Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-4387-02 manual Initial Captivation, 10-3

Models: OL-4387-02

1 110

Download 110 pages 54.42 Kb

Page 65

Initial Captivation

Chapter 10 SSG TCP Redirect

Figure 10-1 Restricting Access to Networks within Authorized Services

ServiceA

10.0.0.0/8

IPTVService 10.1.1.1/32

87908

The following describes the behavior of redirection for unauthorized services:

•If a packet arrives from an unauthorized SSG user or it is destined to an unauthorized service, SSG redirects the packet if the packet matches the protocol and ports configured as the redirection filter. If the packet does not match the filter, SSG drops the packet.

•If a packet arrives from an unauthorized service or is destined to an unauthorized SSG user, SSG drops the packet.

•If a user’s connection is subject to redirection or captivation, SSG redirects to SESM any packets from the connection that match the protocol and ports for redirection and captivation.

•If packets from the connection do not match the protocol and ports configured as a filter, SSG drops the packets.

Initial Captivation

Initial captivation redirects certain packets from users for a specific period of time. After a user logs on, packets to certain TCP ports are redirected to a server for advertisements and branding. SSG captivates the user by redirecting all user packets to those TCP ports regardless of the destination address.

Captivation is active for a specified duration, starting from the first redirected session.

If you configure initial captivation globally by using the CLI, captivation applies to all authenticated users. You can also enable initial captivation in the RADIUS user profile as an Account-Info attribute to override the CLI setting.

The user profile contains the following information for initial captivation:

•Server group name

Note Use the CLI to configure the server group and associate a port or port list to the server group.

•Duration of captivation

•Service name (optional)

Note If you specify the optional service name, captivation activates only when logon to that service occurs.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

