SSG Prepaid Enhancements

Available Languages

Download Options

PDF (436.6 KB)
View with Adobe Reader on a variety of devices

Updated:November 11, 2003

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

SSG Prepaid Enhancements

Table Of Contents

SSG Prepaid Enhancements

Contents

Prerequisites for SSG Prepaid Enhancements

Restrictions for SSG Prepaid Enhancements

Information About SSG Prepaid Enhancements

Overview of Service Selection Gateway

How SSG Prepaid Works

Service Authorization

Service Reauthorization

Simultaneous Volume- and Time-Based Prepaid Billing

Prepaid Tariff Switching

Postpaid Tariff Switching

Cookie VSA

Benefits of SSG Prepaid and SSG Prepaid Enhancements

How to Configure SSG Prepaid Enhancements

Configuring Session ID and Time-Stamp Information

Specifying the AAA Server for SSG Prepaid Authorization

Prerequisites

Verifying SSG Prepaid Configuration

Monitoring and Maintaining SSG Prepaid Enhancements

Configuration Examples for SSG Prepaid Enhancements

SSG Prepaid Configuration: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

show ssg connection

ssg aaa group prepaid

Glossary

SSG Prepaid Enhancements

The Service Selection Gateway (SSG) prepaid enhancements described in this document add support for prepaid tariff switching, postpaid tariff switching, and simultaneous volume- and time-based prepaid billing to the existing SSG Prepaid feature. The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long any such connection can last.

Release

Modification

12.2(16)B

This feature was introduced.

12.3(4)T

Support was added for prepaid tariff switching, postpaid tariff switching, and simultaneous volume- and time-based prepaid billing.

Feature History for the SSG Prepaid Enhancements Feature

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Prerequisites for SSG Prepaid Enhancements

•Restrictions for SSG Prepaid Enhancements

•Information About SSG Prepaid Enhancements

•How to Configure SSG Prepaid Enhancements

•Configuration Examples for SSG Prepaid Enhancements

•Additional References

•Command Reference

•Glossary

Prerequisites for SSG Prepaid Enhancements

•SSG accounting must be enabled in order for the SSG Prepaid enhancements features to be used. SSG accounting is enabled by default. If it has been disabled, enable it by using the ssg accounting command in global configuration mode.

•The SSG Prepaid enhancements features require the authentication, authorization, and accounting (AAA) server to have prepaid billing support.

Restrictions for SSG Prepaid Enhancements

•The volume quota is for combined upstream and downstream traffic.

Information About SSG Prepaid Enhancements

Before you use the SSG Prepaid Enhancements feature, you should understand the following concepts:

•Overview of Service Selection Gateway

•How SSG Prepaid Works

•Cookie VSA

•Benefits of SSG Prepaid and SSG Prepaid Enhancements

Overview of Service Selection Gateway

The SSG is a switching solution for service providers that offer intranet, extranet, and Internet connections to subscribers that use broadband access technology such as digital subscriber lines, cable modems, or wireless networks to allow simultaneous access to network services.

SSG works in conjunction with the Cisco Service Selection Dashboard (SSD) or its successor product, the Cisco Subscriber Edge Services Manager (SESM). Together with the SESM or SSD, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with an SESM or SSD web application using a standard Internet browser.

How SSG Prepaid Works

The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and, how long any connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.

To obtain the first quota for a connection, SSG submits an authorization request to the AAA server. The AAA server contacts the prepaid billing server, which forwards the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs the user off. The following sections provide more detail about how the SSG prepaid feature and associated enhancements work.

•Service Authorization

•Service Reauthorization

•Simultaneous Volume- and Time-Based Prepaid Billing

•Prepaid Tariff Switching

•Postpaid Tariff Switching

•Cookie VSA

Service Authorization

SSG differentiates prepaid services from postpaid services by the presence of the Service Authorization vendor-specific attribute (VSA) in the service profile. The presence of this attribute in the service profile means that SSG must perform authorization before providing access to the service.

Table 1 lists the elements of the Service Authorization VSA.

Table 1 Service Authorization VSA Elements

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Subattribute Data

26

9

251
Service-Info

Service Authorization

The value "Z" indicates that authorization is required.

Once a service has been identified as prepaid, SSG generates an Access-Request packet called a Service Authorization Request. The contents of this new type of Access-Request packet are listed in Table 2.

Table 2 Contents of Service Authorization Request Packet

Attribute ID

Attribute Name

Description

Notes

1

User-Name

Mobile Station (MS) subscriber name

—

2

PAP Password

Global service profile password

—

4

NAS IP Address

SSG IP address

—

6

Service-Type

Framed-user

—

26

Vendor-Specific

Name of service

Subattribute ID 251; code N.

31

Calling-Station-ID

Mobile Station ISDN Number (MSISDN)

The username may appear in this field if the access technology does not provide an MSISDN.

55

Time-Stamp

Time-stamp

44

Acct-Session-ID

Session ID

61

NAS-Port-Type

Asynchronous
(value = 0)

The prepaid billing server performs authorization based on the same key that was used for authentication. For example, for mobile wireless networks, where the unique key that is used for authentication is the Calling-Station-ID attribute (attribute 31), the quota authorization would also be performed using the Calling-Station-ID attribute.

The AAA server responds to the Service Authorization Request packet with an Access-Accept packet that defines the quota parameters for the connection. The Access-Accept packet for a Service Authorization Request is listed in Table 3. Authorization for a service is provided based on the presence and contents of the Quota VSA in the Access-Accept packet listed in Table 4.

Table 3 Content of Service Authorization Access-Accept Packet

Attribute Number

Attribute Name

Description

Notes

6

Service-Type

Framed-user

—

26

Vendor-Specific

Quota

Subattribute ID: 253. The value "Q" indicates that this is the Quota VSA.

Table 4 Quota VSA Elements

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

T or V—Quota subcode for time or volume.

Numeric string—Quota value.

If a nonzero quota is returned in the authorization response, SSG creates a connection to the service using the initial quota value in seconds for time and bytes for volume. A value of zero in a quota means the user has insufficient credit and is not authorized to use that service; no connection is made. If the Quota attribute is not present in the authorization response, SSG treats the connection as postpaid.

The SSG Prepaid Enhancements feature introduces support for simultaneous time- and volume-based prepaid billing. The service authorization response can contain both quota types (for time and volume). That is, the authorization response contains both "QT" and "QV" attributes. SSG starts a quota timer and continuously monitors the connection with respect to volume. When either the volume or quota tokens (a token is a unit of quota) runs out, SSG reauthorizes the connection. The next service authorization request contains the usage on both of these quota types in its response. Note that both of the quota parameters (volume and time) must be nonzero. The functionality can interwork with the prepaid idle-timeout functionality and volume threshold. Table 5 lists the attributes contained in a response to a service authorization request.

