Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-4387-02 manual Upstream Access Control List, Domain Name, Full Username, MTU Size

Models: OL-4387-02

1 110

Download 110 pages 54.42 Kb

Page 50

Upstream Access Control List

Chapter 7 Service Profiles and Cached Service Profiles

Service Profiles

Upstream Access Control List

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Cisco-AVpair = “ip:inacl[#number]={standard-access-control-list extended-access-control-list}”

Domain Name

(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified by the DNS server address.

Service-Info = “Oname1[;name2]...[;nameX]”

Full Username

Indicates that RADIUS authentication and accounting requests use the full username (user@service).

Service-Info = “X”

MTU Size

Specifies the PPP MTU size of the SSG as a LAC. By default, the PPP MTU size is 1500 bytes.

Service-Info = "Bsize"

Note In Directory Enabled Service Selection Subscription (DESS) mode, SESM does not support the use of this attribute.

RADIUS Server

Specifies the remote RADIUS servers that SSG uses to authenticate, authorize, and perform accounting for a service logon for a proxy service type. This attribute is only used in proxy service profiles and is required.

You can configure each remote RADIUS server with timeout and retransmission parameters. SSG will perform failover among the servers.

Service-Info =

“SRadius-server-address;auth-port;acct-port;secret-key[;retrans;timeout;deadtime]”

Service Authentication Type

Specifies whether the SSG uses the CHAP or PAP protocol to authenticate users for proxy services.

Service-Info = "Aauthen-type"

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

7-2	OL-4387-02

Image 50

Cisco Systems OL-4387-02 manual Upstream Access Control List, Domain Name, Full Username, MTU Size, RADIUS Server

