Configuring ISA Layer 3 Access
Available Languages
Table Of Contents
Configuring ISA Layer 3 Access
Restrictions for Configuring Layer 3 Access
Information About ISA Layer 3 Access
Supported Types of Layer 3 Sessions
Default Services for IP Sessions
How to Configure ISA Layer 3 Access
Creating an IP Interface Session
Creating IP Subscriber Sessions
Configuring Layer 4 Redirect for Unauthenticated Subscribers
Unauthenticated Layer 4 Redirect
Configuring L4 Redirection in a Service Policy Map
Configuring a Control Policy for Unauthenticated Layer 4 Redirect
Configuring ISA Port-Bundle Host Key
Overview of ISA Port-Bundle Host Key
Port Bundle Host Key Mechanism
Benefits of ISA Port-Bundle Host Key
Prerequisites for the ISA Port-Bundle Host Key Feature
Restrictions for the ISA Port-Bundle Host Key Feature
Enabling the ISA Port-Bundle Host Key Feature in a Service Policy Map
Enabling the ISA Port-Bundle Host Key Feature in a User or Service Profile on the AAA Server
Configuring Port-Bundle Host Key Parameters
Verifying ISA Port-Bundle Host Key Configuration
Configuring ISA Transparent Autologon
Prerequisites for ISA Transparent Autologon
Identifying Traffic for ISA Transparent Autologon in a Control Policy Class Map
Configuring a Control Policy for ISA Transparent Autologon
Configuration Examples for ISA Layer 3 Access
ISA IP Interface Session Configuration: Example
ISA IP Subscriber Session Configuration: Example
Unauthenticated Layer 4 Redirect: Example
ISA Port-Bundle Host Key Configuration: Example
ISA Transparent Autologon Configuration: Example
Feature Information for Configuring ISA Layer 3 Access
Configuring ISA Layer 3 Access
The Intelligent Service Architecture (ISA) is a core set of Cisco IOS components that provide a structured framework in which edge access devices can deliver flexible and scalable services to subscribers. A Cisco device that is running a Cisco IOS image with ISA is called an Intelligent Service Gateway (ISG). This module contains information on how to configure ISA to bring up IP interface sessions, IP sessions based on source IP address, and IP subnet sessions. This module also describes how to configure policies for identifying and authorizing IP sessions; specifically, Layer 4 redirection for unauthenticated subscribers, port-bundle host key functionality, and transparent autologon.
Module History
This module was first published on April 11, 2005, and was last updated April 11, 2005.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for Configuring ISA Layer 3 Access" section.
Contents
•
Restrictions for Configuring Layer 3 Access
•
•
•
•
Restrictions for Configuring Layer 3 Access
Overlapping static IP subscribers are not supported.
Overlapping IP subscribers in different virtual routing and forwarding instances (VRFs) are not supported on the same interface.
IP interface sessions can be created only through static command-line interface (CLI) provisioning.
Information About ISA Layer 3 Access
Before you configure ISA Layer 3 access, you should understand the following concepts:
•
•
Supported Types of Layer 3 Sessions
ISA supports three types of layer 3 sessions:
•
•
•
IP Interface Sessions
An IP interface session includes all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the CLI; that is, a session is created when the IP interface session commands are entered.
IP interface sessions might be used in situations in which a subscriber is represented by an interface (with the exception of PPP) and communicates using more than one IP address. For example, a subscriber using routed bridge encapsulation (RBE) access might have a dedicated ATM virtual circuit (VC) to home customer premises equipment (CPE) that is hosting multiple PCs.
IP Sessions
An IP session includes all the traffic that is associated with a single subscriber IP address. If the IP address is not unique to the system, other distinguishing characteristics such as VRF or MAC address form part of the identity of the session. An ISG can be configured to create IP sessions upon receipt of Dynamic Host Configuration Protocol (DHCP) packets and unknown IP source addresses. See the "IP Session Creation" section for more information.
IP sessions may be hosted for a connected subscriber device (one routing hop from the ISG) or one that is multiple hops from the gateway.
IP Subnet Sessions
An IP subnet session represents all the traffic that is associated with a single IP subnet. IP subnet sessions are used to apply uniform edge processing to packets associated with a particular IP subnet.
Like an IP session, an IP subnet session may be hosted whether it is directly connected or it is multiple hops from the gateway.
