Overview of SSG
First Published: May 2, 2005
Last Updated: October 2, 2009
Note: Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
The Cisco Service Selection Gateway (SSG) is a Cisco IOS software feature set that works with the Cisco Subscriber Edge Services Manager (SESM) and other components to provide a subscriber edge services solution. SESM is used to deliver on-demand subscriber services across any SSG-enabled network. SSG provides on-demand service enforcement within the Cisco network. As part of a subscriber edge services solution, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Overview of SSG" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for SSG
• Restrictions for SSG
• Information About SSG
• Where to Go Next
• Additional References
• Feature Information for Overview of SSG
Prerequisites for SSG
• A Cisco router running a version of Cisco IOS software that supports Service Selection Gateway (SSG).
• An implementation of Cisco Subscriber Edge Services Manager (SESM).
• A RADIUS or Directory-based authentication system.
Restrictions for SSG
SSG does not process multicast packets.
Information About SSG
Before you begin to configure SSG, you should understand the following concepts:
• Overview of Cisco's Subscriber Edge Services Solution
• Benefits of Using SSG
• Components of a Subscriber Edge Services Solution
• Subscriber Edge Services Network Architecture
• How SSG Works
• SSG Network Deployments
• SSG Supported Access Protocols
Overview of Cisco's Subscriber Edge Services Solution
The Cisco Service Selection Gateway (SSG) and Cisco Subscriber Edge Services Manager (SESM) are both components of the Cisco subscriber edge services solution. Cisco SESM is a product portfolio used for delivering on-demand subscriber services across any SSG-enabled network. SSG is the Cisco IOS feature set that serves as an access gateway that controls user access at the edge of the IP network.
A subscriber edge services solution is used to control user experience at the network edge. As an example, consider a business user that is accessing IP services via a wireless or other broadband connection in a hotel. SSG, in conjunction with SESM, redirects the unauthenticated subscriber's web browser to a walled garden, which might feature local weather and general hotel information. Upon registration, the subscriber may have expanded access to billing information, concierge services, printing services, and general Internet access. The subscriber edge services solution enables a service provider to advertise and offer on-demand, pay-per-use IP services based on location and type of access device.
Figure 1 shows how SSG and SESM manage subscriber access to network services.
Figure 1 Delivering Network Services with Cisco SESM and SSG
A subscriber edge services solution provides robust, highly scalable subscriber authentication, service selection, and service connection capabilities to subscribers in broadband and mobile environments.
Benefits of Using SSG
Service providers can generate revenue in two ways: by providing access technology and by providing network access. In a traditional service-provider environment, the service and access technologies are tightly joined, which makes it difficult to roll out new services, and restricts the service provider to flat billing based on the access technology.
SSG separates the service and access technologies, giving subscribers a selection of services from which to choose, and enabling service providers to implement service- and usage-based billing.
SSG, as part of a subscriber edge services solution, provides the following benefits:
Subscriber Authentication and Authorization
Subscriber Edge Services support user authentication to standard user databases. Subscriber and service profiles may be maintained in RADIUS servers and directory servers and may be owned by different entities. Single sign-on is supported to remove redundant authentication steps and provide subscribers with streamlined access to authorized services.
Web Portals
Subscriber Edge Services support web browser (HTTP) redirection or "captivation" of unauthenticated users to specific web pages. Web pages may be customized and personalized according to device, connection type, location, and other characteristics. This capability supports branding and targeted point-of-sale messaging. Service redirection and captivations are available to raise system messages or advertising at any time during a session.
Subscriber Self-Care
Subscriber Edge Services support subscriber account self-management. Subscribers can change their own account details (such as address, phone number, and password) and create and manage sub-accounts. Account self-registration and service self-subscription allow subscribers to fill in their initial account details and sign up for new services without assistance. Self-care improves customer satisfaction and reduces operational expenses.
Web-based Service Selection
SSG with SESM allows a service provider to create a branded web portal that presents subscribers with a menu of services. Subscribers can log on to and disconnect from different services using a web browser. This web-based service selection method takes advantage of the wide availability of web browsers and eliminates problems related to client software (such as license fees, distribution logistics, and an increased customer support burden).
Billing Flexibility for Service Providers
Cisco SSG allows subscribers to dynamically select and modify services. SSG monitors user connections, service logon and logoff, and user activity per service. By providing per-connection accounting, SSG enables service providers to bill subscribers for connection time, speed, and services used rather than charging a flat rate. Using SSG, service providers can also package and sell prepaid services.
Open Access
Open access is an important trend in the access-provider industry. Regulators in an increasing number of countries are demanding that access providers provide equal-access service to competing Internet service providers (ISPs). SSG can enable access providers to deploy services through multiple ISPs, allowing the consumer to choose their preferred ISP.
Flexibility and Convenience for Subscribers
SSG provides users with access to multiple simultaneous services, such as the Internet, gaming servers, connectivity to corporate networks, and the luxury of differential service selection. Users can dynamically connect to and disconnect from any of the available services.
Components of a Subscriber Edge Services Solution
The following sections describe the components of a subscriber edge services solution:
• SSG
• SESM
• AAA Server
• Services
SSG
SSG is the Cisco IOS feature set that controls user access at the edge of an IP network. SSG is deployed at network access control points, and subscribers connect to service destinations through SSG. The role of SSG is to identify and authenticate subscribers and then load a subscriber-specific profile that governs the network services that the subscriber is entitled to access.
SESM
SESM is a software toolkit that interacts with SSG to control the user experience at the network edge by providing a set of web-based interactive applications. These applications interact with the user to obtain identity and credentials for authentication and payment. SESM web applications also interact with the user to provide service selection, subscriber account self-management, and self-subscription. These applications can be personalized, localized, and customized to display advertisements and notifications according to where the user connects to the network and with which device.
AAA Server
An authentication, authorization, and accounting (AAA) server is used in a subscriber edge services solution as the data repository for service, subscriber, and policy information. SSG is designed to work with two types of servers: RADIUS-based AAA servers that accept vendor-specific attributes (VSAs) and Lightweight Directory Access Protocol (LDAP) directories.
Note: In order to use an LDAP directory, SSG must be used with SESM, and SESM must be configured for LDAP mode. For information on creating and maintaining subscriber, service, and policy information in an LDAP directory, refer to the Cisco Subscriber Management Guide.
Services
The term services means different things in different contexts. At the most fundamental and technical level, a service is defined in networking terms as a network destination: a subset of the service network. From a router perspective, a network destination is defined in terms of interfaces, next-hop definitions, and IP definitions.
Services have attributes. Some of these attributes refer to whether and how the user must be authenticated to access the services; other service attributes allow access filters and determine usage limits and quotas. The collection of attributes is known as a service profile.
At the user level, services may be described in more businesslike terms: free services versus fee-based services, gold service versus bronze, service selection, subscriber self provisioning, and so on. From the service provider perspective, a subscriber is defined by means of a user profile, which determines the services to which the subscriber is entitled.
These are examples of services that providers can offer:
• VPN services—Level 2 and Level 3 VPNs, irrespective of the type of transport. The services may include telecommuter access to corporate networks, or equal access to a number of different ISPs from an access provider.
• Filter services—Services that are implemented in the edge device or some inline device that limits access in some way, such as firewalls, spam filters, virus filters, and others.
• Prepaid services
• Content Service Gateways (CSGs)—Used to charge per page or unit of content (such as mp3 or gif files).
• Tiered Internet access (for example, bronze, silver, or gold)
• Dynamic bandwidth on demand
• Integrated voice and data
• Internet gaming and multimedia services
• Distance learning services
• Video on demand
• Peer-to-peer application control (for example, constraining bandwidth available for music downloads)
• Higher bandwidth for premium users, irrespective of applications
Subscriber Edge Services Network Architecture
Figure 2 illustrates how the components of a subscriber edge services network work together.
Figure 2 Service Selection Gateway Topology
Subscribers access the SESM web portal application using any web browser on a variety of devices, such as a desktop computer over DSL, a cellular phone over GPRS or CDMA, or a PDA over a WLAN. Depending on how SSG has been configured, unauthenticated users can either be forwarded to the SESM captive portal or automatically logged into the network. Service providers can thus use the SSG feature set of the router to design a service selection access network.
Subscribers can use SESM to manage their accounts, subscribe to new services, and select those services that they want to use. Service providers can use a subscriber edge services solution to offer and advertise value-added services and to associate these services with their brand identities.
How SSG Works
A licensed version of SSG works with SESM to present to users a menu of services that can be selected from a single graphical user interface (GUI). This functionality improves flexibility and convenience for subscribers and enables service providers to bill subscribers for only the connect time and services used, rather than by charging a flat rate.
For instance, when SSG is used with SESM, the user opens an HTML browser and is redirected to the SESM web server application. SSG always allows access to a single IP address or subnet—referred to as the default network—where SESM is typically located. SESM prompts the user for a username and password.
SESM forwards the user's logon information to SSG, which forwards the information to either the AAA server, or to the RADIUS-DESS Proxy (RDP) component of SESM for LDAP authentication. If the user is not valid, the AAA server or RDP sends an Access-Reject message. If the user is valid, the AAA server or RDP sends an Access-Accept message with information specific to the user's profile about which services the user is authorized to use. SSG logs the user in and sends the response to SESM.
Depending on the contents of the Access-Accept or Access-Reject response, SESM presents a menu of authorized services, one or more of which is selected by the user. SSG then creates an appropriate connection for the user and, optionally, starts RADIUS accounting for the connection.
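The logon and service-selection sequence described above, as an added example that is not Cisco code and not part of the original page: a simplified Python model of what the gateway permits at each stage. All names (`SsgModel`, `aaa_authenticate`), the addresses, the service names, and the credentials are constructed for illustration, and a service is modeled as a network destination, as the Services section defines it.

```python
"""Simplified model of the SSG logon and service-selection flow (added example)."""
import hmac
import ipaddress

# Constructed sample data; addresses are from documentation ranges.
DEFAULT_NETWORK = ipaddress.ip_network("192.0.2.0/28")  # always reachable; SESM lives here
SERVICES = {  # a service is a network destination
    "internet-gold": ipaddress.ip_network("198.51.100.0/24"),
    "corp-vpn": ipaddress.ip_network("203.0.113.0/24"),
}
AAA_USERS = {  # stand-in for the subscriber profiles held by the AAA server
    "alice": {"password": "s3cret-example", "services": ["internet-gold"]},
}


def aaa_authenticate(username, password):
    """Return an Access-Accept carrying the authorized services, or an Access-Reject."""
    profile = AAA_USERS.get(username)
    stored = profile["password"] if profile else ""
    # Constant-time comparison; an unknown user can never match.
    matches = hmac.compare_digest(stored.encode(), password.encode())
    if profile is None or not matches:
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "services": list(profile["services"])}


class SsgModel:
    """Hypothetical gateway model: tracks sessions and decides what to forward."""

    def __init__(self):
        self.sessions = {}    # subscriber IP -> session state
        self.accounting = []  # accounting records emitted by the model

    def logon(self, src_ip, username, password):
        """SESM hands the credentials to SSG, which asks the AAA server."""
        reply = aaa_authenticate(username, password)
        if reply["code"] == "Access-Accept":
            self.sessions[src_ip] = {"user": username,
                                     "authorized": set(reply["services"]),
                                     "connected": set()}
        return reply

    def select_service(self, src_ip, service):
        """Connect a service only if the subscriber's profile authorizes it."""
        session = self.sessions.get(src_ip)
        if session is None or service not in session["authorized"]:
            return False
        session["connected"].add(service)
        self.accounting.append(("Start", session["user"], service))
        return True

    def forward_allowed(self, src_ip, dst_ip):
        """Default network is always allowed; anything else needs a connected service."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in DEFAULT_NETWORK:
            return True
        session = self.sessions.get(src_ip)
        if session is None:
            return False
        return any(dst in SERVICES[name] for name in session["connected"])
```

The model makes two enforcement points explicit: a successful logon alone opens no destination beyond the default network, and a service absent from the Access-Accept profile cannot be connected.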
SSG Network Deployments
Service selection technology can be used in many types of access technology; for example:
• Broadband cable
• Digital Subscriber Line (DSL)
• Ethernet to home or office
• Public Wireless LAN (PWLAN)
• Mobile wireless, including General Packet Radio Service (GPRS) and Code Division Multiple Access (CDMA)
SSG Supported Access Protocols
SSG supports the following protocols and encapsulations:
• Point-to-Point Protocol (PPP), including PPP over Ethernet (PPPoE), PPP over ATM (PPPoA), and PPP over Layer 2 Tunnel Protocol (PPPoL2TP)
• Routed Bridged Encapsulation (RBE) and RFC1483 IP
SSG accepts traffic on the following interface types:
• ATM PVCs and subinterfaces
• Ethernet interfaces and subinterfaces
• Logical interfaces such as GRE and IPinIP
• Packet over SONET (POS) interfaces
• Serial and channelized interfaces
Where to Go Next
SSG configuration tasks are described in the following modules:
• Implementing SSG: Initial Tasks—this process explains how to enable SSG and establish communication with the AAA server and SESM.
• Configuring SSG to Serve as a RADIUS Proxy—this module describes the types of deployments that use SSG as a RADIUS proxy and how to configure them.
• Configuring SSG to Authenticate Subscribers—the following processes explain how to configure SSG to authenticate subscribers according to the method of subscriber login.
  – Configuring SSG to Authenticate Web Logon Subscribers
  – Configuring SSG to Authenticate PPP Subscribers
  – Configuring SSG to Authenticate Subscribers with Transparent Autologon
  – Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
  – Configuring SSG On-Demand IP Address Renewal and SSG/DHCP Awareness
  – Configuring SSG Support for Subnet-Based Authentication
  – Configuring SSG for MAC-Address-Based Authentication
• Configuring SSG for Subscriber Services—this process describes how to configure SSG to create services and allow subscribers to use them.
• Configuring SSG to Log Off Subscribers—this process explains how to configure methods of subscriber logoff, such as SSG autologoff and timeouts.
• Configuring SSG Accounting—this process explains how to configure SSG support for subscriber accounting and billing, including per-service accounting, broadcast accounting, and prepaid services.
• RADIUS Profiles and Attributes for SSG—this module describes RADIUS profiles and their attributes.
Additional References
The following sections provide references related to configuring SSG.
Related Documents
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for Overview of SSG
Table 1 lists the features in this module and provides links to specific configuration information.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Overview of SSG
Feature Name | Releases | Feature Information
Overview of SSG | 12.4 15.0(1)M | The Cisco Service Selection Gateway (SSG) is a Cisco IOS software feature set that works with the Cisco Subscriber Edge Services Manager (SESM) and other components to provide a subscriber edge services solution. SESM is used to deliver on-demand subscriber services across any SSG-enabled network. SSG provides on-demand service enforcement within the Cisco network. As part of a subscriber edge services solution, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. This feature was removed in Cisco IOS Release 15.0(1)M.
© 2005-2009 Cisco Systems, Inc. All rights reserved.