Configuring SSG Support for Subnet-Based Authentication
First Published: May 2, 2005
Last Updated: October 2, 2009
Note
Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
The SSG Support for Subnet-Based Authentication feature allows a service provider to identify subscribers to services by their subnet, rather than by a subscriber's IP address. This module describes how the Cisco Service Selection Gateway (SSG) recognizes and manages subnet-based subscribers.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSG Support for Subnet-Based Authentication" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for SSG Support for Subnet-Based Authentication
• Restrictions for SSG Support for Subnet-Based Authentication
• Information About SSG Support for Subnet-Based Authentication
• How to Configure SSG Support for Subnet-Based Authentication
• Additional References
• Feature Information for SSG Support for Subnet-Based Authentication
Prerequisites for SSG Support for Subnet-Based Authentication
SSG must be enabled before subnet-based authentication for SSG can be configured.
Restrictions for SSG Support for Subnet-Based Authentication
• If the Port-Bundle Host Key (PBHK) feature is used with subscribers, the port bundle allocated to a subscriber will be shared for all IP addresses within the IP subnet.
• RADIUS proxy deployments do not support subnet-based subscribers.
• Subnet-based authentication is not supported for users with PPP-based access.
• Once a subscriber is identified as a subnet-based subscriber, all other individual subscribers on the same subnet will be tracked as part of the same subnet subscriber.
• Services that require Network Address Translation (NAT) are not supported.
Information About SSG Support for Subnet-Based Authentication
To configure the SSG Support for Subnet-Based Authentication feature, you should understand the following concepts:
• Identifying Subnet-Based Subscribers
• Benefits of SSG Support for Subnet-Based Authentication
Identifying Subnet-Based Subscribers
Subnet-based subscribers are identified whenever SSG receives a subnet mask along with an IP address from the authentication, authorization, and accounting (AAA) server. The IP address is found in the RADIUS Framed-IP (FIP) attribute (RADIUS attribute 8), and the IP subnet mask is found in the RADIUS-Framed-IP-Netmask (FIN) attribute (RADIUS attribute 9).
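The identification rule above, as an added example that is not Cisco code: it parses the attribute list of a RADIUS Access-Accept and classifies the subscriber as host-based or subnet-based from attributes 8 and 9, which also shows how many addresses inherit one authenticated session. The function names and the sample packet are hypothetical and constructed for illustration; the response authenticator is not validated here.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8   # RADIUS attribute 8
FRAMED_IP_NETMASK = 9   # RADIUS attribute 9

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def classify(packet: bytes):
    """Address plus mask from AAA means a subnet-based subscriber."""
    attrs = parse_attributes(packet)
    ip, mask = attrs.get(FRAMED_IP_ADDRESS), attrs.get(FRAMED_IP_NETMASK)
    if ip is None or len(ip) != 4:
        return ("unidentified", None)
    host = ipaddress.ip_address(ip)
    if mask is None:
        return ("host", ipaddress.ip_network(f"{host}/32"))
    # A malformed or non-contiguous mask raises ValueError here.
    net = ipaddress.ip_network(f"{host}/{ipaddress.ip_address(mask)}", strict=False)
    return ("subnet", net)

def covered(net, addr: str) -> bool:
    """True if addr would be tracked under the subscriber that owns net."""
    return ipaddress.ip_address(addr) in net

def build_accept(ip: str, mask: str = None) -> bytes:
    """Constructed Access-Accept with a zeroed authenticator (sample input only)."""
    body = bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.ip_address(ip).packed
    if mask:
        body += bytes([FRAMED_IP_NETMASK, 6]) + ipaddress.ip_address(mask).packed
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for pkt in (build_accept("10.0.1.1", "255.255.255.0"), build_accept("10.0.1.1")):
        kind, net = classify(pkt)
        print(kind, net, net.num_addresses, covered(net, "10.0.1.77"))
```

Run over captured Access-Accept payloads, the classification gives a quick audit of which AAA profiles create subnet-wide sessions and how broad each mask is.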
Benefits of SSG Support for Subnet-Based Authentication
Subnet-based authentication of subscribers gives service providers the option to provide services to their enterprise customers based on the IP subnet rather than on an individual IP address. This capability eliminates the need for each subscriber to self-identify and log in. Applications of subnet-based authentication include business internet services, video streaming, and pay-per-use Internet access for small office/home office (SOHO) customers.
How to Configure SSG Support for Subnet-Based Authentication
No configuration is required to identify subnet-based subscribers. Whenever SSG receives a subscriber's IP address and subnet mask from the AAA (RADIUS) server, SSG will treat that subscriber as a subnet-based subscriber.
This section contains the following task:
• Verifying SSG Support for Subnet-Based Authentication (optional)
Verifying SSG Support for Subnet-Based Authentication
This optional task explains how to verify subnet-based authentication for SSG. The commands contained in the task steps can be used in any sequence and may need to be repeated.
SUMMARY STEPS
1. enable
2. show ssg connection {ip-address | network-id subnet-mask} service-name [interface]
3. show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]
DETAILED STEPS
Step 1
enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2
show ssg connection {ip-address | network-id subnet-mask} service-name [interface]
Displays the connections of a given SSG host and service name. To display the connections of the specified subnet-based subscribed host, enter the network ID and IP subnet mask.
Router# show ssg connection 10.0.1.1 255.255.255.0 passthru
------------------------ConnectionObject Content -----------------------
Owner Host: 10.0.1.1 (Mask : 255.255.255.0)
Associated Service: passthru1
Calling station id: 00d0.792f.8054
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2004
User last activity at: *17:44:59.000 GMT Sun Jul 6 2004
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Step 3
show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]
Displays information about a subscriber and the subscriber's current connections. To display information about the specified subnet-based subscribed host, enter the IP subnet mask.
Router# show ssg host 10.0.0.0 255.255.255.0
------------------------ HostObject Content -----------------------
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
User logged on since: *05:59:46.000 UTC Fri May 3 2004
User last activity at: *05:59:52.000 UTC Fri May 3 2004
Initial TCP captivate: NO
TCP Advertisement captivate: NO
DNS Default Service: NONE
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1
Subscribed Service Groups: NONE
Additional References
The following sections provide references related to the SSG Support for Subnet-Based Authentication feature.
Related Documents
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for SSG Support for Subnet-Based Authentication
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.3(14)T or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for SSG Support for Subnet-Based Authentication
Feature Name | Releases | Feature Configuration Information
SSG Support for Subnet-Based Authentication | 12.3(14)T 12.4 15.0(1)M | The SSG Support for Subnet-Based Authentication feature allows a service provider to identify subscribers to services by their subnet, rather than by a subscriber's IP address. The following sections provide information about this feature: Identifying Subnet-Based Subscribers; Benefits of SSG Support for Subnet-Based Authentication; Verifying SSG Support for Subnet-Based Authentication. The following commands were modified by this feature: show ssg connection, show ssg host. This feature was removed in Cisco IOS Release 15.0(1)M.
© 2005-2009 Cisco Systems, Inc. All rights reserved.