Table Of Contents
Configuring SSG to Authenticate Subscribers with Transparent Autologon
Prerequisites for SSG Transparent Autologon
Restrictions for SSG Transparent Autologon
Information About SSG Transparent Autologon
Overview of SSG Transparent Autologon
SSG Transparent Autologon User-to-Service Packet Flow
States of SSG Transparent Autologon Users
Transparent Pass-Through User (TP)
User Waiting for Authorization (WA)
Switching Between TP and Host User States
Benefits of SSG Transparent Autologon
How to Configure SSG Transparent Autologon
Configuring SSG Transparent Autologon
Configuring the AAA Subscriber Profile for SSG Transparent Autologon Subscribers
Monitoring and Maintaining SSG Transparent Autologon
Troubleshooting SSG Transparent Autologon
Configuration Examples for SSG Transparent Autologon
SSG Transparent Autologon Configuration: Example
AAA User Profile Configuration for Transparent Passthrough (TP) Users: Example
AAA User Profile Configuration for Users with Hosts: Example
Feature Information for Configuring SSG to Authenticate Subscribers with Transparent Autologon
Configuring SSG to Authenticate Subscribers with Transparent Autologon
First Published: May 2, 2005Last Updated: October 2, 2009
Note
Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
The SSG Transparent Autologon feature enables Service Selection Gateway (SSG) to authenticate and authorize a user on the basis of the source IP address of packets received from the user. This document describes the SSG Transparent Autologon feature and how to configure SSG to authenticate subscribers by using transparent autologon.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SSG to Authenticate Subscribers with Transparent Autologon" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
•
•
Prerequisites for SSG Transparent Autologon
Before you can perform the tasks in this process, you must enable SSG. See the Cisco IOS Security Configuration Guide. Refer to Implementing SSG: Initial Tasks.
SSG authorizes the transparent autologon (TAL) user by using the IP address of the user in dotted notation as a string. Therefore, subscriber profiles must be configured with the IP addresses in dotted decimal notation as the username on the authentication, authorization, and accounting (AAA) server. Additionally, all of the subscriber profiles must all be configured with the same password.
Restrictions for SSG Transparent Autologon
•
•
For more information about the radius-server host command, see the Cisco IOS Security Configuration Guide, Release. Refer to "Configuring Authorization" section in the Part 1: Authentication, Authorization, and Accounting (AAA).
Information About SSG Transparent Autologon
Before you configure this feature, you should understand the following concepts:
•
•
•
•
•
Overview of SSG Transparent Autologon
The SSG Transparent Autologon feature enables SSG to authenticate subscribers on the basis of the source IP address of packets received on an SSG downlink interface. Depending on how the feature is deployed, SSG allows the coexistence of SSG transparent autologon with other logon methods such as Subscriber Edge Services Manager (SESM) authentication, RADIUS proxy, and PPP session termination.
When transparent autologon is configured, SSG first creates a temporary entry when it receives the first IP packet from the unauthenticated user. SSG then sends an authorization request to the AAA server with the username as the IP address in dotted string format, along with the MAC address (if available) as the calling-station-id (attribute 31) and the user's IP address in framed-ip (attribute 8). If the AAA server finds a valid entry for the user, it authenticates the user and sends an Access-Accept packet. On receiving the Access-Accept packet, SSG creates a user session on SSG. The functionality of this feature does not depend on any specific access technology.
Without this feature, SSG always creates a host object for an active user session. With this feature enabled, an active user in SSG can be of two types:
•
•
The type of user session created is determined by the Transparent Pass-Through User (TP) SSG Account-Info attribute in the subscriber's profile.
The new user session type (TP user) is useful in situations in which subscribers have a flat-rate access and there is no need of service selection, accounting, quality of service, prepaid, and so on. The user session representation of TP requires much less memory than a user session represented with the host object.
Note
SSG Transparent Autologon User-to-Service Packet Flow
When SSG Transparent Autologon is configured, a user will be in one of the following states:
•
•
•
•
•
These states are described in the following user-to-service packet flow description and in the "States of SSG Transparent Autologon Users" section.
Figure 1 is a diagram of the user-to-service packet flow when SSG Transparent Autologon is enabled. In this sample process, the following events occur:
1.
2.
3.
•
•
•
4.
•
•
•
•
–
•
–
Figure 1 User-to-Service Packet Flow
States of SSG Transparent Autologon Users
The following sections describe the SSG transparent autologon user states:
•
•
User with Host
When the SSG Transparent Autologon feature is configured, the host object user can be logged on in one of two ways:
1.
2.
Transparent Pass-Through User (TP)
An Access-Accept packet is received from the AAA server for the TAL authorization request and the user profile response has the Transparent Pass-Through (TP) attribute configured. In this case, SSG does not create hosts; instead, SSG adds the user to the TP user table.
