Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Configuring ISG Support for Prepaid Billing
Downloads: This chapterpdf (PDF - 1.41MB) The complete bookPDF (PDF - 5.68MB) | The complete bookePub (ePub - 1.23MB) | The complete bookMobi (Mobi - 2.46MB) | Feedback

Configuring ISG Support for Prepaid Billing

Contents

Configuring ISG Support for Prepaid Billing

Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG prepaid billing support allows an ISG to check a subscriber's available credit to determine whether to allow the subscriber access to a service and how long the access can last. ISG prepaid billing works on a repeated re-authorization model in which fragments of credit, called quotas, are allotted by a prepaid billing server. This model allows a subscriber to be connected to multiple simultaneous prepaid services, each with a different billing rate. ISG supports time-based and volume-based prepaid billing.

This module describes how to configure ISG support for prepaid billing for IPv4, IPv6 and dual-stack sessions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for ISG Prepaid Billing Support

  • A subscriber session is created and a method of service activation is in place.

  • Traffic classes for IPv4, IPv6, and dual-stack sessions are configured.

Restrictions for ISG Prepaid Billing Support

  • ISG prepaid billing support can only be applied to traffic flows that have been defined by an ISG traffic class.

  • ISG prepaid billing support can not be applied to per-user ACL on IPv6 traffic.

  • Quotas are measured in seconds for time and in bytes for volume. There is no way to change the unit of measure.

  • The volume quota is for combined upstream and downstream traffic.

  • The volume quota supports a maximum value of 4 GB.

Information About ISG Prepaid Billing Support

Overview of ISG Support for Prepaid Billing

ISG prepaid billing is supported for IPv4, IPv6, and dual-stack subscribers. This feature allows ISG to check the subscriber's available credit to determine whether to activate a specified service and how long the session can last. The subscriber’s credit is administered by a prepaid billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment, or fragment, of available credit. Allocating quotas in fragments rather than providing all the credit at once enables ISG to support the use of credit for multiple simultaneous prepaid sessions.

ISG uses the RADIUS protocol to facilitate interaction between ISG and external authentication, authorization, and accounting (AAA) servers and prepaid billing servers. A single device can serve as the AAA server and the billing server.

To obtain the first quota for a session, ISG submits an authorization request to the AAA server. The AAA server contacts the prepaid billing server, which forwards the quota values to ISG. ISG then monitors the session to track the quota usage. When the quota runs out or a specified limit is reached, ISG performs re-authorization. During re-authorization, the prepaid billing server may provide ISG with an additional quota if there is available credit. If no further quota is provided, ISG will log the user off from the service or perform some other specified action.

When a service is deactivated, the cumulative usage is provided to the prepaid billing server in an Accounting-Stop message.

ISG Prepaid Volume Monitor Polling Timer and QV Values

The Cisco IOS prepaid volume monitor polling timer determines when ISG will initiate a prepaid reauthorization. The polling timer value is (15 seconds < polling-monitor-time < 300 seconds). This value is calculated dynamically based on the QV value (which defines the volume-based quota), the actual rate, and the configured volume threshold. The prepaid volume monitor polling timer is not directly configurable.

To avoid allocating more volume quota than the subscriber is entitled to during the first authorization (when usage rate is unknown), the QV value should be a minimum of (15 x access rate). In cases in which the usage rate is known, the QV value should be at least (15 x usage rate).

In cases in which the input access rate is much higher than the QV value, it is recommended that the correct QV value be calculated using the following formula: access rate x 15 > QV < access rate x 300. For example, an ADSL2 or VDSL user access-rate can be up to 20 Mbps. That is approximately 2.5 megabytes (MB) of data in one second. Calculate the QV value by using the following formula: 2.5 MB x 15 seconds > QV < 2.5 MB x 300 seconds. This calculation results in a QV value between 37.5 MB and 750 MB, however we recommend you do not choose either the highest or lowest value in this range. For example, you might pick a value of QV = 100 MB.

