-
Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4
-
Service Selection Gateway Features Roadmap
-
Overview of SSG
-
Implementing SSG: Initial Tasks
-
Configuring SSG to Serve as a RADIUS Proxy
-
Configuring SSG to Authenticate Web Logon Subscribers
-
Configuring SSG to Authenticate PPP Subscribers
-
Configuring SSG to Authenticate Subscribers with Transparent Autologon
-
Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
-
Configuring SSG for On-Demand IP Address Renewal
-
Configuring SSG Support for Subnet-Based Authentication
-
Configuring SSG for MAC-Address-Based Authentication
-
Configuring SSG for Subscriber Services
-
Configuring SSG Subscriber Experience Features
-
Configuring SSG to Log Off Subscribers
-
Configuring Accounting for SSG
-
RADIUS Profiles and Attributes for SSG
-
Table Of Contents
Configuring SSG to Authenticate PPP Subscribers
Information About SSG Authentication of PPP Subscribers
PPP Termination Aggregation (PTA)
Single Sign-on for PPP Subscribers
VPI/VCI Indexing to Service Profiles
How to Configure SSG to Authenticate PPP Subscribers
Configuring SSG Support for PPP Subscribers
Configuring a PTA-MD Exclusion List
Configuring VPI/VCI Indexing to Services
Configuring Single Sign-on for PPP Subscribers
Configuration Examples for SSG Authentication of PPP Subscribers
Adding Domains to an Existing PTA-MD Exclusion List: Examples
Disabling Parsing of PPP Structured Usernames: Example
Service-Name-to-VC Mapping: Example
Configuring the Virtual Template to Support PPP Subscribers: Example
Basic PPPoA and PPPoE Configuration: Examples
Feature Information for Configuring SSG to Authenticate PPP Subscribers
Configuring SSG to Authenticate PPP Subscribers
First Published: May 2, 2005Last Updated: October 2, 2009
Note
Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
Service Selection Gateway (SSG) supports PPP as a subscriber access protocol. PPP provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits. This document provides information about how to configure SSG to support PPP subscribers, including information about PPP Termination Aggregation-multidomain (PTA-MD), virtual-circuit (VC)-to-service-name mapping, and single sign-on for PPP users.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SSG to Authenticate PPP Subscribers" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
Prerequisites
Before you can perform the tasks in this module, SSG must be enabled. See the "Enabling SSG" section in the Implementing SSG: Initial Tasks module for more information.
If Cisco Subscriber Edge Services Manager (SESM) is part of your SSG network, SESM and the RADIUS server must be configured to support the subscriber logon method. See the Cisco Subscriber Edge Services Manager documentation for information about how to configure SESM.
If SSG is configured to work with SESM in RADIUS mode, service profiles, subscriber profiles, and control profiles must be configured on the authentication, authorization, and accounting (AAA) server before SSG will work. See the RADIUS Profiles and Attributes for SSG document for information about RADIUS profiles and vendor-specific attributes (VSAs) for SSG.
Restrictions
•
•
For more information about the radius-server host command, see the Cisco IOS Security Configuration Guide, Release 12.4. Refer to "Configuring Authorization" section in the Part 1: Authentication, Authorization, and Accounting (AAA).
Information About SSG Authentication of PPP Subscribers
Before you configure SSG to authenticate PPP subscribers, you should understand the following concepts:
•
•
•
PPP Subscriber Access
SSG implements Layer 3 service selection through selective routing of IP packets to destination networks on a per-subscriber basis. SSG uses the concept of interface direction (uplink or downlink) to help determine the forwarding path of an incoming packet. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.
There are two types of access-side interfaces in SSG, SSG-enabled interfaces and interfaces on which SSG is not enabled. For PPP users, virtual-access interfaces are created and destroyed dynamically, so for SSG functionality to be applied to traffic on a virtual access interface, SSG must be enabled on the interface dynamically. The following methods allow SSG to be enabled on an interface dynamically:
•
•
•
Note that user authentication can be based on a simple username (such as "user") or structured username (such as "user@domain.com"). The structured username may be used in the following situations:
•
•
PPP Termination Aggregation (PTA)
PPP Termination Aggregation (PTA) is a PPP method of aggregating IP traffic by terminating PPP sessions and aggregating the IP traffic into a single routing domain. PTA service selection is based on a structured name (for example, username@service.com). Users can access only one service.
The following is a high-level description of the process for user authentication in a PTA scenario:
1.
2.
3.
4.
5.
PTA-Multidomain
Whereas PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale virtual private network (VPN) model in which each domain is isolated from the others and has the capability to support overlapping IP addresses.
PTA-MD Exclusion Lists
The PTA-MD exclusion list allows you to create a set of domains that you want to exclude from normal SSG structured username processing. When a PPP user attempts to establish a PPP session using a domain that is part of the exclusion list, the traffic is treated as a simple username and hence the domain or service part in the structured username is ignored by SSG. SSG will treat the user as an SSG user if the user profile has SSG attributes or the corresponding virtual template is configured with SSG.