Table 5 Contents of Service Authorization Response Packet

Attribute ID

Vendor ID

Subattribute ID

Attribute Name

Type

Value

26

9

253

Quota

ASCII string

"QT<seconds>"

26

9

253

Quota

ASCII string

"QV<bytes>"

28

—

—

Idle-timeout

—

—

In the case of volume quota, instead of the SSG using a single token, two quota tokens can be allocated to accommodate the tariff switching functionality. The dual quota functionality also interworks with the tariff switching functionality. Instead of the presence of QV and QT attributes in the authorization response, QX and QT attributes can be present together in the authorization response. In this case, reauthorization is done whenever the time quota runs out and either of the two volume quota tokens runs out in its respective period. Table 6 lists the attributes contained in a response to a service reauthorization request.

Table 6 Contents of Service Reauthorization Response Packet

Attribute
ID

Vendor
ID

Subattribute
ID

Status

Attribute Name

Type

Value

28

Optional

Idle-Timeout

Integer

Idle Timeout

26

9

253

Optional

Quota

ASCII string

"QT<seconds> "

26

9

253

Mandatory

Quota-for-Tariff Switching

ASCII string

"QX<seconds>;
<bytes>;<bytes>"

The interworking of idle-timeout and dual-quota functionality with the existing prepaid features is shown in Table 7.

Table 7 Interworking of Idle-Timeout and Dual-Quota Functionality

QT

QV

Idle-Timeout

SSG Action

—

—

—

SSG opens the connection. No reauthorization is performed.

0

0

0

SSG opens the connection. Reauthorization occurs when user traffic comes in.

0

0

—

SSG closes or does not open the connection.

0

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.

—

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.

0

>0

0

SSG closes or does not open the connection.

0

>0

>0

SSG closes or does not open the connection.

>0

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted, or no user traffic for a time interval is equal to the idle-timeout value.

>0

>0

—

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.

>0

>0

0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.

>0

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs when QT is exhausted or after a time interval equal to the idle-timeout value.

>0

0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.

The interworking of dual-quota functionality with tariff switching and idle-timeout is shown in Table 8.

Note In Table 8, QT represents time-based quota, and QX represents quota for prepaid and postpaid tariff switching. TS denotes time of tariff switch, PRE denotes prepaid switch quota, and POST denotes postpaid switch quota. QXTS;PRE;POST represents QX<time of tariff switch>;<prepaid switch quota>;postpaid switch quota>.

Table 8 Interworking of Dual-Quota Functionality with Idle-Timeout

QT

QXTS;PRE;POST

Idle-Timeout

SSG Action

0

>0;0;0

0

SSG opens the connection. Reauthorization occurs when user traffic comes in.

0

>0;0;0

>0

SSG opens the connection but blocks user traffic (drop or redirect). Reauthorization occurs after a time interval equal to the idle timeout value.

0

Any combination not covered by idle-timeout equal to or greater than 0.

0 or >0

SSG closes or does not open the connection.

>0

>0;>0;>0

>0

SSG opens the connection. Reauthorization occurs when the time based quota (QT) or the prepaid quota (PRE) is exhausted before tariff switching, or when the prepaid (PRE) and postpaid (POST) quotas are exhausted, or when no user traffic occurs for a time interval equal to the idle-timeout value.

>0

>0;>0;0

>0

SSG opens the connection. Reauthorization occurs when QT or PRE is exhausted before tariff switching when tariff switching occurs, or if there is no user traffic occurs for a time interval equal to the idle-timeout value.

>0

>0;>0;>0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or PRE is exhausted before tariff switching, or when PRE+POST are exhausted.

>0

>0;>0;0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or PRE is exhausted before tariff switching, or when Tariff Switching occurs.

>0

>0;0;0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.

If dual quota was allotted in the earlier authorization, the reauthorization request contains both the volume and time attributes. The volume attributes may include the quota for tariff switching (QB) in addition to the volume-based quota (QV) when the connection is made in the post-tariff switch period. The reauthorization reason attribute may be present in the reauthorization request. Table 9 describes the reasons.

Table 9 Reauthorization Reason Attributes

Reauthorization Reason

Description

Not present

No reauthorization reason attribute is sent if reauthorization is performed because of quota expiry (time or volume), except for the special case "QR0".

QR0

A reauthorization reason QR0 is sent if reauthorization is performed because of quota expiry (time) but the user is idle; that is, no user traffic has been received since the reception of the preceding Access-Accept packet.

This applies if the preceding Access-Accept packet for service reauthorization contained:

•The idle-timeout attribute with value "0"

•The volume-quota (QV or QX) attribute with value "0"

•The time-quota attribute with value ">0"

Reauthorization reason QR0 indicates to the prepaid server that no new (volume) quota needs to be allocated; that is, there is no ongoing user traffic.

QR1

Reauthorization is performed because of idle timer expiry; that is, no user traffic received was for the time specified in the idle-timeout attribute.

Service Reauthorization

During a connection, SSG decrements a volume-based quota until it runs out. If the quota is based on time, the connection is allowed to proceed for the quota duration. When the quota reaches zero, SSG issues a Service Reauthorization Request to the billing server. The Service Reauthorization Request includes an SSG VSA called Quota Used. The Quota Used VSA has the same format as the Quota VSA described in Table 4. The content of the Service Reauthorization Request is listed in Table 10.

Table 10 Contents of Service Reauthorization Request

Attribute ID

Attribute Name

Description

Notes

1

User-Name

MS subscriber name

—

2

PAP Password

Global service profile password

—

4

NAS IP Address

SSG IP address

—

6

Service-Type

Framed-user

—

26

Vendor-Specific

Name of service

Subattribute ID 251; code N.

26

Vendor-Specific

Quota

Subattribute ID 253.

The Quota Used VSA has the same format as the Quota VSA.

31

Calling-Station-ID

MSISDN

—

55

Time-Stamp

Time-stamp

—

44

Acct-Session-ID

Session ID

—

61

NAS-Port-Type

Async (value=0)

—

If service reauthorization is unsuccessful, the billing server will respond to the Service Reauthorization Request with an Access-Accept packet containing a quota of zero. SSG will terminate the connection to the service at this point. If service reauthorization is successful, the billing server will return another quota to SSG, and the connection will be allowed to continue.

Simultaneous Volume- and Time-Based Prepaid Billing

The simultaneous volume- and time-based prepaid billing feature allows the SSG to provide volume- and time-based prepaid billing on the same service.

Typically this feature is used in a prepaid environment such as a Public Wireless LAN (PWLAN) in an airport lounge or coffee shop.

With simultaneous volume- and time-based prepaid billing, the service provider can bill the subscriber based on volume and time used, and hence be able to charge for any use of the same service. Before this feature was available, a subscriber on a single volume-based service could have a connection open for any length of time without incurring any charge.

The prepaid billing server can now allocate quotas in both time and volume, and SSG is able to monitor the connection on both types. The SSG performs a reauthorization whenever either of these quota types is exhausted.