ISG Prepaid Threshold

By default, ISG sends reauthorization requests to the billing server when a subscriber’s quota is exhausted. ISG prepaid thresholds allow ISG to send reauthorization requests before a quota is used up. When a prepaid threshold is configured, ISG sends a reauthorization request to the billing server when the amount of remaining quota is equal to the value of the threshold. Prepaid thresholds can be configured for both time and volume.

For example, if the prepaid threshold is configured for 10 seconds, and the prepaid billing server sends ISG a quota of 30 seconds, ISG will send a reauthorization request to the prepaid billing server when the subscriber has used up 20 seconds of the quota and has 10 seconds remaining.

ISG Prepaid Idle Timeout

The ISG prepaid idle timeout can be used to suspend a prepaid service session if no traffic is received for a specified period of time. ISG keeps the session up during the suspension but releases all quota previously received for the prepaid session. Subsequent traffic on the session will cause ISG to send a reauthorization request and download a new quota for the session.

Benefits of ISG Prepaid Billing

Concurrent Prepaid Service Access

The ISG Support for Prepaid Billing feature is capable of supporting concurrent prepaid service access while maintaining the same pool of quota at the prepaid billing server. ISG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to a service while simultaneously connected to other services.

Real-Time Billing

The ISG Support for Prepaid Billing feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.

Redirection Upon Exhaustion of Quota

When a user runs out of quota, ISG can redirect the user to a portal where the user can replenish the quota without being disconnected from the service.

Returning Residual Quota

ISG can return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.

Threshold Values

ISG enables you to configure threshold values that cause prepaid sessions to be reauthorized before the subscriber completely consumes the allotted quota for a service.

Traffic Status During Reauthorization

You can prevent revenue leaks by configuring ISG to drop connected traffic during reauthorization of a service. The user remains connected to the service and does not need to log in to the service again, but no traffic is forwarded during the reauthorization process. This prevents a user from continuing to use a service for which the user has run out of quota while ISG sends a reauthorization request to the billing server.

Simultaneous Volume-Based and Time-Based Prepaid Billing

ISG supports rating on both time and volume simultaneously for prepaid services. The prepaid billing server may allocate quotas in both time and volume, and ISG monitors the session on both these parameters. ISG performs a reauthorization whenever either of these quota types is exhausted.

How to Configure ISG Support for Prepaid Billing

Configuring RADIUS Attribute Support for ISG Prepaid Billing

Perform this task to enable ISG to include RADIUS attribute 44 in Access-Request packets and attribute 55 in Accounting-Request packets.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    radius-server attribute 44 include-in-access-req [vrf vrf-name]

    4.    radius-server attribute 55 include-in-acct-req

    5.    end

    6.    show subscriber session [detailed] [identifier identifier | uid session-id| username name]


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 radius-server attribute 44 include-in-access-req [vrf vrf-name]


    Example:
    Router(config)# radius-server attribute 44 include-in-access-req
     

    Sends RADIUS attribute 44 (Accounting Session ID) in Access-Request packets before user authentication.

     
    Step 4 radius-server attribute 55 include-in-acct-req


    Example:
    Router(config)# radius-server attribute 55 include-in-acct-req 
     

    Sends the RADIUS attribute 55 (Event-Timestamp) in Accounting-Request packets.

     
    Step 5 end


    Example:
    Router(config)# end
     

    Exits the current configuration mode and returns to privileged EXEC mode.

     
    Step 6 show subscriber session [detailed] [identifier identifier | uid session-id| username name]


    Example:
    Router# show subscriber session detailed
     

    (Optional) Displays ISG subscriber session information.

     

    Creating an ISG Prepaid Billing Configuration

    Perform this task to create or modify an ISG prepaid billing configuration. This configuration can be referenced in service profiles or service policy maps in which ISG prepaid support is enabled.

    A default prepaid configuration exists with the following parameters:

    subscriber feature prepaid default
     threshold time 0 seconds
     threshold volume 0 bytes
     method-list authorization default
     method-list accounting default
     password cisco
    

    The default configuration will not show up in the output of the show running-config command unless you change any one of the parameters.

    The parameters of named prepaid configurations are inherited from the default configuration, so if you create a named prepaid configuration and want only one parameter to be different from the default configuration, you have to configure only that parameter.