The PTA-MD exclusion list can be configured on the AAA server or directly on the router by using the command-line interface (CLI).
Single Sign-on for PPP Subscribers
SSG creates a host after a successful PPP authentication, but SESM has no knowledge of this host. SSG user profile caching makes the user profile available to SESM through status queries, providing support for single sign-on functionality and for failover from one SESM to another. User profile caching allows SSG to cache the user profiles for users. The feature is enabled by default.
In order to use single sign-on for PPP subscribers, you must also enable the single sign-on feature in SESM.
VPI/VCI Indexing to Service Profiles
Note
SSG supports VPI/VCI closed user groups by allowing VPI/VCIs to be bound to a given service. All users accessing SSG through the VPI/VCI or a range of VPI/VCIs will be able to access the configured service. You can specify whether users are allowed to access only the bound service or other additional services to which they subscribe. A closed user group service can be selected only through the VPI/VCI and not by entering the domain name in the username of a PPP session.
How to Configure SSG to Authenticate PPP Subscribers
To configure SSG to authenticate PPPoA, PPP over Ethernet (PPPoE) and PPP over Layer 2 Tunneling Protocol (PPPoL2TP) subscribers, perform the following tasks:
•
•
•
•
Configuring SSG Support for PPP Subscribers
Perform this task to configure SSG support for PPP subscribers. Configuring SSG to authenticate PPP users will create hosts when one of the conditions outlined in the "PPP Subscriber Access" section, are met.
For PPP subscribers, the virtual template must be configured as the downlink interface. Configuring the virtual template as a downlink interface is particularly important when SSG users are coming through CPE and the CPE establishes a PPP session with SSG. In order for the users coming through the CPE to be treated as SSG users, the PPP interface must be marked as downlink, by configuring the virtual template as downlink.
All configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands. For further information on virtual templates and how to configure them, refer to the following URL: http://www.cisco.com/en/US/docs/ios/dial/configuration/guide/dia_virtual_temp_ifs.html
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a PTA-MD Exclusion List
A PTA-MD exclusion list is used to eliminate parsing of PPP structured usernames during authentication. A PTA-MD exclusion list can be configured directly on the AAA server or through the use of the router CLI. Perform this task to configure a PTA-MD exclusion list locally on the router.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring VPI/VCI Indexing to Services
To configure VPI/VCI closed user groups, you must map VPI/VCIs to a given service. Perform this task to map VCs to service names.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring Single Sign-on for PPP Subscribers
SSG user-profile caching allows SESM to recover the user profiles of PPP users from SSG, which enables functionality such as single sign-on. This feature is enabled by default.
Note
Perform this task to enable SSG user-profile caching.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
ssg profile-cache
Example:Router(config)# ssg profile-cache
Enables the caching of user profiles for non-PPP users.
Configuration Examples for SSG Authentication of PPP Subscribers
This section contains the following configuration examples:
•
•
•
•
•
Adding Domains to an Existing PTA-MD Exclusion List: Examples
In the following example, a PTA-MD exclusion list that already includes the domain names of cisco, motorola, nokia, and voice-stream is downloaded from the AAA server. After the exclusion list is downloaded, the microsoft and sun domain names are added to the exclusion list.
The exclusion list currently on the AAA server includes cisco, motorola, nokia, and voice-stream. This exclusion list is in the ACS format.
user = pta_md{profile_id = 119profile_cycle = 2member = SSG-DEVradius=6510-SSG-v1.1 {check_items= {2=password}reply_attributes= {9,253="XPcisco"9,253="XPmotorola"9,253="XPnokia"9,253="XPvoice-stream"In the following example, the PTA-MD exclusion list is downloaded to the router from the AAA server. The password to download the exclusion list is cisco. After downloading the PTA-MD exclusion list, microsoft and sun are added to the list using the router CLI.
ssg multidomain pppdownload exclude-profile pta_md ciscoexclude domain microsoftexclude domain sunThe enhancements to the exclusion list are then verified.
