Guest

Networking Software (IOS & NX-OS)

Configuring Accounting for SSG

Hierarchical Navigation

Downloads

Table Of Contents

Configuring SSG Accounting

Finding Feature Information

Contents

Prerequisites for SSG Accounting

Information About SSG Accounting

RADIUS Accounting Records Used by SSG

Account Logon and Logoff

Service Logon and Logoff

Types of SSG Accounting

Interim Accounting

Per-Host Accounting

Per-Service Accounting

SSG Accounting Update Interval per Service Feature

Broadcast Accounting

SSG Prepaid Functionality

Service Authorization

Service Reauthorization

Accounting Records and Prepaid Billing

Simultaneous Volume- and Time-Based Prepaid Billing

SSG Prepaid Idle Timeout

SSG Prepaid Reauthorization Threshold

SSG Prepaid Redirection on Quota Exhaustion Feature

Default Quota for Prepaid Server Failure

Benefits of the SSG Prepaid Feature

Prepaid Tariff Switching

Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs

SSG Prepaid Tariff Switching VSAs

Interim Accounting Updates for SSG Prepaid Tariff Switching

Dual Quota and Idle-Timeout Prepaid Tariff Switching

Extended Prepaid Tariff Switching for SSG

Postpaid Tariff Switching for SSG

How to Configure SSG Accounting

Configuring SSG Accounting

Prerequisites for Configuring SSG Accounting

Configuring SSG Broadcast Accounting

Configuring SSG Prepaid Features

Configuring SSG Prepaid Features on the Router

Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature

Redirecting TCP Traffic for SSG Prepaid Quota Refill

Verifying Configuration of the SSG Prepaid Feature

Configuring Postpaid Tariff Switching for SSG

Post-Paid VSA

Examples

Configuration Examples for SSG Accounting

Accounting Update Interval per Service in RADIUS: Example

Basic Prepaid Configuration: Examples

TCP Redirect for Prepaid Users: Example

Configuring Prepaid Threshold Value: Examples

Additional References

Related Documents

Technical Assistance

Feature Information for Configuring SSG Accounting


Configuring SSG Accounting

First Published: May 2, 2005
Last Updated: October 2, 2009

Note Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.

Cisco Service Selection Gateway (SSG) accounting features allow a service provider to decide how to configure billing and accounting for its users. This module describes how to configure SSG accounting features including per-host or per-service accounting, broadcast accounting, prepaid service support, and postpaid tariff switching.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SSG Accounting" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for SSG Accounting

Information About SSG Accounting

How to Configure SSG Accounting

Configuration Examples for SSG Accounting

Additional References

Feature Information for Configuring SSG Accounting

Prerequisites for SSG Accounting

SSG must be enabled before SSG accounting can be configured.

Information About SSG Accounting

Before you configure SSG accounting functionality, you should understand the following concepts:

RADIUS Accounting Records Used by SSG

Types of SSG Accounting

SSG Prepaid Functionality

Prepaid Tariff Switching

Extended Prepaid Tariff Switching for SSG

Postpaid Tariff Switching for SSG

RADIUS Accounting Records Used by SSG

SSG sends accounting records with the associated attributes to the RADIUS accounting server when the events described in the following sections occur:

Account Logon and Logoff

Service Logon and Logoff

Account Logon and Logoff

SSG sends an accounting-request record to the local RADIUS server when a user logs in or out. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request record marks the start (commencement) of the user service or the stop (termination) of the service.

When a user logs in, SSG sends an accounting-start record to the RADIUS server. When a user logs out, SSG send an accounting-stop record to the RADIUS server.

Note The Proxy-state attribute is not normally present in both the accounting-start and accounting-stop record. It is normally found in only one of them.

Example RADIUS Accounting-Start Record Sent by SSG When a User Logs In

This example shows the information contained in a RADIUS accounting-start record. 

User-Name = "user1"

Acct-Status-Type = Start

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.0.0

NAS-Port-Type = Virtual

Acct-Session-Id = 00000011 ! The session ID number

Framed-IP-Address = 192.168.0.10 ! The user's IP address

Acct-Delay-Time = 0

Example RADIUS Accounting-Stop Record Sent by SSG When a User Logs Out

This example shows the information contained in a RADIUS accounting-stop record. 

User-Name = "user1"

Acct-Status-Type = Stop

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.0.0

NAS-Port-Type = Virtual

Acct-Session-Time = 77

Acct-Terminate-Cause = User-Request

Acct-Session-Id = 00000011 ! The session ID number

Framed-IP-Address = 192.168.0.10 ! The user's IP address

Acct-Input-Packets = 0 ! Downstream packet counts

Acct-Output-Packets = 0 ! Upstream packet counts

Acct-Input-Octets = 0 ! Downstream byte counts

Acct-Output-Octets = 0 ! Upstream byte counts

Acct-Delay-Time = 0

The Acct-Session-Time attribute indicates the length of session, expressed in seconds. The Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the following events:

User-Request

Session-Timeout

Idle-Timeout

Lost-Carrier

Service Logon and Logoff

SSG sends an accounting-start record to the local RADIUS server when a user logs onto a service, and sends an accounting-stop record when a user terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service.

Accounting records are sent only to the local RADIUS server unless the service is a proxy service, in which case they are also sent to a remote RADIUS server.

Example RADIUS Accounting-Start Record for Service Access

This example shows the information contained in an accounting-start record for service access. 

User-Name = "user1"

Acct-Status-Type = Start

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.2.48

NAS-Port-Type = Virtual

Acct-Session-Id = 00000012

Framed-IP-Address = 192.168.2.60 ! User's IP address

Service-Info = "NService1.com" ! servicename

Service-Info = "Uuser1" ! username-for-service

Service-Info = "TX"

Acct-Delay-Time = 0

Example RADIUS Accounting-Stop Record for Service Termination

This example shows the information contained in an accounting-stop record for service termination. 

User-Name = "user1"

Acct-Status-Type = Stop

Acct-Authentic = RADIUS

Service-Type = Framed

Framed-Protocol = PPP

NAS-IP-Address = 192.168.2.48

NAS-Port = 0

NAS-Port-Type = Virtual

Acct-Session-Id = "00000002"

Acct-Terminate-Cause = User-Request

Acct-Session-Time = 84

Acct-Input-Octets = 0 ! Downstream packet counts

Acct-Output-Octets = 649 ! Upstream packet counts

Acct-Input-Packets = 0 ! Downstream byte counts

Acct-Output-Packets = 17 ! Upstream byte counts

Framed-IP-Address = 192.168.101.10 ! User's IP address

Control-Info = "I0;0" ! high_32_dnst_byte;low_32_dnst_byte

Control-Info = "O0;649" ! high_32_upst_byte;low_32_upst_byte

Service-Info = "NService1.com" ! servicename

Service-Info = "Uuser1" username-for-service

Service-Info = "TP"

Acct-Delay-Time = 0

Types of SSG Accounting

This section provides information about RADIUS accounting for SSG and includes the following topics:

Interim Accounting

Per-Host Accounting

Per-Service Accounting

SSG Accounting Update Interval per Service Feature

Broadcast Accounting

Interim Accounting

The SSG supports interim (intermittent) RADIUS accounting updates between the time that SSG sends accounting-start and accounting-stop records. The interim accounting records are sent at a configurable interval, and are valid for both hosts and service connections.

