Table Of Contents
redirect captivate advertising default group
redirect captivate initial default group
redirect unauthenticated-user to
redirect unauthorized-service service to
redirect unauthorized-service to
show ssg auto-domain exclude-profile
show ssg dial-out exclude-list
show ssg multidomain ppp exclude-list
show ssg prepaid default-quota
show ssg user transparent authorizing
show ssg user transparent passthrough
show ssg user transparent suspect
show ssg user transparent unidentified
redirect access-list
To associate an access control list with a Service Selection Gateway (SSG) TCP redirect server group, use the redirect access-list command in SSG-redirect mode. To remove the association, use the no form of this command.
redirect access-list {number | name} [to groupname]
no redirect access-list {number | name} [to groupname]
Syntax Description
Defaults
An access control list is not associated with an SSG TCP redirect server group.
Command Modes
SSG-redirect
Command History
Usage Guidelines
Use this command to associate an access control list with a TCP redirect server group. By associating an access control list with a redirect group, you can limit the kind of traffic that is redirected on the basis of the source or destination IP address and TCP ports. It can also be used to redirect different sets of users to different dashboards for unauthenticated users and unauthorized service redirection.
If a port list and an access control list are both associated with a server group, the TCP packet must match the access control list and port list. Only one access control list can be associated with a server group. Either an access control list or a port or port list should be configured with server groups for unauthorized service redirection and captivation.
If a server group is not specified, the access control list is used for redirection to any server group that does not have an access control list associated with it.
The access control list can be a simple or extended access control list. It can also be a named or numbered access control list.
Examples
The following example redirects access control list 101 to server group "InitialCapt":
redirect access-list 101 to InitialCaptThe following example redirects access control list 50 to server group "SESM1":
redirect access-list 50 to SESM1Related Commands
redirect captivate advertising default group
To configure the default captive portal group, duration, and frequency for advertising captivation, use the redirect captivate advertising default group command in SSG-redirect configuration mode. To deselect a captive portal group as the default for advertising captivation, use the no form of this command.
redirect captivate advertising default group group-name duration seconds frequency frequency
no redirect captivate advertising default group group-name duration seconds frequency frequency
Syntax Description
Defaults
No default behavior or values
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to select the default captive portal group for advertising captivation of users upon Account Logon. Use the seconds argument to configure the duration, in seconds, of the advertising captivation. Any packets arriving from the user and marked for one of the TCP ports configured in the captive portal group group-name are redirected to one of the captive portals defined in that captive portal group for the duration configured by the seconds argument.
Use the frequency argument to configure how often Service Selection Gateway (SSG) attempts to forward packets from the user to the captive portal.
The parameters set by this command can be overridden by the RADIUS attributes set for a user.
Examples
The following example shows how to configure the captive portal group named "CaptivateServer" to forward packets from a user for 30 seconds at intervals of 3600 seconds:
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600Related Commands
redirect captivate initial default group
To select a default captive portal group and duration of the initial captivation of users on Account Logon, use the redirect captivate initial default group command in SSG-redirect configuration mode. To deselect a captive portal group as the default for initial captivation, use the no form of this command.
redirect captivate initial default group group-name duration seconds
no redirect captivate initial default group group-name duration seconds
Syntax Description
group-name
Name of the captive portal group.
duration seconds
Duration in seconds of the initial captivation. The valid range is from 1 to 65536 seconds.
Defaults
No default behavior or values
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to select the default captive portal group for initial captivation of users on Account Logon. Use the seconds argument to configure the duration, in seconds, of the initial captivation. Any packets arriving from the user and marked for one of the TCP ports configured in the captive portal group group-name are redirected to one of the captive portals defined in that captive portal group for the duration configured by the seconds argument.
The parameters set by this command can be overridden by the RADIUS attributes set for a user.
Examples
The following example shows that the captive portal group named "CaptivateServer" will be used to forward packets from a user for the first 10 seconds that the user is connected:
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600Related Commands
redirect permanent http to
To configure SSG with permanent TCP redirection for HTTP proxy server support, use the redirect permanent http to command in SSG-redirect configuration mode. To disable permanent TCP redirection, use the no form of this command.
redirect permanent http {authenticated | unauthenticated} to server-group
no redirect permanent http {authenticated | unauthenticated} to server-group
Syntax Description
Defaults
Permanent TCP redirection is not configured.
Command Modes
SSG-redirect configuration
Command History
12.3(3)B
This command was introduced.
12.3(7)T
This command was integrated into Cisco IOS Release 12.3(7)T.
Usage Guidelines
Permanent TCP redirection enables SSG to support users whose web browsers are configured with HTTP proxy servers.
Examples
The following example shows how to configure SSG to support permanent TCP redirection for authenticated and unauthenticated HTTP proxy users:
ssg tcp-redirectserver-group unauthen-groupserver 10.76.86.90 80!server-group auth_web_groupserver 9.2.36.253 80!server-group unauth_web_groupserver 9.2.76.12 80!redirect unauthenticated-user to unauthen-group!redirect permanent http unauthenticated to unauth_web_group!redirect permanent http authenticated to auth_web_groupRelated Commands
redirect prepaid-user to
To configure a captive portal group for redirection of prepaid user traffic, use the redirect prepaid-user to command in SSG-redirect configuration mode. To configure SSG not to redirect prepaid users to the specified captive portal group, use the no form of this command.
redirect prepaid-user to group-name
no redirect prepaid-user to group-name
Syntax Description
Defaults
If no redirect group is configured, prepaid traffic is dropped.
Command Modes
SSG-redirect
Command History
12.2(15)B
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
Use this command to configure and name a captive portal group to which prepaid user traffic is redirected. When a user that is logged on to a prepaid service runs out of quota on the billing server, the user is redirected to the configured captive portal group if the service is not configured with any specific redirect server group. Once redirected to the captive portal group, the user can refill the quota on the billing server without being disconnected from the original prepaid service.
The captive portal group is the default group for all services that are not configured with a redirect group.
Examples
The following example shows how to configure a captive portal group called "DefaultRedirectGroup", add two servers to "DefaultRedirectGroup", and redirect prepaid users to the newly created captive portal:
ssg enablessg tcp-redirectserver-group DefaultRedirectGroupserver 10.0.0.1 8080server 10.0.0.20 80endredirect prepaid-user to DefaultRedirectGroupRelated Commands
redirect smtp group
To select a captive portal group for redirection of Simple Mail Transfer Protocol (SMTP) traffic, use the redirect smtp group command in SSG-redirect configuration mode. To stop redirecting SMTP traffic to a captive portal group, use the no form of this command.
redirect smtp group group-name [all | user]
no redirect smtp group group-name [all | user]
Syntax Description
group-name
Name of the captive portal group.
all
(Optional) Any SMTP packets are forwarded.
user
(Optional) SMTP packets from users that have SMTP forwarding permission are forwarded.
