Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Software Releases 12.3 T

Configuring SSG Accounting

Downloads

Table Of Contents

Configuring SSG Accounting

Contents

Prerequisites for SSG Accounting

Information About SSG Accounting

RADIUS Accounting Records Used by SSG

Account Logon and Logoff

Service Logon and Logoff

Types of SSG Accounting

Interim Accounting

Per-Host Accounting

Per-Service Accounting

SSG Accounting Update Interval per Service Feature

Broadcast Accounting

SSG Prepaid Functionality

Service Authorization

Service Reauthorization

Accounting Records and Prepaid Billing

Simultaneous Volume- and Time-Based Prepaid Billing

SSG Prepaid Idle Timeout

SSG Prepaid Reauthorization Threshold

SSG Prepaid Redirection on Quota Exhaustion Feature

Default Quota for Prepaid Server Failure

Benefits of the SSG Prepaid Feature

Prepaid Tariff Switching

Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs

SSG Prepaid Tariff Switching VSAs

Interim Accounting Updates for SSG Prepaid Tariff Switching

Dual Quota and Idle-Timeout Prepaid Tariff Switching

Extended Prepaid Tariff Switching for SSG

Postpaid Tariff Switching for SSG

How to Configure SSG Accounting

Configuring SSG Accounting

Prerequisites for Configuring SSG Accounting

Configuring SSG Broadcast Accounting

Configuring SSG Prepaid Features

Configuring SSG Prepaid Features on the Router

Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature

Redirecting TCP Traffic for SSG Prepaid Quota Refill

Verifying Configuration of the SSG Prepaid Feature

Configuring Postpaid Tariff Switching for SSG

Post-Paid VSA

Examples

Configuration Examples for SSG Accounting

Accounting Update Interval per Service in RADIUS: Example

Basic Prepaid Configuration: Examples

TCP Redirect for Prepaid Users: Example

Configuring Prepaid Threshold Value: Examples

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance


Configuring SSG Accounting

Cisco Service Selection Gateway (SSG) accounting features allow a service provider to decide how to configure billing and accounting for its users. This module describes how to configure SSG accounting features including per-host or per-service accounting, broadcast accounting, prepaid service support, and postpaid tariff switching.

Feature History for the SSG Accounting Feature

Release
Modification

12.0(3)DC

SSG features were introduced on the Cisco 6400 series.

12.2(4)B

SSG features were integrated into Cisco IOS Release 12.2(4)B. Basic prepaid service was introduced.

12.2(11)T

SSG features were integrated into Cisco IOS Release 12.2(11)T, and support was added for the Cisco 7200 series.

12.2(16)B

Advanced prepaid service, prepaid tariff switching, postpaid tariff switching, simultaneous volume- and time-based prepaid billing, prepaid idle-timeout, redirection, and per-host and per-service accounting features were introduced.

12.3(4)T

SSG features were integrated into Cisco IOS Release 12.3(4)T.

12.3(14)T

The Extended Prepaid Tariff Switch with SSG feature was integrated into Cisco IOS Release 12.3(14)T.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for SSG Accounting

Information About SSG Accounting

How to Configure SSG Accounting

Configuration Examples for SSG Accounting

Additional References

Additional References

Prerequisites for SSG Accounting

SSG must be enabled before SSG accounting can be configured.

Information About SSG Accounting

Before you configure SSG accounting functionality, you should understand the following concepts:

RADIUS Accounting Records Used by SSG

Types of SSG Accounting

SSG Prepaid Functionality

Prepaid Tariff Switching

Postpaid Tariff Switching for SSG

RADIUS Accounting Records Used by SSG

SSG sends accounting records with the associated attributes to the RADIUS accounting server when the events described in the following sections occur:

Account Logon and Logoff

Service Logon and Logoff

Account Logon and Logoff

SSG sends an accounting-request record to the local RADIUS server when a user logs in or out. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request record marks the start (commencement) of the user service or the stop (termination) of the service.

When a user logs in, SSG sends an accounting-start record to the RADIUS server. When a user logs out, SSG send an accounting-stop record to the RADIUS server.

Note The Proxy-state attribute is not normally present in both the accounting-start and accounting-stop record. It is normally found in only one of them.

Example RADIUS Accounting-Start Record Sent by SSG When a User Logs In

This example shows the information contained in a RADIUS accounting-start record. 

