Frequently Asked Questions

CHAPTER 4

This chapter provides answers to frequently asked questions (FAQs) about the Cisco Subscriber Edge Services Manager (SESM) solution. Topics are:

SESM Logging FAQ
SESM AAA Server FAQ
SESM Web Portals FAQ
SESM Captive Portal FAQ
SESM Web Proxy FAQ
SESM RDP and RADIUS FAQ
SESM Java FAQ
SESM Performance FAQ

SESM Logging FAQ

This section contains answers to frequently asked questions on SESM Logging.

Enabling and Disabling Logging in SESM Applications

To enable or disable logging in SESM applications, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if you need to enable or disable logging in NWSP, the location will be:

    <SESM>/nwsp/config/nwsp.xml

Note: Configuration files for ERP based applications (except RDP) are under <SESM>/tools/config/<application name>.xml

Refer to the Logger MBean:

    <Configure jmxname="com.cisco.sesm:name=logger">
      <Set name="debug" type="boolean">false</Set>
      <Set name="debugpatterns"></Set>
      <Set name="debugthreads"></Set>
      <Set name="debugverbosity">low</Set>
      <Set name="logdateformat">yyyymmdd:hhmmss.sss</Set>
      <Set name="logfile"><property name="application.home" default="."/>/logs/yyyy_mm_dd.application.log</Set>
      <Set name="logframe" type="boolean">false</Set>
      <Set name="logthread" type="boolean">false</Set>
      <Set name="logstack" type="boolean">false</Set>
      <Set name="logtoerr" type="boolean">false</Set>
      <Set name="trace" type="boolean">true</Set>
      <Set name="warning" type="boolean">true</Set>
    </Configure>

To turn on logging the next time you start the applications, change the debug property to true. To disable logging in the applications, reset the debug property to false.

To modify the debug verbosity, set the debugverbosity property to the required level, which can be LOW, MED or MAX.

This change does not take effect until the applications are restarted. You can alter the logging levels dynamically through the SESM Applications section of the Logging screen in the SESM Application Manager. For more information on the Application Manager, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.
Enabling and Disabling Logging in Jetty Web Server

To enable or disable logging in the Jetty Web Server, open the following file:

    <SESM>/jetty/config/<application>.jetty.xml

For example, if you need to enable or disable Jetty debugs for NWSP, the location will be:

    <SESM>/jetty/config/nwsp.jetty.xml

Refer to the following section:

    <Configure jmxname="org.mortbay.jetty:debug=0" >
      <Set name="debug" type="boolean">false</Set>
      <Set name="debugpatterns"></Set>
      <Set name="verbose" type="int">0</Set>
      <Set name="suppressstack" type="boolean">false</Set>
      <Set name="suppresswarnings" type="boolean">false</Set>
    </Configure>

To enable logging in the Jetty Web Server, set the debug property to true. To disable logging in Jetty, reset the debug property to false.

This change does not take effect until the application is restarted. You can alter the logging levels dynamically through the Jetty Web Servers section of the Logging screen in the SESM Application Manager. For more information on the Application Manager, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

SESM AAA Server FAQ

This section contains answers to frequently asked questions on SESM AAA Server.

Configuring AAA Server to Include Attribute 18 Values in Access-Reject Responses

RADIUS Attribute 18 is also referred to as the Reply-Message attribute. SESM currently includes a RADIUS filter which can be applied to RADIUS responses and configured to add attributes and values when these responses contain a particular response code (for example, 3 in the case of Access-Reject). This filter is not used by the SESM RADIUS server by default, but it can be configured for use by following these steps.

Step 1 Open <SESM>/tools/config/aaa.xml in a text editor.

Step 2 Add the AddAVsFilter as a handler. Within the config, locate the following section:

    <Set name="handlers">
      <Array class="com.cisco.sesm.erp.erphandler">
        <Item>
          <New class="com.cisco.sesm.erp.radius.aaahandler">
            <Set name="name">aaa</Set>
            <Set name="aaafilename"><systemproperty name="application.home" default="."/>/config/aaa.properties</Set>
          </New>
        </Item>

Immediately after the </Item> tag, add the following:

    <Item>
      <New class="com.cisco.sesm.erp.radius.addavsfilter">
        <Set name="name">avfilter</Set>
        <Set name="nexthandler">aaa</Set>
        <Set name="responsecodes">
          <Array class="java.lang.integer">
            <Item type="int">3</Item>
          </Array>
        </Set>
        <Set name="avs">
          <Array class="java.lang.string">
            <Item>Reply-Message:somemessage</Item>
          </Array>
        </Set>
      </New>
    </Item>

Step 3 Configure the required Attribute 18 message. In the configuration snippet given above, the attribute 18 message is currently set to be somemessage. Change this to the appropriate attribute 18/Reply-Message you want returned. In the same configuration snippet, the value 3 in responsecodes specifies that this attribute will be added to Access-Reject messages. Three is the decimal RADIUS code for Access-Reject.

Step 4 Configure the RADIUS Listener to use the AddAVsFilter. After the AddAVsFilter has been configured, ensure that the single RADIUS listener used by the AAA server calls this handler before it calls the standard AaaHandler. Locate the following section in the config:

    <Set name="listeners">
      <Array class="com.cisco.sesm.erp.erplistener">
        <Item>
          <New class="com.cisco.sesm.erp.radius.radiuslistener">
            <Set name="handler">aaa</Set>
          </New>
        </Item>
      </Array>
    </Set>

Change the <Set name="handler">aaa</Set> to <Set name="handler">avfilter</Set> (this matches the name set when you added the AddAVsFilter handler configuration in step 2).

Listeners tend to be automatically named after their first configured handler, so this has the effect of changing the listener's name to "AVFilter". Therefore you need to update the remaining configuration for the listener.

Locate the line

    <Configure jmxname="com.cisco.sesm:name=aaa,radiuslistener=aaa,component=threadpool">

and change RADIUSListener=AAA to be RADIUSListener=AVFilter.

Locate the line

    <Configure jmxname="com.cisco.sesm:name=aaa,radiuslistener=aaa,component=radiusserversocket">

and change RADIUSListener=AAA to be RADIUSListener=AVFilter.

SESM Web Portals FAQ

This section contains answers to frequently asked questions on SESM Web Portals.

Enabling and Disabling Single Sign-On

SESM web portals have Single Sign-On enabled after installation. To disable this feature, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Locate the following line in the SESM MBean:

    <Set name="singlesignon" type="boolean">true</Set>

Change the boolean property to false.
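What the AddAVsFilter steps in the AAA Server FAQ above produce on the wire, as an added example that is not part of the original guide or of SESM: an Access-Reject (code 3) carrying a Reply-Message (attribute 18), built and checked per RFC 2865. The function names, identifier, Request Authenticator and shared secret are constructed for illustration; only the message text somemessage comes from the guide.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3    # RADIUS code matched by the filter's responsecodes entry
REPLY_MESSAGE = 18   # RADIUS attribute type of Reply-Message
HEADER_LEN = 20      # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length (includes the 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_reject(identifier, request_auth, secret, reply_message):
    """Build an Access-Reject that carries a single Reply-Message attribute."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = encode_attr(REPLY_MESSAGE, reply_message.encode("utf-8"))
    head = struct.pack("!BBH", ACCESS_REJECT, identifier, HEADER_LEN + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:HEADER_LEN], attrs


def response_is_authentic(packet, request_auth, secret):
    """Recompute the Response Authenticator with the shared secret and compare."""
    _, _, authenticator, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[HEADER_LEN:length] + secret
    ).digest()
    return hmac.compare_digest(authenticator, expected)


def reject_messages(packet):
    """Return the Reply-Message strings of an Access-Reject, or [] for other codes."""
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_REJECT:
        return []
    return [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]


# Constructed sample values, not taken from a real exchange.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_PACKET = build_access_reject(42, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, "somemessage")

if __name__ == "__main__":
    print(reject_messages(SAMPLE_PACKET))
    print(response_is_authentic(SAMPLE_PACKET, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The Reply-Message travels in clear text and is protected only by the MD5 Response Authenticator, so a changed message is detected only by a client that recomputes the authenticator with the shared secret.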

This change does not take effect until the applications are restarted. To enable Single Sign-On again, reset the boolean to true.

Configuring Confirmation While Logging On to or Logging Off from a Service

The SESM web portal can be configured to present a confirmation screen to the subscriber before connecting to, or disconnecting from, a service. To modify these features, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Locate the following in the WebAppMBean:

    <Set name="confirmatservicelogon" type="boolean">false</Set>
    <Set name="confirmatservicelogoff" type="boolean">true</Set>

The configuration above is the default after a SESM installation, and will result in a confirmation screen being presented to users when they attempt to disconnect from a service. Set each boolean property to TRUE or FALSE as required to change the default configuration.

This change does not take effect until the application is restarted.

Configuring Confirmation While Logging Off from Subscriber Account

The SESM web portal can be configured to present a confirmation screen to the subscriber before they log out. To modify this feature, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Locate the following in the WebAppMBean:

    <Set name="confirmataccountlogoff" type="boolean">true</Set>

This is the default configuration after a SESM installation, and will result in a confirmation screen being presented to subscribers before they log out. Change the boolean property to FALSE to disable this feature.

This change does not take effect until the application is restarted. To enable this feature again, reset the boolean property to TRUE.

Configuring User Credential Length

The SESM web portal can be configured to enforce a minimum and maximum length for usernames and passwords (used when creating sub-accounts and when subscribers decide to change passwords). To modify this feature, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Locate the following in the WebAppMBean:

    <!-- Minimum length for usernames. -->
    <Set name="usernameminlength" type="int">1</Set>
    <!-- Maximum length for usernames. -->
    <Set name="usernamemaxlength" type="int">30</Set>
    <!-- Minimum length for passwords. -->
    <Set name="passwordminlength" type="int">1</Set>
    <!-- Maximum length for passwords. -->
    <Set name="passwordmaxlength" type="int">30</Set>

Modify the appropriate values to enforce minimum and maximum length for usernames and passwords. For example, to enforce a minimum password and username length of 6 characters:

    <!-- Minimum length for usernames. -->
    <Set name="usernameminlength" type="int">6</Set>
    <!-- Maximum length for usernames. -->
    <Set name="usernamemaxlength" type="int">30</Set>
    <!-- Minimum length for passwords. -->
    <Set name="passwordminlength" type="int">6</Set>
    <!-- Maximum length for passwords. -->
    <Set name="passwordmaxlength" type="int">30</Set>

This change does not take effect until the application is restarted.

Refreshing the Web Portal Service List

Sometimes auto-connect services appear as though they have not successfully connected after a subscriber has logged on to the Web Portal. This is because SESM presents subscribers their service-list before the service has finished being connected. To refresh the service-list after users log in, open the following file:

    <SESM>/nwsp/webapp/WEB-INF/web.xml

Refer to the following Servlet definition:

    <servlet>
      <servlet-name>refreshdelay</servlet-name>
      <description>
        Sets the request attribute "refreshdelay" for the page refresh delay in seconds,
        if the initialisation parameter is a string representation of a non-zero integer.
        The purpose of a page refresh is to correctly display any delayed service connections.
        Replace the following parameter value by eg 5 so that the home page refreshes after 5 seconds.
      </description>
      <servlet-class>com.cisco.sesm.webapp.decorator.refreshdelaydecorator</servlet-class>
      <init-param>
        <param-name>refreshdelay</param-name>
        <param-value>0</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>

Set the refreshdelay parameter to a suitable number of seconds so that the subscriber's service list page in SESM is refreshed after they have logged in to the application. For example, five seconds:

    <servlet>
      <servlet-name>refreshdelay</servlet-name>
      <description>
        Sets the request attribute "refreshdelay" for the page refresh delay in seconds,
        if the initialisation parameter is a string representation of a non-zero integer.
        The purpose of a page refresh is to correctly display any delayed service connections.
        Replace the following parameter value by eg 5 so that the home page refreshes after 5 seconds.
      </description>
      <servlet-class>com.cisco.sesm.webapp.decorator.refreshdelaydecorator</servlet-class>
      <init-param>
        <param-name>refreshdelay</param-name>
        <param-value>5</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>

This change does not take effect until the applications are restarted.

Enabling Port-Bundle Host-Key

SESM applications do not need to maintain a list of SSG/client-subnet mappings if they are run with Port-Bundle Host-Key.
To convert a SESM application from using the IP Host-Key (and associated SSG/client subnet mappings) to running with Port-Bundle Host-Key, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Remove SSG/client subnet mappings. A SESM application that was installed with PBHK disabled will have at least one line similar to the one below in the SSGMBean (note that there may be several lines within comment delimiters; ensure the line is outside any comment):

    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>

Remove this line, and any other SSG/client-subnet mappings.

Set the Bundle Length. A SESM application that was installed with PBHK disabled will have a Bundle Length set to zero in the SSGMBean. Within the same file, refer to the following line:

    <Call name="setglobalattribute"><arg>bundle_length</arg><arg>0</arg></Call>

To enable PBHK, set the Bundle Length to match that on the SSG (default on the SSG is 4):

    <Call name="setglobalattribute"><arg>bundle_length</arg><arg>4</arg></Call>

Note: If you are using the Captive Portal application, you will also need to make these changes to the captiveportal.xml file.

PBHK will be enabled when the application is restarted.

Enabling IP Host-Key

To convert a SESM application from running with Port-Bundle Host-Key (PBHK) to using the IP Host-Key (and associated SSG/client subnet mappings), open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Set bundle-length to zero. To disable PBHK, you have to set the BUNDLE_LENGTH attribute to zero in the application configuration file.

a. Locate the following in the SSGMBean:

    <Call name="setglobalattribute"><arg>bundle_length</arg><arg>4</arg></Call>

b. Change the BUNDLE_LENGTH to zero:

    <Call name="setglobalattribute"><arg>bundle_length</arg><arg>0</arg></Call>

Add SSG/Client-subnet mappings. When PBHK is disabled, the applications need a mapping of SSG IP addresses to the subscriber IP ranges that are associated with those SSGs. This ensures that the applications send RADIUS packets for a particular subscriber to the appropriate SSG. You now need to add an SSG/Client-subnet mapping, which is done by inserting a line such as the one below within the SSGMBean (put this line below the BUNDLE_LENGTH line that was discussed above):

    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>

This line maps subscribers on the /8 network to the SSG at

To add additional mappings for that SSG, add another line to the file:

    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>
    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>

To add a mapping for a second SSG, add another line with a different SSG IP address and client address range:

    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>
    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>
    <Call name="setsubnetattribute"><arg> </arg><arg> </arg><arg>ip</arg><arg> </arg></Call>

Note: If you are using Captive Portal in your network, you must make these changes to the captiveportal.xml file too.

This change does not take effect until the application is restarted.

Modifying AAA Server Attributes

To modify the RADIUS server IP address and RADIUS secrets that are used by the SESM applications when they are communicating with the AAA servers, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Locate the following section:

    <Configure jmxname="com.cisco.sesm:name=aaa,connection=serviceprofile">
      <Set name="throttle" type="int">256</Set>
      <Set name="timeout" type="int">4000</Set>
      <Set name="maxretries" type="int">3</Set>
      <Set name="primaryip"> </Set>
      <Set name="primaryport" type="int">1812</Set>
      <Set name="secret">cisco</Set>
      <Set name="secondaryip"> </Set>
      <Set name="secondaryport" type="int">1812</Set>
      <Set name="servicepassword">servicecisco</Set>
      <Set name="servicegrouppassword">groupcisco</Set>
    </Configure>

Modify the primaryip and secondaryip attributes to change the RADIUS server the portal is using. The RADIUS shared secrets and service passwords can also be modified in this section of the file.

Restricting the RADIUS Source Ports

You can restrict the ports that the SESM applications use in order to make the system more secure. To do this, open the following file:

    <SESM>/<application>/config/<application>.xml

For example, if NWSP is the SESM application you wish to modify, then:

    <SESM>/nwsp/config/nwsp.xml

Locate the following section:

    <!--
      - If we need to restrict the range of source ports used, then use entries like the following
    <Call name="setglobalattribute"><arg>min_local_port</arg><arg>50000</arg></Call>
    <Call name="setglobalattribute"><arg>max_local_port</arg><arg>50999</arg></Call>
    -->

This feature is disabled by default, as it is contained within a set of comment delimiters (<!-- -->). Remove the comment delimiters, and set the MIN_LOCAL_PORT and MAX_LOCAL_PORT values appropriately to enable the feature:

    <!--
      - If we need to restrict the range of source ports used, then use entries like the following
    -->
    <Call name="setglobalattribute"><arg>min_local_port</arg><arg>50000</arg></Call>
    <Call name="setglobalattribute"><arg>max_local_port</arg><arg>50999</arg></Call>

Setting MAX_LOCAL_PORT to a value less than or equal to MIN_LOCAL_PORT will cause an error.

This change does not take effect until the application is restarted.
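A pre-restart check for the settings covered in the credential-length, AAA server attribute and RADIUS source port sections, as an added example that is not part of the original guide or of SESM. The function names, the SampleConfig wrapper element, both sample documents and the replacement secrets are constructed for illustration; the minimum length of 6 is taken from the guide's own example and is an assumption, not a recommendation from Cisco.

```python
import xml.etree.ElementTree as ET

# Values shown in the guide's AAA connection section; a deployed file should not keep them.
SHIPPED_DEFAULTS = {
    "secret": "cisco",
    "servicepassword": "servicecisco",
    "servicegrouppassword": "groupcisco",
}


def read_settings(xml_text):
    """Collect <Set> values and setglobalattribute calls; names are compared in lower case.

    The parser drops XML comments, so entries still inside <!-- --> count as absent,
    which matches how the application treats them.
    """
    sets, global_attrs = [], {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.lower()
        name = (el.get("name") or "").lower()
        if tag == "set" and name:
            sets.append((name, (el.text or "").strip()))
        elif tag == "call" and name == "setglobalattribute":
            args = [(a.text or "").strip() for a in el if a.tag.lower() == "arg"]
            if len(args) == 2:
                global_attrs[args[0].lower()] = args[1]
    return sets, global_attrs


def audit(xml_text, min_password_len=6):
    """Return a list of (code, detail) findings; an empty list means no finding."""
    findings = []
    sets, global_attrs = read_settings(xml_text)
    for name, value in sets:
        if SHIPPED_DEFAULTS.get(name) == value:
            findings.append(("DEFAULT_SECRET", name))
        elif name == "passwordminlength" and value.isdigit() and int(value) < min_password_len:
            findings.append(("SHORT_MIN_LENGTH", f"{name}={value}"))
    low = global_attrs.get("min_local_port")
    high = global_attrs.get("max_local_port")
    if low is None or high is None:
        findings.append(("PORT_RANGE_UNSET", "RADIUS source ports are not restricted"))
    elif not (low.isdigit() and high.isdigit() and 1 <= int(low) < int(high) <= 65535):
        # The guide states that MAX_LOCAL_PORT <= MIN_LOCAL_PORT causes an error.
        findings.append(("PORT_RANGE_INVALID", f"{low}-{high}"))
    return findings


# Constructed sample modelled on the guide's defaults (the wrapper element is hypothetical).
WEAK_CONFIG = """
<SampleConfig>
  <Configure jmxname="com.cisco.sesm:name=aaa,connection=serviceprofile">
    <Set name="primaryport" type="int">1812</Set>
    <Set name="secret">cisco</Set>
    <Set name="servicepassword">servicecisco</Set>
    <Set name="servicegrouppassword">groupcisco</Set>
  </Configure>
  <Set name="passwordminlength" type="int">1</Set>
  <!-- <Call name="setglobalattribute"><arg>min_local_port</arg><arg>50000</arg></Call>
       <Call name="setglobalattribute"><arg>max_local_port</arg><arg>50999</arg></Call> -->
</SampleConfig>
"""

# Constructed sample with the defaults replaced and the port range enabled.
HARDENED_CONFIG = """
<SampleConfig>
  <Configure jmxname="com.cisco.sesm:name=aaa,connection=serviceprofile">
    <Set name="primaryport" type="int">1812</Set>
    <Set name="secret">constructed-radius-secret</Set>
    <Set name="servicepassword">constructed-service-password</Set>
    <Set name="servicegrouppassword">constructed-group-password</Set>
  </Configure>
  <Set name="passwordminlength" type="int">6</Set>
  <Call name="setglobalattribute"><arg>min_local_port</arg><arg>50000</arg></Call>
  <Call name="setglobalattribute"><arg>max_local_port</arg><arg>50999</arg></Call>
</SampleConfig>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(doc))
```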

SESM Captive Portal FAQ

This section contains answers to frequently asked questions on the SESM Captive Portal.

Ports and Associated TCP Redirections

The SESM Captive Portal application listens on several different ports for the various types of redirections performed by the SSG. The default ports and the types of redirections are outlined below:

Table 4-1 Ports and TCP Redirections

    Default Port    Type of Redirection
    Port 8090       Unauthenticated User Redirection.
    Port 8091       Initial Captivation.
    Port 8092       Advertisement Captivation.
    Port 8093       Default Service Redirect.
    Port 8094       Named Service Redirect 1.
    Port 8095       Named Service Redirect 2.
    Port 8096       Named Service Redirect 3.
    Port 8099       Secure Port.
    Port 8101       Unauthenticated Web-Proxy User.

An example SSG configuration, which has been constructed to align the SSG's TCP redirects to these ports, is available in a SESM installation in the following file:

    <SESM>/captiveportal/config/ssgconfig.txt

Enabling / Disabling Redirections

To disable the Captive Portal redirections, open the following file:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following section:

    <Set name="userredirecton" type="boolean">true</Set>
    <Set name="initialcaptivateon" type="boolean">true</Set>
    <Set name="advertisingcaptivateon" type="boolean">true</Set>
    <Set name="serviceredirecton" type="boolean">true</Set>

To disable a specific type of redirection (advertising captivation in the example below), set the appropriate property to false:

    <Set name="userredirecton" type="boolean">true</Set>
    <Set name="initialcaptivateon" type="boolean">true</Set>
    <Set name="advertisingcaptivateon" type="boolean">false</Set>
    <Set name="serviceredirecton" type="boolean">true</Set>

If a request is made to a Captive Portal port that has been disabled in the manner above, the user is redirected to the errorurl in the captiveportal.xml file:

    <Set name="errorurl"> name="serviceportal.host" default="captiveportal"/>:<systemproperty name="serviceportal.port" default="8080"/>/home</Set>

Modifying Unauthenticated User Redirection URL

When the Captive Portal receives a request on the unauthenticated user port (8090), it will redirect the subscriber to the SESM web portal by default. To change this, open the following file:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to this section:

    <Set name="userredirecturl"> name="serviceportal.host" default="captiveportal"/>:<systemproperty name="serviceportal.port" default="8080"/>/home</Set>

This line essentially redirects the user to the following URL, where captiveportal is the hostname of the SESM machine, and 8080 is the port that the SESM web portal is running on:

Modify this URL to redirect unauthenticated users to a different URL, for example, :

    <Set name="userredirecturl"> name="serviceportal.host" default=" name="serviceportal.port" default="80"/>/news_and_media</Set>

It is important to realise that the server to which you redirect unauthenticated users must be available to them. This server is typically the SESM Subscriber Portal, residing on the default-network defined in the SSG. If Captive Portal is configured to redirect unauthenticated users to a server that is outside of the default-network, or an open-garden, then the SSG will TCP-redirect them back to Captive Portal.
Users will only be permitted to access the default-network, and any open-garden services, before authentication.

Modifying Initial Captivation URL, Initial Captivation Duration and Initial Captivation Delay

Redirection Inside the Default Network/Open Gardens

There are three configuration options for Initial Captivation: the initialcaptivateurl, the initialcaptivateduration and the initialcaptivatedelay. By default, the Captive Portal will redirect a user that is subject to Initial Captivation to the SESM Message Portal for a duration of 15 seconds before they are redirected to their originally requested URL. To view the default settings, open the following file:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following lines:

    <Set name="initialcaptivateurl"> name="messageportal.host" default="captiveportal"/>:<systemproperty name="messageportal.port" default="8085"/>/initial</Set>
    <Set name="initialcaptivateduration">15</Set>
    <Set name="initialcaptivatedelay" type="int">0</Set>

Redirection Outside the Default Network/Open Gardens

Alternatively, the Captive Portal can be configured to redirect all users to a specific URL while they are subject to Initial Captivation, as in the example below:

    <Set name="initialcaptivateurl"> name="messageportal.host" default="news.bbc.co.uk"/>:<systemproperty name="messageportal.port" default="80"/>/</Set>

The Captive Portal can also be configured to redirect a user to the Home URL in the user-profile, or to the location URL for the user's given location, by substituting a keyword into the initialcaptivateurl parameter.

personalurl
    This will have the user redirected to their personal URL when they are subject to initial captivation.

locationurl
    This will have the user redirected to the location URL when they are subject to initial captivation.

For example:

    <Set name="initialcaptivateurl">personalurl</Set>

When users are subject to initial captivation, they are only permitted to access the server defined in the initial captivation server-group on the SSG.
To achieve redirections to servers other than the initial captivation server, you must:

Shorten the captive duration on the SSG to its minimum: 1 second.
Introduce a delay of greater than 1 second in the Captive Portal's HTTP redirection of the user.

This way, users will be captured, the redirection will pause for a short while (1 second) until the captive period has elapsed, and then they will be redirected to the desired external URL. This delay in Captive Portal is activated by editing the following line:

    <Set name="initialcaptivatedelay" type="int">0</Set>

The value of this delay should just exceed the duration on the SSG, and since the Captive Portal delay is measured in milliseconds, this can be set to:

    <Set name="initialcaptivatedelay" type="int">1100</Set>

Users that are redirected outside of the default network are not truly captive using this method.

Modifying Advertising Captivation URL, Advertising Captivation Duration and Advertising Captivation Delay

Redirection Inside the Default Network/Open Gardens

There are three configuration options for Advertisement Captivation: the advertisingcaptivateurl, the advertisingcaptivateduration and the advertisingcaptivatedelay. By default, the Captive Portal will redirect a user that is subject to Advertisement Captivation to the SESM Message Portal for a duration of 15 seconds before they are redirected back to their originally requested URL.
To view the default settings, open the following file:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following lines:

    <Set name="advertisingcaptivateurl"> name="messageportal.host" default="captiveportal"/>:<systemproperty name="messageportal.port" default="8085"/>/advertising</Set>
    <Set name="advertisingcaptivateduration">15</Set>
    <Set name="advertisingcaptivatedelay" type="int">0</Set>

Redirection Outside the Default Network/Open Gardens

Alternatively, Captive Portal can be configured to redirect all users to a specific URL while they are subject to Advertising Captivation, as in the example below:

    <Set name="advertisingcaptivateurl"> name="messageportal.host" default="news.bbc.co.uk"/>:<systemproperty name="messageportal.port" default="80"/>/</Set>

Captive Portal can also be configured to redirect a user to the Home URL in the user-profile, or to the location URL for the user's given location, by substituting a keyword into the advertisingcaptivateurl parameter.

personalurl
    This will have the user redirected to their personal URL when they are subject to advertising captivation.

locationurl
    This will have the user redirected to the location URL when they are subject to advertising captivation.

For example:

    <Set name="advertisingcaptivateurl">locationurl</Set>

When users are subject to advertising captivation, they are only permitted to access the server defined in the advertising captivation server-group on the SSG. To achieve redirections to servers other than the advertising server, you must:

Shorten the captive duration on the SSG to its minimum: 1 second.
Introduce a delay of greater than 1 second in the Captive Portal's HTTP redirection of the user.

This way, users will be captured, the redirection will pause for a short while (1 second) until the captive period has elapsed, and then they will be redirected to the desired external URL. This delay in Captive Portal is activated by editing the following line:

    <Set name="advertisingcaptivatedelay" type="int">0</Set>

The value of this delay should just exceed the duration on the SSG, and since the Captive Portal delay is measured in milliseconds, this can be set to:

    <Set name="advertisingcaptivatedelay" type="int">1100</Set>

Users that are redirected outside of the default network are not truly captive using this method.

Modifying Default Service Redirect URL

Captive Portal redirects users that are subject to a default service redirect to the SESM web portal. To modify the default Service Redirect URL, open the following file:

    <SESM>/captiveportal/config/captiveportal.xml

Locate this line:

    <Set name="serviceredirectdefaulturl">

To have these users redirected to an alternative webserver, for example, yahoo, modify as follows:

    <Set name="serviceredirectdefaulturl">

If users are service-redirected to Captive Portal, it can mean that they have no active services. As such, they will only be able to reach the Default-Network and any Open-Garden services. This should be taken into consideration when modifying the default service redirect URL.
Configuring Prepaid User Redirection in SSG

Subscribers with prepaid internet access can access the internet until their quota in the billing server is exhausted. When a subscriber's quota is exhausted, the SSG can do one of two things: either disconnect the service immediately, or do prepaid user redirection.

In prepaid user redirection, the subscriber's attempted access to the prepaid service will be redirected to a defined server group in the TCP-redirect configuration in SSG. This server group should redirect these users to the Captive Portal application, which will in turn HTTP-redirect the users to a web portal, where a recharge page will be displayed to the subscriber. SESM web portals include a recharge stub that can be customized in order to facilitate the recharge operation.

The following examples can be used to configure prepaid user redirection on an SSG that supports the feature.

Configure a default prepaid redirection group as follows:

    ssg tcp-redirect
    server-group PREPAID_REDIR_DEFAULT
    server
    !
    redirect prepaid-user to PREPAID_REDIR_SERVER

This example is given in a SESM install in captiveportal/config/ssgconfig.txt

You can also configure a prepaid redirection group on a per service basis instead of as default:

    ssg tcp-redirect
    server-group PREPAID_REDIR_SERVICE1
    server

This example is given in a SESM install in captiveportal/config/ssgconfig.txt

Configure the per-service redirection in a service profile using the Z subattribute code. For example:

    Z;PREPAID_REDIR_SERVICE1
    Service-Info = "..."

where ... is the string you give here. This example is given in a SESM install in nwsp/config/aaa.properties.

Configuring Captive Portal for Prepaid User Redirections

The default Captive Portal application does not have a port configured to receive the prepaid user redirections that the SSG can send to it. As such, the configuration needs to be edited manually.

Configuring Jetty to Receive Prepaid User Redirections

You need to have Jetty open another socket when it starts the Captive Portal, so that the application can receive and handle these requests. To configure an additional socket in Captive Portal, open the following file:

    <SESM>/jetty/config/captiveportal.jetty.xml

Add another SESMSocketListener to the file.
To do this, copy and paste an existing section of the config into this section of the configuration file:

    <Call name="addlistener">
      <Arg><New class="com.cisco.sesm.jetty.sesmsocketlistener"></New></Arg>
    </Call>

Configure this new SESMSocketListener. Copy an existing configuration section to achieve this, as in the example below. Note that we're configuring SESMSocketListener number 8 to be called genericredirect2, and the port that we're opening is

    <Configure jmxname="org.mortbay.jetty:name=jetty,server=0,sesmsocketlistener=8">
      <Set name="port" type="int"><systemproperty name="genericredirect2.port" default="8097"/></Set>
      <Set name="minthreads" type="int">5</Set>
      <Set name="maxthreads" type="int">255</Set>
      <Set name="maxidletimems" type="int">60000</Set>
    </Configure>

Configuring Captive Portal to Handle Prepaid User Redirections

You need to add a generic redirection in the Captive Portal application configuration file which uses this new port to handle prepaid user redirection. Open the following file:

    <SESM>/captiveportal/config/captiveportal.xml

Add a generic redirection:

    <Call name="definegenericredirect">
      <Arg>8097</Arg>
      <Arg> uri</Arg>
      <Arg>CPURL=capturedURL</Arg>
    </Call>

If you are using NWSP, configure Captive Portal to redirect to the NWSP recharge page, in captiveportal.xml:

    <Call name="definegenericredirect">
      <Arg>8097</Arg>
      <Arg>
      <Arg>CPURL=capturedURL</Arg>
    </Call>

This has configured the Captive Portal to HTTP-redirect the prepaid users to the dummy recharge page on the SESM web portal.

Billing Server Requirements

In order for the SSG to invoke prepaid user redirection, the billing server must respond with an idle-timeout value which is greater than zero in the authorization response that it sends to the SSG when the subscriber has run out of quota.

There is an example below of the SSG debug information produced when users have exhausted their quota, and an idle-timeout is included in the RADIUS response to the SSG. When the SSG receives this, it will redirect traffic that is destined for the prepaid service to the configured server-group (PREPAID) for the duration of the idle-timeout, without disconnecting the service.
Once this period has elapsed, the SSG will attempt to re-authorise the user by asking the billing server for more quota. If the user has not added more quota to their account by this time, they will be subject to prepaid user redirection once again.

    01:15:14: RADIUS: Received from id 21645/ :1812, Access-Accept, len 83
    01:15:14: RADIUS: authenticator 3C C9 E DD 2C - 8F D3 79 6A B B6
    01:15:14: RADIUS: Service-Type [6] 6 Framed [2]
    01:15:14: RADIUS: Vendor, Cisco [26] 27
    01:15:14: RADIUS: ssg-service-info [251] 21 "Nvideo-city-prepaid"
    01:15:14: RADIUS: Vendor, Cisco [26] 13
    01:15:14: RADIUS: ssg-control-info [253] 7 "QT100"
    01:15:14: RADIUS: Vendor, Cisco [26] 11
    01:15:14: RADIUS: ssg-control-info [253] 5 "QV0"
    01:15:14: RADIUS: Idle-Timeout [28] :15:14: RADIUS( ): Received from id 21645/48
    01:15:14: SSG-CTL-EVN: Creating radius packet
    01:15:14: SSG-CTL-EVN: Response is good
    01:15:14: SSG-CTL-EVN: Volume Quota = 0
    01:15:14: SSG-CTL-EVN: Time Quota = :15:14: SSG-CTL-EVN: Idle timeout present, Value = 60
    01:15:14: SSG-CTL-EVN: Initializing Quota timer for msec
    01:15:14: SSG-CTL-EVN: Starting Quota timer for mseconds
    01:15:14: SSG-CTL-EVN: Initializing volume reauth timer for 60 seconds

If the billing server simply replies with a quota value of zero, the prepaid service will be disconnected, and the user will be subject to default service redirection (if configured).

SESM Web Proxy FAQ

This section contains answers to frequently asked questions on the SESM Web Proxy.

All attribute changes described in this section are done by modifying the appropriate configuration file. These changes require the application to be restarted.

All attributes can also be changed via AgentView, running on port +100 (8190 by default for Captive Portal, 8202 by default for Web Proxy). Changes using AgentView take effect immediately, and will remain in the configuration file if the store operation is performed.
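The rule under Billing Server Requirements above (zero quota plus an idle-timeout greater than zero gives prepaid redirection, zero quota alone gives disconnection) can be checked against captured SSG debug output. The following is an added example, not part of the Cisco document; it assumes the SSG-CTL-EVN line wording shown in the debug excerpt, the log lines are constructed, and the outcome labels are the example's own.

```python
import re
from dataclasses import dataclass, field

# Line wording taken from the SSG-CTL-EVN debug excerpt in this FAQ.
START_MARK = "SSG-CTL-EVN: Response is good"
QUOTA_RE = re.compile(r"SSG-CTL-EVN: (Volume|Time) Quota = (\d+)")
IDLE_RE = re.compile(r"SSG-CTL-EVN: Idle timeout present, Value = (\d+)")


@dataclass
class AuthResponse:
    """Quota-related values the SSG logged for one authorization response."""
    quotas: dict = field(default_factory=dict)  # "Volume" / "Time" -> value
    idle_timeout: int = 0                       # 0 = no idle-timeout logged

    def outcome(self):
        # Labels are this example's own, not SSG terminology.
        if not self.quotas:
            return "no-quota-logged"
        if 0 not in self.quotas.values():
            # Assumption: no zero quota means the user still has quota.
            return "quota-granted"
        if self.idle_timeout > 0:
            return "prepaid-redirect"   # redirected for the idle-timeout period
        return "disconnect"             # zero quota, no usable idle-timeout


def parse_responses(text):
    """Group debug lines into one AuthResponse per 'Response is good' marker."""
    responses, current = [], None
    for line in text.splitlines():
        if START_MARK in line:
            current = AuthResponse()
            responses.append(current)
            continue
        if current is None:
            continue  # lines before the first response are ignored
        match = QUOTA_RE.search(line)
        if match:
            current.quotas[match.group(1)] = int(match.group(2))
            continue
        # A quota line whose value is missing falls through to here, so an
        # idle-timeout fused onto the same line is still picked up.
        match = IDLE_RE.search(line)
        if match:
            current.idle_timeout = int(match.group(1))
    return responses


def classify(text):
    """Return the expected SSG behaviour for each response in the debug text."""
    return [response.outcome() for response in parse_responses(text)]


# Constructed sample (not captured from a device): three re-authorizations.
SAMPLE_DEBUG = """\
01:15:14: SSG-CTL-EVN: Creating radius packet
01:15:14: SSG-CTL-EVN: Response is good
01:15:14: SSG-CTL-EVN: Volume Quota = 0
01:15:14: SSG-CTL-EVN: Idle timeout present, Value = 60
01:16:14: SSG-CTL-EVN: Creating radius packet
01:16:14: SSG-CTL-EVN: Response is good
01:16:14: SSG-CTL-EVN: Volume Quota = 0
01:17:02: SSG-CTL-EVN: Creating radius packet
01:17:02: SSG-CTL-EVN: Response is good
01:17:02: SSG-CTL-EVN: Volume Quota = 5000
"""

if __name__ == "__main__":
    for number, result in enumerate(classify(SAMPLE_DEBUG), start=1):
        print(f"response {number}: {result}")
```

A "disconnect" result for a subscriber who was expected to reach the recharge page points at the billing server omitting the idle-timeout, not at the Captive Portal redirect configuration.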
All attribute changes in the MBean for the proxy handler can be made in a separate configuration file, which is then polled. This requires the two configuration sections for the file poller to be uncommented and the corresponding configuration in the original file to be removed. Changes via file polling take effect each time the polled file has been updated and the configured polling interval has elapsed.

The full Plug-and-Play solution needs the SSG, the SESM Captive Portal, Web Proxy and DNS Proxy applications to be correctly configured and running.

Configuring and Debugging SSG

The default configuration for SESM Captive Portal and Web Proxy is as follows:

    Port 8090 on Captive Portal for unauthenticated users
    Port 8101 on Captive Portal for authenticated proxy users
    Port 8102 on Web Proxy for authenticated proxy users with an active internet service

The corresponding configuration on the SSG:

    ssg tcp-redirect
    !
     server-group UNAUTH_USER
      server <Captive Portal IP> 8090
    !
     redirect unauthenticated-user to UNAUTH_USER
    !
     server-group WEBPROXY_UNAUTH
      server <Captive Portal IP> 8090
    !
     server-group WEBPROXY_AUTH
      server <Captive Portal IP> 8101
    !
     server-group WEBPROXY_SERVICE_8102
      server <Web Proxy IP> 8102
    !
     redirect permanent http unauthenticated to WEBPROXY_UNAUTH
     redirect permanent http authenticated to WEBPROXY_AUTH
    !

SSG Debug Commands:

    debug ssg tcp-redirect errors
    debug ssg tcp-redirect events
    debug ssg tcp-redirect packets
    debug ssg tcp-redirect server events
    debug ssg ctrl-errors
    debug ssg ctrl-events
    debug ssg ctrl-packets
    debug ssg errors
    debug ssg events
    debug radius
    terminal monitor

Debugging for a client IP:

    show ssg tcp-redirect mapping <client IP>

Detailed debugging for a client IP:

    debug ip packet detail <acl>

where the configuration on the SSG is, for example for <acl> = 101:

    access-list 101 permit ip host <client IP> any
    access-list 101 permit ip any host <client IP>

Enabling accountwebproxy in Captive Portal

Captive Portal sends a message to the SSG to indicate that the request is from a proxy user only if accountwebproxy is set to true. By default it is set to false, as most deployments do not use Plug-and-Play. To switch on the full set of Plug-and-Play features in Captive Portal, open:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following lines:

    <!-- Enable the SSG Account Web Proxy feature -->
    <Set name="accountwebproxy" type="boolean">false</Set>

Change to:

    <!-- Enable the SSG Account Web Proxy feature -->
    <Set name="accountwebproxy" type="boolean">true</Set>

Setting sesmsessionenabled in Captive Portal

The SESMSession is required to get locations for use in whitelists and blacklists. By default, use of the SESMSession is set to false, as most Plug-and-Play deployments use only a default whitelist or blacklist that is not location specific.

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following lines:

    <!-- Set this to true if require location-based white/black lists.-->
    <Set name="sesmsessionenabled" type="boolean">false</Set>

Change to:

    <!-- Set this to true if require location-based white/black lists.-->
    <Set name="sesmsessionenabled" type="boolean">true</Set>

Configuring SESM Hosts

The SESM web portal requires the remote address and remote port to be proxied to it to determine the correct session. For standard proxy requests, the web proxy handler in Captive Portal and Web Proxy sends this information in the request header. For secure proxy requests, it is sent out-of-band as a separate request to /com.cisco.sesm.proxymetadata on the web portal, as SSL does not allow the request to be modified.

Both Captive Portal and Web Proxy need to be told which hosts to send this data to. The installation program automatically updates this list of hosts to include the web portal given in the install. It may be necessary to add other aliases and/or IP addresses.

Open the following files:

    <SESM>/captiveportal/config/captiveportal.xml
    <SESM>/webproxy/config/webproxy.xml

Refer to the following lines:

    <Set name="sesmhostlist">
      <Array class="java.lang.string">
        <Item>mywebportal</Item>
      </Array>
    </Set>

Change as follows:

    <Set name="sesmhostlist">
      <Array class="java.lang.string">
        <Item>mywebportal</Item>
        <Item>myalias</Item>
        <Item>x.x.x.x</Item>
      </Array>
    </Set>

There is no need to include the SESM hosts in the default white list, as they will always be proxied to if sesmhostsallowed is set to true, which it is by default.

The SESM web portal needs to know from which servers it can accept the proxy meta-data with remote address and port. The installation program will update the list of servers that do proxy handling to include the Captive Portal given in the install. The following configuration cannot be set via AgentView. It is essential to add the IP address of the Web Proxy if it is different from Captive Portal. It may be necessary to add any other public aliases.

    <SESM>/mywebportal/webapp/WEB-INF/web-jetty.xml

Refer to the following lines:

    <Set name="sesmproxylist">
      <Array type="java.lang.string">
        <Item>captiveportal</Item>
        <Item> </Item>
        <Item>localhost</Item>
      </Array>
    </Set>

Change as follows:

    <Set name="sesmproxylist">
      <Array type="java.lang.string">
        <Item>captiveportal</Item>
        <Item>a.b.c.d</Item>
        <Item>webproxyifondifferentmachine</Item>
      </Array>
    </Set>

where a.b.c.d is the IP address of the Captive Portal.
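Because every server in sesmproxylist is allowed to tell the web portal which subscriber address and port a request belongs to, the two lists described above are worth checking against each other after each change. The following consistency check is an added example, not part of the Cisco document; the configuration text, the 192.0.2.x addresses, the alias portal.example.net and the finding labels are constructed, and list names are matched case-insensitively because the spelling in this transcription may not match the installed files.

```python
import xml.etree.ElementTree as ET


def string_list(xml_text, set_name):
    """Return the <Item> values under <Set name=set_name>, or None if absent."""
    root = ET.fromstring(xml_text)
    for node in root.iter("Set"):
        if node.get("name", "").lower() == set_name.lower():
            return [(item.text or "").strip() for item in node.iter("Item")]
    return None


def audit_proxy_trust(portal_xml, handler_xmls, portal_names, handler_addrs):
    """Cross-check the portal's sesmproxylist with each handler's sesmhostlist.

    portal_xml    -- text of the web portal's web-jetty.xml
    handler_xmls  -- {handler name: text of captiveportal.xml / webproxy.xml}
    portal_names  -- names and addresses under which the portal is reached
    handler_addrs -- {handler name: addresses it connects to the portal from}
    Returns a list of (finding, subject) tuples; an empty list means consistent.
    """
    trusted = string_list(portal_xml, "sesmproxylist")
    if trusted is None:
        return [("missing-list", "sesmproxylist")]
    findings = []
    if "" in trusted:
        findings.append(("blank-entry", "sesmproxylist"))
    trusted_set = {entry.lower() for entry in trusted if entry}

    known = set()
    for name in sorted(handler_addrs):
        addrs = {addr.lower() for addr in handler_addrs[name]}
        known |= addrs
        if not addrs & trusted_set:
            # The portal would not accept proxy meta-data from this handler.
            findings.append(("untrusted-handler", name))
    for entry in sorted(trusted_set - known):
        # Trusted to assert client address/port, but not a known handler.
        findings.append(("extra-trusted-sender", entry))

    wanted = {alias.lower() for alias in portal_names}
    for name in sorted(handler_xmls):
        hosts = string_list(handler_xmls[name], "sesmhostlist")
        if hosts is None:
            findings.append(("missing-list", name + ":sesmhostlist"))
            continue
        if "" in hosts:
            findings.append(("blank-entry", name + ":sesmhostlist"))
        have = {host.lower() for host in hosts if host}
        for alias in sorted(wanted - have):
            # Requests to this alias would reach the portal without meta-data.
            findings.append(("missing-portal-alias", name + ":" + alias))
    return findings


# Constructed configuration fragments in the Set/Array/Item form shown above.
PORTAL_XML = """<Configure>
  <Set name="sesmproxylist"><Array type="java.lang.string">
    <Item>captiveportal</Item><Item> </Item><Item>localhost</Item>
  </Array></Set>
</Configure>"""
CAPTIVEPORTAL_XML = """<Configure>
  <Set name="sesmhostlist"><Array class="java.lang.string">
    <Item>mywebportal</Item>
  </Array></Set>
</Configure>"""
WEBPROXY_XML = """<Configure>
  <Set name="sesmhostlist"><Array class="java.lang.string">
    <Item>mywebportal</Item><Item>portal.example.net</Item>
  </Array></Set>
</Configure>"""


def run_sample():
    """Audit the constructed deployment: Web Proxy on its own machine."""
    return audit_proxy_trust(
        PORTAL_XML,
        {"captiveportal": CAPTIVEPORTAL_XML, "webproxy": WEBPROXY_XML},
        portal_names={"mywebportal", "portal.example.net"},
        handler_addrs={"captiveportal": {"captiveportal", "192.0.2.10"},
                       "webproxy": {"192.0.2.11"}},
    )


if __name__ == "__main__":
    for finding, subject in run_sample():
        print(finding, subject)
```

An extra-trusted-sender finding is a prompt to confirm the entry is still needed; localhost, for instance, is only meaningful when a proxy handler runs on the same machine as the web portal.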

Configuring Whitelists in Captive Portal for Non-Proxy Users

For non-proxy users you can configure transparent proxying by configuring proxy ports:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following section:

    <!-- The listener ports where transparent proxying will occur for
         non-proxy users according to the white/black lists. Uncomment the
         example below to allow this type of proxying for unauthenticated
         user redirection and default unauthorized service redirection. -->
    <!--
    <Set name="proxyports">
      <Array class="java.lang.string">
        <Item>8090</Item>
        <Item>8093</Item>
      </Array>
    </Set>
    -->

Ensure the following section is uncommented to allow transparent proxying of non-proxy requests on specific listener ports:

    <Set name="proxyports">
      <Array class="java.lang.string">
        <Item>8090</Item>
        <Item>8093</Item>
      </Array>
    </Set>

The installation program updates these ports if they are different from the default values. By default, Captive Portal proxies only proxy requests.

Editing Captive Portal WhiteLists

The Captive Portal application has default and location-specific whitelists, which are lists of hosts that the Captive Portal will permit unauthenticated users to access. If a location-specific whitelist is available, it will be used for the user in that location. In all other cases, the default whitelist is used. The default whitelist must include any Open Garden services in the deployment.

To edit the Captive Portal whitelist, open:

    <SESM>/captiveportal/config/captiveportal.xml

Refer to the following section:

    <!--
    <Set name="proxyhostswhitelists">
      <New class="java.util.hashmap">
        <Put name="default">
          <Array class="java.lang.string">
            <Item>.cisco.com</Item>
          </Array>
        </Put>
        <Put name="london">
          <Array class="java.lang.string">
            <Item> </Item>
            <Item>freeservices</Item>
          </Array>
        </Put>
      </New>
    </Set>
    -->

After installation, there are some example entries in the array that define the whitelists. To add an entry for OPENGARDEN to the default white list and to remove the example location-specific white list, edit the section as follows, remembering to uncomment the white lists (remove the <!-- and --> delimiters):

    <Set name="proxyhostswhitelists">
      <New class="java.util.hashmap">
        <Put name="default">
          <Array class="java.lang.string">
            <Item>.cisco.com</Item>
            <Item>OPENGARDEN</Item>
          </Array>
        </Put>
      </New>
    </Set>

These changes will take effect when the Captive Portal is restarted.

Enabling WebProxy Blacklists

The WebProxy application does not have blacklists configured by default. Blacklists are lists of hosts that the application shall not proxy for, and can be enabled by editing the following file:

    <SESM>/webproxy/config/webproxy.xml

Refer to the following section:

    <!--
    <Set name="proxyhostsblacklists">
      <New class="java.util.hashmap">
        <Put name="default">
          <Array class="java.lang.string">
            <Item>.microsoft.com</Item>
          </Array>
        </Put>
        <Put name="london">
          <Array class="java.lang.string">
            <Item> </Item>
          </Array>
        </Put>
      </New>
    </Set>
    -->

To enable the black lists, uncomment the configuration (remove the <!-- and --> delimiters):

    <Set name="proxyhostsblacklists">
      <New class="java.util.hashmap">
        <Put name="default">
          <Array class="java.lang.string">
            <Item>.microsoft.com</Item>
          </Array>
        </Put>
        <Put name="london">
          <Array class="java.lang.string">
            <Item> </Item>
          </Array>
        </Put>
      </New>
    </Set>

To add a host to the default black list and remove the example location-specific black list:

    <Set name="proxyhostsblacklists">
      <New class="java.util.hashmap">
        <Put name="default">
          <Array class="java.lang.string">
            <Item>.microsoft.com</Item>
            <Item> </Item>
          </Array>
        </Put>
      </New>
    </Set>

These changes will take effect when the Web Proxy is restarted.

Configuring PAC File Emulation in Captive Portal

The Captive Portal can be configured to intercept and respond to requests made by clients for a Proxy Automatic Configuration script. This is enabled by default. To modify this, open:

    <SESM>/captiveportal/webapp/WEB-INF/web-jetty.xml

Refer to the following section:

    <Call name="mapresourcebyextension">
      <Arg>pac</Arg><Arg>/webproxy.pac</Arg>
    </Call>

To disable the feature, comment out the section:

    <!--
    <Call name="mapresourcebyextension">
      <Arg>pac</Arg><Arg>/webproxy.pac</Arg>
    </Call>
    -->

Alternatively, to create a different mapping for a different file extension (cfg in this example), modify as follows:

    <Call name="mapresourcebyextension">
      <Arg>pac</Arg><Arg>/webproxy.pac</Arg>
    </Call>
    <Call name="mapresourcebyextension">
      <Arg>cfg</Arg><Arg>/webproxy.cfg</Arg>
    </Call>

SESM comes with the example webproxy.pac file. If you configure additional mappings for other file extensions, you must also create the appropriate file to associate them with (webproxy.cfg in the above example). These new files should be placed in the following location:

    <SESM>/captiveportal/webapp/

Configuring a No-Proxy Message in Captive Portal

The Captive Portal can be configured to present a customisable message to web-proxy users. This feature is commented out by default. To enable this feature, open:

    <SESM>/captiveportal/webapp/WEB-INF/web-jetty.xml

Refer to the following line:

    <!-- <Set name="noproxyresource">/noproxy.html</Set> -->

To enable the feature, uncomment this line:

    <Set name="noproxyresource">/noproxy.html</Set>

Edit the following web page to customize the message:

    <SESM>/captiveportal/webapp/noproxy.html

Supported Browser Versions

Internet Explorer versions 5.0 or less are not supported, as these have known issues with proxying. It is recommended that you use the latest versions of browsers such as IE 6.0 SP2 or Netscape

Connectivity Issues

Ensure that the servers that do proxy handling have internet connectivity. This is for the white lists for Captive Portal, and in general for Web Proxy. In particular, some lab firewalls may allow standard requests (80/8080), but block secure requests (443/8443).

Security Issues

Ensure that direct access to the Web Proxy is not possible (default port used is 8102). The recommended approach is to use an ACL on the SSG, or configure a firewall depending on setup.

Port-bundle Hostkey (PBHK) Issues

Ensure that the SSG is port-mapping for Captive Portal (ports 8090 to 8101) and Web Proxy (port 8102) as well. For example:

    ssg port-map
     destination range 8443 to 8443 ip <SESM IP>
     destination range 8080 to 8102 ip <SESM IP>

The default bundle-length is 4. This allows a maximum of 16 simultaneous TCP-connections. It is recommended to experiment with higher values of bundle-length, such as 6, if experiencing performance issues. The reason for the degraded performance is the large number of TCP-connections used with IE default proxy setting of using HTTP/1.0.

To compensate for the increased bundle-length, increase the number of loopback addresses on the SSG so as to handle the same number of users.

    ssg port-map
     destination range 8443 to 8443 ip <SESM IP>
     destination range 8080 to 8102 ip <SESM IP>
     source ip Loopback0
     source ip Loopback1
    interface Loopback0
     ip address
    !
    interface Loopback1
     ip address
    !

Other SSG Issues

This section contains answers to frequently asked questions on the SSG.

Bad Performance for Proxying

Ensure that the SSG is not limiting the max number of sessions for the server-group excessively. The following would cause proxying to be very slow.

    server-group xxx max-session host

The reason for this is that the default proxy setting for IE is to use HTTP/1.0, which uses at least 16 connections. In practice, this may be quite a bit higher. If a limit for maximum number of sessions is to be set, a value of 50 has been shown to be suitable.

SSG Fails to Redirect Correctly for Proxy Users

Ensure that the command no ip route-cache cef is not present in the configuration of the interfaces used on the SSG. This will cause permanent proxy redirection to fail.

Accounting Does Not Work for PBHK and Proxying

The SSG DDTS CSCsa44594 has been raised for 12.3(5)B and 12.3(x)T. If you upgrade from 12.3(3)B, make sure you have a version with DDTS CSCsa44594 resolved.

General Testing Issues

If you experience issues after authentication with setting up the Web Proxy, but have not yet blocked direct access to the Web Proxy (using ACL or firewall), then it is worth configuring your browser to use the Web Proxy as its proxy server. This way, no TCP-redirection in the SSG is needed, and the functioning of the web proxy can be tested, for example for internet access.

Configuring the SSG to allow the SESM DNSproxy

For example:

    ssg open-garden DNS
    local-profile DNS
     attribute "R ; "
     attribute "D "
     attribute "O*"
    !

Configuring the SESM DNSProxy Application

The DNSProxy application is installed by default, and is started by running the following script:

    <SESM>/tools/bin/startDNS.sh

The SESM DNS proxy always remains in use for non-proxy users, but is only used once by proxy users to look up the configured proxy server in their browser.

To configure the DNS servers that the DNSProxy application will use to attempt to resolve requests, refer to the following file:

    <SESM>/tools/config/dns.xml

This section defines the primary and secondary DNS servers:

    <Item>
      <New class="com.cisco.sesm.erp.dns.dnsdelegationhandler">
        <Set name="name">resolver</Set>
        <Set name="port">53</Set>
        <Set name="servers">
          <Array class="java.lang.string">
            <Item> </Item>
            <Item> </Item>
          </Array>
        </Set>
        <Set name="timeout">5000</Set>
        <Set name="dump" type="boolean">true</Set>
      </New>
    </Item>

To configure the substitute IP that the DNSProxy application will insert in responses to un-resolvable requests, refer to the following file:

    <SESM>/tools/config/dns.xml

This section defines the substitute IP address. The IP that is used here should be an upstream IP address.

    <New class="com.cisco.sesm.erp.dns.dnssubstituteiphandler">
      <Set name="name">dns</Set>
      <Set name="resolverhandlername">resolver</Set>
      <Set name="substituteipaddress"> </Set>
      <Set name="timetolive">30</Set>
      <Set name="dump">true</Set>
    </New>

SESM RDP and RADIUS FAQ

This section contains answers to frequently asked questions on SESM RDP and RADIUS.

RDP in Proxy Mode

The Radius Data Proxy (RDP) can be configured to proxy authentication and/or accounting and/or service requests to a configured proxy RADIUS server and forward the response from the Proxy back to the client.

Configuring Proxy Mode During SESM SPE Installation

For SESM SPE installations, this is the simplest way of configuring the RDP for Proxy Mode. At the Enter further values for RDP screen, select the Proxy Mode option.

Figure 4-1 Enter Further Values for RDP Screen

If the Proxy Mode option is selected, the subsequent screen will request details of the Primary and Secondary Proxy RADIUS servers: IP-Address, Port and Shared Key.


More information

Authentication, Authorization, and Accounting Configuration on the Cisco PIX Firewall

Authentication, Authorization, and Accounting Configuration on the Cisco PIX Firewall 13 Authentication, Authorization, and Accounting Configuration on the Cisco PIX Firewall Overview This chapter includes the following topics: Objectives Introduction Installation of CSACS for Windows NT

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 12.1

BIG-IP Access Policy Manager : Secure Web Gateway. Version 12.1 BIG-IP Access Policy Manager : Secure Web Gateway Version 12.1 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...11 About Secure Web Gateway for web access...11 About the benefits

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 7, 2013 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

ForeScout CounterACT. Configuration Guide. Version 1.2

ForeScout CounterACT. Configuration Guide. Version 1.2 ForeScout CounterACT Core Extensions Module: DNS Enforce Plugin Version 1.2 Table of Contents About the DNS Enforce Plugin... 3 What to Do... 4 Requirements... 4 Configure the Plugin... 4 Target IP...

More information

Session Border Controller

Session Border Controller CHAPTER 14 This chapter describes the level of support that Cisco ANA provides for (SBC), as follows: Technology Description, page 14-1 Information Model Objects (IMOs), page 14-2 Vendor-Specific Inventory

More information

RSA NetWitness Platform

RSA NetWitness Platform RSA NetWitness Platform RSA SecurID Access Last Modified: Tuesday, January 29, 2019 Event Source Product Information: Vendor: RSA, The Security Division of Dell EMC Event Sources: Authentication Manager,

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication CHAPTER 42 This chapter describes how to configure web-based authentication. It consists of these sections: About Web-Based Authentication, page 42-1, page 42-5 Displaying Web-Based Authentication Status,

More information

WCCPv2 and WCCP Enhancements

WCCPv2 and WCCP Enhancements WCCPv2 and WCCP Enhancements Release 12.0(11)S June 20, 2000 This feature module describes the Web Cache Communication Protocol (WCCP) Enhancements feature and includes information on the benefits of the

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 18, 2012 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

Configuring Caching Services

Configuring Caching Services CHAPTER 8 This chapter describes how to configure conventional caching services (HTTP, FTP [FTP-over-HTTP caching and native FTP caching], HTTPS, and DNS caching) for centrally managed Content Engines.

More information

tcp-map through type echo Commands

tcp-map through type echo Commands CHAPTER 31 31-1 tcp-map Chapter 31 tcp-map To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that

More information

Intercepting Web Requests

Intercepting Web Requests This chapter contains the following sections: Overview of, on page 1 Tasks for, on page 1 Best Practices for, on page 2 Web Proxy Options for, on page 3 Client Options for Redirecting Web Requests, on

More information

Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary

More information

Configuring Health Monitoring

Configuring Health Monitoring CHAPTER1 This chapter describes how to configure health monitoring on the ACE to track the state of a server by sending out probes. Also referred to as out-of-band health monitoring, the ACE verifies the

More information

Maintenance Tasks CHAPTER

Maintenance Tasks CHAPTER CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-3 Configuring Date and Time Properties,

More information

eigrp log-neighbor-warnings through functions Commands

eigrp log-neighbor-warnings through functions Commands CHAPTER 12 eigrp log-neighbor-warnings through functions Commands 12-1 eigrp log-neighbor-changes Chapter 12 eigrp log-neighbor-changes To enable the logging of EIGRP neighbor adjacency changes, use the

More information

VI. Corente Services Client

VI. Corente Services Client VI. Corente Services Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 II. Corente Client Configuration...

More information

Configuring the CSS for Device Management

Configuring the CSS for Device Management CHAPTER 2 Configuring the CSS for Device Management Before you can use the WebNS Device Management user interface software, you need to perform the tasks described in the following sections: WebNS Device

More information

Barracuda Firewall Release Notes 6.6.X

Barracuda Firewall Release Notes 6.6.X Please Read Before Upgrading Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that are more current than the version that

More information

Configuring Network Admission Control

Configuring Network Admission Control CHAPTER 59 This chapter describes how to configure Network Admission Control (NAC) in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see

More information

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to 3 CHAPTER This chapter describes how to configure Remote Access Dial-In User Service (RADIUS) protocol on NX-OS devices. This chapter includes the following sections: Information About RADIUS, page 3-1

More information

User Role Firewall Policy

User Role Firewall Policy User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 10 This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3750 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments,

More information

Configure Guest Flow with ISE 2.0 and Aruba WLC

Configure Guest Flow with ISE 2.0 and Aruba WLC Configure Guest Flow with ISE 2.0 and Aruba WLC Contents Introduction Prerequisites Requirements Components Used Background Information Guest Flow Configure Step 1. Add Aruba WLC as NAD in ISE. Step 2.

More information

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions MERUNETWORKS.COM February 2013 1. OVERVIEW... 3 2. AUTHENTICATION AND ACCOUNTING... 4 3. 802.1X, CAPTIVE PORTAL AND MAC-FILTERING...

More information

Lab Configuring and Verifying Standard IPv4 ACLs (Instructor Version Optional Lab)

Lab Configuring and Verifying Standard IPv4 ACLs (Instructor Version Optional Lab) (Instructor Version Optional Lab) Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only. Optional activities are designed to enhance understanding and/or

More information

Installation & Configuration Guide Version 4.0

Installation & Configuration Guide Version 4.0 TekSIP Installation & Configuration Guide Version 4.0 Document Revision 6.8 https://www.kaplansoft.com/ TekSIP is built by Yasin KAPLAN Read Readme.txt for last minute changes and updates, which can be

More information

SSG Service Profile Caching

SSG Service Profile Caching SSG Service Profile Caching The SSG Service Profile Caching feature enhances the authentication process for Service Selection Gateway services by allowing users to authenticate a service using the service

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

Active Directory as a Probe and a Provider

Active Directory as a Probe and a Provider Active Directory (AD) is a highly secure and precise source from which to receive user identity information, including user name, IP address and domain name. The AD probe, a Passive Identity service, collects

More information

DWS-4000 Series DWL-3600AP DWL-6600AP

DWS-4000 Series DWL-3600AP DWL-6600AP Unified Wired & Wireless Access System Configuration Guide Product Model: Release 1.0 DWS-4000 Series DWL-8600AP DWL-6600AP DWL-3600AP Page 1 Table of Contents 1. Scenario 1 - Basic L2 Edge Setup: 1 Unified

More information

2016/01/17 04:04 1/9 Basic Routing Lab

2016/01/17 04:04 1/9 Basic Routing Lab 2016/01/17 04:04 1/9 Basic Routing Lab Basic Routing Lab Introduction The purpose of this exercise is to introduce participants to the basic configuration requirements of a Cisco router. The network topology

More information

Implementing Network Admission Control

Implementing Network Admission Control CHAPTER 2 This chapter describes how to implement Network Admission Control (NAC) and includes the following sections: Network Topology Configuration Overview Installing and Configuring the Cisco Secure

More information

Configuring a Terminal/Comm Server

Configuring a Terminal/Comm Server Configuring a Terminal/Comm Server Document ID: 5466 Introduction Prerequisites Requirements Components Used Conventions Cabling Design Strategy Configure Network Diagram Configurations Command Summary

More information

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide Web configuration reference guide 6623-3201 MRD-310 MRD-330 Westermo Teleindustri AB 2008 3G Cellular Modem / Router Web configuration reference guide www.westermo.com Table of Contents 1 Basic Configuration...

More information

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy Que: -Proxy server Introduction: Proxy simply means acting on someone other s behalf. A Proxy acts on behalf of the client or user to provide access to a network service, and it shields each side from

More information

Configuring Virtual Servers

Configuring Virtual Servers 3 CHAPTER This section provides an overview of server load balancing and procedures for configuring virtual servers for load balancing on an ACE appliance. Note When you use the ACE CLI to configure named

More information

System requirements The minimum system requirements for a gateway with less than 10Mbps of throughput are:

System requirements The minimum system requirements for a gateway with less than 10Mbps of throughput are: pfsense Summary pfsense is a distribution of FreeBSD that has been tailored for user as a firewall/router. It offers many features that would be useful for public wifi. It is a free, open source application

More information

Lab Configuring and Verifying Extended ACLs Topology

Lab Configuring and Verifying Extended ACLs Topology Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1

More information

Configuring ISG Policies for Automatic Subscriber Logon

Configuring ISG Policies for Automatic Subscriber Logon Configuring ISG Policies for Automatic Subscriber Logon Intelligent Services Gateway (ISG) is a software feature set that provides a structured framework in which edge devices can deliver flexible and

More information

Oracle E-Business Suite 11i with Cisco ACE Series Application Control Engine Deployment Guide, Version 1.0

Oracle E-Business Suite 11i with Cisco ACE Series Application Control Engine Deployment Guide, Version 1.0 Design Guide Oracle E-Business Suite 11i with Cisco ACE Series Application Control Engine Deployment Guide, Version 1.0 This design guide describes how to deploy the Cisco Application Control Engine (Cisco

More information

Office and Express Print Release High Availability Setup Guide

Office and Express Print Release High Availability Setup Guide Office and Express Print Release High Availability Setup Guide Version 1.0 2017 EQ-HA-DCE-20170512 Print Release High Availability Setup Guide Document Revision History Revision Date May 12, 2017 September

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized

More information

Failover for High Availability in the Public Cloud

Failover for High Availability in the Public Cloud This chapter describes how to configure Active/Backup failover to accomplish high availability of the Cisco ASAv in a public cloud environment, such as Microsoft Azure. About Failover in the Public Cloud,

More information

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER Table of Contents Table of Contents Introducing the F5 and Oracle Access Manager configuration Prerequisites and configuration notes... 1 Configuration

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

Wireless LAN Controller Web Authentication Configuration Example

Wireless LAN Controller Web Authentication Configuration Example Wireless LAN Controller Web Authentication Configuration Example Document ID: 69340 Contents Introduction Prerequisites Requirements Components Used Conventions Web Authentication Web Authentication Process

More information

IP Access List Overview

IP Access List Overview Access control lists (ACLs) perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict

More information

BIG-IP DNS: Monitors Reference. Version 12.1

BIG-IP DNS: Monitors Reference. Version 12.1 BIG-IP DNS: Monitors Reference Version 12.1 Table of Contents Table of Contents Monitors Concepts...5 Purpose of monitors...5 Benefits of monitors...5 Methods of monitoring...5 Comparison of monitoring

More information

Maintenance Tasks CHAPTER

Maintenance Tasks CHAPTER CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-4 Configuring Date and Time Properties,

More information

Forescout. Configuration Guide. Version 1.3

Forescout. Configuration Guide. Version 1.3 Forescout Version 1.3 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

HT801/HT802 Firmware Release Notes IMPORTANT UPGRADING NOTE

HT801/HT802 Firmware Release Notes IMPORTANT UPGRADING NOTE HT801/HT802 Firmware Release Notes IMPORTANT UPGRADING NOTE Once HT801/HT802 is upgraded to 1.0.3.2 or above, downgrading to 1.0.2.x firmware version or lower is not supported. Once HT801/HT802 is upgraded

More information