Guest

Networking Software (IOS & NX-OS)

Configuring ISG Integration with SCE

Hierarchical Navigation

Downloads

Table Of Contents

Configuring ISG Integration with SCE

Finding Feature Information

Contents

Prerequisites for Configuring ISG Integration with SCE

Hardware Requirements

Software Requirements

Restrictions for Configuring ISG Integration with SCE

Information About Configuring ISG Integration with SCE

Overview of ISG-SCE Integration

ISG and SCE Roles in Subscriber Management

How to Configure ISG Integration with SCE

Configuring Communication Between SCE and ISG

Configuring SCE Connection Parameter on ISG

Configuring Control Policy on the Policy Manager

Configuring Control Policy on the ISG

Configuring Auto Service on the AAA Server

Configuring Services

Configuring Services on ISG

Configuring Services on the AAA Server

Troubleshooting Tips

Examples

Configuration Examples for ISG Integration with SCE

ISG Control Bus Configuration: Example

ISG Integration with SCE: Example

SCE Control Bus Configuration: Examples

Additional References

Related Documents

Technical Assistance

Feature Information for Configuring ISG Integration with SCE


Configuring ISG Integration with SCE

First Published: February 22, 2008
Last Updated: September 15, 2010

Intelligent Services Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure ISG and Cisco Service Control Engine (SCE) to function as a single policy enforcement point for subscriber sessions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring ISG Integration with SCE" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Configuring ISG Integration with SCE

Restrictions for Configuring ISG Integration with SCE

Information About Configuring ISG Integration with SCE

How to Configure ISG Integration with SCE

Configuration Examples for ISG Integration with SCE

Additional References

Feature Information for Configuring ISG Integration with SCE

Prerequisites for Configuring ISG Integration with SCE

The following prerequisites apply to the configuration of ISG integration with SCE.

Hardware Requirements

An ISG platform, which can be any of the following (beginning in Cisco IOS Release 12.2(33)SRC):

Cisco 7200 router

Cisco 7301 router

Cisco 7600 router

An SCE platform

Two connections between the ISG device and the SCE:

A control path, through which the ISG device and SCE can exchange policy information

A data path that carries the subscriber traffic

A policy server configured to communicate with the ISG platform. The ISG-SCE integration removes any need for a communication layer between the policy server and the SCE.

Software Requirements

Cisco IOS Release 12.2(33)SRC or later on the ISG

Cisco Software Release 3.1.0 or later on the SCE

Restrictions for Configuring ISG Integration with SCE

The following restrictions apply to the integration of the ISG and an SCE:

When an SCE policy is deactivated, the policy is removed from the session on the SCE, and the session policy reverts to the default SCE policy.

Only one SCE policy at a time may be applied to a session. Applying additional policies will override the policy previously applied on the SCE.

This feature requires a control bus communication protocol, which runs over RADIUS and RADIUS extensions (as specified in RFC 3576), operating in two modes; PUSH and PULL.

In PULL mode the ISG device waits for a query from the SCE.

In PUSH mode the download of an external feature is initiated by the ISG device as soon as an external service is activated on the subscriber session.

To work with the SCE for subscriber management, the control bus protocol must do the following:

Support pushing a session and make relevant changes to a session to the SCE.

Allow a session, its relevant identity, and the SCE policy profile to be pulled from the ISG device by using an identity-based query.

Support accounting events, including the following:

Accepting SCE initiated accounting events asynchronously.

Correlating SCE accounting data to the appropriate ISG session.

Parsing the SCE accounting data to perform protocol translation.

The per-user IP subnet assigned to Point-to-Point Protocol (PPP) users during login is not communicated to SCE. A per-user static route is downloaded to PPP users through the framed-route RADIUS attribute during login. ISG does not send the per-user subnet address for a PPP session to SCE in the CoA provision session (ProvSess) attribute.

