Walk-By User Support in ISG
The Walk-By User Support in ISG feature enables the Cisco Intelligent Services Gateway (ISG) to handle unauthenticated sessions from neighboring devices that do not intend to use the ISG service. These sessions, called walk-by sessions or lite sessions, may be triggered by various initiators.
With the implementation of this feature, unauthenticated users are assigned lite sessions based on the default session. These lite sessions optimize resource usage because they enable the walk-by user to use only session start services mentioned in the default policy configured for the default session.
This module describes how to create and apply a default policy for default sessions to enable the Walk-By User Support in ISG feature.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Walk-By User Support for PWLANs in ISG
Your implementation of the Cisco software image must support authentication, authorization, and accounting (AAA) and Intelligent Services Gateway (ISG).
Restrictions for Walk-By User Support for PWLANs in ISG
IPv6 sessions are not supported.
Only Layer 4 Redirect (L4R), Port-Bundle Host Key (PBHK), and service virtual routing and forwarding (VRF) features are supported. The L4R feature for walk-by sessions supports only 16 translation entries.
Lite sessions do not support prepaid, accounting, quality of service (QoS), timers, or RADIUS-timeout features.
Information About Walk-By User Support for PWLANs in ISG
Default Sessions
A default session is a template session that is used as a reference by lite sessions created for walk-by subscribers on a given interface. When an edge device connects to an open service set ID (SSID) in a public wireless LAN (PWLAN) environment, a lite session is created on the Intelligent Services Gateway (ISG). Each lite session applies the session start services defined in the default policy configured for the default session. Only one default session can be configured on each device interface. The default policy defines the default session start services and features to be used as a template for the lite session.
Lite Sessions or Walk-By Sessions
In most public wireless LAN (PWLAN) setups, a high percentage of Intelligent Services Gateway (ISG) sessions are unauthenticated sessions from wireless devices that do not use the PWLAN service. These sessions are called walk-by sessions or lite sessions, and users that use these sessions are called walk-by users. Walk-by sessions consume a significant amount of CPU, memory and other physical resources of the ISG router. This resource utilization may lead to an increase in the number of ISG devices that are required for a given PWLAN deployment.
A lite session inherits the session start services applied for the default session. Lite sessions are created on ISG to support walk-by users and optimize resource usage. Each lite session is associated with an individual timer that specifies the duration for which the session can utilize PWLAN services while remaining unauthenticated. If these lite sessions remain unauthenticated even after the timer expires, these sessions are deleted from ISG.
Lite sessions are also created when dedicated sessions fail authentication.
Dedicated Sessions
A dedicated or regular session is a full-fledged Intelligent Services Gateway (ISG) subscriber session. All subscriber sessions that are authenticated cause the creation of dedicated sessions on ISG. The policy manager of ISG decides whether to create a complete session context (a dedicated session) or a minimal session context (a lite session).
Note | ISG provides high availability support for converted (lite to dedicated) unclassified and DHCPv4 sessions. |
Supported Triggers
Walk-by sessions can be created through any of the following session initiators:
- Packet trigger: Here the session creation is triggered by a subscriber’s IP packet having an unclassified IP address or MAC address.
- RADIUS proxy: This trigger is commonly used in PWLAN deployments where ISG acts as a RADIUS proxy. Here, the session creation is triggered by the subscriber’s RADIUS packets.
- DHCP: This trigger is another SIP used in a few PWLAN deployments. Here, the session creation is triggered by the subscriber’s DHCP control packets.
- EoGRE walkby: When ISG is configured for EoGRE, DHCP control packets and unclassified MAC packets on the EoGRE interface trigger session creation on ISG.
Session Limit
The total number of sessions supported on ISG is 128,000. Currently, ISG can support 128,000 lite sessions and 64,000 converted sessions. ISG can also now support 64,000 tunnel endpoints.
How to Configure Walk-By User Support for PWLANs in ISG
Creating and Enabling a Default Policy for a Default Session
Perform this task to create and enable a default policy for a default session on an interface. Each interface can have only one default policy.
A default session is set up to optimize the creation of Intelligent Services Gateway (ISG) sessions for walk-by users. The default session serves as a template that is used by lite sessions for walk-by users. The default policy contains only session start services, to which all lite sessions refer. A default policy has the following two functions:
1. enable
2. configure terminal
3. policy-map type service policy-map-name
4. service local
5. ip portbundle
6. exit
7. class-map type traffic match-any class-map-name
8. match access-group {input | output} {access-list-number | name access-list-name}
9. exit
10. policy-map type service policy-map-name
11. [priority] class type traffic {class-map-name | default {in-out | input | output}}
12. redirect to group {server-group-name | ip server-ip-address [port port-number]} [duration seconds [frequency seconds]]
13. exit
14. exit
15. policy-map type control policy-map-name
16. class type control {control-class-name | always} [event session-start]
17. action-number service-policy type service name policy-map-name
18. action-number service-policy type service name policy-map-name
19. action-number set-timer name-of-timer minutes
20. exit
21. exit
22. interface type number
23. service-policy type control {policy-map-name | default [def-policy-map-name]}
24. service-policy type control {policy-map-name | default [def-policy-map-name]}
25. end
26. show running-config interface type number
Configuration Examples for Walk-By User Support for PWLANs in ISG
Example: Creating and Enabling a Default Policy for a Default Session
The following example shows how to create and enable a default policy named DefRULE on the Gigabit Ethernet interface:
```
Device> enable
Device# configure terminal
Device(config)# policy-map type service PBHK
Device(config-service-policymap)# service local
Device(config-service-policymap)# ip portbundle
Device(config-service-policymap)# exit
Device(config)# class-map type traffic match-any ALLTRAFFIC
Device(config-traffic-classmap)# match access-group input 100
Device(config-traffic-classmap)# exit
Device(config)# policy-map type service L4R
Device(config-service-policymap)# class type traffic ALLTRAFFIC
Device(config-service-policymap-class-traffic)# redirect to group PORTAL
Device(config-service-policymap-class-traffic)# exit
Device(config-service-policymap)# exit
Device(config)# policy-map type control DefRULE
Device(config-control-policymap)# class type control always event session-start
Device(config-control-policymap-class-control)# 10 service-policy type service name PBHK
Device(config-control-policymap-class-control)# 20 service-policy type service name L4R
Device(config-control-policymap-class-control)# 30 set-timer UNAUTH 1
Device(config-control-policymap-class-control)# exit
Device(config-control-policymap)# exit
Device(config)# interface GigabitEthernet 0/0/4
Device(config-if)# service-policy type control default DefRULE
Device(config-if)# service-policy type control RegRULE
Device(config-if)# end
```
The following sample output from the show running-config interface command displays the policies configured on the Gigabit Ethernet interface. The default policy configured for default sessions on the Gigabit Ethernet interface is DefRULE, and the regular policy configured for dedicated sessions on the Gigabit Ethernet interface is RegRULE.
```
Device# show running-config interface GigabitEthernet 0/0/4
Building configuration...
Current configuration : 318 bytes
!
interface GigabitEthernet0/0/4
 ip address 192.0.2.1 255.255.255.0
 negotiation auto
 service-policy type control default DefRULE
 service-policy type control RegRULE
 ip subscriber routed
  initiator unclassified ip-address
end
```
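A configuration audit for the restrictions listed earlier, as an added example that is not Cisco's code: it reads a saved running-config, follows each interface's default control policy to the service policies it applies at session start, and reports commands for features that lite sessions do not support. The sample config, the hypothetical METER policy, and the keyword-to-feature mapping (prepaid, accounting, police) are assumptions.

```python
import re

# Constructed excerpt: the page's DefRULE example plus a hypothetical METER policy.
SAMPLE = """\
policy-map type service PBHK
 ip portbundle
policy-map type service L4R
 class type traffic ALLTRAFFIC
  redirect to group PORTAL
policy-map type service METER
 accounting aaa list BILLING
 police input 512000
policy-map type control DefRULE
 class type control always event session-start
  10 service-policy type service name PBHK
  20 service-policy type service name L4R
  25 service-policy type service name METER
  30 set-timer UNAUTH 1
interface GigabitEthernet0/0/4
 service-policy type control default DefRULE
 service-policy type control RegRULE
"""

# Assumed mapping of command keywords to features unsupported on lite sessions.
UNSUPPORTED = re.compile(r"(prepaid|accounting|police)\b")

def blocks(config):  # map each top-level config line to its indented sub-lines
    out, head = {}, None
    for line in config.splitlines():
        if not line[:1].isspace() and line.strip("! "):
            head = line.strip()
            out[head] = []
        elif head and line[:1].isspace():
            out[head].append(line.strip())
    return out

def audit_default_policies(config):
    """Return (interface, policy, problem) tuples for default-session policies."""
    cfg, findings = blocks(config), []
    for head in [h for h in cfg if h.startswith("interface ")]:
        for pol in re.findall(r"^service-policy type control default (\S+)", "\n".join(cfg[head]), re.M):
            actions = cfg.get("policy-map type control " + pol)
            if actions is None:
                findings.append((head, pol, "default control policy not defined"))
                continue
            for svc in re.findall(r"service-policy type service name (\S+)", "\n".join(actions)):
                for cmd in cfg.get("policy-map type service " + svc, []):
                    if UNSUPPORTED.match(cmd):
                        findings.append((head, svc, cmd))
    return findings
```

The regular policy (RegRULE) is deliberately not inspected, because dedicated sessions are not bound by the lite-session restrictions.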
Feature Information for Walk-By User Support for PWLANs in ISG
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information |
---|---|---|
Walk-By User Support for PWLANs in ISG | Cisco IOS XE Release 3.7S | The Walk-By User Support for PWLANs in ISG feature enables the Intelligent Services Gateway (ISG) that is configured as a RADIUS proxy to handle unauthenticated sessions from wireless devices that do not use the public wireless LAN (PWLAN) service. These sessions are called walk-by sessions. With the implementation of this feature, unauthenticated users are assigned lite sessions based on the default session. These lite sessions optimize resource usage because they enable the walk-by user to use only session start services mentioned in the default policy configured for the default session. The following commands were introduced or modified: clear subscriber lite-session, clear subscriber session, debug subscriber lite-session errors, debug subscriber lite-session events, service-policy type control, show subscriber default-session, and show subscriber statistics. |
Walkby session support on EoGRE interface | Cisco IOS XE Release 3.13.1S | This feature enables the Intelligent Services Gateway (ISG) to support walk-by sessions over EoGRE interfaces. |
HA support for converted (lite to dedicated) sessions | Cisco IOS XE Release 3.13.1S | This feature enables the Intelligent Services Gateway (ISG) to support high availability for converted (lite to dedicated) sessions. |