    Before You Begin

    This task assumes that AAA method lists, server groups, and servers have been configured. See the Cisco IOS Security Configuration Guide: Securing User Services for more information.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    subscriber feature prepaid {name-of-config | default}

      4.    interim-interval number-of-minutes

      5.    method-list {accounting | authorization} name-of-method-list

      6.    password password

      7.    threshold {time seconds | volume {kilobytes Kbytes | megabytes Mbytes | bytes bytes}}

      8.    end

      9.    show subscriber session [detailed] [identifier identifier | uid session-id| username name]


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 subscriber feature prepaid {name-of-config | default}


      Example:
      Router(config)# subscriber feature prepaid conf-prepaid
       

      Creates a new ISG prepaid configuration or specifies an existing configuration so it can be modified, and enters prepaid configuration mode.

       
      Step 4 interim-interval number-of-minutes


      Example:
      Router(config-prepaid)# interim-interval 5
       

      Enables interim prepaid accounting and specifies the interval at which ISG will send interim prepaid accounting records.

       
      Step 5 method-list {accounting | authorization} name-of-method-list


      Example:
      Router(config-prepaid)# method-list accounting list1
       

      Specifies the AAA method list to be used for ISG prepaid accounting or authorization.

       
      Step 6 password password


      Example:
      Router(config-prepaid)# password cisco
       

      Configures the password to be used for ISG prepaid authorization and reauthorization requests.

       
      Step 7 threshold {time seconds | volume {kilobytes Kbytes | megabytes Mbytes | bytes bytes}}


      Example:
      Router(config-prepaid)# threshold time 20
       

      Configures the threshold at which ISG will send a reauthorization request to the prepaid billing server.

      • The quota provided by the billing server minus the configured threshold equals the value at which ISG will send a reauthorization request

      • This command can be entered twice to configure thresholds in both time and volume.

       
      Step 8 end


      Example:
      Router(config-prepaid)# end
       

      Exits the current configuration mode and returns to privileged EXEC mode.

       
      Step 9 show subscriber session [detailed] [identifier identifier | uid session-id| username name]


      Example:
      Router# show subscriber session detailed
       

      (Optional) Displays ISG subscriber session information.

       

      Enabling ISG Prepaid Billing

      Perform one of the following tasks to enable prepaid billing in a service policy map or a remote service profile:

      Enabling ISG Prepaid Billing in a Service Policy Map

      Perform this task to enable ISG prepaid billing support in a service policy map.

      Before You Begin

      ISG prepaid billing is enabled in a traffic class within a service policy map. This task assumes that you have defined the traffic class map and associated IP access lists. See the module "Configuring ISG Subscriber Services" for more information.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    policy-map type service policy-map-name

        4.    [priority] class type traffic class-map-name

        5.    prepaid config name-of-configuration

        6.    end

        7.    show subscriber session [detailed] [identifier identifier | uid session-id| username name]


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 policy-map type service policy-map-name


        Example:
        Router(config)# policy-map type service mp3
         

        Creates or defines a service policy map, which is used to define an ISG service, and enters service policy-map configuration mode.

         
        Step 4 [priority] class type traffic class-map-name

        Example:
        Router(config-service-policymap)# class type traffic class-acl-101 
         

        Associates a previously configured traffic class with the policy map, and enters control policy-map traffic class configuration mode.

         
        Step 5 prepaid config name-of-configuration


        Example:
        Router(config-control-policymap-class-traffic)# prepaid config conf-prepaid
         

        Enables ISG support for prepaid billing and applies a configuration that defines the prepaid billing parameters.

        Note   

        The presence of this command does not guarantee that prepaid billing will be applied to the flow. This command causes the first prepaid authorization request. Whether prepaid billing will be applied to the flow is determined by the billing server.

         
        Step 6 end


        Example:
        Router(config-control-policymap-class-traffic)# end
         

        Exits the current configuration mode and returns to privileged EXEC mode.

         
        Step 7 show subscriber session [detailed] [identifier identifier | uid session-id| username name]


        Example:
        Router# show subscriber session detailed
         

        (Optional) Displays ISG subscriber session information.