Prepaid Tariff Switching

Prepaid tariff switching enhances the SSG prepaid capability by allowing changes in tariffs during the lifetime of a connection, thus providing greater flexibility. This feature applies to volume-based prepaid connections where the tariff changes at certain times of the day.

Typically, a service provider would use prepaid tariff switching because they want to be able to offer different tariffs to an end user during the time they are still connected; for example, changing a user to a less expensive tariff during off-peak hours.

When the SSG is monitoring the prepaid connection based on volume, at the tariff switching time, the SSG can switch to the new charging rate. This feature will not affect any existing prepaid functionality, including the idle-timeout feature.

Note The SSG is not involved in computing the billing rate changes that occur at tariff switch points. Billing rate change computations are performed by the prepaid billing server.

SSG supports prepaid tariff switching by using dual quota tokens that correspond to the pretariff switch time period and posttariff switch time-period. The appropriate token is used by SSG during the period in which the service is active.

In order to allow for time-of-day rating changes, the prepaid billing server specifies the tariff change time and the tokens for postswitch and preswitch periods in its authorization response to the SSG.

Note The tariff change time is specified in seconds denoting the number of seconds from the authorization time when a tariff switch needs to happen for prepaid billing.

At the point of tariff switch, SSG does a token switch and starts using the second token for its prepaid connection monitoring purpose. Re-authorization will happen only when either of these tokens gets exhausted and not when a tariff change occurs.

Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs

Table 11 describes the behavior of SSG in the various events that occur when prepaid tariff switching takes place.

Table 11 Authorization and Reauthorization Behavior

Event

Action

An authorization response is received containing the dual-quota token tariff switch attribute.

Tariff switching is enabled on the SSG for a given prepaid connection.

During data forwarding, the quota runs out before the tariff switch occurs.

SSG performs a reauthorization in the same way as if there was still quota remaining, but no tariff switch attributes are included in the reauthorization response.

During data forwarding, the tariff switch time elapses after the last authorization.

SSG switches from the current quota token to the next quota token. The new token retains the same amount of usage of the original token. The new quota token is now used for real-time accounting.

During data forwarding, the quota runs out after the tariff switch.

SSG will send the quota usage in pre- and posttariff periods back to the prepaid server in the authorization response.

The user logs off the service after the tariff switch.

SSG will report the quota usage in the pre- and posttariff switch periods in the Accounting Stop packet.

The user logs off the service before the tariff switch.

SSG sends a normal Accounting Stop packet, no different from the nontariff-switching case.

Interim accounting

If the connection is in the posttariff switch period, SSG will report quota usage in the pre- or posttariff switching periods in the Accounting Stop packet.

SSG Prepaid Tariff-Switching VSAs

The VSA shown in Table 12 is used in authorization and reauthorization responses to send quota tokens and the tariff switch time. Table 12 lists the VSA content.

Table 12 VSA Content

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

X—Tariff-switch code for prepaid quota.

<time>;—Tariff switch time, in seconds.

<volume>;—Preswitch quota volume token, in bytes.

<volume>— Postswitch quota volume token, in bytes.

The VSA shown in Table 13 is used in reauthorization requests and accounting packets. This VSA is used in addition to the usual quota volume attribute that indicates the total volume usage in a connection. Table 13 lists the VSA content.

Table 13 Content of VSA used in Reauthorization Requests and Accounting Packet

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

B;—Tariff-switch code for denoting the total volume used after the last tariff switch.

<volume>;—Total volume of traffic in that connection (since start) after the last tariff switch, in bytes.

<time>—Tariff switch time in the UNIX time stamp. This is used only in postpaid service accounting records.

Postpaid Tariff Switching

Postpaid tariff switching enhances the SSG postpaid capability by allowing changes in tariffs during lifetime of a connection, thus providing greater flexibility. This feature applies to volume based postpaid connections where the tariff changes at certain times of the day.

Typically, a service provider would use postpaid tariff switching because they want to be able to offer different tariffs to a subscriber while they are still connected; For example, changing a user to a less expensive tariff during off-peak hours.

To handle tariff switches for postpaid connections, the accounting packets log the usage information during the various tariffs switch intervals. The service profile contains a weekly tariff-switch plan detailing the times of day at which tariff changes occur. The SSG monitors the usage at every tariff-switch point and records this information in the interim accounting records. The billing server monitors all accounting interim updates and obtains the information about the volume of traffic sent at each tariff rate.

Service Profile Definition VSA

The service profile definition is used in the service profile to specify the tariff-switch points. Table 14 lists the VSA content.

Table 14 VSA Content

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Subattribute Data

26

9

251
Service-Info

post-paid

P—Service-Info code for postpaid service.

W—Service-info code for weekly tariff-switch plan.

<weekly time>—Weekly tariff-switch time in hh:mm:ss:d format

•hh = hour of day <0—23>

•mm = minutes <0—59>

•ss = seconds <0—59>

•d = bitmap format for the days of week. Each weekday is represented by one bit, as follows:

–00000001 = Monday

–00000010 = Tuesday

–00000100 = Wednesday

–00001000 = Thursday

–00010000 = Friday

–00100000 = Saturday

–01000000 = Sunday

The following example shows the configuration of the Service Profile Definition VSA to support a daily fee. The tariff switch will occur each midnight.
SSG Service-Info = "PPW00:00:00:12" 
The following example show the configuration of the Service Profile Definition VSA to support an off-peak tariff in which a tariff switch occurs Monday through Friday at 8:00 p.m.:
SSG Service-Info = "PPW20:00:00:31" 
The following example shows the configuration of the Service Profile Definition VSA to support an on-peak tariff in which a tariff switch occurs Monday through Friday at 6:00 a.m.:
SSG Service-Info = "PPW06:00:00:31" 
The Service Profile Definition VSA is used in accounting packets sent for postpaid connections. This VSA has the same format as the VSA used for prepaid connections involving tariff switching. See Table 13 for details of the SSG prepaid tariff-switching VSA.

Interim Accounting Updates

The interim accounting records contain the cumulative usage information (since start of connection) and the amount of usage after the last tariff-switch time. The accounting stop record contains the total usage information and the volume of traffic sent after the last tariff switch.

Note All accounting interim updates and the accounting stop packets must be processed by the billing server to retrieve the information of usage in the various intervals due to the tariff switch. So the accounting interim update interval must be less than the tariff-switch interval.

The following example illustrates how the accounting interim updates would look in various tariff switch periods and how the billing server has to interpret the records to obtain the individual usages in the various intervals.

Let us consider that a user logged in to the connection at time T0. Let the tariff-switch points in that week be Tx, Ty, and Tz. Let us say that the user logs out at T1.

