Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS Release 15MT
Subscriber Profile Support
Downloads: This chapterpdf (PDF - 1.27MB) The complete bookPDF (PDF - 2.83MB) | The complete bookePub (ePub - 1.76MB) | Feedback

Subscriber Profile Support

Contents

Subscriber Profile Support

The Subscriber Profile Support feature introduces new functionality for the Subscriber Service Switch architecture, a Cisco IOS subsystem that connects subscribers to network access services at Layer 2. This new functionality affects how the Subscriber Service Switch Manager determines a service for each subscriber with a combination of a policy and a service lookup model.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Configuring Subscriber Profile Support

Before configuring the Subscriber Profile Support feature, you need to be familiar with concepts introduced in the Cisco Release 12.2(13)T feature module Subscriber Service Switch , and with the authentication, authorization, and accounting (AAA) and PPP access processes.

Information About Subscriber Profile Support

New Call Management Support for Subscriber Service Switch Architecture

The Subscriber Service Switch architecture in Cisco IOS Release 12.3(4)T offers a significant improvement in scalability by providing the ability to bypass PPP when forwarding a call. Instead, call service selection is decided entirely by a Subscriber Service Switch Manager. Client call processes that terminate subscriber lines or receive subscriber calls send their requests for service direction to the Subscriber Service Switch Manager, which determines service based on service keys collected by the Subscriber Service Switch client and a preestablished call service policy. Examples of service keys are a NAS Port ID (network access server port identifier) and an unauthenticated PPP name. Refer to the Subscriber Service Switch feature module for more information about service keys.

The Subscriber Profile Support feature introduces the subscriber profile command and its service subcommands, which support the Subscriber Service Switch policy for searching a subscriber profile database for authorization data and determining the services that will be granted to the requesting customer.

How to Configure Subscriber Profile Support

The tasks described in this section assume that an operational network running the Subscriber Service Switch architecture has been configured.

Configuring VPDN Service for the Subscriber Service Switch Policy

In this task, you configure virtual private dial-up network (VPDN) service by directing the software to obtain the configuration from a predefined VPDN group.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    subscriber profile profile-name

    4.    service vpdn group vpdn-group-name

    5.    exit


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 subscriber profile profile-name


    Example:
    Router(config)# subscriber profile Domain1
     

    Names a Subscriber Service Switch policy for local searches of a subscriber profile database for authorization data when a AAA network authorization method list is configured, and enters subscriber profile configuration mode.

    Note   

    Make sure that the aaa authorization network default local global configuration command is included in the configuration. (Do not use the aaa authorization network default command without the localkeyword.)

     
    Step 4 service vpdn group vpdn-group-name


    Example:
    Router(config-sss-profile)# service vpdn group 1
     

    Provides VPDN service by obtaining the configuration from a VPDN group defined by the vpdn-group VPDN profile configuration command.

     
    Step 5 exit


    Example:
    Router(config-sss-profile)# exit
     

    Exits subscriber profile configuration mode.

     

    What to Do Next

    See the RADIUS Subscriber Service Switch Services Configuration section for information about creating the script for the corresponding RADIUS AV pair Subscriber Service Switch attribute.

    Configuring Local Termination Service for the Subscriber Service Switch Policy

    In this task, you define local termination service for the Subscriber Service Switch policy.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    subscriber profile profile-name

      4.    service local

      5.    exit


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 subscriber profile profile-name


      Example:
      Router(config)# subscriber profile Domain1
       

      Names a Subscriber Service Switch policy for local searches of a subscriber profile database for authorization data when a AAA network authorization method list is configured, and enters subscriber profile configuration mode.

      Note   

      Make sure that the aaa authorization network default local global configuration command is included in the configuration. (Do not use the aaa authorization network default command without the localkeyword.)

       
      Step 4 service local


      Example:
      Router(config-sss-profile)# service local
       

      Configures local termination, and is the default Subscriber Service Switch policy.

       
      Step 5 exit


      Example:
      Router(config-sss-profile)# exit
       

      Exits subscriber profile configuration mode.

       

      What to Do Next

      See the RADIUS Subscriber Service Switch Services Configuration section for information about creating the script for the corresponding RADIUS AV pair Subscriber Service Switch attribute.

      Configuring Denial of Service for the Subscriber Service Switch Policy

      In this task, you configure a Subscriber Service Switch policy that denies service to a subscriber.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    subscriber profile profile-name

        4.    service deny

        5.    exit


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 subscriber profile profile-name


        Example:
        Router(config)# subscriber profile Domain1
         

        Names a Subscriber Service Switch policy for local searches of a subscriber profile database for authorization data when a AAA network authorization method list is configured, and enters subscriber profile configuration mode.

        Note   

        Make sure that the aaa authorization network default local global configuration command is included in the configuration. (Do not use the aaa authorization network default command without the localkeyword.)

         
        Step 4 service deny


        Example:
        Router(config-sss-profile)# service deny
         

        Denies service to the subscriber.

         
        Step 5 exit


        Example:
        Router(config-sss-profile)# exit
         

        Exits subscriber profile configuration mode.

         

        What to Do Next

        See the RADIUS Subscriber Service Switch Services Configuration section for information about creating the script for the corresponding RADIUS AV pair Subscriber Service Switch attribute.