         
        What to Do Next

        You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services."

        Enabling ISG Prepaid Billing in Service Profile on the AAA Server

        Perform this task to enable ISG support for prepaid billing in a service profile that is configured on a remote AAA server.

        SUMMARY STEPS

          1.    Do one of the following:

          • Add the ISG Traffic Class attribute to the service profile.
          • Cisco-AVpair = "ip:traffic-class=in access-group [<acl_number> | name <acl_name>] [priority <n>]"
          • Cisco-AVpair = "ip:traffic-class=out access-group [<acl_number> | name <acl_name>] [priority <n>]"

          2.    Add the ISG Prepaid Billing VSA to the service profile.


        DETAILED STEPS
           Command or ActionPurpose
          Step 1Do one of the following:
          • Add the ISG Traffic Class attribute to the service profile.
          • Cisco-AVpair = "ip:traffic-class=in access-group [<acl_number> | name <acl_name>] [priority <n>]"
          • Cisco-AVpair = "ip:traffic-class=out access-group [<acl_number> | name <acl_name>] [priority <n>]"
           

          Specifies input and output traffic to which the service will apply.

          • Both an input and output traffic classifier can be added to a service profile.

           
          Step 2 Add the ISG Prepaid Billing VSA to the service profile.

          Example:
          26,9,1 = "prepaid-config={<name-of-config> 
          | 
          default"
           

          Enables ISG support for prepaid billing and applies a configuration that defines the prepaid billing parameters.

           
          What to Do Next

          You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISG Subscriber Services".

          Redirecting Subscriber Traffic upon Exhaustion of Credit

          Service providers often want to offer subscribers an opportunity to recharge their accounts when they have run out of credit for their prepaid services. The tasks in this section enable you to redirect a subscriber’s Layer 4 traffic to a specified server when the subscriber has run out of credit.

          Before you configure ISG Layer 4 Redirect for exhaustion of credit, you should understand the following concept:

          Perform the following tasks to redirect a subscriber’s Layer 4 traffic upon exhaustion of credit:

          Credit-Exhausted Event

          The ISG credit-exhausted event occurs when the prepaid server responds with an Access-Accept packet with a quota value of zero (time or volume) and an idle timeout greater than zero. In this case, the prepaid server has determined for certain that the subscriber does not have enough credit, but the idle timeout provides a grace period in which the subscriber could recharge the account. Typically, a service provider would want to redirect the subscriber’s traffic to a web portal where the subscriber could recharge the account. At the end of the idle-timeout interval, ISG will send a reauthorization request.

          The default ISG behavior is to drop subscriber packets when the credit-exhausted event occurs. However, in case of dual-stack subscriber, the ISG redirects the subscriber to the portal in case of credit exhaustion.


          Note


          Layer 4 redirection is one action that a service provider could take when a subscriber has run out of credit. Other actions can be configured instead of or in addition to Layer 4 redirection.


          Configuring L4 Redirection in a Service Policy Map

          Perform this task to configure ISG Layer 4 redirection in a service policy map.

          The ISG Layer 4 Redirect feature can also be configured in a service profile on a AAA server. For more information about redirecting Layer 4 subscriber traffic, see the "Redirecting Subscriber Traffic Using ISG Layer 4 Redirect" module.

          Before You Begin

          The ISG Layer 4 Redirect feature is configured under a traffic class within the service policy map. This task assumes that you have defined the traffic class map. See the "Configuring ISG Subscriber Services" module for more information.

          Traffic can be redirected to a server or server group. If you are redirecting traffic to a server group, this task assumes that the server group has been configured. See the "Configuring ISG Subscriber Services" module for more information about configuring server groups.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    policy-map type service policy-map-name

            4.    [priority] class type traffic class-name

            5.    redirect to {group server-group-name | ip ip-address [port port-number]}[duration seconds] [frequency seconds]

            6.    end

            7.    show subscriber session [detailed] [identifier identifier | uid session-id| username name]


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Router> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 configure terminal


            Example:
            Router# configure terminal
             

            Enters global configuration mode.