Accounting records A1 through A5 were sent in the various tariff-switching intervals. All interim accounting records contain the total volume of traffic sent in the connection from start until that point in time. This volume of traffic value is available in the standard accounting attributes and the SSG Accounting VSAs. For records sent after a tariff switch, the tariff-switch VSA indicates usage since the last tariff-switch point.

Accounting record A1 does not contain any tariff-switch VSAs. Accounting record A2 contains a tariff switch VSA to indicate the usage since the last tariff switch point. Note that more than one interim accounting record can be sent in the interval, depending on the accounting interval configured. It is possible to derive the usage in the various intervals even if only one accounting record in an interval was successfully sent. The following sequence shows how the billing server calculates usage in the interval between Tx and Ty.

Record A2 contains total volume (V2) and usage since the last tariff-switch point Tx (T2).

So amount of usage in interval (T0,Tx) represented as V(0,x) = V2 - T2

Record A3 contains total volume (V3) since start of connection, and the last tariff switch point Ty (T3).

So amount of usage in interval (T0,Ty) represented as V(0,y) = V3 - T3.

So amount of usage in interval (Tx,Ty) represented as V(x,y) = V(0,y) - V(0,x)

Note that accounting stop record A5 also contains only the total volume and the usage since the last tariff-switch point and not the usage in the various intervals.

Thus the information in these interim accounting records would enable the service provider to derive the accounting information in the various tariff-switching intervals.

Cookie VSA

The SSG Prepaid Enhancements features introduces the Cookie VSA. The Cookie VSA can be used in a user profile to facilitate both SSG prepaid billing and postpaid billing, or by the billing servers for correlation purposes. Whenever the Cookie VSA is present in a user profile, it is sent in all accounting transactions, including prepaid transactions such as authorization and reauthorization. Table 15 lists the elements in the Cookie VSA.

Table 15 Cookie VSA Elements

Attribute ID

Vendor ID

Subattribute ID and Type

Attribute Name

Subattribute Data

26

9

250
Account-Info

Cookie

V<user-defined cookie>.

Benefits of SSG Prepaid and SSG Prepaid Enhancements

Real-Time Billing

The SSG Prepaid Enhancements feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.

Concurrent Service Access

The SSG prepaid solution can support concurrent service access. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to a service while being connected to other services. Sequential access requires that the user log out from all other services before accessing a service.

Simultaneous Volume- and Time-Based Prepaid Billing

SSG supports rating on both time and volume simultaneously for prepaid services. The prepaid billing server may allocate quotas in both time and volume, and SSG monitors the connection on both these parameters. SSG performs a reauthorization whenever either of these quota types is exhausted.

Prepaid and Postpaid Tariff-Switching

SSG prepaid tariff-switching and postpaid tariff-switching introduce flexibility in SSG billing capabilities by supporting changes in tariffs during the lifetime of a connection.

How to Configure SSG Prepaid Enhancements

The following sections describe configuration, verification, and monitoring tasks for the SSG Prepaid Enhancements features:

•Configuring Session ID and Time-Stamp Information

•Specifying the AAA Server for SSG Prepaid Authorization

•Verifying SSG Prepaid Configuration

•Monitoring and Maintaining SSG Prepaid Enhancements

•SSG Prepaid Configuration: Example

Configuring Session ID and Time-Stamp Information

Perform this task to configure the session ID and time-stamp.

The session ID is configured using RADIUS attribute 44 (Accounting Session ID). The radius-server attribute 44 include-in-access-req command is used to send RADIUS attribute 44 in Access-Request packets before user authentication (including requests for preauthentication). The time-stamp is configured using RADIUS attribute 55 (Event-Timestamp). The radius-server attribute 55 include-in-acct-req command is used to send RADIUS attribute 55 (Event-Timestamp) in accounting packets.

This task configures SSG to provide the prepaid billing server with session ID and time-stamp information.

SUMMARY STEPS

1. enable

2. configure terminal

3. radius-server attribute 44 include-in-access-req

4. radius-server attribute 55 include-in-acct-req

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

radius-server attribute 44 include-in-access-req

Example:

Router(config)# radius-server attribute 44 include-in-access-req

Sends RADIUS attribute 44 (Accounting Session ID) in Access-Request packets before user authentication (including requests for preauthentication).

Step 4

radius-server attribute 55 include-in-acct-req

Example:

Router(config)# radius-server attribute 55 include-in-acct-req

Sends RADIUS attribute 55 (Event-Timestamp) in accounting packets.

Specifying the AAA Server for SSG Prepaid Authorization

Perform this task to specify the AAA server group to be used for SSG prepaid authorization.

The AAA server group to be used for SSG prepaid authorization can be specified locally on the router or in the RADIUS service profile. To specify the SSG prepaid server in the RADIUS service profile, use the following attribute:

9,251 = "PZS<serverip addr>authport;acctport;secret;retransmit;timeout;deadtime"

To specify the interim accounting interval in the RADIUS service profile, use the following attribute.

9,251 = "PZI<value>"

This task specifies the SSG prepaid server by using the router's command-line interface (CLI).

Prerequisites

The AAA server group must be configured by the service provider using the aaa group server radius command.

SUMMARY STEPS

1. enable

2. configure terminal

3. ssg enable

4. ssg aaa group prepaid server group

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

ssg enable

Example:

Router(config)# ssg enable

Enables SSG.

Step 4

ssg aaa group prepaid server-group

Example:

Router(config)# ssg aaa group prepaid ssg_prepaid

Specifies the server group to be used for SSG prepaid authorization.

Verifying SSG Prepaid Configuration

Perform this task to verify the SSG prepaid configuration.

Information about the host's connection to the specified service is displayed using the show ssg connection command. The content of the current configuration file is displayed using the show running-config command.

This task verifies the configuration of SSG prepaid functionality.

SUMMARY STEPS

1. enable

2. configure terminal

3. show ssg connection ip-address service-name [interface]

4. show running-config

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

show ssg connection ip-address service-name ip-address

Example:

Router# show ssg connection 192.168.1.2 myservice 192.168.1.5

Displays information about the host's connection to the specified service, including quota information for prepaid connections.

Step 4

show running-config

Example:

Router# show running-config

Displays the contents of the currently running configuration file.

Monitoring and Maintaining SSG Prepaid Enhancements

Perform this task to display debug information about the RADIUS traffic, SSG control events, control packets, and SSG data path packets that can be used to monitor and maintain the SSG prepaid functionality.

This task monitors and maintains SSG prepaid functionality.

SUMMARY STEPS

1. enable

2. debug radius

3. debug ssg ctrl-events

4. debug ssg ctrl-packets

5. debug ssg data

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

debug radius

Example:

Router# debug radius

Displays information associated with RADIUS.

Step 3

debug ssg ctrl-events

Example:

Router# debug ssg ctrl-events

Displays all event messages for control modules.

Step 4

debug ssg ctrl-packets

Example:

Router# debug ssg ctrl-packets

Displays packet contents handled by control modules.