Per-Host Accounting

Per-host accounting is the aggregate of all the connection traffic for a host. SSG does not account for the following types of traffic:

Between the host and the default-network.

To open gardens.

Redirected by the TCP Redirect feature.

Permitted by pass-through filters.

Per-host accounting records all other traffic.

By default, SSG sends host and service accounting records. A service provider only interested in host records can disable service (per-connection) accounting with the ssg accounting per-host command.

The per-host accounting records are sent to the local authentication, authorization, and accounting (AAA) server configured with the radius-server host command.

Per-Service Accounting

By default, SSG sends host and service accounting records. A service provider only interested in service records can disable host accounting with the ssg accounting per-host command. Service Accounting-Stop records can be throttled by using the ssg accounting stop rate-limit command.

SSG Accounting Update Interval per Service Feature

The SSG Accounting Update Interval Per Service feature allows the service provider to configure different accounting intervals for different services. Without the SSG Accounting Update Interval Per Service feature, accounting records of all services would be sent at the configured global interval. When enabled, the SSG Accounting Update Interval Per Service feature has the following effects:

When SSG accounting is enabled on a router with the ssg accounting command, the accounting interval parameters configured in a service profile take precedence.

When service accounting is configured using the ssg accounting command on the router but service profile accounting is disabled, then the per-service accounting records will not be sent for that service.

When service accounting is disabled on the router using the ssg accounting per-host command but in a service profile where accounting is enabled, then the per-service accounting records will be sent for that service.

Interim accounting records can be disabled by setting the interim accounting interval value to 0.

Broadcast Accounting

SSG supports broadcast accounting, which is the ability to send user accounting records to multiple RADIUS servers. The SSG broadcast accounting feature provides service providers with geographical redundancy for RADIUS servers, and provides accounting records to partners in wholesale models.

Note Broadcast accounting is not the same as RADIUS server failover: It requires that clones of host accounting packets are always forwarded to each of the configured servers, not only when the primary server fails.

SSG Prepaid Functionality

The SSG Prepaid feature allows SSG to immediately check a user's available credit to allow or disallow access to certain services. The user's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.

SSG differentiates prepaid services from postpaid services by the presence of the Service Authorization vendor-specific attribute (VSA) in the service profile.

Table 1 describes the elements of the Service Authorization VSA.

Table 1 Service Authorization VSA Elements

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

251
Service-Info

Service Authorization

The value "Z" indicates that authorization is required.


To obtain the first quota for a connection, SSG submits an authorization request to the AAA server. The AAA server contacts the prepaid billing server, which returns the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs the user off from the service that has run out of quota.

This section contains the following topics:

Service Authorization

Service Reauthorization

Accounting Records and Prepaid Billing

Simultaneous Volume- and Time-Based Prepaid Billing

SSG Prepaid Idle Timeout

SSG Prepaid Reauthorization Threshold

SSG Prepaid Redirection on Quota Exhaustion Feature

Default Quota for Prepaid Server Failure

Benefits of the SSG Prepaid Feature

Service Authorization

When a user tries to access a service, SSG downloads the service profile. The presence of the "Z" value in the service profile indicates that this particular service needs to be prepaid, and that SSG must perform authorization before providing access.

Once a service has been identified as prepaid, SSG generates an Access-Request packet called a Service Authorization Request. The contents of this type of Access-Request packet are described in Table 2.

Table 2 Contents of Service Authorization Request Packet 

Attribute ID
Attribute Name
Description
Notes

1

User-Name

Mobile Station (MS) user name

2

PAP Password

Global service profile password

4

NAS IP Address

SSG IP address

6

Service-Type

Framed-user

26

Vendor-Specific

Name of service

Subattribute ID 251; code N (the service-name).

31

Calling-Station-ID

Mobile Station ISDN Number (MSISDN)

The username or MAC address may appear in this field if the access technology does not provide an MSISDN.

44

Acct-Session-ID

Session ID

55

Time-Stamp

Time-stamp

61

NAS-Port-Type

Asynchronous
(value = 0)


The prepaid billing server generally performs quota authorization based on the same key that was used for authentication. For example, for mobile wireless networks, where the unique key that is used for authentication is the Calling-Station-ID attribute (attribute 31), the quota authorization would also be performed using the Calling-Station-ID attribute.

The prepaid billing server responds to the Service Authorization Request packet with an Access-Accept packet (the Service Authorization Response) that defines the quota parameters for the connection. The Service Authorization Response is listed in Table 3. Access to the service is provided based on the presence and contents of the Quota VSA in the Access-Accept packet listed in Table 4.

Table 3 Content of Service Authorization Access-Accept Packet

Attribute ID
Attribute Name
Description
Notes

6

Service-Type

Framed-user

26

Vendor-Specific

Quota

Subattribute ID: 253. The value "Q" indicates that this is the Quota VSA.


Table 4 Quota VSA Elements

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

T or V—Quota subcode for time or volume.

Numeric string—Quota value.


Based on the presence and value of quota attributes in the authorization response, SSG will take the following actions:

If a nonzero quota is returned in the authorization response, SSG creates a connection to the service using the initial quota value in seconds for time and bytes for volume.

If a value of zero in a quota is returned in the authorization response, then the user has insufficient credit and is not authorized to use that service.

If the quota attribute is not present in the authorization response, SSG treats the connection as postpaid.

In the case of volume quota, instead of SSG using a single token, two quota tokens can be allocated to accommodate the tariff switching functionality.

Service Reauthorization

When the quota for the connection reaches zero, SSG issues a Service Reauthorization Request to the billing server. For volume-based billing, SSG decrements the volume-based quota until it runs out. For time-based billing, the connection is allowed to proceed for the quota duration. The Service Reauthorization Request includes an SSG VSA called Quota Used, which has the same format as the Quota VSA described in Table 4. The content of the Service Reauthorization Request is described in Table 5.

Table 5 Contents of Service Reauthorization Request

Attribute ID
Attribute Name
Description
Notes

1

User-Name

MS user name

2

PAP Password

Global service profile password

4

NAS IP Address

SSG IP address

6

Service-Type

Framed-user

26

Vendor-Specific

Name of service

Subattribute ID 251; code N (the service-name).