Information About Configuring ISG Integration with SCE

Overview of ISG-SCE Integration

ISG and SCE Roles in Subscriber Management

Overview of ISG-SCE Integration

The ISG Integration with SCE feature integrates ISG and SCE at the policy plane level so that for purposes of subscriber provisioning, ISG and SCE function as a single logical entity. The ISG device and SCE communicate to manage subscriber sessions jointly, minimizing the requirements for coordination with additional external components. ISG handles subscriber management at Layer 4 and below. SCE is primarily focused at Layer 4 and above. When ISG and SCE are configured to work together, they provide tools for these functions:

Subscriber mapping—Subscriber awareness is distributed between ISG and the SCE. The shared subscriber session is referenced by both devices using a unique session identifier allocated by the ISG. Identity keys such as IP Address, IP Subnet, network access server (NAS) identifier, and NAS port are also associated to the session. SCE policies that should be enabled on the session are identified by their policy names.

Subscriber policy updates—Change subscriber policies in real time.

ISG and SCE Roles in Subscriber Management

Table 1 shows the specific roles of ISG and SCE in subscriber management.

Table 1 ISG and SCE Roles in Subscriber Management

Provided by ISG
Provided by SCE

Subscriber aggregation (broadband remote access service—BRAS)

Subscriber authorization or authentication

Policy management

Policy enforcement for:

Quality of service (QoS)

Multiprotocol label switching (MPLS) virtual private network (VPN)

Redirection

Session termination

Prepaid1 and postpaid billing

Policy enforcement for

Application-aware services

Redirection and application-based policy management

Service security

Behavioral classification

URL caching and filtering

Value-added services

Parental controls

Usage and content billing (prepaid and postpaid)

1 Prepaid billing is not supported when a Cisco 7600 router is configured as the ISG device.


ISG pushes policies (or external services) to the SCE for a given subscriber session, in the form of RADIUS change of authorization (CoA) messages. External service activation can be triggered by the policy manager component inside the ISG or by an external authentication, authorization, and accounting (AAA) server. The SCE sees the ISG as the policy manager. ISG serves as a proxy for service activation requests from the external AAA server to the SCE. The SCE sends accounting records to the ISG. The ISG, if configured to do so, serves as a proxy that sends the accounting records to an external AAA server. SCE can also query the ISG about session information for unprovisioned sessions. ISG informs SCE when a session terminates by means of a RADIUS Packet of Disconnect (PoD).

How to Configure ISG Integration with SCE

Before configuring ISG and SCE integration, verify that you have configured ISG for control and access policies, accounting, session maintenance, and network access regulation. Details on all these configurations are found in the Cisco IOS Intelligent Services Gateway Configuration Guide.

It is also necessary to have the SCE configured appropriately. Instructions for configuring the SCE are in the Cisco Service Control Engine (SCE) Software Configuration Guide, Release 3.1.

Perform the following tasks to configure ISG integration with SCE:

Configuring Communication Between SCE and ISG

Configuring SCE Connection Parameter on ISG

Configuring Control Policy on the Policy Manager

Configuring Services

Configuring Communication Between SCE and ISG

Communication between the SCE and the ISG device is managed by an external policy delegation (EPD) handler module in Cisco IOS software. The EPD implements the control bus on the ISG and handles all messaging between the ISG device and SCE. Details of communications between the ISG and AAA servers are found in the Cisco IOS Intelligent Services Gateway Configuration Guide. This task is necessary to establish the parameters for the communication between the ISG device and the SCE, including the following:

Port to which CoA messages are sent from the ISG device and SCE

Port on which ISG should receive access, accounting, and connection management requests from SCE

Shared secret between the ISG device and SCE

To configure communication between SCE and the ISG device, enter the following commands on the ISG device.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa server radius {sesm | proxy | policy-device}

4. client ipaddress [port coa destination port] [key shared secret]

5. authentication port port number

6. accounting port port number

7. key shared secret

8. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa server radius {sesm | proxy | policy-device}

Example:

Router(config)# aaa server radius policy-device

Enters RADIUS server configuration mode and configures the RADIUS profile.

