This feature module describes further enhancements to the Node Route Processor-Service Selection Gateway (NRP-SSG) feature. It includes information on the benefits of the enhancements, supported platforms, related documents, and configuration.
This document includes the following sections:
The enhancements described in this document are included in Cisco IOS Release 12.1(3) DC. The NRP-SSG feature was first released in Cisco IOS Release 12.0(3) DC, and enhancements were added in Cisco IOS Releases 12.0(5) DC, 12.0(7) DC, and 12.1(1) DC.
The NRP-SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using high-speed data circuit equipment (DCE) such as asymmetric digital subscriber line (ADSL) to allow simultaneous access to network services. The NRP-SSG with Web Selection works in conjunction with the Cisco Service Selection Dashboard (SSD), an open source web-based server application that allows users to select from multiple passthrough and proxy services through a standard web browser.
NRP-SSG Single Host Logon
Prior to this release, PPP-based NRP-SSG subscribers had to perform three logon sessions to log on to a service through Cisco SSD:
Now subscribers only perform two logon sessions to log on to a service through Cisco SSD:
Proxy RADIUS Enhancements
Two new Service-Info vendor-specific attributes (VSAs) are available for proxy RADIUS service profiles:
For the proxy RADIUS enhancements, the sizes of the user-defined string and full username are limited to the smaller of the following values:
Node Route Processor-Service Selection Gateway Enhancements IV are supported on the Cisco 6400 node route processor (NRP).
Standards
None
MIBs
None
RFCs
No new or modified RFCs are supported by these feature enhancements.
In order to use the Single Host Logon feature, you must install and configure Cisco SSD version 2.5 or higher.
To configure the proxy RADIUS enhancements, enter one or both of the following Service-Info vendor-specific attributes (VSAs) in the proxy RADIUS service profile:
For general information on configuring RADIUS profiles for NRP-SSG, see the "Configuring RADIUS Profiles" section in the Node Route Processor Service Selection Gateway feature module.
The NRP-SSG uses vendor-specific RADIUS attributes. If using the NRP-SSG with Cisco User Control Point (UCP) software, specify settings that allow processing of the NRP-SSG attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another AAA server, you must customize that server's RADIUS dictionary to incorporate the NRP-SSG vendor-specific attributes.
Table 1 lists vendor-specific attributes used by the NRP-SSG to support the proxy RADIUS enhancements. The vendor ID for all of the Cisco-specific attributes is 9.
| AttrID | Vendor ID | SubAttrID | SubAttrName | SubAttrDataType |
|---|---|---|---|---|
| 26 | 9 | 251 | Service-Info | String |
This section defines the Service-Defined Cookie and the Full Username Attribute, for use in the proxy RADIUS service profile.
The Service-Defined Cookie enables you to include user-defined information in the RADIUS authentication and accounting requests.

Service-Info = "Vstring"

Syntax Description

| Argument | Description |
|---|---|
| string | Information of your choice that you wish to include in the RADIUS authentication and accounting requests. |
Example (RADIUS Freeware Format)
Service-Info = "VserviceIDandAAA-ID"
Example (CiscoSecure ACS for UNIX)
9,251="VserviceIDandAAA-ID"
Note: NRP-SSG does not parse or interpret the value of the Service-Defined Cookie. You must configure the proxy RADIUS server to interpret this attribute.

Note: NRP-SSG supports only one Service-Defined Cookie per RADIUS service profile.
The Full Username Attribute indicates that the RADIUS authentication and accounting requests use the full username (user@service).

Service-Info = "X"

Example (RADIUS Freeware Format)
Service-Info = "X"
Example (CiscoSecure ACS for UNIX)
9,251="X"
Router# show ssg service serv1-proxy
------------------------ ServiceInfo Content -----------------------
Uplink IDB:
Name:serv1-proxy
Type:PROXY
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Reference Count:1
Next Hop Gateway Key:my-key
DNS Server(s):Primary:10.13.1.5
Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secret
Included Network Segments:
10.13.0.0/255.255.0.0
Excluded Network Segments:
Full User Name Used
Service Defined Cookie exist
Domain List:service1.com;
Active Connections:
1 :Virtual=255.255.255.255, Subscriber=10.20.10.2
------------------------ End of ServiceInfo Content ----------------
Step 2 To check the content of the RADIUS profiles, refer to the user documentation for your RADIUS server.
To troubleshoot communication between the RADIUS server and the NRP, use the debug radius command.
The following proxy RADIUS service profile contains a Service-Defined Cookie and a Full Username Attribute:
user = serv1-proxy{
profile_id = 98
profile_cycle = 42
member = Single_Logon
radius=6510-SSG-v1.1a {
check_items= {
2=alex
}
reply_attributes= {
9,251="Oservice1.com"
9,251="R10.13.0.0;255.255.0.0"
9,251="TX"
9,251="D10.13.1.5"
9,251="S10.13.1.2;1645;1646;my-secret"
9,251="Gmy-key"
9,251="X"
9,251="Vproxy-service_at_X.X.X.X"
}
}
}
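The following Python example is added here and is not part of the Cisco documentation. It reads the `9,251` lines of a profile like the one above, applies the one-cookie rule and the X flag, and encodes each value in the attribute 26 / vendor 9 / sub-attribute 251 layout from Table 1 using the standard RFC 2865 vendor-specific format, which is what a customized RADIUS dictionary entry maps to. The function names and the 247-byte ceiling (derived from RFC 2865's one-octet length fields) are assumptions of the example, not values from this page.

```python
import re
import struct

VENDOR_SPECIFIC, CISCO, SERVICE_INFO = 26, 9, 251  # AttrID, Vendor ID, SubAttrID (Table 1)
MAX_VALUE = 255 - 2 - 4 - 2  # assumption: RFC 2865 one-octet lengths leave 247 bytes

# Constructed sample: four reply attributes taken from the serv1-proxy profile above.
PROFILE = '''
9,251="Oservice1.com"
9,251="S10.13.1.2;1645;1646;my-secret"
9,251="X"
9,251="Vproxy-service_at_X.X.X.X"
'''

def service_info_values(profile_text):
    """Return the Service-Info strings from CiscoSecure ACS style lines."""
    return re.findall(r'^[ \t]*9,251="([^"]*)"[ \t]*$', profile_text, re.M)

def check_profile(values):
    """Apply the page's rules: at most one V cookie; a bare X means full username."""
    cookies = [v[1:] for v in values if v.startswith("V")]
    if len(cookies) > 1:
        raise ValueError("only one Service-Defined Cookie per service profile")
    return {"cookie": cookies[0] if cookies else None,
            "full_username": "X" in values}

def encode_vsa(value):
    """Encode one Service-Info string as a RADIUS vendor-specific attribute."""
    data = value.encode("ascii")
    if len(data) > MAX_VALUE:
        raise ValueError("Service-Info value too long for one attribute")
    sub = bytes([SERVICE_INFO, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", CISCO) + sub

def decode_vsas(buf):
    """Walk a RADIUS attribute list and return the Cisco Service-Info strings."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute length")
        atype, alen = buf[i], buf[i + 1]
        body = buf[i + 2:i + alen]
        if (atype == VENDOR_SPECIFIC and len(body) >= 6
                and struct.unpack("!I", body[:4])[0] == CISCO
                and body[4] == SERVICE_INFO and body[5] == len(body) - 4):
            out.append(body[6:].decode("ascii"))
        i += alen
    return out
```
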
This section documents one modified command. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications and Cisco 6400 feature modules.
To display the information for a service, use the show ssg service privileged EXEC command.
show ssg service [service-name [{begin expression | exclude expression | include expression}]]
Syntax Description
| Argument | Description |
|---|---|
| service-name | (Optional) Name of an active NRP-SSG service. |
| begin | (Optional) Begin with the line that contains expression. |
| exclude | (Optional) Exclude lines that contain expression. |
| include | (Optional) Include lines that contain expression. |
| expression | (Optional) Word or phrase used to determine what lines will be shown. |
Defaults
If no service name is provided, the command displays information for all services.
Command Modes
Privileged EXEC
Command History
| Release | Modification |
|---|---|
| 12.0(3) DC | This command was introduced. |
| 12.1(3) DC | The output of this command was modified to state when the following Service-Info Attributes exist in the proxy RADIUS service profile: |
Usage Guidelines
Use this command to display connection information for a service.
Examples
The following example displays the information for the service called serv1-proxy:
Router# show ssg service serv1-proxy
------------------------ ServiceInfo Content -----------------------
Uplink IDB:
Name:serv1-proxy
Type:PROXY
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Reference Count:1
Next Hop Gateway Key:my-key
DNS Server(s):Primary:10.13.1.5
Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secret
Included Network Segments:
10.13.0.0/255.255.0.0
Excluded Network Segments:
Full User Name Used
Service Defined Cookie exist
Domain List:service1.com;
Active Connections:
1 :Virtual=255.255.255.255, Subscriber=10.20.10.2
------------------------ End of ServiceInfo Content ----------------
Related Commands
| Command | Description |
|---|---|
| ssg bind service | Specifies the interface for a service. |
| show ssg binding | Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
| clear ssg service | Removes a service. |
AAA: Authentication, authorization, and accounting (pronounced "triple a").

RADIUS: Remote Access Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
Posted: Thu Sep 21 22:21:48 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.