User-Name = "user1"

Acct-Status-Type = Start

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.0.0

NAS-Port-Type = Virtual

Acct-Session-Id = 00000011 ! The session ID number

Framed-IP-Address = 192.168.0.10 ! The user's IP address

Acct-Delay-Time = 0

Example RADIUS Accounting-Stop Record Sent by SSG When a User Logs Out

This example shows the information contained in a RADIUS accounting-stop record. 

User-Name = "user1"

Acct-Status-Type = Stop

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.0.0

NAS-Port-Type = Virtual

Acct-Session-Time = 77

Acct-Terminate-Cause = User-Request

Acct-Session-Id = 00000011 ! The session ID number

Framed-IP-Address = 192.168.0.10 ! The user's IP address

Acct-Input-Packets = 0 ! Downstream packet counts

Acct-Output-Packets = 0 ! Upstream packet counts

Acct-Input-Octets = 0 ! Downstream byte counts

Acct-Output-Octets = 0 ! Upstream byte counts

Acct-Delay-Time = 0

The Acct-Session-Time attribute indicates the length of session, expressed in seconds. The Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the following events:

User-Request

Session-Timeout

Idle-Timeout

Lost-Carrier

Service Logon and Logoff

SSG sends an accounting-start record to the local RADIUS server when a user logs onto a service, and sends an accounting-stop record when a user terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service.

Accounting records are sent only to the local RADIUS server unless the service is a proxy service, in which case they are also sent to a remote RADIUS server.

Example RADIUS Accounting-Start Record for Service Access

This example shows the information contained in an accounting-start record for service access. 

User-Name = "user1"

Acct-Status-Type = Start

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.2.48

NAS-Port-Type = Virtual

Acct-Session-Id = 00000012

Framed-IP-Address = 192.168.2.60 ! User's IP address

Service-Info = "NService1.com" ! servicename

Service-Info = "Uuser1" ! username-for-service

Service-Info = "TX"

Acct-Delay-Time = 0

Example RADIUS Accounting-Stop Record for Service Termination

This example shows the information contained in an accounting-stop record for service termination. 

User-Name = "user1"

Acct-Status-Type = Stop

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.2.48

NAS-Port = 0

NAS-Port-Type = Virtual

Acct-Session-Id = "00000002"

Acct-Terminate-Cause = User-Request

Acct-Session-Time = 84

Acct-Input-Octets = 0 ! Downstream packet counts

Acct-Output-Octets = 649 ! Upstream packet counts

Acct-Input-Packets = 0 ! Downstream byte counts

Acct-Output-Packets = 17 ! Upstream byte counts

Framed-IP-Address = 192.168.101.10 ! User's IP address

Control-Info = "I0;0" ! high_32_dnst_byte;low_32_dnst_byte

Control-Info = "O0;649" ! high_32_upst_byte;low_32_upst_byte

Service-Info = "NService1.com" ! servicename

Service-Info = "Uuser1" username-for-service

Service-Info = "TP"

Acct-Delay-Time = 0

Types of SSG Accounting

This section provides information about RADIUS accounting for SSG and includes the following topics:

Interim Accounting

Per-Host Accounting

Per-Service Accounting

SSG Accounting Update Interval per Service Feature

Broadcast Accounting

Interim Accounting

The SSG supports interim (intermittent) RADIUS accounting updates between the time that SSG sends accounting-start and accounting-stop records. The interim accounting records are sent at a configurable interval, and are valid for both hosts and service connections.

Per-Host Accounting

Per-host accounting is the aggregate of all the connection traffic for a host. SSG does not account for the following types of traffic:

Between the host and the default-network.

To open gardens.

Redirected by the TCP Redirect feature.

Permitted by pass-through filters.

Per-host accounting records all other traffic.

By default, SSG sends host and service accounting records. A service provider only interested in host records can disable service (per-connection) accounting with the ssg accounting per-host command.

The per-host accounting records are sent to the local authentication, authorization, and accounting (AAA) server configured with the radius-server host command.

Per-Service Accounting

By default, SSG sends host and service accounting records. A service provider only interested in service records can disable host accounting with the ssg accounting per-host command. Service Accounting-Stop records can be throttled by using the ssg accounting stop rate-limit command.

SSG Accounting Update Interval per Service Feature

The SSG Accounting Update Interval Per Service feature allows the service provider to configure different accounting intervals for different services. Without the SSG Accounting Update Interval Per Service feature, accounting records of all services would be sent at the configured global interval. When enabled, the SSG Accounting Update Interval Per Service feature has the following effects:

When SSG accounting is enabled on a router with the ssg accounting command, the accounting interval parameters configured in a service profile take precedence.

When service accounting is configured using the ssg accounting command on the router but service profile accounting is disabled, then the per-service accounting records will not be sent for that service.

