Cisco CNS Subscriber Edge Services Manager Troubleshooting Guide, 3.1.9
Introduction to SESM Solutions
Downloads: This chapterpdf (PDF - 209.0 KB) | Feedback

Introduction to SESM Solutions

Table Of Contents

Introduction to SESM Solutions

SESM Packages

Subscriber and Service Profiles

SESM Reference Network Diagram

SESM Application Management

SESM Documentation Map

Introduction to SESM Solutions

This chapter provides introductory information about the Cisco Subscriber Edge Services Manager (SESM) solution. Topics are:

SESM Packages

Subscriber and Service Profiles

SESM Reference Network Diagram

SESM Application Management

SESM Documentation Map

SESM Packages

The SESM software is available in the following packages.

SESM-SPE—This package integrates the Cisco Subscriber Policy Engine (SPE) product with the SESM product. SPE provides access to an LDAP compliant directory or relational database management system (RDBMS) for maintaining subscriber and service information. In addition, the SPE role-based access control (RBAC) model facilitates bulk administration of large subscriber populations.

SPE also provides self-care functionality for SESM web applications, including:

Subscriber account registration

Subscriber account self-care

Subscriber sub-account management

Subscriber self-subscription to services

Various proxy options available with the SESM RADIUS Data Proxy (RDP) component permit the integration of existing RADIUS infrastructure. Domain-based proxying can proxy to multiple servers, based on the IP domain in subscriber and service names.

SESM-RADIUS—This package installs SESM to obtain subscriber and service information using the RADIUS protocol.

This package does not support the self-care features listed above and firewall provisioning. To combine those features with existing RADIUS infrastructure, use a SESM-SPE package with proxy options.

Each package is available in versions appropriate for the Sun Solaris, Linux, or Windows platforms.

Subscriber and Service Profiles

SESM solutions require detailed data about subscribers and the services they are authorized to use. We refer to this data as profiles:

Subscriber profiles—Define authentication information, subscribed services, and information about connection and service options and preferences for each subscriber.

Service profiles—Define Connection information for the services that subscribers can subscribe and connect to.

The SESM solution integrates with any one or a combination of the following options to obtain subscriber and service data:

An AAA database managed and accessed by a RADIUS server.

An SPE database (an LDAP directory or RDBMS) accessed through the Cisco SPE application programming interface (API). In SESM deployments, the Cisco Distributed Administration Tool (CDAT) manages the subscriber and service profiles in the database.

A flat file in Merit format, accessed by an appropriately configured RDP application or SESM portals running in Demo mode.

SESM Reference Network Diagram

The following figure shows SESM applications in a hypothetical deployment. Actual deployments might not use all of the components shown.

Figure 1-1 SESM Network Diagram


Subscriber access media—SESM applications and solutions are independent of the access media.


Service Selection Gateway (SSG)— Most SESM solutions work with and require a Cisco gateway such as the SSG. The SSG is a feature in the Cisco IOS software running on a Cisco device. The SSG provides authentication, service connection, connection management, and SESM session capabilities. The SESM portals provide the subscriber's interface to SSG for those services.

Content Services Gateway (CSG)—An optional gateway that provides content billing services to the SESM solution.


Open gardens—The open garden is an SSG feature that allows subscriber access to preconfigured networks without authentication. Packets destined for open garden networks are not accounted for nor subject to access control by the SSG.


Default Network—The SESM applications must run on systems on the SSG default network. The default network (and open gardens, if configured) are always accessible to subscribers.


SESM web portals—Subscribers access the SESM portal using a web browser. The portal provides the following features: subscriber interface to SSG; one-stop access to services; location-based branding; firewall provisioning; access to the Cisco Subscriber Policy Engine (SPE) self-care features such as registration, service subscription, account maintenance, and subaccount management. The access provider (the SESM deployer) presents these features on personalized browser pages shaped by dimensions such as access device, language preference, and location. The SESM packages include three sample web portal applications: New World Service Provider (NWSP), Wireless Access Protocol (WAP), and Personal Digital Assistant (PDA). The captive portal applications are also SESM web portals.