Contents

Cisco Systems, Inc 170 West Tasman Drive San Jose, CA JanuaryCorporate Headquarters 800 553-NETS Fax 408Copyright 2004, Cisco Systems, Inc All rights reserved C O N T E N T S Service Selection Gateway OverviewDefault Network AudienceConfiguration Examples for Account Login and Logout Configuration Example for SSG AutoDomainConfiguration Example for SSG Prepaid Configuration of SSG AutologoffService Profiles Configuration Example for SSG Open GardenConfiguration of Mutually Exclusive Service Selection Service-Defined CookieConfiguring Port-Based Redirection for Unauthenticated Users Configuration of VPI/VCI Static Binding to a Service ProfileInterface Configuration Limiting Redirection for Unauthenticated UsersRestrictions for SSG Unconfig SSG UnconfigPer-Service Statistics Service TranslationOL-4387-02 viiiContents Document Organization About This GuideAudience ChapterTitle Document ConventionsChapter DescriptionRelated Documentation Cisco 10000 Series Router Feature MapCisco 10000 Series Router Software Configuration Guides Obtaining DocumentationDocumentation CD-ROM Documentation FeedbackObtaining Technical Assistance Ordering DocumentationTAC Case Priority Definitions Cisco TAC WebsiteOpening a TAC Case http//tools.cisco.com/RPF/register/register.doObtaining Additional Publications and Information C H A P T E R Service Selection Gateway OverviewService Selection Gateway Figure 1-1 SSG Topology Example Packets from a User and Destined for the Default Network Default NetworkAccess Protocols Packets from the Default Network and Destined for an SSG UserService Selection Methods, page Service Connection, page Supported SSG FeaturesSSG Logon and Logoff, page Authentication and Accounting, page Service Profiles and Cached Service Profiles, pageAny interface requiring tunneling for example, L2TP or GRE tunneling Internet SSG PrerequisitesSSG Architecture Model GamingIn Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices such as a desktop computer over DSL. The Cisco 10000 series router the SSG node forwards unauthenticated SSG traffic from the subscriber to SESM, configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network Chapter 1 Service Selection Gateway Overview SSG Architecture Model OL-4387-02C H A P T E R Scalability and PerformanceLimitations and Restrictions Best-Access to network B at rate Good-Access to network B at rate Single Host Logon SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, pageSSG Logon and Logoff Prerequisites for Single Host LogonRestrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff ARP pingSSG Prepaid Idle Timeout Configuration Example for SSG AutologoffService Authorization Service ReauthorizationConfiguration of SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout SSG Full Username RADIUS Attribute Authentication and AccountingConfiguration Examples for SSG Full Username RADIUS Attribute Restrictions for SSG Full Username RADIUS AttributeAccount Login and Logout, page Account Login and LogoutConfiguration Examples for Account Login and Logout Service Connection and Termination, pageService Connection and Termination Configuration Examples for Service Connection and TerminationService-Type-Indicates the type of service PPP Terminated Aggregation Service Selection MethodsWeb Service Selection, page PTA-MultidomainWeb Service Selection Restrictions for PTA-MDSESM and SSG Performance Chapter 5 Service Selection Methods Web Service Selection OL-4387-02SSG AutoDomain Service ConnectionMutually Exclusive Service Selection, page SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, pageRestrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenSSG Open Garden, Release 12.24B feature module Configuration of SSG Open GardenConfiguration Example for SSG Open Garden SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key SSG Port-Bundle Host Key, Release 12.24B feature module Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Exclude NetworksExample 6-5 Configuring a Mutually Exclusive Service Selection Group Configuration of Mutually Exclusive Service SelectionConfiguration Example for Mutually Exclusive Service Selection OL-4387-02 6-10Chapter 6 Service Connection Mutually Exclusive Service Selection Service Profiles, page Cached Service Profiles, page Service ProfilesDownstream Access Control List Service Profiles and Cached Service ProfilesDomain Name Upstream Access Control ListService Authentication Type Full UsernameService Mode Service-Defined CookieService Description Service Next-Hop GatewayService Profile Example Cached Service ProfilesType of Service Configuration of Cached Service Profiles OL-4387-02 Chapter 7 Service Profiles and Cached Service ProfilesCached Service Profiles SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview C H A P T E RSSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingRouterconfig# local-profile cisco.com Configuration Examples for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Routerconfig-prof# attribute 26 9 1 “QU1600030004000D2400040008000”OL-4387-02 Configuration Examples for SSG Hierarchical PolicingChapter 8 SSG Hierarchical Policing Transparent Passthrough, page Interface ConfigurationTransparent Passthrough C H A P T E RAccess Side Interfaces Network Side Interfaces Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthorized Services, page Initial Captivation, page Redirection for Unauthenticated UsersRedirection for Unauthenticated Users, page SSG TCP Redirectgroup-name Redirection for Unauthorized Services10-2 Initial Captivation 10-3Prerequisites for SSG TCP Redirect Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect 10-4Limiting Redirection for Unauthenticated Users Configuration Considerations for SSG TCP RedirectConfiguring Port-Based Redirection for Unauthenticated Users Configuration Considerations for SSG TCP Redirect, pagePurpose Configuring SSG TCP RedirectCommand 10-6Configuration Example for Network Lists Configuration Examples for SSG TCP RedirectConfiguration Example for Server Groups Configuration Example for Server Groups, pageExample 10-5 Defining Port Lists Configuration Example for Port Lists10-8 Chapter 10 SSG TCP RedirectRestrictions for VPI/VCI Static Binding to a Service Profile Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile Configuration of VPI/VCI Static Binding to a Service ProfileRestrictions for AAA Server Group Support for Proxy Services AAA Server Group Support for Proxy ServicesConfiguration of RADIUS Virtual Circuit Logging RADIUS Virtual Circuit LoggingDownstream Access Control List-outacl, page Configuration of AAA Server Group Support for Proxy ServicesConfiguration Example for AAA Server Group Support for Proxy Services Upstream Access Control List-inacl, pageRestrictions for Packet Filtering Downstream Access Control List-outaclUpstream Access Control List-inacl 11-4Configuration Example for Packet Filtering SSG UnconfigConfiguration of Packet Filtering Restrictions for SSG UnconfigConfiguration Examples for SSG Unconfig Prerequisites for SSG UnconfigConfiguration of SSG Unconfig 11-6Service Translation, page Expansion of Service IDs, page SSG Enhancements for Overlapping ServicesService Translation 11-711-8 Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set311-9 Restrictions for Service TranslationPrerequisites for Service Translation Enables service translation and indicates to the router to use the Configuration of Service TranslationConfiguration Example for Service Translation Service DefinitionsConfiguration Example for Expansion of Service IDs Expansion of Service IDsRestrictions for Expansion of Service IDs 11-11Network Sets 11-12Command Monitoring and Maintaining SSG12-1 C H A P T E RRestrictions for Per-Service Statistics Troubleshooting RADIUSPer-Service Statistics Removes the specified service12-3 Monitoring the Parallel Express Forwarding EngineReference Guide CommandMonitoring the Parallel Express Forwarding Engine 12-4Chapter 12 Monitoring and Maintaining SSG OL-4387-02SSG Configuration Example A P P E N D I X AExample A-1 Cisco 10000 Router SSG Configuration Appendix A SSG Configuration ExampleAppendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02ntp clock-period 17181406 ntp update-calendar Appendix A SSG Configuration Exampleexec-timeout 0 0 password lab OL-4387-02A P P E N D I X B SSG FeatureSSG Implementation Notes Implementation NotesSSG Feature Implementation NotesImplementation Notes Also see the “Restrictions for SSG TCP Redirect” section on pageSSG Feature Appendix B SSG Implementation Notes OL-4387-02GL-1 G L O S S A R YDigital Subscriber Line GL-2 GL-3 GL-4 GL-5 Glossary GL-6xDSL OL-4387-02IN-1 I N D ESee CEF Idle Timeout Attribute 28 3-4 IN-2idle timeout inacl attributeIN-3 See PXFSee PPP AutoDomain See RBEIN-4 Exclude Networks 6-8IN-5 VC G-5 VCI G-5 vendor-specific attributes definition G-5 See VPIIN-6 virtual channel identifier See VCI virtual circuit See VCweb service selection 5-2 web sites accessing through Open Garden 6-5 IN-7VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber VRF G-5 VSA definition G-5OL-4387-02 IN-8Index