26

Vendor-Specific

Quota

Subattribute ID 253.

The Quota Used VSA has the same format as the Quota VSA.

26

Vendor-Specific

Upstream traffic bytes

Subattribute ID 253; code 0.

26

Vendor-Specific

Downstream traffic bytes

Subattribute ID 253; code 1.

31

Calling-Station-ID

MSISDN

44

Acct-Session-ID

Session ID

55

Time-Stamp

Time-stamp

61

NAS-Port-Type

Asynchronous (value=0)


Accounting Records and Prepaid Billing

SSG and the prepaid billing server use start, stop, and interim accounting records to manage a user's prepaid services, as described in the following sequence:

1. When the user tries to connect to the service, SSG sends an authorization request to the prepaid billing server to download the quota.

2. If SSG gets some valid quota, SSG activates the connection and sends an Accounting-Start record.

3. If quota is exhausted during the usage of the connection, SSG sends reauthorization requests.

4. After a configurable period of time, the interim accounting records are sent to the prepaid billing server.

5. When the user logs out of the service, SSG sends an accounting stop to the prepaid billing server to indicate that the session has ended. Based on the usage data in the Accounting-Stop record, the unused quota is sent back to the user's account by the billing server.

Simultaneous Volume- and Time-Based Prepaid Billing

The Simultaneous Volume- and Time-Based Prepaid Billing feature allows SSG to provide volume- and time-based tracking on the same connection.

The prepaid billing server allocates quotas in both time and volume. That is, the authorization response contains both "QT" and "QV" attributes, and SSG is able to monitor the connection on both types. SSG performs a reauthorization whenever either of these quota types is exhausted. The next Service-Authorization response packet contains the usage on both of these quota types.

Note Both the time and volume quota parameters must be nonzero.

The simultaneous volume- and time-based prepaid billing feature can interwork with the prepaid idle-timeout functionality and volume threshold. Table 6 describes the attributes contained in a Service-Authorization response packet.

Table 6 Contents of Service-Authorization Response Packet

Attribute ID
Vendor ID
Subattribute ID
Attribute Name
Type
Value

26

9

253

Quota

ASCII string

"QT seconds"

26

9

253

Quota

ASCII string

"QV bytes"


SSG Prepaid Idle Timeout

The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.

The SSG Prepaid Idle Timeout feature enables the services described in the following sections:

Residual Quota Return

SSG returns residual quota to the prepaid billing server from services that a user is logged in to but not actively using. When the inactivity on the service is equal to the idle-timeout value sent in the response, the unused quota is returned to the prepaid billing server. This unused quota can be applied to the quota for the services that the user is actively using.

Open a Connection with Zero Quota

When SSG is configured to use the SSG Prepaid Idle Timeout feature, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value expires.

Portal Page Redirection

A billing server returns a zero quota and a nonzero idle timeout when a user has run out of credit for a service. The user is then redirected to the portal page to replenish the quota. While the user's connection to the original service is retained, any traffic passing through the connection is dropped. This enables a user to replenish quota without losing connections to services or having to perform additional service logins.

SSG returns the quota in a reauthorization request and adds a VSA called the Reauthorization Reason attribute, which verifies that the reauthorization request is to return the quota to the user, and not to query for more quota. The content of the Reauthorization Reason attribute is described in Table 7.

Table 7 Reauthorization Reason Attributes

Reauthorization Reason Attribute
Description

Not present

No Reauthorization Reason attribute is sent if reauthorization is performed because of quota expiry (time or volume), except for the special case "QR0."

QR0

A reauthorization reason QR0 is sent if reauthorization is performed because of quota expiry (time) but the user is idle; that is, no user traffic has been received since the reception of the preceding Access-Accept packet.

This applies if the preceding Access-Accept packet for service reauthorization contained:

The Idle-Timeout attribute with value "0"

The Volume-Quota (QV or QX) attribute with value "0"

The Time-Quota attribute with value ">0"

Reauthorization reason QR0 indicates to the prepaid server that no new (volume) quota needs to be allocated; that is, there is no ongoing user traffic.

QR1

Reauthorization is performed because of idle timer expiry; that is, no user traffic received was for the time specified in the Idle-Timeout attribute.


The interworking of idle-timeout and dual-quota functionality with the existing prepaid features is shown in Table 8.

Table 8 Interworking of Idle-Timeout and Dual-Quota Functionality

QT
QV
Idle-Timeout
SSG Action

SSG opens the connection and considers postpay connection. No reauthorization is performed.

0

0

0

SSG opens the connection. Reauthorization occurs when user traffic comes in.

0

0

SSG closes or does not open the connection.

0

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs after a time interval equal to the idle-timeout value.

0

>0

0

SSG closes or does not open the connection.

0

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted, or no user traffic for a time interval that is equal to the idle-timeout value.

>0

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted, or no user traffic for a time interval that is equal to the idle-timeout value.

>0

>0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.

>0

>0

0

SSG opens the connection. Reauthorization occurs when QT or QV is exhausted.

>0

0

>0

SSG opens the connection but blocks user traffic (drops or redirects). Reauthorization occurs when QT is exhausted or after a time interval equal to the idle-timeout value.

>0

0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.


SSG Prepaid Reauthorization Threshold

Using the SSG Prepaid Reauthorization Threshold feature, you can configure SSG to reauthorize for more quota when the quota allocated to SSG falls below a configurable minimum threshold value. You can also configure SSG to drop traffic when it is reauthorizing for the connection. This prevents revenue leaks in the event that the billing server returns a zero quota for the connection.

When the SSG Prepaid Reauthorization Threshold feature is not configured, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. You can prevent this type of revenue leak by configuring a threshold value, causing SSG to reauthorize a user's connection before the user completely consumes the allocated quota for a service.

If you configure SSG to drop traffic during reauthorization and configure a threshold value, user traffic continues until the user exhausts the allotted quota. When the allotted quota is used, the traffic is dropped until SSG receives a reauthorization response.

SSG Prepaid Redirection on Quota Exhaustion Feature

The SSG Prepaid Redirection on Quota Exhaustion feature gives users the opportunity to replenish prepaid quota while maintaining the current connection. When the prepaid billing server returns a quota value of 0 and a positive idle-timeout value, SSG redirects the user to a portal page where additional quota can be purchased. If the user purchases additional quota, the prepaid billing server returns a positive quota value to SSG, which allows the connection to continue.

Note When SSG redirects a user to a portal page, it maintains the user's connection to the original service, although any traffic passing through the connection is dropped. This enables the user to replenish quota without requiring a subsequent service login, provided that the reauthorization timeout has not been exceeded.

Default Quota for Prepaid Server Failure

SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the service.

When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user's connection to the service will be terminated.

SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated because of the unavailability of the prepaid server. Table 9 describes the Prepaid Default Quota VSA.

Table 9 Prepaid Default Quota VSA

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

251 Service-Info

Prepaid Default Quota

PZQT seconds—sets a default time quota.

or

PZQVbytes—sets a default volume quota.


Benefits of the SSG Prepaid Feature

Concurrent Prepaid Service Access

The SSG Prepaid feature can support concurrent prepaid service access while maintaining the same pool of quota at the prepaid billing server. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to a service while connected to other services.

Real-Time Billing

The SSG Prepaid feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.

Redirection Upon Exhaustion of Quota

When a user runs out of quota, SSG can redirect the user to a portal where the user can replenish the quota without being disconnected from the service.

Returning Residual Quota

The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged in to but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.

Threshold Values

The SSG Prepaid Reauthorization Threshold feature can prevent revenue leaks by enabling the user to configure a threshold value. Configuring a threshold value causes user connections to be reauthorized before the user completely consumes the allotted quota for a service.

Traffic Status During Reauthorization

Revenue leaks can be prevented by configuring SSG to drop connected traffic during reauthorization of a service. The user remains connected to the service and need not log in again to the service, but no traffic is forwarded during the reauthorization process. This prevents users from continuing to use a service for which they have run out of quota while SSG sends a reauthorization request to the billing server.

Simultaneous Volume- and Time-Based Prepaid Billing

SSG supports rating on both time and volume simultaneously for prepaid services. The prepaid billing server may allocate quotas in both time and volume, and SSG monitors the connection for either type. SSG performs a reauthorization whenever either of these quota types is exhausted.

Prepaid Tariff Switching

Prepaid tariff switching allows changes in tariffs during the lifetime of a connection. This feature applies to volume-based prepaid connections where the tariff changes at certain times of the day.

Typically, a service provider uses prepaid tariff switching to offer different tariffs to a user during an active connection; for example, changing a user to a less expensive tariff during off-peak hours.

When SSG is monitoring the prepaid connection based on volume, at the tariff switching time, SSG can switch to the new charging rate. This feature will interoperate with all existing prepaid functionality, including the idle-timeout feature.

Note SSG is not involved in computing the billing rate changes that occur at tariff switch points. Billing rate change computations are performed by the prepaid billing server.

SSG supports prepaid tariff switching by using two quota tokens that correspond to the pretariff switch time period and posttariff switch time period.

In the authorization response, the prepaid billing server specifies the tariff change time and the tokens for post-switch and pre-switch periods in its authorization response to SSG.

Note The tariff change time denotes the delay, in seconds, between the authorization and the tariff switch.

SSG uses the prepaid tariff switch quota until the tariff switch occurs. Upon tariff switch, SSG performs a token switch and starts using the postpaid tariff quota for prepaid connection monitoring. Reauthorization occurs only when either of these tokens is exhausted, not when a tariff change occurs.

Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs

Table 10 describes the behavior of SSG in the various events that occur when prepaid tariff switching takes place.

Table 10 Authorization and Reauthorization Behavior

Event
Action

An authorization response is received containing the dual-quota token tariff switch attribute.

Tariff switching is enabled on SSG for a given prepaid connection.

During data forwarding, the quota runs out before the tariff switch occurs.

SSG performs a reauthorization in the same way as in a no tariff switching case. The prepaid billing server may recalculate the tariff switch time and send the response again. Note that tariff switch attributes are not included in the reauthorization response.

During data forwarding, the tariff switch time elapses after the last authorization.

SSG switches from the current quota token to the second quota token. The new quota token is now used for real-time accounting.

During data forwarding, the quota runs out after the tariff switch.

SSG will send the quota usage in pre- and posttariff periods back to the prepaid server in the authorization response.

The user logs out of the service after the tariff switch.

SSG will report the quota usage in the pre- and posttariff switch periods in the Accounting Stop packet.

The user logs out of the service before the tariff switch.

SSG sends a normal Accounting-Stop packet, as in the nontariff switching case.

Interim accounting

If the connection is in the posttariff switch period, SSG will report quota usage in the pre- or posttariff switching periods in the interim accounting packet.


SSG Prepaid Tariff Switching VSAs

The VSA shown in Table 11 is used in authorization and reauthorization responses to send quota tokens and the tariff switch time. Table 11 describes the VSA content.

Table 11 Content of VSA Used in Authorization/Reauthorization Response Packets

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

X—Tariff switch code for prepaid quota.

time;—Tariff switch time, in seconds.

volume;—Preswitch quota volume token, in bytes.

volume— Postswitch quota volume token, in bytes.


The VSA shown in Table 12 is used in reauthorization requests and accounting packets. This VSA is used in addition to the usual Quota Volume attribute that indicates the total volume usage in a connection. Table 12 describes the VSA content.

Table 12 Content of VSA Used in Reauthorization Requests and Accounting Packets

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

253
Control-Info

Quota

Q—Control-Info code for prepaid quota.

B;—Tariff switch code for denoting the total volume used after the last tariff switch.

volume—Total volume of traffic in that connection (since start) after the last tariff switch, in bytes.

time—Tariff switch time in the UNIX time stamp. This is used only in postpaid service accounting records.


Interim Accounting Updates for SSG Prepaid Tariff Switching

The interim accounting records contain the cumulative usage information (since start of connection) and the amount of usage after the last tariff switch time. The Accounting-Stop record contains the total usage information and the volume of traffic sent after the last tariff switch.

Note Only one interim accounting record in every tariff switching interval plus an Accounting-Stop record is required for the billing server to reconstruct the usage information before and after the switching time.

The following example illustrates how the accounting interim updates would look in various tariff switch periods and how the billing server has to interpret the records to obtain the individual usages in the various intervals.

Consider a user logged in to the connection at time T0. The tariff switch points in that week are Tx, Ty, and Tz. The user logs off at T1.

Accounting records A1 through A5 were sent in the various tariff switching intervals. All interim accounting records contain the total volume of traffic sent in the connection from start until that point in time. This volume of traffic value is available in the standard accounting attributes and the SSG Accounting VSAs. For records sent after a tariff switch, the tariff switch VSA indicates usage since the last tariff switch point.

Accounting record A1 does not contain any tariff switch VSAs. Accounting record A2 contains a tariff switch VSA to indicate the usage since the last tariff switch point (Tx). Note that more than one interim accounting record can be sent in the interval, depending on the accounting interval configured. It is possible to derive the usage in the various intervals even if only one accounting record in an interval was successfully sent. The following sequence shows how the billing server calculates usage in the interval between Tx and Ty.

Record A2 contains total volume (V2) and usage since the last tariff switch point Tx (T2). The amount of usage in interval (T0,Tx) is represented as V(0,x) = V2 - T2.