Step 5

debug ssg data

Example:

Router# debug ssg data

Displays all data path packets.

Configuration Examples for SSG Prepaid Enhancements

This section provides the following configuration example:

•SSG Prepaid Configuration: Example

SSG Prepaid Configuration: Example

The following example shows how to configure RADIUS attributes 44 and 55 to support SSG prepaid billing services:
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
Additional References

The following sections provide references related to the SSG Prepaid Enhancements Feature.

Related Documents

Related Topic

Document Title

SSG

•Service Selection Gateway, Cisco IOS Release 12.2(4)B feature document

•Hierarchical Policing for Service Selection Gateway, Cisco IOS Release 12.2(4)B feature document

•SSG Autodomain, Cisco IOS Release 12.2(4)B feature document

•SSG AutoLogin Using Proxy Radius, Cisco IOS Release 12.2(4)B feature document

•SSG Autologoff, Cisco IOS Release 12.2(4)B feature document

•Service Selection Gateway Accounting Update Interval per Service, Cisco IOS Release 12.2(4)B

•SSG Open Garden, Cisco IOS Release 12.2(4)B feature document

•SSG Port-Bundle Host Key, Cisco IOS Release 12.2(4)B feature document

•SSG TCP Redirect for Services, Cisco IOS Release 12.2(4)B feature document

Configuring SSG and SESM

•Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation Guide

•Cisco Service Selection Dashboard Installation and Configuration Guide

•Cisco Service Selection Dashboard Web Developer Guide

Configuring RADIUS

•The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide

•The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference

Standards

Standards

Title

No new or modified standards are supported by this feature.

—

MIBs

MIBs

MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFCs

Title

No new or modified RFCs are supported by this feature.

—

Technical Assistance

Description

Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents only new and modified commands.

•show ssg connection

•ssg aaa group prepaid

show ssg connection

To display the connections of a given host and a service name, use the show ssg connection command in privileged EXEC mode.

show ssg connection ip-address service-name [ip-address]

Syntax Description

ip-address

IP address of an active Service Selection Gateway (SSG) connection. This is always a subscribed host.

service-name

Name of an active SSG connection.

ip-address

(Optional) IP address through which the host is connected.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release

Modification

12.0(3)DC

This command was introduced.

12.2(2)B

The interface argument was added.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(16)B

This command was modified to display information about prepaid and postpaid tariff switching and simultaneous time- and volume-based prepaid billing.

12.3(4)T

The enhancements from Release 12.2(16)B were integrated into Cisco IOS Release 12.3(4)T.

Examples

Prepaid Service Based on Volume: Example

The following example displays the SSG connection for a prepaid service that uses a volume-based quota:
Router# show ssg connection 192.168.1.1 InstMsg
------------------------ConnectionObject Content -----------------------
User Name:
Owner Host:192.168.1.1
Associated Service:InstMsg
Connection State:0 (UP)
Connection Started since:*00:25:58.000 UTC Tue Oct 23 2001
User last activity at:*00:25:59.000 UTC Tue Oct 23 2001
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Quota Type = 'VOLUME', Quota Value = 100
Session policing disabled
Prepaid Service Based on Time: Example

The following example displays the SSG connection for a prepaid service that uses a time-based quota:
Router# show ssg connection 192.168.1.2 Prepaid-internet
------------------------ConnectionObject Content -----------------------
User Name:Host
Owner Host:192.168.1.2
Associated Service:Prepaid-internet
Connection State:0 (UP)
Connection Started since:*00:34:06.000 UTC Tue Oct 23 2001
User last activity at:*00:34:07.000 UTC Tue Oct 23 2001
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Quota Type = 'TIME', Quota Value = 100
Session policing disabled
Autologin Service: Example

The following example shows the service connection for the autologin service to host 10.3.6.1:
Router# show ssg connection 192.168.1.3 autologin 
------------------------ ConnectionObject Content -----------------------
User Name:autologin
Owner Host:192.168.1.3
Associated Service:autologin
Connection State:0 (UP)
Connection Started since:
*20:41:26.000 UTC Fri Jul 27 2001
User last activity at:*20:41:26.000 UTC Fri Jul 27 2001
Connection Traffic Statistics:
Input Bytes = 0 (HI = 0), Input packets = 0
Output Bytes = 0 (HI = 0), Output packets = 0
Prepaid Time Quota: Example

The following example displays the SSG connection for a prepaid service that uses a time-based quota:
Router# show ssg connection 192.168.1.4 Prepaid_tariff_svc
------------------------ConnectionObject Content -----------------------
User Name: Prepaid_tariff_host
Owner Host: 192.168.1.4
Associated Service: Prepaid_tariff_svc
Calling station id: 
Connection State: 0 (UP)
Connection Started since: *22:31:01.000 UTC Wed May 28 2003
User last activity at: *22:31:02.000 UTC Wed May 28 2003
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Prepaid quota:
Quota Type = 'TIME', Quota Value = 120
Current state in forwarding path = 'None' 
Session policing disabled
Prepaid Authorize on Traffic: Example

The following example displays the SSG connection for a prepaid service that is currently frozen; that is, the SSG will request reauthorization when it receives the first packet on this connection:
Router# show ssg connection 192.168.1.5 Prepaid_tariff_svc
------------------------ConnectionObject Content -----------------------
User Name: Prepaid_tariff_host
Owner Host: 192.168.1.5
Associated Service: Prepaid_tariff_svc
Calling station id: 
Connection State: 0 (UP)
Connection Started since: *22:36:54.000 UTC Wed May 28 2003
User last activity at: *22:36:55.000 UTC Wed May 28 2003
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 0
Quota Type = 'TIME', Quota Value = 0
Timeout Value = 0
Current state in forwarding path = 'Wait (Reauthorize on traffic)' 
Session policing disabled
Prepaid Idle Timeout: Example

The following example displays the SSG connection for a prepaid service when the SSG has frozen the connection for a definite period of time (Timeout Value). The SSG will request reauthorization when the timeout value expires. Until then, the SSG either drops the packets or redirects them.
Router# show ssg connection 192.168.1.6 Prepaid_tariff_svc
------------------------ConnectionObject Content -----------------------
User Name: Prepaid_tariff_host
Owner Host: 192.168.1.6
Associated Service: Prepaid_tariff_svc
Calling station id: 
Connection State: 0 (UP)
Connection Started since: *22:39:10.000 UTC Wed May 28 2003
User last activity at: *22:39:10.000 UTC Wed May 28 2003
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 0
Quota Type = 'TIME', Quota Value = 0
Timeout Value = 60
Current state in forwarding path = 'Drop or redirect traffic' 
Session policing disabled
(Prepaid Volume Quota: Example)