For TP users, SSG honors only idle timeout and session timeout attributes from the user-profile. If other attributes are present, SSG ignores them.
The TP user model is useful for flat-rate users, where no accounting or differentiated services are required. Accounting records are not sent for the transparent pass-through users, even if accounting is enabled on the SSG. Traffic is forwarded to the service network on the basis of global routing table.
For TP users, idle timeouts and session timeouts can be configured either in the user profiles or globally though the CLI. The idle timeout and session timeout values configured in the user profile take precedence over the values configured globally.
User Waiting for Authorization (WA)
While SSG is waiting for the AAA server's response to the TAL request, the user is treated in a state known as waiting for authorization (WA). If a user is marked as WA, packets received from the user are dropped or forwarded, depending on the CLI configuration. By default, packets are forwarded.
The number of WA users increases if the AAA server response is very slow or the rate of authorization is high.
If the number of WA users exceeds a configured value, no new WA users are added, and any packet that causes SSG to send an authorization request is dropped in the Cisco Express Forwarding (CEF) path. This also means that any new user will not undergo transparent autologon unless the number of WA users falls below the configured threshold.
To protect the AAA server from processing too many requests per second, SSG can be configured to throttle the number of access requests per second. If the maximum throttle rate is reached, a syslog message is generated.
Suspect User (SP)
If an Access-Reject packet is received from the AAA server for the TAL authorization request, that user is marked as a suspect user (SP). Packets received from an SP user are TCP-redirected or dropped (if TCP-redirection is not enabled). The user remains marked as SP for a configurable length of time (one hour by default).
Too many SP users can cause SSG to consume all of its memory in maintaining the SP cache. To counter this situation, SSG provides a CLI command to configure the maximum number of SP users maintained by SSG. If the SP user count exceeds this maximum value, a syslog message is generated and SSG does not add any new SP users.
Unidentified User (NR)
If there is no response from the AAA server for the TAL authorization request and the request times out, the user's state is changed from WA to no response (NR). SSG logs a syslog message when there is no response from the AAA server.
Packets received from NR users are either TCP-redirected or forwarded using global routing table, or dropped depending on the CLI configuration. By default, packets received from NR users are TCP-redirected and/or dropped (if TCP-redirection is not configured).
Switching Between TP and Host User States
A TP (flat-rate) user can log on through SESM or some external device. When this occurs, SSG creates the host object for this user and removes the entry from the TP user list.
In the event that an external device sends an account logoff request to SSG, SSG will log the user as a transparent pass-through user when SSG receives the next IP packet from this user.
Benefits of SSG Transparent Autologon
With the SSG Transparent Autologon feature, SSG provides the following functionality:
•
•
How to Configure SSG Transparent Autologon
This section contains the following tasks:
•
•
•
•
Configuring SSG Transparent Autologon
Perform this task to configure SSG Transparent Autologon.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Configuring the AAA Subscriber Profile for SSG Transparent Autologon Subscribers
User-profiles for all the users that need to be authorized using TAL needs to be configured with username equal to the IP address as a doted-notation in string format. This is true if there is no script running on the AAA server to change the usernames.
User profiles for flat-rate users must include the Transparent Passthrough User (TP) attribute.
Monitoring and Maintaining SSG Transparent Autologon
Perform this task to monitor and maintain SSG Transparent Autologon. Step 1 is required. Steps 2 through 10 are optional and need not be performed in any particular order.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Example
The following examples show sample output for commands that can be used to monitor SSG transparent autologon:
show ssg user transparent Output: Example
The following is sample output from the show ssg user transparent command:
Router# show ssg user transparent10.10.10.10 Passthrough11.11.11.11 Suspect120.120.120.120 Authorizing### Total number of transparent users: 3show ssg user transparent authorizing Output: Example
The following is sample output from the show ssg user transparent authorizing command with the count keyword:
Router# show ssg user transparent authorizing count### Total number of WA users: 1show ssg user transparent passthrough Output: Example
The following is sample output from the show ssg user transparent passthrough command for the user having IP address 10.10.10.10:
Router# show ssg user transparent passthrough 10.10.10.10User IP Address: 10.10.10.10Session Timeout: 200 (seconds)Idle Timeout: 100 (seconds)User logged on since: *16:33:57.000 GMT Mon May 19 2003User last activity at: *16:33:57.000 GMT Mon May 19 2003Current Time: *16:35:17.000 GMT Mon May 19 2003show ssg user transparent suspect Output: Example
The following is sample output from the show ssg user transparent suspect command with and without the count keyword:
Router# show ssg user transparent suspect count### Total number of SP users: 1Router# show ssg user transparent suspect94.0.0.1### Total number of SP users: 1show ssg user transparent unidentified Output: Example
The following is sample output from the show ssg user transparent unidentified command with and without the count keyword:
Router# show ssg user transparent unidentified count### Total number of NR (Unidentified) users: 1Router# show ssg user transparent unidentified93.0.0.1### Total number of NR (Unidentified) users: 1Troubleshooting SSG Transparent Autologon
Perform this task to display logon control events or errors.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
debug ssg transparent login {errors | events} [ipaddress]
Example:Router# debug ssg transparent login
Displays transparent logon control events or errors.