Record A3 contains total volume (V3) since start of connection, and the last tariff switch point Ty (T3). The amount of usage in interval (T0,Ty) is represented as V(0,y) = V3 - T3. The amount of usage in interval (Tx,Ty) is represented as V(x,y) = V(0,y) - V(0,x).

Note Accounting-Stop record A5 also contains only the total volume and the usage since the last tariff switch point, and not the usage in the various intervals.

The information in these interim accounting records enables the service provider to derive the accounting information in the various tariff switching intervals.

Dual Quota and Idle-Timeout Prepaid Tariff Switching

The dual quota functionality also interworks with the tariff switching functionality. Instead of the QV and QT attributes being present in the authorization response, QX and QT attributes can be present together in the authorization response. In this case, reauthorization is done whenever the time quota runs out and either of the two volume quota tokens runs out in its respective period. Table 13 describes the attributes contained in a response to a service reauthorization request.

Table 13 Contents of Service Reauthorization Response Packet

Attribute
ID
Vendor
ID
Subattribute
ID
Status
Attribute Name
Type
Subattribute Data

28

   

Optional

Idle-Timeout

Integer

Idle Timeout

26

9

253

Optional

Quota

ASCII string

QT seconds

26

9

253

Mandatory

Quota-for-Tariff Switching

ASCII string

QX seconds;
bytes; bytes


Tariff quota is considered to be exhausted when prepaid tariff quota (PRE) is exhausted before tariff switching, or when the postpaid tariff (POST) quota is exhausted after tariff switch. The interworking of dual quota functionality with tariff switching and idle-timeout is shown in Table 14.

Note In Table 14, QT represents time-based quota, and QX represents quota for prepaid and postpaid tariff switching. TS denotes time of tariff switch, PRE denotes prepaid switch quota, and POST denotes postpaid switch quota. QXTS;PRE;POST represents QX time-of-tariff-switch; prepaid-switch-quota; postpaid-switch-quota.

Table 14 Interworking of Dual-Quota Functionality with Idle-Timeout

QT
QXTS;PRE;POST
Idle-Timeout
SSG Action

0

>0;0;0

0

SSG opens the connection. Reauthorization occurs when user traffic comes in.

0

>0;0;0

>0

SSG opens the connection but blocks user traffic (drop or redirect). Reauthorization occurs after a time interval equal to the idle timeout value.

0

Any combination not covered by idle-timeout equal to or greater than 0

0 or >0

SSG closes or does not open the connection.

>0

>0;>0;>0

>0

SSG opens the connection. Reauthorization occurs when the time-based quota (QT) or the prepaid quota (PRE) is exhausted before tariff switching, or when the prepaid (PRE) and postpaid (POST) quotas are exhausted, or when no user traffic occurs for a time interval equal to the idle-timeout value.

>0

>0;>0;0

>0

SSG opens the connection. Reauthorization occurs when QT or PRE is exhausted before tariff switching when tariff switching occurs, or when no user traffic occurs for a time interval equal to the idle-timeout value.

>0

>0;>0;>0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or PRE is exhausted before tariff switching, or when the sum of PRE and POST tariff is exhausted.

>0

>0;>0;0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when tariff quota is exhausted.

>0

>0;0;0

0

SSG opens the connection. Reauthorization occurs when QT is exhausted or when user traffic comes in.


If dual quota was allotted in the earlier authorization, the reauthorization request contains both the volume and time attributes. The volume attributes may include the quota for tariff switching (QB) or the volume-based quota (QV) when the connection is made in the post-tariff switch period. The reauthorization reason attribute may be present in the reauthorization request. Table 7 describes the reasons.

Extended Prepaid Tariff Switching for SSG

The Extended Prepaid Tariff Switch for SSG feature is used to measure the usage of specific services at various times, even when the monetary value of the volume quota does not change at the time of tariff switching. In such a scenario, the remaining amount of a user's prepaid tariff switch quota continues as postpaid tariff switch quota. Information can be collected about how much quota was used before a particular time and how much was used after, providing a usage profile of specific services at various times.

For instance, say that gaming and stock trading services are offered. Using the Extended Prepaid Tariff Switch feature, the user could purchase quota that could be used for each service at the same flat rate. Gaming traffic may be higher in the evenings, for example, while stock trading may be in more demand during business hours. The resulting usage profile can help you decide whether to charge a premium for specific services at specific times.

Postpaid Tariff Switching for SSG

The Postpaid Tariff Switching for SSG feature allows changes in tariffs during the lifetime of a connection. This feature applies to volume-based postpaid connections where the tariff changes at certain times of the day.

Typically, a service provider uses postpaid tariff switching to offer different tariffs to a user during an active connection; for example, changing a user to a less expensive tariff during off-peak hours.

To handle tariff switches for postpaid connections, the accounting packets log the usage information during the various tariff switch intervals. The service profile contains a weekly tariff switch plan detailing the times of day at which tariff changes occur. SSG monitors the usage at every tariff switch point and records this information in the interim accounting records. The billing server monitors all accounting interim updates and obtains the information about the volume of traffic sent at each tariff rate.

Note Tariff switching is not required for time-based billing services. Because the billing server knows the service login time stamp and logout time stamp, it can calculate the different tariffs that apply during that time.

How to Configure SSG Accounting

This section describes how to configure SSG accounting features and contains the following tasks:

Configuring SSG Accounting

Configuring SSG Broadcast Accounting

Configuring SSG Prepaid Features

Configuring Postpaid Tariff Switching for SSG

Configuring SSG Accounting

Perform this task to enable SSG accounting.

Prerequisites for Configuring SSG Accounting

The RADIUS server must be configured and operational before you configure SSG accounting.

SUMMARY STEPS

1. ssg accounting [per-host] [per-service] [interval seconds]

2. ssg accounting stop rate-limit [records]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

ssg accounting [per-host] [per-service] [interval seconds]

Example:

Router(config)# ssg accounting per-host interval 60

Enables SSG accounting and specifies the interval at which accounting updates are sent to the accounting server.

To enable the sending of per-host accounting records only, use the per-host keyword.

To enable the sending of per-service accounting records only, use the per-service keyword

Step 2 

ssg accounting stop rate-limit [records]

Example:

Router(config)# ssg accounting stop rate-limit 200

Limits the rate of accounting records sent per second.

The value can be set between 10 and 5000.

Configuring SSG Broadcast Accounting

SSG broadcast accounting requires the configuration of a broadcast group. Perform this task to send host accounting records to multiple servers.

Note This is not the same as RADIUS server failover. It clones accounting packets, which are then always forwarded to each of the configured servers, not only when the primary server fails.

