTA-MDSesm and SSG Performance OL-4387-02 Service Connection SSG AutoDomainConfiguration Example for SSG AutoDomain Configuration of SSG AutoDomainRestrictions for SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA Format Example 6-1 SSG AutoDomainExample 6-3 AutoDomain Exclude File Format SSG Prepaid Configuration of SSG PrepaidRestrictions for SSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenConfiguration of SSG Open Garden Configuration Example for SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Mutually Exclusive Service Selection Configuration of SSG Port-Bundle Host KeyExclude Networks Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Service Profiles Downstream Access Control ListUpstream Access Control List Service Authentication TypeDomain Name Full UsernameService-Defined Cookie Service DescriptionService Mode Service Next-Hop GatewayCached Service Profiles Type of ServiceService Profile Example Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Overview SSG Hierarchical PolicingSSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Example 8-2 Enabling Per-Session Policing on a RouterOL-4387-02 Interface Configuration Transparent PassthroughAccess Side Interfaces For exampleConfiguration of Transparent Passthrough Multicast Protocols on SSG InterfacesNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces SSG TCP Redirect Redirection for Unauthenticated Users10-1 Redirection for Unauthorized Services 10-2Initial Captivation 10-3Configuration of SSG TCP Redirect Restrictions for SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4Example 10-1 Binding a Server Group to a Port 10-5Example 10-2 Limiting Redirected TCP Sessions Configuring SSG TCP Redirect 10-6Configuration Examples for SSG TCP Redirect 10-7Example 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network Lists10-8 Example 10-5 Defining Port ListsVPI/VCI Static Binding to a Service Profile Miscellaneous SSG Features11-1 AAA Server Group Support for Proxy Services Configuration of Radius Virtual Circuit LoggingRadius Virtual Circuit Logging 11-2Packet Filtering 11-3Downstream Access Control List-outacl Upstream Access Control List-inaclRestrictions for Packet Filtering 11-4SSG Unconfig Configuration of Packet FilteringConfiguration Example for Packet Filtering Restrictions for SSG UnconfigPrerequisites for SSG Unconfig Configuration of SSG UnconfigConfiguration Examples for SSG Unconfig 11-6Service Translation SSG Enhancements for Overlapping Services11-7 11-8 Restrictions for Service Translation 11-9Configuration of Service Translation 11-10Expansion of Service IDs 11-11Network Sets 11-12Monitoring and Maintaining SSG 12-1Troubleshooting Radius Per-Service StatisticsRestrictions for Per-Service Statistics 12-2Monitoring the Parallel Express Forwarding Engine 12-312-4 SSG Configuration Example Figure A-1 SSG Example TopologyExample A-1 Cisco 10000 Router SSG Configuration Username cisco password 0 cisco clock timezone PSTSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Feature Implementation Notes SSG Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 O S S a R Y GL-1GL-2 GL-3 GL-4 GL-5 GL-6 D E IN-1DSL G-1 IN-2ISP G-2 L2TP IN-3Radius IN-4Reauthorizing prepaid IN-5TCP IN-6VRF G-5 VSA IN-7IN-8
Top Page Image Contents