When service accounting is disabled on the router using the ssg accounting per-host command but in a service profile where accounting is enabled, then the per-service accounting records will be sent for that service.

Interim accounting records can be disabled by setting the interim accounting interval value to 0.

Broadcast Accounting

SSG supports broadcast accounting, which is the ability to send user accounting records to multiple RADIUS servers. The SSG broadcast accounting feature provides service providers with geographical redundancy for RADIUS servers, and provides accounting records to partners in wholesale models.

Note Broadcast accounting is not the same as RADIUS server failover: It requires that clones of host accounting packets are always forwarded to each of the configured servers, not only when the primary server fails.

SSG Prepaid Functionality

The SSG Prepaid feature allows SSG to immediately check a user's available credit to allow or disallow access to certain services. The user's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.

SSG differentiates prepaid services from postpaid services by the presence of the Service Authorization vendor-specific attribute (VSA) in the service profile.

Table 1 describes the elements of the Service Authorization VSA.

Table 1 Service Authorization VSA Elements

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

251
Service-Info

Service Authorization

The value "Z" indicates that authorization is required.


To obtain the first quota for a connection, SSG submits an authorization request to the AAA server. The AAA server contacts the prepaid billing server, which returns the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs the user off from the service that has run out of quota.

This section contains the following topics:

Service Authorization

Service Reauthorization

Accounting Records and Prepaid Billing

Simultaneous Volume- and Time-Based Prepaid Billing

SSG Prepaid Idle Timeout

SSG Prepaid Reauthorization Threshold

SSG Prepaid Redirection on Quota Exhaustion Feature

Default Quota for Prepaid Server Failure

Benefits of the SSG Prepaid Feature

Service Authorization

When a user tries to access a service, SSG downloads the service profile. The presence of the "Z" value in the service profile indicates that this particular service needs to be prepaid, and that SSG must perform authorization before providing access.

Once a service has been identified as prepaid, SSG generates an Access-Request packet called a Service Authorization Request. The contents of this type of Access-Request packet are described in Table 2.

Table 2 Contents of Service Authorization Request Packet

Attribute ID
Attribute Name
Description
Notes

1

User-Name

Mobile Station (MS) user name

2

PAP Password

Global service profile password

4

NAS IP Address

SSG IP address

6

Service-Type

Framed-user

26

Vendor-Specific

Name of service

Subattribute ID 251; code N (the service-name).

31

Calling-Station-ID

Mobile Station ISDN Number (MSISDN)

The username or MAC address may appear in this field if the access technology does not provide an MSISDN.

44

Acct-Session-ID

Session ID

55

Time-Stamp

Time-stamp

61

NAS-Port-Type

Asynchronous
(value = 0)


The prepaid billing server generally performs quota authorization based on the same key that was used for authentication. For example, for mobile wireless networks, where the unique key that is used for authentication is the Calling-Station-ID attribute (attribute 31), the quota authorization would also be performed using the Calling-Station-ID attribute.

The prepaid billing server responds to the Service Authorization Request packet with an Access-Accept packet (the Service Authorization Response) that defines the quota parameters for the connection. The Service Authorization Response is listed in Table 3. Access to the service is provided based on the presence and contents of the Quota VSA in the Access-Accept packet listed in Table 4.

Table 3 Content of Service Authorization Access-Accept Packet

Attribute ID
Attribute Name
Description
Notes

6

Service-Type

Framed-user

26

Vendor-Specific

Quota

Subattribute ID: 253. The value "Q" indicates that this is the Quota VSA.


Table 4 Quota VSA Elements

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

T or V—Quota subcode for time or volume.

Numeric string—Quota value.


Based on the presence and value of quota attributes in the authorization response, SSG will take the following actions:

If a nonzero quota is returned in the authorization response, SSG creates a connection to the service using the initial quota value in seconds for time and bytes for volume.

If a value of zero in a quota is returned in the authorization response, then the user has insufficient credit and is not authorized to use that service.

If the quota attribute is not present in the authorization response, SSG treats the connection as postpaid.

In the case of volume quota, instead of SSG using a single token, two quota tokens can be allocated to accommodate the tariff switching functionality.

Service Reauthorization

When the quota for the connection reaches zero, SSG issues a Service Reauthorization Request to the billing server. For volume-based billing, SSG decrements the volume-based quota until it runs out. For time-based billing, the connection is allowed to proceed for the quota duration. The Service Reauthorization Request includes an SSG VSA called Quota Used, which has the same format as the Quota VSA described in Table 4. The content of the Service Reauthorization Request is described in Table 5.

