-
Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4T
-
Service Selection Gateway Features Roadmap
-
Overview of SSG
-
Implementing SSG: Initial Tasks
-
Configuring SSG to Serve as a RADIUS Proxy
-
Configuring SSG to Authenticate Web Logon Subscribers
-
Configuring SSG to Authenticate PPP Subscribers
-
Configuring SSG to Authenticate Subscribers with Transparent Autologon
-
Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
-
Configuring SSG for On-Demand IP Address Renewal
-
Configuring SSG Support for Subnet-Based Authentication
-
Configuring SSG for MAC-Address-Based Authentication
-
Configuring SSG for Subscriber Services
-
Configuring SSG Subscriber Experience Features
-
Configuring SSG to Log Off Subscribers
-
Configuring Accounting for SSG
-
RADIUS Profiles and Attributes for SSG
-
SSG Mobile Wireless Enhancements
-
Feedback
Table Of Contents
Prerequisites for SSG Accounting
Information About SSG Accounting
RADIUS Accounting Records Used by SSG
SSG Accounting Update Interval per Service Feature
Accounting Records and Prepaid Billing
Simultaneous Volume- and Time-Based Prepaid Billing
SSG Prepaid Reauthorization Threshold
SSG Prepaid Redirection on Quota Exhaustion Feature
Default Quota for Prepaid Server Failure
Benefits of the SSG Prepaid Feature
Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs
SSG Prepaid Tariff Switching VSAs
Interim Accounting Updates for SSG Prepaid Tariff Switching
Dual Quota and Idle-Timeout Prepaid Tariff Switching
Extended Prepaid Tariff Switching for SSG
Postpaid Tariff Switching for SSG
How to Configure SSG Accounting
Prerequisites for Configuring SSG Accounting
Configuring SSG Broadcast Accounting
Configuring SSG Prepaid Features
Configuring SSG Prepaid Features on the Router
Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature
Redirecting TCP Traffic for SSG Prepaid Quota Refill
Verifying Configuration of the SSG Prepaid Feature
Configuring Postpaid Tariff Switching for SSG
Configuration Examples for SSG Accounting
Accounting Update Interval per Service in RADIUS: Example
Basic Prepaid Configuration: Examples
TCP Redirect for Prepaid Users: Example
Configuring Prepaid Threshold Value: Examples
Feature Information for Configuring SSG Accounting
Configuring SSG Accounting
First Published: May 2, 2005Last Updated: October 2, 2009
Note
Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
Cisco Service Selection Gateway (SSG) accounting features allow a service provider to decide how to configure billing and accounting for its users. This module describes how to configure SSG accounting features including per-host or per-service accounting, broadcast accounting, prepaid service support, and postpaid tariff switching.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SSG Accounting" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
•
•
Prerequisites for SSG Accounting
SSG must be enabled before SSG accounting can be configured.
Information About SSG Accounting
Before you configure SSG accounting functionality, you should understand the following concepts:
•
•
•
RADIUS Accounting Records Used by SSG
SSG sends accounting records with the associated attributes to the RADIUS accounting server when the events described in the following sections occur:
Account Logon and Logoff
SSG sends an accounting-request record to the local RADIUS server when a user logs in or out. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request record marks the start (commencement) of the user service or the stop (termination) of the service.
When a user logs in, SSG sends an accounting-start record to the RADIUS server. When a user logs out, SSG send an accounting-stop record to the RADIUS server.
Note
Example RADIUS Accounting-Start Record Sent by SSG When a User Logs In
This example shows the information contained in a RADIUS accounting-start record.
User-Name = "user1"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = FramedFramed-Protocol = PPPNAS-IP-Address = 192.168.0.0NAS-Port-Type = VirtualAcct-Session-Id = 00000011 ! The session ID numberFramed-IP-Address = 192.168.0.10 ! The user's IP addressAcct-Delay-Time = 0Example RADIUS Accounting-Stop Record Sent by SSG When a User Logs Out
This example shows the information contained in a RADIUS accounting-stop record.