             
            Step 3 policy-map type service policy-map-name


            Example:
            Router(config)# policy-map type service redirect-service
             

            Creates or defines a service policy map, which is used to define an ISG service and enters service policy-map configuration mode.

             
            Step 4 [priority] class type traffic class-name

            Example:
            Router(config-service-policymap)# class type traffic class-all
             

            (Optional) Associates a previously configured traffic class with the policy map, and enters service policy-map traffic class configuration mode.

             
            Step 5 redirect to {group server-group-name | ip ip-address [port port-number]}[duration seconds] [frequency seconds]


            Example:
            Router(config-service-policymap-class-traffic)# redirect to group redirect-sg
             

            Redirects traffic to a specified server or server group.

             
            Step 6 end


            Example:
            Router(config-control-policymap-class-traffic)# end
             

            Exits the current configuration mode and returns to privileged EXEC mode.

             
            Step 7 show subscriber session [detailed] [identifier identifier | uid session-id| username name]


            Example:
            Router# show subscriber session detailed
             

            (Optional) Displays ISG subscriber session information.

             

            Applying a Service Policy Map to Subscriber Traffic upon Exhaustion of Credit

            Perform this task to configure a control policy and apply a service policy map to subscriber traffic upon exhaustion of credit.

            Before You Begin

            If you specify a named control class map, this task assumes that the class map has been configured. See the "Configuring ISG Control Policies" module for information about configuring control class maps.

            SUMMARY STEPS

              1.    enable

              2.    configure terminal

              3.    policy-map type control policy-map-name

              4.    class type control {control-class-name | always} event credit-exhausted

              5.    action-number service-policy type service name policy-map-name

              6.    end

              7.    show subscriber session [detailed] [identifier identifier | uid session-id| username name]


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Router> enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.

               
              Step 2 configure terminal


              Example:
              Router# configure terminal
               

              Enters global configuration mode.

               
              Step 3 policy-map type control policy-map-name


              Example:
              Router(config)# policy-map type control policyA
               

              Creates or modifies a policy map that defines a control policy.

               
              Step 4 class type control {control-class-name | always} event credit-exhausted


              Example:
              Router(config-control-policymap)# class type control always event credit-exhausted
               

              Specifies a control class and event for which actions may be configured.

               
              Step 5 action-number service-policy type service name policy-map-name


              Example:
              Router(config-control-policymap-class-control)# 1 service-policy type service name redirect-profile
               

              Applies the specified service policy map or service profile in which the ISG Layer 4 Redirect feature has been configured.

               
              Step 6 end


              Example:
              Router(config-control-policymap-class-control)# end
               

              Exits the current configuration mode and returns to privileged EXEC mode.

               
              Step 7 show subscriber session [detailed] [identifier identifier | uid session-id| username name]


              Example:
              Router# show subscriber session detailed
               

              (Optional) Displays ISG subscriber session information.

               

              What to Do Next

              Control policies must be applied to a context by using the service-policy type control command.

              Forwarding Subscriber Traffic upon Depletion of Quota

              By default, ISG drops subscriber packets when a subscriber’s quota has been depleted. This task enables you to override the default and forward subscriber traffic when the quota-depleted event occurs.

              Before you perform this task you should understand the concept described in the Quota-Depleted Event section.

              Quota-Depleted Event

              A quota-depleted event occurs when a subscriber’s quota is exhausted and ISG has not yet received a reauthorization response from the billing server. This event can occur in two situations:

              • When a prepaid threshold is not configured and the subscriber’s quota is used up.

              • When a prepaid threshold is configured but the quota is exhausted before the prepaid server responds to the reauthorization request that ISG sent when the threshold was met.

              The quota-depleted event is not necessarily an indication that a subscriber does not have any more credit. ISG does not know for certain whether the subscriber has any more credit until a reauthorization response is returned from the billing server. For this reason, some service providers may choose to forward subscriber packets upon quota depletion until a reauthorization response is returned.

              The default ISG behavior is to drop subscriber packets when a quota-depleted event occurs.

              Before You Begin

              If you specify a named control class map, this task assumes that the class map has been configured. See the module "Configuring ISG Control Policies" for information about configuring control class maps.

