- select
- server (SSG)
- server-group
- server-port
- session-identifier
- sessions auto cleanup
- show ssg auto-domain exclude-profile
- show ssg binding
- show ssg connection
- show ssg dial-out exclude-list
- show ssg direction
- show ssg host
- show ssg interface
- show ssg multidomain ppp exclude-list
- show ssg next-hop
- show ssg open-garden
- show ssg pass-through-filter
- show ssg pending-command
- show ssg port-map ip
- show ssg port-map status
- show ssg prepaid default-quota
- show ssg radius-proxy
- show ssg service
- show ssg summary
- show ssg tcp-redirect group
- show ssg user transparent
- show ssg user transparent authorizing
- show ssg user transparent passthrough
- show ssg user transparent suspect
- show ssg user transparent unidentified
- show ssg vc-service-map
- source ip
- ssg aaa group prepaid
- ssg accounting
- ssg attribute 44 suffix host ip
- ssg auto-domain
- ssg auto-logoff arp
- ssg auto-logoff icmp
- ssg bind direction
- ssg bind service
select
Note 
Effective with Cisco IOS Release 15.0(1)M, the select command is not available in Cisco IOS software.
To override the default Autodomain selection algorithm, use the select command in SSG-auto-domain mode. To reenable the default algorithm for selecting the Autodomain, use the no form of this command.
select {username | called-station-id}
no select {username | called-station-id}
Syntax Description
username |
Configures the algorithm to use only the username to select the Autodomain. |
called-station-id |
Configures the algorithm to use only the Access Point Name (APN) Called-Station-ID. |
Command Default
The algorithm attempts to find a valid Autodomain based on the APN Called-Station-ID and then by username.
Command Modes
SSG-auto-domain
Command History
Usage Guidelines
Use the select command to override the default algorithm for selecting the Autodomain. By default, the algorithm attempts to find a valid Autodomain based on APN Called-Station-ID and then by username. Using this command, you can configure the algorithm to use only the APN or only the username.
Note The Autodomain exclusion list is applied even if the mode is selected using the select command.
Examples
The following example shows how to configure the algorithm to search for a valid Autodomain based only on the username:
ssg enable
ssg auto-domain
mode extended
select username
exclude apn motorola
exclude domain cisco
download exclude-profile abc password1
nat user-address
The following example shows how to configure the algorithm to search for a valid Autodomain based only on the APN:
select called-station-id
Related Commands
server (SSG)
Note Effective with Cisco IOS Release 15.0(1)M, the server (SSG) command is not available in Cisco IOS software.
To add a server to a captive portal group, use the server command in SSG-redirect-group configuration mode. To remove a server from a captive portal group, use the no form of this command.
server ip-address port
no server ip-address port
Syntax Description
ip-address |
IP address of the server to be added to the captive portal group. |
port |
TCP port of the server to be added to the captive portal group. |
Command Default
No default behavior or values.
Command Modes
SSG-redirect-group configuration
Command History
Usage Guidelines
Use the server command in SSG-redirect-group configuration mode to add a server, defined by its IP address and TCP port, to a captive portal group.
Service Selection Gateway (SSG) TCP Redirect for Services provides nonauthorized users access to controlled services within an SSG. Packets sent upstream from an unauthenticated user are forwarded to the captive portal that deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services into which they are not logged.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a captive portal group. Use the server-group command in SSG-redirect configuration mode to create and name a captive portal group before using the server command to add servers to the captive portal group.
Examples
The following example adds a server at IP address 10.0.0.0 and TCP port 8080 and a server at IP address 10.1.2.3 and TCP port 8081 to a captive portal group named "RedirectServer":
ssg enable
ssg tcp-redirect
server-group RedirectServer
server 10.0.0.0 8080
server 10.1.2.3 8081
Related Commands
server-group
Note Effective with Cisco IOS Release 15.0(1)M, the server-group command is not available in Cisco IOS software.
To define a group of one or more servers that make up a named captive portal group and enter SSG-redirect-group configuration mode, use the server-group command in SSG-redirect configuration mode. To remove a captive portal group and any servers configured within that portal group, use the no form of this command.
server-group group-name
no server-group group-name
Syntax Description
group-name |
The name of the captive portal group. |
Command Default
No default behavior or values.
Command Modes
SSG-redirect configuration
Command History
Usage Guidelines
Use this command to define and name a captive portal group. Service Selection Gateway (SSG) TCP Redirect for Services provides nonauthorized users access to controlled services within an SSG. Packets sent upstream from an unauthenticated user are forwarded to the captive portal that deals with the packets in a suitable manner, such as routing them to a logon page. You can also use captive portals to handle requests from authorized users who request access to services into which they are not logged.
After defining a captive portal group with the server-group command, identify individual servers for inclusion in the captive portal group using the server ip-address port command in SSG-redirect-group configuration mode.
You must enable SSG using the ssg enable command and SSG TCP Redirect for Services using the ssg tcp-redirect command before you can define a captive portal group.
Note This command, along with the server command, replaces the ssg http-redirect group group-name server ip-address port command.
Examples
The following example defines a captive portal group named "RedirectServer":
ssg enable
ssg tcp-redirect
server-group RedirectServer
Related Commands
server-port
Note Effective with Cisco IOS Release 15.0(1)M, the server-port command is not available in Cisco IOS software.
To configure the ports on which Service Selection Gateway (SSG) listens for RADIUS-requests from configured RADIUS clients, use the server-port command in SSG-radius-proxy configuration mode. To stop SSG from listening for RADIUS requests from configured RADIUS clients on a port, use the no form of this command.
server-port [auth auth-port] [acct acct-port]
no server-port [auth auth-port] [acct acct-port]
Syntax Description
Command Default
Port 1645 is the default RADIUS authentication port.
Port 1646 is the default RADIUS accounting port.
Command Modes
SSG-radius-proxy configuration
Command History
Usage Guidelines
Use this command to configure the authentication and accounting ports for the SSG Autologon Using Proxy RADIUS feature. Ports configured with this command are global parameters that apply to all proxy clients in the SSG.
Examples
The following example shows how to configure port 23 as the RADIUS authentication port and port 45 as the RADIUS accounting port:
server-port auth 23 acct 45
Related Commands
session-identifier
Note Effective with Cisco IOS Release 15.0(1)M, the session-identifier command is not available in Cisco IOS software.
To override Service Selection Gateway (SSG) automatic RADIUS client session identification and to configure SSG to identify the specified client session by a specific type of ID attribute, use the session-identifier command in SSG-radius-proxy-client mode. To configure SSG to perform user identification only by the username without using a session identification, use the no form of this command.
session-identifier [auto | msid | correlation-id | acct-sess-id]
no session-identifier [auto | msid | correlation-id | acct-sess-id]
Syntax Description
Command Default
SSG selects the attribute used for session identification according to the type of client device.
