-
Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB
-
ISG Features Roadmap
-
Configuring ISG Control Policies
-
Configuring ISG Access for PPP Sessions
-
Configuring ISG Access for IP Subscriber Sessions
-
Configuring ISG Port-Bundle Host Key
-
Configuring ISG as a RADIUS Proxy
-
Configuring ISG Policies for Automatic Subscriber Logon
-
Enabling ISG to Interact with External Policy Servers
-
Configuring ISG Subscriber Services
-
Configuring ISG Network Forwarding Policies
-
Configuring ISG Accounting
-
Configuring ISG Support for Prepaid Billing
-
Configuring ISG Policies for Session Maintenance
-
Redirecting Subscriber Traffic with ISG Layer 4 Redirect
-
Configuring ISG Policies for Regulating Network Access
-
Troubleshooting ISG with Session Monitoring and Distributed Conditional Debugging
-
Configuring ISG Layer 3 Access (Cisco IOS Release 12.2(28)SB)
-
Managing ISG Subscriber IP Addresses (Cisco IOS Release 12.2(28)SB)
-
Configuring ISG VRF Transfer (Cisco IOS Release 12.2(28)SB)
-
Table Of Contents
Configuring ISG Policies for Automatic Subscriber Logon
Prerequisites for ISA Automatic Subscriber Logon
Restrictions for ISA Automatic Subscriber Logon
Information About ISA Automatic Subscriber Logon
Overview of ISA Automatic Subscriber Logon
Supported Identifiers for ISA Automatic Subscriber Logon
Authorization Based on Circuit ID and Remote ID
Accounting Behavior When ISA Automatic Subscriber Logon Is Configured
How to Configure ISA Policies for Automatic Subscriber Logon
Identifying Traffic for Automatic Logon in a Control Policy Class Map
Configuring an ISA Control Policy for Automatic Subscriber Logon
Enabling the Remote-ID to Be Sent as the Calling-Station-ID
Verifying ISA Automatic Subscriber Logon
Configuration Examples for ISA Automatic Subscriber Logon
Automatic Subscriber Logon Based on IP Address: Example
Feature Information for ISA Automatic Subscriber Logon
Configuring ISG Policies for Automatic Subscriber Logon
First Published: March 20, 2006Last Updated: March 20, 2006Intelligent Service Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module contains information on how to configure ISA to use specified identifiers in place of the username in authorization requests, enabling a user profile to be downloaded from a AAA server as soon as packets are received from a subscriber.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all features. To find information about feature support and configuration and platform requirements, use the "Feature Information for ISA Automatic Subscriber Logon" section.
Contents
•
Prerequisites for ISA Automatic Subscriber Logon
•
•
•
•
•
Prerequisites for ISA Automatic Subscriber Logon
For information about release and platform support, see the "Feature Information for ISA Automatic Subscriber Logon" section.
Depending on your AAA implementation, you may need to configure one of the following identifiers in the password field of the user profile: source IP address, MAC address, remote ID, circuit ID. You may also need to configure a global address in the password field.
To use circuit ID and remote ID for authorization for IP sessions, the DSLAM must insert the circuit ID and remote ID in the DHCP Option 82 information.
To use remote ID for authorization of PPPoE sessions, the PPPoE client must provide the remote ID information in the PPPoE Tag ID or line ID.
Restrictions for ISA Automatic Subscriber Logon
The username field in an authorization request has a limit of 253 characters.
Information About ISA Automatic Subscriber Logon
Before you configure ISA automatic subscriber logon, you should understand the following concepts:
•
•
•
•
Overview of ISA Automatic Subscriber Logon
Service providers commonly implement a policy at the start of IP sessions that redirects all subscriber packets to a logon portal for authentication. Following successful authentication, per-subscriber authorization data is typically returned from a AAA server. For some deployments, usually in subscriber networks that are well protected against spoofing and denial-of-service (DoS) attacks, service providers are willing to forgo authentication and trust subscriber identity. ISA automatic subscriber logon allows service providers to grant certain subscribers access to services without requiring the subscribers to log on.