Step 4 

client ipaddress [port coa destination port] [key shared secret]

Example:

Router(config-locsvr-radius)# client 10.10.10.1 key cisco port 1431

Configures client-specific details.

The IP address identifies the destination for CoA messages. If no port is configured, the default port (3799) is used. ISG sends CoA messages to the SCE to provision, update, or deactivate a session and activate or deactivate policies.

A shared secret configured for a specific client overrides the key configured using the key shared-secret command.

Step 5 

authentication port port-number

Example:

Router(config-locsvr-radius)# authentication port 1433

Specifies the port on which the EPD handler listens for session and identity query requests from SCE.

If no port is specified, the default port (1645) is used.

Step 6 

accounting port port-number

Example:

Router(config-locsvr-radius)# accounting port 1435

Specifies the port on which the EPD handler listens for accounting and peering requests and maintenance packets from SCE.

If no port is specified, the default port (1646) is used.

Step 7 

key shared-secret

Example:

Router(config-locsvr-radius)# key xxxxxxxxxx

Configures the secret shared between the EPD handler and SCE.

This key is used if no per-client shared secret is configured.

Step 8 

exit

Example:

Router(config-locsvr-rasius)# exit

Exits RADIUS server configuration mode.

Configuring SCE Connection Parameter on ISG

To configure the server connection management on either a per-server or a global basis, perform the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-peer address ip-address keepalive seconds

4. policy-peer keepalive seconds

5. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-peer address ip-address keepalive seconds

Example:

Router(config)# policy-peer address 10.10.10.1 keepalive 6

Configures the keepalive value, in seconds, for a specific policy defined by the given IP address.

Valid values are from 5 to 3600.

The default value is zero (0).

If the default value is in effect on the ISG device, the keepalive value proposed by the external policy device is used.

Step 4 

policy-peer keepalive seconds

Example:

Router(config)# policy-peer keepalive 10

Configures the keepalive value, in seconds, globally.

The range of valid values is from 5 to 3600.

The default value is zero (0).

If no per-server keepalive value is configured, the global value is used.

If different values are configured on the ISG device and the SCE, the lower value is used as the keepalive interval.

If neither a per-server nor a global value is configured, the default value of zero is used.

Step 5 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Configuring Control Policy on the Policy Manager

To configure the policy manager to download a service, through rules configured by Cisco IOS commands, follow the steps in this section.

Configuring Control Policy on the ISG

To configure the control policy on the ISG device, perform the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type control policy-map-name

4. class type control {class-map-name | always} event session-start

5. action-number service-policy type service name service-name

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type control policy-map-name

Example:

Router(config)# policy-map type control GOLD_POLICY

Configures the specified policy-map on the ISG and enters policy map configuration mode.

Step 4 

class type control {class-map-name | always} event session-start

Example:

Router(config-control-policymap)# class type control always event acct-notification

Specifies to apply actions matching conditions defined by the class-map-name or always for an event type.

Event types include the following: account-logoff, account-logon, acct-notification, credit-exhausted, quota-depleted, service-failed, service-start, service-stop, session-default-service, session-restart, session-service-found, session-start, and timed-policy-expiry.

Step 5 

action-number service-policy type service name service-name

Example:

Router(config-control-policymap)# 1 service-policy type service name sce-service

Defines the list of actions to be performed when the control policy is matched.

Step 6 

exit

Example:

Router(config-control-policymap)# exit

Exits policy map configuration mode.

Configuring Auto Service on the AAA Server

To download a service to the ISG by means of auto service, perform the steps in this section.

SUMMARY STEPS

1. Cisco-Avpair="subscriber: auto-logon-service=sce-service"

DETAILED STEPS

Step 1 Cisco-Avpair="subscriber: auto-logon-service=sce-service"

Downloads a service name from the SCE to the ISG device.