Command Modes
SSG-radius-proxy-client
Command History
Usage Guidelines
By default, SSG automatically selects the attribute to use for session identification according to the type of RADIUS client device. This attribute is used in the SSG Proxy RADIUS logon table. SSG assigns the following vendor-specific attributes (VSAs) to identify client sessions:
•3GPP2-Correlation-ID for Packet Data Serving Nodes (PDSNs)
•Accounting-Session-ID for Home Agents (HAs)
•Calling-Station-ID (MSID) for non-CDMA2000 devices such as a general packet radio system (GPRS)
Use the session-identifier command to override the automatic session identification. Use the auto keyword to return to automatic session identification.
Examples
The following example shows how to configure SSG to use the Correlation-ID to identify the specified client session:
session-identifier correlation-id
The following example shows how to configure the RADIUS client to proxy all requests from IP address 172.16.0.0 to the RADIUS server, to assign the shared secret "cisco" to the client, and to use the Accounting-Session-ID attribute to identify the specified client session:
client-address 172.16.0.0
key cisco
session-identifier acct-session-id
Related Commands
sessions auto cleanup
Note Effective with Cisco IOS Release 15.0(1)M, the sessions auto-cleanup command is not available in Cisco IOS software.
To configure an aggregation device to attempt to recover PPP over Ethernet (PPPoE) sessions that failed after reload by notifying customer premises equipment (CPE) devices about the PPPoE session failures, use the sessions auto cleanup command in BBA group configuration mode. To disable PPPoE session recovery after reload, use the no form of this command.
sessions auto cleanup
no sessions auto cleanup
Syntax Description
This command has no arguments or keywords.
Command Default
PPPoE session recovery after reload is not enabled.
Command Modes
BBA group configuration
Command History
Usage Guidelines
If the PPP keepalive mechanism is disabled on a CPE device, the CPE device has no way to detect link or peer device failures over PPPoE connections. When an aggregation device that serves as the PPPoE session endpoint reloads, the CPE will assume that the link is up and will continue to send traffic to the aggregation device. The aggregation device will drop the traffic for the failed PPPoE session.
The sessions auto cleanup command enables an aggregation device to attempt to recover PPPoE sessions that existed before a reload. When the aggregation device detects a PPPoE packet for a "half-active" PPPoE session (a PPPoE session that is active on the CPE end only), the device notifies the CPE of the PPPoE session failure by sending a PPPoE active discovery terminate (PADT) packet. The CPE device is expected to respond to the PADT packet by taking failure recovery action.
The sessions auto cleanup command must be configured in a PPPoE profile. This command enables PPPoE session recovery after reload on all ingress ports that use the PPPoE profile.
Examples
In the following example, PPPoE session recovery after reload is configured in PPPoE profile "group1".
bba-group pppoe group1
virtual-template 1
sessions auto cleanup
Related Commands
|
|
|
|---|---|
bba-group pppoe |
Creates a PPPoE profile. |
show ssg auto-domain exclude-profile
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg auto-domain exclude-profile command is not available in Cisco IOS software.
To display the contents of an Autodomain exclude profile downloaded from the AAA server, use the show ssg auto-domain exclude-profile command in global configuration mode.
show ssg auto-domain exclude-profile
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command in global configuration mode to display the contents of an Autodomain exclude-profile downloaded from the AAA server. If any exclude entries downloaded from the AAA server are removed by the no exclude {apn | domain} name command, these entries will not be displayed by the show ssg auto-domain exclude-profile command.
Examples
The following sample displays the contents of an Autodomain exclude profile downloaded from the AAA server. The report is self-explanatory.
Router# show ssg auto-domain exclude-profile
Exclude APN Entries Downloaded:
apn1.gprs apr2.com
Exclude Domain Entries Downloaded:
cisco.com abcd.com
Related Commands
show ssg binding
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg binding command is not available in Cisco IOS software.
To display service names that have been bound to interfaces and the IP addresses to which they have been bound, use the show ssg binding command in privileged EXEC mode.
show ssg binding [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display services and the interfaces to which they have been bound.
Examples
The following example shows all service names that have been bound to interfaces:
Router# show ssg binding
WhipitNet -> 192.168.1.1 (NHT)
Service1.com -> 192.168.1.2 (NHT)
Service2.com -> 192.168.1.3 (NHT)
Service3.com -> 192.168.1.4 (NHT)
GoodNet -> 192.168.2.1
Perftest -> 192.168.1.6
Related Commands
|
|
|
|---|---|
clear ssg service |
Removes a service. |
show ssg service |
Displays the information for a service. |
ssg bind service |
Specifies the interface for a service. |
show ssg connection
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg connection command is not available in Cisco IOS software.
To display the connections of a given Service Selection Gateway (SSG) host and a service name, use the show ssg connection command in privileged EXEC mode.
show ssg connection {ip-address | network-id subnet-mask} service-name [interface]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Examples
Prepaid Service Based on Volume: Example
The following example displays the SSG connection for a prepaid service that uses a volume-based quota:
Router# show ssg connection 10.10.1.1 InstMsg
------------------------ConnectionObject Content -----------------------
User Name:
Owner Host:10.10.1.1
Associated Service:InstMsg
Connection State:0 (UP)
Connection Started since:*00:25:58.000 UTC Tue Oct 23 2001
User last activity at:*00:25:59.000 UTC Tue Oct 23 2001
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Quota Type = 'VOLUME', Quota Value = 100
Session policing disabled
Prepaid Service Based on Time: Example
The following example displays the SSG connection for a prepaid service that uses a time-based quota:
Router# show ssg connection 10.10.1.2 Prepaid-internet
------------------------ConnectionObject Content -----------------------
User Name:Host
Owner Host:10.10.1.2
Associated Service:Prepaid-internet
Connection State:0 (UP)
Connection Started since:*00:34:06.000 UTC Tue Oct 23 2001
User last activity at:*00:34:07.000 UTC Tue Oct 23 2001
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Quota Type = 'TIME', Quota Value = 100
Session policing disabled
Autologin Service: Example
The following example shows the service connection for the autologon service to host 10.3.6.1:
Router# show ssg connection 10.3.6.1 autologin
------------------------ ConnectionObject Content -----------------------
User Name:autologin
Owner Host:10.3.6.1
Associated Service:autologin
Connection State:0 (UP)
Connection Started since:
*20:41:26.000 UTC Fri Jul 27 2001
User last activity at:*20:41:26.000 UTC Fri Jul 27 2001
Connection Traffic Statistics:
Input Bytes = 0 (HI = 0), Input packets = 0
Output Bytes = 0 (HI = 0), Output packets = 0
MSISDN: Example
The following sample output for the show ssg connection command shows the MSISDN that is used for service logon:
Router# show ssg connection 10.0.1.1 proxy2
------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1
Associated Service: proxy2
Calling station id: 12345
Connection State: 0 (UP)
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2003
User last activity at: *17:44:59.000 GMT Sun Jul 6 2003
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Session policing disabled
Subnet-Based Subscriber: Example
The following sample output for the show ssg connection command shows the subnet mask of the subscribed host:
Router# show ssg connection 10.0.1.1 255.255.255.0 passthru
------------------------ConnectionObject Content -----------------------
User Name: dev-user2
Owner Host: 10.0.1.1 (Mask : 255.255.255.0)
Associated Service: passthru1
Calling station id: 00d0.792f.8054
Connection State: 0 (UP)
Connection Started since: *17:44:59.000 GMT Sun Jul 6 2004
User last activity at: *17:44:59.000 GMT Sun Jul 6 2004
Connection Traffic Statistics:
Input Bytes = 0, Input packets = 0
Output Bytes = 0, Output packets = 0
Table 9 describes the significant fields shown in the displays.