Captive portals—Captive portal applications are specialized SESM web portals that work with the SSG and other SESM web portals to capture, analyze, and redirect packets for various purposes, including messaging, advertising, or displaying logon pages in response to unauthenticated access attempts and unconnected service requests.


Profiles—SESM solutions are based on subscriber and service data stored in RADIUS or SPE databases.


SESM RADIUS Data Proxy (RDP)—The RDP application is a RADIUS server compliant with RFC 2865 and is the required RADIUS server for SESM SPE-mode deployments. RDP provides access to profiles on the SPE database. Deployers can configure RDP to proxy requests to other RADIUS servers or flat files. Domain-based proxying forwards requests to multiple RADIUS servers based on the IP domain in subscriber and service names.


Cisco Distributed Administration Tool (CDAT)—CDAT is a web-based GUI tool for managing the SPE extensions in an LDAP directory. CDAT provides the means for creating and maintaining user (subscriber) and service profiles, user groups, service groups, roles, and policy rules for the RBAC model.

Application Manager—The Application Manager is a web-based GUI for remotely managing SESM applications in a distributed deployment. The managed applications can be SESM web portals, captive portals, RDP, CDAT, WSG, and the Application Manager itself. Administrators use the Application Manager to access the configuration attributes in the Java Management Extensions (JMX) MBeans used by these SESM applications.


Web Services Gateway (WSG)—The SESM WSG application provides a Simple Objects Access Protocol (SOAP)-based interface enabling third-party web portals and subscriber management systems to integrate with the SESM and SSG solution. Any client application can interface with SSG through the WSG using SOAP over HTTP communication.


Billing Server—A third-party billing server is required if the SSG Pre-Paid feature is included in the solution.


Services—SESM applications work in conjunction with the Cisco gateway components to provide a one-stop interface for activating multiple services. SESM can provide the activation interface for any service type supported by the gateway component. Service information exists in the service profiles.

SESM Application Management

SESM uses the Java Management Extensions (JMX) specification and its related JMX MBean standards for application configuration. For descriptions of these standards, go to:

A brief introduction to JMX terminology and its relationship to SESM application management follows:

JMX manageable resources—Java objects instrumented to allow spontaneous management by any JMX compliant agent. Each SESM application contains JMX manageable resources.

JMX agent— A management entity implemented in accordance with the JMX Agent Specification. For SESM, the agent is the Cisco ConfigAgent.

Managed beans (MBeans)—Java objects that represent a JMX manageable resource. MBeans for each SESM application are specified in XML files installed in the application's config directory under the SESM installation directory.

JMX server ( also called the MBean server)—A registry for objects that are exposed to management operations by an agent. Any object that is registered with the JMX server becomes visible to the agent. In SESM applications, MBeans are registered by the ConfigAgent or by other MBeans.

Administrators can change SESM application configuration by changing the attribute values in MBeans. In SESM Release 3.1(9), use any of these ways to change MBean attribute values:

Use the Application Manager, a web-based GUI tool. This is the preferred way to manage running SESM applications. The tool includes:

Operational scenarios that present the most-used attributes for quick access and adjustments.

Advanced screens that present all attributes.

A bulk upload feature for importing large mappings of subscriber subnets to SSGs.

Manually edit the XML files associated with the application. XML files are located in the application's config directory (for example, nwsp/config/nwsp.xml). If you use this method, you must stop and restart the application before the changes take effect.

Use the SESM Agent View, a web-based view of managed resources and associated MBeans. The Agent View is an adaptation of the Management Console provided by the HTML adaptor server, which is included with the Sun example JMX server. The Cisco adaptations add persistence features to the server.

Note The Application Manager replaces the SESM Agent View. The Agent View is included in SESM Release 3.1(9) to provide convenience and continuity during migrations from previous releases.

SESM Documentation Map

Figure 1-2 can help you to locate information in the SESM documentation set. Go to the following URL to access the online version of the SESM documentation:

Figure 1-2 SESM Documentation Map