IP subnet sessions are created the same way as IP sessions, except that when a subscriber is authorized or authenticated and the Framed-IP-Netmask attribute is present in the user or service profile, the ISG converts the source-IP-based session into a subnet session with the subnet value in the Framed-IP-Netmask attribute.
Note
IP Session Creation
The following events may be used to signal the start of an IP session or IP subnet session:
•
If the following conditions are met, receipt of a DHCP Discover packet will trigger the creation of an IP session:
–
–
–
•
In the absence of a DHCP DISCOVER packet, a new IP session is triggered by the appearance of an IP packet with an unrecognized source IP address.
IP Session Termination
An IP session may be terminated in one of the following ways:
•
If DHCP is used to detect a new session, its departure may also be signaled by a DHCP event.
•
An application command that is used to terminate the session. The application stop command is typically used to terminate the session when a subscriber initiates an account logoff from a Web portal. An application stop may also result from the actions of an administrator, such as action taken in response to rogue behaviour from a subscriber.
•
Idle timeouts and session timeouts can be used to detect or impose termination of an IP session.
Default Services for IP Sessions
Newly created IP sessions may require a default service to allow subsequent subscriber packets to be processed appropriately; for example, to permit or force TCP packets to a captive portal where menu-driven authentication and service selection can be performed. A default service policy map or service profile may be configured for IP sessions to redirect traffic, enable port-bundle host-key functionality for session identification, or enable transparent autologon. A default service would also likely include a network service, typically a VRF, so that subscriber packets may be routed or forwarded.
How to Configure ISA Layer 3 Access
The first task is required to configure ISA Layer 3 access. The last three tasks are optional and configure policies for the identification and authorization of IP sessions.
•
•
•
Bringing Up Layer 3 Sessions
An ISG creates IP sessions for IP traffic on subscriber-side interfaces. The following tasks enable IP sessions on the interface and indicate how a session will be identified. Perform one or both of the following tasks to bring up Layer 3 ISA sessions:
•
•
Creating an IP Interface Session
An ISA IP interface session encompasses all IP packets that cross the specified interface or subinterface. Perform this task to create an ISA IP interface session.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Creating IP Subscriber Sessions
Perform this task to enable ISA to create an IP session or IP subnet session when it receives a DHCP DISCOVER packet or an IP packet from an unrecognized source IP address.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Configuring Layer 4 Redirect for Unauthenticated Subscribers
Before you configure Layer 4 redirect for unauthenticated subscribers, you should understand the following concept:
•
Note
Perform the following tasks to configure Layer 4 redirect for unauthenticated subscribers:
•
•
Unauthenticated Layer 4 Redirect
The ISA Layer 4 Redirect feature redirects specified TCP or User Datagram Protocol (UDP) packets to servers that have been configured to handle the packets in a specific manner. Unauthenticated Layer 4 redirect is one application of the ISA Layer 4 Redirect feature. Typically, unauthenticated Layer 4 redirect is configured to redirect the TCP traffic of unauthenicated subscribers to a web portal where subscribers can log in and the authentication process can begin.
Configuring L4 Redirection in a Service Policy Map
Perform this task to configure ISA Layer 4 redirection in a service policy map on the router.
The ISA Layer 4 Redirect feature can also be configured in a service profile on a AAA server. For more information about redirecting Layer 4 subscriber traffic, see the module "Redirecting ISA Subscriber Traffic."
Prerequisites
The ISA Layer 4 Redirect feature is configured under a traffic class within the service policy map. This task assumes that you have defined the traffic class map. See the module "Configuring ISA Subscriber Services" for more information.
Traffic can be redirected to a server or server group. If you are redirecting traffic to a server group, this task assumes that the server group has been configured. See the module "Redirecting ISA Subscriber Traffic" for more information about configuring server groups.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a Control Policy for Unauthenticated Layer 4 Redirect
Perform this task to configure a control policy that will apply a service configured with Layer 4 redirect at the start of every session. The service is unapplied once the subscriber has been authenticated and account logon has occurred.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
What to Do Next
You must apply the control policy to a context by using the service-policy type control command. For information about applying control policies, see the module "Configuring ISA Control Policies."
