Configuring ISG Integration with SCE
First Published: February 22, 2008
Last Updated: September 15, 2010
Intelligent Services Gateway (ISG) is a Cisco IOS and Cisco IOS XE software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. This module describes how to configure ISG and Cisco Service Control Engine (SCE) to function as a single policy enforcement point for subscriber sessions.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring ISG Integration with SCE" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Configuring ISG Integration with SCE
•Restrictions for Configuring ISG Integration with SCE
•Information About Configuring ISG Integration with SCE
•How to Configure ISG Integration with SCE
•Configuration Examples for ISG Integration with SCE
•Additional References
•Feature Information for Configuring ISG Integration with SCE
Prerequisites for Configuring ISG Integration with SCE
The following prerequisites apply to the configuration of ISG integration with SCE.
Hardware Requirements
•An ISG platform, which can be a Cisco ASR 1000 series router
•An SCE platform
•Two connections between the ISG device and the SCE:
–A control path, through which the ISG device and SCE can exchange policy information
–A data path that carries the subscriber traffic
•A policy server configured to communicate with the ISG platform. The ISG-SCE integration removes any need for a communication layer between the policy server and the SCE.
Restrictions for Configuring ISG Integration with SCE
The following restrictions apply to the integration of the ISG and an SCE:
•When an SCE policy is deactivated, the policy is removed from the session on the SCE, and the session policy reverts to the default SCE policy.
•Only one SCE policy at a time may be applied to a session. Applying additional policies will override the policy previously applied on the SCE.
This feature requires a control bus communication protocol, which runs over RADIUS and RADIUS extensions (as specified in RFC 3576), operating in two modes; PUSH and PULL.
•In PULL mode the ISG device waits for a query from the SCE.
•In PUSH mode the download of an external feature is initiated by the ISG device as soon as an external service is activated on the subscriber session.
To work with the SCE for subscriber management, the control bus protocol must do the following:
•Support pushing a session and make relevant changes to a session to the SCE.
•Allow a session, its relevant identity, and the SCE policy profile to be pulled from the ISG device by using an identity-based query.
•Support accounting events, including the following:
–Accepting SCE initiated accounting events asynchronously.
–Correlating SCE accounting data to the appropriate ISG session.
–Parsing the SCE accounting data to perform protocol translation.
The per-user IP subnet assigned to Point-to-Point Protocol (PPP) users during login is not communicated to SCE. A per-user static route is downloaded to PPP users through the framed-route RADIUS attribute during login. ISG does not send the per-user subnet address for a PPP session to SCE in the CoA provision session (ProvSess) attribute.
Information About Configuring ISG Integration with SCE
Before you configure ISG integration with SCE, you should understand the following concepts:
•Overview of ISG-SCE Integration
•ISG and SCE Roles in Subscriber Management
Overview of ISG-SCE Integration
The ISG Integration with SCE feature integrates ISG and SCE at the policy plane level so that for purposes of subscriber provisioning, ISG and SCE function as a single logical entity. The ISG device and SCE communicate to manage subscriber sessions jointly, minimizing the requirements for coordination with additional external components. ISG handles subscriber management at Layer 4 and below. SCE is primarily focused at Layer 4 and above. When ISG and SCE are configured to work together, they provide tools for these functions:
•Subscriber mapping—Subscriber awareness is distributed between ISG and the SCE. The shared subscriber session is referenced by both devices using a unique session identifier allocated by the ISG. Identity keys such as IP Address, IP Subnet, network access server (NAS) identifier, and NAS port are also associated to the session. SCE policies that should be enabled on the session are identified by their policy names.
•Subscriber policy updates—Change subscriber policies in real time.
ISG and SCE Roles in Subscriber Management
Table 1 shows the specific roles of ISG and SCE in subscriber management.
