SSG Logon and Logoff, Single Host Logon | Cisco Systems OL-4387-02

C H A P T E R 3

SSG Logon and Logoff

The Cisco 10000 series router supports the following SSG features for logon and logoff related functions:

•Single Host Logon, page 3-1

•SSG Autologoff, page 3-2

•SSG Prepaid Idle Timeout, page 3-3

•SSG Session and Idle Timeout, page 3-6

This chapter describes each of SSG logon and logoff features.

Single Host Logon

The Single Host Logon feature enables users to enter authentication information only twice. To log on to a service through the SESM web application, a subscriber enters authentication information once for the PPP session and once for the service. The subscriber does not have to log on to the SESM. Instead, the SESM uses the PPP authenticated information from the SSG.

For non-PPP users, when a subscriber authenticates using the SESM application, the subscriber does not have to log on again for the remainder of the non-PPP session. However, the subscriber still has to log on to services. For more information, refer to Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.

Prerequisites for Single Host Logon

To use the Single Host Logon feature, you must install and configure Cisco SESM Release 3.1(1) or later.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

	OL-4387-02	3-1

Image 25

Cisco Systems OL-4387-02 manual SSG Logon and Logoff, Prerequisites for Single Host Logon

Contents

Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T S Configuration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG Unconfig Viii Audience About This GuideDocument Organization Document Conventions Obtaining Documentation Related DocumentationCisco.com Obtaining Technical Assistance Documentation FeedbackDocumentation CD-ROM Ordering Documentation Opening a TAC Case Cisco TAC WebsiteTAC Case Priority Definitions Xiii Xiv Obtaining Additional Publications and Information Service Selection Gateway Service Selection Gateway Overview SSG Topology Example Access Protocols Default Network SSG Restrictions Supported SSG Features Service Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG Prerequisites Service Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and Performance Scalability and Performance Limitations and Restrictions Single Host Logon SSG Logon and LogoffPrerequisites for Single Host Logon SSG Autologoff Configuration of SSG AutologoffRestrictions for SSG Autologoff Configuration Example for SSG Autologoff SSG Prepaid Idle TimeoutExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp Ping Service Reauthorization Service Authorization Prerequisites for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle Timeout Example 3-5 SSG Service-Specific TCP Redirect SSG Session and Idle TimeoutExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold Time SSG Full Username Radius Attribute Authentication and AccountingRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format Example Radius Accounting Records Account Login and LogoutExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop Record Service Connection and Termination Authentication and Accounting Radius Accounting Records PPP Terminated Aggregation Service Selection MethodsPTA-Multidomain Restrictions for PTA-MD Web Service Selection Sesm and SSG Performance OL-4387-02 SSG AutoDomain Service Connection Configuration Example for SSG AutoDomain Configuration of SSG AutoDomainRestrictions for SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA Format Example 6-1 SSG AutoDomainExample 6-3 AutoDomain Exclude File Format SSG Prepaid Configuration of SSG PrepaidRestrictions for SSG Prepaid SSG Open Garden Configuration Example for SSG Prepaid Configuration Example for SSG Open Garden Configuration of SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open Garden Restrictions for SSG Port-Bundle Host Key Configuration of SSG Port-Bundle Host Key Mutually Exclusive Service SelectionExclude Networks Prerequisites for SSG Port-Bundle Host Key Configuration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service Profiles Service Authentication Type Upstream Access Control ListDomain Name Full Username Service Description Service-Defined CookieService Mode Service Next-Hop Gateway Type of Service Cached Service ProfilesService Profile Example Example 7-1 Service Profile Configuration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Overview SSG Hierarchical PolicingSSG Hierarchical Policing Token Bucket Scheme Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing Configuration Example 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical Policing OL-4387-02 Transparent Passthrough Interface Configuration For example Access Side Interfaces Multicast Protocols on SSG Interfaces Configuration of Transparent PassthroughNetwork Side Interfaces Restrictions of Transparent Passthrough Configuration of Multicast Protocols on SSG Interfaces SSG TCP Redirect Redirection for Unauthenticated Users10-1 10-2 Redirection for Unauthorized Services 10-3 Initial Captivation Restrictions for SSG TCP Redirect Configuration of SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4 Example 10-1 Binding a Server Group to a Port 10-5Example 10-2 Limiting Redirected TCP Sessions 10-6 Configuring SSG TCP Redirect 10-7 Configuration Examples for SSG TCP RedirectExample 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network Lists Example 10-5 Defining Port Lists 10-8 VPI/VCI Static Binding to a Service Profile Miscellaneous SSG Features11-1 Configuration of Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesRadius Virtual Circuit Logging 11-2 11-3 Packet Filtering Upstream Access Control List-inacl Downstream Access Control List-outaclRestrictions for Packet Filtering 11-4 Configuration of Packet Filtering SSG UnconfigConfiguration Example for Packet Filtering Restrictions for SSG Unconfig Configuration of SSG Unconfig Prerequisites for SSG UnconfigConfiguration Examples for SSG Unconfig 11-6 Service Translation SSG Enhancements for Overlapping Services11-7 11-8 11-9 Restrictions for Service Translation 11-10 Configuration of Service Translation 11-11 Expansion of Service IDs 11-12 Network Sets 12-1 Monitoring and Maintaining SSG Per-Service Statistics Troubleshooting RadiusRestrictions for Per-Service Statistics 12-2 12-3 Monitoring the Parallel Express Forwarding Engine 12-4 Figure A-1 SSG Example Topology SSG Configuration Example Username cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG Configuration Ssg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation Notes Mpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R Y GL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D E IN-2 DSL G-1 IN-3 ISP G-2 L2TP IN-4 Radius IN-5 Reauthorizing prepaid IN-6 TCP IN-7 VRF G-5 VSA IN-8