Release 3.1.6
May 2008
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work,
Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP,
CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone,
iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers,
Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to
Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain
other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0804R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Preface xi
Prerequisites 3-1
Uninstalling the DHCP Lease Query LEG from the SM Server 8-2
Uninstalling the DHCP Lease Query LEG from the SCE Device 10-1
Topologies 17-2
This document explains how to install and configure the Cisco Service Control Management Suite
(SCMS) Subscriber Manager (SM) Login Event Generators (LEGs).
This document is intended for system administrators and integrators who are responsible for the
installation, configuration, and maintenance of the LEG components. The administrator or system
integrator should be familiar with the following:
• CNR extensions concept
• DHCP protocol
• MPLS/VPN architecture
• RADIUS extensions concept
• RADIUS protocol
• SOAP concepts
• Cisco Service Control Subscriber Management and Subscriber Integration concepts
For complete information about Cisco's SCMS subscriber integration concept, see the Cisco SCMS
Subscriber Manager User Guide.
Organization
This guide contains the following sections:
Related Publications
Use this Cisco SCMS SM LEGs User Guide in conjunction with the following Cisco documentation:
• Cisco SCMS Subscriber Manager User Guide
• Cisco Service Control Application for Broadband User Guide
Conventions
This document uses the following conventions:
Convention Indication
bold font Commands and keywords and user-entered text appear in bold font.
italic font Document titles, new or emphasized terms, and arguments for which you supply
values are in italic font.
[ ] Elements in square brackets are optional.
{x | y | z } Required alternative keywords are grouped in braces and separated by
vertical bars.
[x|y|z] Optional alternative keywords are grouped in brackets and separated by
vertical bars.
string A nonquoted set of characters. Do not use quotation marks around the string or
the string will include the quotation marks.
courier font Terminal sessions and information the system displays appear in courier font.
< > Nonprinting characters such as passwords are in angle brackets.
[ ] Default responses to system prompts are in square brackets.
!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code
indicates a comment line.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might perform an action that could result in equipment
damage or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in
the paragraph.
Warning Means reader be warned. In this situation, you might perform an action that could result in
bodily injury.
This module defines terms and concepts that are necessary for understanding the Login Event Generators
(LEGs) and the Subscriber Manager (SM) configuration and operation. More information about all items
can be found in the Cisco SCMS Subscriber Manager User Guide.
• General Concepts, page 1-1
• CNR Concepts, page 1-3
• DHCP Concepts, page 1-4
• RADIUS Concepts, page 1-5
• MPLS/VPN BGP Concepts, page 1-7
• SOAP Concepts, page 1-9
General Concepts
• Cable/Satellite Modem, page 1-1
• CPE (Customer Premise Equipment), page 1-1
• LEG (Login Event Generator), page 1-2
• Pull-request, page 1-2
• RDR (Raw Data Record), page 1-2
• Subscriber Domain, page 1-2
• Subscriber ID, page 1-2
• Subscriber Mappings, page 1-2
Cable/Satellite Modem
A data modem that provides Internet access over cable and satellite networks. The modem usually
corresponds to a single subscriber of the Internet Service Provider (ISP).
Pull-request
A message sent from a service control engine (SCE) platform to the SM or the LEG when it identifies
the use of a new subscriber IP address in the network. The SM uses the IP address provided in this
message to query the database to retrieve the subscriber data of the subscriber associated with this
address and to send its data to the SCE.
Subscriber Domain
The SM provides the option of partitioning SCE platforms and subscribers into subscriber domains. A
subscriber domain is a group of SCE platforms that share a group of subscribers. Subscriber domains
can be configured using the SM configuration file and can be viewed using the SM Command-Line
Utility (CLU).
It is also possible to configure domain aliases. A domain alias is a synonym for the actual domain name
in the SM. Domain aliases are configured in the SM configuration file.
For additional information about domains and domain aliases, see the Configuration File Options
module of the Cisco SCMS Subscriber Manager User Guide.
Subscriber ID
The Service Control solution requires a unique identifier for each subscriber. A subscriber ID represents
a logical subscriber entity from the service provider perspective.
Subscriber Mappings
The SCE platform requires mappings between the network IDs (IP addresses) of the flows it encounters
and the subscriber IDs. The SM database contains the network IDs that map to the subscriber IDs. The
SCE network-ID-to-subscriber mappings are constantly updated from the SM database.
The main function of the SM LEGs is to provide the SM/SCE with network-ID-to-subscriber mappings
in real time.
For information about the SCE platforms, see the Cisco SCE 1000 2xGBE Installation and
Configuration Guide and the Cisco SCE 2000 4xGBE Installation and Configuration Guide.
CNR Concepts
• Communication Link Failure Handling, page 1-3
• DHCP DoS Attack Filter, page 1-3
• Remote Procedure Call Protocol (PRPC), page 1-3
• SM C++ API, page 1-3
• SM Cable Support Module, page 1-4
• Subscriber Autologout, page 1-4
• Subscriber Mode, page 1-4
SM C++ API
The SM C++ API exposes a set of operations designed to enable subscriber integration with the Cisco
system. The CNR LEG uses the SM C++ API as its basic communication layer.
For additional information about the C++ API, see the Cisco SCMS SM C/C++ API Programmer Guide.
Subscriber Autologout
The SM supports the configuration of an autologout timer (lease-time) for each subscriber. The timer is
set when performing a subscriber cableLogin or login operation. The CNR LEG extracts and sets an
autologout value from the DHCP IP lease expiration time option.
Subscriber Mode
The Subscriber Mode defines which entity is referred to as the subscriber in the LEG and in the SM.
Cable providers usually prefer using the Cable Modem (CM) as the subscriber entity to be assigned
multiple IP addresses (one per Customer Premises Equipment (CPE)).
The CNR LEG supports the CPE as Subscriber and CM as Subscriber (the default) modes, as defined
by the configuration.
The CNR LEG works with the SM cable support module when operating in the “CPE as Subscriber”
mode. For additional information about cable environment subscriber modes, see the the CPE as
Subscriber in Cable Environment module of the Cisco SCMS Subscriber Manager User Guide.
DHCP Concepts
• DHCP ACK Packet, page 1-4
• DHCP Lease Extension Transaction (Renewal), page 1-5
• DHCP Lease Query Transaction, page 1-5
• DHCP Release Transaction, page 1-5
• DHCP Sniffer, page 1-5
• Subscriber Policy, page 1-5
DHCP Sniffer
The software logic inside the SCE device that analyzes DHCP traffic and sends the information to the
SCE-Sniffer DHCP LEG using the raw data record (RDR) protocol.
Subscriber Policy
A subscriber policy package usually defines the policy enforced by Cisco SCMS solutions on each
subscriber. The DHCP Lease Query LEG and the SCE-Sniffer DHCP LEG can handle the package ID
in any of the following ways:
• Set the policy according to configurable options of the DHCP initial login or lease extension
transactions
• Set the policy using a constant default value
• Leave the policy unset
For additional information, see the Cisco Service Control Application for Broadband User Guide.
RADIUS Concepts
• NAS (Network Access System), page 1-6
• RADIUS Accounting Transactions, page 1-6
• RADIUS Accounting Start/Interim/Stop, page 1-6
• RADIUS Authentication Transactions, page 1-6
RADIUS Sniffer
The software logic inside the SCE device that analyzes RADIUS traffic and sends the information to the
SCE-Sniffer RADIUS LEG using the RDR protocol.
Note Currently the LEG supports subscriber mappings over VPN only for VPNs that are defined by a
VLAN-ID (also referred to as "VPNs of type VLAN").
Note The SM is able to learn VLAN VPNs automatically: upon subscriber login with a VLAN-ID that is
unknown to the SM, the SM will add the VPN automatically using the VLAN-ID as a VPN name
Subscriber Policy
A subscriber policy package usually defines the policy enforced by Cisco SCMS solutions on each
subscriber. The RADIUS Listener LEG and the SCE-Sniffer RADIUS LEG can handle the package ID
in any of the following ways:
• Set the policy according to configurable attributes of the RADIUS transactions
• Set the policy using a constant default value
• Leave the policy unset
For additional information, see the Cisco Service Control Application for Broadband User Guide.