Configuring ISA Port-Bundle Host Key
Before you configure the ISA Port-Bundle Host Key feature, you should understand the following concepts:
•
•
•
•
•
Perform the following tasks to configure the ISA Port-Bundle Host Key feature:
•
•
•
•
Overview of ISA Port-Bundle Host Key
The ISA Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated. The mapping also identifies sessions uniquely even when subscribers have overlapping IP addresses. The ISA Port-Bundle Host Key feature enables a single portal to be deployed for multiple VRFs even when there are subscribers with overlapping IP addresses.
Port Bundle Host Key Mechanism
With the ISA Port-Bundle Host Key feature, an ISG performs Port-Address Translation (PAT) and Network Address Translation (NAT) on the TCP traffic between the subscriber and the portal. When a subscriber TCP connection is set up, the ISG creates a port mapping that changes the source IP address to a configured ISA IP address and changes the source TCP port to a port allocated by the ISG. The ISG assigns a bundle of ports to each subscriber because one subscriber can have several simultaneous TCP sessions when accessing a web page. The assigned port-bundle host key, or combination of port bundle and ISA source IP address, uniquely identifies each subscriber. The host key is carried in RADIUS packets sent between the portal server and the ISG in the Subscriber IP vendor-specific attribute (VSA). Table 5 describes the Subscriber IP VSA. When the portal server sends a reply to the subscriber, the ISG reverse translates the destination IP address and destination TCP port according to the translation tables.
For each TCP session between a subscriber and the portal, the ISG uses one port from the port bundle as the port map. Individual port mappings are flagged as eligible for reuse on the basis of inactivity timers, but are not explicitly removed once assigned. The number of port bundles is limited per ISA address, but , but there is no limit to the number of ISA IP addresses that can be configured for port bundle usage.
Port-Bundle Length
The port-bundle length is used to determine the number of ports in one bundle. By default, the port-bundle length is four bits. The maximum port-bundle length is ten bits. See Table 2 for available port-bundle length values and the resulting port-per-bundle and bundle-per-group values. You may want to increase the port-bundle length when you see frequent error messages about running out of ports in a port bundle.
Note
Benefits of ISA Port-Bundle Host Key
Support for Overlapped Subscriber IP Addresses Extended to Include External Portal Usage
The ISA Port-Bundle Host Key feature enables external portal access regardless of subscriber IP address or VRF membership. Without the use of port-bundle host keys, all subscribers accessing a single external portal must have unique IP addresses. Furthermore, since port-bundle host keys isolate VRF-specific addresses from the domain in which the portal resides, routing considerations are simplified.
Portal Provisioning for Subscriber and ISA IP Addresses No Longer Required
Without the ISA Port-Bundle Host Key feature, a portal must be provisioned for subscriber and ISA IP addresses before the portal is able to send RADIUS packets to the ISG or send HTTP packets to subscribers. The ISA Port-Bundle Host Key feature eliminates the need to provision a portal in order to allow one portal server to serve multiple ISGs and to allow one ISG to be served by multiple portal servers.
Prerequisites for the ISA Port-Bundle Host Key Feature
The external portal must support port-bundle host keys and must be configured with the same port-bundle host key parameters.
Restrictions for the ISA Port-Bundle Host Key Feature
The following restrictions apply to the ISA Port-Bundle Host Key feature:
•
•
•
•
•
Enabling the ISA Port-Bundle Host Key Feature in a Service Policy Map
Perform this task to enable the ISA Port-Bundle Host Key feature in a service policy map. The ISA Port-Bundle Host Key feature will be applied to any subscriber whos uses this service policy map.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
What to Do Next
You may want to configure a method of activating the service policy map or service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISA Subscriber Services."
Enabling the ISA Port-Bundle Host Key Feature in a User or Service Profile on the AAA Server
Perform this task to enable the ISA Port-Bundle Host Key feature in a user profile or service profile on the AAA server.
SUMMARY STEPS
1.
DETAILED STEPS
What to Do Next
If you enabled the ISA Port Bundle Host Key feature in a service profile, you may want to configure a method of activating the service profile; for example, control policies can be used to activate services. For more information about methods of service activation, see the module "Configuring ISA Subscriber Services."
Configuring Port-Bundle Host Key Parameters
Perform this task to configure ISA Port-Bundle Host Key parameters and specify the interface for which ISA will reverse translate the IP address and port number for downstream traffic.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Verifying ISA Port-Bundle Host Key Configuration
Perform this task to display information about ISA port-bundle host key configuration.