              SUMMARY STEPS

                1.    enable

                2.    configure terminal

                3.    policy-map type control policy-map-name

                4.    class type control {control-class-name | always} event quota-depleted

                5.    action-number set-param drop-traffic false

                6.    end

                7.    show subscriber session [detailed] [identifier identifier | uid session-id| username name]


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1 enable


                Example:
                Router> enable
                 

                Enables privileged EXEC mode.

                • Enter your password if prompted.

                 
                Step 2 configure terminal


                Example:
                Router# configure terminal
                 

                Enters global configuration mode.

                 
                Step 3 policy-map type control policy-map-name


                Example:
                Router(config)# policy-map type control policyB
                 

                Creates or modifies a policy map that can be applied globally, to an interface, or to an ATM VC to specify a control policy, and enters control policy-map configuration mode.

                 
                Step 4 class type control {control-class-name | always} event quota-depleted


                Example:
                Router(config-control-policymap)# class type control always event quota-depleted
                 

                Specifies a control class and event for which actions may be configured, and enters control policy-map class control configuration mode.

                 
                Step 5 action-number set-param drop-traffic false


                Example:
                Router(config-control-policymap-class-control)# 1 set-param drop-traffic false
                 

                Configures ISG to continue to allow traffic to pass when the quota has been depleted.

                 
                Step 6 end


                Example:
                Router(config-control-policymap-class-control)# end
                 

                Exits the current configuration mode and returns to privileged EXEC mode.

                 
                Step 7 show subscriber session [detailed] [identifier identifier | uid session-id| username name]


                Example:
                Router# show subscriber session detailed
                 

                (Optional) Displays ISG subscriber session information.

                 

                What to Do Next

                Control policies must be applied to a context by using the service-policy type control command.

                Troubleshooting ISG Prepaid Billing Support

                Perform these steps to troubleshoot ISG prepaid billing support.

                SUMMARY STEPS

                  1.    Use the show subscriber session command to make sure the service in which prepaid billing support is configured has been activated.

                  2.    If the service requires service authentication, make sure the authentication succeeded.

                  3.    Make sure the AAA method list referred to in the prepaid billing configuration is valid and has been configured with the aaa accounting network command.

                  4.    Use the test aaa command to make sure the AAA server is reachable from ISG.

                  5.    Use the debug subscriber policy prepaid command to display debug messages about prepaid operation.


                DETAILED STEPS
                  Step 1   Use the show subscriber session command to make sure the service in which prepaid billing support is configured has been activated.
                  Step 2   If the service requires service authentication, make sure the authentication succeeded.
                  Step 3   Make sure the AAA method list referred to in the prepaid billing configuration is valid and has been configured with the aaa accounting network command.
                  Step 4   Use the test aaa command to make sure the AAA server is reachable from ISG.
                  Step 5   Use the debug subscriber policy prepaid command to display debug messages about prepaid operation.

                  Configuration Examples for ISG Prepaid Billing Support

                  ISG Prepaid Billing Support Example

                  The following example shows ISG prepaid billing support configured with the following parameters:

                  • The time threshold is 20 seconds.

                  • The volume threshold is 1000 bytes.

                  • When the quota-depleted event occurs, ISG will drop subscriber packets until the billing server sends another quota.

                  • When the credit-exhausted event occurs, subscriber packets will be redirected to the server group “redirect-sg”.

                  • The prepaid service is called “mp3” and is configured directly on the router in a service policy map.

                  • The AAA method list that will be used for this service to authenticate subscribers is called “cp-mlist”. That is the same method list to which the service accounting records will be sent.

                  • Prepaid authorization, reauthorization and accounting messages will be sent to the AAA method list called “ap-mlist”.