CE (Customer Edge)
A router on the service provider site that connects to the PE (Provider Edge) router in the MPLS core.
The CE router only passes the message packet with the IP address and is not concerned with the
MPLS/VPN label.
PE (Provider Edge)
A router in the service provider MPLS core that provides routing information between the customer
router and the MPLS/VPN network. The PE router maintains a VRF (Virtual Routing and Forwarding)
table for each customer site to determine how to route the packet.
RD (Route Distinguisher)
An 8-byte value that is concatenated with an IPv4 prefix to create a unique VPN IPv4 prefix.
The RD uniquely identifies the VPN VRF within a PE router.
RR (Route Reflector)
A network element in the service provider network that is used to distribute BGP routes to the service
provider BGP-enabled routers. Route Reflectors provide a mechanism for both minimizing the number
of update messages transmitted within the autonomous system and reducing the amount of data that is
propagated in each message.
RT (Route Target)
Used by the routing protocols to control import and export policies and to build arbitrary VPN topologies
for customers.
VPN ID
The Service Control solution requires a unique identifier for each VPN. A VPN ID represents a logical
VPN entity from the service provider perspective.
SOAP Concepts
• SOAP, page 1-9
• UsernameToken Profile, page 1-9
• WSDL, page 1-9
• WSS, page 1-9
SOAP
SOAP is a lightweight protocol intended for exchanging structured information in a decentralized,
distributed environment. It uses XML technologies to define an extensible messaging framework
providing a message construct that can be exchanged over a variety of underlying protocols. The
framework has been designed to be independent of any particular programming model and other
implementation specific semantics.
UsernameToken Profile
The <wsse:UsernameToken> is an element introduced in the WSS SOAP Message Security documents
as a way of providing a username.
WSDL
WSDL is an XML format for describing network services as a set of endpoints operating on messages
containing either document-oriented or procedure-oriented information. The operations and messages
are described abstractly, and then bound to a concrete network protocol and message format to define
an endpoint. Related concrete endpoints are combined into abstract endpoints (services).
WSS
WS-Security (Web Services Security) is a communications protocol providing a means for applying
security to Web Services. Originally developed by IBM, Microsoft, and VeriSign, the protocol is now
officially called WSS and is developed and maintained via committee in Oasis-Open.
The protocol contains specifications on how integrity and confidentiality can be enforced on Web
Services messaging. WS-Security incorporates security features in the header of a SOAP message and
thus works in the application layer. Thus, it ensures end-to-end security.
CNR LEG
CH A P T E R 2
About the CNR LEG
This module describes the Subscriber Manager CNR LEG software module.
The Cisco Network Registrar (CNR) Login Event Generator (LEG) is a software module that forwards
login and logout events from the CNR to the Cisco Service Control Management Suite Subscriber
Manager (SCMS SM). The CNR LEG is actually a CNR extension developed in C++. The extension
points used by CNR LEG are:
• init-entry
• post-send-packet
• post-packet-decode
This module describes the CNR LEG installation procedures for both Widows and Solaris platforms. It
also describes the uninstall procedure.
• Prerequisites, page 3-1
• Package Contents, page 3-1
• Installing the CNR LEG on Windows, page 3-2
• Installing the CNR LEG on Solaris, page 3-3
• Uninstalling the CNR LEG, page 3-4
Prerequisites
CNR LEG is operable with any CNR version 5.0 or later.
The platform requirements (OS/CPU/RAM/disk) are the same as the CNR requirements for both
Windows and Solaris. See the Cisco Network Registrar (CNR) Installation Guide for platform
requirements details.
Package Contents
The CNR LEG distribution part of the SCMS-SM LEG distribution file and is located in the CNR_LEG
directory. The following table describes the contents of the CNR LEG distribution package supplied by
Cisco.
Note You must use the cfg-dir full path in the init-args argument.
Note You must use a slash (“/”) and not a back-slash (“\”) as the path separator.
Note You must use the cfg-dir full path in the init-args argument.
1. Any sequence number can be used for this command.
2. Any sequence number can be used for this command.
3. Any sequence number can be used for this command.
Note You must use a slash (“/”) and not a back-slash (“\”) as the path separator.
This module explains how to configure the CNR LEG and to configure the Subscriber Manager (SM) to
use the CNR LEG module.
• Information About Configuring the CNR LEG, page 4-1
• Information About Configuring the Subscriber Manager, page 4-4
Note It is important to properly configure SM-LEG failure handling on the SM before continuing with the
CNR LEG configuration. For information about configuring the SM, See the Configuration File Options
module of the Cisco SCMS Subscriber Manager User Guide.
In order to configure the failure handling, you must do the following in the configuration file:
• Activate SM-LEG Failure Handling
• Set LEG-Domains associations
Note You do not have to configure domain aliases in those cases where each CMTS updates a single
subscriber domain and you have configured the subscriber domain names in the SM to be the IP address
of the matching CMTS.
Configuring Autologout
To automatically log out subscribers when their lease time expires, you must configure the SM
autologout interval. After every autologout interval time, the SM checks which subscriber IP addresses
have a lease time that has expired and begins to automatically remove these IP addresses from the
system.
Lease time is the timeout defined by the LEG during the login operation of each IP address, based on
the lease-time option. All subscriber login events will start a timer of lease_time seconds. When the
timer expires and the grace_period, which is another configuration parameter, has also passed, the
subscriber's IP addresses are removed causing the subscriber to be removed from the SCE platform
database. If the subscriber logs on with an existing IP address during the countdown period, the timer is
reset and the countdown period restarts.
If the autologout value is set to zero (0), the SM's autologout mechanism is disabled.
If the autologout interval is set to a value greater than zero, the SM's autologout mechanism is enabled.
Note The subscriber record (with no mappings) remains in the SM database, preserving the subscriber state.
Autologout Example
The following example is a portion of a sample p3sm.cfg configuration file showing how to configure
the autologout interval to 6 minutes:
[Auto Logout]
# The following parameter configures the time between each run of
# the auto-logout mechanism. After every “auto-logout” time
# interval, the SM checks which subscriber IP addresses have a lease
# time that has expired, and begins to automatically remove these IP
# addresses from the system (causing it to be removed from the SCE
# platform's database).
# Auto-logout should be activated when the LEG/API cannot provide
# logout indications.
auto_logout_interval=360
# The following parameter defines the grace period in seconds for
# subscriber auto logout. A subscriber will be logged out only after
# timeout period + grace period seconds.
grace_period=10
# The following parameter defines the maximum rate (logouts per
# second) that the auto-logout task will perform logouts from the
# system. This enables to spread the load of the logout operations
# over time, and reduce the performance impact on other operations.
# the value should be calculated so it spreads the logouts over at
# least half of 'auto_logout_interval' time. (default 50)
max_rate=50
[RPC.Server]
# RPC server port (default 14374)
port=14374
To view the status of the PRPC server in the SM, use the p3rpc CLU.
>p3rpc --show
This module describes the log messages written to the CNR Log.
Log Messages
The following messages are displayed during the LEG startup procedure. (This message is logged every
time the DHCP server is restarted):
• "CNR LEG: init entry called - starting initialization" – CNR LEG
initialization was called
• "CNR LEG: finished initialization successfully"
The following messages are displayed – containing the configuration or default parameters – at
initialization:
• "CNR LEG: thread priority =<integer value>"
• "CNR LEG: buffer size =<integer value>"
• "CNR LEG: reconnect timeout =<integer value>"
• "CNR LEG: encoding =<encoding>"
• "CNR LEG: KA duration =<integer value>"
• "CNR LEG: session timeout =<integer value>"
• "CNR LEG: debug mode on =<integer value>"
• "CNR LEG: trace level =<integer value>"
• "CNR LEG: lease time option =<integer value>"
• "CNR LEG: SM port =<integer value>"
• "CNR LEG: SM IP =<IP address>"
• "CNR LEG: report errors on =<integer value>"
• "CNR LEG: CM as Subscriber =<integer value>"
• "CNR LEG: Attack-Filter on =<integer value>"
• "CNR LEG: Attack threshold <integer value>sec"
• "CNR LEG: Filter entries =<integer value>"
• "CNR LEG: Log filter every <integer value> attacks"
• "CNR LEG: DEBUG MODE ON - enabling trace level <trace level>"
This module describes the CNR LEG design, logging, tracing, and operations performed by the CNR
LEG.