	OL-4387-02	10-3

Image 65

Cisco Systems OL-4387-02 manual Initial Captivation, 10-3

Contents

Corporate Headquarters JanuaryCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408Copyright 2004, Cisco Systems, Inc All rights reserved Default Network Service Selection Gateway OverviewC O N T E N T S AudienceConfiguration Example for SSG Prepaid Configuration Example for SSG AutoDomainConfiguration Examples for Account Login and Logout Configuration of SSG AutologoffConfiguration of Mutually Exclusive Service Selection Configuration Example for SSG Open GardenService Profiles Service-Defined CookieInterface Configuration Configuration of VPI/VCI Static Binding to a Service ProfileConfiguring Port-Based Redirection for Unauthenticated Users Limiting Redirection for Unauthenticated UsersPer-Service Statistics SSG UnconfigRestrictions for SSG Unconfig Service TranslationOL-4387-02 viiiContents Audience About This GuideDocument Organization ChapterChapter Document ConventionsTitle DescriptionCisco 10000 Series Router Software Configuration Guides Cisco 10000 Series Router Feature MapRelated Documentation Obtaining DocumentationObtaining Technical Assistance Documentation FeedbackDocumentation CD-ROM Ordering DocumentationOpening a TAC Case Cisco TAC WebsiteTAC Case Priority Definitions http//tools.cisco.com/RPF/register/register.doObtaining Additional Publications and Information C H A P T E R Service Selection Gateway OverviewService Selection Gateway Figure 1-1 SSG Topology Example Access Protocols Default NetworkPackets from a User and Destined for the Default Network Packets from the Default Network and Destined for an SSG UserSSG Logon and Logoff, page Authentication and Accounting, page Supported SSG FeaturesService Selection Methods, page Service Connection, page Service Profiles and Cached Service Profiles, pageAny interface requiring tunneling for example, L2TP or GRE tunneling SSG Architecture Model SSG PrerequisitesInternet GamingIn Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices such as a desktop computer over DSL. The Cisco 10000 series router the SSG node forwards unauthenticated SSG traffic from the subscriber to SESM, configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network OL-4387-02 Chapter 1 Service Selection Gateway Overview SSG Architecture ModelC H A P T E R Scalability and PerformanceLimitations and Restrictions Best-Access to network B at rate Good-Access to network B at rate SSG Logon and Logoff SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, pageSingle Host Logon Prerequisites for Single Host LogonSSG Autologoff Configuration of SSG AutologoffRestrictions for SSG Autologoff ARP pingConfiguration Example for SSG Autologoff SSG Prepaid Idle TimeoutService Reauthorization Service AuthorizationPrerequisites for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout Configuration Examples for SSG Full Username RADIUS Attribute Authentication and AccountingSSG Full Username RADIUS Attribute Restrictions for SSG Full Username RADIUS AttributeConfiguration Examples for Account Login and Logout Account Login and LogoutAccount Login and Logout, page Service Connection and Termination, pageConfiguration Examples for Service Connection and Termination Service Connection and TerminationService-Type-Indicates the type of service Web Service Selection, page Service Selection MethodsPPP Terminated Aggregation PTA-MultidomainRestrictions for PTA-MD Web Service SelectionSESM and SSG Performance OL-4387-02 Chapter 5 Service Selection Methods Web Service SelectionMutually Exclusive Service Selection, page Service ConnectionSSG AutoDomain SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, pageRestrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid SSG Open Garden Configuration Example for SSG PrepaidConfiguration Example for SSG Open Garden Configuration of SSG Open GardenSSG Open Garden, Release 12.24B feature module SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key Configuration of SSG Port-Bundle Host Key Mutually Exclusive Service SelectionSSG Port-Bundle Host Key, Release 12.24B feature module Exclude NetworksExample 6-5 Configuring a Mutually Exclusive Service Selection Group Configuration of Mutually Exclusive Service SelectionConfiguration Example for Mutually Exclusive Service Selection OL-4387-02 6-10Chapter 6 Service Connection Mutually Exclusive Service Selection Downstream Access Control List Service ProfilesService Profiles, page Cached Service Profiles, page Service Profiles and Cached Service ProfilesService Authentication Type Upstream Access Control ListDomain Name Full UsernameService Description Service-Defined CookieService Mode Service Next-Hop GatewayService Profile Example Cached Service ProfilesType of Service Configuration of Cached Service Profiles OL-4387-02 Chapter 7 Service Profiles and Cached Service ProfilesCached Service Profiles SSG Hierarchical Policing Overview SSG Hierarchical PolicingSSG Hierarchical Policing Token Bucket Scheme C H A P T E RRestrictions for SSG Hierarchical Policing SSG Hierarchical Policing ConfigurationConfiguration Examples for SSG Hierarchical Policing Configuration Examples for SSG Hierarchical PolicingRouterconfig# local-profile cisco.com Routerconfig-prof# attribute 26 9 1 “QU1600030004000D2400040008000”OL-4387-02 Configuration Examples for SSG Hierarchical PolicingChapter 8 SSG Hierarchical Policing Transparent Passthrough Interface ConfigurationTransparent Passthrough, page C H A P T E RAccess Side Interfaces Multicast Protocols on SSG Interfaces Configuration of Transparent PassthroughNetwork Side Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthenticated Users, page Redirection for Unauthenticated UsersRedirection for Unauthorized Services, page Initial Captivation, page SSG TCP Redirectgroup-name Redirection for Unauthorized Services10-2 10-3 Initial CaptivationRestrictions for SSG TCP Redirect Configuration of SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4Configuring Port-Based Redirection for Unauthenticated Users Configuration Considerations for SSG TCP RedirectLimiting Redirection for Unauthenticated Users Configuration Considerations for SSG TCP Redirect, pageCommand Configuring SSG TCP RedirectPurpose 10-6Configuration Example for Server Groups Configuration Examples for SSG TCP RedirectConfiguration Example for Network Lists Configuration Example for Server Groups, page10-8 Configuration Example for Port ListsExample 10-5 Defining Port Lists Chapter 10 SSG TCP RedirectVPI/VCI Static Binding to a Service Profile Miscellaneous SSG FeaturesRestrictions for VPI/VCI Static Binding to a Service Profile Configuration of VPI/VCI Static Binding to a Service ProfileConfiguration of RADIUS Virtual Circuit Logging AAA Server Group Support for Proxy ServicesRestrictions for AAA Server Group Support for Proxy Services RADIUS Virtual Circuit LoggingConfiguration Example for AAA Server Group Support for Proxy Services Configuration of AAA Server Group Support for Proxy ServicesDownstream Access Control List-outacl, page Upstream Access Control List-inacl, pageUpstream Access Control List-inacl Downstream Access Control List-outaclRestrictions for Packet Filtering 11-4Configuration of Packet Filtering SSG UnconfigConfiguration Example for Packet Filtering Restrictions for SSG UnconfigConfiguration of SSG Unconfig Prerequisites for SSG UnconfigConfiguration Examples for SSG Unconfig 11-6Service Translation SSG Enhancements for Overlapping ServicesService Translation, page Expansion of Service IDs, page 11-7Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3 11-811-9 Restrictions for Service TranslationPrerequisites for Service Translation Configuration Example for Service Translation Configuration of Service TranslationEnables service translation and indicates to the router to use the Service DefinitionsRestrictions for Expansion of Service IDs Expansion of Service IDsConfiguration Example for Expansion of Service IDs 11-1111-12 Network Sets12-1 Monitoring and Maintaining SSGCommand C H A P T E RPer-Service Statistics Troubleshooting RADIUSRestrictions for Per-Service Statistics Removes the specified serviceReference Guide Monitoring the Parallel Express Forwarding Engine12-3 CommandChapter 12 Monitoring and Maintaining SSG 12-4Monitoring the Parallel Express Forwarding Engine OL-4387-02A P P E N D I X A SSG Configuration ExampleAppendix A SSG Configuration Example Example A-1 Cisco 10000 Router SSG ConfigurationOL-4387-02 Appendix A SSG Configuration ExampleOL-4387-02 Appendix A SSG Configuration ExampleOL-4387-02 Appendix A SSG Configuration Exampleexec-timeout 0 0 password lab Appendix A SSG Configuration Examplentp clock-period 17181406 ntp update-calendar OL-4387-02SSG Implementation Notes SSG FeatureA P P E N D I X B Implementation NotesImplementation Notes SSG FeatureImplementation Notes Also see the “Restrictions for SSG TCP Redirect” section on pageSSG Feature OL-4387-02 Appendix B SSG Implementation NotesGL-1 G L O S S A R YDigital Subscriber Line GL-2 GL-3 GL-4 GL-5 xDSL GL-6Glossary OL-4387-02IN-1 I N D ESee CEF idle timeout IN-2Idle Timeout Attribute 28 3-4 inacl attributeIN-3 See PXFSee PPP IN-4 See RBEAutoDomain Exclude Networks 6-8IN-5 IN-6 See VPIVC G-5 VCI G-5 vendor-specific attributes definition G-5 virtual channel identifier See VCI virtual circuit See VCVPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber IN-7web service selection 5-2 web sites accessing through Open Garden 6-5 VRF G-5 VSA definition G-5OL-4387-02 IN-8Index