Configuring Services

To configure services, perform the steps in this section. You can configure this feature either on the ISG device, using the Cisco IOS command line interface (CLI) commands, or on the AAA server.

Configuring Services on ISG

To configure a service containing accounting features and to activate an external policy on the SCE device, follow the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type service service-map-name

4. class-map type traffic class-map-name

5. accounting aaa list listname

6. sg-service-type external-policy

7. policy-name name

8. service-monitor enable

9. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type service service-map-name

Example:

Router(config-traffic-classmap)# policy-map type service SVC

Creates a service and enters traffic class map configuration mode.

Step 4 

class-map type traffic class-map-name

Example:

Router(config-control-policymap-class-control)# class-map type traffic bar

Defines a traffic class and enters control policy-map class configuration mode.

Note You cannot configure a traffic class on the Cisco 7600 router.

Step 5 

accounting aaa list listname

Example:

Router(config-service-policymap)# accounting aaa list list1

Configures accounting for ISG and enters service policy map configuration mode.

Step 6 

sg-service-type external-policy

Example:

Router(config-control-policymap)# sg-service-type external-policy

Defines the service as an external policy and enters policy map configuration mode.

Step 7 

policy-name name

Example:

Router(config-control-policymap)# policy-name gold

Defines a corresponding external policy name on the SCE.

Step 8 

service-monitor enable

Example:

Router(config-control-policymap)# service-monitor enable

Enables service monitoring for the external policy device.

Step 9 

exit

Example:

Router(config-pol-map)# exit

Exits policy map configuration mode.

Configuring Services on the AAA Server

To configure a service on the external AAA server, perform the steps in this section.

SUMMARY STEPS

1. Cisco:Avpair="subscriber:sg-service-type=external-policy"

2. Cisco:Avpair="subscriber:policy-name=gold"

3. Cisco:Avpair="subscriber:service-monitor=1"

4. Cisco:Avpair="accounting-list=list1"

DETAILED STEPS

Step 1 Cisco:Avpair="subscriber:sg-service-type=external-policy"

Defines the service as an external policy.

Step 2 Cisco:Avpair="subscriber:policy-name=gold"

Defines a corresponding external policy name on the ISG.

Step 3 Cisco:Avpair="subscriber:service-monitor=1"

Enables service monitoring for the external policy device.

Step 4 Cisco:Avpair="accounting-list=list1"

Configures accounting for ISG.

Troubleshooting Tips

The following command can be used to troubleshoot the integration of ISG with SCE:

show subscriber policy peer {address ip-address | handle connection-handle | id | all}

Examples

This section contains sample output of the show subscriber policy peer command.

show subscriber policy peer all

The following example shows sample output of the command when the all keyword is used. 

Router# show subscriber policy peer all


Peer IP: 10.0.0.10 

Conn ID: 11 

Mode   : PULL 

State  : ACTIVE 

Version: 1.0 

Conn up time: 00:00:14 

Conf keepalive: 0 

Negotiated keepalive: 1000 

Time since last keepalive: 00:00:14 

Remove owner on pull: TRUE

show subscriber policy peer all detail

The following example shows sample output for the show subscriber policy peer command when the detail keyword is added. 

Router# show subscriber policy peer all detail


Peer IP: 10.0.0.10 

Conn ID: 11 

Mode   : PULL 

State  : ACTIVE 

Version: 1.0 

Conn up time: 00:04:00 

Conf keepalive: 0 

Negotiated keepalive: 1000 

Time since last keepalive: 00:04:00 

Remove owner on pull: TRUE 

Associated session details:

12.134.4.5session_guid_str 

12.34.4.5session_guid_str

Configuration Examples for ISG Integration with SCE

ISG Control Bus Configuration: Example

ISG Integration with SCE: Example

SCE Control Bus Configuration: Examples

ISG Control Bus Configuration: Example

The following example shows how to configure the ISG control bus with the SCE management IP address and shared authentication key: 

aaa server radius policy-device

 client 10.10.10.10

 key cisco

 message-authenticator ignore

!

policy-peer address 10.10.10.10 keepalive 60

!

interface FastEthernet5/1

 ip address 10.10.10.1 255.255.255.0

ISG Integration with SCE: Example

The following example shows how to configure two SCEs, each with the same authentication and accounting ports. ISG handles CoA messages on port 1700 for one SCE and on default port 3799 for the other SCE. Peering is maintained for each SCE with the ISG via different keepalive intervals.