User-Name = "user1"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = FramedFramed-Protocol = PPPNAS-IP-Address = 192.168.0.0NAS-Port-Type = VirtualAcct-Session-Time = 77Acct-Terminate-Cause = User-RequestAcct-Session-Id = 00000011 ! The session ID numberFramed-IP-Address = 192.168.0.10 ! The user's IP addressAcct-Input-Packets = 0 ! Downstream packet countsAcct-Output-Packets = 0 ! Upstream packet countsAcct-Input-Octets = 0 ! Downstream byte countsAcct-Output-Octets = 0 ! Upstream byte countsAcct-Delay-Time = 0The Acct-Session-Time attribute indicates the length of session, expressed in seconds. The Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the following events:
•
•
•
•
Service Logon and Logoff
SSG sends an accounting-start record to the local RADIUS server when a user logs onto a service, and sends an accounting-stop record when a user terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service.
Accounting records are sent only to the local RADIUS server unless the service is a proxy service, in which case they are also sent to a remote RADIUS server.
Example RADIUS Accounting-Start Record for Service Access
This example shows the information contained in an accounting-start record for service access.
User-Name = "user1"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = FramedFramed-Protocol = PPPNAS-IP-Address = 192.168.2.48NAS-Port-Type = VirtualAcct-Session-Id = 00000012Framed-IP-Address = 192.168.2.60 ! User's IP addressService-Info = "NService1.com" ! servicenameService-Info = "Uuser1" ! username-for-serviceService-Info = "TX"Acct-Delay-Time = 0Example RADIUS Accounting-Stop Record for Service Termination
This example shows the information contained in an accounting-stop record for service termination.
User-Name = "user1"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = FramedFramed-Protocol = PPPNAS-IP-Address = 192.168.2.48NAS-Port = 0NAS-Port-Type = VirtualAcct-Session-Id = "00000002"Acct-Terminate-Cause = User-RequestAcct-Session-Time = 84Acct-Input-Octets = 0 ! Downstream packet countsAcct-Output-Octets = 649 ! Upstream packet countsAcct-Input-Packets = 0 ! Downstream byte countsAcct-Output-Packets = 17 ! Upstream byte countsFramed-IP-Address = 192.168.101.10 ! User's IP addressControl-Info = "I0;0" ! high_32_dnst_byte;low_32_dnst_byteControl-Info = "O0;649" ! high_32_upst_byte;low_32_upst_byteService-Info = "NService1.com" ! servicenameService-Info = "Uuser1" username-for-serviceService-Info = "TP"Acct-Delay-Time = 0Types of SSG Accounting
This section provides information about RADIUS accounting for SSG and includes the following topics:
•
Interim Accounting
The SSG supports interim (intermittent) RADIUS accounting updates between the time that SSG sends accounting-start and accounting-stop records. The interim accounting records are sent at a configurable interval, and are valid for both hosts and service connections.
Per-Host Accounting
Per-host accounting is the aggregate of all the connection traffic for a host. SSG does not account for the following types of traffic:
•
•
•
•
Per-host accounting records all other traffic.
By default, SSG sends host and service accounting records. A service provider only interested in host records can disable service (per-connection) accounting with the ssg accounting per-host command.
The per-host accounting records are sent to the local authentication, authorization, and accounting (AAA) server configured with the radius-server host command.
Per-Service Accounting
By default, SSG sends host and service accounting records. A service provider only interested in service records can disable host accounting with the ssg accounting per-host command. Service Accounting-Stop records can be throttled by using the ssg accounting stop rate-limit command.
SSG Accounting Update Interval per Service Feature
The SSG Accounting Update Interval Per Service feature allows the service provider to configure different accounting intervals for different services. Without the SSG Accounting Update Interval Per Service feature, accounting records of all services would be sent at the configured global interval. When enabled, the SSG Accounting Update Interval Per Service feature has the following effects:
•
•
•
•
Broadcast Accounting
SSG supports broadcast accounting, which is the ability to send user accounting records to multiple RADIUS servers. The SSG broadcast accounting feature provides service providers with geographical redundancy for RADIUS servers, and provides accounting records to partners in wholesale models.
Note
SSG Prepaid Functionality
The SSG Prepaid feature allows SSG to immediately check a user's available credit to allow or disallow access to certain services. The user's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.
SSG differentiates prepaid services from postpaid services by the presence of the Service Authorization vendor-specific attribute (VSA) in the service profile.
Table 1 describes the elements of the Service Authorization VSA.
