Table Of Contents
SSG Mobile Wireless Enhancements
First Published: November 5, 2007Last Updated: November 5, 2007
The Service Selection Gateway (SSG) is a Cisco IOS software feature set, supported on multiple platforms, that works with the Cisco Subscriber Edge Services Manager (SESM) and other components to provide a subscriber edge services solution. It implements Layer 3 service selection through selective routing of IP packets to destination networks on a per subscriber basis. SSG authenticates users, who are accessing the SSG services, based on the RADIUS access request received from the SESM or from the downstream device such as a Gateway GPRS Support Node (GGSN) or Packet Data Serving Node (PDSN).
The SSG Mobile Wireless Enhancements feature describes additional functionality enhancements including accounting-on-off packet suppression, accounting-start ignore configuration, and Packet of Disconnect (PoD) forwarding to the Network Access Server (NAS).
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for SSG Mobile Wireless Enhancements" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for SSG Mobile Wireless Enhancements
•Before implementing SSG Mobile Wireless enhancements, SSG must be enabled by using the ssg enable command.
•This enhancement supports General Packet Radio Service/Extensible Authentication Protocol (GPRS/EAP) for the SSG. You should understand the following technologies:
–The Serving GPRS Support Node (SGSN) connects the radio access network (RAN) to the GPRS and the 3G Universal Mobile Telecommunication System (UMTS) core and tunnels user sessions to the GGSN. For more information, see Cisco GGSN Release 7.0 Configuration Guide.
–The SSG EAP Transparency feature enables the Cisco Service Selection Gateway (SSG) on a Cisco router to act as a RADIUS proxy during EAP authentication and to create the host. For more information, see the SSG EAP Transparency feature module.
–The Access Zone Router (AZR) provides connectivity, client address management, security services, and routing across a WAN from each access point to an operator's point of presence (POP) or data center. For more information, see the Public Wireless LAN for Service Providers Solutions document.
Restrictions for SSG Mobile Wireless Enhancements
SSG does not process multicast packets.
Information About SSG Mobile Wireless Enhancements
To implement SSG Mobile Wireless enhancements, you should understand the following concepts:
Accounting-On-Off Packet Suppression
While the Service Selection Gateway (SSG) is acting as a RADIUS proxy for the Gateway GPRS Support Node (GGSN), it also receives all accounting packets: accounting-on-off packets as well as accounting-start-stop packets. By default, only accounting-on-off packets are forwarded to the real authentication, authorization, and accounting (AAA) server.
The forward accounting-on-off command allows you to override this default behavior and to suppress transparent proxying of accounting packets.
SSG always proxies accounting-on-off packets received from client GGSNs. These packets are used to signal that the client GGSN has just rebooted (or is about to be rebooted). When SSG receives the packets, SSG destroys all host objects associated with the specified client GGSN before forwarding the packet. SSG uses the NAS IP address in the accounting-on-off packets to determine the affected GGSN. Determining the affected GGSN enables multiple tunnel interfaces to exist between the GGSN and SSG. Although there are multiple RADIUS clients configured at SSG, only a single accounting-on-off packet is generated by the GGSN. As part of the normal SSG functionality, SSG sends accounting-start-stop records for both the active host objects and for any services to which they are connected.
Consider the following scenario in a load-balancing environment. Assume that there are 10 GGSNs and 10 SSGs in the system. In this case, when the GGSN fails, there will be 10 accounting-off packets sent to the RADIUS load balancing (RLB) server farm. The RLB server farm replicates each accounting-off packet to the 10 SSGs. Each SSG in turn forwards these accounting-off packets to the AAA server. So there is a total of 100 accounting-off packets in a short period of time. For some customers the AAA server often has problems handling this high rate of accounting on and off packets, which increases the possibility of a system failure.
In a Cisco Mobile Exchange (CMX) solution, you can enable a server to stop forwarding the accounting-off packets in all the routers except for two or three routers. Enabling the server in this way ensures that the AAA server will not receive the accounting-off packets from every SSG in the system.