SUMMARY STEPS

1. aaa group server radius group-name

2. server ip-address auth-port auth-port-number acct-port acct-port-number

3. aaa group server radius group-name

4. server ip-address auth-port auth-port-number acct-port acct-port-number

5. aaa accounting network accounting-list-name start-stop broadcast group group-name group group-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius BILLING

Defines the server group.

Step 2 

server ip-address auth-port auth-port-number acct-port acct-port-number

Example:

Router(config)# server 10.10.50.181 auth-port 1812 acct-port 1813

Configures a server in the selected server group.

Step 3 

aaa group server radius group-name

Example:

Router(config)# aaa group server radius HOTSTANDBY

Defines the server group.

Step 4 

server ip-address auth-port auth-port-number acct-port acct-port-number

Example:

Router(config-sg)# server 10.10.50.180 auth-port 1812 acct-port 1813

Configures a server in the selected server group.

Step 5 

aaa accounting network accounting-list-name start-stop broadcast group group-name group group-name

Example:

Router(config)# aaa accounting network ssg_broadcast_accounting start-stop broadcast group BILLING group HOTSTANDBY

Configures a broadcast accounting network list.

The accounting-list-name argument must be ssg_broadcast_accounting.

Configuring SSG Prepaid Features

This section contains the following tasks:

Configuring SSG Prepaid Features on the Router

Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature

Redirecting TCP Traffic for SSG Prepaid Quota Refill

Verifying Configuration of the SSG Prepaid Feature

Configuring SSG Prepaid Features on the Router

Perform this task to configure SSG prepaid features on the router.

Prerequisites for SSG Prepaid Features

SSG accounting must be enabled in order for the SSG Prepaid features to be used. SSG accounting is enabled by default. If it has been disabled, enable it by using the ssg accounting command in global configuration mode.

Restrictions for SSG Prepaid Features

Quotas are measured in seconds for time or bytes for volume. There is no way to change the unit of measure.

The volume quota is for combined upstream and downstream traffic.

Returning quota when the connection is idle is supported only for volume-based connections. It is not supported for time-based connections.

SUMMARY STEPS

1. radius-server attribute 44 include-in-access-req

2. radius-server attribute 55 include-in-acct-req

3. ssg aaa group prepaid server-group

4. ssg prepaid threshold [time seconds]

5. ssg prepaid threshold [volume bytes]

6. ssg prepaid threshold default-quota [number-of-times]

7. ssg prepaid reauthorization drop-packet

8. radius-server vsa send authentication

9. radius-server vsa send accounting

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

radius-server attribute 44 include-in-access-req

Example:

Router(config)# radius-server attribute 44 include-in-access-req

Sends RADIUS attribute 44 (Accounting Session ID) in Access-Request packets for quota authorization, and enables the sending of this attribute in user authentication requests.

Step 2 

radius-server attribute 55 include-in-acct-req

Example:

Router(config)# radius-server attribute 55 include-in-acct-req

Sends RADIUS attribute 55 (Event-Timestamp) in accounting packets.

Step 3 

ssg aaa group prepaid server-group

Example:

Router(config)# ssg aaa group prepaid ssg_prepaid

(Optional) Specifies the server group to be used for SSG prepaid authorization.

If the server group is not configured, SSG will send prepaid requests to the local AAA server, which then parses the prepaid authorizations and reauthorizations.

Step 4 

ssg prepaid threshold [time seconds]

Example:

Router(config)# ssg prepaid threshold time 100

(Optional) Sets the prepaid threshold time in seconds.

SSG performs a reauthorization when a user's quota reaches this threshold.

Step 5 

ssg prepaid threshold [volume bytes]

Example:

Router(config)# ssg prepaid threshold volume 100

(Optional) Sets the prepaid threshold volume in bytes. SSG performs a reauthorization when a user's quota matches this byte value.

Step 6 

ssg prepaid threshold default-quota [number-of-times]

Example:

Router(config)# ssg prepaid threshold default-quota 26

(Optional) Specifies the number of times that SSG will allocate the default quota when the prepaid server is unreachable.

Step 7 

ssg prepaid reauthorization drop-packet

Example:

Router(config)# ssg prepaid reauthorization drop-packet

(Optional) Configures SSG to drop prepaid traffic during reauthorization if threshold values are not configured.

Note When threshold values are configured, traffic is dropped during reauthorization after a user completely exhausts the allotted quota and before SSG gets a reauthorization response from the billing server.

Step 8 

radius-server vsa send authentication

Example:

Router(config)# radius-server vsa send authentication

Configures the network access server to send VSAs in an authentication request to the RADIUS server.

Step 9 

radius-server vsa send accounting

Example:

Router(config)# radius-server vsa send accounting

Configures the network access server to send VSAs in an accounting request to the RADIUS server.

Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature

To configure support of the SSG Prepaid feature, you must add the following vendor-specific attributes to RADIUS profiles:

Service Authorization (Z) attribute

Prepaid Server (PZS) attribute

Prepaid Accounting Interval (PZI) attribute

Redirecting TCP Traffic for SSG Prepaid Quota Refill

Perform this task to configure SSG to redirect a user's TCP traffic to a prepaid portal when the user runs out of quota on the billing server.

Prerequisites

The SESM Captive Portal feature must be configured on the appropriate port to listen for redirect requests.

SUMMARY STEPS

1. ssg tcp-redirect

2. server-group group-name

3. server ip-address port

4. Repeat Step 3 to add servers to the captive portal group.

5. end

6. redirect prepaid-user to server-group-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

ssg tcp-redirect

Example:

Router(config)# ssg tcp-redirect

Sets the server group and server used for quota refill redirection.

Step 2 

server-group group-name

Example:

Router(config-ssg-redirect)# server-group myserver group

Defines the group of one or more servers that make up a named captive portal group and enters SSG-redirect-group configuration mode.

group-name—Name of the captive portal group.

Step 3 

server ip-address port

Example: 
Router(config-ssg-redirect-group)# server 
192.168.10.10 port 1

Adds a server to a captive portal group.

ip-address—IP address of the server to add to the captive portal group.

port—TCP port of the server to add to the captive portal group.

Step 4 

Repeat Step 3 to add servers to the captive portal group.

Step 5 

end

Example:

Router(config-ssg-redirect-group)# end

Exits SSG-redirect-group configuration mode.

Step 6 

redirect prepaid-user to server-group-name

Example:

Router(config-ssg-redirect)# redirect prepaid-user to myserver

Configures a captive portal group for redirection of prepaid user traffic.

server-group-name—Name of the captive portal group.

Verifying Configuration of the SSG Prepaid Feature

This optional task explains how to verify the configuration and operation of the SSG Prepaid feature. The commands contained in the task steps can be used in any sequence and may need to be repeated.