Table 5 Contents of Service Reauthorization Request

Attribute ID
Attribute Name
Description
Notes

1

User-Name

MS user name

2

PAP Password

Global service profile password

4

NAS IP Address

SSG IP address

6

Service-Type

Framed-user

26

Vendor-Specific

Name of service

Subattribute ID 251; code N (the service-name).

26

Vendor-Specific

Quota

Subattribute ID 253.

The Quota Used VSA has the same format as the Quota VSA.

31

Calling-Station-ID

MSISDN

44

Acct-Session-ID

Session ID

55

Time-Stamp

Time-stamp

61

NAS-Port-Type

Asynchronous (value=0)


Accounting Records and Prepaid Billing

SSG and the prepaid billing server use start, stop, and interim accounting records to manage a user's prepaid services, as described in the following sequence:

1. When the user tries to connect to the service, SSG sends an authorization request to the prepaid billing server to download the quota.

2. If SSG gets some valid quota, SSG activates the connection and sends an Accounting-Start record.

3. If quota is exhausted during the usage of the connection, SSG sends reauthorization requests.

4. After a configurable period of time, the interim accounting records are sent to the prepaid billing server.

5. When the user logs out of the service, SSG sends an accounting stop to the prepaid billing server to indicate that the session has ended. Based on the usage data in the Accounting-Stop record, the unused quota is sent back to the user's account by the billing server.

Simultaneous Volume- and Time-Based Prepaid Billing

The Simultaneous Volume- and Time-Based Prepaid Billing feature allows SSG to provide volume- and time-based tracking on the same connection.

The prepaid billing server allocates quotas in both time and volume. That is, the authorization response contains both "QT" and "QV" attributes, and SSG is able to monitor the connection on both types. SSG performs a reauthorization whenever either of these quota types is exhausted. The next Service-Authorization response packet contains the usage on both of these quota types.

Note Both the time and volume quota parameters must be nonzero.

The simultaneous volume- and time-based prepaid billing feature can interwork with the prepaid idle-timeout functionality and volume threshold. Table 6 describes the attributes contained in a Service-Authorization response packet.

Table 6 Contents of Service-Authorization Response Packet

Attribute ID
Vendor ID
Subattribute ID
Attribute Name
Type
Value

26

9

253

Quota

ASCII string

"QT seconds"

26

9

253

Quota

ASCII string

"QV bytes"


SSG Prepaid Idle Timeout

The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.

The SSG Prepaid Idle Timeout feature enables the services described in the following sections:

Residual Quota Return

SSG returns residual quota to the prepaid billing server from services that a user is logged in to but not actively using. When the inactivity on the service is equal to the idle-timeout value sent in the response, the unused quota is returned to the prepaid billing server. This unused quota can be applied to the quota for the services that the user is actively using.

Open a Connection with Zero Quota

When SSG is configured to use the SSG Prepaid Idle Timeout feature, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value expires.

Portal Page Redirection

A billing server returns a zero quota and a nonzero idle timeout when a user has run out of credit for a service. The user is then redirected to the portal page to replenish the quota. While the user's connection to the original service is retained, any traffic passing through the connection is dropped. This enables a user to replenish quota without losing connections to services or having to perform additional service logins.

SSG returns the quota in a reauthorization request and adds a VSA called the Reauthorization Reason attribute, which verifies that the reauthorization request is to return the quota to the user, and not to query for more quota. The content of the Reauthorization Reason attribute is described in Table 7.

Table 7 Reauthorization Reason Attributes

Reauthorization Reason Attribute
Description

Not present

No Reauthorization Reason attribute is sent if reauthorization is performed because of quota expiry (time or volume), except for the special case "QR0."

QR0

A reauthorization reason QR0 is sent if reauthorization is performed because of quota expiry (time) but the user is idle; that is, no user traffic has been received since the reception of the preceding Access-Accept packet.

This applies if the preceding Access-Accept packet for service reauthorization contained:

The Idle-Timeout attribute with value "0"

The Volume-Quota (QV or QX) attribute with value "0"

The Time-Quota attribute with value ">0"

Reauthorization reason QR0 indicates to the prepaid server that no new (volume) quota needs to be allocated; that is, there is no ongoing user traffic.

QR1

Reauthorization is performed because of idle timer expiry; that is, no user traffic received was for the time specified in the Idle-Timeout attribute.


The interworking of idle-timeout and dual-quota functionality with the existing prepaid features is shown in Table 8.