To obtain the first quota for a connection, SSG submits an authorization request to the AAA server. The AAA server contacts the prepaid billing server, which returns the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs the user off from the service that has run out of quota.
This section contains the following topics:
•
•
•
•
•
•
Service Authorization
When a user tries to access a service, SSG downloads the service profile. The presence of the "Z" value in the service profile indicates that this particular service needs to be prepaid, and that SSG must perform authorization before providing access.
Once a service has been identified as prepaid, SSG generates an Access-Request packet called a Service Authorization Request. The contents of this type of Access-Request packet are described in Table 2.
The prepaid billing server generally performs quota authorization based on the same key that was used for authentication. For example, for mobile wireless networks, where the unique key that is used for authentication is the Calling-Station-ID attribute (attribute 31), the quota authorization would also be performed using the Calling-Station-ID attribute.
The prepaid billing server responds to the Service Authorization Request packet with an Access-Accept packet (the Service Authorization Response) that defines the quota parameters for the connection. The Service Authorization Response is listed in Table 3. Access to the service is provided based on the presence and contents of the Quota VSA in the Access-Accept packet listed in Table 4.
Based on the presence and value of quota attributes in the authorization response, SSG will take the following actions:
•
•
•
In the case of volume quota, instead of SSG using a single token, two quota tokens can be allocated to accommodate the tariff switching functionality.
Service Reauthorization
When the quota for the connection reaches zero, SSG issues a Service Reauthorization Request to the billing server. For volume-based billing, SSG decrements the volume-based quota until it runs out. For time-based billing, the connection is allowed to proceed for the quota duration. The Service Reauthorization Request includes an SSG VSA called Quota Used, which has the same format as the Quota VSA described in Table 4. The content of the Service Reauthorization Request is described in Table 5.
Accounting Records and Prepaid Billing
SSG and the prepaid billing server use start, stop, and interim accounting records to manage a user's prepaid services, as described in the following sequence:
1.
2.
3.
4.
5.
Simultaneous Volume- and Time-Based Prepaid Billing
The Simultaneous Volume- and Time-Based Prepaid Billing feature allows SSG to provide volume- and time-based tracking on the same connection.
The prepaid billing server allocates quotas in both time and volume. That is, the authorization response contains both "QT" and "QV" attributes, and SSG is able to monitor the connection on both types. SSG performs a reauthorization whenever either of these quota types is exhausted. The next Service-Authorization response packet contains the usage on both of these quota types.
Note
The simultaneous volume- and time-based prepaid billing feature can interwork with the prepaid idle-timeout functionality and volume threshold. Table 6 describes the attributes contained in a Service-Authorization response packet.
SSG Prepaid Idle Timeout
The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.
The SSG Prepaid Idle Timeout feature enables the services described in the following sections:
Residual Quota Return
SSG returns residual quota to the prepaid billing server from services that a user is logged in to but not actively using. When the inactivity on the service is equal to the idle-timeout value sent in the response, the unused quota is returned to the prepaid billing server. This unused quota can be applied to the quota for the services that the user is actively using.
Open a Connection with Zero Quota
When SSG is configured to use the SSG Prepaid Idle Timeout feature, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value expires.
Portal Page Redirection
A billing server returns a zero quota and a nonzero idle timeout when a user has run out of credit for a service. The user is then redirected to the portal page to replenish the quota. While the user's connection to the original service is retained, any traffic passing through the connection is dropped. This enables a user to replenish quota without losing connections to services or having to perform additional service logins.
SSG returns the quota in a reauthorization request and adds a VSA called the Reauthorization Reason attribute, which verifies that the reauthorization request is to return the quota to the user, and not to query for more quota. The content of the Reauthorization Reason attribute is described in Table 7.
The interworking of idle-timeout and dual-quota functionality with the existing prepaid features is shown in Table 8.
SSG Prepaid Reauthorization Threshold
Using the SSG Prepaid Reauthorization Threshold feature, you can configure SSG to reauthorize for more quota when the quota allocated to SSG falls below a configurable minimum threshold value. You can also configure SSG to drop traffic when it is reauthorizing for the connection. This prevents revenue leaks in the event that the billing server returns a zero quota for the connection.