SUMMARY STEPS

1. show ssg connection ip-address service-name [interface]

2. show ssg service [service-name [begin expression | exclude expression | include expression]]

3. show ssg tcp-redirect group [group-name]

4. show running-config

DETAILED STEPS

Step 1 Enter the show ssg connection command to display information about the host's connection to the specified service, including quota information for prepaid connections.

The following output is displayed for a user that has a nonzero volume quota with a nonzero idle timeout: 

Router# show ssg connection 172.16.0.0 Internet


 ------------------------ConnectionObject Content -----------------------

User Name:quser

Owner Host:172.16.0.0

Associated Service:Internet

Connection State:0 (UP)

Connection Started since:*01:45:09.000 GMT Thu Oct 9 2003

User last activity at:*01:45:09.000 GMT Thu Oct 9 2003

Connection Traffic Statistics:

	Input Bytes = 4000, Input packets = 40

	Output Bytes = 4000, Output packets = 40


Prepaid quota:

	Quota Type = `Volume', Quota Value = 11200

	Timeout Value = 60


Session policing disabled

The following output is displayed for a user that has a zero volume quota with zero idle timeout: 

Router# show ssg connection 172.16.0.0 Internet


------------------------ConnectionObject Content -----------------------

User Name:quser

Owner Host:172.16.0.0

Associated Service:Internet

Connection State:0 (UP)

Connection Started since:*02:29:09.000 GMT Thu Oct 9 2003

User last activity at:*02:30:14.000 GMT Thu Oct 9 2003

Connection Traffic Statistics:

         Input Bytes = 0, Input packets = 0

         Output Bytes = 0, Output packets = 0


Prepaid quota:

        Quota Type = 'VOLUME', Quota Value = 0

        Timeout Value = 0


Session policing disabled

The following output is displayed when a user receives a time quota: 


Router# show ssg connection 172.16.0.0 Internet


------------------------ConnectionObject Content -----------------------

User Name:quser

Owner Host:172.16.0.0

Associated Service:Internet

Connection State:0 (UP)

Connection Started since:*02:35:51.000 GMT Thu Oct 9 2003

User last activity at:*02:35:51.000 GMT Thu Oct 9 2003

Connection Traffic Statistics:

       Input Bytes = 0, Input packets = 0

       Output Bytes = 0, Output packets = 0

Prepaid quota:

        Quota Type = 'TIME', Quota Value = 30

Session policing disabled

The following output is displayed when a user receives a zero time quota with idle timeout: 

Router# show ssg connection 172.16.0.0 Internet


------------------------ConnectionObject Content -----------------------

User Name:quser

Owner Host:172.16.0.0

Associated Service:Internet

Connection State:0 (UP)

Connection Started since:*02:38:20.000 GMT Thu Oct 9 2003

User last activity at:*02:38:20.000 GMT Thu Oct 9 2003

Connection Traffic Statistics:

         Input Bytes = 0, Input packets = 0

         Output Bytes = 0, Output packets = 0

Prepaid quota:

         Quota Type = 'TIME', Quota Value = 0

         Timeout Value = 60


Session policing disabled

Step 2 Enter the show ssg service command to display the redirect group configured for a service: 

Router# show ssg service Internet


------------------------ ServiceInfo Content -----------------------

Uplink IDB: gw:10.0.0.0

Name:Internet

Type:PASS-THROUGH

Mode:CONCURRENT

Service Session Timeout:0 seconds

Service Idle Timeout:0 seconds

Service refresh timeleft:102 minutes

Authorization Required ! Indicates a prepaid service

Authentication Type:CHAP

Reference Count:1


DNS Server(s):

No Radius server group created. No remote Radius servers.

Prepaid Redirect Service Group = InternetRedirectGroup  !

Service-specific redirect group


Included Network Segments:

       172.16.0.0/255.255.0.0

Excluded Network Segments:

ConnectionCount 1

Full User Name not used


Domain List:


Active Connections:

         1   :RealIP=10.0.0.0, Subscriber=172.18.0.2


------------------------ End of ServiceInfo Content ----------------

Step 3 Enter the show ssg tcp-redirect group command to display the configured redirect server groups. The output displayed shows two configured redirect groups. The redirect default group called "DefaultRedirectGroup" is used to redirect prepaid connections when a user runs out of quota, and the corresponding service is not configured with any service-specific redirect group: 

Router# show ssg tcp-redirect group 


Current TCP redirect groups:

  InternetRedirectGroup

  DefaultRedirectGroup 

! The default redirect group is used to redirect prepaid connections when the user runs 
out of quota and the corresponding service is not configured with any service-specific 
redirect group.


Unauthenticated user redirect group:None Set

Default service redirect group:None Set

Prepaid user default redirect group:DefaultRedirectGroup

SMTP forwarding group:None Set

Default initial captivation group:None Set

Default advertising  captivation group:None Set


Step 4 Enter the show running-config command to display the contents of the current running configuration: 

Router# show running-config


.

.

.

ssg prepaid reauthorization drop-packet

ssg prepaid threshold volume 2000

ssg prepaid threshold time 10

.

.

.

ssg tcp-redirect

  server-group InternetRedirectGroup

    server 255.255.255.253 8080

    server 255.255.255.100 80

!

  server-group DefaultRedirectGroup

    server 10.0.0.1 8080

    server 10.0.0.20 80

!

 redirect prepaid-user to DefaultRedirectGroup

.

.

.

Configuring Postpaid Tariff Switching for SSG

Perform this task to configure the Postpaid Tariff Switching for SSG feature.

Post-Paid VSA

SSG uses VSA 26 in the service profile to specify the tariff switch points. Table 15 describes the contents of this VSA

.

Table 15 Post-Paid VSA Content

Attribute ID
Vendor ID
Subattribute ID and Type
Attribute Name
Subattribute Data

26

9

251
Service-Info

post-paid

P—Service-Info code for postpaid service.

W—Service-Info code for weekly tariff switch plan.

weekly time—Weekly tariff switch time in hh:mm:ss:d format.

hh = hour of day <0-23>

mm = minutes <0-59>

ss = seconds <0-59>

d = bitmap format for the days of the week. Each weekday is represented by one bit, as follows:

00000001 = Monday

00000010 = Tuesday

00000100 = Wednesday

00001000 = Thursday

00010000 = Friday

00100000 = Saturday

01000000 = Sunday


SUMMARY STEPS

1. Add the Post-Paid VSA (attribute 26) to the service profile using the parameters listed in Table 15.

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

Add the Post-Paid VSA (attribute 26) to the service profile using the parameters listed in Table 15.

Specifies the tariff switch points for postpaid tariff switching.

Examples

The following example shows the configuration of the Service Profile Definition to support a daily fee. The tariff switch will occur each midnight. 