Related Commands
|
|
|
|---|---|
clear ssg connection |
Removes the connections of a given host and a service name. |
show ssg dial-out exclude-list
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg dial-out exclude-list command is not available in Cisco IOS software.
To display information about the Dialed Number Identification Service (DNIS) prefix profile and the DNIS exclusion list, use the show ssg dial-out exclude-list command in privileged EXEC mode.
show ssg dial-out exclude-list
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display the DNIS profile name and all DNIS entries configured via CLI or downloaded from a authentication, authorization, and accounting (AAA) server.
Examples
The following example shows sample output for the show ssg dial-out exclude-list command:
Router# show ssg dial-out exclude-list
Exclude DNIS prefixes downloaded from profile exclude_dnis_aaa
Related Commands
show ssg direction
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg direction command is not available in Cisco IOS software.
To display the direction of all interfaces for which a direction has been specified, use the show ssg direction command in privileged EXEC mode.
show ssg direction [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to show all interfaces that have been specified as uplinks or downlinks.
Examples
The following example shows the direction of all interfaces that have been specified as uplinks or downlinks.
Router# show ssg direction
ATM0/0/0.10: Uplink
BVI1: Downlink
FastEthernet0/0/0: Uplink
Related Commands
|
|
|
|---|---|
ssg bind direction |
Specifies an interface as a downlink or uplink interface. |
show ssg host
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg host command is not available in Cisco IOS software.
To display information about a Service Selection Gateway (SSG) subscriber and the current connections of the subscriber, use the show ssg host command in privileged EXEC mode. The command syntax of the show ssg host command depends on whether the SSG Port-Bundle Host Key feature is enabled.
When SSG Port-Bundle Host Key Is Not Enabled
show ssg host [ip-address | count | username [subnet-mask]]
When SSG Port-Bundle Host Key Is Enabled
show ssg host [ip-address | count | username] [interface [username] [subnet-mask]]
Syntax Description
Command Default
If no argument is provided, all current connections are displayed.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
You can specify the Service Selection Gateway (SSG) downlink interface only when the SSG Port-Bundle Host Key feature is enabled. To enable the host key, enter the ssg port-map command in global configuration mode. To disable the host key, enter the no ssg port-map command.
Examples
Display All Active Hosts: Example
The following example shows all active hosts:
Router# show ssg host
1:10.3.1.1 [Host-Key 70.13.60.3:64]
2:10.3.6.1 [Host-Key 70.13.60.3:65]
### Active HostObject Count:2
Simple IP Host: Example
The following example shows information about a simple IP host with an IP address of 10.0.0.0:
Router# show ssg host 10.0.0.0
------------------------ HostObject Content -----------------------
Activated: TRUE
Interface:
User Name: user1
Owner Host: 10.0.0.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Proxy logon from client IP: 10.0.48.3
Device: PDSN (Simple IP)
NASIP : 10.0.48.3
SessID: 12345678
APN :
MSID : 5551000
Timer : None
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *05:59:46.000 UTC Fri May 3 2002
User last activity at: *05:59:52.000 UTC Fri May 3 2002
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: internet-blue;
AutoService: internet-blue;
Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking; vidconf;
Subscribed Service Groups: NONE
Mobile IP Host: Example
The following example shows information about a mobile IP host with an IP address of 10.0.0.0:
Router# show ssg host 10.0.0.0
------------------------ HostObject Content -----------------------
Activated: TRUE
Interface:
User Name: user1
Owner Host: 10.0.0.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Proxy logon from client IP: 10.0.48.4
Device: HA
NASIP : 10.0.48.4
SessID: 44444445
APN :
MSID : 5551001
Timer : None
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *06:01:02.000 UTC Fri May 3 2002
User last activity at: *06:01:09.000 UTC Fri May 3 2002
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: internet-blue;
AutoService: internet-blue;
Subscribed Services: internet-blue; iptv; games; distlearn; corporate; shop; banking; vidconf;
Subscribed Service Groups: NONE
Two Hosts with the Same IP Address: Examples
The following example shows two host objects with the same IP address:
Router# show ssg host 10.3.1.1
SSG:Overlapping hosts for IP 10.3.1.1 at interfaces:FastEthernet0/0/0
Virtual-Access1
In this case, use the interface argument to uniquely identify the host:
Router# show ssg host 10.3.1.1 FastEthernet0/0/0
.
.
.
Note Note that the output produced by this command is the same as that produced by the command without the interface argument. The interface argument is used to uniquely identify a host only when there are overlapping host IP addresses.
The following example shows the usernames logged in to the active hosts:
Router# show ssg host username
1:10.3.1.1 (active) Host name:pppoauser
2:10.3.6.1 (active) Host name:ssguser2
### Total HostObject Count(including inactive hosts):2
Host Associated with a VRF: Example
The following sample output for the show ssg host command shows a VRF called "BLUE" associated with a host that has the IP address 10.0.0.2:
Router# show ssg host 10.0.0.2
------------------------ HostObject Content ----------------------
Activated: TRUE
Interface: Ethernet1/0 VRF Name: BLUE
User Name: prep-user1
Owner Host: 10.0.0.2
Subnet-Based Subscriber: Example
The following example shows information about a subnet-based subscriber with an IP address of 10.0.0.0 and a subnet mask of 255.255.255.0:
Router# show ssg host 10.0.0.0 255.255.255.0
------------------------ HostObject Content -----------------------
Activated: TRUE
Interface:
User Name: user1
Host IP : 10.0.0.0
Mask : 255.255.255.0
Msg IP: 0.0.0.0 (0)
Host DNS IP: 0.0.0.0
Maximum Session Timeout: 0 seconds
Host Idle Timeout: 60000 seconds
Class Attr: NONE
User policing disabled
User logged on since: *05:59:46.000 UTC Fri May 3 2004
User last activity at: *05:59:52.000 UTC Fri May 3 2004
SMTP Forwarding: NO
Initial TCP captivate: NO
TCP Advertisement captivate: NO
Default Service: NONE
DNS Default Service: NONE
Active Services: NONE
AutoService: NONE
Subscribed Services: passthru1; proxynat1; tunnel1; proxy1
Subscribed Service Groups: NONE
Table 10 describes the significant fields shown in the displays.