        RADIUS Subscriber Service Switch Services Configuration

        The Cisco AV pairs have been extended to include Subscriber Service Switch service configuration. Subscriber Service Switch values are prefixed with "sss:", as follows:

        cisco-avpair = "sss:sss-service=vpdn" cisco-avpair = "sss:sss-service=local" cisco-avpair = "sss:sss-service=deny"

        Configuration Examples for Subscriber Profile Support

        VPDN Service for the Subscriber Service Switch Policy Examples

        The following example provides VPDN service to users in the domain cisco.com, and uses VPDN group 1 to obtain VPDN configuration information:

        !
        subscriber profile cisco.com
         service vpdn group 1
        

        The following example provides VPDN service to DNIS 1234567, and uses VPDN group 1 to obtain VPDN configuration information:

        !
        subscriber profile dnis:1234567
         service vpdn group 1
        

        The following example provides VPDN service using a remote tunnel (used on the multihop node), and uses VPDN group 1 to obtain VPDN configuration information:

        !
        subscriber profile host:lac
         service vpdn group 1

        Local Termination for the Subscriber Service Switch Policy Example

        The following example provides local termination service to users in the domain cisco.com:

        !
        subscriber profile cisco.com
         service local

        Denial of Service for the Subscriber Service Switch Policy Example

        The following example denies service to users in the domain cisco.com:

        !
        subscriber profile cisco.com
         service deny

        RADIUS Subscriber Service Support Profiles Examples

        The following examples show typical RADIUS AV pair scripts to enable VPDN service and to define the service keys that are collected:

        # 
        # Domain "cisco.com" users get VPDN service with the enclosed configuration.
        # 
        cisco.com Password = "cisco"
        User-Service-Type = Outbound-User,
        cisco-avpair = "sss:sss-service=vpdn",
        cisco-avpair = "vpdn:tunnel-id=nas-provider",
        cisco-avpair = "vpdn:ip-addresses=10.0.3.96",
        cisco-avpair = "vpdn:nas-password=secret1",
        cisco-avpair = "vpdn:gw-password=secret2"
        #
        # Users with DNIS 1234567 get VPDN service with the enclosed configuration.
        #
        dnis:1234567 Password = "cisco"
        User-Service-Type = Outbound-User,
        cisco-avpair = "sss:sss-service=vpdn",
        cisco-avpair = "vpdn:tunnel-id=nas-provider",
        cisco-avpair = "vpdn:ip-addresses=10.0.3.96",
        cisco-avpair = "vpdn:nas-password=secret1",
        cisco-avpair = "vpdn:gw-password=secret2"
        #
        # Users on the remote tunnel (LAC) get VPDN service with the enclosed configuration.
        #
        host:lac Password = "cisco"
        User-Service-Type = Outbound-User,
        cisco-avpair = "sss:sss-service=vpdn",
        cisco-avpair = "vpdn:tunnel-id=nas-provider",
        cisco-avpair = "vpdn:ip-addresses=10.0.3.96",
        cisco-avpair = "vpdn:nas-password=secret1",
        cisco-avpair = "vpdn:gw-password=secret2"

        Additional References

        Related Documents

        Related Topic

        Document Title

        AAA

        Cisco IOS Security Configuration Guide; refer to " Part 1: Authentication, Authorization, and Accounting (AAA) "

        AAA commands: complete command syntax, command mode, defaults, usage guidelines, and examples

        Cisco IOS Security Command Reference

        Broadband access, PPPoE

        Cisco IOS Wide-Area Networking Configuration Guide; refer to " Part 2: Broadband Access"

        Broadband access, PPPoE, commands: complete command syntax, command mode, defaults, usage guidelines, and examples

        Cisco IOS Wide-Area Networking Command Reference

        PPP

        Cisco IOS Dial Technologies Configuration Guide; refer to "Part 9: PPP Configuration "

        VPDN

        Cisco IOS Dial Technologies Configuration Guide; refer to "Part 8: Virtual Templates, Profiles, and Networks "

        PPP and VPDN commands: complete command syntax, command mode, defaults, usage guidelines, and examples

        Cisco IOS Dial Technologies Command Reference

        Subscriber Service Switch

        Subscriber Service Switch feature module

        Standards

        Standards

        Title

        None

        --

        MIBs

        MIBs

        MIBs Link

        None

        To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

        http:/​/​www.cisco.com/​go/​mibs

        RFCs

        RFCs

        Title

        None

        --

        Technical Assistance

        Description

        Link

        Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

        http:/​/​www.cisco.com/​public/​support/​tac/​home.shtml

        Feature Information for Subscriber Profile Support

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Table 1 Feature Information for Phrase Based on Module Title

        Feature Name

        Releases

        Feature Information

        Subscriber Profile Support

        12.3(4)T

        The Subscriber Profile Support feature introduces new functionality for the Subscriber Service Switch architecture, a Cisco IOS subsystem that connects subscribers to network access services at Layer 2. This new functionality affects how the Subscriber Service Switch Manager determines a service for each subscriber with a combination of a policy and a service lookup model.

        The following commands were introduced or modified: service deny, service local, service vpdn group, subscriber profile.