Table 8 Interworking of Idle-Timeout and Dual-Quota Functionality

QT
QV
Idle-Timeout
SSG Action

SSG opens the connection and considers postpay connection. No reauthorization is performed.

0

0

0

SSG opens the connection. Reauthorization occurs when user traffic comes in.

0

0

SSG closes or does not open the connection.

0

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.

0

>0

0

SSG closes or does not open the connection.

0

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted, or no user traffic for a time interval that is equal to the idle-timeout value.

>0

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted, or no user traffic for a time interval that is equal to the idle-timeout value.

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.

>0

>0

0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.

>0

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs when QT is exhausted or after a time interval equal to the idle-timeout value.

>0

0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.


SSG Prepaid Reauthorization Threshold

Using the SSG Prepaid Reauthorization Threshold feature, you can configure SSG to reauthorize for more quota when the quota allopcated to SSG falls below a configurable minimum threshold value. You can also configure SSG to drop traffic when it is reauthorizing for the connection. This prevents revenue leaks in the event that the billing server returns a zero quota for the connection.

When the SSG Prepaid Reauthorization Threshold feature is not configured, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. You can prevent this type of revenue leak by configuring a threshold value, causing SSG to reauthorize a user's connection before the user completely consumes the allocated quota for a service.

If you configure SSG to drop traffic during reauthorization and configure a threshold value, user traffic continues until the user exhausts the allotted quota. When the allotted quota is used, the traffic is dropped until SSG receives a reauthorization response.

SSG Prepaid Redirection on Quota Exhaustion Feature

The SSG Prepaid Redirection on Quota Exhaustion feature gives users the opportunity to replenish prepaid quota while maintaining the current connection. When the prepaid billing server returns a quota value of 0 and a positive idle-timeout value, SSG redirects the user to a portal page where additional quota can be purchased. If the user purchases additional quota, the prepaid billing server returns a positive quota value to SSG, which allows the connection to continue.

Note When SSG redirects a user to a portal page, it maintains the user's connection to the original service, although any traffic passing through the connection is dropped. This enables the user to replenish quota without requiring a subsequent service login, provided that the reauthorization timout has not been exceeded.

Default Quota for Prepaid Server Failure

SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the service.

When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user's connection to the service will be terminated.

SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated because of the unavailability of the prepaid server. Table 9 describes the Prepaid Default Quota VSA.

Table 9 Prepaid Default Quota VSA

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

251 Service-Info

Prepaid Default Quota

PZQT seconds—sets a default time quota.

or

PZQVbytes—sets a default volume quota.


Benefits of the SSG Prepaid Feature

Concurrent Prepaid Service Access

The SSG Prepaid feature can support concurrent prepaid service access while maintaining the same pool of quota at the prepaid billing server. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to a service while connected to other services.

Real-Time Billing

The SSG Prepaid feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.

Redirection Upon Exhaustion of Quota

When a user runs out of quota, SSG can redirect the user to a portal where the user can replenish the quota without being disconnected from the service.

Returning Residual Quota

The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged in to but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.

Threshold Values

The SSG Prepaid Reauthorization Threshold feature can prevent revenue leaks by enabling the user to configure a threshold value. Configuring a threshold value causes user connections to be reauthorized before the user completely consumes the allotted quota for a service.

Traffic Status During Reauthorization

Revenue leaks can be prevented by configuring SSG to drop connected traffic during reauthorization of a service. The user remains connected to the service and need not log in again to the service, but no traffic is forwarded during the reauthorization process. This prevents users from continuing to use a service for which they have run out of quota while SSG sends a reauthorization request to the billing server.

Simultaneous Volume- and Time-Based Prepaid Billing

SSG supports rating on both time and volume simultaneously for prepaid services. The prepaid billing server may allocate quotas in both time and volume, and SSG monitors the connection for either type. SSG performs a reauthorization whenever either of these quota types is exhausted.

Prepaid Tariff Switching

Prepaid tariff switching allows changes in tariffs during the lifetime of a connection. This feature applies to volume-based prepaid connections where the tariff changes at certain times of the day.

Typically, a service provider uses prepaid tariff switching to offer different tariffs to a user during an active connection; for example, changing a user to a less expensive tariff during off-peak hours.

When SSG is monitoring the prepaid connection based on volume, at the tariff switching time, SSG can switch to the new charging rate. This feature will interoperate with all existing prepaid functionality, including the idle-timeout feature.

Note SSG is not involved in computing the billing rate changes that occur at tariff switch points. Billing rate change computations are performed by the prepaid billing server.

