Table Of Contents
Configuring ISA Control Policies
Prerequisites for Configuring ISA Control Policies
Restrictions for Configuring ISA Control Policies
Information About ISA Control Policies
How to Configure an ISA Control Policy
Configuring a Control Class Map
Configuring a Control Policy Map
Applying the Control Policy Map
Applying a Control Policy Map Globally on the Router
Applying a Control Policy Map to an Interface or Subinterface
Applying a Control Policy Map to a Virtual Template
Applying a Control Policy Map to an ATM VC Class
Applying a Control Policy Map to an ATM PVC
Monitoring and Maintaining ISA Control Policies
Configuration Examples for ISA Control Policies
Control Policy for Layer 2 Access and Service Provisioning: Example
Control Policy Restricting Access on the Basis of Interface and Access Media: Example
Control Policy for ISA Prepaid Billing Support: Example
Control Policies for ISA Transparent Autologon: Example
Feature Information for ISA Control Policies
Configuring ISA Control Policies
The Intelligent Service Architecture (ISA) is a core set of Cisco IOS components that provide a structured framework in which edge access devices can deliver flexible and scalable services to subscribers. A Cisco device that is running a Cisco IOS image with ISA is called an Intelligent Service Gateway (ISG). ISA control policies are a means of defining the actions that your system will take in response to specified conditions and events. A wide variety of system actions, conditions, and events can be combined using a consistent policy language, providing a flexible and precise way of configuring ISA. This module provides information about how to configure ISA control policies.
Module History
This module was first published on April 28, 2005, and last updated April 28, 2005.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for ISA Control Policies" section.
Contents
•Prerequisites for Configuring ISA Control Policies
•Restrictions for Configuring ISA Control Policies
•Information About ISA Control Policies
•How to Configure an ISA Control Policy
•Configuration Examples for ISA Control Policies
•Feature Information for ISA Control Policies
Prerequisites for Configuring ISA Control Policies
Authentication, authorization, and accounting (AAA) method lists must be configured prior to defining authentication and authorization actions.
Restrictions for Configuring ISA Control Policies
Control policies are activated for specific contexts, not directly on sessions. Control policies apply to all sessions hosted on the context.
Only one control policy map may be applied to a given context.
Control policies can only be defined through CLI.
Not all actions may be associated with all events.
A new control class may not be inserted between existing control classes once a control policy map has been defined.
Information About ISA Control Policies
Before you configure ISA control policies, you should understand the following concepts:
Control Policies
Control policies define the actions that the system will take in response to specified events and conditions. For example, a control policy can be configured to authenticate specific subscribers and then provide them with access to specific services.
A control policy is made of one or more control policy rules. A control policy rule is an association of a control class and one or more actions. The control class defines the conditions that must be met before the actions will be executed.
There are three steps involved in defining a control policy:
1. Create one or more control class maps.
A control class map specifies the conditions that must be met for a policy to be activated, and, optionally, the event that causes the class to be evaluated. A control class map may contain multiple conditions, each of which will evaluate to either true or false. Match directives can be used to specify whether all, any, or none of the individual conditions must evaluate true in order for the class to evaluate true.
2. Create a control policy map.
A control policy map contains one or more control policy rules. A control policy rule associates a control class map with one or more actions. Actions are numbered and executed sequentially.
3. Apply the control policy map.
A control policy map is activated by applying it to a context. A control policy map can be applied to one or more of the following types of contexts:
•Global
•Interface
•Subinterface
•Virtual template
•Virtual circuit (VC) class
•Permanent virtual circuit (PVC)
In general, a control policy map applied to a more specific context takes precedence over a control policy map applied to a more general context. The list above runs from the most general context (global) to the most specific (PVC). For example, a control policy map that is applied to a PVC takes precedence over a control policy map that is applied to the interface hosting that PVC.
Note Traffic policies are another type of policy used by ISA. Traffic policies define the handling of data packets and are configured in service policy maps or service profiles. For more information about traffic policies, see the "Configuring ISA Subscriber Services" module.
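To make the match directives (match-all, match-any, match-none, including a class nested inside another class) and the context precedence rule concrete, the following Python model is added here as an example. It is not Cisco code and is not part of this module: a session is represented as a plain dict of identity attributes, and the attribute names media, nas_port_type, nas_port_slot and unauthenticated_domain are this example's own shorthand for the identifiers the match commands test. It builds the MATCHING-USERS/NOT-ATM class pair that appears in the configuration examples later in this module, plus a hypothetical match-any class named KNOWN-DOMAINS.

```python
"""Model of ISA control class-map evaluation and context precedence.

Added example, not Cisco code. Session attribute names are this example's
own shorthand for the identifiers tested by the 'match' commands.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

Session = Dict[str, object]
Condition = Callable[[Session], bool]


@dataclass
class ControlClass:
    """class-map type control {match-all | match-any | match-none} name"""
    name: str
    mode: str
    # Each entry is either one 'match ...' line or a nested control class.
    conditions: List[Union[Condition, "ControlClass"]] = field(default_factory=list)

    def evaluate(self, session: Session) -> bool:
        results = [c.evaluate(session) if isinstance(c, ControlClass) else c(session)
                   for c in self.conditions]
        if self.mode == "match-all":
            return all(results)          # every line (and nested class) true
        if self.mode == "match-any":
            return any(results)          # at least one line true
        if self.mode == "match-none":
            return not any(results)      # every line false
        raise ValueError(f"unknown match directive: {self.mode}")


def match(attr: str, value: object) -> Condition:
    """A 'match <identifier> <value>' line: exact comparison of one attribute."""
    return lambda s: s.get(attr) == value


def match_nas_port(port_type: str, slot: int) -> Condition:
    """'match nas-port type <type> slot <n>': both fields must agree."""
    return lambda s: s.get("nas_port_type") == port_type and s.get("nas_port_slot") == slot


# The NOT-ATM / MATCHING-USERS pair from this module's examples:
# NOT-ATM is true only when the session did NOT arrive over ATM.
NOT_ATM = ControlClass("NOT-ATM", "match-none", [match("media", "atm")])
MATCHING_USERS = ControlClass("MATCHING-USERS", "match-all",
                              [NOT_ATM, match("media", "ether"), match_nas_port("ether", 3)])

# Hypothetical match-any class (assumption, not from the module): either domain.
KNOWN_DOMAINS = ControlClass("KNOWN-DOMAINS", "match-any",
                             [match("unauthenticated_domain", "xyz.com"),
                              match("unauthenticated_domain", "def.com")])

# Context types in the order the module lists them: most general first.
CONTEXT_TYPES = ["global", "interface", "subinterface", "virtual-template", "vc-class", "pvc"]


def effective_policy(applied: Dict[str, str]) -> Optional[str]:
    """applied maps context type -> policy-map name for every context a session
    is hosted on. The most specific context wins (pvc over interface over global)."""
    for ctx in reversed(CONTEXT_TYPES):
        if ctx in applied:
            return applied[ctx]
    return None
```

The nested class is evaluated exactly like a match line: NOT-ATM contributes a single true/false to the enclosing match-all, which is why a match-none class is the idiom for "this subscriber must not have come in over ATM". effective_policy returns only the winning map; a session never accumulates rules from several contexts.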
Uses of Control Policies
Use control policies to configure ISA to perform specific actions in response to specific events and conditions. For example, control policies could be used for the following purposes:
•To activate a default service when a subscriber session is first detected
•To sequence the gleaning of subscriber identity, where a control protocol exists on the access side
•To determine how the system responds to an idle timeout or to a subscriber who has run out of credit
•To enable transparent autologon, which enables authorization on the basis of an IP address or MAC address
•To configure the maximum amount of time a session can remain unauthenticated
•To send periodic session state information to other devices
How to Configure an ISA Control Policy
Perform the following tasks to configure an ISA control policy:
•Configuring a Control Class Map (required)
•Configuring a Control Policy Map (required)
•Applying the Control Policy Map (required)
•Monitoring and Maintaining ISA Control Policies (optional)
Configuring a Control Class Map
A control class map contains conditions that must be met for a control policy to be executed. A control class map can contain one or more conditions. Perform this task to configure a control class map.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type control {match-all | match-any | match-none} class-map-name
4. available {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}
5. greater-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
6. greater-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
7. less-than [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
8. less-than-or-equal [not] nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type interface-type | vci vci-number | vlan vlan-id | vpi vpi-number}
9. match authen-status {authenticated | unauthenticated}
10. match authenticated-domain {domain-name | regexp regular-expression}
11. match authenticated-username {username | regexp regular-expression}
12. match dnis {dnis | regexp regular-expression}
13. match media {async | atm | ether | ip | isdn | mpls | serial}
14. match mlp-negotiated {no | yes}
15. match nas-port {adapter adapter-number | channel channel-number | ipaddr ip-address | port port-number | shelf shelf-number | slot slot-number | sub-interface sub-interface-number | type {async | atm | basic-rate | enm | ether | fxo | fxs | none | primary-rate | synch | vlan | vty} | vci vci-number | vlan vlan-id | vpi vpi-number}
16. match no-username {no | yes}
17. match protocol {atom | ip | pdsn | ppp | vpdn}
18. match service-name {service-name | regexp regular-expression}
19. match source-ip-address ip-address subnet-mask
20. match timer {timer-name | regexp regular-expression}
21. match tunnel-name {tunnel-name | regexp regular-expression}
22. match unauthenticated-domain {domain-name | regexp regular-expression}
23. match unauthenticated-username {username | regexp regular-expression}
DETAILED STEPS
Configuring a Control Policy Map
A control policy map contains one or more control policy rules, which associate a control class with one or more actions. Perform this task to configure a control policy map.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type control policy-map-name
4. class type control {control-class-name | always} [event {account-logon | credit-exhausted | quota-depleted | service-start | service-stop | session-default-service | session-service-found | session-start | timed-policy-expiry}]
5. action-number authenticate aaa list list-name
6. action-number authorize [aaa list list-name] [password password] [upon network-service-found {continue | stop}] identifier {authenticated-domain | authenticated-username | dnis | mac-address | nas-port | source-ip-address | tunnel-name | unauthenticated-domain | unauthenticated-username}
7. action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}
8. action-number if upon network-service-found {continue | stop}
9. action-number service [disconnect | local | vpdn]
10. action-number service-policy type control policy-map-name
11. action-number service-policy type service [unapply] [aaa list list-name service] {name service-name | identifier {authenticated-domain | authenticated-username | dnis | nas-port | tunnel-name | unauthenticated-domain | unauthenticated-username}}
12. action-number set-timer name-of-timer minutes
DETAILED STEPS
Applying the Control Policy Map
A control policy map must be activated by applying it to a context. Perform one or more of the following tasks to apply a control policy to a context:
•Applying a Control Policy Map Globally on the Router
•Applying a Control Policy Map to an Interface or Subinterface
•Applying a Control Policy Map to a Virtual Template
•Applying a Control Policy Map to an ATM VC Class
•Applying a Control Policy Map to an ATM PVC
Applying a Control Policy Map Globally on the Router
Perform this task to apply a control policy globally.
SUMMARY STEPS
1. enable
2. configure terminal
3. service-policy type control policy-map-name
DETAILED STEPS
Applying a Control Policy Map to an Interface or Subinterface
Perform this task to apply an ISA control policy to an interface or subinterface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. service-policy type control policy-map-name
DETAILED STEPS
Applying a Control Policy Map to a Virtual Template
Perform this task to apply an ISA control policy map to a virtual template.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number
4. service-policy type control policy-map-name
DETAILED STEPS
Applying a Control Policy Map to an ATM VC Class
A VC class is a set of preconfigured VC parameters that are configured and applied to a particular VC or ATM interface. Perform this task to apply an ISA control policy map to an ATM VC class.
SUMMARY STEPS
1. enable
2. configure terminal
3. vc-class atm vc-class-name
4. service-policy type control policy-map-name
DETAILED STEPS
Applying a Control Policy Map to an ATM PVC
Perform this task to apply an ISA control policy to an ATM PVC.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface atm interface-number[.subinterface-number {mpls | multipoint | point-to-point}]
4. pvc vpi/vci
5. service-policy type control policy-map-name
DETAILED STEPS
Monitoring and Maintaining ISA Control Policies
Optionally, you can perform this task to monitor and maintain ISA control policy operation. Steps can be performed in any order.
SUMMARY STEPS
1. enable
2. show class-map type control
3. show policy-map type control
4. clear class-map type control
5. clear policy-map type control
DETAILED STEPS
Configuration Examples for ISA Control Policies
This section contains the following examples of ISA control policies:
•Control Policy for Layer 2 Access and Service Provisioning: Example
•Control Policy Restricting Access on the Basis of Interface and Access Media: Example
•Control Policy for ISA Prepaid Billing Support: Example
•Control Policies for ISA Transparent Autologon: Example
Control Policy for Layer 2 Access and Service Provisioning: Example
The following example shows how to configure a control policy that produces the following results:
•VPDN forwarding is applied to anyone dialing in from "xyz.com".
•Access to locally terminated Layer 3 network resources is provided to anyone dialing in from "def.com".
•Anyone else is barred.
! Configure the control class maps.
class-map type control match-all MY-FORWARDED-USERS
 match unauthenticated-domain "xyz.com"
!
class-map type control match-all MY-LOCAL-USERS
 match unauthenticated-domain "def.com"
!
! Configure the control policy map.
policy-map type control MY-POLICY
 class type control MY-FORWARDED-USERS event session-start
  1 service-policy type service identifier nas-port
  2 service local
 !
 class type control MY-LOCAL-USERS event session-start
  1 service local
 !
 class type control always event session-start
  2 service disconnect
!
! Apply the control policy to the dialer interface.
interface Dialer1
 service-policy type control MY-POLICY

Control Policy Restricting Access on the Basis of Interface and Access Media: Example
This example shows how to configure a control policy to allow access only to users who enter the router from a particular interface and access type. In this case, only PPPoE users will be allowed; everyone else gets barred.
The class map, "MATCHING-USERS", will evaluate true only if all of the lines within it also evaluate true; however, within "MATCHING-USERS" is a nested class map, "NOT-ATM". This nested class map represents a subcondition that must also evaluate to true. Note that the class map "NOT-ATM" specifies "match-none". This means that "NOT-ATM" evaluates to true only if each and every condition line within it evaluates to false.
The third condition specifies matching on the NAS port associated with this subscriber. Specifically, only subscribers that arrive on an Ethernet interface and on slot 3 will evaluate to true.
! Configure the control class maps.
class-map type control match-all MATCHING-USERS
 class type control NOT-ATM
 match media ether
 match nas-port type ether slot 3
!
class-map type control match-none NOT-ATM
 match media atm
!

If the conditions in the class map "MATCHING-USERS" evaluate to true, the first action to be executed is to authenticate the user. If authentication is successful, the service named "gold" will be downloaded and applied. Finally, a Layer 3 service is provided.
If "MATCHING-USERS" is not evaluated as true, the "always" class will apply, which results in barring anyone who does not match "MATCHING-USERS".
! Configure the control policy map.
policy-map type control my-pppoe-rule
 class type control MATCHING-USERS event session-start
  1 authenticate aaa list XYZ
  2 service-policy type service gold
  3 service local
 !
 class type control always
  1 service disconnect
!

Finally, the policy is associated with an interface.

! Apply the control policy to an interface.
interface ethernet3/0
 service-policy type control my-pppoe-rule
Control Policy for ISA Prepaid Billing Support: Example
The following example shows a control policy configured to redirect subscriber packets to the server group "redirect-sg" when the credit-exhausted event occurs:
! Apply the control policy globally.
service-policy type control RULEA
!
policy-map type control RULEA
 class type control always event credit-exhausted
  1 service-policy type service redirectprofile
!
policy-map type service redirectprofile
 class type traffic CLASS-ALL
  redirect to group redirect-sg
!
policy-map type service mp3
 class type traffic CLASS-ACL-101
  authentication method-list cp-mlist
  accounting method-list cp-mlist
  prepaid conf-prepaid
!
subscriber feature prepaid conf-prepaid
 threshold time 20
 threshold volume 0
 method-list accounting ap-mlist
 method-list authorization default
 password cisco

Control Policies for ISA Transparent Autologon: Example
In the following example, if the client is from the 1.1.1.0 subnet, ISA transparent autologon is applied and an authorization request is sent to the list TAL_LIST with the subscriber's source IP address as the username. If the authorization request is successful, any automatic-activation services specified in the returned user profile are activated for the session and the execution of rules within the control policy stops. If the authorization is not successful, rule execution proceeds, and the subscriber is redirected to the policy server to log in. If the subscriber does not log in within five minutes, the session is disconnected.
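The sequence just described, modelled in Python as an added example that is not Cisco code and not part of this module (the IOS configuration itself follows the block). The class-map conditions are reduced to plain predicates, the RADIUS server behind TAL_LIST is a constructed in-memory table keyed by source IP in which only 1.1.1.10 is known, and "rule execution stops after a successful authorization" is taken from the prose description of the example rather than from a keyword in the listing. The model also shows the first-match rule: for a given event the rules are tried in order and only the first class that matches has its actions executed, which is what lets an "always" class at the end of a policy act as the default.

```python
"""Event-driven model of the transparent autologon control policy.

Added example, not Cisco code. TAL_LIST is a constructed stand-in for the
RADIUS server; predicates stand in for the class maps; the "stop after a
successful authorization" behaviour follows the module's prose description.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import ipaddress

# Constructed AAA table (assumption): source IP -> user profile.
TAL_LIST: Dict[str, dict] = {"1.1.1.10": {"auto_services": ["internet"]}}


@dataclass
class Session:
    source_ip: str
    authenticated: bool = False
    services: List[str] = field(default_factory=list)
    redirected_to: Optional[str] = None
    timers: Dict[str, int] = field(default_factory=dict)   # name -> minutes
    expired_timer: Optional[str] = None
    disconnected: bool = False


Action = Callable[[Session], Optional[str]]   # returns "stop" to end the rule


@dataclass
class Rule:
    class_name: str
    event: str
    condition: Callable[[Session], bool]
    actions: List[Tuple[int, Action]]         # numbered, executed in order


def fire(rules: List[Rule], session: Session, event: str) -> Optional[str]:
    """Try the rules for one event in order; the first matching class wins.
    Returns the name of the class whose actions ran, or None."""
    for rule in rules:
        if rule.event != event or not rule.condition(session):
            continue
        for _number, action in sorted(rule.actions, key=lambda a: a[0]):
            if action(session) == "stop":
                break
        return rule.class_name
    return None


def authorize_by_source_ip(session: Session) -> Optional[str]:
    """1 authorize aaa list TAL_LIST password cisco identifier source-ip-address"""
    profile = TAL_LIST.get(session.source_ip)
    if profile is None:
        return None                  # not known: fall through to action 2
    session.authenticated = True
    session.services.extend(profile["auto_services"])
    return "stop"                    # per the description, rule execution stops


def apply_redirect(session: Session) -> Optional[str]:
    """2 apply aaa list LOCAL service redirectprofile (redirect to 10.0.0.148:8080)"""
    session.redirected_to = "10.0.0.148:8080"
    return None


def set_timer_b(session: Session) -> Optional[str]:
    """3 set-timer TIMERB 5 minutes"""
    session.timers["TIMERB"] = 5
    return None


def disconnect(session: Session) -> Optional[str]:
    """1 service disconnect"""
    session.disconnected = True
    return None


SUBNET = ipaddress.ip_network("1.1.1.0/24")


def cond_a(session: Session) -> bool:
    """CONDA: match source-ip-address 1.1.1.0 255.255.255.0"""
    return ipaddress.ip_address(session.source_ip) in SUBNET


def cond_f(session: Session) -> bool:
    """CONDF (match-all): match timer TIMERB, match authen-status unauthenticated"""
    return session.expired_timer == "TIMERB" and not session.authenticated


RULEA: List[Rule] = [
    Rule("CONDA", "session-start", cond_a,
         [(1, authorize_by_source_ip), (2, apply_redirect), (3, set_timer_b)]),
    Rule("CONDF", "timed-policy-expiry", cond_f, [(1, disconnect)]),
]


def expire_timer(session: Session, name: str) -> None:
    """Simulate the timer running out, which raises timed-policy-expiry."""
    if session.timers.pop(name, None) is not None:
        session.expired_timer = name
        fire(RULEA, session, "timed-policy-expiry")


def simulate(source_ip: str, logs_in_before_expiry: bool) -> Session:
    """Drive one session from session-start through the five-minute timer."""
    s = Session(source_ip)
    fire(RULEA, s, "session-start")
    if logs_in_before_expiry and not s.authenticated:
        s.authenticated = True       # subscriber logged in at the policy server
    expire_timer(s, "TIMERB")
    return s
```

Two points the model makes visible. CONDF requires both the expired timer and authen-status unauthenticated; without the second line the timer would also disconnect subscribers who logged in at the portal in time. And RULEA has no "always" class, so a session whose source address is outside 1.1.1.0/24 matches nothing on session-start: it is neither autologged-on, redirected, nor disconnected, and stays up without any policy having been applied. If that is not intended, a final "class type control always" rule (as in the earlier examples) closes the gap.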
interface Ethernet0/0
 service-policy type control RULEA
!
aaa authentication login TAL_LIST group radius
aaa authentication login LOCAL local
!
access-list 100 permit ip any any
!
class-map type traffic match-any all-traffic
 match access-group input 100
 match access-group output 100
!
policy-map type service redirectprofile
 class type traffic all-traffic
  redirect to ip 10.0.0.148 port 8080
!
class-map type control match-all CONDA
 match source-ip-address 1.1.1.0 255.255.255.0
!
class-map type control match-all CONDF
 match timer TIMERB
 match authen-status unauthenticated
!
policy-map type control RULEA
 class type control CONDA event session-start
  1 authorize aaa list TAL_LIST password cisco identifier source-ip-address
  2 apply aaa list LOCAL service redirectprofile
  3 set-timer TIMERB 5 minutes
 class type control CONDF event timed-policy-expiry
  1 service disconnect

Additional References
The following sections provide references related to ISA control policies.
Related Documents
Related Topic: ISA commands
Document Title: Cisco IOS Intelligent Service Architecture Command Reference
Feature Information for ISA Control Policies
Table 3 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(27)SBA or later appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.
If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Architecture Features Roadmap"
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 3 Feature Information for ISA Control Policies
Feature Name: ISA: Policy Control: Policy: Domain Based (Auto-domain, Proxy)
Releases: 12.2(27)SBA
Feature Configuration Information: ISA control policies manage the primary services and rules used to enforce particular contracts. These policies include programmable interfaces to dynamic triggers and conditional logic to be applied to flows within a session, or to other characteristics of a session, upon meeting the policy criteria. Policies can be configured to interpret the domain as a request to activate the service associated with that domain name, allowing users to automatically receive services in accordance with the domain to which they are attempting to connect.
The following sections provide more information about this feature:
•Information About ISA Control Policies

Feature Name: ISA: Policy Control: Policy: Triggers (Time, Volume, Duration)
Releases: 12.2(27)SBA
Feature Configuration Information: ISA control policies can be configured with time-based, volume-based, and duration-based policy triggers. Time-based triggers use an internal clock, allowing policies to be applied at specific times. Volume-based triggers are based on packet count; when the packet count reaches a specified value, the specified policy is applied. Duration-based triggers are based on an internal timer. Upon expiration of the timer, the specified policy is applied.
The following sections provide more information about this feature:
•Information About ISA Control Policies

Feature Name: ISA: Policy Control: Multidimensional Identity per Session
Releases: 12.2(27)SBA
Feature Configuration Information: ISA control policies provide a flexible way to collect pieces of subscriber identity during session establishment. Control policies also allow session policy to be applied iteratively as more elements of identity become available to the system.
The following sections provide more information about this feature:
•Information About ISA Control Policies

Feature Name: ISA: Policy Control: Cisco Policy Language
Releases: 12.2(27)SBA
Feature Configuration Information: ISA control policies are a structured replacement for feature-specific configuration commands and allow configurable functionality to be expressed in terms of an event, a condition, and an action. Control policies provide an intuitive and extensible framework, with a consistent set of CLI commands, for specifying system behavior. The ISA policy language is aligned with the Cisco Common Classification Policy Language (C3PL).
The following sections provide more information about this feature:
•Information About ISA Control Policies
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
This module first published April 28, 2005. Last updated April 28, 2005.