Defaults
all
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to select a captive portal group for redirection of SMTP traffic. If you select the all keyword, all SMTP packets (TCP port 25) from authorized users are redirected to one of the servers in the captive portal group specified by the group-name argument. If you select the user keyword, only SMTP packets from authorized users that have SMTP forwarding permission set through a RADIUS attribute are redirected. If you do not select a keyword, the default is the all keyword.
Examples
The following example shows how to configure all SMTP packets from authorized users to be redirected to the captive portal group named "SMTPServer":
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600The following example shows how to configure SMTP packets from any authorized user with the SMTP forwarding permission set through a RADIUS attribute to be redirected to the captive portal group named "SMTPServer":
redirect smtp group SMTPServer userRelated Commands
redirect to
To configure a TCP port or named TCP port list for Service Selection Gateway (SSG) TCP Redirect for Services, use the redirect to command in SSG-redirect configuration mode. To disable SSG TCP Redirect for Services on a TCP port or named TCP port list, use the no form of this command.
redirect {port-list port-listname | port port-number} to group-name
no redirect {port-list port-listname | port port-number} to group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to mark a TCP port or a named TCP port list for SSG TCP Redirect for Services. Define a named TCP port list using the port-list command and add TCP ports to the named TCP port list using the port (ssg-redirect) command. Packets arriving from an authorized user, or from an authorized user attempting to access an unauthorized service at a marked TCP port or named TCP port list can be redirected to a captive portal group that presents the user with an appropriate response, such as a logon screen.
Note
You can associate only one port or port list with a portal group.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a TCP port or named TCP port list for SSG TCP redirection.
Note
Examples
The following example marks TCP port 8080 for SSG TCP redirection. Packets with a destination port of 8080 are redirected to the captive portal group named "RedirectServer":
server-group RedirectServerserver 10.2.36.253 8080!redirect port 8080 to RedirectServerredirect unauthorized-service destination network-list RedirectNw to RedirectServerThe following example marks the named TCP port "WebPorts" for SSG TCP redirection. Packets with a destination port that is one of the ports in the port list "WebPorts" are redirected to the captive portal group named "RedirectServer":
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to RedirectServer!Related Commands
redirect unauthenticated-user to
To redirect TCP traffic from unauthenticated users to a specified captive portal group, use the redirect unauthenticated-user to command in Service Selection Gateway SSG-redirect configuration mode. To stop redirecting traffic from unauthenticated users to the specified captive portal group, use the no form of this command.
redirect unauthenticated-user to group-name
no redirect unauthenticated-user to group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to redirect traffic from unauthenticated users to a specified captive portal group.
Note
Examples
The following example sets redirection of traffic from unauthenticated users to the captive portal group named "RedirectServer":
server-group SSDserver 10.0.0.253 8080!redirect port-list WebPorts to SSD!redirect unauthenticated-user to RedirectServerredirect unauthorized-service to SSDredirect smtp group SMTPServer allredirect captivate initial default group CaptivateServer duration 10redirect captivate advertising default group CaptivateServer duration 30 frequency 3600Related Commands
redirect unauthorized-service service to
To redirect traffic that is destined for an unauthorized service to a specified server group, use the redirect unauthorized-service service to command in SSG TCP-redirect configuration mode. To remove this redirection, use the no form of this command.
redirect unauthorized-service service service-name to server-group
no redirect unauthorized-service service service-name to server-group
Syntax Description
service-name
Name of the unauthorized service.
server-group
Name of the server group to which traffic will be forwarded.
Defaults
Users trying to access a service that they are unauthorized to accesss will not be redirected.
Command Modes
SSG TCP-redirect configuration
Command History
12.2(16)B
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
The redirect unauthorized-service service to command causes SSG to download the service profile from the authentication, authorization, and accounting (AAA) server and create mappings for the networks associated with the service. If traffic is received for the specified service while the service profile is being downloaded, the traffic either will be dropped or will be forwarded if Internet service is available to the user.
Examples
In the following example, users who are trying to access the service "test_service" but are unauthorized for that service will be forwarded to the server group "test_group":
ssg tcp-redirectServer-group test_groupServer 10.10.10.1 90!!Port-list test_portsPort 777!!redirect port-list test_ports to test_group!redirect unauthorized-service service test_service to test_group
redirect unauthorized-service to
To set a list of destination IP networks that can be redirected by a specified, named captive portal group, use the redirect unauthorized-service to command in SSG-redirect configuration mode. To remove the list of IP networks that can be redirected by a specified named captive portal group, use the no form of this command.
redirect unauthorized-service [destination network-list network-listname] to group-name
no redirect unauthorized-service [destination network-list network-listname] to group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to set a list of destination IP networks that can be redirected by the named captive portal group specified by the group-name argument. Incoming packets from authenticated hosts to networks that they are not authorized to access are checked against the destination IP network list to determine if they need redirection. If you do not specify a destination IP network by configuring the optional destination network-list keywords, the captive portal group specified in the group-name argument is used as the default group for unauthorized service redirection when the IP address of the unauthorized packet does not fall into any network list associated with any captive portal group.
You can associate only one destination IP network list with a captive portal group. You can associate a destination IP network list with multiple captive portal groups.
When you associate a destination IP network list with a captive portal group, packets arriving marked with a destination IP network that matches an IP network list may be redirected via SSG TCP redirection. The incoming destination TCP port also determines whether a packet is a candidate for SSG TCP redirection.
You can associate different server groups with overlapping IP network addresses. You must configure the captive portal group associated with a more specific network group first. For example, you must configure
redirect 10.1.0.0/255.255.0.0 to IPTVGroupbefore you can configure
redirect 10.0.0.0/255.0.0.0 to ISPGroupExamples
The following example shows how to set the captive portal group called "RedirectServer" as a possible candidate for redirection when the destination of a packet matches one of the networks in the destination IP network list named "RedirectNW":
server-group RedirectServerserver 10.2.36.253 8080!redirect port 80 to RedirectServerredirect unauthorized-service destination network-list RedirectNw to RedirectServerThe following example shows how to set the captive portal group called "DefaultRedirectServer" as a possible candidate for redirection when the destination of a packet does not match any of the networks defined in any destination IP network list:
redirect unauthorized-service to DefaultRedirectServerRelated Commands
remove vsa
To allow all Third Generation Partnership Project 2 (3GPP2) vendor-specific attributes (VSAs) or all Cisco VSAs from Access-Accept packets proxied from a authentication, authorization, and accounting (AAA) server to a RADIUS client to be removed, use the remove vsa command in SSG-radius-proxy-client mode. To enable all 3GPP2 VSAs or Cisco VSAs to be passed transparently, use the no form of this command.
remove vsa {3gpp2 | cisco}
no remove vsa {3gpp2 | cisco}
Syntax Description
Defaults
By default, Service Selection Gateway (SSG) removes all Cisco VSAs from Access-Accept packets proxied from the AAA server to the client device. All 3GPP2 VSAs are, by default, passed transparently.