The purpose of this appendix is to provide insight into the CNR LEG operation and integration with
CNR.
• CNR LEG High Level Design, page 6-1
• Logging and Tracing, page 6-2
• Extensions Point Operation, page 6-2
SM CNR LEG
Cable
post-send-packet
support
module post-packet-encode
SM Core init-entry
functionality Extension Point
loginCable logoutCable
PRPC
Server
Message
queue
Network
Network task
157052
Non-blocking C++ API
The only operations performed in the context of the CNR extension dispatching thread are message
creation and placement in a message queue. A separate thread performs the heavy network operations.
Note that if for some reason the message queue is full, the message will be dropped to avoid the risk of
creating a delay, which would damage CNR performance.
Note Changes made to the LEG configuration file become effective only when the LEG is restarted.
init-entry
The extension point init-entry initializes and terminates the CNR LEG.
During initialization, the CNR LEG performs the following operations:
• Reading the configuration file
• Initializing the LEG logging and tracing
• Creating a Nonblocking C++ API instance and connecting it to the SM
• Starting the C++ API network-task thread
During termination, the CNR LEG performs the following operations:
• Stopping and freeing the Nonblocking C++ API instance
• Stopping the C++ API network-task thread
post-send-packet
The extension point post-send-packet sends the following cableLogin operations to the SM:
• Verifying that the request-dictionary is for DHCP REQUEST and the response dictionary is for
DHCP ACK
• Extracting CM-MAC, CPE-MAC, and CMTS-IP from the request dictionary
• Extracting the assigned CPE-IP and lease time from the response dictionary
• In CM as Subscriber mode CM requests are ignored
• Calling the Nonblocking C++ API cableLogin or login operation with the parameters extracted
• If no CM-MAC (option 82) is found, an attempt to extend the lease based solely on the IP address
is performed
post-packet-decode
The extension point post-packet-decode sends the following cableLogout or logout operations to the
SM:
• Verifying that the request dictionary is for either DHCP RELEASE or DHCP DECLINE
• Extracting CM-MAC, CPE-MAC, CPE-IP, and CMTS-IP from the request dictionary
• Calling the Nonblocking C++ API cableLogout\logout operation with the parameters extracted
This module describes the Service Control Management Suite (SCMS) Subscriber Manager (SM) DHCP
Lease Query Login Event Generator (LEG) software module.
• Information About the DHCP Lease Query LEG, page 7-1
• Information About DHCP Lease Query LEG Functionality, page 7-3
SCE
Traffic (1)
Pull Pull
Response Request
(6) (2)
DHCP DHCP
SM Lease Server
Query
157054
LEG
The subscriber's traffic (1) triggers a pull-request from the SCE (2). The SM receives the request for
processing. If the SM does not find a subscriber with a matching IP address in the subscriber database,
it passes the pull-request to the DHCP Lease Query LEG (3). The LEG queries the DHCP server. If the
server finds a match for the IP address in its database, the server replies with the subscriber information
(4). The LEG performs a login operation (5). This operation updates the subscriber database based on
the received information and logs the subscriber into the SCE (6), which triggered the pull-request.
If desired, install the DHCP Lease Query LEG directly on the SCE device to integrate the SCE with
DHCP servers without the use of an SM server. The following diagram represents the operation of the
LEG when installed on the SCE device:
SCE
Traffic (1)
Pull Pull
Response Request
(4) (2)
Lease
Query (3)
DHCP DHCP
Lease Server
Query
157055
LEG
The subscriber's traffic (1) triggers a pull-request from the SCE (2). The Lease Query LEG receives the
request and queries the DHCP server. If the server finds a match for the IP address in its database, the
server replies with the subscriber information (3). Based on the received information, the LEG responds
to the SCE with a pull-response, which includes the subscriber ID and the IP address lease-time returned
from the DHCP server (4).
Note An Internet Engineering Task Force (IETF) standard defines the DHCP Lease-Query transaction. The
LEG supports the RFC 4388 standard. For more information, see the IETF website.
• Subscriber ID—By default, the subscriber ID is the modem MAC address, which you extract from
option 82 (Remote ID sub-option of the DHCP Relay Agent Information Option). Therefore, the
DHCP server must support and store option 82 for each Customer Premise Equipment (CPE). This
default can be overwritten by configuration. Furthermore, the LEG can assign the IP address as a
fallback if the option does not exist in the server's response. This fallback is disabled by default.
• Lease time—The assigned IP is added to the SM or SCE database with a lease time taken from
option 51. Note that if option 51 does not appear in the DHCPLEASEACTIVE reply, an infinite
lease time is assigned for this IP address.
• Package—Configurable options in the DHCP message determine how to assign the package
information. The LEG includes a component that converts the package information data from the
DHCP packet to a subscriber package ID. If the packet does not contain package information, it is
possible to log in the subscriber with a default package, or log in the subscriber with no package
information at all. The package options are assumed to be encoded as strings.
After extracting the preceding information, the LEG logs the subscriber into the SM/SCE.
Package Contents
The DHCP Lease Query LEG distribution is part of the SM LEG distribution. The DHCP Forwarder
application distribution and installation script are also part of the SM LEG distribution.
The DHCP Lease Query LEG uses the DHCP Forwarder application on UNIX machines. For more
information, see DHCP Forwarder Application, page 12-1.
The LEG installation package includes a set of configuration files and command-line utilities for the
LEG.
The SCMS SM LEG distribution file contains the DHCP Lease Query LEG distribution, which is located
in the Lease_Query_LEG directory. Cisco supplies a DHCP Lease Query LEG distribution package. The
following table describes the package contents:
Table 7-1 File Layout of the DHCP Lease Query LEG Distribution Package
Table 7-1 File Layout of the DHCP Lease Query LEG Distribution Package (continued)
This module describes the procedures for installing, uninstalling, and upgrading the DHCP Lease Query
LEG on the subscriber manager (SM).
Note This module is relevant if you are using the subscriber manager server on your network. You should
install the DHCP Lease Query LEG on the SM server and not on the service control engine (SCE) device.
• Installing the DHCP Lease Query LEG on the SM, page 8-1
• Uninstalling the DHCP Lease Query LEG from the SM Server, page 8-2
• Upgrading the DHCP Lease Query LEG, page 8-2
Note After the installation of the PQI file, the SM restarts itself automatically.
Step 1 Backup the configuration files of the DHCP Lease Query LEG.
The original configuration files are deleted by the uninstall process in the next step.
Step 2 Uninstall theDHCP Lease Query LEG by running the p3inst CLU
>p3inst --uninstall -f lease-query-pqi
Step 6 Load the new configuration of the SM by running the p3sm CLU
>p3sm --load-config
This module describes how to configure the DHCP Lease Query LEG on the subscriber manager and
how to use the command-line utilities (CLU).
Note This module is relevant if you are using the subscriber manager server on your network. You should
install the DHCP Lease Query LEG on the SM server and not on the service control engine (SCE) device.
• dhcp_servers
Defines to which DHCP servers the LEG can send requests.
You must enter the IP addresses or hostnames of the DHCP servers separated by commas.
• server_port
Defines the UDP port to which the DHCP servers listen and the Lease Query messages are sent. It
is recommended to use 9067 when working with the DHCP Forwarder. The default value is 9067.
• listening_port
Defines the UDP port to which the LEG listens and the Lease Query replies are sent. It is
recommended to use 9068 when working with the DHCP Forwarder. The default value is 9068.