SSG supports prepaid tariff switching by using two quota tokens that correspond to the pretariff switch time period and posttariff switch time period.

In the authorization response, the prepaid billing server specifies the tariff change time and the tokens for post-switch and pre-switch periods in its authorization response to SSG.

Note The tariff change time denotes the delay, in seconds, between the authorization and the tariff switch.

SSG uses the prepaid tariff switch quota until the tariff switch occurs. Upon tariff switch, SSG performs a token switch and starts using the postpaid tariff quota for prepaid connection monitoring. Reauthorization occurs only when either of these tokens is exhausted, not when a tariff change occurs.

This section contains the following topics:

Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs

SSG Prepaid Tariff Switching VSAs

Interim Accounting Updates for SSG Prepaid Tariff Switching

Dual Quota and Idle-Timeout Prepaid Tariff Switching

Extended Prepaid Tariff Switching for SSG

Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs

Table 10 describes the behavior of SSG in the various events that occur when prepaid tariff switching takes place.

Table 10 Authorization and Reauthorization Behavior

Event
Action

An authorization response is received containing the dual-quota token tariff switch attribute.

Tariff switching is enabled on SSG for a given prepaid connection.

During data forwarding, the quota runs out before the tariff switch occurs.

SSG performs a reauthorization in the same way as in a no tariff switching case. The prepaid billing server may recalculate the tariff switch time and send the response again. Note that tariff switch attributes are not included in the reauthorization response.

During data forwarding, the tariff switch time elapses after the last authorization.

SSG switches from the current quota token to the second quota token. The new quota token is now used for real-time accounting.

During data forwarding, the quota runs out after the tariff switch.

SSG will send the quota usage in pre- and posttariff periods back to the prepaid server in the authorization response.

The user logs out of the service after the tariff switch.

SSG will report the quota usage in the pre- and posttariff switch periods in the Accounting Stop packet.

The user logs out of the service before the tariff switch.

SSG sends a normal Accounting-Stop packet, as in the nontariff switching case.

Interim accounting

If the connection is in the posttariff switch period, SSG will report quota usage in the pre- or posttariff switching periods in the interim accounting packet.


SSG Prepaid Tariff Switching VSAs

The VSA shown in Table 11 is used in authorization and reauthorization responses to send quota tokens and the tariff switch time. Table 11 describes the VSA content.

Table 11 Content of VSA Used in Authorization/Reauthorization Response Packets

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

X—Tariff switch code for prepaid quota.

time;—Tariff switch time, in seconds.

volume;—Preswitch quota volume token, in bytes.

volume— Postswitch quota volume token, in bytes.


The VSA shown in Table 12 is used in reauthorization requests and accounting packets. This VSA is used in addition to the usual Quota Volume attribute that indicates the total volume usage in a connection. Table 12 describes the VSA content.

Table 12 Content of VSA Used in Reauthorization Requests and Accounting Packets

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

B;—Tariff switch code for denoting the total volume used after the last tariff switch.

volume—Total volume of traffic in that connection (since start) after the last tariff switch, in bytes.

time—Tariff switch time in the UNIX time stamp. This is used only in postpaid service accounting records.


Interim Accounting Updates for SSG Prepaid Tariff Switching

The interim accounting records contain the cumulative usage information (since start of connection) and the amount of usage after the last tariff switch time. The Accounting-Stop record contains the total usage information and the volume of traffic sent after the last tariff switch.

Note Only one interim accounting record in every tariff switching interval plus an Accounting-Stop record is required for the billing server to reconstruct the usage information before and after the switching time.

The following example illustrates how the accounting interim updates would look in various tariff switch periods and how the billing server has to interpret the records to obtain the individual usages in the various intervals.

Consider a user logged in to the connection at time T0. The tariff switch points in that week are Tx, Ty, and Tz. The user logs off at T1.

Accounting records A1 through A5 were sent in the various tariff switching intervals. All interim accounting records contain the total volume of traffic sent in the connection from start until that point in time. This volume of traffic value is available in the standard accounting attributes and the SSG Accounting VSAs. For records sent after a tariff switch, the tariff switch VSA indicates usage since the last tariff switch point.

Accounting record A1 does not contain any tariff switch VSAs. Accounting record A2 contains a tariff switch VSA to indicate the usage since the last tariff switch point (Tx). Note that more than one interim accounting record can be sent in the interval, depending on the accounting interval configured. It is possible to derive the usage in the various intervals even if only one accounting record in an interval was successfully sent. The following sequence shows how the billing server calculates usage in the interval between Tx and Ty.