Command Modes
SSG-radius-proxy-client
Command History
12.2(15)B
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Use this command to remove all 3GPP2 VSAs or Cisco VSAs from a RADIUS client.
By default, SSG removes all Cisco VSAs from Access-Accept packets proxied from the AAA server to the client device. This is because the client device is unlikely to understand the VSAs, and their presence may cause interoperation difficulties. The no remove vsa cisco command may be used to allow these attributes to be passed transparently.
You can use this command to remove all 3GPP2 VSAs in addition to Cisco VSAs by using the 3gpp2 keyword. 3GPP2 VSAs are not filtered by default, whereas Cisco VSAs are filtered by default. SSG VSAs (a subset of Cisco VSAs) are always removed, irrespective of any configuration.
Examples
The following example shows how to remove all 3GPP2 VSAs from an Accept-Accept packet proxied from the AAA server to the client device:
remove vsa 3gpp2The following example shows how to transparently pass all Cisco VSAs in an Accept-Accept packet proxied from the AAA server to the client device:
remove vsa ciscono remove vsa ciscoRelated Commands
client-address
Configures a RADIUS client to proxy requests from the specified IP address to a RADIUS server and enters SSG-radius-proxy-client mode.
select
To override the default Autodomain selection algorithm, use the select command in SSG-auto-domain mode. To reenable the default algorithm for selecting the Autodomain, use the no form of this command.
select {username | called-station-id}
no select {username | called-station-id}
Syntax Description
username
Configures the algorithm to use only the username to select the Autodomain.
called-station-id
Configures the algorithm to use only the Access Point Name (APN) Called-Station-ID.
Defaults
The algorithm attempts to find a valid Autodomain based on the APN Called-Station-ID and then by username.
Command Modes
SSG-auto-domain
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the select command to override the default algorithm for selecting the Autodomain. By default, the algorithm attempts to find a valid Autodomain based on APN Called-Station-ID and then by username. Using this command, you can configure the algorithm to use only the APN or only the username.
Note
Examples
The following example shows how to configure the algorithm to search for a valid Autodomain based only on the username:
ssg enablessg auto-domainmode extendedselect usernameexclude apn motorolaexclude domain ciscodownload exclude-profile abc password1nat user-addressThe following example shows how to configure the algorithm to search for a valid Autodomain based only on the APN:
select called-station-idRelated Commands
server (SSG)
To add a server to a captive portal group, use the server command in SSG-redirect-group configuration mode. To remove a server from a captive portal group, use the no form of this command.
server ip-address port
no server ip-address port
Syntax Description
ip-address
IP address of the server to be added to the captive portal group.
port
TCP port of the server to be added to the captive portal group.
Defaults
No default behavior or values
Command Modes
SSG-redirect-group configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the server command in SSG-redirect-group configuration mode to add a server, defined by its IP address and TCP port, to a captive portal group.
Service Selection Gateway (SSG) TCP Redirect for Services provides nonauthorized users access to controlled services within an SSG. Packets sent upstream from an unauthenticated user are forwarded to the captive portal that deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services into which they are not logged.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a captive portal group. Use the server-group command in SSG-redirect configuration mode to create and name a captive portal group before using the server command to add servers to the captive portal group.
Examples
The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a captive portal group named "RedirectServer":
ssg enablessg tcp-redirectserver-group RedirectServerserver 10.0.0.0 8080server 10.1.2.3 8081Related Commands
server-group
To define a group of one or more servers that make up a named captive portal group and enter SSG-redirect-group configuration mode, use the server-group command in SSG-redirect configuration mode. To remove a captive portal group and any servers configured within that portal group, use the no form of this command.
server-group group-name
no server-group group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
SSG-redirect configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to define and name a captive portal group. Service Selection Gateway (SSG) TCP Redirect for Services provides nonauthorized users access to controlled services within an SSG. Packets sent upstream from an unauthenticated user are forwarded to the captive portal that deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services into which they are not logged.
After defining a captive portal group with the server-group command, identify individual servers for inclusion in the captive portal group using the server ip-address port command in SSG-redirect-group configuration mode.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a captive portal group.
Note
Examples
The following example defines a captive portal group named "RedirectServer":
ssg enablessg tcp-redirectserver-group RedirectServerRelated Commands
server-port
To configure the ports on which Service Selection Gateway (SSG) listens for RADIUS-requests from configured RADIUS clients, use the server-port command in SSG-radius-proxy configuration mode. To stop SSG from listening for RADIUS requests from configured RADIUS clients on a port, use the no form of this command.
server-port [auth auth-port] [acct acct-port]
no server-port [auth auth-port] [acct acct-port]
Syntax Description
Defaults
Port 1645 is the default RADIUS authentication port.
Port 1646 is the default RADIUS accounting port.Command Modes
SSG-radius-proxy configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to configure the authentication and accounting ports for the SSG Autologon Using Proxy RADIUS feature. Ports configured with this command are global parameters that apply to all proxy clients in the SSG.
Examples
The following example shows how to configure port 23 as the RADIUS authentication port and port 45 as the RADIUS accounting port:
server-port auth 23 acct 45Related Commands
session-identifier
To override Service Selection Gateway (SSG) automatic RADIUS client session identification and to configure SSG to identify the specified client session by a specific type of ID attribute, use the session-identifier command in SSG-radius-proxy-client mode. To configure SSG to perform user identification only by the username without using a session identification, use the no form of this command.
session-identifier [auto | msid | correlation-id | acct-sess-id]
no session-identifier [auto | msid | correlation-id | acct-sess-id]
Syntax Description
Defaults
SSG selects the attribute used for session identification according to the type of client device.
Command Modes
SSG-radius-proxy-client
Command History
12.2(15)B
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
By default, SSG automatically selects the attribute to use for session identificationaccording to the type of RADIUS client device. This attribute is used in the SSG Proxy RADIUS logon table. SSG assigns the following vendor-specific attributes (VSAs) to identify client sessions:
•
•
•
Use the session-identifier command to override the automatic session identification. Use the auto keyword to return to automatic session identification.