When the SSG Prepaid Reauthorization Threshold feature is not configured, traffic passed during reauthorization represents a revenue leak if the billing server returns a zero quota for the user. You can prevent this type of revenue leak by configuring a threshold value, causing SSG to reauthorize a user's connection before the user completely consumes the allocated quota for a service.
If you configure SSG to drop traffic during reauthorization and configure a threshold value, user traffic continues until the user exhausts the allotted quota. When the allotted quota is used, the traffic is dropped until SSG receives a reauthorization response.
SSG Prepaid Redirection on Quota Exhaustion Feature
The SSG Prepaid Redirection on Quota Exhaustion feature gives users the opportunity to replenish prepaid quota while maintaining the current connection. When the prepaid billing server returns a quota value of 0 and a positive idle-timeout value, SSG redirects the user to a portal page where additional quota can be purchased. If the user purchases additional quota, the prepaid billing server returns a positive quota value to SSG, which allows the connection to continue.
Note
Default Quota for Prepaid Server Failure
SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the service.
When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user's connection to the service will be terminated.
SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated because of the unavailability of the prepaid server. Table 9 describes the Prepaid Default Quota VSA.
Benefits of the SSG Prepaid Feature
Concurrent Prepaid Service Access
The SSG Prepaid feature can support concurrent prepaid service access while maintaining the same pool of quota at the prepaid billing server. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to a service while connected to other services.
Real-Time Billing
The SSG Prepaid feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat rate, air-time, or volume basis.
Redirection Upon Exhaustion of Quota
When a user runs out of quota, SSG can redirect the user to a portal where the user can replenish the quota without being disconnected from the service.
Returning Residual Quota
The SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged in to but not actively using. The quota that is returned to the billing server can be applied to other services that the user is actively using.
Threshold Values
The SSG Prepaid Reauthorization Threshold feature can prevent revenue leaks by enabling the user to configure a threshold value. Configuring a threshold value causes user connections to be reauthorized before the user completely consumes the allotted quota for a service.
Traffic Status During Reauthorization
Revenue leaks can be prevented by configuring SSG to drop connected traffic during reauthorization of a service. The user remains connected to the service and need not log in again to the service, but no traffic is forwarded during the reauthorization process. This prevents users from continuing to use a service for which they have run out of quota while SSG sends a reauthorization request to the billing server.
Simultaneous Volume- and Time-Based Prepaid Billing
SSG supports rating on both time and volume simultaneously for prepaid services. The prepaid billing server may allocate quotas in both time and volume, and SSG monitors the connection for either type. SSG performs a reauthorization whenever either of these quota types is exhausted.
Prepaid Tariff Switching
Prepaid tariff switching allows changes in tariffs during the lifetime of a connection. This feature applies to volume-based prepaid connections where the tariff changes at certain times of the day.
Typically, a service provider uses prepaid tariff switching to offer different tariffs to a user during an active connection; for example, changing a user to a less expensive tariff during off-peak hours.
When SSG is monitoring the prepaid connection based on volume, at the tariff switching time, SSG can switch to the new charging rate. This feature will interoperate with all existing prepaid functionality, including the idle-timeout feature.
Note
SSG supports prepaid tariff switching by using two quota tokens that correspond to the pretariff switch time period and posttariff switch time period.
In the authorization response, the prepaid billing server specifies the tariff change time and the tokens for post-switch and pre-switch periods in its authorization response to SSG.
Note
SSG uses the prepaid tariff switch quota until the tariff switch occurs. Upon tariff switch, SSG performs a token switch and starts using the postpaid tariff quota for prepaid connection monitoring. Reauthorization occurs only when either of these tokens is exhausted, not when a tariff change occurs.
Authorization and Reauthorization Behavior When Prepaid Tariff Switching Occurs
Table 10 describes the behavior of SSG in the various events that occur when prepaid tariff switching takes place.
SSG Prepaid Tariff Switching VSAs
The VSA shown in Table 11 is used in authorization and reauthorization responses to send quota tokens and the tariff switch time. Table 11 describes the VSA content.
The VSA shown in Table 12 is used in reauthorization requests and accounting packets. This VSA is used in addition to the usual Quota Volume attribute that indicates the total volume usage in a connection. Table 12 describes the VSA content.