SSG Service-Info = "PPW00:00:00:127"

The following example show the configuration of the Service Profile Definition to support an off-peak tariff in which a tariff switch occurs Monday through Friday at 8:00 p.m.: 

SSG Service-Info = "PPW20:00:00:31"

The following example shows the configuration of the Service Profile Definition to support an on-peak tariff in which a tariff switch occurs Monday through Friday at 6:00 a.m.: 

SSG Service-Info = "PPW06:00:00:31"

Configuration Examples for SSG Accounting

This section contains the following examples:

Accounting Update Interval per Service in RADIUS: Example

Basic Prepaid Configuration: Examples

TCP Redirect for Prepaid Users: Example

Configuring Prepaid Threshold Value: Examples

Accounting Update Interval per Service in RADIUS: Example

In the following example, the interim accounting interval for the RADIUS service profile named proxy_ser is set at 90 using the L90 attribute: 

user = proxy_ser{

radius=7200-SSG-v1.1 {

check_items= {

2=cisco

}

reply_attributes= {

9,251="TX"

9,251="R10.10.0.0;255.255.0.0"

9,251="S255.255.255.253;1645;1646;cisco;2;0"

9,251="L90"

28=600

}

}

}

In the following example, the local profile cisco.com is configured on the router to send an interim accounting update every 90 seconds: 

Router(config)# local-profile cisco.com

Router(config-prof)# attribute 26 9 1 "L90"

Basic Prepaid Configuration: Examples

The following example shows how to configure SSG to provide basic prepaid billing services: 

radius-server attribute 44 include-in-access-req

radius-server attribute 55 include-in-acct-req

The following example show a service profile configured to support a prepaid service: 

ExampleProfile Password = "servicecisco", Service-Type = Outbound

   Service-Info = "IVideo Jam",

   Service-Info = "R10.10.10.0;255.255.255.0",

   Service-Info = "D10.10.10.10",

   Service-Info = "Omy-video.net",

   Service-Info = "MS",

   Service-Info = "Z"

TCP Redirect for Prepaid Users: Example

The following example shows how to configure a captive portal group called PrepaidRedirectGroup, add two servers to PrepaidRedirectGroup, and redirect prepaid users to the newly created captive portal: 

ssg enable

ssg tcp-redirect

 server-group PrepaidRedirectGroup

  server 10.0.0.1 8080

  server 10.0.0.20 80

  end

 redirect prepaid-user to PrepaidRedirectGroup

Configuring Prepaid Threshold Value: Examples

The following example shows how to configure a threshold time value of 10 seconds: 

ssg prepaid threshold time 10

The following example shows how to configure a threshold volume value of 2000 bytes: 

ssg prepaid threshold volume 2000

The following example shows how to configure SSG to drop traffic during reauthorization: 

ssg prepaid reauthorization drop-packet

Additional References

The following sections provide references related to the SSG Accounting feature.

Related Documents

Related Topic
Document Title

Configuring SESM

Cisco Subscriber Edge Services Manager documentation

SSG commands

Cisco IOS Service Selection Gateway Command Reference

RADIUS commands

Cisco IOS Security Command Reference

RADIUS configuration tasks

"Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide

Configuring L2TP

Cisco IOS Dial Technologies Configuration Guide

Cisco IOS Dial Technologies Command Reference


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Configuring SSG Accounting

Table 16 lists the features in this module and provides links to specific configuration information.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 16 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 16 Feature Information for Configuring SSG Accounting 

Feature Name
Software Releases
Feature Configuration Information

Extended Prepaid Tariff Switching for SSG

12.3(14)T
12.4

The Extended Prepaid Tariff Switch for SSG feature is used to measure the usage of specific services at various times, even when the monetary value of the volume quota does not change at the time of tariff switching.

The following section provides information about this feature:

Extended Prepaid Tariff Switching for SSG

Postpaid Tariff Switching for SSG

12.2(16)B
12.3(4)T
12.3(14)T
12.4

The Postpaid Tariff Switching for SSG feature allows changes in tariffs during the lifetime of a connection.

The following section provides information about this feature:

Postpaid Tariff Switching for SSG

Configuring Postpaid Tariff Switching for SSG

SSG Accounting

12.0(3)DC
12.2(4)B
12.2(11)T
12.2(16)B
12.3(4)T
12.3(14)T
12.4

The SSG Accounting feature allows a service provider to decide how to configure billing and accounting for its users.

The following sections provide information about this feature:

RADIUS Accounting Records Used by SSG

Types of SSG Accounting

Configuring SSG Accounting

SSG Accounting Update Interval Per Service

12.2(13)T

The SSG Accounting Update Interval Per Service feature allows the service provider to configure different accounting intervals for different services.

The following sections provide information about this feature:

SSG Accounting Update Interval per Service Feature

Accounting Update Interval per Service in RADIUS: Example

SSG Default Quota for Prepaid Billing Server Failure

12.3(11)T

The SSG Default Quota for Prepaid Billing Server Failure feature enables SSG to be configured to allocate a default quota when the prepaid server fails to respond to an authorization request.

The following section provide information about this feature:

Default Quota for Prepaid Server Failure

Prepaid Tariff Switching

SSG Prepaid Enhancements

12.2(16)B
12.3(4)T
12.3(14)T
12.4

The SSG Prepaid Enhancements feature adds support for prepaid tariff switching, postpaid tariff switching, and simultaneous volume- and time-based prepaid billing to the existing SSG Prepaid feature.

The following sections provide information about this feature:

SSG Prepaid Functionality

Prepaid Tariff Switching

Configuring SSG Prepaid Features

Basic Prepaid Configuration: Examples

TCP Redirect for Prepaid Users: Example

Configuring Prepaid Threshold Value: Examples

SSG Prepaid Idle Timeout

12.2T
12.3(4)T

The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged into but not actively using.

The following sections provide information about this feature:

SSG Prepaid Idle Timeout

SSG Prepaid Tariff Switching

12.2(4)B
12.2(11)T

The SSG Prepaid Tariff Switching feature allows changes in tariffs during the lifetime of a connection.

The following sections provide information about this feature:

SSG Prepaid Functionality

Prepaid Tariff Switching

Configuring SSG Prepaid Features

Basic Prepaid Configuration: Examples

TCP Redirect for Prepaid Users: Example

Configuring Prepaid Threshold Value: Examples

SSG Suppression of Unused Accounting Records

12.2T
12.3(4)T

The SSG Suppression of Unused Accounting Records feature allows you to turn off unneeded Service Selection Gateway (SSG) accounting records.

The following sections provide information about this feature:

Types of SSG Accounting

Configuring SSG Accounting

Configuring SSG Accounting

15.0(1)M

This feature was removed in Cisco IOS Release 15.0(1)M.


CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco  IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2005-2009 Cisco Systems, Inc. All rights reserved.