Record A2 contains total volume (V2) and usage since the last tariff switch point Tx (T2). The amount of usage in interval (T0,Tx) is represented as V(0,x) = V2 - T2.

Record A3 contains total volume (V3) since start of connection, and the last tariff switch point Ty (T3). The amount of usage in interval (T0,Ty) is represented as V(0,y) = V3 - T3. The amount of usage in interval (Tx,Ty) is represented as V(x,y) = V(0,y) - V(0,x).

Note Accounting-Stop record A5 also contains only the total volume and the usage since the last tariff switch point, and not the usage in the various intervals.

The information in these interim accounting records enables the service provider to derive the accounting information in the various tariff switching intervals.

Dual Quota and Idle-Timeout Prepaid Tariff Switching

The dual quota functionality also interworks with the tariff switching functionality. Instead of the QV and QT attributes being present in the authorization response, QX and QT attributes can be present together in the authorization response. In this case, reauthorization is done whenever the time quota runs out and either of the two volume quota tokens runs out in its respective period. Table 13 describes the attributes contained in a response to a service reauthorization request.

Table 13 Contents of Service Reauthorization Response Packet

Attribute
ID
Vendor
ID
Subattribute
ID
Status
Attribute Name
Type
Subattribute Data

28

   

Optional

Idle-Timeout

Integer

Idle Timeout

26

9

253

Optional

Quota

ASCII string

QT seconds

26

9

253

Mandatory

Quota-for-Tariff Switching

ASCII string

QX seconds;
bytes; bytes


Tariff quota is considered to be exhausted when prepaid tariff quota (PRE) is exhausted before tariff switching, or when the postpaid tariff (POST) quota is exhausted after tariff switch. The interworking of dual quota functionality with tariff switching and idle-timeout is shown in Table 14.

Note In Table 14, QT represents time-based quota, and QX represents quota for prepaid and postpaid tariff switching. TS denotes time of tariff switch, PRE denotes prepaid switch quota, and POST denotes postpaid switch quota. QXTS;PRE;POST represents QX time-of-tariff-switch; prepaid-switch-quota; postpaid-switch-quota.

Table 14 Interworking of Dual-Quota Functionality with Idle-Timeout

QT
QXTS;PRE;POST
Idle-Timeout
SSG Action

0

>0;0;0

0

SSG opens the connection. Reauthorization occurs when user traffic comes in.

0

>0;0;0

>0

SSG opens the connection but blocks user traffic (drop or redirect). Reauthorization occurs after a time interval equal to the idle timeout value.

0

Any combination not covered by idle-timeout equal to or greater than 0

0 or >0

SSG closes or does not open the connection.

>0

>0;>0;>0

>0

SSG opens the connection. Reauthorization occurs when the time-based quota (QT) or the prepaid quota (PRE) is exhausted before tariff switching, or when the prepaid (PRE) and postpaid (POST) quotas are exhausted, or when no user traffic occurs for a time interval equal to the idle-timeout value.

>0

>0;>0;0

>0

SSG opens the connection. Reauthorization occurs when QT or PRE is exhausted before tariff switching when tariff switching occurs, or when no user traffic occurs for a time interval equal to the idle-timeout value.

>0

>0;>0;>0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or PRE is exhausted before tariff switching, or when the sum of PRE and POST tariff is exhausted.

>0

>0;>0;0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when tariff quota is exhausted.

>0

>0;0;0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.


If dual quota was allotted in the earlier authorization, the reauthorization request contains both the volume and time attributes. The volume attributes may include the quota for tariff switching (QB) or the volume-based quota (QV) when the connection is made in the post-tariff switch period. The reauthorization reason attribute may be present in the reauthorization request. Table 7 describes the reasons.

Extended Prepaid Tariff Switching for SSG

The Extended Prepaid Tariff Switch for SSG feature is used to measure the usage of specific services at various times, even when the monetary value of the volume quota does not change at the time of tariff switching. In such a scenario, the remaining amount of a user's prepaid tariff switch quota continues as postpaid tariff switch quota. Information can be collected about how much quota was used before a particular time and how much was used after, providing a usage profile of specific services at various times.

For instance, say that gaming and stock trading services are offered. Using the Extended Prepaid Tariff Switch feature, the user could purchase quota that could be used for each service at the same flat rate. Gaming traffic may be higher in the evenings, for example, while stock trading may be in more demand during business hours. The resulting usage profile can help you decide whether to charge a premium for specific services at specific times.