Interim Accounting Updates for SSG Prepaid Tariff Switching
The interim accounting records contain the cumulative usage information (since start of connection) and the amount of usage after the last tariff switch time. The Accounting-Stop record contains the total usage information and the volume of traffic sent after the last tariff switch.
Note
The following example illustrates how the accounting interim updates would look in various tariff switch periods and how the billing server has to interpret the records to obtain the individual usages in the various intervals.
Consider a user logged in to the connection at time T0. The tariff switch points in that week are Tx, Ty, and Tz. The user logs off at T1.
Accounting records A1 through A5 were sent in the various tariff switching intervals. All interim accounting records contain the total volume of traffic sent in the connection from start until that point in time. This volume of traffic value is available in the standard accounting attributes and the SSG Accounting VSAs. For records sent after a tariff switch, the tariff switch VSA indicates usage since the last tariff switch point.
Accounting record A1 does not contain any tariff switch VSAs. Accounting record A2 contains a tariff switch VSA to indicate the usage since the last tariff switch point (Tx). Note that more than one interim accounting record can be sent in the interval, depending on the accounting interval configured. It is possible to derive the usage in the various intervals even if only one accounting record in an interval was successfully sent. The following sequence shows how the billing server calculates usage in the interval between Tx and Ty.
Record A2 contains total volume (V2) and usage since the last tariff switch point Tx (T2). The amount of usage in interval (T0,Tx) is represented as V(0,x) = V2 - T2.
Record A3 contains total volume (V3) since start of connection, and the last tariff switch point Ty (T3). The amount of usage in interval (T0,Ty) is represented as V(0,y) = V3 - T3. The amount of usage in interval (Tx,Ty) is represented as V(x,y) = V(0,y) - V(0,x).
Note
The information in these interim accounting records enables the service provider to derive the accounting information in the various tariff switching intervals.
Dual Quota and Idle-Timeout Prepaid Tariff Switching
The dual quota functionality also interworks with the tariff switching functionality. Instead of the QV and QT attributes being present in the authorization response, QX and QT attributes can be present together in the authorization response. In this case, reauthorization is done whenever the time quota runs out and either of the two volume quota tokens runs out in its respective period. Table 13 describes the attributes contained in a response to a service reauthorization request.
Tariff quota is considered to be exhausted when prepaid tariff quota (PRE) is exhausted before tariff switching, or when the postpaid tariff (POST) quota is exhausted after tariff switch. The interworking of dual quota functionality with tariff switching and idle-timeout is shown in Table 14.
Note
If dual quota was allotted in the earlier authorization, the reauthorization request contains both the volume and time attributes. The volume attributes may include the quota for tariff switching (QB) or the volume-based quota (QV) when the connection is made in the post-tariff switch period. The reauthorization reason attribute may be present in the reauthorization request. Table 7 describes the reasons.
Extended Prepaid Tariff Switching for SSG
The Extended Prepaid Tariff Switch for SSG feature is used to measure the usage of specific services at various times, even when the monetary value of the volume quota does not change at the time of tariff switching. In such a scenario, the remaining amount of a user's prepaid tariff switch quota continues as postpaid tariff switch quota. Information can be collected about how much quota was used before a particular time and how much was used after, providing a usage profile of specific services at various times.
For instance, say that gaming and stock trading services are offered. Using the Extended Prepaid Tariff Switch feature, the user could purchase quota that could be used for each service at the same flat rate. Gaming traffic may be higher in the evenings, for example, while stock trading may be in more demand during business hours. The resulting usage profile can help you decide whether to charge a premium for specific services at specific times.
Postpaid Tariff Switching for SSG
The Postpaid Tariff Switching for SSG feature allows changes in tariffs during the lifetime of a connection. This feature applies to volume-based postpaid connections where the tariff changes at certain times of the day.
Typically, a service provider uses postpaid tariff switching to offer different tariffs to a user during an active connection; for example, changing a user to a less expensive tariff during off-peak hours.
To handle tariff switches for postpaid connections, the accounting packets log the usage information during the various tariff switch intervals. The service profile contains a weekly tariff switch plan detailing the times of day at which tariff changes occur. SSG monitors the usage at every tariff switch point and records this information in the interim accounting records. The billing server monitors all accounting interim updates and obtains the information about the volume of traffic sent at each tariff rate.
