Enabling ISG to Interact with External Policy Servers
Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This document describes how to enable the ISG to retrieve session policies or accept dynamic updates to session policies from external policy servers.
Your software release
may not support all the features documented in this module. For the latest
caveats and feature information, see
Bug Search Tool and the
release notes for your platform and software release. To find information about
the features documented in this module, and to see a list of the releases in
which each feature is supported, see the feature information table.
Use Cisco Feature
Navigator to find information about platform support and Cisco software image
support. To access Cisco Feature Navigator, go to
An account on Cisco.com is not required.
Restrictions for ISG Interaction with External Policy Servers
The ISG and external policy servers should be available in the same virtual routing and forwarding (VRF) instance.
Information About ISG Interaction with External Policy Servers
ISG works with external devices, referred to as
policy servers that store per-subscriber and per-service information. ISG supports two models of interaction between the ISG and external policy servers: initial authorization and dynamic authorization.
In the initial authorization model, ISG must retrieve policies from the external policy server at specific points in a session. In this model, the external policy server is typically an authentication, authorization, and accounting (AAA) server that uses RADIUS. ISG is the RADIUS client. Instead of a AAA server, some systems use a RADIUS proxy component that converts to other database protocols, such as Lightweight Directory Access Protocol (LDAP).
The dynamic authorization model allows the external policy server to dynamically send policies to ISG. These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of some algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduces peer-to-peer capability to RADIUS that enables ISG and the external policy server to act as the RADIUS client and server respectively.
Triple Key Authentication for ISG
Triple key authentication is a method of authenticating users based on their username, password, and location after ISG redirects them to the Cisco Service Management Engine (SME) portal. The SME server provides the location based on the source IP address of the subscriber being authenticated. Before the Triple Key Authentication Support feature was introduced, users were authenticated only on the basis of the username and password (two-key authentication). The Triple Key Authentication Support feature also eases migration from Service Selection Gateway (SSG) to an ISG platform because SSG uses triple key authentication.
For SSG, the Cisco Subscriber Edge Services Manager (SESM) server populates RADIUS attribute 31 (calling-station ID) in the user-login request that it sends to the SSG with a string containing the subscriber’s location. The SSG then includes this location string in the access-request message that it sends to the RADIUS server where the login is authenticated based on the username, password, and location string.
With ISG triple key authentication, the ISG sends the location string within a Cisco vendor-specific attribute (VSA) that is included in the access-request message to the RADIUS server.
The location information is received from SME as Cisco VSA 250. This location information is included in session authentication requests, session accounting requests from the ISG, and prepaid authorization requests.
The table below shows the Cisco vendor-specific non-AVPair attribute used for triple key authentication.
Example: Enabling ISG to Interact with External Policy Servers
The following example shows how to configure ISG as a AAA client.
aaa group server radius CAR_SERVER
server 10.100.2.36 auth-port 1812 acct-port 1813
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
The following example shows how to configure ISG as a AAA server.
aaa server radius dynamic-author
client 10.76.86.90 server-key cisco
Example: Enabling the Location VSA for Triple Key Authentication
The following example shows how to enable ISG to use VSAs for accounting and authentication.
radius-server vsa send accounting
radius-server vsa send authentication
The following example shows an authentication record with the session information, including the location attribute. You can display this output by using the
debugradiusaccounting command or the
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for ISG Interaction with External Policy Servers
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 2 Feature Information for ISG Interaction with External Policy Servers
ISG—Policy Control Policy Server CoA
Cisco IOS XE Release 3.3SG
This feature provides ISG support for the RADIUS Change of Authorization (CoA) extension, which facilitates dynamic authorization.
This feature was integrated into Cisco IOS XE Release 3.3SG.
ISG—Session Lifecycle Packet of Disconnect (POD)
Cisco IOS XE Release 3.3SG
This feature enables an external policy server to terminate an ISG session when it receives a RADIUS Packet of Disconnect (POD).