Postpaid Tariff Switching for SSG

The Postpaid Tariff Switching for SSG feature allows changes in tariffs during the lifetime of a connection. This feature applies to volume-based postpaid connections where the tariff changes at certain times of the day.

Typically, a service provider uses postpaid tariff switching to offer different tariffs to a user during an active connection; for example, changing a user to a less expensive tariff during off-peak hours.

To handle tariff switches for postpaid connections, the accounting packets log the usage information during the various tariff switch intervals. The service profile contains a weekly tariff switch plan detailing the times of day at which tariff changes occur. SSG monitors the usage at every tariff switch point and records this information in the interim accounting records. The billing server monitors all accounting interim updates and obtains the information about the volume of traffic sent at each tariff rate.

Note Tariff switching is not required for time-based billing services. Because the billing server knows the service login time stamp and logout time stamp, it can calculate the different tariffs that apply during that time.

How to Configure SSG Accounting

This section describes how to configure SSG accounting features and contains the following tasks:

Configuring SSG Accounting

Configuring SSG Broadcast Accounting

Configuring SSG Prepaid Features

Configuring Postpaid Tariff Switching for SSG

Configuring SSG Accounting

Perform this task to enable enable SSG accounting.

Prerequisites for Configuring SSG Accounting

The RADIUS server must be configured and operational before you configure SSG accounting.

SUMMARY STEPS

1. ssg accounting [per-host] [per-service] [interval seconds]

2. ssg accounting stop rate-limit [records]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

ssg accounting [per-host] [per-service] [interval seconds]

Example:

Router(config)# ssg accounting per-host interval 60

Enables SSG accounting and specifies the interval at which accounting updates are sent to the accounting server.

To enable the sending of per-host accounting records only, use the per-host keyword.

To enable the sending of per-service accounting records only, use the per-service keyword

Step 2 

ssg accounting stop rate-limit [records]

Example:

Router(config)# ssg accounting stop rate-limit 200

Limits the rate of accounting records sent per second.

The value can be set between 10 and 5000.

Configuring SSG Broadcast Accounting

SSG broadcast accounting requires the configuration of a broadcast group. Perform this task to send host accounting records to multiple servers.

Note This is not the same as RADIUS server failover. It clones accounting packets, which are then always forwarded to each of the configured servers, not only when the primary server fails.

SUMMARY STEPS

1. aaa group server radius group-name

2. server ip-address auth-port auth-port-number acct-port acct-port-number

3. aaa group server radius group-name

4. server ip-address auth-port auth-port-number acct-port acct-port-number

5. aaa accounting network accounting-list-name start-stop broadcast group group-name group group-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius BILLING

Defines the server group.

Step 2 

server ip-address auth-port auth-port-number acct-port acct-port-number

Example:

Router(config)# server 10.10.50.181 auth-port 1812 acct-port 1813

Configures a server in the selected server group.

Step 3 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius HOTSTANDBY

Defines the server group.

Step 4 

server ip-address auth-port auth-port-number acct-port acct-port-number

Example:

Router(config-sg)# server 10.10.50.180 auth-port 1812 acct-port 1813

Configures a server in the selected server group.

Step 5 

aaa accounting network accounting-list-name start-stop broadcast group group-name group group-name

Example:

Router(config)# aaa accounting network ssg_broadcast_accounting start-stop broadcast group BILLING group HOTSTANDBY

Configures a broadcast accounting network list.

The accounting-list-name argument must be ssg_broadcast_accounting.

Configuring SSG Prepaid Features

This section contains the following tasks:

Configuring SSG Prepaid Features on the Router

Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature

Redirecting TCP Traffic for SSG Prepaid Quota Refill

Verifying Configuration of the SSG Prepaid Feature

Configuring SSG Prepaid Features on the Router

Perform this task to configure SSG prepaid features on the router.

Prerequisites for SSG Prepaid Features

SSG accounting must be enabled in order for the SSG Prepaid features to be used. SSG accounting is enabled by default. If it has been disabled, enable it by using the ssg accounting command in global configuration mode.

Restrictions for SSG Prepaid Features

Quotas are measured in seconds for time or bytes for volume. There is no way to change the unit of measure.

The volume quota is for combined upstream and downstream traffic.

Returning quota when the connection is idle is supported only for volume-based connections. It is not supported for time-based connections.

SUMMARY STEPS

1. radius-server attribute 44 include-in-access-req

2. radius-server attribute 55 include-in-acct-req

3. ssg aaa group prepaid server-group

4. ssg prepaid threshold [time seconds]

5. ssg prepaid threshold [volume bytes]

6. ssg prepaid threshold default-quota [number-of-times