TWAN Profile Configuration Mode Commands

Mode

The TWAN Profile Configuration Mode is used to configure the RADIUS client (WLC) addresses and the access type for each RADIUS client, so that SaMOG can attach a session to a specific WiFi Access Network.

Exec > Global Configuration > Context Configuration > TWAN Profile Configuration

configure > context context_name > twan-profile twan_profile_name

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-twan-profile)# 

Important


The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).


access-type

This command allows you to specify the access-type for the RADIUS client or specify a default access type for all RADIUS clients under a TWAN profile.

Product

SaMOG

Privilege

Security Administrator, Administrator

Mode

Exec > Global Configuration > Context Configuration > TWAN Profile Configuration

configure > context context_name > twan-profile twan_profile_name

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-twan-profile)# 

Syntax

access-type client { ipv4 | ipv6_address[/mask ] } { eogre | ip | pmip } 
access-type { eogre | ip [ vrf vrf_name ]| pmip } 
no access-type { client { ipv4/ipv6_address[/mask  ] } | eogre | ip [ vrf ] | pmip } 

no

Removes the previously configured access type for the TWAN profile.

client { ipv4 | ipv6_address [/ mask ] }

Specifies the IP address of the RADIUS client.

ipv4 | ipv6_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. mask must be a subnet mask bit of the IP address. The mask bit is a numeric value which corresponds to the number of bits in the subnet mask.

ip [ vrf vrf_name ]

Specifies that all RADIUS clients under this TWAN profile will use the Layer 3 IP (L3IP) access type.

vrf : Specifies to use the VRF name to install the IP flow for L3IP subscriber session.

vrf_name must be an alphanumeric string between 1 and 63 characters.

eogre

Specifies that all RADIUS clients under this TWAN profile will use the Ethernet over GRE (EoGRE) access type.

pmip

Specifies that all RADIUS clients under this TWAN profile will use the Proxy Mobile IP version 6 (PMIPv6) access type.

Usage Guidelines

Use this command to configure the access type for a specific NAS/WLC IP address or IP address with a subnet mask, or a common access type for the entire TWAN profile.

Example

The following command sets the default access type for the TWAN profile to EoGRE:

access-type eogre

The following commands configure a RADIUS client with IP address 192.168.15.50 with access type eogre, and a client with IP address 192.168.16.50 with access type pmip, under the current TWAN profile:

access-type client 192.168.15.50 eogre 
access-type client 192.168.16.50 pmip 

dictionary

Configure the dictionary to be used to forward the permanent identity of the subscriber to the AAA server.

Product

SaMOG

Privilege

Security Administrator, Administrator

Mode

Exec > Global Configuration > Context Configuration > TWAN Profile Configuration

configure > context context_name > twan-profile twan_profile_name

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-twan-profile)# 

Syntax

dictionary { custom70 | custom71 }  
default dictionary 

default

Configures the dictionary to its default value.

Default: custom70

Usage Guidelines

Use this command to configure the dictionary to forward the permanent identity of the subscriber to the AAA server. The dictionary configuration at the TWAN profile level will be applied to all the RADIUS clients under that TWAN profile.

Configure the custom71 dictionary when Cisco WLC is used with PMIPv6 as the access-type. Configuring the custom71 dictionary enables attributes like the UE's permanent identity (NAI), subscribed APN, network protocol (PMIPv6), and LMA address (CGW service's bind address) to be sent in the Cisco Vendor-specific attributes to WLC. The WLC uses this information to build the PMIPv6 PBU to the SaMOG gateway when the aaa-override option is enabled on the Cisco WLC. These attributes are not sent when the custom70 dictionary is configured.

To configure the dictionary to use for individual RADIUS clients, use the dictionary keyword in the radius client command under the TWAN Profile Configuration Mode.

Example

The following command configures the TWAN profile to use custom71 dictionary:

dictionary custom71 

do show

Executes all show commands while in Configuration mode.

Product

All

Privilege

Security Administrator, Administrator

Syntax

do show 

Usage Guidelines

Use this command to run all Exec mode show commands while in Configuration mode. It is not necessary to exit the Config mode to run a show command.

The pipe character | is only available if the command is valid in the Exec mode.


Caution


There are some Exec mode show commands which are too resource intensive to run from Config mode. These include: do show support collection, do show support details, do show support record and do show support summary. If there is a restriction on a specific show command, the following error message is displayed:

Failure: Cannot execute 'do show support' command from Config mode.

end

Exits the current configuration mode and returns to the Exec mode.

Product

All

Privilege

Security Administrator, Administrator

Syntax

end 

Usage Guidelines

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product

All

Privilege

Security Administrator, Administrator

Syntax

exit 

Usage Guidelines

Use this command to return to the parent configuration mode.

radius

This command allows you to specify the IP address and shared secret of the RADIUS accounting and authentication client from which RADIUS accounting and authentication requests are received, or to configure the RADIUS VRF for an IPoVLAN model.

Product

SaMOG

Privilege

Security Administrator, Administrator

Mode

Exec > Global Configuration > Context Configuration > TWAN Profile Configuration

configure > context context_name > twan-profile twan_profile_name

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-twan-profile)# 

Syntax

radius { client ipv4 | ipv6_address[/mask ] [ encrypted ] key value [ disconnect-message [ dest-port destination_port_number ] ] [ dictionary { custom70 | custom71 } ] | ip vrf vrf_name } 
no radius { client ipv4/ipv6_address[/mask ] | ip vrf vrf_name } 
radius cisco-mpc-protocol-interface { none | eogre | pmipv6 | suppress } 
[ no ] radius cisco-mpc-protocol-interface 

no

Removes the previously configured RADIUS client address or IP VRF under this TWAN profile.

client { ipv4 | ipv6_address [/ mask ] }

Specifies the IP address of the RADIUS client (WLC).

ipv4 | ipv6_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. mask must be a subnet mask bit of the IP address. The mask bit is a numeric value which corresponds to the number of bits in the subnet mask.


Important


A maximum of 16 RADIUS clients can be configured under one TWAN profile.


[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates that the key specified is encrypted.

The key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 288 characters with encryption enabled.

The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

disconnect-message

Specifies to send RADIUS disconnect message to the configured RADIUS accounting client in call failure scenarios.

dest-port destination_port_number

Specifies the port number to which the disconnect message must be sent.

destination_port_number must be an integer from 1 through 65535.

dictionary { custom70 | custom71 }

Specifies to forward the permanent identity of the subscriber to the AAA server using the custom70 or custom71 dictionary.

Configure the custom71 dictionary when Cisco WLC is used with PMIPv6 as the access-type. Configuring the custom71 dictionary enables attributes like the UE's permanent identity (NAI), subscribed APN, network protocol (PMIPv6), and LMA address (CGW service's bind address) to be sent in the Cisco Vendor-specific attributes to WLC. The WLC uses this information to build the PMIPv6 PBU to the SaMOG gateway when the aaa-override option is enabled on the Cisco WLC. These attributes are not sent when the custom70 dictionary is configured.

To configure the dictionary to use for all RADIUS clients belonging to a specific TWAN profile, use the dictionary command under the TWAN Profile Configuration Mode.

Default: custom70

ip vrf vrf_name

Associates the specific TWAN profile with a Virtual Routing and Forwarding (VRF) Context instance for RADIUS communication.

vrf_name must be an alphanumeric string from 1 through 63 characters.

cisco-mpc-protocol-interface

Configures cisco-mpc-protocol-interface AVP for access-type eogre-pmip.

none

Configures cisco-mpc-protocol-interface AVP as none. It is neither eogre nor pmipv6.

eogre

Configures cisco-mpc-protocol-interface AVP as eogre.

pmipv6

Configures cisco-mpc-protocol-interface AVP as pmipv6.

suppress

Suppresses cisco-mpc-protocol-interface AVP and it is not sent in the Access-Accept message.

no

Removes configuration for cisco-mpc-protocol-interface AVP.

Usage Guidelines

Use this command to specify the IP address and shared secret of the RADIUS accounting and authentication client from which RADIUS accounting and authentication requests are received or configure the VRF for RADIUS communication.

Example

The following example configures a RADIUS client with an IP address of 193.14.23.1 and an encrypted key of value enc32:

radius client 193.14.23.1 encrypted key enc32 

session-trigger

This command specifies the protocol type that will trigger session creation on the SaMOG Gateway.

Product

SaMOG

Privilege

Security Administrator, Administrator

Mode

Exec > Global Configuration > Context Configuration > TWAN Profile Configuration

configure > context context_name > twan-profile twan_profile_name

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-twan-profile)# 

Syntax

session-trigger { dhcp [ location { circuit-id | remote-id } ] | radius [ acct ] | pmip } 
default session-trigger 
no session-trigger dhcp location 

default

Resets the configuration to its default value.

Default: RADIUS (authentication)-based session trigger.

no

If previously configured, removes the DHCP configuration.

dhcp [ location { circuit-id | remote-id } ]

Specifies the session trigger protocol as DHCP, and the sub-option to choose the UE location from the DHCP-Relay-Agent-Info option (DHCP option 82).

At least one TWAN profile must have a DHCP session trigger enabled. If multiple TWAN profiles have DHCP session trigger enabled, the first configured TWAN profile with DHCP session trigger is used.

radius [ acct ]

Specifies the session trigger protocol as RADIUS messages. The default configuration is RADIUS (authentication)-based session trigger.

acct: Specifies to trigger session on receiving RADIUS accounting messages.

pmip

Specifies the session trigger protocol as PMIP. SaMOG can create sessions based on the PMIPv6 (PBU) messages from the Access Point (AP).

Usage Guidelines

Use this command to specify the protocol type that will trigger session creation on the SaMOG Gateway.


Important


If this TWAN profile is configured with a DHCP session trigger, the access type must be EoGRE.


Example

The following command sets the session trigger to DHCP:

session-trigger dhcp location circuit-id

The following command sets the session trigger to PMIP:

session-trigger pmip

ue-address

This command allows you to specify how the UE address allocation should be handled.

Product

SaMOG

Privilege

Security Administrator, Administrator

Mode

Exec > Global Configuration > Context Configuration > TWAN Profile Configuration

configure > context context_name > twan-profile twan_profile_name

Entering the above command sequence results in the following prompt:

[context_name]host_name(config-twan-profile)# 

Syntax

ue-address { dhcp | twan }  
no ue-address 

no

If previously configured, disables the UE allocation configuration.

dhcp

Specifies that the UE address will be assigned at SaMOG by P-GW or GGSN, and sent to the UE using DHCP.

twan

Specifies that the UE address will be assigned at TWAN also. SaMOG receives the TWAN UE address through the Accounting Start Framed-IP-Address message, and NAT is performed between the two UE addresses.

Usage Guidelines

Use this command to specify how the UE address allocation should be handled. This configuration can be used to detect whether a DHCP request is expected or if the configuration setup is an IP@WLAN (no DHCP required) model.


Important


If the configured access-type is PMIP or EoGRE, the ue-address configuration is ignored.

If the configured access-type is IP, and no ue address is configured, the call setup will fail.
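
The constraints stated across this page (16 RADIUS clients per profile, key length limits, the dest-port range, EoGRE required with a DHCP session trigger, and ue-address required with access type IP) can be checked mechanically before a profile is loaded. The following Python check is an added example, not Cisco code; the function names and the sample profile are constructed for illustration, and it assumes one command per line.

```python
# Added example: audits one twan-profile body against limits stated on this page.
# Assumes one command per line, as in a saved configuration; "no" forms are ignored.
MAX_CLIENTS = 16  # maximum RADIUS clients under one TWAN profile

# Constructed sample input (addresses reuse the page's examples; keys are placeholders).
SAMPLE = """\
access-type ip
radius client 192.168.15.50 key PLACEHOLDERSECRET disconnect-message dest-port 3799
radius client 192.168.16.50 encrypted key PLACEHOLDERENC dictionary custom71
session-trigger dhcp location circuit-id
"""

def _after(tok, word):
    """Return the token following `word`, or '' if it is missing."""
    i = tok.index(word) + 1
    return tok[i] if i < len(tok) else ""

def audit_twan_profile(text):
    """Return a list of findings (strings) for one TWAN profile body."""
    findings, clients = [], 0
    access, trigger, ue_address = None, "radius", None  # default trigger: RADIUS
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 2:
            continue
        if tok[:2] == ["radius", "client"] and "key" in tok:
            clients += 1
            encrypted = "encrypted" in tok
            limit = 288 if encrypted else 127
            if not encrypted:
                findings.append(f"{tok[2]}: cleartext shared secret in config text")
            if not 1 <= len(_after(tok, "key")) <= limit:
                findings.append(f"{tok[2]}: key length outside 1..{limit}")
            if "dest-port" in tok:
                port = _after(tok, "dest-port")
                if not (port.isdigit() and 1 <= int(port) <= 65535):
                    findings.append(f"{tok[2]}: dest-port outside 1..65535")
        elif tok[0] == "access-type" and tok[1] != "client":
            access = tok[1]  # profile-wide access type
        elif tok[0] == "session-trigger":
            trigger = tok[1]
        elif tok[0] == "ue-address":
            ue_address = tok[1]
    if clients > MAX_CLIENTS:
        findings.append(f"{clients} RADIUS clients exceeds the limit of {MAX_CLIENTS}")
    if trigger == "dhcp" and access != "eogre":
        findings.append("DHCP session trigger requires access type EoGRE")
    if access == "ip" and ue_address is None:
        findings.append("access-type ip without ue-address: call setup will fail")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_twan_profile(SAMPLE)))
```

The cleartext-key finding matters for hand-written configuration scripts: the chassis itself saves only the encrypted form, so a key without the encrypted keyword means the shared secret is readable wherever that script is stored.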