Related Commands
|
|
|
|---|---|
clear ssg host |
Removes a host object or a range of host objects. |
ssg port-map |
Enables the SSG port-bundle host key. |
show ssg interface
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg interface command is not available in Cisco IOS software.
To display information about Service Selection Gateway (SSG) interfaces, use the show ssg interface command in user EXEC or privileged EXEC mode.
show ssg interface [interface | brief]
Syntax Description
interface |
(Optional) Specific interface for which to display information. |
brief |
(Optional) Gives brief information about each of the SSG interfaces and their usage. |
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command without any keywords or arguments to display information about all SSG interfaces.
Examples
The following example shows the show ssg interface brief command:
Router# show ssg interface brief
Interface Direction bindingtype Status
ATM3/0.1 Uplink Dynamic Up
ATM3/0.2 Downlink Static Down
Related Commands
show ssg multidomain ppp exclude-list
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg multidomain ppp exclude-list command is not available in Cisco IOS software.
To display the contents of a PPP Termination Aggregation-Multidomain (PTA-MD) exclusion list, use the show ssg multidomain ppp exclude-list command in privileged EXEC mode.
show ssg multidomain ppp exclude-list
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
This command is used to verify the contents of a PTA-MD exclusion list.
Examples
Adding Domains to an Existing PTA-MD Exclusion List
In the following example, a PTA-MD exclusion list that already includes "cisco", "motorola", "nokia", and "voice-stream" is downloaded from the authentication, authorization, and accounting (AAA) server. After the exclusion list is downloaded, "microsoft" and "sun" are added to the exclusion list.
The exclusion list currently on the AAA server includes "cisco", "motorola", "nokia", and "voice-stream":
user = pta_md{
profile_id = 119
profile_cycle = 2
member = SSG-DEV
radius=6510-SSG-v1.1 {
check_items= {
2=cisco
}
reply_attributes= {
9,253="XPcisco"
9,253="XPmotorola"
9,253="XPnokia"
9,253="XPvoice-stream"
In the following example, the PTA-MD exclusion list is downloaded to the router from the AAA server. The password to download the exclusion list is "cisco". After the PTA-MD exclusion list is downloaded, "microsoft" and "sun" are added to the list using the router command-line interface (CLI).
ssg multidomain ppp
download exclude-profile pta_md cisco
exclude domain microsoft
exclude domain sun
The enhancements to the exclusion list are then verified:
Router# show ssg multidomain ppp exclude-list
Profile name :pta_md
1 cisco
2 motorola
3 nokia
4 voice-stream
Domains added via CLI :
1 microsoft
2 sun
Related Commands
show ssg next-hop
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg next-hop command is not available in Cisco IOS software.
To display the next-hop table, use the show ssg next-hop command in privileged EXEC mode.
show ssg next-hop [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display all next-hop IP addresses.
Examples
The following example shows the next-hop table:
Router# show ssg next-hop
Next hop table loaded from profile prof-nhg:
WhipitNet -> 192.168.1.6
Service1.com -> 192.168.1.3
Service2.com -> 192.168.1.2
Service3.com -> 192.168.1.1
GoodNet -> 192.168.1.2
Perftest -> 192.168.1.5
End of next hop table.
Related Commands
|
|
|
|---|---|
clear ssg next-hop |
Removes the next-hop table. |
ssg next-hop download |
Downloads the next-hop table from a RADIUS server. |
show ssg open-garden
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg open-garden command is not available in Cisco IOS software.
To display a list of all configured open garden services, use the show ssg open-garden command in privileged EXEC mode.
show ssg open-garden
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC (#)
Command History
Examples
In the following example, all configured open garden services are displayed:
Router# show ssg open-garden
nrp1-nrp2_og1
nrp1-nrp2_og2
nrp1-nrp2_og3
nrp1-nrp2_og4
Related Commands
show ssg pass-through-filter
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg pass-through-filter command is not available in Cisco IOS software.
To display the downloaded filter for transparent pass-through, use the show ssg pass-through-filter command in privileged EXEC mode.
show ssg pass-through-filter [begin expression | exclude expression | include expression]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display the downloaded transparent pass-through filter. The filter prevents pass-through traffic from accessing the specified IP address and subnet mask combinations. The filter is set using the ssg pass-through command.
To display a filter defined on the command line, use the show running-config command.
Examples
The following example shows the pass-through filter:
Router# show ssg pass-through-filter
Service name: filter01
Password: cisco
Direction: Uplink
Extended IP access list (SSG ACL)
permit tcp 172.16.6.0 0.0.0.255 any eq telnet
permit tcp 172.16.6.0 0.0.0.255 192.168.250.0 0.0.0.255 eq ftp
Related Commands
|
|
|
|---|---|
clear ssg pass-through-filter |
Removes the downloaded filter for transparent pass-through. |
ssg pass-through |
Enables transparent pass-through. |
show ssg pending-command
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg pending-command command is not available in Cisco IOS software.
To display current pending commands, such as next-hop or filters, use the show ssg pending-command command in privileged EXEC mode.
show ssg pending-command
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display the current pending commands.
Examples
The following example shows the pending commands:
Router# show ssg pending-command
SSG pending command list:
ssg bind service Service1.com 192.168.103.1
ssg bind service Perftest206 192.168.104.5
Related Commands
|
|
|
|---|---|
clear ssg pending-command |
Removes all pending commands. |
show ssg port-map ip
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg port-map ip command is not available in Cisco IOS software.
To display information about a particular port bundle, use the show ssg port-map ip command in privileged EXEC mode.
show ssg port-map ip ip-address port port-number
Syntax Description
ip-address |
IP address used to identify the port bundle. |
port port-number |
TCP port number used to identify the port bundle. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
This command displays the following information about a port bundle:
•Port maps in the port bundle
•IP address of the subscriber
•Interface through which the subscriber is connected
•Downlink VRF
Examples
The following is sample output for the show ssg port-map ip command:
Router# show ssg port-map ip 192.168.0.1 port 64
State = RESERVED
Subscriber Address = 10.1.1.1
Downlink Interface = Ethernet1/0
Downlink VRF = BLUE
Port-mappings:-
Subscriber Port: 1 Mapped Port: 1039
Table 11 describes the significant fields shown in the display.
Related Commands
|
|
|
|---|---|
show ssg port-map status |
Displays information on port bundles. |
show ssg port-map status
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg port-map status command is not available in Cisco IOS software.
