Upstream Access Control List, MTU Size | Cisco Systems OL-4387-02

Chapter 7 Service Profiles and Cached Service Profiles

Service Profiles

Upstream Access Control List

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Cisco-AVpair = “ip:inacl[#number]={standard-access-control-list extended-access-control-list}”

Domain Name

(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified by the DNS server address.

Service-Info = “Oname1[;name2]...[;nameX]”

Full Username

Indicates that RADIUS authentication and accounting requests use the full username (user@service).

Service-Info = “X”

MTU Size

Specifies the PPP MTU size of the SSG as a LAC. By default, the PPP MTU size is 1500 bytes.

Service-Info = "Bsize"

Note In Directory Enabled Service Selection Subscription (DESS) mode, SESM does not support the use of this attribute.

RADIUS Server

Specifies the remote RADIUS servers that SSG uses to authenticate, authorize, and perform accounting for a service logon for a proxy service type. This attribute is only used in proxy service profiles and is required.

You can configure each remote RADIUS server with timeout and retransmission parameters. SSG will perform failover among the servers.

Service-Info =

“SRadius-server-address;auth-port;acct-port;secret-key[;retrans;timeout;deadtime]”

Service Authentication Type

Specifies whether the SSG uses the CHAP or PAP protocol to authenticate users for proxy services.

Service-Info = "Aauthen-type"

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

7-2	OL-4387-02

Image 50

Cisco Systems OL-4387-02 manual Upstream Access Control List, Domain Name, Full Username, MTU Size, Radius Server

Contents

Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved N T E N T S Iii Configuration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile SSG Unconfig Vii Viii Document Organization About This GuideAudience Document Conventions Cisco.com Related DocumentationObtaining Documentation Documentation CD-ROM Documentation FeedbackObtaining Technical Assistance Ordering Documentation TAC Case Priority Definitions Cisco TAC WebsiteOpening a TAC Case Xiii Obtaining Additional Publications and Information Xiv Service Selection Gateway Overview Service Selection Gateway SSG Topology Example Default Network Access Protocols Supported SSG Features SSG Restrictions Service Selection Gateway Overview SSG Restrictions SSG Prerequisites SSG Architecture Model Service Selection Gateway Overview SSG Architecture Model OL-4387-02 Scalability and Performance Limitations and Restrictions Scalability and Performance Limitations and Restrictions Prerequisites for Single Host Logon SSG Logon and LogoffSingle Host Logon Restrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff Example 3-1 SSG Autologoff Using ARP Ping SSG Prepaid Idle TimeoutConfiguration Example for SSG Autologoff Example 3-2 SSG Autologoff Using Icmp Ping Service Authorization Service Reauthorization Configuration of SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle Timeout Example 3-7 SSG Threshold Volume SSG Session and Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect Example 3-6 SSG Threshold Time Restrictions for SSG Full Username Radius Attribute Authentication and AccountingSSG Full Username Radius Attribute Example 4-1 Radius Freeware Format Example Example 4-3 Radius Accounting-Start Record Account Login and LogoutRadius Accounting Records Example 4-4 Radius Accounting-Stop Record Service Connection and Termination Authentication and Accounting Radius Accounting Records PTA-Multidomain Service Selection MethodsPPP Terminated Aggregation Web Service Selection Restrictions for PTA-MD Sesm and SSG Performance OL-4387-02 Service Connection SSG AutoDomain Restrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid Configuration Example for SSG Prepaid SSG Open Garden SSG Port-Bundle Host Key Configuration of SSG Open GardenConfiguration Example for SSG Open Garden Restrictions for SSG Open Garden Restrictions for SSG Port-Bundle Host Key Exclude Networks Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Prerequisites for SSG Port-Bundle Host Key Configuration of Mutually Exclusive Service Selection OL-4387-02 Service Profiles Downstream Access Control List Domain Name Upstream Access Control ListService Authentication Type Full Username Service Mode Service-Defined CookieService Description Service Next-Hop Gateway Service Profile Example Cached Service ProfilesType of Service Example 7-1 Service Profile Configuration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview SSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical Policing Configuration Examples for SSG Hierarchical Policing Example 8-2 Enabling Per-Session Policing on a Router OL-4387-02 Interface Configuration Transparent Passthrough Access Side Interfaces For example Network Side Interfaces Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Restrictions of Transparent Passthrough Configuration of Multicast Protocols on SSG Interfaces 10-1 Redirection for Unauthenticated UsersSSG TCP Redirect Redirection for Unauthorized Services 10-2 Initial Captivation 10-3 Prerequisites for SSG TCP Redirect Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect 10-4 Example 10-2 Limiting Redirected TCP Sessions 10-5Example 10-1 Binding a Server Group to a Port Configuring SSG TCP Redirect 10-6 Example 10-3 Defining a Captive Portal Server Group Configuration Examples for SSG TCP Redirect10-7 Example 10-4 Defining Network Lists 10-8 Example 10-5 Defining Port Lists 11-1 Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile Radius Virtual Circuit Logging AAA Server Group Support for Proxy ServicesConfiguration of Radius Virtual Circuit Logging 11-2 Packet Filtering 11-3 Restrictions for Packet Filtering Downstream Access Control List-outaclUpstream Access Control List-inacl 11-4 Configuration Example for Packet Filtering SSG UnconfigConfiguration of Packet Filtering Restrictions for SSG Unconfig Configuration Examples for SSG Unconfig Prerequisites for SSG UnconfigConfiguration of SSG Unconfig 11-6 11-7 SSG Enhancements for Overlapping ServicesService Translation 11-8 Restrictions for Service Translation 11-9 Configuration of Service Translation 11-10 Expansion of Service IDs 11-11 Network Sets 11-12 Monitoring and Maintaining SSG 12-1 Restrictions for Per-Service Statistics Troubleshooting RadiusPer-Service Statistics 12-2 Monitoring the Parallel Express Forwarding Engine 12-3 12-4 SSG Configuration Example Figure A-1 SSG Example Topology Example A-1 Cisco 10000 Router SSG Configuration Username cisco password 0 cisco clock timezone PST Ssg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Feature Implementation Notes SSG Implementation Notes Mpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 O S S a R Y GL-1 GL-2 GL-3 GL-4 GL-5 GL-6 D E IN-1 DSL G-1 IN-2 ISP G-2 L2TP IN-3 Radius IN-4 Reauthorizing prepaid IN-5 TCP IN-6 VRF G-5 VSA IN-7 IN-8