SUMMARY STEPSh
1.
2.
3.
4.
DETAILED STEPS
Configuring ISA Transparent Autologon
The following prerequisites apply to ISA Transparent Autologon:
•
Before you configure ISA Transparent Autologon, you should understand the following concept:
To configure ISA Transparent Autologon, perform the following tasks:
•
•
Prerequisites for ISA Transparent Autologon
Depending on your AAA implementation, you may need to configure the IP source address or MAC address in the username field and a global address in the password field of the user profile.
ISA Transparent Autologon
Service providers commonly implement a policy at the start of IP sessions that redirects all subscriber packets to a logon portal for authenticatoin. Following successful authentication, per-subscriber authorization data is typically returned from a AAA server. For some deployments, usually in subscriber networks that are well protected against spoofing and denial-of-service (DoS) attacks, service providers are willing to forgo authentication and trust subscriber identity. The ISA Transparent Logon feature allows service providers to grant certain subscribers access to services without requiring the subscribers to log on.
ISA transparent autologon enables an IP address or MAC address to be used in place of the username in authorization requests. Enabling the AAA server to authorize subscribers on the basis of their source IP address or MAC address allows subscriber profiles to be downloaded from the AAA server as soon as packets are received from subscribers.
The event that triggers transparent autologon is session-start. For IP sessions, session-start occurs when a DHCP DISCOVER request is received or when an unrecognized source IP address is detected.
Identifying Traffic for ISA Transparent Autologon in a Control Policy Class Map
Perform this task to configure a control policy class map that specifies the traffic to which ISA transparent autologon will apply.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a Control Policy for ISA Transparent Autologon
ISA transparent autologon allows subscribers to be authorized on the basis of their source IP address or MAC address. Perform this task to configure ISA transparent autologon in a control policy.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
policy-map type control policy-map-name
Example:Router(config)# policy-map type control TAL
Creates or modifies a control policy map, which is used to define a control policy.
Step 4
class type control {class-map-name | always} event session-start
Example:Router(config-control-policymap)# class type control TAL-subscribers event session-start
Specifies a control class, which defines the conditions that must be met in order for an associated set of actions to be executed.
•
Step 5
action-number authorize [aaa list {list-name | default}] [password password] identifier {source-ip-address | mac-address}
Example:Router(config-control-policymap-class-control)# 1 authorize aaa list TAL_LIST password cisco identifier source-ip-address
Inserts the source IP address or MAC address into the username field of authorization requests.
•
What to Do Next
You must apply the control policy to a context by using the service-policy type control command. For information about applying control policies, see the module "Configuring ISA Control Policies."
You may want to configure policies to determine what should happen for transparent autologon subscribers whose IP address or MAC address authorization fails; for example, you may want to redirect the subscriber to the policy server for authentication.
Configuration Examples for ISA Layer 3 Access
This section contains the following examples:
•
•
•
•
•
•
ISA IP Interface Session Configuration: Example
The following example shows an IP interface session configured on Ethernet interface 0/0:
interface ethernet0/0ip subscriberidentifier interfaceISA IP Subscriber Session Configuration: Example
The followin example shows how to configure ISA to create IP sessions upon receipt of DHCP DISCOVER packets:
interface ethernet0/0ip subscriberinitiator dhcpUnauthenticated Layer 4 Redirect: Example
In the following example, Layer 4 redirect is configured in the service policy map "BLIND-RDT". This policy is applied to all sessions at session start and redirects subsribers TCP traffic to the server group called "PORTAL". At account logon the subscriber is authenticated and the redirection is unapplied.
Service-policy type control DEFAULT-IP-POLICYpolicy-map type control DEFAULT-IP-POLICYclass type control always event session-start1 service-policy type service BLIND-RDT!class type control always event account-logon1 authenticate aaa list AUTH-LIST2 service-policy type service unapply BLIND-RDTpolicy-map type service BLIND-RDTclass type traffic CLASS-ALLredirect to group PORTAL!redirect server-group PORTALserver ip 10.2.36.253 port 80ISA Port-Bundle Host Key Configuration: Example
The following example shows how to configure the ISA Port-Bundle Host Key feature to apply to all sessions:
policy-map type service ISGPBHKServiceip portbundle!policy-map type control PBHKRuleclass type control always event session-start1 service-policy type service ISGPBHKService!service-policy type control PBHKRuleinterface ethernet0/0ip address 10.1.1.1 255.255.255.0ip portbundle outside!ip portbundlematch access-list 101length 5source ethernet0/0ISA Transparent Autologon Configuration: Example
In the following example, if the client is from the 1.1.1.0 subnet, ISA transparent autologon is applied and an authorization request is sent to the list "TAL_LIST" with the subscriber's source IP address as the username. If the authorization request is successful, any automatic-activation services specified in the returned user profile are activated for the session and the execution of rules within the control-policy stops. If the authorization is not successful, the rule execution proceeds and the subscriber is redirected to the policy server to login. If the subscriber does not log in within five minutes, the session is disconnected.