To display information on port bundles, use the show ssg port-map status command in privileged EXEC mode.
show ssg port-map status [free | reserved | inuse]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Entered without any keywords, the command displays a summary of all port-bundle groups, including the following information:
•A list of port-bundle groups
•Port-bundle length
•Number of free, reserved, and in-use port bundles in each group
Examples
Display All Bundles Example
The following example shows output for the show ssg port-map status command with no keywords:
Router# show ssg port-map status
Bundle-length = 4
Bundle-groups:-
IP Address Free Bundles Reserved Bundles In-use Bundles
10.13.60.2 4032 0 0
Table 12 describes the significant fields shown in the display.
Display In-Use Bundles Example
The following example shows output for the show ssg port-map status command with the inuse keyword:
Router# show ssg port-map status inuse
Bundle-group 10.13.60.2 has the following in-use port-bundles:-
Port-bundle Subscriber Address Interface
64 10.10.3.1 Virtual-Access2
Table 13 describes the significant fields shown in the display.
Related Commands
|
|
|
|---|---|
show ssg port-map ip |
Displays information on a particular port bundle. |
show ssg prepaid default-quota
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg prepaid default-quota command is not available in Cisco IOS software.
To display the values of the Service Selection Gateway (SSG) prepaid default quota counters, use the show ssg prepaid default-quota command in privileged EXEC mode.
show ssg prepaid default-quota
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
|
|
|
|---|---|
12.3(11)T |
This command was introduced. |
12.4 |
This command was integrated into Cisco IOS Release 12.4. |
15.0(1)M |
This command was removed. |
Usage Guidelines
SSG maintains two counters to keep track of the number of times the SSG prepaid default quota has been allotted. One counter is for the total number of default quotas allotted by SSG (irrespective of how many times the prepaid server has become available and unavailable). The other counter keeps track of the number of default quotas allotted by SSG during the latest instance of prepaid server unavailability.
Note that the value of the counter for currently allocated default quotas will be zero when the prepaid billing server is available. The counter for currently allocated default quotas restarts at 1 each time the prepaid billing server becomes unavailable.
The clear ssg prepaid default-quota command clears the SSG default quota counters.
Examples
The following example shows sample output for the show ssg prepaid default-quota command:
Router# show ssg prepaid default-quota
### Total default quotas allocated since this counter was last cleared:10
Default Quota Threshold:100
Currently allocated Default Quotas:4
Table 14 describes the significant fields shown in the display.
Related Commands
|
|
|
|---|---|
clear ssg prepaid default-quota |
Clears the SSG prepaid default quota counters. |
ssg prepaid threshold |
Configures an SSG prepaid threshold value. |
show ssg radius-proxy
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg radius-proxy command is not available in Cisco IOS software.
To display a list of all RADIUS proxy clients, details of a particular RADIUS proxy client, or the pool of IP addresses configured for a router or for a specific domain, use the show ssg radius-proxy command in privileged EXEC mode.
show ssg radius-proxy [ip-address [vrf vrf-name]] | [address-pool [domain domain-name] [free | inuse]]
Syntax Description
Command Default
Displays a list of RADIUS proxy clients.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the show ssg radius-proxy command without any keywords or arguments to display a list of RADIUS proxy clients. This command also displays the IP addresses, device types, timers, and the number of proxy users for each proxy client. Use the ip-address argument to display the full list of proxy users for the specified RADIUS proxy client.
Use the address-pool keyword to display the IP address pools configured for a router or for a specific domain. You can also display which IP addresses are available or are in use.
Examples
The following example shows how to display a list of RADIUS proxy clients:
Router# show ssg radius-proxy
::::: SSG RADIUS CLIENT TABLE :::::
Client IP VRF Device type Users
10.0.0.2 Global PDSN 2
10.1.1.1 BLUE HA 1
The following example shows how to display details about the RADIUS proxy client at IP address 172.16.0.0:
Router# show ssg radius-proxy 172.16.0.0
::::: SSG RADIUS PROXY LOGON TABLE :::::
User SessionID Host IP Timer IP Tech
user1 12345678 50.0.0.100 None Simple
user1 12345679 (no host) None Mobile
The following example shows how to display information for IP addresses in the IP address pool:
Router# show ssg radius-proxy address-pool
Global Pool: Free Addresses= 10234 Inuse Addresses= 0
The following example shows how to display information about the IP addresses in the IP address pool in the domain called "ssg.com":
Router# show ssg radius-proxy address-pool domain ssg.com
Domain Pool(ssg.com): Free Addresses= 20 Inuse Addresses= 10
The following example shows how to display information about the IP addresses in the IP address pool for the domain called "ssg.com" that are currently in use:
Router# show ssg radius-proxy address-pool domain ssg.com inuse
Inuse Addresses in Domain Pool(ssg.com):10
10.1.5.1
10.1.5.2
10.1.5.3
10.1.5.4
10.1.5.5
10.1.5.6
10.1.5.7
10.1.5.8
10.1.5.9
10.1.5.10
The following example shows how to display information about the IP addresses in the IP address pool for the domain called "ssg.com" that are currently available:
Router# show ssg radius-proxy address-pool domain ssg.com free
Free Addresses in Domain Pool(ssg.com):20
10.1.5.11
10.1.5.12
10.1.5.13
10.1.5.14
10.1.5.15
10.1.5.16
10.1.5.17
10.1.5.18
10.1.5.19
10.1.5.20
10.1.5.21
10.1.5.22
10.1.5.23
10.1.5.24
10.1.5.25
10.1.5.26
10.1.5.27
10.1.5.28
10.1.5.29
10.1.5.30
Table 15 describes significant fields shown in the displays.
Related Commands
show ssg service
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg service command is not available in Cisco IOS software.
To display the information for a Service Selection Gateway (SSG) service, use the show ssg service command in privileged EXEC mode.
show ssg service [service-name [begin expression | exclude expression | include expression]]
Syntax Description
Command Default
If no service name is provided, the command displays information for all services.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display connection information for a service.
Examples
L2TP Tunnel Service: Example
The following example shows the information for the L2TP tunnel service called "tunnel1". The attribute filter that is set in the service profile can be seen in the output.
Router# show ssg service tunnel1
------------------------ ServiceInfo Content -----------------------
Uplink IDB: gw: 0.0.0.0
Name: tunnel1
Type: TUNNEL
Mode: CONCURRENT
Service Session Timeout: 0 seconds
Service Idle Timeout: 0 seconds
Service refresh timeleft: 99 minutes
No Authorization Required
Authentication Type: CHAP
Attribute Filter: 31
Session policing disabled
Reference Count: 1
DNS Server(s):
No Radius server group created. No remote Radius servers.