Examples
The following example shows how to configure SSG to use the Correlation-ID to identify the specified client session:
session-identifier correlation-idThe following example shows how to configure the RADIUS client to proxy all requests from IP address 172.16.0.0 to the RADIUS server, to assign the shared secret "cisco" to the client, and to use the Accounting-Session-ID attribute to identify the specified client session:
client-address 172.16.0.0key ciscosession-identifier acct-session-idRelated Commands
sessions auto cleanup
To configure an aggregation device to attempt to recover PPP over Ethernet (PPPoE) sessions that failed after reload by notifying customer premises equipment (CPE) devices about the PPPoE session failures, use the sessions auto cleanup command in BBA group configuration mode. To disable PPPoE session recovery after reload, use the no form of this command.
sessions auto cleanup
no sessions auto cleanup
Syntax Description
This command has no arguments or keywords.
Defaults
PPPoE session recovery after reload is not enabled.
Command Modes
BBA group configuration
Command History
Usage Guidelines
If the PPP keepalive mechanism is disabled on a CPE device, the CPE device has no way to detect link or peer device failures over PPPoE connections. When an aggregation device that serves as the PPPoE session endpoint reloads, the CPE will assume that the link is up and will continue to send traffic to the aggregation device. The aggregation device will drop the traffic for the failed PPPoE session.
The sessions auto cleanup command enables an aggregation device to attempt to recover PPPoE sessions that existed before a reload. When the aggregation device detects a PPPoE packet for a "half-active" PPPoE session (a PPPoE session that is active on the CPE end only), the device notifies the CPE of the PPPoE session failure by sending a PPPoE active discovery terminate (PADT) packet. The CPE device is expected to respond to the PADT packet by taking failure recovery action.
The sessions auto cleanup command must be configured in a PPPoE profile. This command enables PPPoE session recovery after reload on all ingress ports that use the PPPoE profile.
Examples
In the following example, PPPoE session recovery after reload is configured in PPPoE profile "group1".
bba-group pppoe group1virtual-template 1sessions auto cleanupRelated Commands
show ssg auto-domain exclude-profile
To display the contents of an Autodomain exclude profile downloaded from the AAA server, use the show ssg auto-domain exclude-profile command in global configuration mode.
show ssg auto-domain exclude-profile
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration
Command History
12.2(4)B
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command in global configuration mode to display the contents of an Autodomain exclude-profile downloaded from the AAA server. If any exclude entries downloaded from the AAA server are removed by the no exclude {apn | domain} name command, these entries will not be displayed by the show ssg auto-domain exclude-profile command.
Examples
The following sample displays the contents of an Autodomain exclude profile downloaded from the AAA server. The report is self-explanatory.
Router# show ssg auto-domain exclude-profileExclude APN Entries Downloaded:apn1.gprs apr2.comExclude Domain Entries Downloaded:cisco.com abcd.comRelated Commands
show ssg binding
To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding command in privileged EXEC mode.
show ssg binding [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display services and the interfaces to which they have been bound.
Examples
The following example shows all service names that have been bound to interfaces:
Router# show ssg bindingWhipitNet -> 192.168.1.1 (NHT)Service1.com -> 192.168.1.2 (NHT)Service2.com -> 192.168.1.3 (NHT)Service3.com -> 192.168.1.4 (NHT)GoodNet -> 192.168.2.1Perftest -> 192.168.1.6Related Commands
clear ssg service
Removes a service.
show ssg service
Displays the information for a service.
ssg bind service
Specifies the interface for a service.
show ssg connection
To display the connections of a given Service Selection Gateway (SSG) host and a service name, use the show ssg connection command in privileged EXEC mode.
show ssg connection {ip-address | network-id subnet-mask} service-name [interface]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
Prepaid Service Based on Volume: Example
The following example displays the SSG connection for a prepaid service that uses a volume-based quota:
Router# show ssg connection 10.10.1.1 InstMsg------------------------ConnectionObject Content -----------------------User Name:Owner Host:10.10.1.1Associated Service:InstMsgConnection State:0 (UP)Connection Started since:*00:25:58.000 UTC Tue Oct 23 2001User last activity at:*00:25:59.000 UTC Tue Oct 23 2001Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Quota Type = 'VOLUME', Quota Value = 100Session policing disabledPrepaid Service Based on Time: Example
The following example displays the SSG connection for a prepaid service that uses a time-based quota:
Router# show ssg connection 10.10.1.2 Prepaid-internet------------------------ConnectionObject Content -----------------------User Name:HostOwner Host:10.10.1.2Associated Service:Prepaid-internetConnection State:0 (UP)Connection Started since:*00:34:06.000 UTC Tue Oct 23 2001User last activity at:*00:34:07.000 UTC Tue Oct 23 2001Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Quota Type = 'TIME', Quota Value = 100Session policing disabledAutologin Service: Example
The following example shows the service connection for the autologon service to host 10.3.6.1:
Router# show ssg connection 10.3.6.1 autologin------------------------ ConnectionObject Content -----------------------User Name:autologinOwner Host:10.3.6.1Associated Service:autologinConnection State:0 (UP)Connection Started since:*20:41:26.000 UTC Fri Jul 27 2001User last activity at:*20:41:26.000 UTC Fri Jul 27 2001Connection Traffic Statistics:Input Bytes = 0 (HI = 0), Input packets = 0Output Bytes = 0 (HI = 0), Output packets = 0MSISDN: Example
The following sample output for the show ssg connection command shows the MSISDN that is used for service logon:
Router# show ssg connection 10.0.1.1 proxy2------------------------ConnectionObject Content -----------------------User Name: dev-user2Owner Host: 10.0.1.1Associated Service: proxy2Calling station id: 12345Connection State: 0 (UP)Connection Started since: *17:44:59.000 GMT Sun Jul 6 2003User last activity at: *17:44:59.000 GMT Sun Jul 6 2003Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Session policing disabledSubnet-Based Subscriber: Example
The following sample output for the show ssg connection command shows the subnet mask of the subscribed host:
Router# show ssg connection 10.0.1.1 255.255.255.0 passthru------------------------ConnectionObject Content -----------------------User Name: dev-user2Owner Host: 10.0.1.1 (Mask : 255.255.255.0)Associated Service: passthru1Calling station id: 00d0.792f.8054Connection State: 0 (UP)Connection Started since: *17:44:59.000 GMT Sun Jul 6 2004User last activity at: *17:44:59.000 GMT Sun Jul 6 2004Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Table 2 describes the significant fields shown in the displays.