When a user session starts, POLICY-LOCAL is applied. If the user's profile at the AAA server has auto-logon, the session will begin using the SCE-SERVICE-LOCAL service. This service has the SCE service-monitor facility enabled. If the user profile does not specify auto-logon to the SCE-SERVICE-LOCAL service, SCE will use its default values for the policy-name argument and the service-monitor command, which are configured at the SCE. 

aaa accounting network service_acct start-stop group radius

aaa accounting network session_acct start-stop group radius


aaa server radius policy-device

 authentication port 1343

 accounting port 1345

 message-authenticator ignore

 client 10.10.10.1 port 1341 key cisco


class-map type traffic match-any bar

 match access-group input 102


access-list 102 permit ip any any


policy-map type service sce_service

 class type traffic bar

  accounting aaa list service_acct

 sg-service-type external-policy

 policy-name gold

 service-monitor enable


policy-map type control sce_policy

 class type control always event session-start

   1 service-policy type service sce_service

 class type control always event acct-notification

  1 proxy aaa list session_acct

SCE Control Bus Configuration: Examples

SCE Control Bus Setup Configured in PUSH Mode

The following example shows how to configure the SCE control bus in PUSH mode: 

scmp

scmp name ISG radius 10.10.10.2 secret cisco auth 1433 acct 1435

scmp subscriber send-session-start

interface LineCard 0

 subscriber anonymous-group name all IP-range

  192.168.12.0:0xffffff00 scmp name ISG

SCE Control Bus Setup Configured in PULL Mode

The following example shows how to configure the SCE control bus in PULL mode: 

scmp

scmp name ISG radius 10.10.10.2 secret cisco auth 1433 acct 1435

interface LineCard 0

 subscriber anaonymous-group name all IP-range

  192.168.12.0:0xffffff00 scmp name ISG

Additional References

Related Documents

Related Topic
Document Title

ISG commands

Intelligent Services Gateway Command Reference

AAA configuration tasks

The "Authentication, Authorization, and Accounting (AAA)" section in the Cisco IOS Security Configuration Guide.

AAA commands

The "Authentication, Authorization, and Accounting (AAA)" section in the Cisco IOS Security Command Reference.

SCE configuration

Cisco Service Control Engine (SCE) Software Configuration Guide, Release 3.1


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Configuring ISG Integration with SCE

Table 2 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 2 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 2 Feature Information for ISG Integration with SCE

Feature Name
Releases
Feature Information

ISG: Policy Control: ISG-SCE Control Bus

12.2(33)SRC
12.2(33)SB
15.0(1)S

ISG accounting provides the means to bill for account or service usage. ISG accounting uses the RADIUS protocol to facilitate interaction between ISG and an external RADIUS-based AAA or mediation server.

The following sections provide information about this feature:

Information About Configuring ISG Integration with SCE

How to Configure ISG Integration with SCE

In Cisco IOS Release 12.2(33)SRC, support was added for the Cisco 7600 router.

Note The traffic class feature cannot be configured on the Cisco 7600 router.

In Cisco IOS Release 12.2(33)SB, support was added for the Cisco 10000 router.

The following commands were introduced or modified: aaa server radius policy-device, class type control, clear subscriber policy peer, clear subscriber policy peer session, policy-name, policy peer, proxy (ISG RADIUS proxy), service-monitor, sg-service-type external policy, show subscriber policy peer.


Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2009-2010 Cisco Systems, Inc. All rights reserved.