Note
How to Configure SSG Accounting
This section describes how to configure SSG accounting features and contains the following tasks:
•
•
•
Configuring SSG Accounting
Perform this task to enable SSG accounting.
Prerequisites for Configuring SSG Accounting
The RADIUS server must be configured and operational before you configure SSG accounting.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuring SSG Broadcast Accounting
SSG broadcast accounting requires the configuration of a broadcast group. Perform this task to send host accounting records to multiple servers.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring SSG Prepaid Features
This section contains the following tasks:
•
•
•
•
Configuring SSG Prepaid Features on the Router
Perform this task to configure SSG prepaid features on the router.
Prerequisites for SSG Prepaid Features
SSG accounting must be enabled in order for the SSG Prepaid features to be used. SSG accounting is enabled by default. If it has been disabled, enable it by using the ssg accounting command in global configuration mode.
Restrictions for SSG Prepaid Features
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Configuring RADIUS Service Profiles for the SSG Prepaid Support Feature
To configure support of the SSG Prepaid feature, you must add the following vendor-specific attributes to RADIUS profiles:
•
•
•
Redirecting TCP Traffic for SSG Prepaid Quota Refill
Perform this task to configure SSG to redirect a user's TCP traffic to a prepaid portal when the user runs out of quota on the billing server.
Prerequisites
The SESM Captive Portal feature must be configured on the appropriate port to listen for redirect requests.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Step 1
ssg tcp-redirect
Example:Router(config)# ssg tcp-redirect
Sets the server group and server used for quota refill redirection.
Step 2
server-group group-name
Example:Router(config-ssg-redirect)# server-group myserver group
Defines the group of one or more servers that make up a named captive portal group and enters SSG-redirect-group configuration mode.
•
Step 3
server ip-address port
Example:Router(config-ssg-redirect-group)# server 192.168.10.10 port 1Adds a server to a captive portal group.
•
•
Step 4
Repeat Step 3 to add servers to the captive portal group.
—
Step 5
end
Example:Router(config-ssg-redirect-group)# end
Exits SSG-redirect-group configuration mode.
Step 6
redirect prepaid-user to server-group-name
Example:Router(config-ssg-redirect)# redirect prepaid-user to myserver
Configures a captive portal group for redirection of prepaid user traffic.
•
Verifying Configuration of the SSG Prepaid Feature
This optional task explains how to verify the configuration and operation of the SSG Prepaid feature. The commands contained in the task steps can be used in any sequence and may need to be repeated.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Step 1
The following output is displayed for a user that has a nonzero volume quota with a nonzero idle timeout:
Router# show ssg connection 172.16.0.0 Internet------------------------ConnectionObject Content -----------------------User Name:quserOwner Host:172.16.0.0Associated Service:InternetConnection State:0 (UP)Connection Started since:*01:45:09.000 GMT Thu Oct 9 2003User last activity at:*01:45:09.000 GMT Thu Oct 9 2003Connection Traffic Statistics:Input Bytes = 4000, Input packets = 40Output Bytes = 4000, Output packets = 40Prepaid quota:Quota Type = `Volume', Quota Value = 11200Timeout Value = 60Session policing disabledThe following output is displayed for a user that has a zero volume quota with zero idle timeout:
