Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Walk-By User Support for PWLANs in ISG
Last Updated: October 8, 2012
The Walk-By User Support for PWLANs in ISG feature enables the Intelligent Services Gateway (ISG) that is configured as a RADIUS proxy to handle unauthenticated sessions from wireless devices that do not use the public wireless LAN (PWLAN) service. These sessions are called walk-by sessions or lite sessions, and users that use these sessions are called walk-by users. With the implementation of this feature, unauthenticated users are assigned lite sessions based on the default session. These lite sessions optimize resource usage because they enable the walk-by user to use only session start services mentioned in the default policy configured for the default session. This module describes how to create and apply a default policy for default sessions to enable the Walk-By User Support for PWLANs in ISG feature.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Walk-By User Support for PWLANs in ISG
Information About Walk-By User Support for PWLANs in ISG
Default Sessions
A default session is a template session that is used as a reference by lite sessions created for walk-by subscribers on a given interface. When an edge device connects to an open service set ID (SSID) in a public wireless LAN (PWLAN) environment, a lite session is created on the Intelligent Services Gateway (ISG). Each lite session applies the session start services defined in the default policy configured for the default session. Only one default session can be configured on each device interface. The default policy defines the default session start services and features to be used as a template for the lite session.
Lite Sessions or Walk-By Sessions
In most public wireless LAN (PWLAN) setups, a high percentage of Intelligent Services Gateway (ISG) sessions are unauthenticated sessions from wireless devices that do not use the PWLAN service. These sessions are called walk-by sessions or lite sessions, and users that use these sessions are called walk-by users. Walk-by sessions consume a significant amount of CPU, memory and other physical resources of the ISG router. This resource utilization may lead to an increase in the number of ISG devices that are required for a given PWLAN deployment. A lite session inherits the session start services applied for the default session. Lite sessions are created on ISG to support walk-by users and optimize resource usage. Each lite session is associated with an individual timer that specifies the duration for which the session can utilize PWLAN services while remaining unauthenticated. If these lite sessions remain unauthenticated even after the timer expires, these sessions are deleted from ISG. Lite sessions are also created when dedicated sessions fail authentication.
Dedicated Sessions
A dedicated or regular session is a full-fledged Intelligent Services Gateway (ISG) subscriber session.
All subscriber sessions that are authenticated cause the creation of dedicated sessions on ISG. The policy manager of ISG decides whether to create a complete session context (a dedicated session) or a minimal session context (a lite session). All ISG sessions that are not lite sessions are dedicated sessions. However, on authorization failure, a dedicated session is converted to a lite session. Sometimes, ISG can neither convert lite sessions to dedicated sessions nor create dedicated sessions immediately on the First Sign of Life (FSoL). In this case, an authentication, authorization, and accounting (AAA) interaction is required based on which ISG decides whether to create a lite session or a dedicated session. ISG first creates a dedicated session for the subscriber, and then based on the AAA interaction, the subscriber continues with the dedicated ISG session or is moved to a lite session.
How to Configure Walk-By User Support for PWLANs in ISG
Creating and Enabling a Default Policy for a Default Session
Perform this task to create and enable a default policy for a default session on an interface. Each interface can have only one default policy. A default session is set up to optimize the creation of Intelligent Services Gateway (ISG) sessions for walk-by users. The default session serves as a template that is used by lite sessions for walk-by users. The default policy contains only session start services, to which all lite sessions refer.
A default policy has the following two functions:
DETAILED STEPS
Configuration Examples for Walk-By User Support for PWLANs in ISG
Example: Creating and Enabling a Default Policy for a Default Session
The following example shows how to create and enable a default policy named DefRULE on the Gigabit Ethernet interface:
Device> enable
Device# configure terminal
Device(config)# policy-map type service PBHK
Device(config-service-policymap)# service local
Device(config-service-policymap)# ip portbundle
Device(config-service-policymap)# exit
Device(config)# class-map type traffic match-any ALLTRAFFIC
Device(config-traffic-classmap)# match access-group input 100
Device(config-traffic-classmap)# exit
Device(config)# policy-map type service L4R
Device(config-service-policymap)# class type traffic ALLTRAFFIC
Device(config-service-policymap-class-traffic)# redirect to group PORTAL
Device(config-service-policymap-class-traffic)# exit
Device(config-service-policymap)# exit
Device(config)# policy-map type control DefRULE
Device(config-control-policymap)# class type control always event session-start
Device(config-control-policymap-class-control)# 10 service-policy type service name PBHK
Device(config-control-policymap-class-control)# 20 service-policy type service name L4R
Device(config-control-policymap-class-control)# 30 set-timer UNAUTH 1
Device(config-control-policymap-class-control)# exit
Device(config-control-policymap)# exit
Device(config)# interface GigabitEthernet 0/0/4
Device(config-if)# service-policy type control default DefRULE
Device(config-if)# service-policy type control RegRULE
Device(config-if)# end
The following sample output from the show running-config interface command displays the policies configured on the Gigabit Ethernet interface. The default policy configured for default sessions on the Gigabit Ethernet interface is DefRULE, and the regular policy configured for dedicated sessions on the Gigabit Ethernet interface is RegRULE.
Device# show running-config interface GigabitEthernet 0/0/4
Building configuration...
Current configuration : 318 bytes
!
interface GigabitEthernet0/0/4
ip address 192.0.2.1 255.255.255.0
negotiation auto
service-policy type control default DefRULE
service-policy type control RegRULE
ip subscriber routed
initiator unclassified ip-address
end
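An offline check of saved configuration text against the constraints this module states (one default policy per interface, session-start services only), added here as an example and not taken from Cisco's documentation. It assumes running-config text with the usual IOS indentation; the function names parse and audit, the policy names NoTimer and Missing, and the rule that a default policy should carry a set-timer action (as DefRULE does in the example) are assumptions of this sketch.

```python
import re

SAMPLE = """\
policy-map type control DefRULE
 class type control always event session-start
  30 set-timer UNAUTH 1
policy-map type control NoTimer
 class type control always event session-start
  10 service-policy type service name L4R
interface GigabitEthernet0/0/4
 service-policy type control default DefRULE
 service-policy type control RegRULE
interface GigabitEthernet0/0/5
 service-policy type control default NoTimer
 service-policy type control default Missing
"""  # constructed excerpt; NoTimer and Missing are hypothetical names

def parse(config):
    """Return ({policy: [(event, [actions])]}, {interface: [default policies]})."""
    policies, defaults, pm, ifc = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):  # top-level line opens a new block
            m = re.match(r"(policy-map type control|interface)\s+(\S+)", line)
            pm = policies.setdefault(m[2], []) if m and m[1] != "interface" else None
            ifc = defaults.setdefault(m[2], []) if m and m[1] == "interface" else None
        elif pm is not None and (m := re.match(r"class type control \S+(?: event (\S+))?", line)):
            pm.append((m[1], []))
        elif pm and re.match(r"\d+ ", line):  # numbered action under a class
            pm[-1][1].append(line.split(None, 1)[1])
        elif ifc is not None and (m := re.match(r"service-policy type control default (\S+)", line)):
            ifc.append(m[1])
    return policies, defaults

def audit(config):  # flag default policies that break the rules stated above
    policies, defaults = parse(config)
    findings = []
    for ifname, names in defaults.items():
        if len(names) > 1:  # only one default policy per interface
            findings.append((ifname, "more than one default policy"))
        for pol in names:
            classes = policies.get(pol)
            if classes is None:
                findings.append((ifname, f"{pol}: not defined"))
            elif any(ev != "session-start" for ev, _ in classes):
                findings.append((ifname, f"{pol}: class is not session-start"))
            elif not any(a.startswith("set-timer ") for _, acts in classes for a in acts):
                findings.append((ifname, f"{pol}: no set-timer action"))  # assumed rule
    return findings
```

Calling audit(SAMPLE) returns a list of (interface, finding) pairs; GigabitEthernet0/0/4 passes, and all findings are on GigabitEthernet0/0/5.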
Feature Information for Walk-By User Support for PWLANs in ISG
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012-2013 Cisco Systems, Inc. All rights reserved.