TunnelId: ssg1
TunnelPassword: cisco
HomeGateway Addresses: 172.0.0.1
ConnectionCount 1
Full User Name not used
Domain List: Included Network Segments:
0.0.0.0/0.0.0.0
Active Connections:
1 : RealIP=172.0.1.1, Subscriber=10.0.1.1
------------------------ End of ServiceInfo Content ----------------
Proxy Service: Example
The following example shows information for the proxy service called "serv1-proxy":
Router# show ssg service serv1-proxy
------------------------ ServiceInfo Content -----------------------
Uplink IDB:
Name:serv1-proxy
Type:PROXY
Mode:CONCURRENT
Service Session Timeout:0 seconds
Service Idle Timeout:0 seconds
Class Attr:NONE
Authentication Type:CHAP
Reference Count:1
Next Hop Gateway Key:my-key
DNS Server(s):Primary:10.13.1.5
Radius Server:IP=10.13.1.2, authPort=1645, acctPort=1646, secret=my-secret
Included Network Segments:
10.13.0.0/255.255.0.0
Excluded Network Segments:
Full User Name Used
Service Defined Cookie exist
Domain List:service1.com;
Active Connections:
1 :Virtual=255.255.255.255, Subscriber=10.20.10.2
------------------------ End of ServiceInfo Content ----------------
Table 16 describes the significant fields shown in the display.
Related Commands
show ssg summary
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg summary command is not available in Cisco IOS software.
To display a summary of the Service Selection Gateway (SSG) configuration, use the show ssg summary command in user EXEC or privileged EXEC mode.
show ssg summary
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display information such as which SSG features are enabled, how many users are active, how many services are active, and what filters are active.
Examples
The following example shows the show ssg summary command:
Router# show ssg summary
SSG Features Enabled:
TCP Redirect: Unauthenticated, Service, Captive portal.
QOS: User policing, Session Policing.
Host Key: Enabled
Related Commands
show ssg tcp-redirect group
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg tcp-redirect group command is not available in Cisco IOS software.
To display information about the captive portal groups and the networks associated with those portal groups, use the show ssg tcp-redirect group command in privileged EXEC mode.
show ssg tcp-redirect group [group-name]
Syntax Description
group-name |
(Optional) The previously defined name for the captive portal group. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display information about the captive portal groups and their associated networks as defined in your system.
If you omit the optional group-name argument, this command displays a list of all defined captive portal groups. If you specify the group-name argument, this command displays information about that group and its associated networks.
Examples
The following example shows how to display a list of all of the defined captive portal groups:
Router# show ssg tcp-redirect group
Current TCP redirect groups:
SESM1
SESM2
Default access-list: 101
Default unauthenticated user redirect group: None Set
Default service redirect group: None Set
Prepaid user default redirect group: None Set
SMTP forwarding group: None Set
Default initial captivation group: None Set
Default advertising captivation group: None Set
Table 17 describes the significant fields shown in the display.
The following example shows how to display a detailed description of the captive portal group called "RedirectServer":
Router# show ssg tcp-redirect group RedirectServer
TCP redirect group RedirectServer:
Showing all TCP servers (Address, Port):
10.2.36.253, 8080, FastEthernet0/0
Networks to redirect to (network-list RedirectNw):
172.16.10.0 /24
172.20.0.0 /16
TCP port to redirect:
80
Table 18 describes the significant fields shown in the display.
Related Commands
show ssg user transparent
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg user transparent command is not available in Cisco IOS software.
To display a list of all the Service Selection Gateway (SSG) transparent autologon users, use the show ssg user transparent command in privileged EXEC mode.
show ssg user transparent
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display the IP addresses and the states of all transparent autologon users that are active on SSG. The transparent autologon user states are passthrough (TP), suspect (SP), unidentified (NR), and waiting for authorization (WA).
Examples
The following is sample output from the show ssg user transparent command:
Router# show ssg user transparent
10.10.10.10 Passthrough
10.11.11.11 Suspect
10.120.120.120 Authorizing
### Total number of transparent users: 3
Related Commands
|
|
|
|---|---|
ssg login transparent |
Enables the SSG Transparent Autologon feature. |
show ssg user transparent authorizing
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg user transparent authorizing command is not available in Cisco IOS software.
To display a list of all Service Selection Gateway (SSG) transparent autologon users for whom authorization is in progress and who are waiting for authentication, authorization, and accounting (AAA) server response, use the show ssg user transparent authorizing command in privileged EXEC mode.
show ssg user transparent authorizing [count]
Syntax Description
count |
(Optional) Displays the number of authorizing users. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon users that are waiting for authorization (WA).
Examples
The following is sample output from the show ssg user transparent authorizing command with the count keyword:
Router# show ssg user transparent authorizing count
### Total number of WA users : 1
Related Commands
|
|
|
|---|---|
ssg login transparent |
Enables the SSG Transparent Autologon feature. |
show ssg user transparent passthrough
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg user transparent passthrough command is not available in Cisco IOS software.
To display information about Service Selection Gateway (SSG) transparent autologon pass-through users, use the show ssg user transparent passthrough command in privileged EXEC mode.
show ssg user transparent passthrough [ip-address | count]
Syntax Description
ip-address |
(Optional) Display details for specified user IP address. |
count |
(Optional) Displays the number of pass-through users. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon pass-through (TP) users that are active on SSG.
Examples
The following is sample output from the show ssg user transparent passthrough command for the user having IP address 10.10.10.10:
Router# show ssg user transparent passthrough 10.10.10.10
User IP Address : 10.10.10.10
Session Timeout : 200 (seconds)
Idle Timeout : 100 (seconds)
User logged on since : *16:33:57.000 GMT Mon May 19 2003
User last activity at : *16:33:57.000 GMT Mon May 19 2003
Current Time : *16:35:17.000 GMT Mon May 19 2003
Related Commands
|
|
|
|---|---|
ssg login transparent |
Enables the SSG Transparent Autologon feature. |
show ssg user transparent suspect
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg user transparent suspect command is not available in Cisco IOS software.
To display a list of all Service Selection Gateway (SSG) transparent autologon suspect (SP) user IP addresses, use the show ssg user transparent suspect command in privileged EXEC mode.
show ssg user transparent suspect [count]
Syntax Description
count |
(Optional) Displays the number of suspect users. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
An SSG transparent autologon suspect user is a user whose authentication, authorization, and accounting (AAA) authorization resulted in an Access Reject.
Examples
The following is sample output from the show ssg user transparent suspect command with and without the count keyword:
Router# show ssg user transparent suspect count
### Total number of SP users : 1
Router# show ssg user transparent suspect
10.0.0.1
### Total number of SP users : 1
Router#
Related Commands
|
|
|
|---|---|
ssg login transparent |
Enables the SSG Transparent Autologon feature. |
show ssg user transparent unidentified
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg user transparent unidentified command is not available in Cisco IOS software.
display a list of Service Selection Gateway (SSG) transparent autologon users for whom there is no response from the authentication, authorization, and accounting (AAA) server to an authorization request (unidentified users), use the show ssg user transparent unidentified command in privileged EXEC mode.
show ssg user transparent unidentified [count]
Syntax Description
count |
(Optional) Displays the number of unidentified (NR) users. |
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon unidentified (NR) users that are active on the SSG.