Router# show ssg connection 172.16.0.0 Internet------------------------ConnectionObject Content -----------------------User Name:quserOwner Host:172.16.0.0Associated Service:InternetConnection State:0 (UP)Connection Started since:*02:29:09.000 GMT Thu Oct 9 2003User last activity at:*02:30:14.000 GMT Thu Oct 9 2003Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Prepaid quota:Quota Type = 'VOLUME', Quota Value = 0Timeout Value = 0Session policing disabledThe following output is displayed when a user receives a time quota:
Router# show ssg connection 172.16.0.0 Internet------------------------ConnectionObject Content -----------------------User Name:quserOwner Host:172.16.0.0Associated Service:InternetConnection State:0 (UP)Connection Started since:*02:35:51.000 GMT Thu Oct 9 2003User last activity at:*02:35:51.000 GMT Thu Oct 9 2003Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Prepaid quota:Quota Type = 'TIME', Quota Value = 30Session policing disabledThe following output is displayed when a user receives a zero time quota with idle timeout:
Router# show ssg connection 172.16.0.0 Internet------------------------ConnectionObject Content -----------------------User Name:quserOwner Host:172.16.0.0Associated Service:InternetConnection State:0 (UP)Connection Started since:*02:38:20.000 GMT Thu Oct 9 2003User last activity at:*02:38:20.000 GMT Thu Oct 9 2003Connection Traffic Statistics:Input Bytes = 0, Input packets = 0Output Bytes = 0, Output packets = 0Prepaid quota:Quota Type = 'TIME', Quota Value = 0Timeout Value = 60Session policing disabledStep 2
Router# show ssg service Internet------------------------ ServiceInfo Content -----------------------Uplink IDB: gw:10.0.0.0Name:InternetType:PASS-THROUGHMode:CONCURRENTService Session Timeout:0 secondsService Idle Timeout:0 secondsService refresh timeleft:102 minutesAuthorization Required ! Indicates a prepaid serviceAuthentication Type:CHAPReference Count:1DNS Server(s):No Radius server group created. No remote Radius servers.Prepaid Redirect Service Group = InternetRedirectGroup !Service-specific redirect groupIncluded Network Segments:172.16.0.0/255.255.0.0Excluded Network Segments:ConnectionCount 1Full User Name not usedDomain List:Active Connections:1 :RealIP=10.0.0.0, Subscriber=172.18.0.2------------------------ End of ServiceInfo Content ----------------Step 3
Router# show ssg tcp-redirect groupCurrent TCP redirect groups:InternetRedirectGroupDefaultRedirectGroup! The default redirect group is used to redirect prepaid connections when the user runs out of quota and the corresponding service is not configured with any service-specific redirect group.Unauthenticated user redirect group:None SetDefault service redirect group:None SetPrepaid user default redirect group:DefaultRedirectGroupSMTP forwarding group:None SetDefault initial captivation group:None SetDefault advertising captivation group:None SetStep 4
Router# show running-config...ssg prepaid reauthorization drop-packetssg prepaid threshold volume 2000ssg prepaid threshold time 10...ssg tcp-redirectserver-group InternetRedirectGroupserver 255.255.255.253 8080server 255.255.255.100 80!server-group DefaultRedirectGroupserver 10.0.0.1 8080server 10.0.0.20 80!redirect prepaid-user to DefaultRedirectGroup...
Configuring Postpaid Tariff Switching for SSG
Perform this task to configure the Postpaid Tariff Switching for SSG feature.
Post-Paid VSA
SSG uses VSA 26 in the service profile to specify the tariff switch points. Table 15 describes the contents of this VSA
.
SUMMARY STEPS
1.
DETAILED STEPS
Step 1
Add the Post-Paid VSA (attribute 26) to the service profile using the parameters listed in Table 15.
Specifies the tariff switch points for postpaid tariff switching.
Examples
The following example shows the configuration of the Service Profile Definition to support a daily fee. The tariff switch will occur each midnight.
