Cisco IOS Software Releases 12.3 T

Configuring SSG for Subnet-Based Authentication

Configuring SSG Support for Subnet-Based Authentication


The SSG Support for Subnet-Based Authentication feature allows a service provider to identify subscribers to services by their subnet, rather than by a subscriber's IP address. This module describes how the Cisco Service Selection Gateway (SSG) recognizes and manages subnet-based subscribers.

History for the Configuring SSG Support for Subnet-Based Authentication Feature

Release
Modification

12.3(14)T

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for SSG Support for Subnet-Based Authentication

Restrictions for SSG Support for Subnet-Based Authentication

Information About SSG Support for Subnet-Based Authentication

How to Configure SSG Support for Subnet-Based Authentication

Additional References

Command Reference

Prerequisites for SSG Support for Subnet-Based Authentication

SSG must be enabled before subnet-based authentication for SSG can be configured.

Restrictions for SSG Support for Subnet-Based Authentication

If the Port-Bundle Host Key (PBHK) feature is used with subscribers, the port bundle allocated to a subscriber will be shared for all IP addresses within the IP subnet.

RADIUS proxy deployments do not support subnet-based subscribers.

Subnet-based authentication is not supported for users with PPP-based access.

Once a subscriber is identified as a subnet-based subscriber, all other individual subscribers on the same subnet will be tracked as part of the same subnet subscriber.

Services that require Network Address Translation (NAT) are not supported.

Information About SSG Support for Subnet-Based Authentication

To configure the SSG Support for Subnet-Based Authentication feature, you should understand the following concepts:

Identifying Subnet-Based Subscribers

Benefits of SSG Support for Subnet-Based Authentication

Identifying Subnet-Based Subscribers

Subnet-based subscribers are identified whenever SSG receives a subnet mask along with an IP address from the authentication, authorization, and accounting (AAA) server. The IP address is carried in the RADIUS Framed-IP-Address attribute (attribute 8, abbreviated FIP in this document), and the subnet mask in the RADIUS Framed-IP-Netmask attribute (attribute 9, abbreviated FIN). A user profile that returns only Framed-IP-Address produces an ordinary per-host subscriber; a profile that also returns Framed-IP-Netmask produces a subnet-based subscriber that covers every address in that subnet (see the Restrictions section).

Benefits of SSG Support for Subnet-Based Authentication

Subnet-based authentication of subscribers gives service providers the option to provide services to their enterprise customers on the basis of an IP subnet rather than an individual IP address. This capability eliminates the need for each subscriber on the subnet to self-identify and log in. Applications of subnet-based authentication include business Internet services, video streaming, and pay-per-use Internet access for small office/home office (SOHO) customers.

How to Configure SSG Support for Subnet-Based Authentication

No configuration is required to identify subnet-based subscribers. Whenever SSG receives a subscriber's IP address and subnet mask from the AAA (RADIUS) server, SSG will treat that subscriber as a subnet-based subscriber.
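Because the whole feature hinges on what the AAA server returns, the following added example (written for this edit; it is not code from the Cisco documentation or from Cisco IOS) builds a RADIUS Access-Accept carrying Framed-IP-Address (attribute 8) and Framed-IP-Netmask (attribute 9), then decodes it the way a NAS would: the Response Authenticator is checked against the shared secret before any attribute is trusted, and the subscriber is then classified by the rule stated above (mask present means subnet-based). The check matters more here than for a per-host logon, since a netmask in an accepted reply grants service to an entire subnet. The packet layout and authenticator formula are those of RFC 2865; the identifier, request authenticator and shared secret are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1
FRAMED_IP_ADDRESS = 8   # "FIP" in the text above
FRAMED_IP_NETMASK = 9   # "FIN" in the text above
# RFC 2865 reserves these two Framed-IP-Address values ("user selects" and
# "NAS selects"); neither names a host, so neither can identify a subscriber.
RESERVED_FRAMED_IPS = {b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"}


def encode_avp(attr_type, value):
    """One RFC 2865 attribute: Type(1) Length(1) Value; Length includes the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, avps):
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(avps))
    response_authenticator = hashlib.md5(header + request_authenticator + avps + secret).digest()
    return header + response_authenticator + avps


def parse_avps(payload):
    """Walk the attribute list strictly: a bad length is an error, not a guess."""
    avps = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated AVP header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 3 or i + length > len(payload):
            raise ValueError("bad AVP length")
        avps.setdefault(attr_type, []).append(payload[i + 2:i + length])
        i += length
    return avps


def classify_subscriber(packet, request_authenticator, secret):
    """How SSG would identify the subscriber named by this reply: 'subnet', 'host', or neither."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = packet[20:]
    # Verify the Response Authenticator before reading anything else: a reply that
    # was forged or altered in transit must not be able to grant a whole subnet.
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return {"kind": "not-accepted", "code": code}
    avps = parse_avps(attrs)
    user = avps.get(USER_NAME, [b""])[0].decode("utf-8", "replace")
    fip = avps.get(FRAMED_IP_ADDRESS, [None])[0]
    fin = avps.get(FRAMED_IP_NETMASK, [None])[0]
    if fip is None or len(fip) != 4 or fip in RESERVED_FRAMED_IPS:
        return {"kind": "no-framed-ip", "user": user}
    host = ipaddress.IPv4Address(fip)
    if fin is None:
        return {"kind": "host", "user": user, "host": str(host)}
    if len(fin) != 4:
        raise ValueError("Framed-IP-Netmask must be 4 bytes")
    # strict=False tolerates host bits in the address, as in the sample output
    # "Owner Host: 10.0.1.1 (Mask : 255.255.255.0)" later on this page.
    network = ipaddress.IPv4Network(f"{host}/{ipaddress.IPv4Address(fin)}", strict=False)
    return {"kind": "subnet", "user": user, "host": str(host),
            "network": str(network), "addresses": network.num_addresses}


if __name__ == "__main__":
    # Constructed values: in practice the request authenticator is the one SSG sent
    # in its Access-Request and the secret is the NAS/server shared secret.
    request_auth = bytes(range(16))
    secret = b"example-shared-secret"
    reply = build_access_accept(
        7, request_auth, secret,
        encode_avp(USER_NAME, b"user1")
        + encode_avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.0").packed)
        + encode_avp(FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed))
    print(classify_subscriber(reply, request_auth, secret))
```

The classification mirrors the restriction listed earlier: once the reply for 10.0.0.0 carries a /24 mask, the one logon stands for all 256 addresses, so the same profile returned without attribute 9 yields a per-host subscriber instead.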

This section contains the following task:

Verifying SSG Support for Subnet-Based Authentication (optional)

Verifying SSG Support for Subnet-Based Authentication

This optional task explains how to verify subnet-based authentication for SSG. The commands contained in the task steps can be used in any sequence and may need to be repeated.

SUMMARY STEPS

1. enable

2. show ssg connection {ip-address | network-id subnet-mask} service-name [interface]

3. show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]

DETAILED STEPS


Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable


Step 2 show ssg connection {ip-address | network-id subnet-mask} service-name [interface]

Displays the connections of a given SSG host and service name. To display the connections of the specified subnet-based subscribed host, enter the network ID and IP subnet mask.

Router# show ssg connection 10.0.1.1 255.255.255.0 passthru

------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1 (Mask : 255.255.255.0)
Associated Service: passthru1
Calling station id: 00d0.792f.8054
Connection State: 0 (UP)
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2004
User last activity at: *17:44:59.000 GMT Sun Jul 6 2004
Connection Traffic Statistics:
        Input Bytes = 0, Input packets = 0
        Output Bytes = 0, Output packets = 0

Step 3 show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]

Displays information about a subscriber and the subscriber's current connections. To display information about the specified subnet-based subscribed host, enter the IP subnet mask.

Router# show ssg host 10.0.0.0 255.255.255.0

------------------------ HostObject Content -----------------------
Activated: TRUE
Interface: 
User Name: user1
Host IP : 10.0.0.0
Mask : 255.255.255.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *05:59:46.000 UTC Fri May 3 2004
User last activity at: *05:59:52.000 UTC Fri May 3 2004
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: NONE
AutoService: NONE
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1
Subscribed Service Groups: NONE
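When verifying a deployment it is useful to turn the two dumps shown in Steps 2 and 3 into something that can be checked mechanically, so the following added example (written for this edit, not taken from the Cisco documentation) parses the show ssg host and show ssg connection output formats shown above and reports every subnet-based object together with the network a single logon covers. The sample text is abridged from the outputs on this page and embedded inline so the script runs offline; the field names it looks for are exactly those printed in the dumps.

```python
import ipaddress
import re

# Header line of each object dump, e.g. "---- HostObject Content ----".
BLOCK_HEADER = re.compile(r"^-+\s*(HostObject|ConnectionObject) Content\s*-+$")
# "Key: value" and "Key : value" lines; the traffic counters use '=' and are skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# show ssg connection prints the mask inline: "Owner Host: 10.0.1.1 (Mask : 255.255.255.0)".
OWNER_WITH_MASK = re.compile(r"^(\S+)\s*\(Mask\s*:\s*(\S+)\)$")


def parse_ssg_show_output(text):
    """Split show ssg host / show ssg connection output into one dict per object."""
    objects, current = [], None
    for line in text.splitlines():
        header = BLOCK_HEADER.match(line.strip())
        if header:
            current = {"object": header.group(1)}
            objects.append(current)
            continue
        field = FIELD.match(line) if current is not None else None
        if not field:
            continue
        key, value = field.group(1).strip(), field.group(2).strip()
        if key == "Interface" and "VRF Name:" in value:   # "Interface: Ethernet1/0   VRF Name: BLUE"
            value, vrf = (part.strip() for part in value.split("VRF Name:", 1))
            current["VRF Name"] = vrf
        current[key] = value
    return objects


def host_and_mask(obj):
    """Address the object is keyed on and its mask, or None when it is a single host."""
    if "Host IP" in obj:                                  # subnet form of show ssg host
        return obj["Host IP"], obj.get("Mask")
    inline = OWNER_WITH_MASK.match(obj.get("Owner Host", ""))
    if inline:                                            # show ssg connection form
        return inline.group(1), inline.group(2)
    return obj.get("Owner Host"), None


def audit_subnet_subscribers(text):
    """List every subnet-based object with the scope a single logon actually covers."""
    findings = []
    for obj in parse_ssg_show_output(text):
        host, mask = host_and_mask(obj)
        if not host or not mask:
            continue
        network = ipaddress.IPv4Network(f"{host}/{mask}", strict=False)
        services = [s.strip() for s in obj.get("Subscribed Services", "").split(";")]
        findings.append({
            "object": obj["object"],
            "user": obj.get("User Name", ""),
            "network": str(network),
            "addresses": network.num_addresses,
            # Host bits set means the dump shows an address inside the subnet
            # rather than the network ID; SSG still tracks the whole subnet.
            "host_bits_set": ipaddress.IPv4Address(host) != network.network_address,
            "services": [s for s in services if s and s != "NONE"],
        })
    return findings


# Constructed sample: abridged from the show ssg host / show ssg connection output above.
SAMPLE_OUTPUT = """\
Router# show ssg host 10.0.0.0 255.255.255.0

------------------------ HostObject Content -----------------------
Activated: TRUE
Interface: 
User Name: user1
Host IP : 10.0.0.0
Mask : 255.255.255.0
Host Idle Timeout: 60000 seconds
Active Services: NONE
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1
Subscribed Service Groups: NONE

Router# show ssg connection 10.0.1.1 255.255.255.0 passthru

------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1 (Mask : 255.255.255.0)
Associated Service: passthru1
Connection State: 0 (UP)
Connection Traffic Statistics:
        Input Bytes = 0, Input packets = 0

Router# show ssg host 10.0.0.2

------------------------ HostObject Content ----------------------
Activated: TRUE
Interface: Ethernet1/0   VRF Name: BLUE 
User Name: prep-user1
Owner Host: 10.0.0.2
"""

if __name__ == "__main__":
    for finding in audit_subnet_subscribers(SAMPLE_OUTPUT):
        print(finding)
```

Feed it the real output of the two commands (pasted from a terminal session) and the per-host object for 10.0.0.2 is skipped, while the two subnet-based objects are reported with their /24 scope, which is the number to compare against what the customer was actually sold.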


Additional References

The following sections provide references related to the SSG Support for Subnet-Based Authentication feature.

Related Documents

Related Topic
Document Title

SSG commands

Cisco IOS Service Selection Gateway Command Reference, Release 12.3T

SESM

Cisco Subscriber Edge Services Manager documentation

RADIUS commands

Cisco IOS Security Command Reference, Release 12.3T

RADIUS configuration tasks

"Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.2


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents modified commands only.

show ssg connection

show ssg host

show ssg connection

To display the connections of a given Service Selection Gateway (SSG) host and a service name, use the show ssg connection command in privileged EXEC mode.

show ssg connection {ip-address | network-id subnet-mask} service-name [interface]

Syntax Description

ip-address

The IP address of an active SSG connection. This is always a subscribed host.

network-id

The IP network ID of an active SSG connection. This is always a subscribed host.

subnet-mask

The IP subnet mask of the subnet-based subscribed host.

service-name

Name of an active SSG connection.

interface

(Optional) Downlink interface through which the host is connected. It is accepted only when the SSG Port-Bundle Host Key feature is enabled and is needed only to distinguish hosts whose IP addresses overlap.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(3)DC

This command was introduced on the Cisco 6400 node route processor.

12.2(2)B

The interface argument was added for the SSG Host Key feature.

12.2(4)B

This command was modified to display information about SSG prepaid billing.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(13)T

The modifications from Release 12.2(4)B were integrated into Cisco IOS Release 12.2(13)T.

12.3(1a)BW

This command was modified to display the MSISDN (Calling Station ID) used for service logon.

12.3(3)B

The modifications from Release 12.3(1a)BW were integrated into Cisco IOS Release 12.3(3)B.

12.3(7)T

The modifications from Release 12.3(1a)BW were integrated into Cisco IOS Release 12.3(7)T.

12.3(14)T

The network-id and subnet-mask arguments were added.


Examples

Prepaid Service Based on Volume: Example

The following example displays the SSG connection for a prepaid service that uses a volume-based quota:

Router# show ssg connection 10.10.1.1 InstMsg 

------------------------ConnectionObject Content ----------------------- 

User Name:
Owner Host:10.10.1.1 
Associated Service:InstMsg 
Connection State:0 (UP) 
Connection Started since:*00:25:58.000 UTC Tue Oct 23 2001 
User last activity at:*00:25:59.000 UTC Tue Oct 23 2001
Connection Traffic Statistics:
          Input Bytes = 0, Input packets = 0 
          Output Bytes = 0, Output packets = 0 
          Quota Type = 'VOLUME', Quota Value = 100 
Session policing disabled 

Prepaid Service Based on Time: Example

The following example displays the SSG connection for a prepaid service that uses a time-based quota:

Router# show ssg connection 10.10.1.2 Prepaid-internet 

------------------------ConnectionObject Content ----------------------- 
User Name:Host 
Owner Host:10.10.1.2 
Associated Service:Prepaid-internet 
Connection State:0 (UP) 
Connection Started since:*00:34:06.000 UTC Tue Oct 23 2001 
User last activity at:*00:34:07.000 UTC Tue Oct 23 2001
Connection Traffic Statistics:
            Input Bytes = 0, Input packets = 0 
            Output Bytes = 0, Output packets = 0 
            Quota Type = 'TIME', Quota Value = 100 
Session policing disabled 

Autologin Service: Example

The following example shows the service connection for the autologon service to host 10.3.6.1:

Router# show ssg connection 10.3.6.1 autologin

------------------------ ConnectionObject Content -----------------------
User Name:autologin
Owner Host:10.3.6.1
Associated Service:autologin
Connection State:0 (UP)
Connection Started since:
*20:41:26.000 UTC Fri Jul 27 2001
User last activity at:*20:41:26.000 UTC Fri Jul 27 2001
Connection Traffic Statistics:
        Input Bytes = 0 (HI = 0), Input packets = 0
        Output Bytes = 0 (HI = 0), Output packets = 0

MSISDN: Example

The following sample output for the show ssg connection command shows the MSISDN that is used for service logon:

Router# show ssg connection 10.0.1.1 proxy2

------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1
Associated Service: proxy2
Calling station id: 12345
Connection State: 0 (UP)
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2003
User last activity at: *17:44:59.000 GMT Sun Jul 6 2003
Connection Traffic Statistics:
        Input Bytes = 0, Input packets = 0
        Output Bytes = 0, Output packets = 0
Session policing disabled

Subnet-Based Subscriber: Example

The following sample output for the show ssg connection command shows the subnet mask of the subscribed host:

Router# show ssg connection 10.0.1.1 255.255.255.0 passthru

------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1 (Mask : 255.255.255.0)
Associated Service: passthru1
Calling station id: 00d0.792f.8054
Connection State: 0 (UP)
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2004
User last activity at: *17:44:59.000 GMT Sun Jul 6 2004
Connection Traffic Statistics:
        Input Bytes = 0, Input packets = 0
        Output Bytes = 0, Output packets = 0


Table 1 describes the significant fields shown in the displays.

Table 1 show ssg connection Field Descriptions 

Field
Description

User Name

Subscriber name supplied at authentication.

Owner Host

IP address of the subscribed host and, for a subnet-based subscriber, its subnet mask (shown in parentheses).

Associated Service

Service name of the connected service.

Calling station id

MSISDN used for service logon.

Connection State

State of activation (active or inactive).

Connection Started since

Time of host connection to the associated service.

User last activity at

Time of last data packet sent over this connection.

Input Bytes

Number of bytes received on this connection.

Input packets

Number of packets received on this connection.

Output Bytes

Number of bytes sent on this connection.

Output packets

Number of packets sent on this connection.

Quota Type

Form in which the quota value is expressed (time or volume).

Quota Value

Value of the quota (in bytes for volume or seconds for time).


Related Commands

Command
Description

clear ssg connection

Removes the connections of a given host and a service name.


show ssg host

To display information about a Service Selection Gateway (SSG) subscriber and the current connections of the subscriber, use the show ssg host command in privileged EXEC mode. The command syntax of the show ssg host command depends on whether the SSG Port-Bundle Host Key feature is enabled.

When SSG Port-Bundle Host Key Is Not Enabled

show ssg host [ip-address [subnet-mask] | count | username]

When SSG Port-Bundle Host Key Is Enabled

show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]

Syntax Description

ip-address

(Optional) Host IP address.

count

(Optional) Displays host object count, including inactive hosts.

username

(Optional) Displays all host usernames and IP addresses.

interface

(Optional) Downlink interface through which the host or subscriber is connected, such as ATM, Fast Ethernet, or Virtual-Access. For more information, use the question mark (?) online help function.

subnet-mask

(Optional) The IP subnet mask of the subnet-based subscribed host.


Defaults

If no argument is provided, all active hosts are listed, one line per host.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(3)DC

This command was introduced on the Cisco 6400 Node Route Processor (NRP).

12.2(2)B

The interface argument was added.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.

12.2(15)B

This command was modified as follows:

Introduced syntax dependence on SSG host key.

Introduced count keyword.

Added fields to the output to display additional information about the status of hosts.

12.2(15)T

The modifications made in Cisco IOS Release 12.2(15)B were integrated into Cisco IOS Release 12.2(15)T.

12.3(11)T

The output was enhanced to show information about the VPN routing/forwarding instance (VRF) that is associated with a host.

12.3(14)T

The subnet-mask argument was added.


Usage Guidelines

You can specify the Service Selection Gateway (SSG) downlink interface only when the SSG Port-Bundle Host Key feature is enabled. To enable the host key, enter the ssg port-map command in global configuration mode. To disable the host key, enter the no ssg port-map command.

Examples

Display All Active Hosts: Example

The following example shows all active hosts:

Router# show ssg host 

1:10.3.1.1         [Host-Key 70.13.60.3:64]
2:10.3.6.1         [Host-Key 70.13.60.3:65] 

### Active HostObject Count:2

Simple IP Host: Example

The following example shows information about a simple IP host with an IP address of 10.0.0.0:

Router# show ssg host 10.0.0.0

------------------------ HostObject Content -----------------------
Activated: TRUE
Interface: 
User Name: user1
Owner Host: 10.0.0.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Proxy logon from client IP: 10.0.48.3
    Device: PDSN (Simple IP)
    NASIP : 10.0.48.3
    SessID: 12345678
    APN   : 
    MSID  : 5551000
    Timer : None
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *05:59:46.000 UTC Fri May 3 2002
User last activity at: *05:59:52.000 UTC Fri May 3 2002
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: internet-blue; 
AutoService: internet-blue; 
Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking; 
vidconf; 
Subscribed Service Groups: NONE

Mobile IP Host: Example

The following example shows information about a mobile IP host with an IP address of 10.0.0.0:

Router# show ssg host 10.0.0.0

------------------------ HostObject Content -----------------------
Activated: TRUE
Interface: 
User Name: user1
Owner Host: 10.0.0.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Proxy logon from client IP: 10.0.48.4
    Device: HA
    NASIP : 10.0.48.4
    SessID: 44444445
    APN   : 
    MSID  : 5551001
    Timer : None
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *06:01:02.000 UTC Fri May 3 2002
User last activity at: *06:01:09.000 UTC Fri May 3 2002
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: internet-blue; 
AutoService: internet-blue; 
Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking; 
vidconf; 
Subscribed Service Groups: NONE

Two Hosts with the Same IP Address: Examples

The following example shows two host objects with the same IP address:

Router# show ssg host 10.3.1.1 

SSG:Overlapping hosts for IP 10.3.1.1 at interfaces:FastEthernet0/0/0
Virtual-Access1

In this case, use the interface argument to uniquely identify the host:

Router# show ssg host 10.3.1.1 FastEthernet0/0/0 
.
.
.

Note: The output produced by this command is the same as that produced by the command without the interface argument. The interface argument is needed only to uniquely identify a host when host IP addresses overlap.


The following example shows the usernames logged in to the active hosts:

Router# show ssg host username 

   1:10.3.1.1        (active) Host name:pppoauser
   2:10.3.6.1        (active) Host name:ssguser2

### Total HostObject Count(including inactive hosts):2

Host Associated with a VRF: Example

The following sample output for the show ssg host command shows a VRF called "BLUE" associated with a host that has the IP address 10.0.0.2:

Router# show ssg host 10.0.0.2

------------------------ HostObject Content ----------------------
Activated: TRUE
Interface: Ethernet1/0   VRF Name: BLUE 
User Name: prep-user1
Owner Host: 10.0.0.2

Subnet-Based Subscriber: Example

The following example shows information about a subnet-based subscriber with an IP address of 10.0.0.0 and a subnet mask of 255.255.255.0:

Router# show ssg host 10.0.0.0 255.255.255.0

------------------------ HostObject Content -----------------------
Activated: TRUE
Interface: 
User Name: user1
Host IP : 10.0.0.0
Mask : 255.255.255.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *05:59:46.000 UTC Fri May 3 2004
User last activity at: *05:59:52.000 UTC Fri May 3 2004
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: NONE
AutoService: NONE
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1
Subscribed Service Groups: NONE

Table 2 describes the significant fields shown in the displays.

Table 2 show ssg host Field Descriptions 

Field
Description

Activated:

State of host object. Can be activated or inactivated.

Activated—IP address has been assigned to the host, and the host object was created successfully

Inactivated—A host is inactivated in the following situations:

When SSG, acting as a RADIUS proxy, is waiting for the IP address of the host, the host object is created, but the state is inactive.

If a host that is using PPP logs off from SSG, but the virtual-access interface of that PPP host is still up, SSG moves the host object to the inactivated state.

Interface:

The interface on the SSG device from which the SSG host is routable.

User Name:

Username that is used to authenticate the host at the authentication, authorization, and accounting (AAA) server.

VRF Name:

VRF associated with the interface for the host.

Owner Host: / Host IP: and Mask:

IP address assigned to the host object. A subnet-based subscriber is shown as Host IP and Mask in show ssg host output, or as Owner Host with the mask in parentheses in show ssg connection output.

Msg IP:

IP address of the messaging server. SSG notifies the messaging server of events such as the logging off of a host, an idle-timeout expiration, and a session-timeout expiration. The default messaging server is Subscriber Edge Services Manager (SESM).

Host DNS IP:

IP address of the Domain Name System (DNS) server of the host. This server will be used only if DNS queries cannot be forwarded to a DNS server for the services that are subscribed to by the host.

Device:

Type of device. Device types can be a home agent (HA), Packet Data Serving Node (PDSN), or Generic (for non-CDMA2000 devices).

SessID:

A numeric string derived from the attribute specified as the Session-Identifier.

Timer:

Timer type can be None, Wait for IP, Hand-off, or Wait for MSID.

Maximum Session Timeout:

Session timeout value (RADIUS attribute 27) defined in the user profile. The session timeout value is the amount of time for which the user will stay active after logging on. After this timer expires, the host object is deleted.

Host Idle Timeout:

Maximum amount of time that a host can stay idle (not forwarding any traffic) before the host is deleted from SSG.

Class Attr:

Class attribute (RADIUS attribute 25) defined in the user profile. The class attribute is sent in all host accounting records. This attribute is used by some accounting servers.

User logged on since:

Time at which the user logged on to SSG.

User last activity at:

Last time the user forwarded traffic via SSG.

Default Service:

This field is not currently supported.

DNS Default Service:

This field is not currently supported.

Active Services:

List of services to which the host has logged on.

AutoService:

List of services to which the host logged on at the time of SSG host logon. These services are defined in the user profile, and the user can access these services after logging on to SSG.

Subscribed Services:

List of services to which the host is able to log on.


Related Commands

Command
Description

clear ssg host

Removes a host object or a range of host objects.

ssg port-map

Enables the SSG port-bundle host key.


Copyright © 2005 Cisco Systems, Inc. All rights reserved.