ISA automatic subcriber logon enables a specified identifier to be used in place of the username in authorization requests. Enabling the AAA server to authorize subscribers on the basis of a specified identifier allows subscriber profiles to be downloaded from the AAA server as soon as packets are received from subscribers.
The event that triggers automatic subscriber logon is session-start. For IP sessions, session-start occurs when a DHCP DISCOVER request is received or when an unrecognized source IP address is detected. For PPPoE sessions, session-start occurs when a client attempts to initiate a session by sending a PPPoE Active Discovery Initiation (PADI) packet.
Supported Identifiers for ISA Automatic Subscriber Logon
For IP sessions, an ISG can be configured to use the following identifiers in place of the username in authorization requests: IP address, MAC address, circuit ID, remote ID, or a combination of the circuit ID and remote ID.
For PPPoE sessions, an ISG can be configured to use the remote ID in place of the username in authorization requests.
Authorization Based on Circuit ID and Remote ID
The circuit ID and remote ID fields are part of the DHCP relay agent information option (also referred to as Option 82) and the PPPoE Tag VSA. These fields are inserted into DHCP and PPPoE messages by a DSLAM. An ISG can be configured to use the circuit ID, remote ID, or a combination of circuit ID:remote ID as the username in authorization requests.
By default, the ISG will use the circuit ID and remote ID that are provided by the Layer 2 edge access device for authorization. If the ip dhcp relay information option command is configured, the ISG will use the circuit ID and remote ID that are received in a DHCP message.
Accounting Behavior When ISA Automatic Subscriber Logon Is Configured
Accounting Behavior for MAC-Address-Based Authorization
If the MAC address is sent as the username in authorization requests, the MAC address will also be sent as the Calling Station ID in accounting records.
Accounting Behavior for Remote-ID- and Circuit-ID-Based Authorization
For IP sessions that use DHCP Option 82 authorization, accounting messages are sent to the AAA server with the Circuit ID and Remote ID Cisco VSAs. Although you can configure a combination of circuit ID and remote ID as the username for authorization, the attributes are sent individually in accounting records. You can also configure the circuit ID and remote ID to be sent together in accounting records as the NAS Port ID.
For PPPoE sessions, the Remote ID VSA is sent in accounting records, and the remote ID is also sent as the NAS Port ID.
If the radius-server attribute 31 remote-id command is configured, the remote ID is sent in accounting records as the Calling Station ID.
How to Configure ISA Policies for Automatic Subscriber Logon
To configure ISA policies to automatically log on subscribers, perform the following tasks:
•
•
•
•
Identifying Traffic for Automatic Logon in a Control Policy Class Map
Perform this task to configure a control policy class map that specifies the traffic to which ISA automatic subscriber logon will apply.
SUMMARY STEPS
1.
2.
3.
4.
or
match nas-port circuit-id name
or
match nas-port remote-id name
5.
DETAILED STEPS
Configuring an ISA Control Policy for Automatic Subscriber Logon
Perform this task to configure an ISA control policy that initiates subscriber authorization and inserts a specified identifier into the username field of the authorization request.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
policy-map type control policy-map-name
Example:Router(config)# policy-map type control TAL
Creates or modifies a control policy map, which is used to define a control policy.
Step 4
class type control {class-map-name | always} event session-start
Example:Router(config-control-policymap)# class type control TAL-subscribers event session-start
Specifies a control class, which defines the conditions that must be met in order for an associated set of actions to be executed.
•
Step 5
action-number authorize [aaa list {list-name | default}] [password password] identifier {auto-detect | circuit-id [plus remote-id]| mac-address | source-ip-address | remote-id [plus circuit-id]}
Example:Router(config-control-policymap-class-control)# 1 authorize aaa list TAL_LIST password cisco identifier source-ip-address
Inserts the specified identifier into the username field of authorization requests.
•
•
What to Do Next
You must apply the control policy to a context by using the service-policy type control command. For information about applying control policies, see the module "Configuring ISG Control Policies."
You may want to configure policies to determine what should happen for autologon subscribers whose IP address or MAC address authorization fails; for example, you may want to redirect the subscriber to the policy server for authentication.