Table 1 ISG and SCE Roles in Subscriber Management
|
|
Subscriber aggregation (broadband remote access service—BRAS) Subscriber authorization or authentication Policy management Policy enforcement for •Quality of service (QoS) •Multiprotocol label switching (MPLS) virtual private network (VPN) •Redirection •Session termination •Postpaid billing |
Policy enforcement for •Application-aware services •Redirection and application-based policy management •Service security •Behavioral classification •URL caching and filtering •Value-added services •Parental controls •Usage and content billing |
ISG pushes policies (or external services) to the SCE for a given subscriber session, in the form of RADIUS change of authorization (CoA) messages. External service activation can be triggered by the policy manager component inside the ISG or by an external authentication, authorization, and accounting (AAA) server. The SCE sees the ISG as the policy manager. ISG serves as a proxy for service activation requests from the external AAA server to the SCE. The SCE sends accounting records to the ISG. The ISG, if configured to do so, serves as a proxy that sends the accounting records to an external AAA server. SCE can also query the ISG about session information for unprovisioned sessions. ISG informs SCE when a session terminates by means of a RADIUS Packet of Disconnect (PoD).
How to Configure ISG Integration with SCE
Before configuring ISG and SCE integration, verify that you have configured ISG for control and access policies, accounting, session maintenance, and network access regulation. Details on all these configurations are found in the Cisco IOS XE Intelligent Services Gateway Configuration Guide.
It is also necessary to have the SCE configured appropriately. Instructions for configuring the SCE are in the Cisco Service Control Engine (SCE) Software Configuration Guide, Release 3.1.
Perform the following tasks to configure ISG integration with SCE:
•Configuring Communication Between SCE and ISG
•Configuring SCE Connection Parameter on ISG
•Configuring Control Policy on the Policy Manager
•Configuring Services
Configuring Communication Between SCE and ISG
Communication between the SCE and the ISG device is managed by an external policy delegation (EPD) handler module in Cisco IOS software. The EPD implements the control bus on the ISG and handles all messaging between the ISG device and SCE. Details of communications between the ISG and AAA servers are found in the Cisco IOS Intelligent Services Gateway Configuration Guide. This task is necessary to establish the parameters for the communication between the ISG device and the SCE, including the following:
•Port to which CoA messages are sent from the ISG device and SCE
•Port on which ISG should receive access, accounting, and connection management requests from SCE
•Shared secret between the ISG device and SCE
To configure communication between SCE and the ISG device, enter the following commands on the ISG device.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa server radius {sesm | proxy | policy-device}
4. client ipaddress [port coa destination port] [key shared secret]
5. authentication port port number
6. accounting port port number
7. key shared secret
8. exit
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa server radius {sesm | proxy | policy-device}
Router(config)# aaa server radius policy-device |
Enters RADIUS server configuration mode and configures the RADIUS profile. |
Step 4 |
client ipaddress [port coa destination port] [key shared secret]
Router(config-locsvr-radius)# client 10.10.10.1 key cisco port 1431 |
Configures client-specific details. •The IP address identifies the destination for CoA messages. If no port is configured, the default port (3799) is used. ISG sends CoA messages to the SCE to provision, update, or deactivate a session and activate or deactivate policies. •A shared secret configured for a specific client overrides the key configured using the key shared-secret command. |
Step 5 |
authentication port port-number
Router(config-locsvr-radius)# authentication port 1433 |
Specifies the port on which the EPD handler listens for session and identity query requests from SCE. •If no port is specified, the default port (1645) is used. |
Step 6 |
accounting port port-number
Router(config-locsvr-radius)# accounting port 1435 |
Specifies the port on which the EPD handler listens for accounting and peering requests and maintenance packets from SCE. •If no port is specified, the default port (1646) is used. |
Step 7 |
key shared-secret
Router(config-locsvr-radius)# key xxxxxxxxxx |
Configures the secret shared between the EPD handler and SCE. •This key is used if no per-client shared secret is configured. |
Step 8 |
exit
Router(config-locsvr-rasius)# exit |
Exits RADIUS server configuration mode. |
Configuring SCE Connection Parameter on ISG
To configure the server connection management on either a per-server or a global basis, perform the steps in this section.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-peer address ip-address keepalive seconds
4. policy-peer keepalive seconds
5. exit
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
policy-peer address ip-address keepalive seconds
Router(config)# policy-peer address 10.10.10.1 keepalive 6 |
Configures the keepalive value, in seconds, for a specific policy defined by the given IP address. •Valid values are from 5 to 3600. •The default value is zero (0). •If the default value is in effect on the ISG device, the keepalive value proposed by the external policy device is used. |
Step 4 |
policy-peer keepalive seconds
Router(config)# policy-peer keepalive 10 |
Configures the keepalive value, in seconds, globally. •The range of valid values is from 5 to 3600. •The default value is zero (0). •If no per-server keepalive value is configured, the global value is used. •If different values are configured on the ISG device and the SCE, the lower value is used as the keepalive interval. •If neither a per-server nor a global value is configured, the default value of zero is used. |
Step 5 |
exit
Router(config)# exit |
Exits global configuration mode. |
Configuring Control Policy on the Policy Manager
To configure the policy manager to download a service, through rules configured by Cisco IOS command line interface (CLI) commands, follow the steps in this section.