Related Commands
clear ssg connection
Removes the connections of a given host and a service name.
show ssg dial-out exclude-list
To display information about the Dialed Number Identification Service (DNIS) prefix profile and the DNIS exclusion list, use the show ssg dial-out exclude-list command in privileged EXEC mode.
show ssg dial-out exclude-list
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.2(15)B
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
Use this command to display the DNIS profile name and all DNIS entries configured via CLI or downloaded from a authentication, authorization, and accounting (AAA) server.
Examples
The following example shows sample output for the show ssg dial-out exclude-list command:
Router# show ssg dial-out exclude-listExclude DNIS prefixes downloaded from profile exclude_dnis_aaaRelated Commands
show ssg direction
To display the direction of all interfaces for which a direction has been specified, use the show ssg direction command in privileged EXEC mode.
show ssg direction [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to show all interfaces that have been specified as uplinks or downlinks.
Examples
The following example shows the direction of all interfaces that have been specified as uplinks or downlinks.
Router# show ssg directionATM0/0/0.10: UplinkBVI1: DownlinkFastEthernet0/0/0: UplinkRelated Commands
show ssg host
To display information about a Service Selection Gateway (SSG) subscriber and the current connections of the subscriber, use the show ssg host command in privileged EXEC mode. The command syntax of the show ssg host command depends on whether the SSG Port-Bundle Host Key feature is enabled.
When SSG Port-Bundle Host Key Is Not Enabled
show ssg host [ip-address | count | username [subnet-mask]]
When SSG Port-Bundle Host Key Is Enabled
show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]
Syntax Description
Defaults
If no argument is provided, all current connections are displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can specify the Service Selection Gateway (SSG) downlink interface only when the SSG Port-Bundle Host Key feature is enabled. To enable the host key, enter the ssg port-map command in global configuration mode. To disable the host key, enter the no ssg port-map command.
Examples
Display All Active Hosts: Example
The following example shows all active hosts:
Router# show ssg host1:10.3.1.1 [Host-Key 70.13.60.3:64]2:10.3.6.1 [Host-Key 70.13.60.3:65]### Active HostObject Count:2Simple IP Host: Example
The following example shows information about a simple IP host with an IP address of 10.0.0.0:
Router# show ssg host 10.0.0.0------------------------ HostObject Content -----------------------Activated: TRUEInterface:User Name: user1Owner Host: 10.0.0.0Msg IP: 0.0.0.0 (0)Host DNS IP: 0.0.0.0Proxy logon from client IP: 10.0.48.3Device: PDSN (Simple IP)NASIP : 10.0.48.3SessID: 12345678APN :MSID : 5551000Timer : NoneMaximum Session Timeout: 0 secondsHost Idle Timeout: 60000 secondsClass Attr: NONEUser policing disabledUser logged on since: *05:59:46.000 UTC Fri May 3 2002User last activity at: *05:59:52.000 UTC Fri May 3 2002SMTP Forwarding: NOInitial TCP captivate: NOTCP Advertisement captivate: NODefault Service: NONEDNS Default Service: NONEActive Services: internet-blue;AutoService: internet-blue;Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking; vidconf;Subscribed Service Groups: NONEMobile IP Host: Example
The following example shows information about a mobile IP host with an IP address of 10.0.0.0:
Router# show ssg host 10.0.0.0------------------------ HostObject Content -----------------------Activated: TRUEInterface:User Name: user1Owner Host: 10.0.0.0Msg IP: 0.0.0.0 (0)Host DNS IP: 0.0.0.0Proxy logon from client IP: 10.0.48.4Device: HANASIP : 10.0.48.4SessID: 44444445APN :MSID : 5551001Timer : NoneMaximum Session Timeout: 0 secondsHost Idle Timeout: 60000 secondsClass Attr: NONEUser policing disabledUser logged on since: *06:01:02.000 UTC Fri May 3 2002User last activity at: *06:01:09.000 UTC Fri May 3 2002SMTP Forwarding: NOInitial TCP captivate: NOTCP Advertisement captivate: NODefault Service: NONEDNS Default Service: NONEActive Services: internet-blue;AutoService: internet-blue;Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking; vidconf;Subscribed Service Groups: NONETwo Hosts with the Same IP Address: Examples
The following example shows two host objects with the same IP address:
Router# show ssg host 10.3.1.1SSG:Overlapping hosts for IP 10.3.1.1 at interfaces:FastEthernet0/0/0Virtual-Access1In this case, use the interface argument to uniquely identify the host:
Router# show ssg host 10.3.1.1 FastEthernet0/0/0...
Note
The following example shows the usernames logged in to the active hosts:
Router# show ssg host username1:10.3.1.1 (active) Host name:pppoauser2:10.3.6.1 (active) Host name:ssguser2### Total HostObject Count(including inactive hosts):2Host Associated with a VRF: Example
The following sample output for the show ssg host command shows a VRF called "BLUE" associated with a host that has the IP address 10.0.0.2:
Router# show ssg host 10.0.0.2------------------------ HostObject Content ----------------------Activated: TRUEInterface: Ethernet1/0 VRF Name: BLUEUser Name: prep-user1Owner Host: 10.0.0.2Subnet-Based Subscriber: Example
The following example shows information about a subnet-based subscriber with an IP address of 10.0.0.0 and a subnet mask of 255.255.255.0:
Router# show ssg host 10.0.0.0 255.255.255.0------------------------ HostObject Content -----------------------Activated: TRUEInterface:User Name: user1Host IP : 10.0.0.0Mask : 255.255.255.0Msg IP: 0.0.0.0 (0)Host DNS IP: 0.0.0.0Maximum Session Timeout: 0 secondsHost Idle Timeout: 60000 secondsClass Attr: NONEUser policing disabledUser logged on since: *05:59:46.000 UTC Fri May 3 2004User last activity at: *05:59:52.000 UTC Fri May 3 2004SMTP Forwarding: NOInitial TCP captivate: NOTCP Advertisement captivate: NODefault Service: NONEDNS Default Service: NONEActive Services: NONEAutoService: NONESubscribed Services: passthru1; proxynat1; tunnel1; proxy1Subscribed Service Groups: NONETable 3 describes the significant fields shown in the displays.
Related Commands
clear ssg host
Removes a host object or a range of host objects.
ssg port-map
Enables the SSG port-bundle host key.
show ssg interface
To display information about Service Selection Gateway (SSG) interfaces, use the show ssg interface command in user EXEC or privileged EXEC mode.
show ssg interface [interface | brief]
Syntax Description
interface
(Optional) Specific interface for which to display information.
brief
(Optional) Gives brief information about each of the SSG interfaces and their usage.
Command Modes
User EXEC
Privileged EXECCommand History
12.2(16)B
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Use this command without any keywords or arguments to display information about all SSG interfaces.
