Table Of Contents
Overview of SSG
Contents
Prerequisites for SSG
Restrictions for SSG
Information About SSG
Overview of Cisco's Subscriber Edge Services Solution
Benefits of Using SSG
Components of a Subscriber Edge Services Solution
SSG
SESM
AAA Server
Services
Subscriber Edge Services Network Architecture
How Does SSG Work?
SSG Network Deployments
SSG Supported Access Protocols
Where to Go Next
Additional References
Related Documents
Technical Assistance
Overview of SSG
The Cisco Service Selection Gateway (SSG) is a Cisco IOS software feature set that works with the Cisco Subscriber Edge Services Manager (SESM) and other components to provide a subscriber edge services solution. SESM is used to deliver on-demand subscriber services across any SSG-enabled network. SSG provides on-demand service enforcement within the Cisco network. As part of a subscriber edge services solution, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Prerequisites for SSG
• Restrictions for SSG
• Information About SSG
• Where to Go Next
• Additional References
Prerequisites for SSG
• A Cisco router running a version of Cisco IOS software that supports Service Selection Gateway (SSG).
• An implementation of Cisco Subscriber Edge Services Manager (SESM).
• A RADIUS or Directory-based authentication system.
Restrictions for SSG
SSG does not process multicast packets.
Information About SSG
Before you begin to configure SSG, you should understand the following concepts:
• Overview of Cisco's Subscriber Edge Services Solution
• Benefits of Using SSG
• Components of a Subscriber Edge Services Solution
• Subscriber Edge Services Network Architecture
• How Does SSG Work?
• SSG Network Deployments
• SSG Supported Access Protocols
Overview of Cisco's Subscriber Edge Services Solution
The Cisco Service Selection Gateway (SSG) and Cisco Subscriber Edge Services Manager (SESM) are both components of the Cisco subscriber edge services solution. Cisco SESM is a product portfolio used for delivering on-demand subscriber services across any SSG-enabled network. SSG is the Cisco IOS feature set that serves as an access gateway that controls user access at the edge of the IP network.
A subscriber edge services solution is used to control user experience at the network edge. As an example, consider a business user that is accessing IP services via a wireless or other broadband connection in a hotel. SSG, in conjunction with SESM, redirects the unauthenticated subscriber's web browser to a walled garden, which might feature local weather and general hotel information. Upon registration, the subscriber may have expanded access to billing information, concierge services, printing services, and general Internet access. The subscriber edge services solution enables a service provider to advertise and offer on-demand, pay-per-use IP services based on location and type of access device.
Figure 1 shows how SSG and SESM manage subscriber access to network services.
Figure 1 Delivering Network Services with Cisco SESM and SSG
A subscriber edge services solution provides robust, highly scalable subscriber authentication, service selection, and service connection capabilities to subscribers in broadband and mobile environments.
Benefits of Using SSG
Service providers can generate revenue in two ways: by providing access technology and by providing network access. In a traditional service-provider environment, the service and access technologies are tightly joined, which makes it difficult to roll out new services, and restricts the service provider to flat billing based on the access technology.
SSG separates the service and access technologies, giving subscribers a selection of services from which to choose, and enabling service providers to implement service- and usage-based billing.
SSG, as part of a subscriber edge services solution, provides the following benefits:
Subscriber Authentication and Authorization
Subscriber Edge Services support user authentication to standard user databases. Subscriber and service profiles may be maintained in RADIUS servers and directory servers and may be owned by different entities. Single signon is supported to remove redundant authentication steps and provide subscribers with streamlined access to authorized services.
Web Portals
Subscriber Edge Services support web browser (HTTP) redirection or "captivation" of unauthenticated users to specific web pages. Web pages may be customized and personalized according to device, connection type, location, and other characteristics. This capability supports branding and targeted point-of-sale messaging. Service redirection and captivations are available to raise system messages or advertising at any time during a session.
Subscriber Self-Care
Subscriber Edge Services support subscriber account self-management. Subscribers can change their own account details (such as address, phone number, and password) and create and manage sub-accounts. Account self-registration and service self-subscription allow subscribers to fill in their initial account details and sign up for new services without assistance. Self-care improves customer satisfaction and reduces operational expenses.
Web-based Service Selection
SSG with SESM allows a service provider to create a branded web portal that presents subscribers with a menu of services. Subscribers can log on to and disconnect from different services using a web browser. This web-based service selection method takes advantage of the wide availability of web browsers and eliminates problems related to client software (such as license fees, distribution logistics, and an increased customer support burden).
Billing Flexibility for Service Providers
Cisco SSG allows subscribers to dynamically select and modify services. SSG monitors user connections, service logon and logoff, and user activity per service. By providing per-connection accounting, SSG enables service providers to bill subscribers for connection time, speed, and services used rather than charging a flat rate. Using SSG, service providers can also package and sell prepaid services.
Open Access
Open access is an important trend in the access-provider industry. Regulators in an increasing number of countries are demanding that access providers provide equal-access service to competing Internet service providers (ISPs). SSG can enable access providers to deploy services through multiple ISPs, allowing the consumer to choose their preferred ISP.
Flexibility and Convenience for Subscribers
SSG provides users with access to multiple simultaneous services, such as the Internet, gaming servers, connectivity to corporate networks, and the luxury of differential service selection. Users can dynamically connect to and disconnect from any of the available services.
Components of a Subscriber Edge Services Solution
The following sections describe the components of a subscriber edge services solution:
• SSG
• SESM
• AAA Server
• Services
SSG
SSG is the Cisco IOS feature set that controls user access at the edge of an IP network. SSG is deployed at network access control points, and subscribers connect to service destinations through SSG. The role of SSG is to identify and authenticate subscribers and then load a subscriber-specific profile that governs the network services that the subscriber is entitled to access.
SESM
SESM is a software toolkit that interacts with SSG to control the user experience at the network edge by providing a set of web-based interactive applications. These applications interact with the user to obtain identity and credentials for authentication and payment. SESM web applications also interact with the user to provide service selection, subscriber account self-management, and self-subscription. These applications can be personalized, localized, and customized to display advertisements and notifications according to where the user connects to the network and with which device.
AAA Server
An authentication, authorization, and accounting (AAA) server is used in a subscriber edge services solution as the data repository for service, subscriber, and policy information. SSG is designed to work with two types of servers: RADIUS-based AAA servers that accept vendor-specific attributes (VSAs) and Lightweight Directory Access Protocol (LDAP) directories.
Note
In order to use an LDAP directory, SSG must be used with SESM, and SESM must be configured for LDAP mode. For information on creating and maintaining subscriber, service, and policy information in an LDAP directory, refer to the Cisco Subscriber Management Guide.
Services
The term services means different things in different contexts. At the most fundamental and technical level, a service is defined in networking terms as a network destination: a subset of the service network. From a router perspective, a network destination is defined in terms of interfaces, next-hop definitions, and IP definitions.
Services have attributes. Some of these attributes refer to whether and how the user must be authenticated to access the services; other service attributes allow access filters and determine usage limits and quotas. The collection of attributes is known as a service profile.
At the user level, services may be described in more businesslike terms: free services versus fee-based services, gold service versus bronze, service selection, subscriber self provisioning, and so on. From the service provider perspective, a subscriber is defined by means of a user profile, which determines the services to which the subscriber is entitled.
These are examples of services that providers can offer:
• VPN services—Level 2 and Level 3 VPNs, irrespective of the type of transport. The services may include telecommuter access to corporate, or equal access to a number of different ISPs from an access provider.
• Filter services—Services that are implemented in the edge device or some inline device that limits access in some way, like firewalls, SPAM filters, virus filters and others.
• Prepaid services
• Content Service Gateways (CSGs)—Used to charge per page or unit of content (such as mp3 or gif files).
• Tiered Internet access (for example, bronze, silver, or gold)
• Dynamic bandwidth on demand
• Integrated voice and data
• Internet gaming and multimedia services
• Distance learning services
• Video on demand
• Peer-to-peer application control (for example, constraining bandwidth available for music downloads)
• Higher bandwidth for premium users, irrespective of applications
Subscriber Edge Services Network Architecture
Figure 2 illustrates how the components of a subscriber edge services network work together.
Figure 2 Service Selection Gateway Topology
Subscribers access the SESM web portal application using any web browser on a variety of devices, such as a desktop computer over DSL, a cellular phone over GPRS or CDMA, or a PDA over a WLAN. Depending on how SSG has been configured, unauthenticated users can either be forwarded to the SESM captive portal or automatically logged into the network. Service providers can thus use the SSG feature set of the router to design a service selection access network.
Subscribers can use SESM to manage their accounts, subscribe to new services, and select those services that they want to use. Service providers can use a subscriber edge services solution to offer and advertise value-added services and to associate these services with their brand identities.
How Does SSG Work?
A licensed version of SSG works with SESM to present to users a menu of services that can be selected from a single graphical user interface (GUI). This functionality improves flexibility and convenience for subscribers and enables service providers to bill subscribers for only the connect time and services used, rather than by charging a flat rate.
For instance, when SSG is used with SESM, the user opens an HTML browser and is redirected to the SESM web server application. SSG always allows access to a single IP address or subnet—referred to as the default network—where SESM is typically located. SESM prompts the user for a username and password.
SESM forwards the user's logon information to SSG, which forwards the information to either the AAA server, or to the RADIUS-DESS Proxy (RDP) component of SESM for LDAP authentication. If the user is not valid, the AAA server or RDP sends an Access-Reject message. If the user is valid, the AAA server or RDP sends an Access-Accept message with information specific to the user's profile about which services the user is authorized to use. SSG logs the user in and sends the response to SESM.
Depending on the contents of the Access-Accept or Access-Reject response, SESM presents a menu of authorized services, one or more of which is selected by the user. SSG then creates an appropriate connection for the user and, optionally, starts RADIUS accounting for the connection.
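The reply-handling step of this exchange, as an added example that is not part of the original Cisco module: a receiver authenticates the Access-Accept with the RFC 2865 Response Authenticator before it reads any service information from the Cisco vendor-specific attributes. The shared secret, request authenticator, sub-attribute number and service names are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def cisco_vsa(subtype, value):
    """Encode one Cisco VSA (sample-data helper for this example)."""
    body = struct.pack("!IBB", CISCO_VENDOR_ID, subtype, len(value) + 2) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply as a AAA server would (sample-data helper)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def parse_reply(packet, ident, request_auth, secret):
    """Authenticate a reply, then return (code, [(subtype, value), ...])."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or not 20 <= length <= len(packet):
        raise ValueError("identifier or length mismatch")
    packet = packet[:length]
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    vsas, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub, sublen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and 2 <= sublen <= len(value) - 4:
                vsas.append((sub, value[6:4 + sublen]))
        i += alen
    return code, vsas

# Constructed sample exchange: secret, authenticator and service names are made up.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
ACCEPT = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH,
                     cisco_vsa(250, b"Ninternet") + cisco_vsa(250, b"Ncorp-vpn"), SECRET)
```

A reply that fails the authenticator or identifier check is rejected before its attributes are parsed, so a forged Access-Accept cannot grant services.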
SSG Network Deployments
Service selection technology can be used in many types of access technology; for example:
• Broadband cable
• Digital Subscriber Line (DSL)
• Ethernet to home or office
• Public Wireless LAN (PWLAN)
• Mobile wireless, including General Packet Radio Service (GPRS) and Code Division Multiple Access (CDMA)
SSG Supported Access Protocols
SSG supports the following protocols and encapsulations:
• Point-to-Point Protocol (PPP), including PPP over Ethernet (PPPoE), PPP over ATM (PPPoA), and PPP over Layer 2 Tunnel Protocol (PPPoL2TP)
• Routed Bridged Encapsulation (RBE) and RFC1483 IP
SSG accepts traffic on the following interface types:
• ATM PVCs and subinterfaces
• Ethernet interfaces and subinterfaces
• Logical interfaces such as GRE and IPinIP
• Packet over SONET (POS) interfaces
• Serial and channelized interfaces
Where to Go Next
SSG configuration tasks are described in the following modules:
• Implementing SSG: Initial Tasks—this process explains how to enable SSG and establish communication with the AAA server and SESM.
• Configuring SSG to Serve as a RADIUS Proxy—this module describes the types of deployments that use SSG as a RADIUS proxy and how to configure them.
• Configuring SSG to Authenticate Subscribers—the following processes explain how to configure SSG to authenticate subscribers according to the method of subscriber login.
    – Configuring SSG to Authenticate Web Logon Subscribers
    – Configuring SSG to Authenticate PPP Subscribers
    – Configuring SSG to Authenticate Subscribers with Transparent Autologon
    – Configuring SSG to Authenticate Subscribers Automatically in the Service Domain
    – Configuring SSG for On-Demand IP Address Renewal
    – Configuring SSG Support for Subnet-Based Authentication
    – Configuring SSG for MAC-Address-Based Authentication
• Configuring SSG for Subscriber Services—this process describes how to configure SSG to create services and allow subscribers to use them.
• Configuring SSG to Log Off Subscribers—this process explains how to configure methods of subscriber logoff, such as SSG autologoff and timeouts.
• Configuring SSG Accounting—this process explains how to configure SSG support for subscriber accounting and billing, including per-service accounting, broadcast accounting, and prepaid services.
• RADIUS Profiles and Attributes for SSG—this module describes RADIUS profiles and their attributes.
Additional References
The following sections provide references related to configuring SSG.
Related Documents
Technical Assistance
Description | Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log on from this page to access even more content. | http://www.cisco.com/public/support/tac/home.shtml
Copyright © 2005 Cisco Systems, Inc. All rights reserved.