The following example displays the SSG connection for a prepaid service when the connection uses a volume-based quota type only:
Router# show ssg connection 192.168.1.7 Prepaid_tariff_svc
------------------------ConnectionObject Content -----------------------
User Name: Prepaid_tariff_host
Owner Host: 192.168.1.7
Associated Service: Prepaid_tariff_svc
Calling station id: 
Connection State: 0 (UP)
Connection Started since: *22:39:10.000 UTC Wed May 28 2003
User last activity at: *22:39:11.000 UTC Wed May 28 2003
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 1000
Current state in forwarding path = 'Volume' 
Session policing disabled
Prepaid Dual Quota: Example

The following example displays the SSG connection for a prepaid service that has both time and volume quotas simultaneously:
Router# show ssg connection 192.168.1.8 Prepaid_tariff_svc
------------------------ConnectionObject Content -----------------------
User Name: Prepaid_tariff_host
Owner Host: 192.168.1.8
Associated Service: Prepaid_tariff_svc
Calling station id: 
Connection State: 0 (UP)
Connection Started since: *22:59:29.000 UTC Wed May 28 2003
User last activity at: *22:59:29.000 UTC Wed May 28 2003
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 1100
Quota Type = 'TIME', Quota Value = 60
Timeout Value = 30
Current state in forwarding path = 'Volume' 
Session policing disabled
Prepaid Tariff-Switching Quota: Example

The following example displays the SSG connection for a prepaid service when it has tariff-switching quota available:
Router# show ssg connection 192.168.1.9 Prepaid_tariff_svc
------------------------ConnectionObject Content ----------------------- User Name: 
Prepaid_tariff_host Owner Host: 192.168.1.9 Associated Service: Prepaid_tariff_svc Calling 
station id: Connection State: 0 (UP) Connection Started since: *23:07:34.000 UTC Wed May 
28 2003 User last activity at: *23:07:34.000 UTC Wed May 28 2003 Connection Traffic 
Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 2000
Tariff-switch time = 1054163314
Quota post tariff-switch  = 1500
Current state in forwarding path = 'Volume'
Session policing disabled
Prepaid Tariff-Switch Quota in Posttariff-Switch Period: Example

The following example displays the SSG connection for a prepaid service when the connection is in the posttariff-switch period.
Router# show ssg connection 192.168.1.10 Prepaid_tariff_svc
------------------------ConnectionObject Content ----------------------- User Name: 
Prepaid_tariff_host Owner Host: 192.168.1.10 Associated Service: Prepaid_tariff_svc 
Calling station id: Connection State: 0 (UP) Connection Started since: *23:07:34.000 UTC 
Wed May 28 2003 User last activity at: *23:08:07.000 UTC Wed May 28 2003 Connection 
Traffic Statistics:
Input Bytes = 1051, Input packets = 2
Output Bytes = 1051, Output packets = 2
Prepaid quota:
Quota Type = 'VOLUME', Quota Value = 3602
Tariff-switch time = 1054163336
Volume usage post tariff-switch  = 0
Current state in forwarding path = 'Volume'
Session policing disabled
Table 16 describes the significant fields shown in the displays.

Table 16 show ssg connection Field Descriptions

Field

Description

User Name

Subscriber name supplied at authentication.

Owner Host

IP address of the subscribed host.

Associated Service

Service name of the connected service.

Connection State

State of activation (up or 0).

Connection Started since

Time (in hh:mm:ss:d) of host connection to the associated service.

User last activity at

Time (in hh:mm:ss:d) of last data packet sent over this connection.

Input Bytes

Number of bytes received on this connection.

Input packets

Number of packets received on this connection.

Output Bytes

Number of bytes sent on this connection.

Output packets

Number of packets sent on this connection.

Quota Type

Form in which the quota value is expressed (time or volume).

Quota Value

Value of the quota (in bytes for volume or seconds for time).

Traffic-switch time

Displays the time stamp when the tariff-switch will occur.

Quota post tariff-switch

Displays the quota available after the tariff-switch occurs.

Volume usage post tariff-switch

Displays the amount of quota (volume) consumed after tariff-switch has taken place.

Current state in forwarding path

Defines the current state in the forwarding path as follows:

•If set to "None", there is no volume quota for the connection.

•If set to "Volume", traffic is forwarded on a volume quota.

•If set to "Wait", on the first packet sent on that connection, SSG will request reauthorization for the connection.

•If set to "Drop or redirect traffic", the traffic on that connection will be dropped, or redirected if TCP redirection for prepaid is configured.

Related Commands

Command

Description

clear ssg connection

Removes the connections of a given host and a service name.

ssg aaa group prepaid

To specify the server group to be used for SSG prepaid authorization, use the ssg aaa group prepaid command in global configuration mode. To remove this specification, use the no form of this command.

ssg aaa group prepaid server-group

no ssg aaa group prepaid server-group

Syntax Description

server-group

Name of the server group to be used for SSG prepaid authorization.

Defaults

If a server group is not specified by using the ssg aaa group prepaid command, the default RADIUS server configured on the router will be used for SSG prepaid authorization.

Command Modes

Global configuration

Command History

Release

Modification

12.2(16)B

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

The ssg aaa group prepaid command allows you to configure a global server for SSG prepaid authorization. Configure the global server group by using the aaa group server radius command. Use the ssg aaa group prepaid command to attach the server group to SSG for SSG prepaid authorization.

Examples

The following example shows a configuration for a global SSG prepaid authorization server:
!
aaa group server radius ssg_prepaid
 server 10.2.3.4 auth-port 1645 acct-port 1646
.
.
.
ssg aaa group prepaid ssg_prepaid
!
Related Commands

Command

Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

Glossary

AAA—Authentication, Authorization and Accounting.

Access-Accept—Response packet from the RADIUS server notifying the access server that the user is authenticated. This packet contains the user profile, which defines the specific AAA functions assigned to the user.

Access-Request—Request packet sent to the RADIUS server by the access server requesting authentication of the user.

MS—Mobile Station.

PS—Prepaid server.

PWLAN—Public Wireless LAN.

SESM—Subscriber Edge Services Manager. Successor product to the Cisco SSD. The SESM is part of a Cisco solution that allows subscribers of digital subscriber line (DSL), cable, wireless, and dialup to simultaneously access multiple services provided by different Internet service providers, application service providers, and corporate access servers.

SSD—The Service Selection Dashboard (SSD) server is a customizable Web-based application that works with the Cisco SSG to allow end customers to log into and disconnect from proxy and pass-through services through a standard Web browser.

SSG—Service Selection Gateway.

VSA—Vendor-Specific Attribute. An attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting attribute-value (AV) pair.

Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.

Copyright © 2003 Cisco Systems, Inc. All rights reserved.

Release	Modification
12.2(16)B	This feature was introduced.
12.3(4)T	Support was added for prepaid tariff switching, postpaid tariff switching, and simultaneous volume- and time-based prepaid billing.