ISA Configuration
interface Ethernet0/0service-policy type control RULEAaaa authentication login TAL_LIST group radiusaaa authentication login LOCAL localaccess-list 100 permit ip any anyclass-map type traffic match-any all-trafficmatch access-group input 100match access-group output 100policy-map type service redirectprofileclass type traffic all-trafficredirect to ip 10.0.0.148 port 8080class-map type control match-all CONDAmatch source-ip-address 1.1.1.0 255.255.255.0!class-map type control match-all CONDFmatch timer TIMERBmatch authen-status unauthenticatedpolicy-map type control RULEAclass type control CONDA event session-start1 authorize aaa list TAL_LIST password cisco identifier source-ip-address2 apply aaa list LOCAL service redirectprofile3 set-timer TIMERB 5 minutes!class type control CONDF event timed-policy-expiry1 service disconnectUser Profile Configuration
9.0.0.48 Password = "cisco"Service-Type = Outbound,Cisco:Account-Info = "AAuto-Internet;proxy-user;cisco"Service Profile Configuration
Auto-Internet Password = "cisco"Cisco:Service-Info = "IAuto-Internet",Cisco-Avpair = "traffic-class=input access-group 100"proxy-user Password = "cisco"Idle-Timeout = 5Additional References
The following sections provide references related to ISA Layer 3 access.
Related Documents
DHCP configuration
The "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Technical Assistance
Feature Information for Configuring ISA Layer 3 Access
Table 7 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(27)SBA or later appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.
If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Architecture Features Roadmap."
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 7 Feature Information for ISA Layer 3 Access
ISA:Session: Creation: IP Session: Protocol Event (DHCP)
12.2(27)SBA
Most ISA sessions are created upon detection of a data flow that cannot be affiliated with an already active session. An ISG can be configured to create an IP session upon receipt of the first DHCP DISCOVER packet received from a subscriber.
The following sections provide information about this feature:
•
ISA:Session: Creation: IP Session: Subnet and Source IP: L2
12.2(27)SBA
The ISA session is the primary component used for associating services and policies across specific data flows. An IP subnet session is an ISA session that includes any IP traffic from a single IP subnet . A source-IP-based session includes traffic from a single source IP address.
The following sections provide information about this feature:
•
ISA:Session: Creation: IP Session: Subnet and Source IP: L3
12.2(27)SBA
The ISA session is the primary component used for associating services and policies across specific data flows. An IP subnet session is an ISA session that includes any IP traffic from a single IP subnet . A source-IP-based session includes traffic from a single source IP address.
The following sections provide information about this feature:
•
ISA:Session: Creation: Interface IP Session: L2
12.2(27)SBA
ISA IP interface sessions include all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the CLI; that is, a session is created when the IP interface session commands are entered.
The following sections provide information about this feature:
•
ISA:Session: Creation: Interface IP Session: L3
12.2(27)SBA
ISA IP interface sessions include all IP traffic received on a specific physical or virtual interface. IP interface sessions are provisioned through the CLI; that is, a session is created when the IP interface session commands are entered.
The following sections provide information about this feature:
•
ISA:Session: Authorization (MAC, IP)
12.2(27)SBA
ISA transparent autologon enables an IP address or MAC address to be used in place of the username in authorization requests. Enabling the AAA server to authorize subscribers on the basis of their source IP address or MAC address allows subscriber profiles to be downloaded from the AAA server as soon as packets are received from subscribers.
The following section provides information about this feature:
ISA:Session: Auth: PBHK
12.2(27)SBA
The ISA Port-Bundle Host Key feature serves as an in-band signaling mechanism for session identification at external portals. TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated.
The following section provides information about this feature:
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
Feedback