Configuring Control Policy on the ISG
To configure the control policy on the ISG device, perform the steps in this section.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type control policy-map-name
4. class type control {class-map-name | always} event session-start
5. action-number service-policy type service name service-name
6. exit
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
policy-map type control policy-map-name
Router(config)# policy-map type control GOLD_POLICY |
Configures the specified policy-map on the ISG and enters policy map configuration mode. |
Step 4 |
class type control {class-map-name | always} event session-start
Router(config-control-policymap)# class type control always event acct-notification |
Specifies to apply actions matching conditions defined by the class-map-name or always for an event type. •Event types include the following: account-logoff, account-logon, acct-notification, credit-exhausted, quota-depleted, service-failed, service-start, service-stop, session-default-service, session-restart, session-service-found, session-start, and timed-policy-expiry. |
Step 5 |
action-number service-policy type service name service-name
Router(config-control-policymap)# 1 service-policy type service name sce-service |
Defines the list of actions to be performed when the control policy is matched. |
Step 6 |
exit
Router(config-control-policymap)# exit |
Exits policy map configuration mode. |
Configuring Auto Service on the AAA Server
To download a service to the ISG by means of auto service, perform the steps in this section.
SUMMARY STEPS
1. Cisco-Avpair="subscriber: auto-logon-service=sce-service"
DETAILED STEPS
Step 1 Cisco-Avpair="subscriber: auto-logon-service=sce-service"
Downloads a service name from the SCE to the ISG device.
Configuring Services
To configure services, perform the steps in this section. You can configure this feature either on the ISG device, using the Cisco IOS command line interface (CLI) commands, or on the AAA server.
Configuring Services on ISG
To configure a service containing accounting features and to activate an external policy on the SCE device, follow the steps in this section.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type service service-map-name
4. class-map type traffic class-map-name
5. accounting aaa list listname
6. sg-service-type external-policy
7. policy-name name
8. service-monitor enable
9. exit
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
policy-map type service service-map-name
Router(config-traffic-classmap)# policy-map type service SVC |
Creates a service and enters traffic class map configuration mode. |
Step 4 |
class-map type traffic class-map-name
Router(config-control-policymap-class-control)# class-map type traffic bar |
Defines a traffic class and enters control policy-map class configuration mode. |
Step 5 |
accounting aaa list listname
Router(config-service-policymap)# accounting aaa list list1 |
Configures accounting for ISG and enters service policy map configuration mode. |
Step 6 |
sg-service-type external-policy
Router(config-control-policymap)# sg-service-type external-policy |
Defines the service as an external policy and enters policy map configuration mode. |
Step 7 |
policy-name name
Router(config-control-policymap)# policy-name gold
|
Defines a corresponding external policy name on the SCE. |
Step 8 |
service-monitor enable
Router(config-control-policymap)# service-monitor enable
|
Enables service monitoring for the external policy device. |
Step 9 |
exit
Router(config-pol-map)# exit |
Exits policy map configuration mode. |
Configuring Services on the AAA Server
To configure a service on the external AAA server, perform the steps in this section.
SUMMARY STEPS
1. Cisco:Avpair="subscriber:sg-service-type=external-policy"
2. Cisco:Avpair="subscriber:policy-name=gold"
3. Cisco:Avpair="subscriber:service-monitor=1"
4. Cisco:Avpair="accounting-list=list1"
DETAILED STEPS
Step 1 Cisco:Avpair="subscriber:sg-service-type=external-policy"
Defines the service as an external policy.
Step 2 Cisco:Avpair="subscriber:policy-name=gold"
Defines a corresponding external policy name on the ISG.
Step 3 Cisco:Avpair="subscriber:service-monitor=1"
Enables service monitoring for the external policy device.
Step 4 Cisco:Avpair="accounting-list=list1"
Configures accounting for ISG.