Examples
The following is sample output from the show ssg user transparent unidentified command with and without the count keyword:
Router# show ssg user transparent unidentified count
### Total number of NR (Unidentified) users : 1
Router# show ssg user transparent unidentified
10.0.0.2
### Total number of NR (Unidentified) users : 1
Router#
Related Commands
|
|
|
|---|---|
ssg login transparent |
Enables the SSG Transparent Autologon feature. |
show ssg vc-service-map
Note Effective with Cisco IOS Release 15.0(1)M, the show ssg vc-service-map command is not available in Cisco IOS software.
To display virtual circuit (VC)-to-service-name mappings, use the show ssg vc-service-map command in privileged EXEC mode.
show ssg vc-service-map [vpi/vci | service service-name]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to display VC-to-service-name mappings.
Examples
The following example shows the VCs mapped to the service name "Worldwide":
Router# show ssg vc-service-map service Worldwide
Interface From To Service Name Type
All 3 /33 None Worldwide non-exclusive
Related Commands
|
|
|
|---|---|
ssg vc-service-map |
Maps VCs to service names. |
source ip
Note Effective with Cisco IOS Release 15.0(1)M, the source ip command is not available in Cisco IOS software.
To specify Service Selection Gateway (SSG) source IP addresses to which to map the destination IP addresses in subscriber traffic, use the source ip command in SSG portmap configuration mode. To remove this specification, use the no form of this command.
source ip {ip-address | interface}
no source ip {ip-address | interface}
Syntax Description
ip-address |
SSG source IP address. |
interface |
Interface whose main IP address is used as the SSG source IP address. |
Command Default
No default behavior or values.
Command Modes
SSG portmap configuration
Command History
Usage Guidelines
With the SSG Port-Bundle Host Key feature, SSG maps the destination IP addresses in subscriber traffic to specified SSG source IP addresses.
All SSG source IP addresses configured with the source ip command must be routable in the management network where the Cisco Service Selection Dashboard (SSD) or Subscriber Edge Services Manager (SESM) resides.
If the interface for the source IP address is deleted, the port-map translations will not work correctly.
Because a subscriber can have several simultaneous TCP sessions when accessing a web page, SSG assigns a bundle of ports to each subscriber. Because the number of available port bundles is limited, you can assign multiple SSG source IP addresses (one for each group of port bundles). By default, each group has 4032 bundles, and each bundle has 16 ports. To modify the number of bundles per group and the number of ports per bundle, use the length command.
Examples
The following example shows the SSG source IP address specified with an IP address and with specific interfaces:
ssg port-map
source ip 10.0.50.1
source ip Ethernet 0/0/0
ssg port-map source ip Loopback 1
Related Commands
|
|
|
|---|---|
length (SSG) |
Modifies the port-bundle length upon the next SSG reload. |
ssg port-map |
Enables the SSG port-bundle host key and enters SSG portmap configuration mode. |
ssg aaa group prepaid
Note Effective with Cisco IOS Release 15.0(1)M, the ssg aa group prepaid command is not available in Cisco IOS software.
To specify the server group to be used for Service Selection Gateway (SSG) prepaid authorization, use the ssg aaa group prepaid command in global configuration mode. To remove this specification, use the no form of this command.
ssg aaa group prepaid server-group
no ssg aaa group prepaid server-group
Syntax Description
server-group |
Name of the server group to be used for SSG prepaid authorization. |
Command Default
If a server group is not specified by using the ssg aaa group prepaid command, the default RADIUS server configured on the router will be used for SSG prepaid authorization.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The ssg aaa group prepaid command allows you to configure a global server for SSG prepaid authorization. Configure the global server group by using the aaa group server radius command. Use the ssg aaa group prepaid command to attach the server group to SSG for SSG prepaid authorization.
Examples
The following example shows how to configure a global SSG prepaid authorization server:
aaa group server radius ssg_prepaid
server 10.2.3.4 auth-port 1645 acct-port 1646
.
.
.
ssg aaa group prepaid ssg_prepaid
Related Commands
|
|
|
|---|---|
aaa group server radius |
Groups different RADIUS server hosts into distinct lists and distinct methods. |
ssg accounting
Note Effective with Cisco IOS Release 15.0(1)M, the ssg accounting command is not available in Cisco IOS software.
To enable Service Selection Gateway (SSG) accounting, use the ssg accounting command in global configuration mode. To disable SSG accounting, use the no form of this command.
ssg accounting [per-host] [per-service] [interval seconds] [{stop rate-limit records}]
no ssg accounting [per-host] [per-service] [interval seconds] [{stop rate-limit records}]
Syntax Description
Command Default
Accounting is enabled.
The interval is set at 600 seconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The ssg accounting command enables the sending of start, stop, and interim accounting records for hosts and connections.
Examples
The following example shows how to enable the sending of per-host SSG accounting records at intervals of 60 seconds:
ssg accounting per-host interval 60
ssg attribute 44 suffix host ip
Note Effective with Cisco IOS Release 15.0(1)M, the ssg attribute 44 suffix host ip command is not available in Cisco IOS software.
To enable the appending of a client IP address to an accounting session ID to create a unique SSG accounting session ID, use the ssg attribute 44 suffix host ip command in global configuration mode. To disable the appending of the IP address, use the no form of this command.
ssg attribute 44 suffix host ip
no ssg attribute 44 suffix host ip
Syntax Description
This command has no arguments or keywords.
Command Default
SSG does not append the client IP address to the accounting session ID.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the ssg attribute 44 suffix host ip command to create a unique session ID by appending the client's IP address to the RADIUS accounting session number (acct-session-id). This functionality applies to accounting packets generated by SSG for host accounting or connection accounting records.
Examples
The following example enables the SSG unique session ID:
ssg attribute 44 suffix host ip
Related Commands
|
|
|
|---|---|
ssg accounting |
Enables SSG accounting. |
ssg auto-domain
Note Effective with Cisco IOS Release 15.0(1)M, the ssg auto-domain command is not available in Cisco IOS software.
To enable Service Selection Gateway (SSG) Autodomain, use the ssg auto-domain command in global configuration mode. To remove all Autodomain configuration from the running configuration and to prevent further activation of autodomains, use the no form of this command.
ssg auto-domain
no ssg auto-domain
Syntax Description
This command has no arguments or keywords.
Command Default
Autodomain is disabled by default.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
To enable SSG Autodomain, use this command in global configuration mode. SSG must be enabled before the ssg auto-domain command can be entered.