Enabling the Remote-ID to Be Sent as the Calling-Station-ID
Perform this task to enable the ISG to send the remote ID in the Calling-Station-ID (attribute 31) field of accounting records and access requests.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying ISA Automatic Subscriber Logon
Perform this task to determine whether or not automatic subscriber logon was successful.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Step 1
Enables privileged EXEC mode.
Step 2
Use the show subscriber session command to display information about ISA subscriber sessions. If the output shows that a session was brought up in the state "authen", automatic subscriber authorization was successful. If automatic subscriber authorization was not successful, the session will still be brought up, but in the state "unauthen".
The following sample output shows information for a session for which automatic subscriber authorization was successful:
Router# show subscriber session allCurrent Subscriber Information: Total sessions 1--------------------------------------------------Unique Session ID: 3Identifier: aabb.cc01.3000SIP subscriber access type(s): IPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:00:24, Last Changed: 00:00:21Policy information:Authentication status: authenRules, actions and conditions executed:subscriber rule-map DEFAULTcondition always event session-start1 authorize identifier mac-addressSession inbound features:Feature: IP Idle TimeoutTimeout value is 600Idle time is 00:00:21Configuration sources associated with this session:Interface: Ethernet0/0, Active Time = 00:00:24Configuration Examples for ISA Automatic Subscriber Logon
This section contains the following example:
•
Automatic Subscriber Logon Based on IP Address: Example
In the following example, if the client is from the 1.1.1.0 subnet, the ISG sends an authorization request to the list "TAL_LIST" with the subscriber's source IP address as the username. If the authorization request is successful, any automatic-activation services specified in the returned user profile are activated for the session, and the execution of rules within the control policy stops. If the authorization is not successful, the rule execution proceeds, and the subscriber is redirected to the policy server to log in. If the subscriber does not log in within five minutes, the session is disconnected.
ISA Configuration
interface Ethernet0/0service-policy type control RULEAaaa authentication login TAL_LIST group radiusaaa authentication login LOCAL localaccess-list 100 permit ip any anyclass-map type traffic match-any all-trafficmatch access-group input 100match access-group output 100policy-map type service redirectprofileclass type traffic all-trafficredirect to ip 10.0.0.148 port 8080class-map type control match-all CONDAmatch source-ip-address 10.1.1.0 255.255.255.0!class-map type control match-all CONDFmatch timer TIMERBmatch authen-status unauthenticatedpolicy-map type control RULEAclass type control CONDA event session-start1 authorize aaa list TAL_LIST password cisco identifier source-ip-address2 apply aaa list LOCAL service redirectprofile3 set-timer TIMERB 5 minutes!class type control CONDF event timed-policy-expiry1 service disconnectUser Profile Configuration
1.1.1.1 Password = "cisco"Service-Type = Outbound,Cisco:Account-Info = "AAuto-Internet;proxy-user;cisco"Service Profile Configuration
Auto-Internet Password = "cisco"Cisco:Service-Info = "IAuto-Internet",Cisco-Avpair = "traffic-class=input access-group 100"proxy-user Password = "cisco"Idle-Timeout = 5Additional References
The following sections provide references related to ISA automatic subscriber logon.
Related Documents
ISA commands
Cisco IOS Intelligent Service Architecture Command Reference
Technical Assistance
Feature Information for ISA Automatic Subscriber Logon
Table 11 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(28)SB or later appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.
If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Gateway Features Roadmap."
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 11 Feature Information for ISA Automatic Subscriber Logon
ISA: Session: Authentication (MAC, IP)
12.2(28)SB
ISA automatic subscriber logon enables an IP address or MAC address to be used in place of the username in authorization requests. This functionality allows subscriber profiles to be downloaded from the AAA server as soon as packets are received from subscribers.
This module provides information about this feature.
ISA: Authentication: DHCP Option 82 Line ID - AAA Authorization Support
12.2(28)SB
This feature enhances ISA automatic subscriber logon by providing support for authorization on the basis of the circuit-id and remote-id.
The following sections provide information about this feature:
•
•
•
•
Copyright © 2006 Cisco Systems, Inc. All rights reserved.