Example
The following examples show sample output for the debug ssg transparent logon command. The output is self-explanatory.
Unidentified (NR) User: Example
*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2:Added entry successfully*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2:Attempting authorization*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2:Attempting to send authorization request*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2:Authorization response received*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2:Authorization timedout. User statechanged tounidentified*Jan 15 12:35:09.711:%SSG-5-SSG_TAL_NR:SSG TAL:No response from AAA server. AAA servermight be down or overloaded.*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2:Start SP/NR entry timeout timer for 10 minsTransparent Pass-Through (TP) User: Example
*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2:Added entry successfully*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2:Attempting authorization*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2:Attempting to send authorization request*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2:Authorization response received*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2:Parsing profile for TP attribute*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2:TP attribute found - Transparent user*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2:Stop SP/NR timer*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2:Idle timer started for 0 secs*Jan. 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2:Session timer started for 0 secsSuspect User (SP): Example
*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10:Added entry successfully*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10:Attempting authorization*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10:Attempting to send authorization request*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10:Authorization response received*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10:Access reject from AAA server. Userstatechanged to suspect*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10:Start SP/NR entry timeout timer for 60 minsClear All Users: Example
The following is sample output for the debug ssg transparent login command when it is used after all transparent autologon users have been cleared by using the clear ssg user transparent all command.
*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10:Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10:Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10:Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10:Stop session timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11:Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11:Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11:Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11:Stop session timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2:Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2:Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2:Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2:Stop session timerConfiguration Examples for SSG Transparent Autologon
This section provides the following configuration examples:
•
•
•
SSG Transparent Autologon Configuration: Example
The following example shows the how to enable and configure SSG Transparent Autologon.
!aaa new-model!! creates aaa-list for TAL authorizationaaa group server radius TAL_LISTserver 23.0.0.100 auth-port 1646 acct-port 1646!! The following commands configure SSG transparent autologon.ssg login transparentauthorization list TAL_LISTauthorization pending maximum 1200authorization rate-limit 100user suspect timeout 600user suspect maximum 1000user unidentified timeout 600user unidentified traffic permitpacket drop during-authorization!AAA User Profile Configuration for Transparent Passthrough (TP) Users: Example
The following example shows the configuration of the AAA user profile for a transparent pass-through user. Note that the username is the user's IP address.
10.0.0.1 Password = "servicecisco"Cisco-SSG-Account-Info = "TP",Idle-Timeout = 600Session-Timeout = 3600AAA User Profile Configuration for Users with Hosts: Example
The following example shows the configuration of the AAA user profile for a user with a host object (pay-per-use user). Note that the username is the user's IP address.
10.0.0.1 Password = "servicecisco"Cisco-SSG-Account-Info = "Ainternet-Service",Idle-Timeout = 600Session-Timeout = 3600Where to Go Next
To configure other methods of subscriber authentication, refer to the following modules:
•
•
•
•
•
To configure SSG to authenticate RADIUS Proxy subscribers, refer to Configuring SSG to Serve as a RADIUS Proxy
Additional References
The following sections provide references related to configuring SSG to authenticate TAL subscribers.
Related Documents
Configuring SESM
Cisco Subscriber Edge Services Manager documentation
RADIUS commands
RADIUS configuration tasks
"Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide
SSG commands
Technical Assistance
Feature Information for Configuring SSG to Authenticate Subscribers with Transparent Autologon
Table 1 lists the features in this module and provides links to specific configuration information.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Configuring SSG to Authenticate Subscribers with Transparent Autologon
Configuring SSG to Authenticate Subscribers with Transparent Autologon
12.3(1a)BW
12.3(3)B
12.3(7)T
12.4
15.0(1)M
The SSG Transparent Autologon feature enables Service Selection Gateway (SSG) to authenticate and authorize a user on the basis of the source IP address of packets received from the user.
The following sections provide information about this feature:
•
•
•
•
•
•
•
•
•
The following commands were introduced by this feature: clear ssg user transparent, show ssg user transparent, ssg login transparent
This feature was removed in Cisco IOS Release 15.0(1)M.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.
