Cisco Systems OL-4387-02 manual Initial Captivation, 10-3

Page 65

Chapter 10 SSG TCP Redirect

Figure 10-1 Restricting Access to Networks within Authorized Services

ServiceA

10.0.0.0/8

IPTVService 10.1.1.1/32

87908

The following describes the behavior of redirection for unauthorized services:

•If a packet arrives from an unauthorized SSG user or it is destined to an unauthorized service, SSG redirects the packet if the packet matches the protocol and ports configured as the redirection filter. If the packet does not match the filter, SSG drops the packet.

•If a packet arrives from an unauthorized service or is destined to an unauthorized SSG user, SSG drops the packet.

•If a user’s connection is subject to redirection or captivation, SSG redirects to SESM any packets from the connection that match the protocol and ports for redirection and captivation.

•If packets from the connection do not match the protocol and ports configured as a filter, SSG drops the packets.

Initial Captivation

Initial captivation redirects certain packets from users for a specific period of time. After a user logs on, packets to certain TCP ports are redirected to a server for advertisements and branding. SSG captivates the user by redirecting all user packets to those TCP ports regardless of the destination address.

Captivation is active for a specified duration, starting from the first redirected session.

If you configure initial captivation globally by using the CLI, captivation applies to all authenticated users. You can also enable initial captivation in the RADIUS user profile as an Account-Info attribute to override the CLI setting.

The user profile contains the following information for initial captivation:

•Server group name

Note Use the CLI to configure the server group and associate a port or port list to the server group.

•Duration of captivation

•Service name (optional)

Note If you specify the optional service name, captivation activates only when logon to that service occurs.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

	OL-4387-02	10-3

Image 65

Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T SConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG UnconfigViii Document Organization About This GuideAudience Document Conventions Cisco.com Related DocumentationObtaining Documentation Obtaining Technical Assistance Documentation FeedbackDocumentation CD-ROM Ordering DocumentationOpening a TAC Case Cisco TAC WebsiteTAC Case Priority Definitions XiiiXiv Obtaining Additional Publications and InformationService Selection Gateway Service Selection Gateway OverviewSSG Topology Example Access Protocols Default NetworkSSG Restrictions Supported SSG FeaturesService Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG PrerequisitesService Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and PerformanceScalability and Performance Limitations and Restrictions Prerequisites for Single Host Logon SSG Logon and LogoffSingle Host Logon Restrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff Configuration Example for SSG Autologoff SSG Prepaid Idle TimeoutExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp PingService Reauthorization Service AuthorizationPrerequisites for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect SSG Session and Idle TimeoutExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold TimeSSG Full Username Radius Attribute Authentication and AccountingRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format ExampleRadius Accounting Records Account Login and LogoutExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop RecordService Connection and Termination Authentication and Accounting Radius Accounting Records PTA-Multidomain Service Selection MethodsPPP Terminated Aggregation Restrictions for PTA-MD Web Service SelectionSesm and SSG Performance OL-4387-02 SSG AutoDomain Service ConnectionRestrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid SSG Open Garden Configuration Example for SSG PrepaidConfiguration Example for SSG Open Garden Configuration of SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open GardenRestrictions for SSG Port-Bundle Host Key Configuration of SSG Port-Bundle Host Key Mutually Exclusive Service SelectionExclude Networks Prerequisites for SSG Port-Bundle Host KeyConfiguration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service ProfilesService Authentication Type Upstream Access Control ListDomain Name Full UsernameService Description Service-Defined CookieService Mode Service Next-Hop GatewayType of Service Cached Service ProfilesService Profile Example Example 7-1 Service ProfileConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing ConfigurationExample 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical PolicingOL-4387-02 Transparent Passthrough Interface ConfigurationFor example Access Side InterfacesMulticast Protocols on SSG Interfaces Configuration of Transparent PassthroughNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces 10-1 Redirection for Unauthenticated UsersSSG TCP Redirect 10-2 Redirection for Unauthorized Services10-3 Initial CaptivationRestrictions for SSG TCP Redirect Configuration of SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4Example 10-2 Limiting Redirected TCP Sessions 10-5Example 10-1 Binding a Server Group to a Port 10-6 Configuring SSG TCP Redirect10-7 Configuration Examples for SSG TCP RedirectExample 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network ListsExample 10-5 Defining Port Lists 10-811-1 Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile Configuration of Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesRadius Virtual Circuit Logging 11-211-3 Packet FilteringUpstream Access Control List-inacl Downstream Access Control List-outaclRestrictions for Packet Filtering 11-4Configuration of Packet Filtering SSG UnconfigConfiguration Example for Packet Filtering Restrictions for SSG UnconfigConfiguration of SSG Unconfig Prerequisites for SSG UnconfigConfiguration Examples for SSG Unconfig 11-611-7 SSG Enhancements for Overlapping ServicesService Translation 11-8 11-9 Restrictions for Service Translation11-10 Configuration of Service Translation11-11 Expansion of Service IDs11-12 Network Sets12-1 Monitoring and Maintaining SSGPer-Service Statistics Troubleshooting RadiusRestrictions for Per-Service Statistics 12-212-3 Monitoring the Parallel Express Forwarding Engine12-4 Figure A-1 SSG Example Topology SSG Configuration ExampleUsername cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG ConfigurationSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R YGL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D EIN-2 DSL G-1IN-3 ISP G-2 L2TPIN-4 RadiusIN-5 Reauthorizing prepaidIN-6 TCPIN-7 VRF G-5 VSAIN-8