Cisco IOS Software Releases 12.2 Special and Early Deployments

SSG Prepaid Idle Timeout


Feature History

| Release | Modification |
|---|---|
| 12.2(15)B | This feature was introduced. |
| 12.3(4)T | This feature was integrated into Cisco IOS Release 12.3(4)T. |


This document describes the SSG Prepaid Idle Timeout feature and includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Monitoring and Maintaining SSG Prepaid Idle Timeout

Configuration Examples

Command Reference

Glossary

Feature Overview

SSG

Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as xDSL, cable modems, or wireless to allow simultaneous access to network services.

For more information about SSG, refer to the Service Selection Gateway document.

SSG Prepaid

The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long the connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.

To obtain the first quota for a connection, SSG submits an authorization request to the authentication, authorization, and accounting (AAA) server. The AAA server contacts the prepaid billing server, which forwards the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs the user off.

SSG Prepaid Idle Timeout

The SSG Prepaid Idle Timeout feature enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to the quota for the services that the user is actively using.

When SSG is configured for SSG Prepaid Idle Timeout, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value has expired.

The SSG Prepaid Idle Timeout feature enhances handling of a returned zero quota from the billing server. If a billing server returns a zero quota and a nonzero idle timeout, this indicates that a user has run out of credit for a service. When a user runs out of credit for a service, the user is redirected to the billing server to replenish the quota. When the user is redirected to the billing server, the user's connection to the original service or services is retained. Although the connection remains up, any traffic passing through the connection is dropped. This enables a user to replenish quota on the billing server without losing connections to services or having to perform additional service logons.

Using the SSG Prepaid Idle Timeout feature, you can configure SSG to reauthorize a user before the user completely consumes the allocated quota, and you can configure SSG to drop traffic during reauthorization. Without the SSG Prepaid Idle Timeout feature, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. Dropping traffic during reauthorization prevents this leak, as does configuring a threshold value, which causes SSG to reauthorize a user's connection before the user completely consumes the allocated quota for a service.

SSG Prepaid Idle Timeout enhances SSG to inform the billing server upon any connection failure. This enables the billing server to free quota that was reserved for the connection that failed and to apply this quota immediately to some other active connection.

Service Authorization

SSG sends a service authorization request to the billing server upon initial service authorization. Explicit service authorization is required whenever a user attempts to connect to a prepaid service to ensure that the user has sufficient credit to connect to that service. The billing server responds with the available quota to SSG. If the returned available quota is greater than zero (or not present), SSG allows the user to connect to the service and begins metering using the allotted quota. For this service authorization, an Access-Request packet is generated once the service is identified as a prepaid service. The Access-Request is generated for service authorization regardless of the service type (pass-through, proxy, tunnel, or virtual private dial-up network [VPDN]). Table 1 describes this Access-Request.

Table 1 Contents of Service Authorization Access-Request 

| Attribute Number | Attribute Name | Description | Notes |
|---|---|---|---|
| 1 | User-Name [1] | MS subscriber name | |
| 2 | PAP Password | Global service profile password | |
| 4 | NAS IP Address | SSG IP address | |
| 6 | Service-Type | Framed-user | |
| 7 | Framed Protocol | Framed protocol | |
| 26 | Vendor-Specific | Name of service | Subattribute ID 251; code N. |
| 31 | Calling-Station-ID | MSISDN [2] | |
| 44 | Acct-Session-ID | Session ID | |
| 61 | NAS-Port-Type | Async (value=0) | |

[1] The User-Name is the name of the subscriber and not the name of the service. The name of the service is indicated by the Service Name VSA.

[2] The Calling-Station-ID attribute is for additional user identification and is optional. This attribute is present only if the corresponding host object on SSG contains this information. The Calling-Station-ID attribute is used for hosts in mobile wireless environments and SESM 3-Key users.


The billing server responds to the service authorization Access-Request packet with an Access-Accept packet that defines the quota parameters for the connection. Table 2 describes the Access-Accept for a service authorization request. Authorization for a service is provided according to the presence and content of the Quota (Attribute 26) and the Idle Timeout (Attribute 28) vendor-specific attributes (VSAs) in the Access-Accept.

Table 2 Content of Service Authorization Access-Accept 

| Attribute Number | Attribute Name | Description | Notes |
|---|---|---|---|
| 6 | Service-Type | Framed-user | |
| 26 | Vendor-Specific | Quota | Subattribute ID: 253. The value "Q" indicates that this is the Quota VSA. |
| 28 | Idle Timeout | Prepaid idle timeout | |

The Quota VSA in the service profile has been enhanced to inform the billing server of the reason for the reauthorization request. Table 3 describes the enhanced Quota VSA.

Table 3 Prepaid Idle Timeout and Quota VSA

| Attribute ID | Vendor ID | Subattribute ID and Type | Attribute Name | Subattribute Data |
|---|---|---|---|---|
| 26 | 9 | 253 SSG Control-Info | Quota | Q [T/V] numeric string. Q: Control-Info code for prepaid quota. T or V: Quota subcode for time or volume. numeric string: Quota value. Time in seconds and volume in bytes. |
| | | | | QR[0/1]. R: Quota subcode for reauthorization reason. 0: Reauthorization reason is quota consumed. 1: Reauthorization reason is idle timer expired. |


Table 4 and Table 5 summarize the action performed by SSG as a result of the attributes included in the billing server's answer to the service authorization or service reauthorization request.

Table 4 SSG Responses to the Prepaid Idle Timeout and Volume Quota VSA 

| Quota | Idle-Timeout | SSG Action |
|---|---|---|
| 0 | - | SSG does not open or close the connection. |
| >0 | - | SSG opens the connection and traffic is allowed. |
| >0 | >0 | SSG opens the connection but returns quota back if connection is idle for the number of seconds configured in the timeout. |
| 0 | >0 | SSG opens the connection but drops user traffic and issues a service reauthorization after the idle timeout expires. If TCP Redirection is configured, TCP traffic is redirected as configured. |
| 0 | 0 | SSG opens or continues the connection and issues a new service reauthorization request when the user resumes actively using this service. |


Table 5 SSG Responses to the Prepaid Idle Timeout and Time Quota VSA 

| Quota | Idle-Timeout | SSG Action |
|---|---|---|
| 0 | - | SSG does not open or close the connection. |
| >0 | - | SSG opens the connection and traffic is allowed. |
| 0 | >0 | SSG opens the connection but drops user traffic and issues a service reauthorization after the idle timeout expires. When TCP Redirection is configured, TCP traffic is redirected as configured. |


In time-based quotas, if the traffic on a connection is dropped during reauthorization because the ssg prepaid reauthorization drop-packet command is configured, the time used during the reauthorization is not accounted to that connection. The reauthorization time is deducted from the total session duration when SSG sends the Acct-Session-Time (Attribute 46) in the Accounting Stop and Update packets.

If the billing server responds with a time-based connection to redirect traffic, TCP traffic is redirected. The duration of the TCP redirection is also not accounted to the user's connection.

Service Reauthorization

SSG sends a service reauthorization request to the billing server when a prepaid user's quota is consumed, after the configured idle timeout expires, or when the user's remaining quota reaches the configured threshold value.

Using SSG Prepaid Idle Timeout, service providers can configure how traffic is handled during reauthorization. By default, traffic continues during reauthorization. If the billing server returns a zero quota in the reauthorization response, the connection is terminated, but the data that was in progress during the reauthorization goes through and is not accounted. You can configure SSG to either drop or forward traffic during reauthorization. You can also configure a threshold value, which configures SSG to reauthorize a connection with the billing server before a prepaid user's allocated quota is completely consumed.

Table 6 describes the contents of a service reauthorization request.

Table 6 Content of Service Reauthorization Request 

| Attribute Number | Attribute Name | Description | Notes |
|---|---|---|---|
| 1 | User-Name | MS subscriber name | |
| 2 | PAP Password | Global service profile password | |
| 4 | NAS IP Address | SSG IP address | |
| 6 | Service-Type | Framed-user | |
| 7 | Framed-Protocol | Framed protocol | |
| 26 | Vendor-Specific | Name of service | Subattribute ID 251; code N. |
| 26 | Vendor-Specific | Quota used | Subattribute ID 253. The Quota Used VSA has the same format as the Quota VSA: Q[T/V] numeric string. |
| 26 | Vendor-Specific | Reauthorization reason | Subattribute ID 253; QR[0/1] |
| 31 | Calling-Station-ID | MSISDN | |
| 44 | Acct-Session-ID | Session ID | |
| 61 | NAS-Port-Type | Async (value=0) | |

The reauthorization request for SSG Prepaid Idle Timeout is similar to the reauthorization request for SSG Prepaid. The SSG Prepaid Idle Timeout reauthorization request contains an additional attribute, Reauthorization Reason. If this attribute is not present, the billing server assumes that the reason for the reauthorization request is Primary Quota Consumed. The value of the Reauthorization Reason attribute can be Quota Consumed (QR0) or Idle Timer Expired (QR1).
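The following Python code is an added example, not Cisco code: it decodes the Quota and Reauthorization Reason Control-Info strings of Table 3, builds the two strings a reauthorization request carries (Table 6), and maps an Access-Accept to the SSG action listed in Table 4 or Table 5. It assumes the code letters and digits are concatenated without separators (for example QV11200); the action labels and function names are chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: code letters and digits are concatenated, e.g. "QV11200", "QT30", "QR1".
# The page gives the layouts as "Q [T/V] numeric string" and "QR[0/1]".
_QUOTA_RE = re.compile(r"Q\s*([TV])\s*(\d+)")
_REASON_RE = re.compile(r"Q\s*R\s*([01])")

REAUTH_REASONS = {0: "quota consumed", 1: "idle timer expired"}


@dataclass(frozen=True)
class Quota:
    kind: str   # "TIME" (seconds) or "VOLUME" (bytes)
    value: int

    def encode(self) -> str:
        return f"Q{self.kind[0]}{self.value}"


def parse_quota(text: str) -> Quota:
    """Decode a Quota (or Quota Used) Control-Info string."""
    m = _QUOTA_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a prepaid quota string: {text!r}")
    kind = "TIME" if m.group(1) == "T" else "VOLUME"
    return Quota(kind, int(m.group(2)))


def reauth_control_info(used: Quota, reason: int) -> List[str]:
    """Quota Used and Reauthorization Reason strings for a reauthorization request."""
    if reason not in REAUTH_REASONS:
        raise ValueError("reason must be 0 or 1")
    return [used.encode(), f"QR{reason}"]


def reauth_reason(control_info: Iterable[str]) -> int:
    """Reason code of a reauthorization request, as the billing server reads it."""
    for item in control_info:
        m = _REASON_RE.fullmatch(item.strip())
        if m:
            return int(m.group(1))
    return 0  # attribute absent: the billing server assumes quota consumed


def _bucket(n: Optional[int]) -> str:
    """Reduce a value to the table notation: '-' (absent), '0' or '>0'."""
    if n is None:
        return "-"
    return "0" if n == 0 else ">0"


# Keys are (Quota, Idle-Timeout) cells; labels are this example's names for the table rows.
_ACTIONS = {
    "VOLUME": {  # Table 4
        ("0", "-"): "NOT_OPENED_OR_CLOSED",
        (">0", "-"): "OPEN_FORWARD",
        (">0", ">0"): "OPEN_RETURN_QUOTA_WHEN_IDLE",
        ("0", ">0"): "OPEN_DROP_REAUTH_AFTER_IDLE",
        ("0", "0"): "OPEN_REAUTH_ON_ACTIVITY",
    },
    "TIME": {  # Table 5
        ("0", "-"): "NOT_OPENED_OR_CLOSED",
        (">0", "-"): "OPEN_FORWARD",
        ("0", ">0"): "OPEN_DROP_REAUTH_AFTER_IDLE",
    },
}


def ssg_action(quota_vsa: Optional[str], idle_timeout: Optional[int]) -> str:
    """SSG action for an Access-Accept; None means the attribute is not present."""
    if idle_timeout is not None and idle_timeout < 0:
        raise ValueError("idle timeout cannot be negative")
    if quota_vsa is None:
        # Page text: a quota that is not present is treated like a quota above zero.
        return "OPEN_FORWARD"
    quota = parse_quota(quota_vsa)
    key = (_bucket(quota.value), _bucket(idle_timeout))
    # Combinations the tables do not list are reported, not guessed.
    return _ACTIONS[quota.kind].get(key, "NOT_LISTED")


if __name__ == "__main__":
    # Constructed sample replies: (Quota VSA, Idle-Timeout attribute).
    for vsa, idle in [("QV11200", 60), ("QT0", 60), ("QV0", 0), ("QT30", 60)]:
        print(vsa, idle, "->", ssg_action(vsa, idle))
    print(reauth_control_info(Quota("VOLUME", 4000), 1))
```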

Benefits

Concurrent Service Access

The SSG Prepaid solution is capable of supporting concurrent service access. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to a service while simultaneously connected to other services. Sequential access requires that the user log off from all other services before accessing a service.

Real-Time Billing

The SSG Prepaid feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.

Redirection Upon Exhaustion of Quota

When a user runs out of quota, SSG can redirect the user to a portal where the user can replenish the quota without being disconnected from the service.

Returning Residual Quota

The SSG Prepaid Idle Timeout feature enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to the quota for the services that the user is actively using.

Threshold Values

The SSG Prepaid Idle Timeout feature can prevent revenue leaks by enabling you to configure a threshold value. Configuring a threshold value causes user connections to be reauthorized before the user completely consumes the allotted quota for a service.

Traffic Status During Reauthorization

You can prevent revenue leaks by configuring SSG to drop connected traffic during reauthorization of a service. The user remains connected to the service and does not need to log back onto the service, but no traffic is forwarded during the reauthorization process. This prevents a user from continuing to use a service for which they have run out of quota while the SSG sends a reauthorization request to the billing server. If you configure SSG to drop traffic during reauthorization and configure a threshold value, user traffic continues until the user exhausts the allotted quota. When the allotted quota is used, the traffic is dropped until SSG receives a reauthorization response.

Restrictions

Quotas are measured in seconds for time or bytes for volume. There is no way to change the unit of measure.

The volume quota is for combined upstream and downstream traffic.

Simultaneous time and volume quotas for the same service connection are not supported.

Returning quota when the connection is idle is supported only for volume-based connections and is not supported for time-based connections.

When a user has run out of quota and replenished the quota at the billing server, SSG receives the updated quota and resumes the connection only after the next reauthorization.

Related Features and Technologies

Mobile wireless

RADIUS

Service Selection Gateway (SSG)

SSG Prepaid

Related Documents

Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide 

The "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide

Cisco IOS Security Command Reference, Release 12.3 T

Service Selection Gateway 

SSG Autodomain 

SSG AutoLogon Using Proxy Radius 

SSG Autologoff 

SSG Accounting Update Interval per Service 

SSG Hierarchical Policing 

SSG Open Garden 

SSG Port-Bundle Host Key 

SSG Prepaid 

SSG TCP Redirect for Services 

Supported Platforms

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

You must enable SSG accounting in order for the SSG Prepaid feature to be used. SSG accounting is enabled by default. If it has been disabled, reenable it by using the ssg accounting command in global configuration mode.

The SSG Prepaid feature requires the AAA server to have prepaid billing support.

You must configure SSG to send Attribute 55 in accounting requests.

Configuration Tasks

See the following sections for configuration tasks for the SSG Prepaid Idle Timeout feature. Each task in the list is identified as either required or optional.

Configuring SSG Prepaid (required)

Configuring TCP Redirect (required)

Configuring Service-Specific TCP Redirect (optional)

Configuring a Threshold Value (optional)

Configuring Traffic Status During Reauthorization (optional)

Configuring SSG Prepaid

To configure SSG to provide the prepaid billing server with session ID and time-stamp information, use the following commands in global configuration mode:

| Command | Purpose |
|---|---|
| Router(config)# radius-server attribute 44 include-in-access-req | Sends RADIUS attribute 44 (Acct-Session-ID) in Access-Request packets before performing user authentication (including requests for preauthentication). |
| Router(config)# radius-server attribute 55 include-in-acct-req | Sends RADIUS attribute 55 (Time-Stamp) in accounting packets. |


Configuring TCP Redirect

To configure SSG to redirect a user's TCP traffic to a prepaid portal when the user runs out of quota on the billing server, use the following commands beginning in global configuration mode:

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# ssg enable | Enables SSG. |
| Step 2 | Router(config)# ssg tcp-redirect | Enables SSG TCP redirect. |
| Step 3 | Router(config-ssg-redirect)# server-group group-name | Defines the group of one or more servers that make up a named captive portal group and enters SSG-redirect-group configuration mode. group-name: Name of the captive portal group. |
| Step 4 | Router(config-ssg-redirect-group)# server ip-address port | Adds a server to a captive portal group. ip-address: IP address of the server to add to the captive portal group. port: TCP port of the server to add to the captive portal group. |
| Step 5 | | Repeat Step 4 to add servers to the captive portal group. |
| Step 6 | Router(config-ssg-redirect-group)# end | Exits SSG-redirect-group configuration mode. |
| Step 7 | Router(config-ssg-redirect)# redirect prepaid-user to group-name | Configures a captive portal group for redirection of prepaid user traffic. group-name: Name of the captive portal group. |

Configuring Service-Specific TCP Redirect

To redirect all prepaid users that are connected to a particular service to a specific port, enter the following commands beginning in global configuration mode:

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# ssg enable | Enables SSG. |
| Step 2 | Router(config)# ssg tcp-redirect | Enables SSG TCP redirect. |
| Step 3 | Router(config-ssg-redirect)# server-group group-name | Defines the group of one or more servers that make up a named captive portal group and enters SSG-redirect-group configuration mode. group-name: Name of the captive portal group. |
| Step 4 | Router(config-ssg-redirect-group)# server ip-address port | Adds a server to a captive portal group. ip-address: IP address of the server to add to the captive portal group. port: TCP port of the server to add to the captive portal group. |
| Step 5 | | Repeat Step 4 to add servers to the captive portal group. |
| Step 6 | Router(config-ssg-redirect-group)# end | Exits SSG-redirect-group configuration mode. |
| Step 7 | 26=9=251=Z group-name | Configure the service profile with the group-name configured in Step 3 to redirect the service's prepaid traffic. |

Configuring a Threshold Value

To configure SSG to reauthorize a prepaid user's connection before the user has completely consumed the allotted quota for a service, you can configure a threshold value. Configure either a time-based or a volume-based threshold value by entering the following commands in global configuration mode:

| Command | Purpose |
|---|---|
| Router(config)# ssg prepaid threshold time seconds | Configures SSG to reauthorize a prepaid user's connection when the user's remaining quota reaches the threshold time value. seconds: Threshold time, in seconds. Valid values are 0 to 6565656 seconds. |
| Router(config)# ssg prepaid threshold volume bytes | Configures SSG to reauthorize a prepaid user's connection when the user's remaining quota reaches the threshold volume value. bytes: Threshold volume, in bytes. Valid values are 0 to 65535566 bytes. |

Configuring Traffic Status During Reauthorization

To configure SSG to drop traffic during reauthorization if threshold values are not configured, use the following command in global configuration mode:

| Command | Purpose |
|---|---|
| Router(config)# ssg prepaid reauthorization drop-packet | Configures SSG to drop traffic during reauthorization, when threshold values are not configured. |


Note When threshold values are configured, traffic is dropped during reauthorization after a user completely exhausts the allotted quota and before SSG gets a reauthorization response from the billing server.


Verifying SSG Prepaid Idle Timeout

To verify the configuration of the SSG Prepaid Idle Timeout feature, use the following commands:


Step 1 Enter the show ssg connection command to display information about the host's connection to the specified service, including quota information for prepaid connections.

The following output is displayed for a user who fulfills the volume quota without any idle timeouts:

Router# show ssg connection 172.16.0.0 Internet


 ------------------------ConnectionObject Content -----------------------
User Name:quser
Owner Host:172.16.0.0
Associated Service:Internet
Connection State:0 (UP)
Connection Started since:*01:45:09.000 GMT Thu Oct 9 2003
User last activity at:*01:45:09.000 GMT Thu Oct 9 2003
Connection Traffic Statistics:
Prepaid quota:

Session policing disabled

The following output is displayed for a user who has a zero or nonzero volume quota with nonzero idle timeout:

Router# show ssg connection 172.16.0.0 Internet

------------------------ConnectionObject Content -----------------------
User Name:quser
Owner Host:172.16.0.0
Associated Service:Internet
Connection State:0 (UP)
Connection Started since:*02:29:09.000 GMT Thu Oct 9 2003
User last activity at:*02:30:14.000 GMT Thu Oct 9 2003
Connection Traffic Statistics:
         Input Bytes = 4000, Input packets = 40
         Output Bytes = 4000, Output packets = 40

Prepaid quota:
        Quota Type = 'VOLUME', Quota Value = 11200
        Timeout Value = 60

Session policing disabled

The following output is displayed for a user who has a zero volume quota with zero idle timeout:

Router# show ssg connection 172.16.0.0 Internet

------------------------ConnectionObject Content -----------------------
User Name:quser
Owner Host:172.16.0.0
Associated Service:Internet
Connection State:0 (UP)
Connection Started since:*02:29:09.000 GMT Thu Oct 9 2003
User last activity at:*02:31:11.000 GMT Thu Oct 9 2003
Connection Traffic Statistics:
           Input Bytes = 4800, Input packets = 48
           Output Bytes = 4900, Output packets = 49
Prepaid quota:
        Quota Type = 'VOLUME', Quota Value = 9700
        Timeout Value = 0

Session policing disabled

The following output is displayed when a user receives a time quota:


Router# show ssg connection 172.16.0.0 Internet

------------------------ConnectionObject Content -----------------------
User Name:quser
Owner Host:172.16.0.0
Associated Service:Internet
Connection State:0 (UP)
Connection Started since:*02:35:51.000 GMT Thu Oct 9 2003
User last activity at:*02:35:51.000 GMT Thu Oct 9 2003
Connection Traffic Statistics:
       Input Bytes = 0, Input packets = 0
       Output Bytes = 0, Output packets = 0
Prepaid quota:
        Quota Type = 'TIME', Quota Value = 30
Session policing disabled

The following output is displayed when a user receives a zero time quota with idle timeout:

Router# show ssg connection 172.16.0.0 Internet

------------------------ConnectionObject Content -----------------------
User Name:quser
Owner Host:172.16.0.0
Associated Service:Internet
Connection State:0 (UP)
Connection Started since:*02:38:20.000 GMT Thu Oct 9 2003
User last activity at:*02:38:20.000 GMT Thu Oct 9 2003
Connection Traffic Statistics:
         Input Bytes = 0, Input packets = 0
         Output Bytes = 0, Output packets = 0
Prepaid quota:
         Quota Type = 'TIME', Quota Value = 0
         Timeout Value = 60

Session policing disabled

Step 2 Enter the show ssg service command to display the redirect group configured for a service:

Router# show ssg service Internet

------------------------ ServiceInfo Content -----------------------
Uplink IDB: gw:10.0.0.0
Name:Internet
Type:PASS-THROUGH
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Service refresh timeleft:102 minutes
Authorization Required
Authorization Required
Authentication Type:CHAP
Reference Count:1

DNS Server(s):
No Radius server group created. No remote Radius servers.
Prepaid Redirect Service Group = InternetRedirectGroup  ! Service-specific redirect group

Included Network Segments:
       172.16.0.0/255.255.0.0
Excluded Network Segments:
ConnectionCount 1
Full User Name not used

Domain List:

Active Connections:
         1   :RealIP=10.0.0.0, Subscriber=172.18.0.2

------------------------ End of ServiceInfo Content ----------------

Step 3 Enter the show ssg tcp-redirect group command to display the configured redirect server groups. The output displayed shows two configured redirect groups. The redirect default group called "DefaultRedirectGroup" is used to redirect prepaid connections when a user runs out of quota, and the corresponding service is not configured with any service-specific redirect group:

Router# show ssg tcp-redirect group 

Current TCP redirect groups:
  InternetRedirectGroup
  DefaultRedirectGroup 
! The default redirect group is used to redirect prepaid connections when the user runs out of quota and the corresponding service is not configured with any service-specific redirect group.

Unauthenticated user redirect group:None Set
Default service redirect group:None Set
Prepaid user default redirect group:DefaultRedirectGroup
SMTP forwarding group:None Set
Default initial captivation group:None Set
Default advertising  captivation group:None Set


Step 4 Enter the show running-config command to display the contents of the current running configuration:

Router# show running-config

.
.
.
ssg prepaid reauthorization drop-packet
ssg prepaid threshold volume 2000
ssg prepaid threshold time 10
.
.
.
ssg tcp-redirect
  server-group InternetRedirectGroup
    server 9.2.36.253 8080
    server 9.2.36.100 80
!
  server-group DefaultRedirectGroup
    server 10.0.0.1 8080
    server 10.0.0.20 80
!
 redirect prepaid-user to DefaultRedirectGroup
.
.
.
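An offline check of a saved running configuration against the required and optional tasks described above, as an added example (not Cisco tooling). The function names and finding codes are invented for this example, the redirect-group consistency check is a sanity check added here, and both sample configurations are constructed from values used on this page.

```python
import re
from typing import Dict, List, Tuple

# Upper bounds as stated in the "Configuring a Threshold Value" task on this page.
THRESHOLD_MAX = {"time": 6565656, "volume": 65535566}

Finding = Tuple[str, str]  # (code, explanation); codes are this example's own


def parse_redirect_groups(lines: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Collect 'server-group NAME' blocks and their 'server IP PORT' members."""
    groups: Dict[str, List[Tuple[str, int]]] = {}
    current = None
    for ln in lines:
        m = re.fullmatch(r"server-group (\S+)", ln)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = re.fullmatch(r"server (\S+) (\d+)", ln)
        if m and current is not None:
            groups[current].append((m.group(1), int(m.group(2))))
        elif ln and not ln.startswith("!"):
            current = None  # any other command ends the server-group block
    return groups


def audit_ssg_prepaid(config: str) -> List[Finding]:
    lines = [ln.strip() for ln in config.splitlines()]
    present = set(lines)
    findings: List[Finding] = []

    def need(cmd: str, code: str, why: str) -> None:
        if cmd not in present:
            findings.append((code, f"missing '{cmd}': {why}"))

    need("radius-server attribute 44 include-in-access-req", "NO_ATTR44",
         "Access-Requests carry no Acct-Session-ID for the billing server")
    need("radius-server attribute 55 include-in-acct-req", "NO_ATTR55",
         "accounting packets carry no time stamp")
    need("ssg enable", "SSG_DISABLED", "SSG is not enabled")
    need("ssg tcp-redirect", "NO_TCP_REDIRECT", "TCP redirect is a required task")
    if "no ssg accounting" in present:
        findings.append(("ACCOUNTING_OFF", "SSG Prepaid requires SSG accounting"))

    groups = parse_redirect_groups(lines)
    target = None
    for ln in lines:
        m = re.fullmatch(r"redirect prepaid-user to (\S+)", ln)
        if m:
            target = m.group(1)
    if target is None:
        findings.append(("NO_PREPAID_REDIRECT",
                         "no redirect group configured: prepaid traffic is dropped"))
    elif not groups.get(target):
        findings.append(("EMPTY_REDIRECT_GROUP",
                         f"group '{target}' is undefined or has no servers"))

    thresholds = []
    for ln in lines:
        m = re.fullmatch(r"ssg prepaid threshold (time|volume) (\d+)", ln)
        if m:
            thresholds.append((m.group(1), int(m.group(2))))
    for kind, value in thresholds:
        if value > THRESHOLD_MAX[kind]:
            findings.append(("THRESHOLD_RANGE",
                             f"{kind} threshold {value} exceeds {THRESHOLD_MAX[kind]}"))
    if "ssg prepaid reauthorization drop-packet" not in present and not thresholds:
        findings.append(("REAUTH_LEAK",
                         "traffic forwarded during reauthorization is not accounted "
                         "if the billing server returns a zero quota"))
    return findings


# Constructed sample: attribute 55 missing, empty portal group, default reauthorization.
WEAK_CONFIG = """
radius-server attribute 44 include-in-access-req
ssg enable
ssg tcp-redirect
 server-group DefaultRedirectGroup
 !
 redirect prepaid-user to DefaultRedirectGroup
"""

# Constructed sample built from the commands and values shown on this page.
HARDENED_CONFIG = """
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
ssg enable
ssg prepaid reauthorization drop-packet
ssg prepaid threshold volume 2000
ssg tcp-redirect
 server-group DefaultRedirectGroup
  server 10.0.0.1 8080
  server 10.0.0.20 80
 !
 redirect prepaid-user to DefaultRedirectGroup
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssg_prepaid(cfg))
```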

Troubleshooting Tips

To display all debug TCP redirect information, use the debug ssg tcp-redirect command.

Monitoring and Maintaining SSG Prepaid Idle Timeout

To monitor and maintain SSG Prepaid Idle Timeout functionality, use the following commands in privileged EXEC mode:

Command
Purpose

Router# debug radius

Displays information associated with RADIUS.

Router# debug ssg ctrl-error

Displays all error messages for control modules.

Router# debug ssg ctrl-events

Displays all event messages for control modules.

Router# debug ssg ctrl-packets

Displays packet contents handled by control modules.

Router# debug ssg data

Displays all data path packets.

Router# debug ssg errors

Displays all error messages for the system modules.

Router# debug ssg tcp-redirect {error | event | packet}

Turns on debugging information for the SSG TCP Redirect for Services feature.

error—Displays any SSG TCP redirect errors.

event—Displays any major SSG TCP redirect events or state changes.

packet—Displays redirection information and any changes made to a packet when it is due for redirection.

Router# show ssg tcp-redirect group [group-name]

Lists all configured captive portal groups and indicates which group receives redirected packets from unauthorized users. If the group-name is specified, this command displays detailed information about that captive portal group.

Router# show tcp-redirect mappings [ip-address] [interface]

Displays the redirect mappings currently stored in SSG. If the host ip-address is provided, this command displays detailed redirect mapping information for the specified host. The TCP redirect mappings are removed automatically after the TCP session terminates or is idle for more than 60 seconds.


Configuration Examples

This section provides the following configuration examples:

Configuring SSG Prepaid Example

Configuring TCP Redirect Example

Configuring Service-Specific TCP Redirect Example

Configuring a Threshold Value Examples

Configuring Traffic Status During Reauthorization Example

Configuring SSG Prepaid Example

The following example shows how to configure SSG to provide the prepaid billing server with session ID and time-stamp information:

radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req

Configuring TCP Redirect Example

The following example shows how to configure a captive portal group called "DefaultRedirectGroup", add two servers to "DefaultRedirectGroup", and redirect prepaid users to the newly created captive portal:

ssg enable
ssg tcp-redirect
 server-group DefaultRedirectGroup
  server 10.0.0.1 8080
  server 10.0.0.20 80
  end
 redirect prepaid-user to DefaultRedirectGroup

Configuring Service-Specific TCP Redirect Example

The following example shows how to redirect all prepaid service traffic to the captive portal group called "InternetRedirectGroup" and to configure the captive portal group as the server group used for redirecting prepaid traffic:

ssg enable
ssg tcp-redirect
 server-group InternetRedirectGroup
  server 10.0.0.1 8080
  server 10.0.0.20 80
  end

Service Profile for InternetRedirectGroup

ServiceInfo="Z"

Configuring a Threshold Value Examples

The following example shows how to configure a threshold time value of 10 seconds:

ssg prepaid threshold time 10

The following example shows how to configure a threshold volume value of 2000 bytes:

ssg prepaid threshold volume 2000

Configuring Traffic Status During Reauthorization Example

The following example shows how to configure SSG to drop traffic during reauthorization:

ssg prepaid reauthorization drop-packet

Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

redirect prepaid-user to

ssg prepaid reauthorization drop-packet

ssg prepaid threshold

redirect prepaid-user to

To configure a captive portal group for redirection of prepaid user traffic, use the redirect prepaid-user to command in SSG-redirect configuration mode. To configure SSG not to redirect prepaid users to the specified captive portal group, use the no form of this command.

redirect prepaid-user to group-name

no redirect prepaid-user to group-name

Syntax Description

group-name    Name of the captive portal group


Defaults

If no redirect group is configured, prepaid traffic is dropped.

Command Modes

SSG-redirect

Command History

Release      Modification
12.2(15)B    This command was introduced.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

Use this command to configure and name a captive portal group to which prepaid user traffic is redirected. When a user that is logged on to a prepaid service runs out of quota on the billing server, the user is redirected to the configured captive portal group if the service is not configured with any specific redirect server group. Once redirected to the captive portal group, the user can refill the quota on the billing server without being disconnected from the original prepaid service.

The captive portal group is the default group for all services that are not configured with a redirect group.

Examples

The following example shows how to configure a captive portal group called "DefaultRedirectGroup", add two servers to "DefaultRedirectGroup", and redirect prepaid users to the newly created captive portal:

ssg enable
ssg tcp-redirect
 server-group DefaultRedirectGroup
  server 10.0.0.1 8080
  server 10.0.0.20 80
  ! exit (not end) returns to SSG-redirect mode, where the redirect command is entered
  exit
 redirect prepaid-user to DefaultRedirectGroup
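
The redirect decision from the usage guidelines above, as an added Python example (not Cisco code) that parses a configuration and reports where a prepaid user with no quota left ends up. The `service_group` parameter and the "misconfigured" outcome are assumptions made for this check; the page does not say how SSG treats a group that is referenced but has no servers.

```python
import re

# Constructed sample, modelled on the TCP redirect example on this page.
SAMPLE_CONFIG = """\
ssg enable
ssg tcp-redirect
 server-group DefaultRedirectGroup
  server 10.0.0.1 8080
  server 10.0.0.20 80
  exit
 redirect prepaid-user to DefaultRedirectGroup
"""

def parse_redirect(config):
    """Return (groups, default); groups maps group name -> [(ip, port)]."""
    groups, default, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"server-group (\S+)", line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif (m := re.fullmatch(r"server (\S+) (\d+)", line)) and current:
            groups[current].append((m.group(1), int(m.group(2))))
        elif m := re.fullmatch(r"redirect prepaid-user to (\S+)", line):
            default = m.group(1)   # the "no" form does not match this pattern
    return groups, default

def resolve_redirect(config, service_group=None):
    """Decide what happens to a prepaid user whose quota has run out.

    service_group: redirect group named in the service profile, if any
    (hypothetical parameter; the profile is not part of the router config).
    """
    groups, default = parse_redirect(config)
    chosen = service_group or default   # service-specific group wins
    if chosen is None:
        return ("drop", [])             # page default: no group, traffic dropped
    if not groups.get(chosen):
        return ("misconfigured", [])    # assumption: flag undefined or empty group
    return ("redirect", groups[chosen])
```
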

Related Commands

Command             Description
server              Adds a server to a captive portal group.
server-group        Defines the group of one or more servers that make up a named captive portal group and enters SSG-redirect-group configuration mode.
ssg tcp-redirect    Enables SSG TCP redirect and enters SSG-redirect mode.


ssg prepaid reauthorization drop-packet

To configure Service Selection Gateway (SSG) to drop prepaid traffic during reauthorization if threshold values are not configured, use the ssg prepaid reauthorization drop-packet command in global configuration mode. To configure SSG to forward traffic during reauthorization instead of dropping it, use the no form of this command.

ssg prepaid reauthorization drop-packet

no ssg prepaid reauthorization drop-packet

Syntax Description

This command has no arguments or keywords.

Defaults

SSG forwards traffic during reauthorization by default.

Command Modes

Global configuration

Command History

Release      Modification
12.2(15)B    This command was introduced.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

SSG sends a service reauthorization request to the billing server when a prepaid user's quota is consumed or after the configured idle timeout expires. If the billing server returns a zero quota in the reauthorization response, the connection is disconnected, but the data that was in progress during the reauthorization is not counted in the reauthorization.

Use this command to configure how traffic is handled during reauthorization. This command configures SSG to drop all prepaid user traffic during reauthorization when threshold values are not configured. If you configure SSG to drop traffic during reauthorization and a threshold value is configured, traffic is not dropped during reauthorization until the user exhausts the allotted quota. If a user exhausts the allotted quota, traffic gets dropped until SSG receives the reauthorization response. By default, traffic continues during reauthorization.

Use the no ssg prepaid reauthorization drop-packet command to configure SSG not to drop any traffic during reauthorization.

Examples

The following example shows how to configure SSG to drop traffic during reauthorization:

ssg prepaid reauthorization drop-packet

Related Commands

Command                  Description
ssg prepaid threshold    Configures SSG to reauthorize a prepaid user's connection when the user's remaining quota reaches the configured threshold value.


ssg prepaid threshold

To configure a Service Selection Gateway (SSG) prepaid threshold value, use the ssg prepaid threshold command in global configuration mode. To disable the SSG prepaid threshold value, use the no form of this command.

ssg prepaid threshold {volume bytes | time seconds}

no ssg prepaid threshold {volume bytes | time seconds}

Syntax Description

volume     Prepaid threshold volume configuration.
bytes      Threshold volume, in bytes. Valid range is from 0 to 65535566 bytes.
time       Prepaid threshold time configuration.
seconds    Threshold time, in seconds. Valid range is from 0 to 6565656 seconds.


Defaults

No SSG prepaid threshold values are configured, and reauthorization happens only after a user has completely exhausted the allotted quota.

Command Modes

Global configuration

Command History

Release      Modification
12.2(15)B    This command was introduced.
12.3(4)T     This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

Use this command to configure an SSG prepaid threshold value. By default, SSG reauthorizes a prepaid user's connection only after the user's allotted quota has been consumed. When a prepaid threshold value is configured, SSG reauthorizes a prepaid user's connection before the user has completely consumed the allotted quota for a service.

For a prepaid threshold time configuration, the threshold time is in seconds and should be configured to be at least equal to the connection reauthorization time.

For a prepaid threshold volume configuration, the threshold volume is in bytes and should be at least equal to the user's bandwidth multiplied by the reauthorization time. Calculate the prepaid threshold volume value using the following formula:

TH >= BW * T

TH (bytes) = threshold value

BW (Bps) = user's bandwidth

T (seconds) = reauthorization time

Examples

The following example shows how to configure a threshold time value of 10 seconds:

ssg prepaid threshold time 10

The following example shows how to configure a threshold volume value of 2000 bytes:

ssg prepaid threshold volume 2000
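
How the threshold formula above interacts with the ssg prepaid reauthorization drop-packet setting, as an added Python example (not Cisco code) that reads the two commands from a configuration and models one volume-quota reauthorization. The inputs `bw_bps` and `reauth_s` are assumed operator measurements, and the status labels are names chosen for this example.

```python
import re

# Constructed sample: the threshold and drop-packet examples from this page.
SAMPLE_CONFIG = (
    "ssg prepaid threshold volume 2000\n"
    "ssg prepaid reauthorization drop-packet\n"
)

def parse_prepaid(config):
    """Extract the prepaid settings this page documents."""
    s = {"drop_packet": False, "threshold_volume": None, "threshold_time": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ssg prepaid reauthorization drop-packet":
            s["drop_packet"] = True
        elif m := re.fullmatch(r"ssg prepaid threshold (volume|time) (\d+)", line):
            s["threshold_" + m.group(1)] = int(m.group(2))
    return s

def reauth_outcome(config, bw_bps, reauth_s):
    """Model one reauthorization for a user sending at bw_bps bytes per second.

    reauth_s is the time, in seconds, the billing server takes to answer.
    """
    s = parse_prepaid(config)
    th = s["threshold_volume"] or 0      # no threshold: reauth starts at zero quota
    needed = bw_bps * reauth_s           # page formula: TH >= BW * T
    beyond = max(0, needed - th)         # bytes arriving after quota is exhausted
    if beyond == 0:
        status = "covered"               # response arrives before quota runs out
    elif s["drop_packet"]:
        status = "dropped"               # held back until the response arrives
    else:
        status = "forwarded-beyond-quota"  # default: traffic continues
    return {"status": status, "bytes_beyond_quota": beyond, "min_threshold": needed}
```

A "forwarded-beyond-quota" result with a non-zero byte count means the threshold is below BW * T for that user and the excess traffic passes during reauthorization.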

Related Commands

Command                                    Description
ssg prepaid reauthorization drop-packet    Configures SSG to drop prepaid traffic during reauthorization.


Glossary

Access-Accept—Response packet from the RADIUS server notifying the access server that the user is authenticated. This packet contains the user profile, which defines the specific AAA functions assigned to the user.

Access-Request—Request packet sent to the RADIUS server by the access server requesting authentication of the user.

SESM—Subscriber Edge Services Manager. The SESM is part of a Cisco solution that allows subscribers of digital subscriber line (DSL), cable, wireless, and dial-up to simultaneously access multiple services provided by different Internet service providers, application service providers, and corporate access servers.

SSG—Service Selection Gateway.

VPDN—virtual private dial-up network. A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an Internet service provider (ISP) network to a private network.

VSA—vendor-specific attribute. An attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting attribute-value (AV) pair.


Note: Refer to Internetworking Terms and Acronyms for terms not included in this glossary.