• client_port
Defines the UDP port that the LEG uses when sending Lease Query messages to the DHCP servers.
It is recommended to use 8068 when working with the DHCP Forwarder. The default value is 8068.
• client_ip_address
Defines the source IP address of the lease-query packets sent to the DHCP servers. The giaddr field
of the DHCP packet also uses this IP address. This parameter is useful for machines with multiple
network interfaces.
The default value is the loopback IP address of the machine.
• support_auto_logout
Defines whether the LEG should query the DHCP servers whenever the autologout mechanism
identifies an expired lease.
Possible values for this parameter are true and false. The default value is false.
• use_forwarder
Defines whether the LEG utilizes the DHCP Forwarder application on the local machine.
Possible values for this parameter are true and false. The default value is true.
• fail_over_criteria
Defines the number of consecutive request failures (timeouts) that triggers a fail-over. Since the
queries are not answered when the server fails, these queries will time out. The consecutive
timed-out queries are counted and when they reach this threshold, the second server is set as the
active server. The default value is 3.
Note The session_timeout parameter affects how long it will take to detect a failed server. Only when the
configured amount of queries fail will the fail-over process be triggered.
• log_timed_out_queries
Controls log messages regarding timed-out queries.
Possible values for this parameter are true or false. The default value is true.
• log_failed_queries
Controls log messages regarding queries that are not sent.
Possible values for this parameter are true or false. The default value is true.
• log_all_queries
Controls log messages regarding each query sent and any reply received.
Possible values for this parameter are true or false. The default value is false.
Use this parameter only for troubleshooting.
• log_login_failures
Controls log messages regarding replies that did not result in the login of a subscriber to the SM.
Possible values for this parameter are true or false. The default value is true.
The [Subscriber ID] section defines the functionality of how the LEG handles the subscriber ID. The
subscriber ID can be taken from a DHCP option, with the ability to fallback to using the allocated IP
address as the subscriber ID. This section contains the following parameters:
• dhcp_option
Defines which DHCP option to use as the subscriber ID. The format of this parameter is the option
number itself; or for DHCP options that have sub-options, the format is the DHCP option and
sub-option type, separated by a colon. For example: 43:123 or 61. The default value is 82:2
(Relay-Agent-Information using the Remote-ID information).
• dhcp_option_type
Defines the format type of the DHCP option defined by the dhcp_option parameter.
Optional values are binary, indicating a binary string converted to an ASCII hexadecimal string; or
string, indicating an ASCII string. The default value is binary.
• default_id
Defines whether in cases where the dhcp_option is not found in the DHCP packet, the LEG should
fall back to a different way of defining the subscriber ID. The supported fallbacks are:
– ip—Use the allocated IP address to create a subscriber ID in the format of: IP_aaa.bbb.ccc.ddd
– Not setting this parameter—No fallback. No login will be performed.
• By default, this parameter is not set.
The [DHCP-Lease-Query-Ids] section contains the message type numbers of the different Lease Query
transaction message types. This is necessary, because the DHCP Lease Query definition is an IETF draft.
This section contains the following parameters:
• lease_query
Defines the DHCPLEASEQUERY message type value. The default value is 13.
• lease_active
Defines the DHCPLEASEACTIVE message type value. The default value is 16.
The following is a sample configuration file:
[DHCP-Lease-Query-LEG]
start=yes
dhcp_servers = 198.1.2.3, 198.5.6.7
fail_over_criteria=10
session_timeout=10
log_timed_out_queries=true
log_failed_queries=true
log_all_queries=true
log_login_failures=true
[Subscriber ID]
dhcp_option=44
dhcp_option_type=binary
[DHCP-Lease-Query-Ids]
lease_query=13
lease_active=16
The subscriber policy configuration in the DHCP Lease Query LEG can be handled in one of the
following ways:
• Dynamic assignment of policy information using information extracted from the DHCP packet. See
Dynamic Assignment of Policy Information, page 9-4.
• Static assignment of a constant package ID for all subscribers who log on via the DHCP Lease Query
LEG. See Static Assignment of Policy Information, page 9-7.
• use_default
Determines whether to use a default policy when no policy information can be extracted from the
DHCP data, such as the configurable options are missing or no options were configured.
Possible values for this parameter are true or false. The default value is false.
• default_policy
Defines the default policy ID to use if no policy information is extracted from the DHCP data. This
parameter is relevant only if the use_default parameter is set to true.
Possible values for this parameter are any integer number. This parameter has no default value.
• allow_login_with_no_policy
Defines whether to perform a login without policy information when no policy information can be
extracted from the DHCP data and the use_default parameter is set to false.
This parameter is relevant only if the use_default parameter is set to false.
Possible values for this parameter are true or false. The default value is true.
• policy_property_name
Defines the name of the application property that contains the policy information. This parameter
has no default value.
Note The policy_property_name parameter is case sensitive and must be written exactly as defined by the
SCA BB Console. For example, packageId, monitor, upVlinkId, or downVlinkId.
• log_all
Defines whether to write detailed user-log messages for all policy association events.
Possible values for this parameter are true or false. The default value is false.
• log_default_assignment
Defines whether to write a user-log message for every assignment of the default value (as defined
by the default_policy parameter).
Possible values for this parameter are true or false. The default value is false.
• mapping_table.<policy_name>
Multiple entries containing the information to convert from the policy information as it appears in
the DHCP packet to the policy property value to be used by the SCA BB application.
These entries do not have default values.
Note The policy_name is case sensitive and must be written exactly as it exists in the DHCP packets.
The [Additional Data] section of the configuration file contains the following parameters:
• label_options
Defines which DHCP option to extract to add to the login operation.
Possible values are the option number or, in the case of DHCP options with sub-options, the option
and sub-option separated by a colon. For example, 43:123 or 61.
There is no default value for this parameter.
• label_keys
Defines the keys that should mark the DHCP options defined by the label_options parameter.
There is no default value for this parameter.
• label_options_type
Defines the format type of the DHCP option defined by the label_options parameter.
Possible values for this parameter are binary (a binary string that is converted to an ASCII
hexadecimal string) or string (an ASCII string).
The default value is binary.
Operation Description
--show Displays all of DHCP Lease Query LEG
configurations and status
--show-statistics Displays counters of DHCP messages handled and
number of logon operations performed
--show-version Displays the version number of the DHCP Lease
Query LEG
--help Displays a list of available operations and
arguments with a short explanation of their
meanings
>p3leasequery --show
DHCP Lease-Query LEG:
=====================
Active: true
DHCP Servers:
Active: 10.1.2.3
Standby: N/A
Session timeout: 20
Fail over criteria: 3
Subscriber ID:
Option: 82:2
Format: binary
Fallback: none
Command terminated successfully
>
Note This section is relevant if you intend to install the DHCP Lease Query LEG directly on the service
control engine (SCE) device in an SM-less installation.
This module describes the procedures for installing, uninstalling, and upgrading the DHCP Lease Query
LEG on the SCE.
The SM-less integration supports a cascade SCE installation.
• Installing the DHCP Lease Query LEG on the SCE, page 10-1
• Uninstalling the DHCP Lease Query LEG from the SCE Device, page 10-1
• Upgrading the DHCP Lease Query LEG, page 10-2
Note After the installation of the PQI file, the management agent restarts itself automatically. Please wait until
the management agent is up before proceeding with configuring the LEG.
Uninstalling the DHCP Lease Query LEG from the SCE Device
Step 1 Uninstall the DHCP Lease Query LEG using the CLI on the SCE device.
Note After the uninstallation of the PQI file, the management agent restarts itself automatically. Please wait
until the management agent is up before using the SCE device.
Step 1 Backup the configuration files of the DHCP Lease Query LEG.
The original configuration files are deleted by the uninstall process in the next step.
The files to backup are leaseq.cfg and dhcp_pkg.cfg, which both reside in the
~pcube/sm/server/root/config directory.