Examples
The following example shows the show ssg interface brief command:
Router# show ssg interface briefInterface Direction bindingtype StatusATM3/0.1 Uplink Dynamic UpATM3/0.2 Downlink Static DownRelated Commands
show ssg multidomain ppp exclude-list
To display the contents of a PPP Termination Aggregation-Multidomain (PTA-MD) exclusion list, use the show ssg multidomain ppp exclude-list command in privileged EXEC mode.
show ssg multidomain ppp exclude-list
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.2(15)B
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
This command is used to verify the contents of a PTA-MD exclusion list.
Examples
Adding Domains to an Existing PTA-MD Exclusion List
In the following example, a PTA-MD exclusion list that already includes "cisco", "motorola", "nokia", and "voice-stream" is downloaded from the authentication, authorization, and accounting (AAA) server. After the exclusion list is downloaded, "microsoft" and "sun" are added to the exclusion list.
The exclusion list currently on the AAA server includes "cisco", "motorola", "nokia", and "voice-stream":
user = pta_md{
profile_id = 119
profile_cycle = 2
member = SSG-DEV
radius=6510-SSG-v1.1 {
check_items= {
2=cisco
}
reply_attributes= {
9,253="XPcisco"
9,253="XPmotorola"
9,253="XPnokia"
9,253="XPvoice-stream"
In the following example, the PTA-MD exclusion list is downloaded to the router from the AAA server. The password to download the exclusion list is "cisco". After the PTA-MD exclusion list is downloaded, "microsoft" and "sun" are added to the list using the router command-line interface (CLI).
ssg multidomain pppdownload exclude-profile pta_md ciscoexclude domain microsoftexclude domain sunThe enhancements to the exclusion list are then verified:
Router# show ssg multidomain ppp exclude-listProfile name :pta_md1 cisco2 motorola3 nokia4 voice-streamDomains added via CLI :1 microsoft2 sunRelated Commands
show ssg next-hop
To display the next-hop table, use the show ssg next-hop command in privileged EXEC mode.
show ssg next-hop [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all next-hop IP addresses.
Examples
The following example shows the next-hop table:
Router# show ssg next-hopNext hop table loaded from profile prof-nhg:WhipitNet -> 192.168.1.6Service1.com -> 192.168.1.3Service2.com -> 192.168.1.2Service3.com -> 192.168.1.1GoodNet -> 192.168.1.2Perftest -> 192.168.1.5End of next hop table.Related Commands
clear ssg next-hop
Removes the next-hop table.
ssg next-hop download
Downloads the next-hop table from a RADIUS server.
show ssg open-garden
To display a list of all configured open garden services, use the show ssg open-garden command in privileged EXEC mode.
show ssg open-garden
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Examples
In the following example, all configured open garden services are displayed:
Router# show ssg open-gardennrp1-nrp2_og1nrp1-nrp2_og2nrp1-nrp2_og3nrp1-nrp2_og4Related Commands
show ssg pass-through-filter
To display the downloaded filter for transparent pass-through, use the show ssg pass-through-filter command in privileged EXEC mode.
show ssg pass-through-filter [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the downloaded transparent pass-through filter. The filter prevents pass-through traffic from accessing the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command.
To display a filter defined on the command line, use the show running-config command.
Examples
The following example shows the pass-through filter:
Router# show ssg pass-through-filterService name: filter01Password: ciscoDirection: UplinkExtended IP access list (SSG ACL)permit tcp 172.16.6.0 0.0.0.255 any eq telnetpermit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftpRelated Commands
clear ssg pass-through-filter
Removes the downloaded filter for transparent pass-through.
ssg pass-through
Enables transparent pass-through.
show ssg pending-command
To display current pending commands, such as next-hop or filters, use the show ssg pending-command command in privileged EXEC mode.
show ssg pending-command
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the current pending commands.
Examples
The following example shows the pending commands:
Router# show ssg pending-commandSSG pending command list:ssg bind service Service1.com 192.168.103.1ssg bind service Perftest206 192.168.104.5Related Commands
show ssg port-map ip
To display information about a particular port bundle, use the show ssg port-map ip command in privileged EXEC mode.
show ssg port-map ip ip-address port port-number
Syntax Description
ip-address
IP address used to identify the port bundle.
port port-number
TCP port number used to identify the port bundle.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays the following information about a port bundle:
•
•
•
•
Examples
The following is sample output for the show ssg port-map ip command:
Router# show ssg port-map ip 25.0.0.1 port 64State = RESERVEDSubscriber Address = 10.1.1.1Downlink Interface = Ethernet1/0Downlink VRF = BLUEPort-mappings:-Subscriber Port: 1 Mapped Port: 1039Table 4 describes the significant fields shown in the display.
Related Commands
show ssg port-map status
To display information on port bundles, use the show ssg port-map status command in privileged EXEC mode.
show ssg port-map status [free | reserved | inuse]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Entered without any keywords, the command displays a summary of all port-bundle groups, including the following information:
•
•
•
Examples
Display All Bundles Example
The following example shows output for the show ssg port-map status command with no keywords:
Router# show ssg port-map statusBundle-length = 4Bundle-groups:-IP Address Free Bundles Reserved Bundles In-use Bundles10.13.60.2 4032 0 0Table 5 describes the significant fields shown in the display.
Display In-Use Bundles Example
The following example shows output for the show ssg port-map status command with the inuse keyword:
Router# show ssg port-map status inuseBundle-group 70.13.60.2 has the following in-use port-bundles:-Port-bundle Subscriber Address Interface64 10.10.3.1 Virtual-Access2Table 6 describes the significant fields shown in the display.
Related Commands
show ssg prepaid default-quota
To display the values of the Service Selection Gateway (SSG) prepaid default quota counters, use the show ssg prepaid default-quota command in privileged EXEC mode.
show ssg prepaid default-quota
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
SSG maintains two counters to keep track of the number of times the SSG prepaid default quota has been allotted. One counter is for the total number of default quotas allotted by SSG (irrespective of how many times the prepaid server has become available and unavailable). The other counter keeps track of the number of default quotas allotted by SSG during the latest instance of prepaid server unavailability.
Note that the value of the counter for currently allocated default quotas will be zero when the prepaid billing server is available. The counter for currently allocated default quotas restarts at 1 each time the prepaid billing server becomes unavailable.
The clear ssg prepaid default-quota command clears the SSG default quota counters.
Examples
The following example shows sample output for the show ssg prepaid default-quota command:
Router# show ssg prepaid default-quota### Total default quotas allocated since this counter was last cleared:10Default Quota Threshold:100Currently allocated Default Quotas:4Table 7 describes the significant fields shown in the display.
