Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4
Configuring SSG Support for Subnet-Based Authentication


First Published: May 2, 2005
Last Updated: October 2, 2009

Note: Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.


The SSG Support for Subnet-Based Authentication feature allows a service provider to identify subscribers to services by their subnet, rather than by a subscriber's IP address. This module describes how the Cisco Service Selection Gateway (SSG) recognizes and manages subnet-based subscribers.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSG Support for Subnet-Based Authentication" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for SSG Support for Subnet-Based Authentication

Restrictions for SSG Support for Subnet-Based Authentication

Information About SSG Support for Subnet-Based Authentication

How to Configure SSG Support for Subnet-Based Authentication

Additional References

Feature Information for SSG Support for Subnet-Based Authentication

Prerequisites for SSG Support for Subnet-Based Authentication

SSG must be enabled before subnet-based authentication for SSG can be configured.

Restrictions for SSG Support for Subnet-Based Authentication

If the Port-Bundle Host Key (PBHK) feature is used with subscribers, the port bundle allocated to a subscriber will be shared for all IP addresses within the IP subnet.

RADIUS proxy deployments do not support subnet-based subscribers.

Subnet-based authentication is not supported for users with PPP-based access.

Once a subscriber is identified as a subnet-based subscriber, all other individual subscribers on the same subnet will be tracked as part of the same subnet subscriber.

Services that require Network Address Translation (NAT) are not supported.

Information About SSG Support for Subnet-Based Authentication

To configure the SSG Support for Subnet-Based Authentication feature, you should understand the following concepts:

Identifying Subnet-Based Subscribers

Benefits of SSG Support for Subnet-Based Authentication

Identifying Subnet-Based Subscribers

Subnet-based subscribers are identified whenever SSG receives a subnet mask along with an IP address from the authentication, authorization, and accounting (AAA) server. The IP address is found in the RADIUS Framed-IP (FIP) attribute (RADIUS attribute 8), and the IP subnet mask is found in the RADIUS-Framed-IP-Netmask (FIN) attribute (RADIUS attribute 9).
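
The identification rule above, as an added example (not Cisco code): a Python parser that walks the attributes of a RADIUS Access-Accept and reports a subnet-based subscriber when attribute 8 (Framed-IP-Address in RFC 2865) arrives together with attribute 9 (Framed-IP-Netmask). The function names and the sample packet are constructed for illustration, and the Response Authenticator is not checked.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8   # RADIUS attribute 8 (FIP on this page)
FRAMED_IP_NETMASK = 9   # RADIUS attribute 9 (FIN on this page)

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def classify(packet: bytes):
    """Return ('subnet', IPv4Network), ('host', IPv4Address) or ('none', None)."""
    attrs = parse_attributes(packet)
    ip, mask = attrs.get(FRAMED_IP_ADDRESS), attrs.get(FRAMED_IP_NETMASK)
    if ip is None or len(ip) != 4:
        return ("none", None)
    if mask is None or len(mask) != 4:
        return ("host", ipaddress.IPv4Address(ip))
    # An address plus a mask is what marks a subnet-based subscriber.
    # strict=False reduces 10.0.1.1/255.255.255.0 to network ID 10.0.1.0/24.
    dotted = str(ipaddress.IPv4Address(mask))
    return ("subnet", ipaddress.IPv4Network((ip, dotted), strict=False))

def build_accept(attrs) -> bytes:
    """Constructed Access-Accept for the demo; the authenticator is zeroed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    ip = ipaddress.IPv4Address("10.0.1.1").packed
    mask = ipaddress.IPv4Address("255.255.255.0").packed
    for attrs in ([(1, b"dev-user2"), (8, ip), (9, mask)], [(1, b"dev-user2"), (8, ip)]):
        kind, scope = classify(build_accept(attrs))
        size = scope.num_addresses if kind == "subnet" else 1
        print(kind, scope, "addresses covered by this profile:", size)
```

A wide mask in the AAA profile extends one authentication to every address in the range, so the address count is worth reviewing for each profile that returns attribute 9.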

Benefits of SSG Support for Subnet-Based Authentication

Subnet-based authentication of subscribers gives service providers the option to provide services to their enterprise customers based on the IP subnet rather than on an individual IP address. This capability eliminates the need for each subscriber to self-identify and log in. Applications of subnet-based authentication include business internet services, video streaming, and pay-per-use Internet access for small office/home office (SOHO) customers.

How to Configure SSG Support for Subnet-Based Authentication

No configuration is required to identify subnet-based subscribers. Whenever SSG receives a subscriber's IP address and subnet mask from the AAA (RADIUS) server, SSG will treat that subscriber as a subnet-based subscriber.

This section contains the following task:

Verifying SSG Support for Subnet-Based Authentication (optional)

Verifying SSG Support for Subnet-Based Authentication

This optional task explains how to verify subnet-based authentication for SSG. The commands contained in the task steps can be used in any sequence and may need to be repeated.

SUMMARY STEPS

1. enable

2. show ssg connection {ip-address | network-id subnet-mask} service-name [interface]

3. show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]

DETAILED STEPS


Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable

Step 2 show ssg connection {ip-address | network-id subnet-mask} service-name [interface]

Displays the connections of a given SSG host and service name. To display the connections of the specified subnet-based subscribed host, enter the network ID and IP subnet mask.

Router# show ssg connection 10.0.1.1 255.255.255.0 passthru

------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1 (Mask : 255.255.255.0)
Associated Service: passthru1
Calling station id: 00d0.792f.8054
Connection State: 0 (UP)
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2004
User last activity at: *17:44:59.000 GMT Sun Jul 6 2004
Connection Traffic Statistics:
        Input Bytes = 0, Input packets = 0
        Output Bytes = 0, Output packets = 0

Step 3 show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]

Displays information about a subscriber and the subscriber's current connections. To display information about the specified subnet-based subscribed host, enter the IP subnet mask.

Router# show ssg host 10.0.0.0 255.255.255.0

------------------------ HostObject Content -----------------------
Activated: TRUE
Interface: 
User Name: user1
Host IP : 10.0.0.0
Mask : 255.255.255.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *05:59:46.000 UTC Fri May 3 2004
User last activity at: *05:59:52.000 UTC Fri May 3 2004
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: NONE
AutoService: NONE
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1

Subscribed Service Groups: NONE
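
To audit the output of Step 3, the following added example (not part of the Cisco guide) parses `show ssg host` text into host objects and reports which host object covers a given address. The sample is trimmed from the output above; treating a host object without a Mask line as a single address, and preferring the most specific match, are assumptions of this script rather than documented SSG behavior.

```python
import ipaddress
import re

# Trimmed from the page's `show ssg host 10.0.0.0 255.255.255.0` output.
SAMPLE = """\
------------------------ HostObject Content -----------------------
Activated: TRUE
User Name: user1
Host IP : 10.0.0.0
Mask : 255.255.255.0
User logged on since: *05:59:46.000 UTC Fri May 3 2004
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1
"""

BANNER = re.compile(r"^-+[ \t]*HostObject Content[ \t]*-+[ \t]*$", re.M)

def parse_host_objects(text: str) -> list:
    """Split the output on HostObject banners and read 'Key : value' lines."""
    hosts = []
    for chunk in BANNER.split(text)[1:]:
        fields = {}
        for line in chunk.splitlines():
            # Split on the first colon only: timestamp values contain more.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Host IP" not in fields:
            continue
        # Assumption: a host object with no Mask line is a single-address host.
        mask = fields.get("Mask", "255.255.255.255")
        fields["network"] = ipaddress.IPv4Network((fields["Host IP"], mask), strict=False)
        hosts.append(fields)
    return hosts

def owner_of(address: str, hosts: list):
    """Return the most specific host object covering the address, or None."""
    addr = ipaddress.IPv4Address(address)
    matches = [h for h in hosts if addr in h["network"]]
    return max(matches, key=lambda h: h["network"].prefixlen, default=None)

if __name__ == "__main__":
    hosts = parse_host_objects(SAMPLE)
    for probe in ("10.0.0.25", "10.0.1.25"):
        owner = owner_of(probe, hosts)
        print(probe, "->", owner["User Name"] if owner else "no host object")
```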


Additional References

The following sections provide references related to the SSG Support for Subnet-Based Authentication feature.

Related Documents

Related Topic                 Document Title
SSG commands                  Cisco IOS Service Selection Gateway Command Reference
SESM                          Cisco Subscriber Edge Services Manager documentation
RADIUS commands               Cisco IOS Security Command Reference
RADIUS configuration tasks    "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide


Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/techsupport


Feature Information for SSG Support for Subnet-Based Authentication

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.3(14)T or a later release appear in the table.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for SSG Support for Subnet-Based Authentication 

Feature Name: SSG Support for Subnet-Based Authentication

Releases: 12.3(14)T, 12.4, 15.0(1)M

Feature Configuration Information:

The SSG Support for Subnet-Based Authentication feature allows a service provider to identify subscribers to services by their subnet, rather than by a subscriber's IP address.

The following sections provide information about this feature:

Identifying Subnet-Based Subscribers

Benefits of SSG Support for Subnet-Based Authentication

Verifying SSG Support for Subnet-Based Authentication

The following commands were modified by this feature: show ssg connection, show ssg host.

This feature was removed in Cisco IOS Release 15.0(1)M.