Step 2 Uninstall the DHCP Lease Query LEG.
Run the following CLI on the SCE device.
SCE2000#>configure
SCE2000(config)#>interface LineCard 0
SCE2000(config if)#>pqi uninstall file LEG-PQI
Note After the uninstallation of the PQI file, the management agent restarts itself automatically. Please wait
until the management agent is up before using the SCE device.
Note After the installation of the PQI file, the management agent restarts itself automatically. Please wait until
the management agent is up before proceeding with configuring the LEG.
This module describes how to configure the DHCP Lease Query LEG on the SCE and the CLI.
• Configuring the DHCP Lease Query LEG on the SCE, page 11-1
• Information About the DHCP Lease Query LEG CLI, page 11-1
Configuration CLI
Use the Command-Line Interface (CLI) to configure the general LEG settings of the DHCP Lease Query
LEG.
To enable the LEG:
SCE(config)# subscriber LEG dhcp-lease-query
To set the session_timeout configuration variable (see also Information About Configuring the DHCP
Lease Query LEG, page 9-1):
SCE(config)# subscriber LEG dhcp-lease-query session-timeout DECIMAL
To set the session_timeout variable to the default value:
The failover criteria configuration variable defines the number of consecutive request failures (timeouts)
that triggers a fail-over. Because the queries are not answered when the server fails, these queries time
out. The consecutive timed-out queries are counted and when they reach this threshold, the second server
is set as the active server. The default value is 3.
To set the fail_over_criteria:
SCE(config)# subscriber LEG dhcp-lease-query failover-criteria DECIMAL
The format of the subscriber ID can be set to binary or string. Setting the subscriber ID to binary
indicates a binary string converted to an ASCII hexadecimal string. Setting it to string indicates an
ASCII string. Use the ip-fallback parameter to set the IP to be the subscriber ID if the DHCP option is
not found in the packet.
To set the subscriber ID option:
SCE(config)# subscriber LEG dhcp-lease-query sub-id-option STRING binary|string
[ip-fallback]
For example:
• subscriber LEG dhcp-lease-query sub-id-option 82:2 binary
This example uses DHCP option 82:2 for the subscriber ID, and its type is binary. No fallback is
performed if the option is not found.
• subscriber LEG dhcp-lease-query sub-id-option 43:1 string ip-fallback
This example uses DHCP option 32:1 for the subscriber ID, and its type is string. The IP is used as
the subscriber ID if the DHCP option is not found.
To set the subscriber ID option to the default value:
SCE(config)# default subscriber LEG dhcp-lease-query sub-id-option
For policy association, the LEG uses exactly the same file described in the Configuring Policy
Association section. Set and load the configuration file with the following CLI (you must specify the full
path and the file name):
SCE(config)# subscriber LEG dhcp-lease-query package-association-file STRING
The default package association configuration does not assign package information. To set the
configuration back to the default configuration file:
SCE(config)# default subscriber LEG dhcp-lease-query package-association-file
To set all parameters of the DHCP lease query LEG to the default settings, use the following CLI:
SCE(config)# default subscriber LEG dhcp-lease-query
Show CLI
To view the general configuration of the LEG, enter the following command:
SCE# show subscriber LEG dhcp-lease-query
This module describes how to install the DHCP forwarder application as well as adding and removing
resources.
Note This module is only relevant when the DHCP Lease Query LEG is installed on the subscriber manager
server.
The DHCP Forwarder application acts as a bridge between the DHCP Lease Query LEG and the DHCP
servers. The LEG sends a request to the DHCP Forwarder, which then forwards the request to the
appropriate DHCP server. The DHCP Forwarder passes the replies from the DHCP servers to the LEG.
The LEG signals the forwarder which server should receive each request. Therefore, no special
configuration is needed for this application.
Because only root privileged applications can open ports under 1024 (DHCP uses ports 67 and 68), the
DHCP Forwarder runs with root privileges.
• Installing the DHCP Forwarder, page 12-1
• Uninstalling the DHCP Forwarder, page 12-2
• DHCP Forwarder VCS Agent, page 12-2
Step 1 Run the DHCP Forwarder installation script from the Lease_Query_LEG directory of the SM DIST root
directory.
You must run the DHCP Forwarder installation script as root.
#./install-forwarder.sh
The installation script extracts the DHCP Forwarder distribution to the sm-inst-dir
\sm\server\addons\dhcp-forwarder directory (sm-inst-dir refers to the SM installation directory). The
script adds the initialization scripts to their location according to the machine's OS.
Step 2 Run the DHCP Forwarder application.
The DHCP Forwarder application can be run using one of the following methods:
• Restart the machine. The initialization script will start the application automatically.
• Run the following command as root:
#/etc/init.d/p3dhcpforwarder start
Note It is not possible to run the script if the /etc/motd file exists. The file should be moved or removed prior
to running the install-forwarder.sh script.
Run the following command via a Telnet session on each of the servers:
>ps -ea -o pid,s,args
Look for the line containing the text "DHCP_FORWARDER". This line contains the path and arguments
of the DHCP Forwarder to be used in the next step.
Step 4 Define the OnlineCmd, PathName, and Arguments parameters.
Define the parameters as follows:
• OnlineCmd—Type the DHCP Forwarder start command:
/etc/init.d/p3dhcpforwarder start
• PathName—Type the DHCP Forwarder process path (from the previous step). For example:
/opt/pcube/j2re1.4.2_05/bin/java
• Arguments—Type the DHCP Forwarder process arguments (from the previous step). For example:
DAPP=DHCP_FORWARDER -jar /opt/pcube/sm/server.
For further information about the parameters, see the following figure.
Note The arguments line might seem shorter than the actual full argument list. This is perfectly acceptable.
Step 1 Right-click on the DHCP Forwarder Resource icon and choose Delete from the drop-down menu.
This module describes the Service Control Management Suite (SCMS) Subscriber Manager (SM)
SCE-Sniffer DHCP Login Event Generator (LEG) software module.
• Information About the SCE-Sniffer DHCP LEG, page 13-1
• Information About SCE-Sniffer DHCP LEG Functionality, page 13-2
SCE
Traffic (1)
RDR(2)
Login
Logout (3)
SCE-
Sniffer SM
DHCP
157081
LEG
Note A logout operation is also performed when the lease time of the subscriber is expired, and the SM is
configured to perform auto logouts. Release transactions also trigger logout operations, but do not
replace the auto logout mechanism of the SM.
This module describes the procedures for installing, uninstalling, and upgrading the SCE-Sniffer DHCP
login event generator (LEG) on the subscriber manager (SM).
The SCE-Sniffer DHCP LEG is an external component (PQI file) of the SM software and should be
installed separately using the SM Command-Line Utility (CLU). The SCE-Sniffer DHCP LEG
distribution is part of the SM LEG distribution.
The installation package of the LEG includes a set of configuration files and CLU commands for the
SCE-Sniffer DHCP LEG.
• Installing the SCE-Sniffer DHCP LEG, page 14-1
• Uninstalling the SCE-Sniffer DHCP LEG, page 14-2
• Upgrading the SCE-Sniffer DHCP LEG, page 14-2
Prerequisites
Verify that the Service Control Application for Broadband (SCA BB) is installed on all SM and SCE
devices. If not, install the application as described in the Cisco Service Control Application for
Broadband User Guide.
Note After the installation of the PQI file, the Subscriber Manager restarts automatically.
Note It is recommended to familiarize yourself with these files immediately after the first installation and edit
them according to your specific needs. See Configuring the SCE-Sniffer DHCP LEG for more
information.
Step 3 Load the configuration files to the SM using the p3sm CLU
Run the p3sm command line utility from the SM CLU.
This command-line utility loads the new configuration to the SM and activates it.
>p3sm --load-config
Step 4 Configure the SCE to send RDRs to the LEG
Run the RDR-formatter CLI on the SCE platform to add the LEG as a category 3 RDR destination. You
must use the same port number as defined by the RDR server in the SM. The default port number is
33001.