Related Commands
clear ssg prepaid default-quota
Clears the SSG prepaid default quota counters.
ssg prepaid threshold
Configures an SSG prepaid threshold value.
show ssg radius-proxy
To display a list of all RADIUS proxy clients, details of a particular RADIUS proxy client, or the pool of IP addresses configured for a router or for a specific domain, use the show ssg radius-proxy command in privileged EXEC mode.
show ssg radius-proxy [ip-address [vrf vrf-name]] | [address-pool [domain domain-name] [free | inuse]]
Syntax Description
Defaults
Displays a list of RADIUS proxy clients.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show ssg radius-proxy command without any keywords or arguments to display a list of RADIUS proxy clients. This command also displays the IP addresses, device types, timers, and the number of proxy users for each proxy client. Use the ip-address argument to display the full list of proxy users for the specified RADIUS proxy client.
Use the address-pool keyword to display the IP address pools configured for a router or for a specific domain. You can also display which IP addresses are available or are in use.
Examples
The following example shows how to display a list of RADIUS proxy clients:
Router# show ssg radius-proxy::::: SSG RADIUS CLIENT TABLE :::::Client IP VRF Device type Users100.0.0.2 Global PDSN 210.1.1.1 BLUE HA 1The following example shows how to display details about the RADIUS proxy client at IP address 172.16.0.0:
Router# show ssg radius-proxy 172.16.0.0::::: SSG RADIUS PROXY LOGON TABLE :::::User SessionID Host IP Timer IP Techuser1 12345678 50.0.0.100 None Simpleuser1 12345679 (no host) None MobileThe following example shows how to display information for IP addresses in the IP address pool:
Router# show ssg radius-proxy address-poolGlobal Pool: Free Addresses= 10234 Inuse Addresses= 0The following example shows how to display information about the IP addresses in the IP address pool in the domain called "ssg.com":
Router# show ssg radius-proxy address-pool domain ssg.comDomain Pool(ssg.com): Free Addresses= 20 Inuse Addresses= 10The following example shows how to display information about the IP addresses in the IP address pool for the domain called "ssg.com" that are currently in use:
Router# show ssg radius-proxy address-pool domain ssg.com inuseInuse Addresses in Domain Pool(ssg.com):1019.1.5.119.1.5.219.1.5.319.1.5.419.1.5.519.1.5.619.1.5.719.1.5.819.1.5.919.1.5.10The following example shows how to display information about the IP addresses in the IP address pool for the domain called "ssg.com" that are currently available:Router# show ssg radius-proxy address-pool domain ssg.com freeFree Addresses in Domain Pool(ssg.com):2019.1.5.1119.1.5.1219.1.5.1319.1.5.1419.1.5.1519.1.5.1619.1.5.1719.1.5.1819.1.5.1919.1.5.2019.1.5.2119.1.5.2219.1.5.2319.1.5.2419.1.5.2519.1.5.2619.1.5.2719.1.5.2819.1.5.2919.1.5.30Table 8 describes significant fields shown in the displays.
Related Commands
show ssg service
To display the information for a Service Selection Gateway (SSG) service, use the show ssg service command in privileged EXEC mode.
show ssg service [service-name [begin expression | exclude expression | include expression]]
Syntax Description
Defaults
If no service name is provided, the command displays information for all services.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display connection information for a service.
Examples
Open Garden Service: Example
The following example show output for the show ssg service command for an open garden service called "dnsB-service":
Router# show ssg service dnsB-service------------------------ ServiceInfo Content -----------------------Uplink IDB: ATM3/0.10Name: dnsB-serviceBinding:ATM3/0.10 gw: 10.11.11.2 distance: 0Type: PASS-THROUGHMode: CONCURRENTDHCP pool name :Service Session Timeout: 0 secondsService Idle Timeout: 0 secondsService refresh timeleft: 48 minutesNo Prepaid Authorization RequiredAuthentication Type: NONESession policing disabledReference Count: 1DNS Server(s): Primary: 10.0.0.2 (Backup: 10.0.0.2 )IP 10.0.0.2 : req=0 rep=0 (UP)IP 10.0.0.2 : req=0 rep=0 (UP)No Radius server group created. No remote Radius servers.ConnectionCount 0Full User Name not usedDomain List: ssg;OpenGarden Service:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Included Network Segments:10.0.0.0/255.0.0.0Active Connections:------------------------ End of ServiceInfo Content ----------------L2TP Tunnel Service: Example
The following example shows the information for the L2TP tunnel service called "tunnel1". The attribute filter that is set in the service profile can be seen in the output.
Router# show ssg service tunnel1------------------------ ServiceInfo Content -----------------------Uplink IDB: gw: 0.0.0.0Name: tunnel1Type: TUNNELMode: CONCURRENTService Session Timeout: 0 secondsService Idle Timeout: 0 secondsService refresh timeleft: 99 minutesNo Authorization RequiredAuthentication Type: CHAPAttribute Filter: 31Session policing disabledReference Count: 1DNS Server(s):No Radius server group created. No remote Radius servers.TunnelId: ssg1TunnelPassword: ciscoHomeGateway Addresses: 172.0.0.1ConnectionCount 1Full User Name not usedDomain List: Included Network Segments:0.0.0.0/0.0.0.0Active Connections:1 : RealIP=172.0.1.1, Subscriber=10.0.1.1------------------------ End of ServiceInfo Content ----------------Proxy Service: Example
The following example shows information for the proxy service called "serv1-proxy":
Router# show ssg service serv1-proxy------------------------ ServiceInfo Content -----------------------Uplink IDB:Name:serv1-proxyType:PROXYMode:CONCURRENTService Session Timeout:0 secondsService Idle Timeout:0 secondsClass Attr:NONEAuthentication Type:CHAPReference Count:1Next Hop Gateway Key:my-keyDNS Server(s):Primary:10.13.1.5Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secretIncluded Network Segments:10.13.0.0/255.255.0.0Excluded Network Segments:Full User Name UsedService Defined Cookie existDomain List:service1.com;Active Connections:1 :Virtual=255.255.255.255, Subscriber=10.20.10.2------------------------ End of ServiceInfo Content ----------------Table 9 describes the significant fields shown in the display.
Related Commands
show ssg summary
To display a summary of the Service Selection Gateway (SSG) configuration, use the show ssg summary command in user EXEC or privileged EXEC mode.
show ssg summary
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXECCommand History
12.2(16)B
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Use this command to display information such as which SSG features are enabled, how many users are active, how many services are active, and what filters are active.