Accounting-Start Packet Discards to Retain a Host with Varying IP Addresses
Before Cisco IOS Release 12.4(15)T, the default behavior of the session-identifier msid command for SSG is to disconnect a host object if a second accounting-start packet is received for a Mobile Station Identifier (MSID) address with a different IP address. However, this behavior can cause a problem especially in the Public Wireless Local Area Network (PWLAN) space for clients with multiple interfaces (that is, wireless and Ethernet interfaces), which can result in packets sent from a single interface with multiple source IP addresses.
This enhancement to the session-identifier msid unique ip command instructs SSG to discard the subsequent accounting-start records with the same MSID but a different IP address.
PoD to NAS Forwarding
When SSG, acting as a RADIUS proxy, receives the Packet of Disconnect (PoD) from a RADIUS server, it cleans up the corresponding host object but does not forward the PoD to NAS. As a result, the NAS is not informed about the RADIUS server's decision to disconnect the user session.
This enhancement disconnects the host object when the PoD is received from the AAA server and also forwards it to a downstream device. When SSG forwards the PoD to the downstream NAS, the NAS will send a PoD-ACK/NAK back to SSG. Previously, SSG would have deleted the host object for that particular user at this point. Therefore, this enhancement ensures that SSG ignores the PoD-ACK/NAKs and accounting-stop packets sent by the NAS in response to the forwarded PoD.
On receiving the POD request with radius code 40, SSG disconnects the user by deleting all host-related information maintained by SSG. The following points summarize the PoD support by SSG:
•The host is identified by the following properties:
–Attribute 8: framed IP address
–SSG account-info VSA: port bundle information present with S subattribute
•On finding the host, SSG deletes the host and connections made by the host.
•For a transparent autologon (TAL) user with no host object (a Transparent Passthrough [TP] user), the TP entry will be deleted.
•Inactive hosts will not be deleted.
•In radius-proxy mode, SSG deletes the host object, but PoD will not be forwarded to the downstream device. To clean up the session throughout the network, the AAA server will now send the PoD to downstream devices.
How to Configure SSG Mobile Wireless Enhancements
This section contains the following procedures:
•Suppressing Accounting On-Off Packets (optional)
Suppressing Accounting On-Off Packets
Perform this task to configure SSG to suppress accounting-on-off packets.
2. configure terminal
3. ssg enable
4. ssg radius-proxy
5. no forward accounting-on-off
Retaining a Host with Varying IP Addresses by Ignoring Accounting-Start Packets
Perform this task to configure SSG to enable client devices with multiple IP addresses to access the host.
2. configure terminal
3. ssg enable
4. ssg radius-proxy
5. client-address ip-address
6. key secret
7. session-identifier msid unique ip
Configuration Examples for SSG Mobile Wireless Enhancements
This section provides the following configuration examples:
Suppressing Accounting On-Off Packets: Example
The following example shows how to suppress packet forwarding from the RADIUS client to the AAA server:enableconfigure terminalssg enablessg radius-proxyno forward accounting-on-off
Retaining a Host with Varying IP Addresses by Ignoring Accounting-Start Packets: Example
The following example shows how to configure SSG to identify the specified client session based on the IP address associated with the MSID:enableconfigure terminalssg enablessg radius-proxyclient-address 172.16.1.1key ciscosession-identifier msid unique ip
The following sections provide references related to the SSG Mobile Wireless Enhancements feature.
Related Topic Document Title
Selection Gateway commands: complete command syntax, command mode, command history, defaults, usage guidelines, and example
SSG configuration tasks
SSG EAP Transparency feature module, Release 12.3(4)T
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
PPP Extensible Authentication Protocol (EAP)
Remote Authentication Dial-In User Services (RADIUS)
RADIUS Delegated-IPv6-Prefix Attribute
Microsoft Vendor-Specific RADIUS Attributes
This section documents new and modified commands only.
To allow forwarding of accounting-on-off packets generated by any RADIUS clients to the authentication, authorization, and accounting (AAA) server, use the forward accounting-on-off command in SSG radius-proxy mode. To suppress forwarding of accounting-on-off packets, use the no form of this command.
no forward accounting-on-off
This command has no arguments or keywords.
