Node Route Processor—Service Selection Gateway Enhancements IV
This feature module describes further enhancements to the Node Route Processor—Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the enhancements, supported platforms, related documents, and configuration.
This document includes the following sections:
• Supported Standards, MIBs, and RFCs
• Configuring the Proxy RADIUS Enhancements
• Verifying the Proxy RADIUS Enhancements
Feature Overview
The enhancements described in this document are included in Cisco IOS Release 12.1(3) DC. The NRP-SSG feature was first released in Cisco IOS Release 12.0(3) DC, and enhancements were added in Cisco IOS Releases 12.0(5) DC, 12.0(7) DC, and 12.1(1) DC.
The NRP-SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers over high-speed access technologies such as asymmetric digital subscriber line (ADSL), allowing simultaneous access to multiple network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD), an open source web-based server application that allows users to select from multiple passthrough and proxy services through a standard web browser.
Benefits
NRP-SSG Single Host Logon
Prior to this release, PPP-based NRP-SSG subscribers had to perform three logon sessions to log on to a service through Cisco SSD:
• PPP session logon
• NRP-SSG host logon
• NRP-SSG service selection logon
Now subscribers perform only two logon sessions to log on to a service through Cisco SSD:
• PPP session logon
• NRP-SSG service selection logon
Proxy RADIUS Enhancements
Two new Service-Info vendor-specific attributes (VSAs) are available for proxy RADIUS service profiles:
• Service-Defined Cookie: a configurable VSA that allows user-defined information to be included in the RADIUS authentication and accounting requests.
• Full Username RADIUS Attribute: enables use of the full username (user@service) in the RADIUS authentication and accounting requests.
Restrictions
For the proxy RADIUS enhancements, the sizes of the user-defined string and of the full username are each limited to the smaller of the following values:
• 246 bytes (10 bytes less than the 256-byte standard RADIUS protocol limitation)
• Max - 10 bytes, where Max is the maximum size of the RADIUS attribute supported by your proxy RADIUS server
Related Documents
• Cisco 6400 Software Configuration Guide and Command Reference
• Node Route Processor—Service Selection Gateway feature module
• Node Route Processor—Service Selection Gateway Enhancements feature module
• Node Route Processor—Service Selection Gateway Enhancements II feature module
• Node Route Processor—Service Selection Gateway Enhancements III feature module
• Cisco Service Selection Dashboard documentation
Supported Platforms
Node Route Processor—Service Selection Gateway Enhancements IV are supported on the Cisco 6400 node route processor (NRP).
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
RFCs
No new or modified RFCs are supported by these feature enhancements.
Prerequisites
In order to use the Single Host Logon feature, you must install and configure Cisco SSD version 2.5 or higher.
Configuring the Proxy RADIUS Enhancements
To configure the proxy RADIUS enhancements, enter one or both of the Service-Info vendor-specific attributes (VSAs) defined in the "Service-Info Attributes" section below (the Service-Defined Cookie and the Full Username Attribute) in the proxy RADIUS service profile on your RADIUS server.
For general information on configuring RADIUS profiles for NRP-SSG, see the "Configuring RADIUS Profiles" section in the Node Route Processor—Service Selection Gateway feature module.
NRP-SSG Vendor-Specific Attributes
The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.
Table 1 lists the vendor-specific attribute used by the NRP-SSG to support the proxy RADIUS enhancements. The vendor ID for all of the Cisco-specific attributes is 9.
Table 1 VSAs Related to NRP-SSG Support of the Proxy RADIUS Server
AttrID   Vendor ID   SubAttrID   SubAttrName    SubAttrDataType
26       9           251         Service-Info   String
Service-Info Attributes
This section defines the Service-Defined Cookie and the Full Username Attribute, for use in the proxy RADIUS service profile.
Service-Defined Cookie
This attribute enables you to include user defined information in the RADIUS authentication and accounting requests.
Service-Info = "Vstring"
Syntax Description
string    Information of your choice that you wish to include in the RADIUS authentication and accounting requests.
Example (RADIUS Freeware Format)
Service-Info = "VserviceIDandAAA-ID"
Example (CiscoSecure ACS for UNIX)
9,251="VserviceIDandAAA-ID"
Note
NRP-SSG does not parse or interpret the value of the Service-Defined Cookie. You must configure the proxy RADIUS server to interpret this attribute.
Note
NRP-SSG supports only one Service-Defined Cookie per RADIUS service profile.
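The Service-Defined Cookie above and the Full Username Attribute defined in the next section are both carried as Service-Info values inside a RADIUS Vendor-Specific attribute (attribute 26, vendor ID 9, sub-attribute 251). The following Python script is an added example, not Cisco code and not part of this feature module: it packs and unpacks that attribute as it appears on the wire, applies the length rule from the Restrictions section, and shows what a proxy RADIUS server that has been configured to interpret the cookie would extract from a request. The helper names, the sample cookie string, and the use of 256 as the "standard RADIUS protocol limitation" figure are assumptions of the example.

```python
"""Added example (not Cisco's code): build, size-check and parse the NRP-SSG
Service-Info vendor-specific attribute (vendor ID 9, sub-attribute 251).
Wire layout follows the RFC 2865 Vendor-Specific attribute (type 26).
Helper names and sample values are assumptions of this example."""
import struct

VSA_TYPE = 26            # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9      # vendor ID for all Cisco-specific attributes
SERVICE_INFO = 251       # NRP-SSG Service-Info sub-attribute ID
STANDARD_LIMIT = 256     # "standard RADIUS protocol limitation" figure used on this page
NRP_HEADROOM = 10        # bytes the NRP-SSG keeps back from that limit
FULL_USERNAME = "X"      # Service-Info value that turns on user@service in requests


def max_service_info_len(server_max_attr=STANDARD_LIMIT):
    """Restrictions rule: the smaller of 246 bytes and (server maximum - 10)."""
    return min(STANDARD_LIMIT - NRP_HEADROOM, server_max_attr - NRP_HEADROOM)


def cookie_fits(cookie, server_max_attr=STANDARD_LIMIT):
    """True if the user-defined cookie string respects the length restriction."""
    return len(cookie.encode("ascii")) <= max_service_info_len(server_max_attr)


def service_defined_cookie(cookie, server_max_attr=STANDARD_LIMIT):
    """Service-Info value for a Service-Defined Cookie: 'V' followed by the string."""
    if not cookie_fits(cookie, server_max_attr):
        raise ValueError("cookie exceeds %d bytes" % max_service_info_len(server_max_attr))
    return "V" + cookie


def encode_service_info(value):
    """Wrap one Service-Info value in a Vendor-Specific attribute.

    Layout: type(1) len(1) vendor-id(4) sub-type(1) sub-len(1) value."""
    payload = value.encode("ascii")
    sub = struct.pack("!BB", SERVICE_INFO, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute length exceeds the one-byte RADIUS length field")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_service_info(attrs):
    """Walk a run of RADIUS attributes; return every Service-Info value found.

    Bad lengths are rejected rather than skipped, so a truncated or hostile
    attribute list cannot make the parser read past its buffer."""
    values = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        if atype == VSA_TYPE and alen >= 8:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub_type, sub_len = attrs[pos + 6], attrs[pos + 7]
            if (vendor == CISCO_VENDOR_ID and sub_type == SERVICE_INFO
                    and 2 <= sub_len <= alen - 6):
                values.append(attrs[pos + 8:pos + 6 + sub_len].decode("ascii"))
        pos += alen
    return values


def interpret_service_info(values):
    """Apply the two codes this page defines: 'V' = cookie, 'X' = full username.

    NRP-SSG itself does not parse the cookie; this is what the proxy RADIUS
    server must be configured to do. Other codes are left to the server."""
    cookie, full_username = None, False
    for value in values:
        if value.startswith("V"):
            cookie = value[1:]
        elif value == FULL_USERNAME:
            full_username = True
    return cookie, full_username


def split_full_username(user_name):
    """Split the user@service form used when the Full Username attribute is set."""
    user, sep, service = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, service


if __name__ == "__main__":
    # constructed sample: the cookie value from this section plus the 'X' flag
    attrs = (encode_service_info(service_defined_cookie("serviceIDandAAA-ID"))
             + encode_service_info(FULL_USERNAME))
    print(decode_service_info(attrs))
    print(interpret_service_info(decode_service_info(attrs)))
    print(split_full_username("alex@service1.com"))
```

One check worth keeping in mind: a 246-byte cookie string plus its one-byte "V" code plus the 8 bytes of attribute and sub-attribute headers comes to exactly 255 bytes, the largest value the one-byte RADIUS attribute length field can hold, so the 10-byte headroom in the Restrictions section is what keeps the encoded attribute legal.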
Full Username Attribute
This attribute indicates that the RADIUS authentication and accounting requests use the full username (user@service).
Service-Info = "X"
Example (RADIUS Freeware Format)
Service-Info = "X"
Example (CiscoSecure ACS for UNIX)
9,251="X"
Verifying the Proxy RADIUS Enhancements
Step 1
To verify that the new Service-Info attributes exist in the proxy RADIUS service profile, use the show ssg service service-name command and check for the "Full User Name Used" and "Service Defined Cookie exist" lines in the output. Note that the output also prints the RADIUS shared secret in cleartext (the secret= field of the Radius Server line), so treat captured output as sensitive.
Router# show ssg service serv1-proxy
------------------------ ServiceInfo Content -----------------------
Uplink IDB:
Name:serv1-proxy
Type:PROXY
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Reference Count:1
Next Hop Gateway Key:my-key
DNS Server(s):Primary:10.13.1.5
Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secret
Included Network Segments:10.13.0.0/255.255.0.0
Excluded Network Segments:
Full User Name Used
Service Defined Cookie exist
Domain List:service1.com;
Active Connections:1 :Virtual=255.255.255.255, Subscriber=10.20.10.2
------------------------ End of ServiceInfo Content ----------------
Step 2
To check the content of the RADIUS profiles, refer to the user documentation for your RADIUS server.
Troubleshooting Tips
To troubleshoot communication between the RADIUS server and the NRP, use the debug radius command.
Configuration Examples
The following proxy RADIUS service profile contains a Service-Defined Cookie and a Full Username Attribute:
user = serv1-proxy{
profile_id = 98
profile_cycle = 42
member = Single_Logon
radius=6510-SSG-v1.1a {
check_items= {
2=alex
}
reply_attributes= {
9,251="Oservice1.com"
9,251="R10.13.0.0;255.255.0.0"
9,251="TX"
9,251="D10.13.1.5"
9,251="S10.13.1.2;1645;1646;my-secret"
9,251="Gmy-key"
9,251="X"
9,251="Vproxy-service_at_X.X.X.X"
}
}
}
Command Reference
This section documents one modified command. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications and Cisco 6400 feature modules.
show ssg service
To display the information for a service, use the show ssg service privileged EXEC command.
show ssg service [service-name [{begin expression | exclude expression | include expression}]]
Syntax Description
service-name    (Optional) Name of the service to display.
begin expression    (Optional) Begins the output with the first line that matches expression.
exclude expression    (Optional) Displays only the output lines that do not match expression.
include expression    (Optional) Displays only the output lines that match expression.
Defaults
If no service name is provided, the command displays information for all services.
Command Modes
Privileged EXEC
Command History
12.1(3) DC    This command was modified to display the "Full User Name Used" and "Service Defined Cookie exist" lines for proxy services.
Usage Guidelines
Use this command to display connection information for a service.
Examples
The following example displays the information for the service called serv1-proxy:
Router# show ssg service serv1-proxy
------------------------ ServiceInfo Content -----------------------
Uplink IDB:
Name:serv1-proxy
Type:PROXY
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Reference Count:1
Next Hop Gateway Key:my-key
DNS Server(s):Primary:10.13.1.5
Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secret
Included Network Segments:10.13.0.0/255.255.0.0
Excluded Network Segments:
Full User Name Used
Service Defined Cookie exist
Domain List:service1.com;
Active Connections:1 :Virtual=255.255.255.255, Subscriber=10.20.10.2
------------------------ End of ServiceInfo Content ----------------
Related Commands
Glossary
AAA—Authentication, authorization, and accounting (pronounced "triple a").
RADIUS—Remote Authentication Dial-In User Service. Client/server protocol and server used to authenticate remote-access connections (such as modem and ISDN dial-in) and to track connection time for accounting.