PWLAN Access Routers
Cisco IOS release 12.3(7)T adds support for the combined Access Zone Router (AZR) and Service Selection Gateway (SSG) features, providing both centralized and distributed public wireless LAN (PWLAN) solutions.
Feature History for PWLAN Access Router Features
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Information About PWLAN Access Router Features
This section provides an overview of the PWLAN features.
Definition of Terms
The following are terms related to PWLAN features.
• AZR—A standard Cisco router with PWLAN enhancements. An AZR router performs functions such as edge routing and WAN connectivity, 802.1q VLAN support for traffic segmentation, and Dynamic Host Configuration Protocol (DHCP) services. PWLAN-specific functions include Address Resolution Protocol (ARP), secure ARP (rogue IP spoofing protection), and client session accounting.
• SSG—The SSG is the central component in a PWLAN, providing services related to access and service selection. The SSG maintains the state of all users in the hotspot, providing access to open garden services and controlling access to walled garden services. In order to maintain the necessary information, the SSG provides a RADIUS proxy function for access points (APs) and AZRs in the hotspots. Other PWLAN functions (such as Domain Name System (DNS) redirections and permanent TCP reduction) are used to support statically configured clients.
• Integrated AZR and SSG router—A single router providing simultaneous support for AZR and SSG.
• Centralized PWLAN deployment—A network where an AZR is deployed at the hotspot site with the APs, and the SSG is deployed at a central point of presence. Centralized PWLAN architectures are usually deployed with a dedicated connection (such as T1/E1) between the AZR and the SSG routers.
• Distributed PWLAN deployment—A network where an integrated AZR and SSG router is deployed at the hotspot site. Also called a local SSG, decentralized SSG, or distributed SSG, this architecture is typically used at hotspot sites served by multiple service providers (such as an airport), or for sites that are directly connected to the Internet (using DSL, cable, or satellite service) instead of the service provider's point of presence.
AZR Features
PWLAN access routers support AZR features in a range of Cisco routers and offer flexible solutions for the PWLAN.
Secure ARP
Secure Address Resolution Protocol (ARP), or IP spoofing prevention, synchronizes the database of the Dynamic Host Configuration Protocol (DHCP) server with the ARP table to avoid address hijacking. When an address is allocated, Secure ARP adds an entry for the client to the ARP table; that entry can be deleted only by the Cisco IOS DHCP server, when the binding expires.
For more information on this feature, go to one of the following locations:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftdsiaa.htm
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801543c8.html
DHCP Session Accounting
DHCP session accounting, or session termination, indicates whether a user should be deleted (logged off) or maintained in an environment such as a PWLAN, where a user may not explicitly log off. When the DHCP lease expires, the DHCP server sends a message to the SSG. On receipt of this message, the SSG resets the host object or host state.
For more information on this feature, go to one of the following locations:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftdhcpac.htm
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801543c7.html
Authorized ARP
When a router is used in a secured environment, it is sometimes desirable to allow only specific components to install ARP entries for certain network interfaces. Authorized ARP learning addresses this requirement. When authorized ARP learning is configured on an interface, dynamic ARP learning is automatically disabled on that interface. The IP/MAC mapping for that interface can be installed only by an authorized component such as DHCPD.
For more information on this feature, go to one of the following locations:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtautarp.htm
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d2df4.html
Location Identification (DHCP Option 82)
In some instances of DHCP address allocation, the DHCP server cannot differentiate between two IP address ranges. To solve this problem, a relay agent residing at the switch inserts relay agent information that identifies the port on which the request was received.
For more information on this feature, go to one of the following locations:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftrbeo82.htm
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ad8.html
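The relay agent information that DHCP option 82 carries is a code/length/value list inside the DHCP option area (RFC 3046). The parser below is an added example, not Cisco's code; the sample option bytes are constructed here, and the VLAN/module/port layout decoded by cisco_port() is the default Catalyst Circuit ID encoding, which this example assumes. It also applies the RFC 3046 rule that option 82 is only meaningful when giaddr shows a relay forwarded the packet.

```python
"""Parse the DHCP Relay Agent Information option (option 82, RFC 3046)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

OPTION_RELAY_AGENT = 82
OPTION_PAD, OPTION_END = 0, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


@dataclass(frozen=True)
class RelayAgentInfo:
    circuit_id: bytes
    remote_id: bytes

    def cisco_port(self) -> Optional[tuple]:
        """Decode the Catalyst default Circuit ID (type 0, length 4: VLAN, module, port).
        This layout is an assumption of the example; other relays use free-form IDs."""
        if len(self.circuit_id) != 6 or self.circuit_id[:2] != b"\x00\x04":
            return None
        vlan, module, port = struct.unpack("!HBB", self.circuit_id[2:])
        return vlan, module, port


def parse_tlv(data: bytes, top_level: bool) -> Dict[int, bytes]:
    """Walk a code/length/value list. Top-level DHCP options honour PAD and END;
    option 82 sub-options do not (codes 0 and 255 are reserved there)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPTION_PAD:
            i += 1
            continue
        if top_level and code == OPTION_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of buffer")
        if code in out:
            raise ValueError(f"duplicate option {code}")
        out[code] = value
        i += 2 + length
    return out


def parse_relay_agent_info(options: bytes) -> Optional[RelayAgentInfo]:
    """Return the relay agent info from a DHCP option area, or None if absent."""
    raw = parse_tlv(options, top_level=True).get(OPTION_RELAY_AGENT)
    if raw is None:
        return None
    sub = parse_tlv(raw, top_level=False)
    if SUBOPT_CIRCUIT_ID not in sub:
        raise ValueError("option 82 without Agent Circuit ID")
    return RelayAgentInfo(sub[SUBOPT_CIRCUIT_ID], sub.get(SUBOPT_REMOTE_ID, b""))


def option82_is_trustworthy(giaddr: str, options: bytes) -> bool:
    """Option 82 is only meaningful when a relay forwarded the packet (giaddr set).
    Option 82 with giaddr 0.0.0.0 came straight from a client and must not be
    used to choose the address pool."""
    info = parse_relay_agent_info(options)
    return info is None or giaddr != "0.0.0.0"


# Constructed sample option area: DHCP message type (DHCPDISCOVER), then option 82
# with a Catalyst-style Circuit ID (VLAN 20, module 1, port 7) and a MAC-based
# Remote ID, then END.
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([82, 18,
             1, 6, 0x00, 0x04, 0x00, 0x14, 0x01, 0x07,
             2, 8, 0x00, 0x06, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
    + bytes([255])
)
```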
Static IP
Static IP allows hosts with static IP addresses to interact with the PWLAN provider.
Note
Static IP is not supported in an integrated AZR and SSG router (distributed PWLAN architecture).
SSG Features
The SSG feature is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as xDSL, cable modems, or wireless to allow simultaneous access to network services. For links to additional SSG feature documentation indexes, refer to the "Additional References" section.
Accounting Update Interval per Service
The SSG Accounting Update Interval per Service feature enhances SSG accounting by allowing users to configure an interim accounting interval for a particular service. Without the SSG Accounting Update Interval per Service feature, all accounting information is sent simultaneously, and accounting information for a particular SSG service cannot be sent at a separate, independent interval.
SSG accounting sends information such as billing, auditing, and reporting. The SSG Accounting Update Interval Per Service feature allows for more granular interim accounting interval options for all these functions.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftaccu.htm
AutoDomain
When you configure the SSG AutoDomain feature, users can automatically connect to a service based on either Access Point Name (APN) or the domain part of the structured username specified in an access request. When SSG AutoDomain is configured, user authentication is not performed at the network access server (NAS), but instead at the service (for example, at an authentication, authorization, and accounting (AAA) server within a corporate network).
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftauto.htm
Autologoff
When SSG automatic logoff (autologoff) is configured, the SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftssgalt.htm
Autologon Using Proxy RADIUS
The SSG AutoLogon Using Proxy RADIUS feature enables SSG to act as a Remote Authentication Dial-In User Service (RADIUS) proxy for clients other than signed service description (SSD) clients whose access requests do not contain vendor-specific attributes (VSAs). Non-SSD access requests must originate from configured, trusted, downstream network access server (NAS) IP addresses that share a RADIUS secret key with the SSG. This shared secret key is different from the one shared between SSG and the SSD. You must configure the IP addresses for each router for which SSG is acting as a RADIUS proxy. Packets received from unrecognized sources are discarded.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftprxy.htm
Hierarchical Policing
Traffic policing is the concept of limiting the transmission rate of traffic entering or leaving a node. In SSG, traffic policing can be used to allocate bandwidth between subscribers (per-user policing) and between the services of a particular subscriber (per-service policing), to ensure that all types of services are allocated a proper amount of bandwidth. Because these policing techniques are hierarchical in nature (bandwidth can be first policed between users and then policed again between services to a particular user), this complete feature is called SSG Hierarchical Policing.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/fthier.htm
MAC Address in Accounting Records
This feature adds the MAC address of the host to accounting records, so that it can be determined when multiple users authenticate with the same username and password.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#233799
Open Garden
An open garden is a collection of Web sites or networks that subscribers can access as long as they have physical access to the network. Subscribers do not have to provide authentication information before accessing the Web sites in an open garden. In contrast, a walled garden refers to a collection of websites or networks that subscribers can access after providing minimal authentication information.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftssgogt.htm
Port-Bundle Host Key
With the SSG Port-Bundle Host Key feature, SSG performs port address translation (PAT) and network address translation (NAT) on the HTTP traffic between the subscriber and the SESM server. When a subscriber sends an HTTP packet to the SESM server, SSG creates a port map that changes the source IP address to a configured SSG source IP address and changes the source TCP port to a port allocated by SSG. SSG assigns a bundle of ports to each subscriber, because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned host key, or combination of port bundle and SSG source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the SESM server and SSG in the Subscriber IP vendor-specific attribute (VSA).
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftssgket.htm
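A model of the port-bundle host key flow described above, added here as an example; it is not Cisco's implementation. SSG-side translation, the host key that SESM derives from a request's translated source address, and the reverse lookup SSG performs when the key comes back in the Subscriber IP VSA are shown together. Assumptions: the `length` parameter is the bundle size as a power of two (the `length 2` in the configuration example below gives 4 ports per bundle), bundles are numbered upward from FIRST_BUNDLE_PORT, and the subscriber addresses in the test are constructed.

```python
"""Port-Bundle Host Key model: PAT of subscriber-to-SESM HTTP traffic into
per-subscriber port bundles on the SSG source address."""
from typing import Dict, Optional, Tuple

HostKey = Tuple[str, int]   # (SSG source IP, first port of the subscriber's bundle)


class PortBundleTable:
    FIRST_BUNDLE_PORT = 1024   # assumption: where bundle numbering starts

    def __init__(self, ssg_source_ip: str, length: int = 4, max_port: int = 65535):
        self.ssg_ip = ssg_source_ip          # `source ip <uplink interface>` address
        self.bundle_size = 1 << length       # `length` as a power of two
        self.max_port = max_port
        self._bundle_of: Dict[str, int] = {}           # subscriber -> bundle base port
        self._owner: Dict[int, str] = {}               # bundle base port -> subscriber
        self._in_use: Dict[int, Dict[int, int]] = {}   # base -> {mapped port: client port}

    def _allocate_bundle(self, subscriber: str) -> int:
        """Give a new subscriber the lowest free bundle."""
        base = self.FIRST_BUNDLE_PORT
        while base in self._owner:
            base += self.bundle_size
        if base + self.bundle_size - 1 > self.max_port:
            raise RuntimeError("no free port bundle")
        self._bundle_of[subscriber] = base
        self._owner[base] = subscriber
        self._in_use[base] = {}
        return base

    def translate(self, subscriber: str, client_port: int) -> Tuple[str, int]:
        """PAT one TCP session towards SESM: the (address, port) SESM will see.
        Several simultaneous sessions share one bundle; a full bundle is refused."""
        base = self._bundle_of.get(subscriber)
        if base is None:
            base = self._allocate_bundle(subscriber)
        used = self._in_use[base]
        for port in range(base, base + self.bundle_size):
            if port not in used:
                used[port] = client_port
                return self.ssg_ip, port
        raise RuntimeError(f"bundle {base} exhausted for {subscriber}")

    def host_key(self, ssg_ip: str, port: int) -> HostKey:
        """SESM side: derive the host key from the translated source of an HTTP
        request. Any port of the bundle maps to the same key."""
        if ssg_ip != self.ssg_ip or port < self.FIRST_BUNDLE_PORT:
            raise ValueError("not an SSG-translated address")
        base = port - (port - self.FIRST_BUNDLE_PORT) % self.bundle_size
        return ssg_ip, base

    def subscriber_for(self, key: HostKey) -> Optional[str]:
        """SSG side: resolve the host key carried in the Subscriber IP VSA of a
        SESM RADIUS request back to the subscriber that owns the bundle."""
        ssg_ip, base = key
        if ssg_ip != self.ssg_ip:
            return None
        return self._owner.get(base)

    def release(self, subscriber: str) -> None:
        """On logoff, return the whole bundle so it can be reused."""
        base = self._bundle_of.pop(subscriber, None)
        if base is not None:
            del self._owner[base]
            del self._in_use[base]
```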
Prepaid
The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long the connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/ftssgpb.htm
TCP Redirect for Services
The SSG TCP Redirect for Services feature redirects certain packets, which would otherwise be dropped, to captive portals that can handle the packets in a suitable manner. For example, packets sent upstream by unauthorized users are forwarded to a captive portal that can redirect the users to a logon page. Similarly, if users try to access a service to which they have not logged on, the packets are redirected to a captive portal that can provide a service logon screen.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ssg/fthttpr.htm
3-Key Authentication
3-key authentication uses a phone number in addition to the existing 2-key authentication (which consists of a user ID and password) to perform end-user identification.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#73871
AAA Nonblocking API
SSG uses authentication, authorization, and accounting (AAA) client APIs to send AAA information to and receive it from the AAA server. The AAA nonblocking API keeps the SSG process running while calls to an AAA module are in progress, which increases the number of requests that SSG can maintain.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#185019
Cached Service Profiles
Cached service profiles store logon information that the system downloaded previously, so that it does not have to be downloaded again at each logon.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#185110
L2TP Dial Out
The SSG L2TP Dial Out feature enhances SSG tunnel services and provides a dial-out facility to users. Many small office home offices (SOHOs) use the public switched telephone network (PSTN) to access their intranet. SSG L2TP provides mobile users with a way to securely connect to their SOHO through the PSTN.
To provide the SSG L2TP Dial Out feature, SSG requires a digital number identification service (DNIS) number for the SOHO to which the user wants to connect, the address of the L2TP access concentrator (LAC) closest to the SOHO, and configured tunnel parameters to establish a tunnel to the LAC.
Users can access the SSG L2TP Dial Out feature by selecting the dial out service using Cisco Subscriber Edge Services Manager (SESM) from the list of subscribed services or by using a structured username. The user must provide the DNIS number when using either method of connecting to the dial out service.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_15/12b_dia.htm
MAC Address Check in Auto Logoff
SSG checks the MAC address of the host each time it performs an ARP ping. If it finds that the MAC address has changed, it performs an automatic logoff of the host to prevent IP address spoofing and DHCP IP address reassignment.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#185022
PDSN Interworking
The packet data serving node (PDSN) Interworking feature enables service selection in CDMA2000 networks through enhancements to the SSG proxy functionality.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#184988
Prepaid Idle Timeout
The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long the connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.
To obtain the first quota for a connection, SSG submits an authorization request to the authentication, authorization, and accounting (AAA) server. The AAA server contacts the prepaid billing server, which forwards the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs off the user.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_15/12b_pre.htm
For additional information, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#185046
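The quota flow described in the Prepaid and Prepaid Idle Timeout sections above, as an added example that is not Cisco's code: the caller plays the AAA and billing servers by answering each outstanding request with billing_reply(). The example reads the `ssg prepaid threshold time` and `ssg prepaid threshold volume` settings from the configuration example below as the remaining amount at which SSG reauthorizes early, and `ssg prepaid reauthorization drop-packet` as dropping traffic while a reply is pending; both readings are assumptions of this example.

```python
"""State machine for an SSG prepaid service connection."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class QuotaKind(Enum):
    TIME = "seconds"
    VOLUME = "bytes"


@dataclass(frozen=True)
class Quota:
    kind: QuotaKind
    amount: int


class State(Enum):
    CONNECTED = "connected"
    REAUTHORIZING = "reauthorizing"   # request sent to AAA/billing, reply pending
    LOGGED_OFF = "logged-off"


@dataclass
class PrepaidConnection:
    user: str
    threshold_time: int = 0           # `ssg prepaid threshold time` (seconds)
    threshold_volume: int = 0         # `ssg prepaid threshold volume` (bytes)
    drop_during_reauth: bool = True   # `ssg prepaid reauthorization drop-packet`
    state: State = State.LOGGED_OFF
    quota: Optional[Quota] = None
    remaining: int = 0
    forwarded_bytes: int = 0
    dropped_bytes: int = 0
    reauth_requests: int = 0

    def connect(self) -> State:
        """Service logon: SSG asks AAA (and through it the billing server) for the first quota."""
        return self._request_quota()

    def _request_quota(self) -> State:
        self.reauth_requests += 1
        self.state = State.REAUTHORIZING
        return self.state

    def billing_reply(self, granted: Optional[Quota]) -> State:
        """Answer the outstanding (re)authorization: a quota keeps the user
        connected; no quota means SSG logs the user off."""
        if self.state is not State.REAUTHORIZING:
            raise RuntimeError("no reauthorization outstanding")
        if granted is None:
            self.state, self.quota, self.remaining = State.LOGGED_OFF, None, 0
            return self.state
        # Quota of the same kind is added to what is left; a change of kind restarts the count.
        same_kind = self.quota is not None and self.quota.kind is granted.kind
        self.remaining = (self.remaining if same_kind else 0) + granted.amount
        self.quota = granted
        self.state = State.CONNECTED
        return self.state

    def _threshold(self) -> int:
        return self.threshold_time if self.quota.kind is QuotaKind.TIME else self.threshold_volume

    def _charge(self, units: int) -> None:
        """Deduct usage; when what is left reaches the threshold, reauthorize."""
        self.remaining -= units
        if self.state is State.CONNECTED and self.remaining <= self._threshold():
            self._request_quota()

    def tick(self, seconds: int) -> State:
        """Advance the clock; only a time quota is charged by elapsed time."""
        if self.state is State.CONNECTED and self.quota.kind is QuotaKind.TIME:
            self._charge(seconds)
        return self.state

    def packet(self, nbytes: int) -> bool:
        """Handle one subscriber packet on the prepaid service; False means dropped."""
        if self.state is State.LOGGED_OFF or (
                self.state is State.REAUTHORIZING and self.drop_during_reauth):
            self.dropped_bytes += nbytes
            return False
        self.forwarded_bytes += nbytes
        if self.quota is not None and self.quota.kind is QuotaKind.VOLUME:
            self._charge(nbytes)
        return True
```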
PTA-MD Exclusion List
SSG parses the structured user names (in the format "user@domain") of PPP users and searches the domain part for SSG services. The PTA-MD Exclusion List feature excludes certain (or all) domains from this default behavior.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#185105
RADIUS Proxy Enhancements for CHAP
The RADIUS proxy enhancements for CHAP feature provides CHAP authentication support for SSG VPDN service in autodomain mode.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/7000/rn7000b.htm#185063
SESM Web Proxy (Plug-and-Play)
The SSG Web proxy feature provides transparent support for Web clients configured for Web proxy in PWLAN scenarios. Cisco SSG directs unresolved DNS requests to the SESM DNS proxy, which inserts a local Web proxy address so that HTTP requests can be properly handled.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/plugplay/intro.htm
SSG EAP Transparency
The SSG EAP Transparency feature allows the SSG on a Cisco router to act as a RADIUS proxy during Extensible Authentication Protocol (EAP) authentication and to create the host. This feature also prevents the use of previously valid IP addresses after an AZR reboot and allows EAP users who have logged out to reconnect through Subscriber Edge Services Manager (SESM).
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_16/shorteap.htm
Unconfig
The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data structures and system resources created by SSG when SSG is unconfigured. The SSG Unconfig feature enhances several Cisco IOS commands to delete all host objects or delete a range of host objects. You can also delete all service objects or connection objects.
For more information on this feature, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_15/12b_unc.htm
Deployment Models
PWLAN access routers support the following deployment models:
Centralized PWLAN Deployment
In a centralized PWLAN deployment, there is a centralized SSG in the service provider's data center that is used to authenticate, authorize, bill, and provide other services. The AAA servers and subscriber management data are often collocated with the SSG router. PWLAN access routers, with AZR functionality, provide the link between hotspots and the central SSG router.
Figure 1 shows an example of a centralized PWLAN deployment.
Figure 1 Centralized PWLAN Deployment
Distributed PWLAN Deployment
Distributed PWLAN deployment does not require a central SSG router. This model enables the use of Cisco 2600XM and 3700 series routers as AZRs with built-in subscriber access control capabilities (the SSG) integrated into a single system, without dedicated connections to the service provider's point of presence (POP). Figure 2 shows a distributed PWLAN deployment model.
The minimum Cisco IOS image for the distributed PWLAN model is the IPBASE image. The distributed PWLAN model is supported with the Advanced Enterprise Services feature set.
Figure 2 Distributed PWLAN Deployment Model
Configuration Example for the Distributed PWLAN Deployment Model
This section shows an example of the configuration for the distributed deployment model. Explanations of some of the configuration tasks are included.
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname swiss-soln-3725
!
clock timezone PST -8
!
aaa new-model
!
aaa group server radius rad-car
server 1.4.11.10 auth-port 1812 acct-port 1813
!
The following lines show the configuration for SSG RADIUS proxy/DHCP session accounting.
aaa group server radius rad-proxy
server 20.2.1.1 auth-port 1812 acct-port 1813
!
The following lines show the prepaid RADIUS configuration.
aaa group server radius SSG-PREPAID
server 1.3.27.60 auth-port 1812 acct-port 1813
!
The following line shows the system accounting configuration.
aaa authorization network default group radius
The following lines show the configuration of the SSG RADIUS proxy.
aaa accounting network acc-ssg start-stop group rad-proxy
aaa accounting system default start-stop group rad-car
aaa session-id common
ip subnet-zero
ip cef
!
!
ip tcp synwait-time 13
The following lines show the definition of addresses that should not be assigned to DHCP clients. These are the addresses that will be used by provider-owned devices such as the AZR and SSG.
ip dhcp excluded-address 20.1.1.1
ip dhcp excluded-address 20.1.1.2
ip dhcp excluded-address 20.2.1.1
ip dhcp excluded-address 20.2.1.2
!
The following lines show the configuration of the AZR local DHCP pool with the open (no WEP) authentication option.
ip dhcp pool swiss-open
network 20.1.1.0 255.255.255.0
default-router 20.1.1.1
dns-server 1.3.27.1
The following line shows the enabling of Secure ARP for each DHCP pool.
update arp
!
The following lines show the configuration of the AZR local DHCP pool for LEAP authentication.
ip dhcp pool swiss-leap
network 20.2.1.0 255.255.255.0
default-router 20.2.1.1
dns-server 1.3.27.1
lease 0 0 1
The following line shows the configuration of Secure ARP for each DHCP pool.
update arp
The following line shows the enabling of session termination for each DHCP pool for which this is required, by referencing the AAA accounting list (SSG as RADIUS proxy).
accounting acc-ssg
!
ip name-server 1.3.27.1
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
ssg enable
The following line shows the access to the default SESM server.
ssg default-network 1.3.27.1 255.255.255.255
The following line defines the password used to download the service from the AAA server.
ssg service-password servicecisco
The following line defines SESM as a RADIUS helper and specifies the port numbers to be used.
ssg radius-helper auth-port 1812 acct-port 1813
The following line defines the key that SESM uses to secure communication.
ssg radius-helper key Cisco
ssg auto-logoff arp interval 240
ssg prepaid reauthorization drop-packet
ssg prepaid threshold volume 2000
ssg prepaid threshold time 10
ssg aaa group prepaid SSG-PREPAID
The following lines bind each service to the uplink interface.
ssg bind service og1 FastEthernet0/0
ssg bind service service2 FastEthernet0/0
ssg bind service service3 FastEthernet0/0
ssg bind service service1 FastEthernet0/0
ssg bind service prepaid1 FastEthernet0/0
ssg open-garden og1
!
The following lines configure the SSG port bundle host key.
ssg port-map
destination access-list 101
source ip FastEthernet0/0
length 2
!
ssg radius-proxy
server-port auth 1812 acct 1813
client-address 20.2.0.0 255.255.0.0 key cisco
no remove vsa cisco
!
The following lines show the configuration of the SSG TCP-redirect/captive portal.
ssg tcp-redirect
port-list web
port 80
port 8080
!
server-group sesm-cp
server 1.3.27.1 8090
!
redirect port-list web to sesm-cp
redirect unauthenticated-user to sesm-cp
!
server-group PrepaidRedirectGroup
server 1.3.27.1 8096
!
!
redirect prepaid-user to PrepaidRedirectGroup
ssg service-search-order remote local
!
The following lines define the service profile for the profile "service1."
local-profile service1
attribute 26 9 251 "R1.0.0.0;255.0.0.0"
attribute 26 9 251 "D1.3.27.1"
attribute 26 9 251 "O*"
!
!
local-profile og1
attribute 26 9 251 "O*"
attribute 26 9 251 "R1.0.0.0;255.0.0.0"
attribute 26 9 251 "D1.3.27.1"
!
!
local-profile prepaid1
attribute 26 9 251 "D1.3.27.1"
attribute 26 9 251 "O*"
attribute 26 9 251 "R1.0.0.0;255.0.0.0"
attribute 26 9 253 "QX100;1;5"
!
!
The following lines configure the upstream connectivity between the SSG and the core network.
interface FastEthernet0/0
ip address 1.3.27.51 255.255.0.0
duplex auto
speed auto
ssg direction uplink
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
The following lines show the AZR 802.1Q baseline configuration.
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 20.1.1.1 255.255.0.0
The following lines show the configuration of the downstream connectivity between the SSG and the hotspot.
ssg direction downlink
no cdp enable
The following lines enable authorized ARP on each interface and define the ARP timeout, indicating how long the ARP entry should remain valid in the ARP table.
arp authorized
arp timeout 120
!
The following lines show the AZR 802.1Q baseline configuration.
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 20.2.1.1 255.255.0.0
ssg direction downlink
arp authorized
arp timeout 120
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
ip address 20.3.1.1 255.255.0.0
arp timeout 120
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.3.0.1
ip route 50.50.50.0 255.255.255.0 1.3.27.56
ip route 223.255.254.254 255.255.255.255 1.3.0.1
!
no ip http server
no ip http secure-server
!
!SSG Port-Bundle HostKey
access-list 101 permit ip 20.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
The following lines define a static ARP entry for each device that does not have its address assigned using DHCP and that exists on a downlink interface configured with the arp authorized command (for example, any access point).
arp 20.2.1.2 000d.bce4.6573 ARPA
arp 20.1.1.2 000d.bce4.6573 ARPA
!
!
The following lines show the SSG prepaid service configuration.
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
The following lines define RADIUS settings for each SSG within the server group.
radius-server host 1.4.11.10 auth-port 1812 acct-port 1813 key cisco
radius-server host 20.2.1.1 auth-port 1812 acct-port 1813 key cisco
radius-server host 1.3.27.60 auth-port 1812 acct-port 1813 timeout 5 retransmit 3 key cisco
radius-server retransmit 0
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
no mgcp timer receive-rtcp
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
speed 115200
line aux 0
line vty 0 4
!
!
end
Additional References
The following sections provide references related to PWLAN access routers.
Related Documents
MIBs
Technical Assistance
Copyright © 2004 Cisco Systems, Inc. All rights reserved.