                  !
                  aaa authorization network default local
                  aaa authorization network ap-mlist group sg2
                  aaa authentication login cp-mlist group sg1 
                  aaa accounting network cp-mlist start-stop group sg1
                  aaa accounting network ap-mlist start-stop group sg2
                  service-policy type control RULEA 
                  !
                  class-map type traffic match-any CLASS-ALL
                  !
                  class-map type traffic match-any CLASS-ACL-101
                      match access-group input 101
                  !
                  policy-map type control RULEA
                   class type control always event credit-exhausted
                    1 service-policy type service name redirectprofile
                  !
                  policy-map type service redirectprofile
                   class type traffic CLASS-ALL
                    redirect to group redirect-sg
                  policy-map type service mp3
                   class type traffic CLASS-ACL-101
                    accounting aaa list cp-mlist
                   !
                   authenticate aaa list cp-mlist
                  !
                  subscriber feature prepaid conf-prepaid
                   method-list accounting ap-mlist
                   method-list authorization default
                   password cisco
                   threshold time 20
                   threshold volume 1000 bytes

                  ISG Policies for Handling Credit-Exhausted and Quota-Depleted Prepaid Billing Events Example

                  In the following example, a single control policy called “RULEA” has been defined to override the ISG prepaid default behavior by forwarding subscriber packets after a quota-depleted event and redirecting subscriber packets after a credit-exhausted event:

                  !class-map type traffic match-any CLASS-ALL
                  !
                  policy-map type control RULEA
                   class type control always event quota-depleted
                    1 set-param drop-traffic false
                   class type control always event credit-exhausted
                    1 service-policy type service name l4redirect
                  !
                  policy-map type service l4redirect
                   class type traffic CLASS-ALL
                    redirect to group SESM
                  !
                  subscriber feature prepaid conf-prepaid
                   threshold time 100
                   threshold volume 1000 bytes
                   method-list author prepaidlist
                   method-list accounting default
                   password cisco

                  Example: Configuring Prepaid Support for Simple IP Dual Stack Sessions

                  #-------------------
                  # AAA Configuration
                  #-------------------
                  aaa group server radius PREPAID_V4
                  server-private 6.6.6.1
                  !
                  aaa group server radius PREPAID_V6
                  server-private 8.8.8.1
                  !
                  aaa group server radius SERVER_GROUP1
                  server name RAD1
                  !
                  aaa authorization network PREPAID_V4 group PREPAID_V4
                  aaa authorization network PREPAID_V6 group PREPAID_V6
                  aaa authorization subscriber-service default local group SERVER_GROUP1
                  #---------------------------
                  # Prepaid Service Definition
                  #---------------------------
                  subscriber feature prepaid V4_PREPAID
                  threshold time 100 seconds
                  threshold volume 1000 bytes
                  interim-interval 2 minutes
                  method-list author PREPAID
                  method-list accounting List3
                  password cisco
                  !
                  subscriber feature prepaid V6_PREPAID
                  threshold time 0 seconds
                  threshold volume 0 bytes
                  interim-interval 2 minutes
                  method-list author PREPAID_V6
                  method-list accounting List1
                  password cisco
                  #------------------------------
                  # Redirect Portal Configuration
                  #------------------------------
                  redirect server-group IPv6_PORTAL
                  server ip 3001::2 port 23
                  !
                  redirect server-group IPv4_PORTAL
                  server ip 4.4.4.1 port 23
                  #----------------------------
                  # Traffic Class Configuration
                  #----------------------------
                  class-map type traffic match-any IPv4_L4R
                  match access-group input name ipv4_l4r_in
                  match access-group output name ipv4_l4r_out
                  !
                  class-map type traffic match-any IPv6_L4R
                  match access-group input name ipv6_l4r_in
                  match access-group output name ipv6_l4r_out
                  
                  class-map type traffic match-any IPv4_PRE
                  match access-group input name ipv4_in
                  match access-group output name ipv4_out
                  !
                  class-map type traffic match-any IPv6_PRE
                  match access-group input name ipv6_in
                  match access-group output name ipv6_out
                  