Note To support SM cluster topology, set the cluster VIP as the SM-IP in the following CLI.
SCE2000>configure
SCE2000(config)>RDR-formatter destination SM-IP port port category number 3 priority 100
SCE2000(config)>exit
The original configuration files are deleted by the uninstall process in the next step.
Step 2 Force the SCEs to store the RDRs during the upgrade.
To force the SCEs to store the RDRs, disable the RDR Server on the SM by setting the start parameter
in the RDR Server section to false and loading the configuration by running the following CLU:
>p3sm --load-config
Step 3 Uninstall the SCE-Sniffer DHCP LEG by running the p3inst CLU
>p3inst --uninstall -f dhcpsnif.pqi
Note After the uninstall process has successfully completed, the SM automatically restarts.
Possible values for this parameter are true and false. The default value is false.
• use_default_domain
Defines whether all login operations should use the default domain “subscribers”.
Possible values for this parameter are true and false. The default value is true.
If the value is set to false, the SM will log in the subscribers using the domain name identical to the
IP address of the SCE that received the DHCP traffic for that subscriber. In this case, you will have
to configure domain aliases as described in Cisco SCMS Subscriber Manager User Guide.
• is_cable
Indicates whether to check if this is a cable modem transaction; i.e., compare the value of the
Remote-Id sub-option (option 82 sub-option 2) with the haddr DHCP header field. If it is a cable
modem transaction, use only the policy information.
Possible values for this parameter are true and false. The default value is true.
The [Sniffer] section contains the following parameters:
• packet_types
Contains the DHCP packet types to send to the LEG.
Possible values for this parameter are any combination of the following types: DHCPACK,
DHCPRELEASE. The default value is set to DHCPACK and DHCPRELEASE.
Note For this LEG to work correctly, use the configuration file to enable the RDR server in the SM.
dhcp_option=82:2
dhcp_option_type=binary
default_id=ip
Subscriber policy configuration in the SCE-Sniffer DHCP LEG can be handled in any of the following
ways:
• Dynamic assignment of policy information using information extracted from the DHCP packet, See
Dynamic Assignment of Policy Information, page 15-3.
• Static assignment of a constant package Id for all subscribers that log on via the SCE-Sniffer DHCP
LEG, See Static Assignment of Policy Information, page 15-6.
• name_seperator_value
Defines the separator character to use between two options when concatenating them to each other
to create the policy name. Any character is accepted. The default value is '_'.
• use_default
Determines whether to use a default policy when no policy information can be extracted from the
DHCP data, such as the configurable options are missing or no options were configured.
Possible values for this parameter are true or false. The default value is false.
• default_policy
Defines the default policy ID to use if no policy information is extracted from the DHCP data. This
parameter is relevant only if the use_default parameter is set to true.
Possible values for this parameter are any integer number. This parameter has no default value.
• allow_login_with_no_policy
Defines whether to perform a login without policy information when no policy information can be
extracted from the DHCP data and the use_default parameter is set to false.
This parameter is relevant only if the use_default parameter is set to false.
Possible values for this parameter are true or false. The default value is true.
• policy_property_name
Defines the name of the application property that contains the policy information. This parameter
has no default value.
Note The policy_property_name parameter is case sensitive and must be written exactly as defined by the
SCA BB Console. For example, packageId, monitor, upVlinkId, or downVlinkId.
• log_all
Defines whether to write detailed user-log messages for all policy association events.
Possible values for this parameter are true or false. The default value is false.
• log_default_assignment
Defines whether to write a user-log message for every assignment of the default value (as defined
by the default_policy parameter).
Possible values for this parameter are true or false. The default value is false.
• mapping_table.<policy_name>
Multiple entries containing the information to convert from the policy information as it appears in
the DHCP packet to the policy property value to be used by the SCA BB application.
These entries do not have default values.
Note The policy_name is case sensitive and must be written exactly as it exists in the DHCP packets.
The [Additional Data] section of the configuration file contains the following parameters:
• label_options
Defines which DHCP option to extract to add to the login operation.
Possible values are the option number or, in the case of DHCP options with sub-options, the option
and sub-option separated by a colon. For example, 43:123 or 61.
There is no default value for this parameter.
• label_keys
Defines the keys that should mark the DHCP options defined by the label_options parameter.
There is no default value for this parameter.
• label_options_type
Defines the format type of the DHCP option defined by the label_options parameter.
Possible values for this parameter are binary (a binary string that is converted to an ASCII
hexadecimal string) or string (an ASCII string).
The default value is binary.
label_options=82:1
label_keys=PORT_ID
label_option_type=string
This module describes the SCE-Sniffer DHCP LEG command-line utility (CLU).
Operation Description
--show Displays all of SCE-Sniffer DHCP LEG
configurations and status
--show-statistics Displays counters of DHCP messages handled and
number of logon operations performed
--show-version Displays the version information of the
SCE-Sniffer DHCP LEG
--help Displays a list of available operations and
arguments, with a short explanation of their
meanings.
DHCPRELEASE
DHCP options with package information:
type = 43, subtype = 102
type = 43, subtype = 101
Subscriber ID:
Option: 82:2
Format: binary
Fallback: none
Command terminated successfully
>
This module describes the Service Control Management Suite (SCMS) Subscriber Manager (SM)
RADIUS Listener Login Event Generator (LEG) software module.
• About the RADIUS Listener LEG, page 17-1
• Topologies, page 17-2
Topologies
The following diagram illustrates a topology in which a RADIUS server/proxy forwards or proxies the
RADIUS Accounting messages to the RADIUS Listener LEG.
Figure 17-1 Example of RADIUS Server Forwarding RADIUS Accounting Messages to RADIUS
Listener LEG
RADIUS RADIUS
Server/Proxy Listener
Control
Links
NAS / GGSN
SCE
Edge Router
Internet
NAS / GGSN Traffic SCE
157112
Links
The following diagram illustrates a topology in which the NAS performs authentication with the
RADIUS server, and sends RADIUS Accounting messages to the RADIUS Listener LEG and,
optionally, to the RADIUS server.
Figure 17-2 Example of NAS Sending RADIUS Accounting Messages to both the RADIUS Listener
LEG and the RADIUS Server
RADIUS RADIUS
Server/Proxy Listener
Control RADIUS
Links Accounting
NAS / GGSN
SCE
Edge Router
Internet
NAS / GGSN Traffic SCE
157113
Links
This module describes the procedures for installing the software on the subscriber manager (SM). It also
describes uninstalling the software.
The RADIUS Listener LEG is part of the SM installation package. The installation package also includes
configuration files and the Command-Line Utility of the LEG.
• Installing the RADIUS Listener LEG Software, page 18-1
• Uninstalling the RADIUS Listener LEG, page 18-2
Note Setting the start parameter to no does not remove the RADIUS Listener LEG from the SM installation.
You can reinstall the software again by setting the start parameter to yes.
This module describes the configuration procedure for the RADIUS Listener LEG.
The RADIUS Listener LEG is configured using the SM configuration file p3sm.cfg, which resides in
the sm-inst-dir/sm/server/root/config directory (sm-inst-dir refers to the SM installation directory).
The configuration file consists of sections headed by a bracketed section title; for example,
[Radius.Subscriber ID]. Each section consists of several parameters having the format
parameter=value. The number sign (“#”) at the beginning of a line signifies that it is a remark.
The general RADIUS Listener LEG configuration settings reside in the [Radius Listener] section. All
additional RADIUS Listener LEG sections start with the prefix Radius., such as [Radius.NAS.nas1],
and they are defined initially as remark lines.
• Configuring the General Settings, page 19-1
• Information About the Regular Expression Utility, page 19-2
• Configuring RADIUS Attributes Mapping, page 19-6
• Configuring the NAS Devices, page 19-13
• ip
The IP address to which the RADIUS listener should bind. Use this parameter only in cases where
the IP address used for RADIUS transactions is not the main IP address of the SM machine. (For
example in an SM cluster.)
