
Table of Contents

Node Route Processor—Service Selection Gateway
Feature Overview
Benefits
Related Features and Technologies
Related Documents
Supported Platforms
New Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Configuring RADIUS Profiles
Configuring Security

Verifying Security
Configuring a Default Network
Verifying the Default Network
Configuring Interfaces
Verifying Interfaces
Configuring Services
Verifying Services
Configuring Local Service Profiles
Verifying Local Service Profiles
Configuring Transparent Passthrough
Verifying Transparent Passthrough
Configuring Redundancy
Verifying Redundancy
Configuring Fastswitching
Verifying Fastswitching
Configuring Multicast
Verifying Multicast
Verifying NRP-SSG Configuration
Monitoring and Maintaining the NRP-SSG
Configuration Examples
Security
Default Network
Interfaces
Services
Service Search Order
Next-Hop Table
Max Services
Local Service Profile
Transparent Passthrough Filter
Redundancy
Fastswitching
Multicast
Command Reference
attr
clear ssg connection
clear ssg host
clear ssg next-hop
clear ssg pass-through-filter
clear ssg service
local-profile
show ssg binding
show ssg connection
show ssg direction
show ssg host
show ssg next-hop
show ssg pass-through-filter
show ssg service
ssg bind direction
ssg bind service
ssg default-network
ssg fastswitch
ssg maxservice
ssg multicast
ssg next-hop
ssg pass-through
ssg radius-helper
ssg service-password
ssg service-search-order
Debug Commands
debug ssg ctrl-errors
debug ssg ctrl-events
debug ssg ctrl-packets
debug ssg data
debug ssg data-nat
debug ssg errors
debug ssg events
Glossary

Node Route Processor—Service Selection Gateway


This feature module describes the Node Route Processor-Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.

This document includes the following sections:

Feature Overview


The NRP-SSG is a feature of Cisco IOS Release 12.0(3)DC. It is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as Asymmetric Digital Subscriber Line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD). The Cisco SSD is a customizable web-based application that allows users to select from multiple passthrough and proxy services through a standard web browser.

Figure 1 shows a diagram of a typical network topology including the NRP-SSG. This is an end-to-end, service-oriented DSL deployment consisting of Digital Subscriber Line Access Multiplexers (DSLAMs), ADSL modems, and other internetworking components and servers. The NRP-SSG resides in the Cisco 6400 universal access concentrator, which acts as a central control point for Layer 2 and Layer 3 services. This can include services available through Asynchronous Transfer Mode (ATM) virtual circuits (VCs), virtual private dial-up networks (VPDNs), or normal routing methods.


Figure 1   NRP-SSG Connection Between ADSL Equipment and Network Services

The NRP-SSG communicates with the authentication, authorization, and accounting (AAA) management network, where the Remote Authentication Dial-In User Service (RADIUS), Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside, and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.

A licensed version of the NRP-SSG works with the Cisco SSD to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This improves flexibility and convenience for subscribers, and enables service providers to bill subscribers based on connect time and services used, rather than charging a flat rate.

The user opens an HTML browser and accesses the URL of the Cisco SSD, a web server application. The Cisco SSD forwards user login information to the NRP-SSG, which forwards the information to the AAA server.

Based on the contents of the Access-Accept response, the Cisco SSD presents a dashboard menu of services that the user is authorized to use, and the user selects one or more of the services. The NRP-SSG then creates an appropriate connection for the user and starts RADIUS accounting for the connection.

Note that when a non-Point-to-Point Protocol (non-PPP) user, such as in a bridged networking environment, disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the logon procedure. This is because no direct connection (PPP) exists between the subscribers and the NRP-SSG. To prevent non-PPP users from being logged on to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.

Note that the Cisco SSD functionality discussed throughout this document is available only with the NRP-SSG with Web Selection product.

Benefits

Web-Based Dashboard

The NRP-SSG with Web Selection works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server that allows users to log on to and disconnect from multiple passthrough and proxy services through a standard web browser.

After the user opens a web browser, the NRP-SSG allows access to a single IP address or subnet, referred to as the "default network." This is typically the IP address of the Cisco SSD. The Cisco SSD prompts the user for a username and password. After the user is authenticated, the Cisco SSD presents a list of available services.

RADIUS Authentication and Accounting

The NRP-SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).

Multiple Traffic-Type Support

The NRP-SSG supports the following types of services:

Passthrough

The NRP-SSG can forward traffic through any interface via normal routing or a next hop table. Because Network Address Translation (NAT) is not performed for this type of traffic, overhead is reduced. Passthrough service is ideal for standard Internet access.

Proxy

When a subscriber requests access to a proxy service, the NRP-SSG proxies the Access-Request to the remote AAA server. Upon receiving an Access-Accept from the remote RADIUS server, the NRP-SSG responds to the subscriber with the Access-Accept. To the remote AAA server, the NRP-SSG appears as a RADIUS client.

During remote authentication, if the RADIUS server assigns an IP address to the subscriber, the NRP-SSG performs NAT between the assigned IP address and the subscriber's real IP address. If the remote RADIUS server does not assign an IP address, NAT is not performed.

When a user selects a proxy service, there is another username and password prompt. After authentication, the service is accessible until the user logs out from the service, logs out from the Cisco SSD, or is timed out.

Transparent Passthrough

When enabled, transparent passthrough allows unauthenticated subscriber traffic to be routed through the NRP-SSG in either direction. Filters can be specified to control transparent passthrough traffic. Some of the applications for this feature include:

Multicast

The NRP-SSG supports multicast traffic, which includes normal multicast packets and Internet Group Management Protocol (IGMP) packets.

In order for the NRP-SSG to forward multicast packets to the IOS routing engine, it must be configured as follows:

If multicast is not enabled, multicast packets received on the interface will be dropped.

PPP Termination Aggregation (PTA)

PTA can only be used by PPP-type users. AAA is performed exactly as in the proxy service type. A subscriber logs on to a service using a PPP dialer application with a username of the form user@service. The NRP-SSG recognizes the @service as a service profile and loads the service profile from the local configuration or a AAA server. The NRP-SSG forwards the AAA request to the remote RADIUS server as specified by the service profile's RADIUS-Server Attribute. An address is assigned to the subscriber through RADIUS Attribute 8 or Cisco-AVpair "ip:addr-pool." NAT is not performed, and all user traffic is aggregated to the remote network. With PTA, users can only access one service. Users will not have access to the default network or the Cisco SSD.

PTA-MD

While PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale VPN model where each domain is isolated from the others by an ATM core and has the capability to support overlapping IP addresses.

Packet Filtering

The NRP-SSG uses IOS access control lists (ACLs) to prevent users, services, and passthrough traffic from accessing specific IP addresses and ports.

When an ACL attribute is added to a service profile, all users of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.

When an ACL attribute is added to a user profile, it will apply globally to all of the user's traffic.

Upstream and downstream attributes, including inacl and outacl attributes, can be added to a special pseudo-service profile that can be downloaded to the NRP-SSG from a RADIUS server. Additionally, locally configured ACLs can be used. After the ACLs have been defined, they are applied to all traffic passed by the transparent passthrough feature.

Service Access Order

When users are accessing multiple services, the NRP-SSG must determine the services for which the packets are destined. To do this, the NRP-SSG uses an algorithm to create a service access order list. This list is stored in the user's host object and contains services that are currently open and the order in which they are searched.

The algorithm that creates this list orders the open services based on the size of the network. Network size is determined by the subnet mask of the Service Route RADIUS attribute. A subnet that contains more hosts implies a larger network. In the case of networks that are the same size, the services will be listed in the order in which they were last accessed.

When creating service profiles, be sure to define as small a network as possible. If there is overlapping address space, packets might be forwarded to the wrong service.

Next Hop Gateway

The next hop gateway attribute is used to specify the next hop key for a service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address.

Note that this attribute overrides the IP routing table for packets destined to a service.

DNS Redirection

When the NRP-SSG receives a DNS request, it performs domain name matching using the Domain Name attribute from the service profiles of the services the user is currently logged on to.

If a match is found, the request is redirected to the DNS server for the matched service.

If a match is not found and the user is logged on to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. Internet connectivity is defined as a service containing a Service Route attribute of 0.0.0.0/0.

If a match is not found and the user is not logged on to a service that has Internet connectivity, the request is forwarded using the normal routing methods specified in the client's Transmission Control Protocol/Internet Protocol (TCP/IP) stack.
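
The service access order list and the DNS redirection rules above, as an added Python example written for this page (not Cisco code): it builds the ordered list from the Service Route sizes, resolves a destination address to the first covering open service, and applies the three DNS redirection rules. The page says only that the list is ordered by network size; that the smallest network is searched first is an assumption of this example, as are the service names, addresses and access counters in the demo.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OpenService:
    """A service the user is logged on to, as kept in the user's host object."""
    name: str
    routes: list                                  # Service Route networks ("Rip;mask")
    dns: Optional[str] = None                     # primary DNS Server Address ("D...")
    domains: list = field(default_factory=list)   # Domain Name entries ("O...")
    last_access: int = 0                          # higher = accessed more recently

    def size(self) -> int:
        # Network size as the page defines it: more hosts means a larger network.
        return max(r.num_addresses for r in self.routes)

    def has_internet(self) -> bool:
        # Internet connectivity = a Service Route of 0.0.0.0/0.
        return any(r.prefixlen == 0 for r in self.routes)


def route(attr: str):
    """Turn a Service Route value such as 'R192.168.1.128;255.255.255.192' into a network."""
    addr, mask = attr[1:].split(";")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def service_access_order(open_services):
    """Smallest network first (assumed), most recently accessed first among equal sizes."""
    return sorted(open_services, key=lambda s: (s.size(), -s.last_access))


def select_service(order, dst):
    """Name of the first service in the access order whose Service Routes cover dst."""
    dst = ipaddress.ip_address(dst)
    for svc in order:
        if any(dst in r for r in svc.routes):
            return svc.name
    return None   # no open service claims the packet


def redirect_dns(order, qname):
    """Rule 1: Domain Name match. Rule 2: first Internet service. Rule 3: client resolver."""
    for svc in order:
        if any(qname == d or qname.endswith("." + d) for d in svc.domains):
            return svc.dns
    for svc in order:
        if svc.has_internet():
            return svc.dns
    return None   # forwarded as the client's own TCP/IP stack is configured


def demo():
    corp = OpenService("corp", [route("R10.0.0.0;255.255.255.0")], "10.0.0.53",
                       ["corp.example"], last_access=1)
    partner = OpenService("partner", [route("R10.0.0.0;255.0.0.0")], "10.1.0.53",
                          ["partner.example"], last_access=3)
    internet = OpenService("internet", [route("R0.0.0.0;0.0.0.0")], "192.0.2.53",
                           last_access=2)
    order = service_access_order([internet, partner, corp])
    # Same-size overlap: a second /8 accessed more recently wins the tie-break, so
    # 10.9.9.9 is steered to "other" although "partner" also covers it. This is the
    # misdirection the page warns about when address space overlaps.
    other = OpenService("other", [route("R10.0.0.0;255.0.0.0")], last_access=4)
    overlap = service_access_order([internet, partner, corp, other])
    return {
        "order": [s.name for s in order],
        "corp_host": select_service(order, "10.0.0.7"),
        "partner_host": select_service(order, "10.9.9.9"),
        "public_host": select_service(order, "203.0.113.5"),
        "overlap_host": select_service(overlap, "10.9.9.9"),
        "dns_corp": redirect_dns(order, "mail.corp.example"),
        "dns_default": redirect_dns(order, "www.example.net"),
        "dns_no_internet": redirect_dns([corp], "www.example.net"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "overlap_host" result is the practical reason for the advice to define Service Routes as narrowly as possible: when two open services cover the same address with the same mask, only the access history decides which one receives the packet.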

Fault Tolerance for DNS

The NRP-SSG can be configured to work with a single DNS server, or two servers in a fault-tolerant configuration. Based on an internal algorithm, DNS requests will be switched to the secondary server if the primary server begins to perform poorly or fails.

Session-Timeout and Idle-Timeout RADIUS Attributes

In a dial-up networking or bridged (non-PPP) network environment, a user might disconnect from the NAS and release the IP address without logging out from the NRP-SSG. If this happens, the NRP-SSG continues to allow traffic from that IP address, so a different user who later obtains the same address inherits the first user's open services and accounting session without authenticating.

The NRP-SSG provides two mechanisms to prevent this problem: the Session-Timeout and Idle-Timeout RADIUS attributes.

The Session-Timeout and Idle-Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute applies individually to each service connection.

Concurrent or Sequential Service Access Mode

NRP-SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.

Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.

Extended High System Availability

The NRP-SSG supports extended high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the Cisco 6400 for adjacent slot or subslot pairs. For example, if you have NRP-SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant NRP-SSGs, you can configure automatic synchronization between the two. You can also manually force the primary and secondary devices in a redundant pair to switch roles. See the Cisco 6400 UAC Software Configuration Guide for more information on EHSA redundancy.

Related Features and Technologies

The NRP-SSG works in conjunction with the Cisco SSD. The Cisco SSD is a specialized web server, populated by the service provider, that lists all of the potential networks (or services) a particular customer can access. Customers select and deselect services from a menu through an HTML browser.

Related Documents

For related information on this feature, refer to the following documents:

Supported Platforms


This feature is supported on these platforms:

New Supported Standards, MIBs, and RFCs


MIBs

None

RFCs

None

Standards

None

Prerequisites


Cisco Service Selection Dashboard

If you want to perform Layer 3 service selection, you must install and configure the Cisco Service Selection Dashboard as described in the Cisco Service Selection Dashboard User Guide.

Configuration Tasks


Perform the following tasks to configure the NRP-SSG.

The following tasks are optional:

Configuring RADIUS Profiles

You must set up user and service RADIUS profiles on the AAA server as described in this section. Service profiles can also be defined locally using the local-profile command. You can optionally set up pseudo-service profiles, also described in this section.

This section describes RADIUS attributes that can be used to define specific AAA elements in NRP-SSG user profiles, service profiles, and specialized pseudo-service profiles.

For detailed information on the syntax of these attributes, see "NRP-SSG Vendor-Specific Attributes".

User Profiles

RADIUS user profiles contain a password, a list of subscribed services and/or groups, and access control lists.

Cisco AVPair Attributes

This section specifies Cisco AVPair attributes that appear within user profiles.

Table 1   Cisco AVPair Attributes

Attribute Usage

Upstream Access Control List (inacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Downstream Access Control List (outacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

User Profile Attributes

This section specifies standard and vendor-specific RADIUS attributes that can be used in NRP-SSG user profiles.

Table 2   User Profile Attributes

Attribute Usage

Password

Specifies the user's password (check attribute).

Session-Timeout

Specifies, in seconds, the maximum length of the user's session (reply attribute).

Idle-Timeout

Specifies, in seconds, the maximum time a connection can remain idle (reply attribute).

Service Name

Subscribes the user to a service. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service to which the user is subscribed (reply attribute).

Service Group

Subscribes the user to a service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service group to which the user is subscribed (reply attribute).

Auto Service

Automatically logs a user into a service when the user logs on to the NRP-SSG (reply attribute).

Service Profiles

Service profiles include the password, service type (outbound), type of service (passthrough or proxy), the service access mode (sequential or concurrent), the DNS server IP address, networks that exist in the service domain, access control lists, and other optional attributes.

Cisco AVPair Attributes

This section specifies Cisco AVPair attributes that appear within service profiles.

Table 3   Cisco AVPair Attributes

Attribute Usage

Upstream Access Control List (inacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Downstream Access Control List (outacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

Standard Service Profile Attributes

This section specifies standard RADIUS attributes that can be used in NRP-SSG service profiles.

Table 4   Standard Service Profile Attributes

Attribute Usage

Password

Specifies the password (check attribute).

Service-Type

Specifies the level of service (check attribute). Must be "outbound."

Session-Timeout

Specifies, in seconds, the maximum length of the session (reply attribute).

Idle-Timeout

Specifies, in seconds, the maximum time a service connection can remain idle (reply attribute).

NRP-SSG Specific Service Profile Attributes

This section specifies VSAs that appear within service profiles.

Table 5   NRP-SSG Service Profile Attributes

Attribute Usage

Type of Service

(Optional) Indicates whether the service is proxy (requiring remote authentication) or passthrough (does not require authentication). The default is passthrough.

Service Mode

(Optional) Specifies whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent.

DNS Server Address

(Optional) Specifies the primary and/or secondary DNS servers for this service.

Service Route

(Required) Specifies networks that exist for the service. There can be multiple instances of this attribute within a single service profile.

RADIUS Server

(Required for proxy services) Specifies the remote RADIUS server that the NRP-SSG will use to authenticate and authorize a service log on for a proxy service type.

Next Hop Gateway

(Optional) Specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Pseudo-Service Profile".

Domain Name

(Optional) Specifies domain names that get DNS resolution from the DNS server(s) specified in DNS Server Address.

Service Description

(Optional) Provides a description of the service that is displayed to the user.

Service Group Profiles

Service group profiles contain a list of services and/or service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the password and the service type (outbound) as check attributes and a list of services and/or a list of service groups as reply attributes.

This section specifies vendor-specific attributes that can be used in NRP-SSG service group profiles.

Table 6   Service Group Profile Attributes

Attribute Usage

Service Name

Lists services that belong to the service group. There can be multiple instances of this attribute within a single service group profile. Use one attribute for each service (reply attribute).

Service Group

Lists the service subgroups that belong to this service group. When configured, the service group and service name attributes can define an organized directory structure for accessing services.

There can be multiple instances of this attribute within a service group profile. Use one attribute for each service subgroup that belongs to this service group.

Group Description

Provides a description of the service group.

Password

Specifies the password (check attribute).

Service-Type

Specifies the level of service (check attribute). Must be "outbound."

Pseudo-Service Profiles

This section describes pseudo-service profiles. Pseudo-service profiles are used to define variable length tables or lists of information in the form of services. There are currently two types of pseudo-service profiles: Transparent Passthrough Filter and Next Hop Gateway. The following sections describe both types.

Transparent Passthrough Filter Pseudo-Service Profile

Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the NRP-SSG through the Cisco SSD) to be routed through normal IOS processing.


Note      Transparent passthrough is supported only in Cisco IOS Releases 12.0(3)DC and 12.0(5)DC.


Table 7   Transparent Passthrough Filter Pseudo-Service Profile Attributes

Attribute Usage

Upstream Access Control List (inacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Downstream Access Control List (outacl)

Specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

The Transparent Passthrough Filter pseudo-service profile allows or denies access to IP addresses and ports accessed through the transparent passthrough feature.

To define what traffic can pass through, the NRP-SSG downloads the Transparent Passthrough Filter pseudo-service profile. This profile contains a list of access control list (ACL) attributes. Each item contains an IP address or range of IP addresses, a list of port numbers, and specifies whether traffic is allowed or denied.

To create a filter for transparent passthrough, create a profile that contains ACL attributes that define what can and cannot be accessed.

You can also create ACLs locally. For more information, see the ssg pass-through command in the Command Reference section.

Next Hop Gateway Pseudo-Service Profile

Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key, which is any string identifier, rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses.

Table 8   Next Hop Gateway Pseudo-Service Profile Attributes

Attribute Usage

Next Hop Gateway Entry

Associates next hop gateway keys with IP addresses.

To create a next hop gateway table, create a profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG if the next hop IP addresses are different. For an example next hop gateway pseudo-service profile, see "Sample Pseudo-Service Profiles".

For more information, see the ssg next-hop command in the Command Reference section.

NRP-SSG Vendor-Specific Attributes

The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.

Table 9 lists vendor-specific attributes used by the NRP-SSG. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (SSD) can send requests to the NRP-SSG to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.

Table 9   Vendor-Specific RADIUS Attributes for the NRP-SSG

AttrID  VendorID  SubAttrID  SubAttrName   SubAttrDataType
26      9         1          Cisco-AVpair  String
26      9         250        Account-Info  String
26      9         251        Service-Info  String
26      9         253        Control-Info  String

The following sections describe the format of each subattribute.


Note      All RADIUS attributes are case sensitive.


Cisco-AVpair Attribute

The Cisco-AVpair attributes are used in user and service profiles. The Cisco-AVpair attributes are used to configure ACLs.

Upstream Access Control List

This attribute specifies either an IOS standard access control list or an extended access control list to be applied to upstream traffic coming from the user.

Cisco-AVpair = "ip:inacl[#number]={standard-access-control-list | extended-access-control-list}"
Syntax Description

number

Access list identifier.

standard-access-control-list

Standard access control list.

extended-access-control-list

Extended access control list.

Example
Cisco-AVpair="ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"

Note      There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.


Downstream Access Control List

This attribute specifies either an IOS standard access control list or an extended access control list to be applied to downstream traffic going to the user.

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | extended-access-control-list}"
Syntax Description

number

Access list identifier.

standard-access-control-list

Standard access control list.

extended-access-control-list

Extended access control list.

Example
Cisco-AVpair="ip:outacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21"

Note      There can be multiple instances of this attribute within profiles. Use one attribute for each access control list statement. Multiple attributes can be used for the same ACL. Multiple attributes will be downloaded according to the number specified and executed in that order.


Account-Info Attributes

The Account-Info attributes are used in user profiles and service group profiles.

User profiles define the password and services and/or groups to which the user is subscribed.

Service group profiles contain a list of services and/or service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user is automatically subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services and/or a list of other service groups.

Example (RADIUS Freeware Format)
Account-Info = "Nservice1.com"
Example (CiscoSecure ACS for UNIX and UCP Format)
9,250 = "Nservice1.com"

Service Name

In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.

Account-Info = "Nname"
Syntax Description

name

Name of the service profile.

Example
Account-Info = "Ncisco.com"

Note      There can be multiple instances of this attribute within a user or service profile. Use one attribute for each service.


Service Group

In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.

Account-Info = "Gname"
Syntax Description

name

Name of the group profile.

Example
Account-Info = "GServiceGroup1"

Note      There can be multiple instances of this attribute within a user or service group profile. Use one attribute for each service group.


Auto Service

This attribute subscribes the user to a service and automatically logs the user on to the service when the user accesses the Cisco SSD. Each user profile can have more than one auto service attribute.

Account-Info = "Aservicename[;username;password]"
Syntax Description

servicename

Name of the service.

username

Username used to access the service. Required for proxy services.

password

Password used to access the service. Required for proxy services.

Example
Account-Info = "Agamers.net;jdoe;secret"

Note      The user must be subscribed to this service. See "Service Name".


Group Description

This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service group profile name is used.

Account-Info = "Idescription"
Syntax Description

description

Description of the service group.

Example
Account-Info = "ICompany Intranet Access"

Service-Info Attributes

The Service-Info attributes are used to define a service. The following attributes define the parameters for a service.

Service Description

This attribute describes the service. This attribute is optional.

Service-Info = "Idescription"
Syntax Description

description

Description of the service.

Example
Service-Info = "ICompany Intranet Access"

Type of Service

This attribute indicates whether the service is proxy or passthrough. This attribute is optional.

Service-Info = "Ttype"
Syntax Description

type

P—Passthrough. Indicates the user's packets are forwarded through the NRP-SSG. This is the default.

X—Proxy. Indicates the NRP-SSG performs proxy service.

Example
Service-Info = "TP"

Service Mode

This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). The default is concurrent. This attribute is optional.

Service-Info = "Mmode"
Syntax Description

mode

S—Sequential mode.

C—Concurrent mode. This is the default.

Example
Service-Info = "MS"

DNS Server Address

This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the NRP-SSG can send DNS requests to the primary DNS server until performance is diminished or it fails (failover). This attribute is optional.

Service-Info = "Dip_address_1[;ip_address_2]"
Syntax Description

ip_address_1

IP address of the primary DNS server.

ip_address_2

(Optional) IP address of the secondary DNS server used for fault tolerance.

Example
Service-Info = "D192.168.1.2;192.168.1.3"

Service Route

This attribute specifies networks available to the user for this service. This attribute is required.

Service-Info = "Rip_address;mask"
Syntax Description

ip_address

IP address.

mask

Subnet mask.

Usage

Use the Service Route attribute to specify networks that exist for a service. For more information, see "Service Access Order".


Note      An Internet service is typically specified as "R0.0.0.0;0.0.0.0" in the service profile.


Example
Service-Info = "R192.168.1.128;255.255.255.192"

Note      There can be multiple instances of this attribute within a single service profile.


RADIUS Server

This attribute specifies the remote RADIUS server that the NRP-SSG uses to authenticate, authorize, and perform accounting for a service logon to a proxy service. This attribute is used only in proxy service profiles, where it is required.

Service-Info = "SRadius-server-address;auth-port;acct-port;secret-key"
Syntax Description

Radius-server-address

IP address of the RADIUS server.

auth-port

UDP port number for authentication and authorization requests.

acct-port

UDP port number for accounting requests.

secret-key

RADIUS shared secret between the NRP-SSG and this remote RADIUS server. The secret is carried in cleartext inside this attribute, both in the stored service profile and in the Access-Accept that delivers the profile to the NRP-SSG, so protect the profile store and the path to the local RADIUS server accordingly.

Example
Service-Info = "S192.168.1.1;1645;1646;cisco"

Service Next Hop Gateway

This attribute specifies the next hop key for this service. Each NRP-SSG uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see "Next Hop Gateway Table Entry". This attribute is optional.

Service-Info = "Gkey"
Syntax Description

key

Name of the next hop.

Example
Service-Info = "Gnexthop1"

Domain Name

This attribute specifies domain names that get DNS resolution from the DNS server(s) specified in DNS server address. This attribute is optional.

Service-Info = "Oname1[;name2]...[;nameX]"
Syntax Description

name1

Domain name that gets DNS resolution from this server.

name2...X

(Optional) Additional domain name(s) that gets DNS resolution from this server.

Usage

Use the Domain Name attribute to specify the domain names that get DNS resolution from the DNS server(s) given in the DNS Server Address attribute. For more information, see "Service Access Order".

Example
Service-Info = "Ocisco.com;cisco-sales.com"

Note      There can be multiple instances of this attribute within a single service profile.


Service User

This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway.

Service-Info = "Uusername"
Syntax Description

username

The name provided by the user for authentication.

Example
Service-Info = "Ujoe@cisco.com"

Note      This attribute is only used for accounting purposes and does not appear in profiles.


Service Name

This attribute defines the name of the service.

Service-Info = "Nname"
Syntax Description

name

Name of the service profile or service that belongs to a service group.

Example
Service-Info = "Nservice1.com"

Note      This attribute is only used for accounting purposes and does not appear in profiles.


Control-Info Attributes

The Control-Info attributes are used to define lists or tables of information.

Next Hop Gateway Table Entry

Because multiple NRP-SSGs might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each NRP-SSG to determine the IP address of the next hop, each NRP-SSG downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see "Service Next Hop Gateway".


Note      This attribute is only used in Next Hop Gateway pseudo-service profiles and should not appear in service profiles or user profiles.


Control-Info = "Gkey;ip_address"
Syntax Description

key

Service name or key specified in the Service Next Hop Gateway service profile.

ip_address

IP address of the next hop for this service.

Usage

Use this attribute to create a next hop gateway table for the selected NRP-SSG.

To define the IP address of the next hop for each service, the NRP-SSG downloads a special service profile that associates the next hop gateway key for each service with an IP address.

To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each NRP-SSG.

For more information, see the ssg next-hop command in the Command Reference section.

Example
Control-Info = "GNHT_for_SSG_1;192.168.1.128"

Octets Output

Current RADIUS standards only support counting up to 32 bits of data with the Acct-Output-Octets attribute (a maximum of 4294967295 bytes). Technologies such as ADSL carry far more than that within a single session.

So that the accounting server can track and bill for this usage, the NRP-SSG adds the Octets Output attribute.

The Octets Output attribute records how many times the 32-bit outbound byte counter wrapped to 0 and the value of that counter when the stop record was generated.

Control-Info = "Orollover;value"
Syntax Description

rollover

Number of times the 32-bit integer rolled over to 0.

value

Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 2^32 + value

Example

In the following example, the rollover is 2 and the value is 153 (2 * 2^32 + 153 = 8589934745):

Control-Info = "O2;153"

Note      This attribute is only used for accounting purposes and does not appear in profiles.


Octets Input

Current RADIUS standards only support counting up to 32 bits of data with the Acct-Input-Octets attribute (a maximum of 4294967295 bytes). Technologies such as ADSL carry far more than that within a single session.

So that the accounting server can track and bill for this usage, the NRP-SSG adds the Octets Input attribute.

The Octets Input attribute records how many times the 32-bit inbound byte counter wrapped to 0 and the value of that counter when the stop record was generated.

Control-Info = "Irollover;value"
Syntax Description

rollover

Number of times the 32-bit integer rolled over to 0.

value

Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 2^32 + value

Example

In the following example, the rollover is 3 and the value is 151 (3 * 2^32 + 151 = 12884902039):

Control-Info = "I3;151"

Note      This attribute is only used for accounting purposes and does not appear in profiles.

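Both Control-Info attribute groups above, the next hop gateway table and the Octets Output/Input rollover counters, are exercised by the following example, which is added here and is not Cisco's own code. It builds a next hop table from a pseudo-service profile, resolves a service's G key against it, and reconstructs the real 64-bit byte counts from a stop record with rollover * 2^32 + value. The profile text, the stop record lines, the key names, and the cross-check that the rollover value must equal the plain Acct-Input-Octets/Acct-Output-Octets attribute when both appear in the same record are constructed assumptions for illustration.

```python
"""Decode NRP-SSG Control-Info attributes: next hop gateway tables and the
Octets Output/Input rollover counters.  Example code added for
illustration; not Cisco's own.  All sample text is constructed."""
import ipaddress
import re

CONTROL_RE = re.compile(r'Control-Info\s*=\s*"([^"]*)"')
ACCT_OCTETS_RE = re.compile(r'Acct-(Input|Output)-Octets\s*=\s*(\d+)')

# Constructed next hop gateway pseudo-service profile for one NRP-SSG.
NEXT_HOP_PROFILE = '''
NHT_for_SSG_1 Password = "servicecisco"
    Control-Info = "Gnexthop1;192.168.1.128",
    Control-Info = "Ginternet;10.1.1.254"
'''

# Constructed accounting stop record fragment carrying both rollover attributes.
STOP_RECORD = '''
    Acct-Status-Type = Stop
    Acct-Output-Octets = 153
    Acct-Input-Octets = 151
    Control-Info = "O2;153"
    Control-Info = "I3;151"
'''


def next_hop_table(text):
    """Map next hop keys (the Service-Info "G" value in service profiles)
    to IP addresses, from the Control-Info "Gkey;ip" entries."""
    table = {}
    for value in CONTROL_RE.findall(text):
        if not value or value[0] != "G":
            continue
        key, addr = value[1:].split(";")
        if key in table:
            raise ValueError("duplicate next hop key %r" % key)
        table[key] = ipaddress.ip_address(addr)
    return table


def resolve_next_hop(table, key):
    """Return the next hop address for a service's key, or None when this
    NRP-SSG's table has no entry for it."""
    return table.get(key)


def octet_counts(text):
    """Return (input_bytes, output_bytes) reconstructed from a stop record.

    Each Control-Info "Irollover;value" / "Orollover;value" attribute gives
    rollover * 2**32 + value.  If the record also carries the plain 32-bit
    Acct-Input-Octets / Acct-Output-Octets attribute, its value must match
    the rollover attribute's value (assumed consistency check).
    """
    plain = {m.group(1)[0]: int(m.group(2))
             for m in ACCT_OCTETS_RE.finditer(text)}
    totals = {}
    for value in CONTROL_RE.findall(text):
        if not value or value[0] not in ("I", "O"):
            continue
        code = value[0]
        rollover, low = (int(x) for x in value[1:].split(";"))
        if rollover < 0 or not 0 <= low < 2 ** 32:
            raise ValueError("bad rollover attribute %r" % value)
        if code in plain and plain[code] != low:
            raise ValueError("Control-Info %s value %d disagrees with "
                             "Acct-*-Octets %d" % (code, low, plain[code]))
        totals[code] = rollover * 2 ** 32 + low
    return totals.get("I"), totals.get("O")


if __name__ == "__main__":
    table = next_hop_table(NEXT_HOP_PROFILE)
    print("nexthop1 ->", resolve_next_hop(table, "nexthop1"))
    print("input, output bytes:", octet_counts(STOP_RECORD))
```

Run each NRP-SSG's own pseudo-service profile through next_hop_table separately, since the same key legitimately maps to different addresses on different gateways; a key missing from a table yields None rather than a guessed address.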

Sample User and Service Profiles

This section provides samples of user profiles and service profiles used with the NRP-SSG.

Sample User Profile

The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:

bert Password = "ernie"
Session-Timeout = 21600,
Account-Info = "GServiceGroup1",
Account-Info = "Nservice1.com",