                  class-map type control match-all PRE_V4
                  match service-name PREPAID_V4_SERVICE
                  !
                  class-map type control match-all PRE_V6
                  match service-name PREPAID_V6_SERVICE
                  #--------------------------------------------
                  # IPv4 and IPv6 Prepaid Service Configuration
                  #--------------------------------------------
                  policy-map type service PREPAID_V4_SERVICE
                  10 class type traffic IPv4_PRE
                    prepaid config V4_PREPAID
                  !
                  class type traffic default in-out
                    drop
                  !
                  policy-map type service PREPAID_V6_SERVICE
                  10 class type traffic IPv6_PRE
                    prepaid config V6_PREPAID
                  !
                  class type traffic default in-out
                    drop
                  !
                  #-------------------------------------
                  # IPv4 and IPv6 L4R Service Definition
                  #-------------------------------------
                  policy-map type service L4REDIRECT_SERVICE_V4
                  5 class type traffic IPv4_L4R
                    redirect to group DASHBOARD
                  !
                  class type traffic default in-out
                    drop
                  !
                  policy-map type service L4REDIRECT_SERVICE_V6
                  5 class type traffic IPv6_L4R
                    redirect to group IPv6_PORTAL
                  !
                  class type traffic default in-out
                    drop
                  #-----------------------------
                  # Service Policy Configuration
                  #-----------------------------
                  policy-map type control TAL
                  class type control PRE_V4 event credit-exhausted
                    1 service-policy type service name L4REDIRECT_SERVICE_V4
                  !
                  class type control PRE_V6 event credit-exhausted
                    1 service-policy type service name L4REDIRECT_SERVICE_V6
                  !
                  class type control always event session-start
                    9 authorize identifier mac-address
                  !
                  class type control always event quota-depleted
                    1 set-param drop-traffic TRUE
                  !
                  #-----------------------------------------
                  # IPv4 and IPv6 Access Lists Configuration
                  #-----------------------------------------
                  ip access-list extended ipv4_in
                  permit ip any 4.4.4.0 0.0.0.255
                  !
                  ip access-list extended ipv4_out
                  permit ip 4.4.4.0 0.0.0.255 any
                  !
                  ip access-list extended ipv4_l4r_in
                  permit tcp any any
                  permit udp any any
                  !
                  ip access-list extended ipv4_l4r_out
                  permit tcp any any
                  permit udp any any
                  !
                  ipv6 access-list ipv6_in
                  permit ipv6 any 3001::/64
                  !
                  ipv6 access-list ipv6_out
                  permit ipv6 3001::/64 any
                  !
                  ipv6 access-list ipv6_l4r_in
                  permit tcp any any
                  permit udp any any
                  !
                  ipv6 access-list ipv6_l4r_out
                  permit udp any any
                  permit tcp any any
                  !
                  #----------------------------
                  # RADIUS Server Configuration
                  #----------------------------
                  radius-server host 6.6.6.1
                  radius-server host 8.8.8.1
                  !
                  radius server RAD1
                  address ipv4 4.4.4.1 auth-port 1645 acct-port 1646
                  

                  Additional References

                  Related Documents

                  Related Topic

                  Document Title

                  AAA configuration tasks

                  The “Authentication, Authorization, and Accounting (AAA)�? section in the Security Configuration Guide

                  AAA commands

                  Cisco IOS Security Command Reference

                  Cisco IOS commands

                  Cisco IOS Master Commands List, All Releases

                  ISG commands

                  Cisco IOS Intelligent Services Gateway Command Reference

                  Standards

                  Standard

                  Title

                  No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                  --

                  MIBs

                  MIB

                  MIBs Link

                  No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

                  To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

                  http:/​/​www.cisco.com/​go/​mibs

                  RFCs

                  RFC

                  Title

                  None

                  --

                  Technical Assistance

                  Description

                  Link

                  The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

                  To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

                  Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

                  http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

                  Feature Information for ISG Support for Prepaid Billing

                  The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

                  Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

                  Table 1 Feature Information for ISG Support for Prepaid Billing

                  Feature Name

                  Releases

                  Feature Configuration Information

                  ISG: Accounting: Prepaid

                  Cisco IOS XE Release 2.5.0

                  ISG prepaid billing support allows ISG to check a subscriber’s available credit to determine whether to allow the subscriber access to a service and how long the access can last. ISG supports volume-based and time-based prepaid billing.

                  Prepaid Support for Dual-Stack Sessions

                  Cisco IOS XE Release 3.13S

                  ISG prepaid billing support is extended to dual-stack sessions.