Table 1 Service Authorization VSA Elements
Attribute ID	Vendor ID	Subattribute ID and Type	Attribute Name	Subattribute Data
26	9	251 Service-Info	Service Authorization	The value "Z" indicates that authorization is required.

Table 2 Contents of Service Authorization Request Packet
Attribute ID	Attribute Name	Description	Notes
1	User-Name	Mobile Station (MS) subscriber name	—
2	PAP Password	Global service profile password	—
4	NAS IP Address	SSG IP address	—
6	Service-Type	Framed-user	—
26	Vendor-Specific	Name of service	Subattribute ID 251; code N.
31	Calling-Station-ID	Mobile Station ISDN Number (MSISDN)	The username may appear in this field if the access technology does not provide an MSISDN.
55	Time-Stamp	Time-stamp
44	Acct-Session-ID	Session ID
61	NAS-Port-Type	Asynchronous (value = 0)

Table 3 Content of Service Authorization Access-Accept Packet
Attribute Number	Attribute Name	Description	Notes
6	Service-Type	Framed-user	—
26	Vendor-Specific	Quota	Subattribute ID: 253. The value "Q" indicates that this is the Quota VSA.

Table 4 Quota VSA Elements
Attribute ID	Vendor ID	Subattribute ID and Type	Attribute Name	Subattribute Data
26	9	253 Control-Info	Quota	Q—Control-Info code for prepaid quota. T or V—Quota subcode for time or volume. Numeric string—Quota value.

Table 5 Contents of Service Authorization Response Packet
Attribute ID	Vendor ID	Subattribute ID	Attribute Name	Type	Value
26	9	253	Quota	ASCII string	"QT<seconds>"
26	9	253	Quota	ASCII string	"QV<bytes>"
28	—	—	Idle-timeout	—	—

Table 6 Contents of Service Reauthorization Response Packet
Attribute ID	Vendor ID	Subattribute ID	Status	Attribute Name	Type	Value
28			Optional	Idle-Timeout	Integer	Idle Timeout
26	9	253	Optional	Quota	ASCII string	"QT<seconds> "
26	9	253	Mandatory	Quota-for-Tariff Switching	ASCII string	"QX<seconds>; <bytes>;<bytes>"

Table 7 Interworking of Idle-Timeout and Dual-Quota Functionality
QT	QV	Idle-Timeout	SSG Action
—	—	—	SSG opens the connection. No reauthorization is performed.
0	0	0	SSG opens the connection. Reauthorization occurs when user traffic comes in.
0	0	—	SSG closes or does not open the connection.
0	0	>0	SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.
—	0	>0	SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.
0	>0	0	SSG closes or does not open the connection.
0	>0	>0	SSG closes or does not open the connection.
>0	>0	>0	SSG opens the connection. Reauthorization occurs when QT or QV is exhausted, or no user traffic for a time interval is equal to the idle-timeout value.
>0	>0	—	SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.
>0	>0	0	SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.
>0	0	>0	SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs when QT is exhausted or after a time interval equal to the idle-timeout value.
>0	0	0	SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.

Table 8 Interworking of Dual-Quota Functionality with Idle-Timeout
QT	QXTS;PRE;POST	Idle-Timeout	SSG Action
0	>0;0;0	0	SSG opens the connection. Reauthorization occurs when user traffic comes in.
0	>0;0;0	>0	SSG opens the connection but blocks user traffic (drop or redirect). Reauthorization occurs after a time interval equal to the idle timeout value.
0	Any combination not covered by idle-timeout equal to or greater than 0.	0 or >0	SSG closes or does not open the connection.
>0	>0;>0;>0	>0	SSG opens the connection. Reauthorization occurs when the time based quota (QT) or the prepaid quota (PRE) is exhausted before tariff switching, or when the prepaid (PRE) and postpaid (POST) quotas are exhausted, or when no user traffic occurs for a time interval equal to the idle-timeout value.
>0	>0;>0;0	>0	SSG opens the connection. Reauthorization occurs when QT or PRE is exhausted before tariff switching when tariff switching occurs, or if there is no user traffic occurs for a time interval equal to the idle-timeout value.
>0	>0;>0;>0	0	SSG opens the connection. Reauthorization occurs when QT is exhausted or PRE is exhausted before tariff switching, or when PRE+POST are exhausted.
>0	>0;>0;0	0	SSG opens the connection. Reauthorization occurs when QT is exhausted or PRE is exhausted before tariff switching, or when Tariff Switching occurs.
>0	>0;0;0	0	SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.

Table 9 Reauthorization Reason Attributes
Reauthorization Reason	Description
Not present	No reauthorization reason attribute is sent if reauthorization is performed because of quota expiry (time or volume), except for the special case "QR0".
QR0	A reauthorization reason QR0 is sent if reauthorization is performed because of quota expiry (time) but the user is idle; that is, no user traffic has been received since the reception of the preceding Access-Accept packet. This applies if the preceding Access-Accept packet for service reauthorization contained: •The idle-timeout attribute with value "0" •The volume-quota (QV or QX) attribute with value "0" •The time-quota attribute with value ">0" Reauthorization reason QR0 indicates to the prepaid server that no new (volume) quota needs to be allocated; that is, there is no ongoing user traffic.
QR1	Reauthorization is performed because of idle timer expiry; that is, no user traffic received was for the time specified in the idle-timeout attribute.

Table 10 Contents of Service Reauthorization Request
Attribute ID	Attribute Name	Description	Notes
1	User-Name	MS subscriber name	—
2	PAP Password	Global service profile password	—
4	NAS IP Address	SSG IP address	—
6	Service-Type	Framed-user	—
26	Vendor-Specific	Name of service	Subattribute ID 251; code N.
26	Vendor-Specific	Quota	Subattribute ID 253. The Quota Used VSA has the same format as the Quota VSA.
31	Calling-Station-ID	MSISDN	—
55	Time-Stamp	Time-stamp	—
44	Acct-Session-ID	Session ID	—
61	NAS-Port-Type	Async (value=0)	—

Table 11 Authorization and Reauthorization Behavior
Event	Action
An authorization response is received containing the dual-quota token tariff switch attribute.	Tariff switching is enabled on the SSG for a given prepaid connection.
During data forwarding, the quota runs out before the tariff switch occurs.	SSG performs a reauthorization in the same way as if there was still quota remaining, but no tariff switch attributes are included in the reauthorization response.
During data forwarding, the tariff switch time elapses after the last authorization.	SSG switches from the current quota token to the next quota token. The new token retains the same amount of usage of the original token. The new quota token is now used for real-time accounting.
During data forwarding, the quota runs out after the tariff switch.	SSG will send the quota usage in pre- and posttariff periods back to the prepaid server in the authorization response.
The user logs off the service after the tariff switch.	SSG will report the quota usage in the pre- and posttariff switch periods in the Accounting Stop packet.
The user logs off the service before the tariff switch.	SSG sends a normal Accounting Stop packet, no different from the nontariff-switching case.
Interim accounting	If the connection is in the posttariff switch period, SSG will report quota usage in the pre- or posttariff switching periods in the Accounting Stop packet.