SSG Service-Info = "PPW00:00:00:127"The following example show the configuration of the Service Profile Definition to support an off-peak tariff in which a tariff switch occurs Monday through Friday at 8:00 p.m.:
SSG Service-Info = "PPW20:00:00:31"The following example shows the configuration of the Service Profile Definition to support an on-peak tariff in which a tariff switch occurs Monday through Friday at 6:00 a.m.:
SSG Service-Info = "PPW06:00:00:31"Configuration Examples for SSG Accounting
This section contains the following examples:
•
•
•
•
Accounting Update Interval per Service in RADIUS: Example
In the following example, the interim accounting interval for the RADIUS service profile named proxy_ser is set at 90 using the L90 attribute:
user = proxy_ser{radius=7200-SSG-v1.1 {check_items= {2=cisco}reply_attributes= {9,251="TX"9,251="R10.10.0.0;255.255.0.0"9,251="S255.255.255.253;1645;1646;cisco;2;0"9,251="L90"28=600}}}In the following example, the local profile cisco.com is configured on the router to send an interim accounting update every 90 seconds:
Router(config)# local-profile cisco.comRouter(config-prof)# attribute 26 9 1 "L90"Basic Prepaid Configuration: Examples
The following example shows how to configure SSG to provide basic prepaid billing services:
radius-server attribute 44 include-in-access-reqradius-server attribute 55 include-in-acct-reqThe following example show a service profile configured to support a prepaid service:
ExampleProfile Password = "servicecisco", Service-Type = OutboundService-Info = "IVideo Jam",Service-Info = "R10.10.10.0;255.255.255.0",Service-Info = "D10.10.10.10",Service-Info = "Omy-video.net",Service-Info = "MS",Service-Info = "Z"TCP Redirect for Prepaid Users: Example
The following example shows how to configure a captive portal group called PrepaidRedirectGroup, add two servers to PrepaidRedirectGroup, and redirect prepaid users to the newly created captive portal:
ssg enablessg tcp-redirectserver-group PrepaidRedirectGroupserver 10.0.0.1 8080server 10.0.0.20 80endredirect prepaid-user to PrepaidRedirectGroupConfiguring Prepaid Threshold Value: Examples
The following example shows how to configure a threshold time value of 10 seconds:
ssg prepaid threshold time 10The following example shows how to configure a threshold volume value of 2000 bytes:
ssg prepaid threshold volume 2000The following example shows how to configure SSG to drop traffic during reauthorization:
ssg prepaid reauthorization drop-packetAdditional References
The following sections provide references related to the SSG Accounting feature.
Related Documents
Configuring SESM
Cisco Subscriber Edge Services Manager documentation
SSG commands
RADIUS commands
RADIUS configuration tasks
"Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide
Configuring L2TP
•
Technical Assistance
Feature Information for Configuring SSG Accounting
Table 16 lists the features in this module and provides links to specific configuration information.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 16 Feature Information for Configuring SSG Accounting
Extended Prepaid Tariff Switching for SSG
12.3(14)T
12.4The Extended Prepaid Tariff Switch for SSG feature is used to measure the usage of specific services at various times, even when the monetary value of the volume quota does not change at the time of tariff switching.
The following section provides information about this feature:
Postpaid Tariff Switching for SSG
12.2(16)B
12.3(4)T
12.3(14)T
12.4The Postpaid Tariff Switching for SSG feature allows changes in tariffs during the lifetime of a connection.
The following section provides information about this feature:
•
SSG Accounting
12.0(3)DC
12.2(4)B
12.2(11)T
12.2(16)B
12.3(4)T
12.3(14)T
12.4The SSG Accounting feature allows a service provider to decide how to configure billing and accounting for its users.
The following sections provide information about this feature:
•
SSG Accounting Update Interval Per Service
12.2(13)T
The SSG Accounting Update Interval Per Service feature allows the service provider to configure different accounting intervals for different services.
The following sections provide information about this feature:
•
SSG Default Quota for Prepaid Billing Server Failure
12.3(11)T
The SSG Default Quota for Prepaid Billing Server Failure feature enables SSG to be configured to allocate a default quota when the prepaid server fails to respond to an authorization request.
The following section provide information about this feature:
•
SSG Prepaid Enhancements
12.2(16)B
12.3(4)T
12.3(14)T
12.4The SSG Prepaid Enhancements feature adds support for prepaid tariff switching, postpaid tariff switching, and simultaneous volume- and time-based prepaid billing to the existing SSG Prepaid feature.
The following sections provide information about this feature:
•
•
•
SSG Prepaid Idle Timeout
12.2T
12.3(4)TThe SSG Prepaid Idle Timeout feature enables SSG to return residual quota to the billing server from services that a user is logged into but not actively using.
The following sections provide information about this feature:
SSG Prepaid Tariff Switching
12.2(4)B
12.2(11)TThe SSG Prepaid Tariff Switching feature allows changes in tariffs during the lifetime of a connection.
The following sections provide information about this feature:
•
•
•
SSG Suppression of Unused Accounting Records
12.2T
12.3(4)TThe SSG Suppression of Unused Accounting Records feature allows you to turn off unneeded Service Selection Gateway (SSG) accounting records.
The following sections provide information about this feature:
Configuring SSG Accounting
15.0(1)M
This feature was removed in Cisco IOS Release 15.0(1)M.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2009 Cisco Systems, Inc. All rights reserved.