Note The ssg auto-domain command enables basic Autodomain. In basic Autodomain, the profile downloaded from the AAA server for the Autodomain name is a service profile (either with or without SSG-specific attributes). By default, an attempt is made to find a valid service profile first based on Access Point Name (APN), then based on username. Use the mode extended command to configure Autodomain extended mode.
Use the no ssg auto-domain command to prevent further activations of autodomains and to remove all Autodomain configuration from the running-configuration. Subsequent reissuing of the ssg auto-domain command restores Autodomain to its former state.
Examples
The following example enables basic SSG Autodomain:
ssg enable
ssg auto-domain
Related Commands
ssg auto-logoff arp
Note Effective with Cisco IOS Release 15.0(1)M, the ssg auto-logoff arp command is not available in Cisco IOS software.
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Address Resolution Protocol (ARP) ping mechanism to detect connectivity, use the ssg auto-logoff arp command in global configuration mode. To disable SSG Autologoff, use the no form of this command.
ssg auto-logoff arp [match-mac-address] [interval seconds]
no ssg auto-logoff arp
Syntax Description
Command Default
SSG autologoff is not enabled by default.
The default ARP ping interval is 30 seconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the ssg auto-logoff arp command to configure SSG to use the ARP ping mechanism to detect connectivity to hosts. Use the optional match-mac-address keyword to configure SSG to check the MAC address of a host each time that host performs an ARP ping. If the SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host.
Note ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (such as an Ethernet interface) or a bridged interface (such as a routed bridge encapsulation (RBE) or an integrated routing and bridging (IRB) interface).
ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in cases in which hosts are directly connected.
ICMP ping can be used in all types of deployments. Refer to the ssg auto-logoff icmp command reference page for more information about SSG autologoff using ICMP ping.
ARP ping will work only on hosts that have a MAC address. ARP ping will not work for PPP users because they do not have a MAC table entry.
ARP ping does not support overlapping IP addresses.
SSG autologoff that uses the ARP ping mechanism will not work for hosts with static ARP entries.
You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
Examples
The following example shows how to enable SSG autologoff and to configure SSG to use ARP ping to detect connectivity to hosts:
ssg auto-logoff arp interval 60
The following example shows how to enable SSG MAC address checking for autologoff:
ssg auto-logoff arp match-mac-address
The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:
ssg auto-logoff arp match-mac-address interval 60
Related Commands
|
|
|
|---|---|
ssg auto-logoff icmp |
Configures the SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity. |
ssg auto-logoff icmp
Note Effective with Cisco IOS Release 15.0(1)M, the ssg auto-logoff icmp command is not available in Cisco IOS software.
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Internet Control Message Protocol (ICMP) ping mechanism to detect connectivity, use the ssg auto-logoff icmp command in global configuration mode. To disable SSG autologoff, use the no form of this command.
ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds]
no auto-logoff icmp
Syntax Description
Command Default
SSG autologoff is not enabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
When the ssg auto-logoff icmp command is specified, SSG will use the ICMP ping mechanism to detect connectivity to hosts.
Note ICMP ping may be used in all types of deployment situations.
ICMP ping supports overlapping IP addresses.
If a user is not reachable, a configured number of packets (p) will be sent, and each packet will be timed out (t). The user will be logged off in p * t milliseconds after the first pinging attempt. If p * t milliseconds is greater than the configured pinging interval, then the time taken to log off the host after connectivity is lost will be greater than the configured autologoff interval. If parameters are configured this way, the following warning will be issued: "Hosts will be auto-logged off (p * t) msecs after connectivity is lost." When the pinging interval is less than p * t, the timeout process for a host that has become unreachable will be invoked when the pinging to that host is still occurring. However, because the timeout process will check the status of the host object and find that it is in a pinging state, the host will not be pinged again.
You can use only one method of SSG autologoff at a time: Address Resolution Protocol (ARP) ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
Default values will be applied if a value of zero is configured for any parameters.
The ssg auto-logoff arp command will configure SSG to use the ARP ping mechanism to detect connectivity to hosts. ARP ping should be used only in deployment situations in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation or an integrated routing and bridging interface.
ARP request packets are smaller than ICMP ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in situations in which hosts are directly connected. For more information about SSG autologoff that uses ARP ping, see the ssg auto-logoff arp command reference page.
Examples
The following example shows how to enable SSG autologoff. SSG will use ICMP ping to detect connectivity to hosts.
Router(config)# ssg auto-logoff icmp interval 60 timeout 300 packets 3
Related Commands
|
|
|
|---|---|
ssg auto-logoff arp |
Configures the SSG to automatically log off hosts that have lost connectivity with SSG and to use the ARP ping mechanism to detect connectivity. |
ssg bind direction
Note Effective with Cisco IOS Release 15.0(1)M, the ssg bind direction command is not available in Cisco IOS software.
Note Effective with Cisco IOS Release 12.2(16)B, this command was replaced by the ssg direction command. The ssg bind direction command is still supported for backward compatibility, but support for this command may be removed in a future Cisco IOS release.
To specify an interface as a downlink or uplink interface, use the ssg bind direction command in global configuration mode. To disable the directional specification for the interface, use the no form of this command.
ssg bind direction {downlink | uplink} {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
no ssg bind direction {downlink | uplink} {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
Syntax Description
Command Default
All interfaces are configured as uplink interfaces by default.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command to specify an interface as downlink or uplink. An uplink interface is an interface to services; a downlink interface is an interface to subscribers.
Examples
The following example shows how to specify an ATM interface as a downlink interface:
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ssg bind direction downlink ATM 0/0/0.10
Related Commands
|
|
|
|---|---|
show ssg binding |
Displays service names that have been bound to interfaces and the interfaces to which they have been bound. |
ssg bind service
Note Effective with Cisco IOS Release 15.0(1)M, the ssg bind service command is not available in Cisco IOS software.
To specify the interface for a service, use the ssg bind service command in global configuration mode. To unbind the service and the interface, use the no form of this command.
ssg bind service service-name {ip-address | interface-type interface-number} [distance-metric]
no ssg bind service service-name {ip-address | interface-type interface-number} [distance-metric]
Syntax Description
Command Default
A service is not bound to an interface.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command to bind a service to an interface. You can enter this command more than once in order to bind a service to more than one interface for interface redundancy.
Use the distance-metric argument to control the routing of upstream traffic. If more than one entry of the ssg bind service command for a service have the same metric, the upstream traffic will be load-balanced.
If a service is configured for multiple uplink interfaces, downstream traffic will be allowed on all the interfaces for any service bound to even one of those interfaces.
Examples
The following example shows the interface for the service defined as "MyService":
ssg bind service MyService ATM 0/0/0.10
The following example shows uplink interface redundancy configured for the service "sample-service". ATM interface 1/0.1 is configured as the primary interface and ATM interface 1/0.2 as the secondary interface.
ssg bind service sample-service atm 1/0.1
ssg bind service sample-service atm 1/0.2 100
Feedback