Possible values are any IP address in dotted notation. The default value is not set.
• packet_types
Defines the RADIUS protocol packet types to analyze.
Possible values are accounting-start, accounting-interim, accounting-stop separated by a
comma.
The default value is accounting-start,accounting-interim,accounting-stop.
Example
The following example is a portion of a configuration file illustrating the [Radius Listener] section:
[Radius Listener]
# The following parameter defines whether the SM should
# run the RADIUS Listener at startup.
# Receives the values: yes, no. (default no)
start=no
# accounting port number (default 1813)
accounting_port=1813
# RADIUS packet types
packet_types=accounting-start,account-interim,accounting-stop
Supported Syntax
Within a regular expression, the following characters have special meaning:
• Positional Operators
– ^ matches at the beginning of a line
– $ matches at the end of a line
– \A matches the start of the entire string
– \Z matches the end of the entire string
– \b matches at a word break (Perl5 syntax only)
Unsupported Syntax
Some flavors of regular expression utilities support additional escape sequences, and this is not meant
to be an exhaustive list of unsupported syntax.
• (?mods) inlined compilation/execution modifiers (Perl5)
• \G end of previous match (Perl5)
• [.symbol.] collating symbol in class expression (POSIX)
• [=class=] equivalence class in class expression (POSIX)
• s/foo/bar/ style expressions as in sed and awk (note: these can be accomplished through other means
in the API)
• In order to remove the “name” prefix from a given name (e.g. name@cisco.com), define the
following manipulation rule: .*@(.*)
• If no reduction is needed, either define the following reduction rule (.*) , or do not define any rule.
• In order to find a partial match from of a name (e.g. find 'isco' in name@cisco.com), define the
following matching rule: mapping_table.cisco=<value>
• In order to find a full match of a name, define the following matching rule:
mapping_table.cisco=<value>
• In order to define a default value for an empty or non-existent attribute value:
mapping_table.^$=<value>
Note If the character or string was not found in the input string when performing reduction (stripping
characters or strings), the result of the regular expression is an empty string. In previous versions, if the
character or string was not found in the input string when performing reduction, the result of the regular
expression is the input string.
Note Brackets '[' or ']' are used by the regular expression mechanism and also in the section definitions in the
configuration files. If either of these characters form a part of the reduction rule definition
(field_manipulation parameter) or in matching rule definition (mapping_table parameter), it should be
preceded by two backslashes ('\\') in order to be used as part of the value.
[Sample Section]
mapping_table.^12\\[user7$=7 will have a full match result to the '12\[user7' string
mapping_table.^12\[user7$=7 will have a full match result to the '12[user7' string
mapping_table.^12[user7$=7 will have a full match result to the '12[user7' string as well.
Note Parentheses '(' or ')' and the pipe character '|' should be preceded by a single backslash '\'. For example,
if you have the rule ^(?:88|99)(.*)$ --input=886, the CLU command should be as shown in the
following example:
The following examples demonstrate regular expression operations that do not significantly impact
performance:
• Removal of prefixes or suffixes—Use a regular expression of the format .*<String>(.*) or
(.*)<String>.*.
• Matching prefixes or suffixes—Use a regular expression of the format ^<String>or <String>$.
To calculate the impact of the regular expression usage on the login rate, the p3radius
test-reduction-rule and test-manipulation-rule CLU commands provide the average processing time
for a single reduction/matching operation.
Note Using complex regular expression patterns will cause performance degradation; the degradation
increases relative to the length of the string being manipulated. It is strongly recommended not to use
the [] operands with the .* or with the (.*) operands.
The subscriber ID is usually put in the User-Name RADIUS attribute. However, in certain installations,
it is possible to use a different RADIUS attribute. For example, in wireless environments, it is possible
to use the 3GPP-IMSI or the 3GPP2-IMSI attributes. The default is to use the User-Name attribute.
The RADIUS Listener can be configured to concatenate several RADIUS attributes for use as the
Subscriber ID.
To define which attribute(s) to use for the subscriber ID, configure the [Radius.Subscriber ID] and the
[Radius.Field.<field name>] sections. To define the attribute(s) to use, configure the following
parameters in the [Radius.Subscriber ID] section:
• fields
Defines the RADIUS protocol fields names. When defining multiple fields, use commas between
the field names. The field name must not start or end with a space character and it cannot contain
an '=' character. A maximum of three fields can be defined.
The default value is user_name.
The following is an example of setting this parameter:
fields=user_name,vpn
• field_separator
Defines the character or string to be used when concatenating several fields.
In you define three values for the fields parameter (user_name, vpn, and IP) and the field separator
is being defined:
– The field_separator parameter must contain user_name, vpn, and IP in the same order as they
were defined in the fields parameter.
– The separator character between the 1st and 2nd attributes and between the 2nd and 3rd
attributes can be different; for example, user_name-vpn::IP
– The separator can be string; for example, ::
– The separator can be an empty string; for example, field_separator=user_namevpnIP
• The default value is _.
The following is an example of setting this parameter with the value '-':
field_separator=user_name-vpn
• field_manipulation.<field name>=<regular expression>
The field_manipulation parameters define how to manipulate the RADIUS field values.
The <field name> part of this parameter is one of the fields defined in the fields parameter. The
<regular expression> part of this parameter is the reduction regular expression to be used on the
<field name> value.
It is possible to define a field_manipulation rule for each name in the field property. The following
is an example of setting this parameter:
field_manipulation.user_name=(.*)@.*
field_manipulation.vpn=(.*)
It is possible to configure the RADIUS listener to strip a RADIUS attribute based on a selected
character or string using a regular expression rule. This provides a convenient method for obtaining
the subscriber ID from a prefix or a suffix of an attribute value.
For example, you can obtain the subscriber ID from the USERNAME attribute value of
subscriber@domain-name by stripping the characters from the value by using the (.*)@.* regular
expression rule to produce the subscriber. Similarly, you can obtain the domain name by using the
.*@(.*) regular expression rule.
For each field defined by the fields parameter, you must also define a [Radius.Field.<field name>]
section with the following parameters:
• radius_attribute
Configure the radius_attribute parameter with the RADIUS attribute number. Use the following
format for Vendor Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example,
26(10415;1).
The default value is -1.
• radius_attribute_type
Configure radius_attribute_type parameter according to the RADIUS attribute format.
Possible values for this parameter are integer and string. The default value is string.
Validation Rules
When regular expression rules are used for reduction of RADIUS attributes, the following validation
rules are applied:
• The protocol field amount must not exceed three fields.
• Each field defined in the fields parameter must have a corresponding [Radius.Field.<field>] section.
• If the separator character is defined, the order of the fields is checked.
• Each field defined in the fields parameter may have a single reduction regular expression rule. If a
rule exists, the regular expression validity check is performed.
Configuring Stripping of the Attribute Value Example using Regular Expression Rule
The following is an example configuration file illustrating how to configure the stripping of an attribute
value using a regular expression rule:
[Radius.Subscriber ID]
# Field name
fields=user_name
# Field manipulation
field_manipulation.user_name=(.*)@.*
[Radius.Field.user_name]
# RADIUS protocol attribute number
radius_attribute=1
# the type of the attribute (type "integer" or "string")
radius_attribute_type = string
The above configuration applied on ‘john@some-domain.com’ will extract “john” as a Subscriber ID.
Subscriber policy configuration in the RADIUS Listener can be handled in any of the following ways:
• Extract the data from a RADIUS attribute
• Set a default value for all subscribers that log on via the RADIUS Listener
• Do not set any policy to the subscriber
It is possible to define a field_manipulation rule for each name in the field property. This is the
default rule if there is a non-configured field manipulation. The following is an example of setting
this parameter:
field_manipulation.user_name=(.*)@.*
field_manipulation.ip=(.*)
• mapping_table.<regExp>=<property-value>
The mapping_table parameters define a conversion table between the result of the attribute value
manipulation, the matching rule, and the property value.
The <regExp>part of this parameter defines the regular expression matching rule. The
<property-value>part of this parameter defines the integer result if the regular expression is
matched.