Accounting-on-off packets generated by RADIUS clients are not sent to the AAA server.
The following example shows how to allow packet forwarding from the RADIUS client to the AAA server:Router(config)# ssg enableRouter(config)# ssg radius-proxyRouter(config-radius-proxy)# forward accounting-on-off
Allows accounting start, stop, and update packets generated by any RADIUS clients to the AAA server.
To override Service Selection Gateway (SSG) automatic RADIUS client session identification and to configure SSG to identify the specified client session by a specific type of ID attribute, use the session-identifier command in SSG radius-proxy client mode. To configure SSG to perform user identification only by the username without using a session identification, use the no form of this command.
session-identifier [acct-sess-id | auto | correlation-id | [msid [unique ip | username]]
no session-identifier [acct-sess-id | auto | correlation-id | [msid [unique ip | username]]
SSG selects the attribute used for session identification according to the type of client device.
SSG radius-proxy client
By default, SSG automatically selects the attribute to use for session identification according to the type of RADIUS client device. This attribute is used in the SSG Proxy RADIUS logon table. SSG assigns the following vendor-specific attributes (VSAs) to identify client sessions:
•3GPP2-Correlation-ID for Packet Data Serving Nodes (PDSNs)
•Accounting-Session-ID for Home Agents (HAs)
•Calling-Station-ID (MSID) for non-CDMA2000 devices such as a general packet radio system (GPRS)
Use the session-identifier command to override the automatic session identification. Use the auto keyword to return to automatic session identification.
The following example shows how to configure SSG to use the correlation ID to identify the specified client session:session-identifier correlation-id
The following example shows how to configure the RADIUS client to proxy all requests from IP address 172.16.1.1 to the RADIUS server, assign the shared secret "cisco" key to the client, and use the Accounting-Session-ID attribute to identify the specified client session:client-address 172.16.1.1key ciscosession-identifier acct-sess-id
The following example shows how to configure SSG to identify the specified client session based on the IP address associated with MSID:Router(config)# ssg enableRouter(config)# ssg radius-proxyRouter(config-radius-proxy)# client-address 172.16.1.1Router(config-radproxy-client)# key ciscoRouter(config-radproxy-client)# session-identifier msid unique ip
Feature Information for SSG Mobile Wireless Enhancements
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
AAA—authentication, authorization, and accounting. The network security service that provides the primary framework through which you set up access control on your router or access server.
CEF—Cisco Express Forwarding. An advanced Layer 3 IP switching technology.
CMX—Cisco Mobile Exchange. A standards-based framework that links the radio-access network (RAN) to IP networks and their value-added, content-based IP services.
EAP—Extensible Authentication Protocol. A framework for transporting authentication protocols. It can be used for authenticating dial-up and VPN connections, and also Local Area Network (LAN) ports in conjunction with IEEE 802.1X.
GGSN—Gateway GPRS Support Node. The General Packet Radio Service (GPRS) provides packet radio access for mobile Global System for Mobile Communications (GSM).
NAS—Network Access Server. Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the PSTN).
PDSN—Packet Data Serving Node. PDSN provides the primary wireless mobile data access to the Internet, intranets, and Wireless Application Protocol (WAP) servers for mobile stations utilizing a CDMA2000 Radio Access Network (RAN).
PoD—Packet of Disconnect. A RADIUS access-request packet that is intended to be used where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access-accept packet.
PWLAN—Public Wireless Local Area Network. A network comprised of a public switched telephone network, a digital subscriber line access multiplexer, and at least one public telephone.
RADIUS—Remote Authentication Dial-In User Service. A distributed client/server system that secures networks against unauthorized access.
SESM—Subscriber Edge Services Manager. An extensible set of applications providing on-demand services and service management.
SSG—Service Selection Gateway.
TAL—Transparent autologin. This feature enables Service Selection Gateway (SSG) to authenticate and authorize a user on the basis of the source IP address of packets received from the user.
TP—Transparent passthrough user. This allows unauthenticated traffic to pass through an interface.
VSA—vendor specific attribute. VSAs allow vendors to support their own proprietary RADIUS attributes that are not included in RFCs 2865 and 2866.
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0710R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.