Subscriber Profile Support

The Subscriber Service Switch architecture in Cisco IOS Release 12.3(4)T offers a significant improvement in scalability by providing the ability to bypass PPP when forwarding a call. Instead, call service selection is decided entirely by a Subscriber Service Switch Manager. Client call processes that terminate subscriber lines or receive subscriber calls send their requests for service direction to the Subscriber Service Switch Manager, which determines service based on service keys collected by the Subscriber Service Switch client and a preestablished call service policy. Examples of service keys are a NAS Port ID (network access server port identifier) and an unauthenticated PPP name. Refer to the Subscriber Service Switch feature module for more information about service keys.

The Subscriber Profile Support feature introduces the subscriber profile command and its service subcommands, which support the Subscriber Service Switch policy for searching a subscriber profile database for authorization data and determining the services that will be granted to the requesting customer.

1.    enable

2.    configure terminal

3.    subscriber profile profile-name

4.    service vpdn group vpdn-group-name

5.    exit

• What to Do Next

1.    enable

2.    configure terminal

3.    subscriber profile profile-name

4.    service local

5.    exit

• What to Do Next

1.    enable

2.    configure terminal

3.    subscriber profile profile-name

4.    service deny

5.    exit

• What to Do Next

The Cisco AV pairs have been extended to include Subscriber Service Switch service configuration. Subscriber Service Switch values are prefixed with "sss:", as follows:

cisco-avpair = "sss:sss-service=vpdn" cisco-avpair = "sss:sss-service=local" cisco-avpair = "sss:sss-service=deny"

The following example provides VPDN service to users in the domain cisco.com, and uses VPDN group 1 to obtain VPDN configuration information:

!
subscriber profile cisco.com
 service vpdn group 1

The following example provides VPDN service to DNIS 1234567, and uses VPDN group 1 to obtain VPDN configuration information:

!
subscriber profile dnis:1234567
 service vpdn group 1

The following example provides VPDN service using a remote tunnel (used on the multihop node), and uses VPDN group 1 to obtain VPDN configuration information:

!
subscriber profile host:lac
 service vpdn group 1

The following example provides local termination service to users in the domain cisco.com:

!
subscriber profile cisco.com
 service local

The following example denies service to users in the domain cisco.com:

!
subscriber profile cisco.com
 service deny

The following examples show typical RADIUS AV pair scripts to enable VPDN service and to define the service keys that are collected:

# 
# Domain "cisco.com" users get VPDN service with the enclosed configuration.
# 
cisco.com Password = "cisco"
User-Service-Type = Outbound-User,
cisco-avpair = "sss:sss-service=vpdn",
cisco-avpair = "vpdn:tunnel-id=nas-provider",
cisco-avpair = "vpdn:ip-addresses=10.0.3.96",
cisco-avpair = "vpdn:nas-password=secret1",
cisco-avpair = "vpdn:gw-password=secret2"
#
# Users with DNIS 1234567 get VPDN service with the enclosed configuration.
#
dnis:1234567 Password = "cisco"
User-Service-Type = Outbound-User,
cisco-avpair = "sss:sss-service=vpdn",
cisco-avpair = "vpdn:tunnel-id=nas-provider",
cisco-avpair = "vpdn:ip-addresses=10.0.3.96",
cisco-avpair = "vpdn:nas-password=secret1",
cisco-avpair = "vpdn:gw-password=secret2"
#
# Users on the remote tunnel (LAC) get VPDN service with the enclosed configuration.
#
host:lac Password = "cisco"
User-Service-Type = Outbound-User,
cisco-avpair = "sss:sss-service=vpdn",
cisco-avpair = "vpdn:tunnel-id=nas-provider",
cisco-avpair = "vpdn:ip-addresses=10.0.3.96",
cisco-avpair = "vpdn:nas-password=secret1",
cisco-avpair = "vpdn:gw-password=secret2"