Router# show ssg multidomain ppp exclude-listProfile name :pta_md1 cisco2 motorola3 nokia4 voice-streamDomains added via CLI :1 microsoft2 sunDisabling Parsing of PPP Structured Usernames: Example
In the following example, parsing of PPP structured usernames is disabled:
exclude all-domainsService-Name-to-VC Mapping: Example
The following example shows the service name "public" mapped to a VC:
ssg vc-service-map public interface atm3/0 1/37 non-exclusiveThe following example shows the service name "public" mapped to a range of VCs:
ssg vc-service-map public interface atm3/0 1/37 1/82 non-exclusiveConfiguring the Virtual Template to Support PPP Subscribers: Example
The following example shows a virtual template configured as a downlink interface. Any PPP connection to SSG that uses this template will be marked as a downlink interface.
interface Virtual-Template1description PPPoE v-interfacemtu 1492ip unnumbered Loopback0ip nat insidessg direction downlinkppp authentication pap chap!Basic PPPoA and PPPoE Configuration: Examples
The following configuration examples show how to establish basic PPPoA and PPPoE user connections:
PPPoA Users: Example
Configure AAA authentication through the RADIUS mechanism.
aaa authentication ppp default group radiusaaa authorization network default group radiusradius-server host 10.76.86.90 auth-port 1812 acct-port 1813 key ciscoradius-server vsa send accountingradius-server vsa send authenticationConfigure the PPP IP address on the aggregation side.
interface Loopback1ip address 21.6.6.1 255.255.255.0Configure the IP address pool if SSG is going to assign IP addresses.
ip local pool ppp-pool 21.9.9.2 21.9.9.10Configure the virtual template.
interface Virtual-Template1description "PPP virtual-template for PPP host"ip unnumbered Loopback1peer default ip address pool ppp-poolppp authentication pap chapConfigure the ATM interface on which PPPoA user comes in.
interface ATM4/0.21 point-to-pointdescription "Connected to 36/7 for PPP user"pvc 21/40encapsulation aal5mux ppp Virtual-Template1!PPPoEoA Users: Example
Configure AAA authentication through the RADIUS mechanism.
aaa authentication ppp default group radiusaaa authorization network default group radiusradius-server host 10.76.86.90 auth-port 1812 acct-port 1813 key ciscoradius-server vsa send accountingradius-server vsa send authenticationConfigure the PPP IP address on the aggregation side.
interface Loopback1ip address 21.6.6.1 255.255.255.0Configure the IP address pool if SSG is going to assign IP addresses.
ip local pool ppp-pool 21.9.9.2 21.9.9.10Configure the PPPoE server using a VPDN group.
vpdn enablevpdn-group 3accept-dialinprotocol pppoevirtual-template 1Configure the virtual template.
interface Virtual-Template1description "PPP virtual-template for PPP host"ip unnumbered Loopback1peer default ip address pool ppp-poolppp authentication pap chapConfigure the ATM interface on which the PPPoEoA user comes in.
interface ATM4/0.23 point-to-pointdescription "Connected to 36/7 for PPPoE user"ip address 23.6.6.1 255.255.255.0pvc 23/40encapsulation aal5snapprotocol pppoePPPoEoE Users: Example
Configure AAA authentication through the RADIUS mechanism.
aaa authentication ppp default group radiusaaa authorization network default group radiusradius-server host 10.76.86.90 auth-port 1812 acct-port 1813 key ciscoradius-server vsa send accountingradius-server vsa send authenticationConfigure the PPP IP address on the aggregation side.
interface Loopback1ip address 21.6.6.1 255.255.255.0Configure the IP address pool if SSG is going to assign IP addresses.
ip local pool ppp-pool 21.9.9.2 21.9.9.10Configure the PPPoE server using a VPDN group.
vpdn enablevpdn-group 3accept-dialinprotocol pppoevirtual-template 1Configure the virtual template.
interface Virtual-Template1description "PPP virtual-template for PPP host"ip unnumbered Loopback1peer default ip address pool ppp-poolppp authentication pap chapConfigure the Ethernet interface on which the PPPoEoE user comes in.
interface fastethernet 1/0description "Interface for PPPoEoE user"ip address 23.8.8.1 255.255.255.0pppoe enableWhere to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
•
•
•
•
•
Additional References
The following sections provide references related to configuring SSG to authenticate PPP subscribers.
Related Documents
SESM
Cisco Subscriber Edge Services Manager documentation
RADIUS commands
RADIUS configuration tasks
"Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide
Configuring L2TP
•
Technical Assistance
Feature Information for Configuring SSG to Authenticate PPP Subscribers
Table 3 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 3 Feature Information for Configuring SSG to Authenticate PPP Subscribers
PPP Subscriber Access
12.2(16)B
12.3(4)T
12.4The PPP subscriber access feature supports PPP as a subscriber access protocol.
The following sections provide information about this feature:
•
•
•
•
•
The following command was introduced by this feature: ssg direction downlink.
PTA-MD Exclusion List
12.2(15)B
12.3(4)T
12.4The PTA-MD Exclusion List feature allows you to create a set of domains that are excluded from normal SSG structured username processing.
The following sections provide information about this feature:
•
•
The following commands were introduced by this feature: download exclude-profile (PTA-MD), exclude (PTA-MD), show ssg multidomain, ppp exclude-list, ssg multidomain ppp.
Configuring SSG to Authenticate PPP Subscribers
15.0(1)M
This feature was removed in Cisco IOS Release 15.0(1)M.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.
