Data Sheet—Spring 2004
Cisco Service Selection Gateway for Multiprocessor WAN Application Module Mobile Wireless Applications
The Cisco® Service Selection Gateway (SSG) running on the Cisco Multiprocessor WAN Application Module (MWAM) is an important part of the Cisco Mobile Exchange that enables mobile wireless service providers to create new revenue-generating opportunities by offering on-demand services. Cisco SSG is a Cisco IOS® Software feature module that provides per-subscriber RADIUS authentication and accounting for differentiated services based on IP domains. Cisco SSG acts as a dynamic service creation and management platform that can aggregate incoming networks and apply dynamic policies to each user of those networks based on profile entries in authentication, authorization, and accounting (AAA), Lightweight Directory Access Protocol (LDAP), or Oracle databases. Users are allowed access to various services (groups of IP destinations) based on these profiles, and accounting for each service can be based on volume of traffic or time of connection. This improves flexibility and convenience for subscribers, including the ability to log on to multiple services simultaneously. These services can include open gardens, walled gardens, Internet, extranet, and corporate services, to name a few.
Cisco SSG works in conjunction with the Cisco Subscriber Edge Services Manager (SESM), a software toolkit that resides on a Windows/UNIX/Linux server. The Cisco SESM toolkit allows for external systems to control user connections on Cisco SSG dynamically. Together with the Cisco SESM, Cisco SSG provides dynamic service connect and disconnect, prepaid accounting, self-care, branding and advertising, bandwidth-on-demand, and captive portal capabilities. Subscribers interact with a Cisco SESM-based Web application using a standard Internet browser (Figure 1).
Figure 1. Cisco SSG and SESM Solution
Cisco SSG Service Types
• Pass-through—Traffic is forwarded by normal routing or next-hop table. The Cisco SSG performs AAA, but Network Address Translation (NAT) is not performed. This service type is well suited to standard Internet access.
• Tunnel—The Cisco SSG initiates a Layer 2 Tunneling Protocol (L2TP) connection to the remote L2TP network server (LNS). NAT is performed between the subscriber IP address and the LNS-assigned address. This service type is ideal for services that are already equipped for LNS, such as corporate and third-party data sources.
• Proxy—A remote server performs AAA and supports NAT when it assigns an IP address. This service type is well suited when a service must perform AAA itself.
Figure 2. Cisco SSG Service Types
Cisco SSG Features
Concurrent or Sequential Service Access Mode
Cisco SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access. In addition, Cisco SSG services can be configured into mutually exclusive groups, where the services within that group are sequential access, while services outside the group can be concurrent access.
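The following is an added illustration, not Cisco code: it encodes the access-mode rules stated above (a sequential service needs every other service logged out first; services sharing a mutually exclusive group cannot be active at the same time; everything else is concurrent) as a small policy check, so the interaction between the two mechanisms can be seen on constructed sample services. The service names and the `group` field name are assumptions for the example.

```python
"""Model of Cisco SSG concurrent/sequential service access decisions.

Added illustration, not Cisco code. Service names and the `group` attribute
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    mode: str                    # "concurrent" or "sequential"
    group: Optional[str] = None  # mutually exclusive group name, if any


def can_connect(new: Service, active: Sequence[Service]) -> Tuple[bool, str]:
    """Return (allowed, reason) for connecting `new` while `active` services are up."""
    if new in active:
        return False, f"{new.name} is already connected"
    # A sequential service may only be started when nothing else is active.
    if new.mode == "sequential" and active:
        others = ", ".join(s.name for s in active)
        return False, f"{new.name} is sequential; log out of {others} first"
    # Within a mutually exclusive group access is sequential: only one member at a time.
    if new.group is not None:
        clash = [s for s in active if s.group == new.group]
        if clash:
            return False, f"{new.name} shares group '{new.group}' with {clash[0].name}"
    # Otherwise the service is concurrent and may run alongside the others.
    return True, "ok"


# Constructed sample catalogue (hypothetical service names).
INTERNET = Service("internet", "concurrent")
CORP_A = Service("corp-a", "concurrent", group="corp")
CORP_B = Service("corp-b", "concurrent", group="corp")
VIDEO = Service("video", "sequential")


def demo() -> list:
    """Decisions for a user who already has 'internet' and 'corp-a' connected."""
    active = [INTERNET, CORP_A]
    return [(s.name, can_connect(s, active)[0]) for s in (CORP_B, VIDEO, INTERNET)]


if __name__ == "__main__":
    for name, allowed in demo():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The policy decision is intentionally separated from any session state so that the same function can be exercised from a test harness; in a real deployment the equivalent check happens inside the SSG when the SESM portal requests a service connect.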
TCP Redirect
The Cisco SSG allows users to authenticate without knowing the URL of the Cisco SESM Web portal. If a user who has not logged in sends packets upstream to a configurable group of TCP ports, the Cisco SSG sends those packets to a captive portal group (one or more servers). The Web portal handles the incoming packets in a suitable manner, such as returning a login page. When operating in a prepaid environment, Cisco SSG performs top-up redirection for low prepaid balances.
Domain Name System Redirection
When the Cisco SSG receives a Domain Name System (DNS) request, it performs domain-name matching by using the domain-name attribute from the service profiles of the currently logged-in services. If a match is found, the request is redirected to the DNS server for the matched service. If a match is not found and the user is logged in to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. If a match is not found and the user is not logged in to a service that has Internet connectivity, the request is forwarded to the DNS server defined in the client's TCP/IP stack.
DNS Fault Tolerance
The Cisco SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests are switched to the secondary server if the primary server fails to respond with a DNS reply within a certain time limit.
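As an added example for the DNS Redirection and DNS Fault Tolerance sections (not Cisco code), the following encodes the selection order stated above: match the queried name against the domain-name attribute of each logged-in service; otherwise use the first Internet-capable service in the user's access order; otherwise leave the query to the client's configured resolver. It also models the primary/secondary switch on a missing reply. The service names, addresses, and the `query` callback that simulates a timeout are constructed for the example; the real SSG timeout algorithm is not described on the page.

```python
"""Model of Cisco SSG DNS redirection and two-server DNS fault tolerance.

Added illustration, not Cisco code. Domains, server addresses and the
simulated resolver are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Service:
    name: str
    domains: Sequence[str]   # domain-name attribute(s) from the service profile
    dns: Sequence[str]       # primary server, optionally followed by a secondary
    internet: bool = False   # service provides Internet connectivity


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is `domain` or a subdomain of it (case-insensitive)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def select_service(qname: str, logged_in: Sequence[Service]) -> Optional[Service]:
    """Pick the logged-in service whose DNS server should receive `qname`.

    `logged_in` is in the user's service access order. Returns None when the
    query should be forwarded to the server configured in the client's stack.
    """
    for svc in logged_in:
        if any(matches_domain(qname, d) for d in svc.domains):
            return svc
    for svc in logged_in:
        if svc.internet:
            return svc
    return None


def resolve(svc: Service, qname: str,
            query: Callable[[str, str], Optional[str]]) -> str:
    """Query the primary server; switch to the secondary if it gives no reply.

    `query(server, qname)` returns the answer or None on timeout.
    """
    for server in svc.dns:
        answer = query(server, qname)
        if answer is not None:
            return answer
    raise TimeoutError(f"no DNS server of service {svc.name} answered {qname}")


# Constructed sample services (hypothetical names and addresses).
CORP = Service("corp", domains=["corp.example"], dns=["10.0.0.53", "10.0.0.54"])
ISP = Service("isp", domains=[], dns=["198.51.100.53"], internet=True)


def fake_query(server: str, qname: str) -> Optional[str]:
    """Simulated resolver: the corporate primary never answers."""
    if server == "10.0.0.53":
        return None
    return "10.1.2.3" if qname.endswith("corp.example") else "203.0.113.7"


if __name__ == "__main__":
    for name in ("mail.corp.example", "www.example.net"):
        svc = select_service(name, [ISP, CORP])
        target = svc.name if svc else "client-configured server"
        print(f"{name} -> {target}")
    print(resolve(CORP, "mail.corp.example", fake_query))
```

Note that only queries from users logged in to at least one service are steered; an unauthenticated user's query goes wherever the client's own resolver setting points, which is one reason captive-portal deployments pair DNS redirection with TCP redirect rather than relying on DNS alone.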
Auto-Logon
Auto-logon logs users into their default services as soon as they log on to the Cisco SSG. Users can bypass the Cisco SESM and access services directly.
Auto-Domain
Using auto-domain in the Cisco SSG, it is possible to automatically log on a user to a service, based on either the access point name identifier or a structured username of the form user@service, at account logon time. Users can bypass the Cisco SESM and access a service, such as a corporate intranet or an Internet service provider (ISP). Auto-domain is also supported from the Cisco SESM if a user enters a structured username at account logon time. Auto-domain in Cisco SSG can log a user on to either L2TP or proxy services.
Open Garden
All unauthenticated users can access open garden services. Operators can use this feature to provide self-provisioning, account maintenance, free services for trial, or to advertise services to their users. The service profile for open garden services is configured locally (local-profile), or remotely in a RADIUS, LDAP, or Oracle database. The traffic sent to the open garden services is not accounted for.
Cisco SSG Mobile Wireless Applications
Dynamic Subscriber Provisioning Using a Single APN
By simply changing the user's policy profile in an AAA, LDAP, or Oracle database, the service provider can allow or deny access to services in real time, providing differentiated services based on the subscriber's rate plan. When this policy provisioning is applied in conjunction with Cisco SESM and a portal application, user self-provisioning can be provided. For example, for a new user, the Cisco SSG redirects the traffic to a portal where the user can enter information to set up a new account. When the user has entered the necessary information, the portal opens the appropriate service by interfacing to the Cisco SSG through Cisco SESM (Figure 3).
Figure 3. Operator Dynamic Service Provisioning and Subscriber Self Care
Network Aggregation
The Cisco SSG can aggregate the service creation and management function for multiple types of networks, including General Packet Radio Service (GPRS), Universal Mobile Telecommunications Service (UMTS), Code Division Multiple Access (CDMA), Integrated Digital Enhanced Network (iDEN), Circuit Switched Data (CSD), Wireless LAN (WLAN), and more, giving users the same user experience, regardless of the type of access. From a service provider perspective, this allows for common service management operation across multiple network types and multiple gateway vendors. This also provides investment protection as the network evolves (Figure 4).
Figure 4. Common Service Creation and Management
Captive Portal
Initial traffic from the user can be redirected to a portal application that controls the Cisco SSG through the Cisco SESM. This flexibility opens up the possibility of advertisement, graphical service control, value-added services, user self-provisioning, and account top-up, to name a few (Figure 5).
Figure 5. Portal Enablement
Corporate Access
By using the ability of the Cisco SSG to establish L2TP tunnels to the LNS in enterprises and act as a proxy to the remote AAA server, operators can offer corporate data services. When users sign in to the Cisco SSG, they are also logged in to the corporate network (Single-Sign-On). If the private IP addresses between multiple corporations overlap, Cisco SSG can perform NAT to map these to nonoverlapping addresses on the end-user side of the Cisco SSG (Figure 6).
Figure 6. Enterprise Connectivity
Cisco SSG MWAM Ordering Information