Table 12 VSA Content
Attribute ID	Vendor ID	Subattribute ID and Type	Attribute Name	Subattribute Data
26	9	253 Control-Info	Quota	Q—Control-Info code for prepaid quota. X—Tariff-switch code for prepaid quota. <time>;—Tariff switch time, in seconds. <volume>;—Preswitch quota volume token, in bytes. <volume>— Postswitch quota volume token, in bytes.

Table 13 Content of VSA used in Reauthorization Requests and Accounting Packet
Attribute ID	Vendor ID	Subattribute ID and Type	Attribute Name	Subattribute Data
26	9	253 Control-Info	Quota	Q—Control-Info code for prepaid quota. B;—Tariff-switch code for denoting the total volume used after the last tariff switch. <volume>;—Total volume of traffic in that connection (since start) after the last tariff switch, in bytes. <time>—Tariff switch time in the UNIX time stamp. This is used only in postpaid service accounting records.

Table 14 VSA Content
Attribute ID	Vendor ID	Subattribute ID and Type	Attribute Name	Subattribute Data
26	9	251 Service-Info	post-paid	P—Service-Info code for postpaid service. W—Service-info code for weekly tariff-switch plan. <weekly time>—Weekly tariff-switch time in hh:mm:ss:d format •hh = hour of day <0—23> •mm = minutes <0—59> •ss = seconds <0—59> •d = bitmap format for the days of week. Each weekday is represented by one bit, as follows: –00000001 = Monday –00000010 = Tuesday –00000100 = Wednesday –00001000 = Thursday –00010000 = Friday –00100000 = Saturday –01000000 = Sunday

Table 15 Cookie VSA Elements
Attribute ID	Vendor ID	Subattribute ID and Type	Attribute Name	Subattribute Data
26	9	250 Account-Info	Cookie	V<user-defined cookie>.

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	radius-server attribute 44 include-in-access-req Example: Router(config)# radius-server attribute 44 include-in-access-req	Sends RADIUS attribute 44 (Accounting Session ID) in Access-Request packets before user authentication (including requests for preauthentication).
Step 4	radius-server attribute 55 include-in-acct-req Example: Router(config)# radius-server attribute 55 include-in-acct-req	Sends RADIUS attribute 55 (Event-Timestamp) in accounting packets.

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ssg enable Example: Router(config)# ssg enable	Enables SSG.
Step 4	ssg aaa group prepaid server-group Example: Router(config)# ssg aaa group prepaid ssg_prepaid	Specifies the server group to be used for SSG prepaid authorization.

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	show ssg connection ip-address service-name ip-address Example: Router# show ssg connection 192.168.1.2 myservice 192.168.1.5	Displays information about the host's connection to the specified service, including quota information for prepaid connections.
Step 4	show running-config Example: Router# show running-config	Displays the contents of the currently running configuration file.

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	debug radius Example: Router# debug radius	Displays information associated with RADIUS.
Step 3	debug ssg ctrl-events Example: Router# debug ssg ctrl-events	Displays all event messages for control modules.
Step 4	debug ssg ctrl-packets Example: Router# debug ssg ctrl-packets	Displays packet contents handled by control modules.
Step 5	debug ssg data Example: Router# debug ssg data	Displays all data path packets.

Related Topic	Document Title
SSG	•Service Selection Gateway, Cisco IOS Release 12.2(4)B feature document •Hierarchical Policing for Service Selection Gateway, Cisco IOS Release 12.2(4)B feature document •SSG Autodomain, Cisco IOS Release 12.2(4)B feature document •SSG AutoLogin Using Proxy Radius, Cisco IOS Release 12.2(4)B feature document •SSG Autologoff, Cisco IOS Release 12.2(4)B feature document •Service Selection Gateway Accounting Update Interval per Service, Cisco IOS Release 12.2(4)B •SSG Open Garden, Cisco IOS Release 12.2(4)B feature document •SSG Port-Bundle Host Key, Cisco IOS Release 12.2(4)B feature document •SSG TCP Redirect for Services, Cisco IOS Release 12.2(4)B feature document
Configuring SSG and SESM	•Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation Guide •Cisco Service Selection Dashboard Installation and Configuration Guide •Cisco Service Selection Dashboard Web Developer Guide
Configuring RADIUS	•The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide •The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference

Standards	Title
No new or modified standards are supported by this feature.	—

MIBs	MIBs Link
No new or modified MIBs are supported by this feature.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs	Title
No new or modified RFCs are supported by this feature.	—

Description	Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/public/support/tac/home.shtml

ip-address	IP address of an active Service Selection Gateway (SSG) connection. This is always a subscribed host.
service-name	Name of an active SSG connection.
ip-address	(Optional) IP address through which the host is connected.

Release	Modification
12.0(3)DC	This command was introduced.
12.2(2)B	The interface argument was added.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(8)T	This command was integrated into Cisco IOS Release 12.2(8)T.
12.2(16)B	This command was modified to display information about prepaid and postpaid tariff switching and simultaneous time- and volume-based prepaid billing.
12.3(4)T	The enhancements from Release 12.2(16)B were integrated into Cisco IOS Release 12.3(4)T.

Table 16 show ssg connection Field Descriptions
Field	Description
User Name	Subscriber name supplied at authentication.
Owner Host	IP address of the subscribed host.
Associated Service	Service name of the connected service.
Connection State	State of activation (up or 0).
Connection Started since	Time (in hh:mm:ss:d) of host connection to the associated service.
User last activity at	Time (in hh:mm:ss:d) of last data packet sent over this connection.
Input Bytes	Number of bytes received on this connection.
Input packets	Number of packets received on this connection.
Output Bytes	Number of bytes sent on this connection.
Output packets	Number of packets sent on this connection.
Quota Type	Form in which the quota value is expressed (time or volume).
Quota Value	Value of the quota (in bytes for volume or seconds for time).
Traffic-switch time	Displays the time stamp when the tariff-switch will occur.
Quota post tariff-switch	Displays the quota available after the tariff-switch occurs.
Volume usage post tariff-switch	Displays the amount of quota (volume) consumed after tariff-switch has taken place.
Current state in forwarding path	Defines the current state in the forwarding path as follows: •If set to "None", there is no volume quota for the connection. •If set to "Volume", traffic is forwarded on a volume quota. •If set to "Wait", on the first packet sent on that connection, SSG will request reauthorization for the connection. •If set to "Drop or redirect traffic", the traffic on that connection will be dropped, or redirected if TCP redirection for prepaid is configured.

Command	Description
clear ssg connection	Removes the connections of a given host and a service name.

server-group	Name of the server group to be used for SSG prepaid authorization.

Release	Modification
12.2(16)B	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.

Command	Description
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)