Examples
The following example shows the show ssg summary command:
Router# show ssg summarySSG Features Enabled:TCP Redirect: Unauthenticated, Service, Captive portal.QOS: User policing, Session Policing.Host Key: EnabledRelated Commands
show ssg tcp-redirect group
To display information about the captive portal groups and the networks associated with those portal groups, use the show ssg tcp-redirect group command in privileged EXEC mode.
show ssg tcp-redirect group [group-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display information about the captive portal groups and their associated networks as defined in your system.
If you omit the optional group-name argument, this command displays a list of all defined captive portal groups. If you specify the group-name argument, this command displays information about that group and its associated networks.
Examples
The following example shows how to display a list of all of the defined captive portal groups:
Router# show ssg tcp-redirect groupCurrent TCP redirect groups:SESM1SESM2Default access-list: 101Default unauthenticated user redirect group: None SetDefault service redirect group: None SetPrepaid user default redirect group: None SetSMTP forwarding group: None SetDefault initial captivation group: None SetDefault advertising captivation group: None SetTable 10 describes the significant fields shown in the display.
The following example shows how to display a detailed description of the captive portal group called "RedirectServer":
Router# show ssg tcp-redirect group RedirectServerTCP redirect group RedirectServer:Showing all TCP servers (Address, Port):10.2.36.253, 8080, FastEthernet0/0Networks to redirect to (network-list RedirectNw):172.16.10.0 /24172.20.0.0 /16TCP port to redirect:80Table 11 describes the significant fields shown in the display.
Related Commands
show ssg user transparent
To display a list of all the Service Selection Gateway (SSG) transparent autologon users, use the show ssg user transparent command in privileged EXEC mode.
show ssg user transparent
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the IP addresses and the states of all transparent autologon users that are active on SSG. The transparent autologon user states are passthrough (TP), suspect (SP), unidentified (NR), and waiting for authorization (WA).
Examples
The following is sample output from the show ssg user transparent command:
Router# show ssg user transparent10.10.10.10 Passthrough11.11.11.11 Suspect120.120.120.120 Authorizing### Total number of transparent users: 3Related Commands
show ssg user transparent authorizing
To display a list of all Service Selection Gateway (SSG) transparent autologon users for whom authorization is in progress and who are waiting for authentication, authorization, and accounting (AAA) server response, use the show ssg user transparent authorizing command in privileged EXEC mode.
show ssg user transparent authorizing [count]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all Service Selection Gateway (SSG) transparent autologon users that are waiting for authorization (WA).
Examples
The following is sample output from the show ssg user transparent authorizing command with the count keyword:
Router# show ssg user transparent authorizing count### Total number of WA users : 1Related Commands
show ssg user transparent passthrough
To display information about Service Selection Gateway (SSG) transparent autologon pass-through users, use the show ssg user transparent passthrough command in privileged EXEC mode.
show ssg user transparent passthrough [ip-address | count]
Syntax Description
ip-address
(Optional) Display details for specified user IP address.
count
(Optional) Displays the number of pass-through users.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon pass-through (TP) users that are active on SSG.
Examples
The following is sample output from the show ssg user transparent passthrough command for the user having IP address 10.10.10.10:
Router# show ssg user transparent passthrough 10.10.10.10User IP Address : 10.10.10.10Session Timeout : 200 (seconds)Idle Timeout : 100 (seconds)User logged on since : *16:33:57.000 GMT Mon May 19 2003User last activity at : *16:33:57.000 GMT Mon May 19 2003Current Time : *16:35:17.000 GMT Mon May 19 2003Related Commands
show ssg user transparent suspect
To display a list of all Service Selection Gateway (SSG) transparent autologon suspect (SP) user IP addresses, use the show ssg user transparent suspect command in privileged EXEC mode.
show ssg user transparent suspect [count]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
An SSG transparent autologon suspect user is a user whose authentication, authorization, and accounting (AAA) authorization resulted in an Access Reject.
Examples
The following is sample output from the show ssg user transparent suspect command with and without the count keyword:
Router# show ssg user transparent suspect count### Total number of SP users : 1Router# show ssg user transparent suspect94.0.0.1### Total number of SP users : 1Router#Related Commands
show ssg user transparent unidentified
To display a list of Service Selection Gateway (SSG) transparent autologon users for whom there is no response from the authentication, authorization, and accounting (AAA) server to an authorization request (unidentified users), use the show ssg user transparent unidentified command in privileged EXEC mode.
show ssg user transparent unidentified [count]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon unidentified (NR) users that are active on the SSG.
Examples
The following is sample output from the show ssg user transparent unidentified command with and without the count keyword:
Router# show ssg user transparent unidentified count### Total number of NR (Unidentified) users : 1Router# show ssg user transparent unidentified93.0.0.1### Total number of NR (Unidentified) users : 1Router#Related Commands
show ssg vc-service-map
To display virtual circuit (VC)-to-service-name mappings, use the show ssg vc-service-map command in privileged EXEC mode.
show ssg vc-service-map [vpi/vci | service service-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display VC-to-service-name mappings.
Examples
The following example shows the VCs mapped to the service name "Worldwide":
Router# show ssg vc-service-map service WorldwideInterface From To Service Name TypeAll 3 /33 None Worldwide non-exclusiveRelated Commands
source ip
To specify Service Selection Gateway (SSG) source IP addresses to which to map the destination IP addresses in subscriber traffic, use the source ip command in SSG portmap configuration mode. To remove this specification, use the no form of this command.
source ip {ip-address | interface}
no source ip {ip-address | interface}
Syntax Description
ip-address
SSG source IP address.
interface
Interface whose main IP address is used as the SSG source IP address.
Defaults
No default behavior or values.
Command Modes
SSG portmap configuration
Command History
12.2(16)B
This command was introduced. This command replaces the ssg port-map source ip command.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
With the SSG Port-Bundle Host Key feature, SSG maps the destination IP addresses in subscriber traffic to specified SSG source IP addresses.
All SSG source IP addresses configured with the source ip command must be routable in the management network where the Cisco Service Selection Dashboard (SSD) or Subscriber Edge Services Manager (SESM) resides.
If the interface for the source IP address is deleted, the port-map translations will not work correctly.
Because a subscriber can have several simultaneous TCP sessions when accessing a web page, SSG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple SSG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the length command.
Examples
The following example shows the SSG source IP address specified with an IP address and with specific interfaces:
ssg port-mapsource ip 10.0.50.1source ip Ethernet 0/0/0ssg port-map source ip Loopback 1Related Commands
length (SSG)
Modifies the port-bundle length upon the next SSG reload.
ssg port-map
Enables the SSG port-bundle host key and enters SSG portmap configuration mode.