Troubleshooting Tips
The following command can be used to troubleshoot the integration of ISG with SCE:
•show subscriber policy peer {address ip-address | handle connection-handle | id | all}
Examples
This section contains sample output of the show subscriber policy peer command.
show subscriber policy peer all
The following example shows sample output of the command when the all keyword is used.
Router# show subscriber policy peer all
Negotiated keepalive: 1000
Time since last keepalive: 00:00:14
Remove owner on pull: TRUE
show subscriber policy peer all detail
The following example shows sample output for the show subscriber policy peer command when the detail keyword is added.
Router# show subscriber policy peer all detail
Negotiated keepalive: 1000
Time since last keepalive: 00:04:00
Remove owner on pull: TRUE
Associated session details:
12.134.4.5session_guid_str
12.34.4.5session_guid_str
Configuration Examples for ISG Integration with SCE
This section contains the following examples:
•ISG Control Bus Configuration: Example
•ISG Integration with SCE: Example
•SCE Control Bus Configuration: Examples
ISG Control Bus Configuration: Example
The following example shows how to configure the ISG control bus with the SCE management IP address and shared authentication key:
aaa server radius policy-device
message-authenticator ignore
policy-peer address 10.10.10.10 keepalive 60
interface GigabitEthernet5/1/1
ip address 10.10.10.1 255.255.255.0
ISG Integration with SCE: Example
The following example shows how to configure two SCEs, each with the same authentication and accounting ports. ISG handles CoA messages on port 1700 for one SCE and on default port 3799 for the other SCE. Peering is maintained for each SCE with the ISG via different keepalive intervals.
When a user session starts, POLICY-LOCAL is applied. If the user's profile at the AAA server has auto-logon, the session will begin using the SCE-SERVICE-LOCAL service. This service has the SCE service-monitor facility enabled. If the user profile does not specify auto-logon to the SCE-SERVICE-LOCAL service, SCE will use its default values for the policy-name argument and the service-monitor command, which are configured at the SCE.
aaa accounting network service_acct start-stop group radius
aaa accounting network session_acct start-stop group radius
aaa server radius policy-device
message-authenticator ignore
client 10.10.10.1 port 1341 key cisco
class-map type traffic match-any bar
match access-group input 102
access-list 102 permit ip any any
policy-map type service sce_service
accounting aaa list service_acct
sg-service-type external-policy
policy-map type control sce_policy
class type control always event session-start
1 service-policy type service sce_service
class type control always event acct-notification
1 proxy aaa list session_acct
SCE Control Bus Configuration: Examples
SCE Control Bus Setup Configured in PUSH Mode
The following example shows how to configure the SCE control bus in PUSH mode:
scmp name ISG radius 10.10.10.2 secret cisco auth 1433 acct 1435
scmp subscriber send-session-start
subscriber anonymous-group name all IP-range
192.168.12.0:0xffffff00 scmp name ISG
SCE Control Bus Setup Configured in PULL Mode
The following example shows how to configure the SCE control bus in PULL mode:
scmp name ISG radius 10.10.10.2 secret cisco auth 1433 acct 1435
subscriber anaonymous-group name all IP-range
192.168.12.0:0xffffff00 scmp name ISG
Additional References
The following sections provide references related to ISG accounting.
Related Documents
Technical Assistance
|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
http://www.cisco.com/techsupport |
Feature Information for Configuring ISG Integration with SCE
Table 2 lists the features in this module and provides links to specific configuration information. For information about a feature in this technology that is not documented here, see the "Intelligent Services Gateway Features Roadmap."
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 2 list only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
Table 2 Feature Information for ISG Integration with SCE
|
|
|
ISG: Policy Control: ISG-SCE Control Bus |
Cisco IOS XE Release 2.2 |
ISG accounting provides the means to bill for account or service usage. ISG accounting uses the RADIUS protocol to facilitate interaction between ISG and an external RADIUS-based AAA or mediation server. The following sections provide information about this feature: •Information About Configuring ISG Integration with SCE •How to Configure ISG Integration with SCE The following commands were introduced or modified: aaa server radius policy-device, class type control, clear subscriber policy peer, clear subscriber policy peer session, policy-name, policy peer, proxy (ISG RADIUS proxy), service-monitor, sg-service-type external policy, show subscriber policy peer. |
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.