Table Of Contents
Service Profiles and Cached Service Profiles
Service Profiles
Downstream Access Control List
Upstream Access Control List
Domain Name
Full Username
MTU Size
RADIUS Server
Service Authentication Type
Service-Defined Cookie
Service Description
Service Mode
Service Next-Hop Gateway
Service Route
Service URL
Type of Service
Service Profile Example
Cached Service Profiles
Configuration of Cached Service Profiles
Service Profiles and Cached Service Profiles
The RADIUS server or the SESM downloads service profiles to the Cisco 10000 series router (SSG node) as needed. Typically, the SSG removes the service profile from memory after the user logs off. Therefore, each time the user attempts to access services, RADIUS or the SESM downloads the service profile, creating unnecessary traffic. The Cached Service Profiles feature is designed to eliminate this inefficient overhead.
This chapter describes the service profiles and cached service profiles supported by the Cisco 10000 series router:
• Service Profiles
• Cached Service Profiles
Service Profiles
Service profiles define the services that subscribers can select. Each service that is accessible has a profile that defines the attributes of the service. Service profiles are configured on the RADIUS server or directly on the Cisco 10000 series router. The RADIUS server or SESM downloads the service profiles to the router as needed.
Service profiles include the following information: password, service type (outbound), type of service (passthrough, proxy, or tunnel), service access mode (sequential or concurrent), DNS server IP address, networks that exist in the service domain, access control lists, and timeouts. The following sections describe the attributes included in RADIUS service profiles. For more information, refer to the "Service Selection Gateway" chapter in the Cisco 6400 Feature Guide, Release 12.2(2)B.
Downstream Access Control List
Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.
Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
Upstream Access Control List
Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.
Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"
Domain Name
(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified by the DNS server address.
Service-Info = "Oname1[;name2]...[;nameX]"
Full Username
Indicates that RADIUS authentication and accounting requests use the full username (user@service).
MTU Size
Specifies the PPP MTU size of the SSG as a LAC. By default, the PPP MTU size is 1500 bytes.
Note
In Directory Enabled Service Selection Subscription (DESS) mode, SESM does not support the use of this attribute.
RADIUS Server
Specifies the remote RADIUS servers that SSG uses to authenticate, authorize, and perform accounting for a service logon for a proxy service type. This attribute is used only in proxy service profiles, where it is required.
You can configure each remote RADIUS server with timeout and retransmission parameters. SSG fails over among the servers.
Service-Info = "SRadius-server-address;auth-port;acct-port;secret-key[;retrans;timeout;deadtime]"
The secret-key field is the shared secret for the proxy RADIUS server and is carried inside the service profile itself. Treat a profile that contains it as a credential: restrict who can edit service profiles on the RADIUS server or SESM, and keep the path over which profiles are downloaded to the SSG on a trusted network.
Service Authentication Type
Specifies whether the SSG uses the CHAP or PAP protocol to authenticate users for proxy services.
Service-Info = "Aauthen-type"
Service-Defined Cookie
Enables you to include user-defined information in RADIUS authentication and accounting requests.
Note
• SSG does not parse or interpret the value of the Service-Defined Cookie. You must configure the proxy RADIUS server to interpret this attribute.
• SSG supports only one Service-Defined Cookie per RADIUS service profile.
Service Description
(Optional) Describes the service.
Service-Info = "Idescription"
Service Mode
(Optional) Defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent mode) or whether the user cannot access any other services while using this service (sequential mode). The default is concurrent mode.
Service Next-Hop Gateway
(Optional) Specifies the next-hop key for this service. Each SSG uses its own next-hop gateway table to associate this key with an actual IP address.
Service Route
Specifies networks available to the user for this service.
Service-Info = "Rip_address;mask"
Service URL
(Optional) Specifies the URL that is displayed in the SESM HTTP address field when the service opens. If the SESM web application is designed to use HTML frames, this attribute also specifies whether the service is displayed in a new browser window or in a frame in the current (SESM) window, as follows:
• Hurl—URL for a service displayed in a frame in the SESM browser window.
• Uurl—URL for a service displayed in its own browser window.
Type of Service
(Optional) Indicates whether the service is proxy, tunnel, or passthrough.
Service Profile Example
Example 7-1 is a service profile formatted for use with a freeware RADIUS server. Each Service-Info value begins with a one-letter code that identifies the attribute: R is a service route, G the next-hop gateway key, D the DNS server address, I the service description, and O a domain name that gets DNS resolution from that server:
Example 7-1 Service Profile
service1.com Password = "cisco", Service-Type = outbound,
Service-Info = "R192.168.1.128;255.255.255.192",
Service-Info = "R192.168.2.0;255.255.255.192",
Service-Info = "R192.168.3.0;255.255.255.0",
Service-Info = "Gservice1",
Service-Info = "D192.168.2.81",
Service-Info = "ICompany Intranet Access",
Service-Info = "Oservice1.com"
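The following Python parser is added here as an example; it is not Cisco code and not part of this guide. It reads a profile in the users-file format above into the attributes this chapter documents and then runs the checks a reviewer would want before the profile is loaded onto an SSG: a service route of 0.0.0.0;0.0.0.0, which would make the service a catch-all for all subscriber traffic, and a proxy RADIUS server entry with an empty shared secret. The letter codes R, G, I, O, A and S and the ip:inacl/ip:outacl forms come from the attribute descriptions above; D for the DNS server address is inferred from the D192.168.2.81 line of Example 7-1. The second profile, proxy.example, with its 10.20.0.5 server and s3cr3t secret, is constructed for the example, and keeping codes the chapter does not define verbatim in `unknown` is the example's own choice.

```python
"""Parser and sanity checker for SSG service profiles in the freeware-RADIUS users-file
format of Example 7-1. Added example, not Cisco code: handles the Service-Info codes
R, G, D, I, O, A, S and the ip:inacl/ip:outacl Cisco-AVpair forms; anything else is
kept verbatim in `unknown` rather than guessed at."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')  # Attr = "v" or Attr = v
ACL_RE = re.compile(r'^ip:(inacl|outacl)(?:#(\d+))?=(.+)$')         # ip:inacl[#number]=acl

@dataclass
class RadiusServer:
    address: str
    auth_port: int
    acct_port: int
    secret: str                                      # shared secret, carried in the profile
    tuning: List[int] = field(default_factory=list)  # [retrans, timeout, deadtime] if given

@dataclass
class ServiceProfile:
    name: str
    password: Optional[str] = None
    service_type: Optional[str] = None
    routes: List[ipaddress.IPv4Network] = field(default_factory=list)
    next_hop_key: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)
    description: Optional[str] = None
    domains: List[str] = field(default_factory=list)
    authen_type: Optional[str] = None
    radius_servers: List[RadiusServer] = field(default_factory=list)
    acls: List[str] = field(default_factory=list)    # "inacl:<acl>" / "outacl:<acl>"
    unknown: List[str] = field(default_factory=list)

def _service_info(p: ServiceProfile, value: str) -> None:
    """Dispatch on the one-letter code that starts every Service-Info value."""
    code, arg = value[:1], value[1:]
    if code == "R":                                  # Rip_address;mask
        ip, _, mask = arg.partition(";")
        p.routes.append(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))
    elif code == "G":
        p.next_hop_key = arg
    elif code == "D":                                # inferred from Example 7-1
        p.dns_servers.append(str(ipaddress.IPv4Address(arg)))
    elif code == "I":
        p.description = arg
    elif code == "O":                                # Oname1[;name2]...
        p.domains.extend(n for n in arg.split(";") if n)
    elif code == "A":                                # ACHAP or APAP
        p.authen_type = arg.upper()
    elif code == "S":                                # Saddr;auth;acct;secret[;retrans;timeout;deadtime]
        f = arg.split(";")
        p.radius_servers.append(RadiusServer(f[0], int(f[1]), int(f[2]), f[3], [int(x) for x in f[4:7]]))
    else:
        p.unknown.append(f"Service-Info={value}")

def parse_profile(text: str) -> ServiceProfile:
    """First token is the service name; the rest is comma-separated Attr = value pairs."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = lines[0].split(None, 1)
    p = ServiceProfile(name=head[0])
    for m in ATTR_RE.finditer(" ".join(head[1:] + lines[1:])):
        key, value = m.group(1), m.group(2) if m.group(2) is not None else m.group(3)
        if key == "Password":
            p.password = value
        elif key == "Service-Type":
            p.service_type = value
        elif key == "Service-Info":
            _service_info(p, value)
        elif key == "Cisco-AVpair" and (acl := ACL_RE.match(value)):
            p.acls.append(f"{acl.group(1)}:{acl.group(3)}")
        else:
            p.unknown.append(f"{key}={value}")
    return p

def check_profile(p: ServiceProfile) -> List[str]:
    """Findings a reviewer would want before loading the profile onto an SSG."""
    findings = [f"route {r} is a default route: the service would capture all traffic"
                for r in p.routes if r.prefixlen == 0]
    findings += [f"RADIUS server {s.address} has an empty shared secret"
                 for s in p.radius_servers if not s.secret]
    if p.unknown:
        findings.append("unrecognised attributes: " + ", ".join(p.unknown))
    return findings

EXAMPLE_7_1 = '''service1.com Password = "cisco", Service-Type = outbound,
    Service-Info = "R192.168.1.128;255.255.255.192",
    Service-Info = "R192.168.2.0;255.255.255.192",
    Service-Info = "R192.168.3.0;255.255.255.0",
    Service-Info = "Gservice1",
    Service-Info = "D192.168.2.81",
    Service-Info = "ICompany Intranet Access",
    Service-Info = "Oservice1.com"'''

# Constructed proxy-service profile (not from the page); addresses and secret are made up.
PROXY_EXAMPLE = '''proxy.example Password = "cisco", Service-Type = outbound,
    Service-Info = "R0.0.0.0;0.0.0.0",
    Service-Info = "S10.20.0.5;1812;1813;s3cr3t;3;5;60",
    Service-Info = "ACHAP",
    Cisco-AVpair = "ip:inacl#1=deny ip any host 10.20.0.5"'''
```

Running parse_profile(EXAMPLE_7_1) yields three IPv4Network routes, the next-hop key service1, one DNS server and no findings; parse_profile(PROXY_EXAMPLE) yields a RadiusServer whose secret is visible in plain text in the profile, and check_profile flags its 0.0.0.0/0 service route.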
Cached Service Profiles
The Cached Service Profiles feature enables SSG to use a cached copy of a service profile instead of downloading the profile from RADIUS every time a user logs on to the service.
SSG downloads a service profile when an IP user logs on to a service through SESM, or when a PPP user logs on to SSG with a structured username (user@service). SSG requests the profile from the RADIUS server by service name, extracts the parameters that are specific to the service, and stores them locally. It then authenticates the user according to the type of service and the AAA servers configured for that service, and on successful authentication connects the user to the service. Without caching, SSG downloads the service profile every time any user logs on to that service, which creates unnecessary traffic between the SSG and RADIUS.
The Cached Service Profiles feature eliminates the inefficiency of downloading the service profile each time a user logs on to a service. Instead, SSG caches the service profile and uses this cached profile when the user attempts to log on to the service again. If another user attempts to log on to the service, SSG uses the cached profile to process the service connection.
The following describes how service profiles are cached:
• A user selects a service on the service logon page that SESM displays.
• SSG receives the service logon request and looks up the service profile using the service name.
• If the service profile exists and it is active, SSG uses the service profile to process the logon request.
• If the service profile exists but is inactive (for example, SSG is currently downloading the profile), SSG queues the logon request and processes the request after the service profile is downloaded.
• If SSG does not find Service-Info attributes in the service profile, SSG creates an inactive service profile and processes any logon requests after downloading the service profile.
• After the service profile is downloaded, the inactive service profile is updated with the Service-Info attributes from RADIUS. SSG uses these attributes to process connections for incoming users and any pending connection requests.
• The RADIUS packet has an MD5 signature that uniquely identifies the service profile. SSG stores this service profile ID in the service profile.
If the profile changes on the RADIUS server, the SSG timer process periodically updates the cached profile to ensure that the service information is current.
If the service profile fails to update, SSG retains the cached service profile. When a new user connects to the SSG, SSG downloads the service profile again. If SSG cannot download the service profile, the user is not allowed to log on to the service.
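The cache behaviour described above, modelled as an added Python example written for this page (not Cisco code): a missing profile becomes an inactive placeholder and its logon is queued until the download completes, an active profile serves later logons without any RADIUS traffic, a timer refresh replaces the cached attributes and profile ID, a failed refresh keeps the cached copy and makes the next new logon retry the download, and a logon whose download fails is denied. The RADIUS server is replaced by a constructed stub so the model runs offline; modelling the profile ID as MD5 over the raw reply bytes, the `stale` flag, and the `in_use_only` switch that distinguishes the refresh command from the timer are this example's assumptions.

```python
"""Simulation of the service-profile cache states described above. Added example,
not Cisco code: the RADIUS transport is an injected fetch(service_name) callable
returning the reply bytes or None on failure, and the profile ID is modelled as
MD5 over those reply bytes."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Fetch = Callable[[str], Optional[bytes]]

@dataclass
class CachedProfile:
    name: str
    attrs: List[str] = field(default_factory=list)    # Service-Info values from RADIUS
    profile_id: Optional[str] = None                  # MD5 over the RADIUS reply
    active: bool = False                              # False until a download succeeds
    stale: bool = False                               # last timer refresh failed
    pending: List[str] = field(default_factory=list)  # logons queued during a download
    users: List[str] = field(default_factory=list)    # users connected to the service

class ServiceCache:
    def __init__(self, fetch: Fetch):
        self.fetch = fetch
        self.profiles: Dict[str, CachedProfile] = {}
        self.downloads = 0  # how many times RADIUS was actually asked

    def _download(self, p: CachedProfile) -> bool:
        """Ask RADIUS for the profile; the cached copy is touched only on success."""
        self.downloads += 1
        reply = self.fetch(p.name)
        attrs = [] if reply is None else [ln.split("=", 1)[1] for ln in reply.decode().splitlines()
                                          if ln.startswith("Service-Info=")]
        if not attrs:  # no reply, or a reply without Service-Info attributes
            return False
        p.attrs, p.profile_id = attrs, hashlib.md5(reply).hexdigest()
        p.active, p.stale = True, False
        return True

    def logon(self, user: str, service: str) -> str:
        p = self.profiles.setdefault(service, CachedProfile(service))
        if p.active and not p.stale:
            p.users.append(user)  # cache hit: no RADIUS traffic at all
            return "connected"
        if p.active and p.stale:  # kept after a failed refresh; a new user forces a retry
            if not self._download(p):
                return "denied"
            p.users.append(user)
            return "connected"
        # inactive profile: queue the request, then process the whole queue after the download
        p.pending.append(user)
        ok = self._download(p)
        queued, p.pending = p.pending, []
        if ok:
            p.users.extend(queued)
        return "connected" if ok else "denied"

    def refresh(self, service: Optional[str] = None, in_use_only: bool = True) -> Dict[str, bool]:
        """'ssg service-cache refresh [service]' (skips services not in use) or, with
        in_use_only=False, the periodic timer refresh of every cached profile."""
        results: Dict[str, bool] = {}
        for name in ([service] if service else list(self.profiles)):
            p = self.profiles.get(name)
            if p is None or not p.active or (in_use_only and not p.users):
                continue
            results[name] = self._download(p)
            if not results[name]:
                p.stale = True  # retain the cached copy; retry on the next new logon
        return results

def run_scenario() -> Dict[str, object]:
    """Walk the cache through the cases in the text against a constructed RADIUS stub."""
    replies = {"svc": b"Service-Info=R192.168.1.128;255.255.255.192\nService-Info=Gservice1\n"}
    radius_down = [False]
    cache = ServiceCache(lambda name: None if radius_down[0] else replies.get(name))
    out: Dict[str, object] = {}
    out["first"] = cache.logon("alice", "svc")              # miss: download, then connect
    out["second"] = cache.logon("bob", "svc")               # hit: served from the cache
    out["downloads_after_two_logons"] = cache.downloads
    old_id = cache.profiles["svc"].profile_id
    replies["svc"] = replies["svc"].replace(b"Gservice1", b"Gservice2")  # profile edited on RADIUS
    out["timer_refresh"] = cache.refresh(in_use_only=False)
    out["id_changed"] = cache.profiles["svc"].profile_id != old_id
    radius_down[0] = True
    out["refresh_while_down"] = cache.refresh(in_use_only=False)
    out["attrs_retained"] = cache.profiles["svc"].attrs[1]
    out["logon_while_down"] = cache.logon("carol", "svc")
    radius_down[0] = False
    out["logon_after_recovery"] = cache.logon("dave", "svc")
    out["unknown_service"] = cache.logon("eve", "nosuch")
    return out
```

run_scenario() shows the two logons causing a single download, the edited profile picked up by the timer refresh with a new profile ID, the cached attributes surviving the failed refresh, carol denied while RADIUS is unreachable, and dave connected once it recovers.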
Configuration of Cached Service Profiles
To enable cached service profiles, use the ssg service-cache enable command in global configuration mode. Cached service profiles are enabled by default.
To set the refresh interval, the length of time after which SSG downloads all existing service profiles again, use the ssg service-cache refresh-interval command in global configuration mode. The default refresh interval is two hours.
To refresh a service profile before the timer expires, use the ssg service-cache refresh command in privileged EXEC mode. You can refresh a specific service name or all services. If the named service is not in use when you enter the ssg service-cache refresh command, the command does not attempt to download its service profile.
Because SSG keeps using the cached copy until the next refresh, a change made to a profile on the RADIUS server (a tightened access control list or a removed service route, for example) does not take effect on the SSG for up to the full refresh interval. After changing a profile, run ssg service-cache refresh for that service, or shorten the refresh interval if profiles change often.