There is no default value for this parameter, but it is possible to set a default value by using the
following expression: mapping_table.^$=<value>. This value is used if the mapping result is an
empty string.
The following is an example of setting this parameter.
mapping_table..*@.*=1
mapping_table..*=2
For each field defined by the fields parameter, you must also define a [Radius.Field.<field name>]
section with the following parameters:
• radius_attribute
Configure the radius_attribute parameter with the RADIUS attribute number. Use the following
format for Vendor Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example,
26(10415;1).
The default value is -1.
• radius_attribute_type
Configure radius_attribute_type parameter according to the RADIUS attribute format.
Possible values for this parameter are integer and string. The default value is string.
Validation Rules
When regular expression rules are used for reduction of RADIUS attributes, the following validation
rules are applied:
• The protocol field amount must not exceed three fields.
• Each field defined in the fields parameter must have a corresponding [Radius.Field.<field>] section.
• The property value in the mapping table is an integer.
• The “=” operator is concatenated to the property value with no space between them.
• A validity test is performed for each regular expression that is used for matching and reduction.
# Field separator
field_separator=user_name@vpn
# Field manipulation
field_manipulation.user_name=(.*)@.*
# Mapping table
mapping_table..*@.*=1
mapping_table.^$=2
mapping_table..*=3
[Radius.Field.user_name]
# RADIUS protocol attribute number
radius_attribute = 1
# the type of the attribute (type "integer" or "string")
radius_attribute type = string
[Radius.Field.vpn]
# RADIUS protocol attribute number.
# use the following format for VSAs: 26 vendor-id;sub-attribute)
# for example: 26(9;1)
radius_attribute = 26(9;1)
# the type of the attribute (type "integer" or "string")
radius_attribute_type = string
Note Currently the LEG supports subscriber mappings over VPN only for VPNs that are defined by a
VLAN-ID (also referred to as "VPNs of type VLAN").
Note The configured attribute can be a regular RADIUS attribute or a VSA. It is possible to encode the
attribute as an integer in which case it will be a single IP address. It can also be encoded as a string and
will therefore be an IP-Address/IP-Range value: the value must be formatted as A.B.C.D/E or A.B.C.D.
Note The supported format of the Framed-Route attribute is as described in RFC-2865. It must start with a
string that starts with the route itself in the format A.B.C.D/E followed by a space. Other values follow
the space, but the LEG ignores these other values.
To define which attribute to use for the subscriber IP address, configure the [Radius.Subscriber IP
Address] and the [Radius.Field.<field name>] section. To define the attribute to use, configure the
following parameters:
• fields
Defines the RADIUS protocol field name. Only one field name can be defined.
The default value is not set.
• vpn_field
Defines the RADIUS protocol attribute field name to be used as the VPN information related to the
IP address.
The default value is not set.
For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>]
section with the following parameters:
• radius_attribute
Configure the radius_attribute parameter with the RADIUS attribute number. Use the following
format for Vendor Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example,
26(10415;1).
The default value is -1.
• radius_attribute_type
Configure radius_attribute_type parameter according to the RADIUS attribute format.
Possible values for this parameter are integer and string. The default value is string.
Step 1 Copy the example Radius.NAS.XXX section that exists in the configuration file
The remarks from the parameters and section header should be removed.
Step 2 Configure a section name of the format [Radius.NAS.my_name_for_the_NAS].
Step 3 Configure the domain, IP_address, NAS_identifier, and secret parameters:
• domain
Set the domain parameter with a valid subscriber domain name.
• IP_address
Set the IP_address parameter with the NAS IP address with which the RADIUS messages arrive. IP
address should be in dotted notation (xxx.xxx.xxx.xxx).
• NAS_identifier
Set the NAS_identifier parameter with a NAS-ID attribute with which the RADIUS messages are
sent.
• secret
Set the secret parameter with the secret key defined in the NAS for this connection.
Step 1 Configure the subscriber manager (SM) machine as the destination of accounting messages.
You must configure the following parameters:
• The SM IP address
• The UDP ports to which the RADIUS Listener listens
• The shared secret configured for this client in the SM configuration file
Step 2 Verify that the Accounting-Start message is sent with the correct attributes
• The attribute configured in the subscriber ID attribute mapping in the SM configuration file. See
Mapping of RADIUS Attribute to Subscriber ID, page 19-6.
• The attribute configured in the subscriber IP address attribute mapping in the SM configuration file,
the Framed-Route or the Framed-IP-Address. See Mapping of RADIUS Attribute to Subscriber IP
Address, page 19-11.
• (Optional) The attribute configured in the Subscriber package attribute mapping in the SM
configuration file. See Mapping of RADIUS Attribute to Subscriber Policy, page 19-9.
Step 3 Verify that the Accounting-Stop message is sent with the correct attributes
• The attribute configured in the subscriber ID attribute mapping in the SM configuration file. See
Mapping of RADIUS Attribute to Subscriber ID, page 19-6.
• The attribute configured in the subscriber IP address attribute mapping in the SM configuration file,
the Framed-Route or the Framed-IP-Address. See Mapping of RADIUS Attribute to Subscriber IP
Address, page 19-11.
Note It is recommended that you configure the RADIUS client to not send Authentication and
Accounting-Intermediate messages to the SM to reduce the load of packet handling.
This module describes the command-line utility (CLU) commands when the software is installed on the
Subscriber Manager (SM).
Operation Description
--show Displays all of the NAS and RADIUS
configurations and other general information
(status of ports, regular expression configuration,
etc.)
--show-statistics Displays counters of RADIUS messages handled
and number of logon operations performed.
--test-reg-exp Returns a value indicating if the regular
expression is valid or not.
--test-manipulation Validates the section definition and performs the
manipulation operation on a given field's data
against the specified section in a given
configuration file.
Operation Description
--test-reduction-rule Performs reduction of the input string and returns:
• The reduction result.
• The average time (in milliseconds) for a
single reduction operation. The average time
is used for performance analysis.
--test-matching-rule Performs a match of the input string against a
given regular expression and returns:
• A result indicating if there is a match or not.
• Average time (in milliseconds) for a single
matching operation. The average time is used
for performance analysis.
Properties
==========
property name: packageId
------------------------
vpn: VSA Vendor-id: 1 sub attribute: 2 type: string
user_name: radius attribute: 1 type: string
Reduction configuration rules:
Field=vpn; Pattern=.*
Field=user_name; Pattern=.*
Matching configuration rules:
Matching Pattern=.*; Matching Value=2
Matching Pattern=123; Matching Value=3
property name: monitor
----------------------
filter-id: radius attribute: 2 type: integer
Matching configuration rules:
Matching Pattern=^$; Matching Value=1
property name: upVlinkId
------------------------
property name: downVlinkId
--------------------------
Command terminated successfully
>
separator: user_name-vsa@filter-id
Reduction iteration [0]: field data=, RegExp Pattern=(.*)@.*, concatenated string (with
separator)=-
Reduction iteration [1]: field data=cisco.LTD.sanjose, RegExp Pattern=(.*).LTD(.*),
concatenated string (with separator)=-cisco.sanjose@
Reduction iteration [2]: field data=172.16.1.1, RegExp Pattern=.*, concatenated string
(with separator)=-cisco.sanjose@
Manipulation result:-cisco.sanjose@
Command terminated successfully
>
This module describes the algorithm used for deciding the subscriber domain to which a subscriber
should be logged on.
Figure 22-1 Example of when the only NAS that the RADIUS Listener is configured with is the
Proxy Device
RADIUS RADIUS
Server/Proxy Listener
Control
Links
NAS 1
SCE
Edge Router
Internet
NAS 2 Traffic SCE
157107
Links
To solve the problem of distinguishing between two NAS devices, the following algorithm is used:
• If a NAS-Identifier attribute exists in the Accounting-Start message and a NAS device is configured
with that identifier, this NAS subscriber domain configuration is used.
• If the NAS-Identifier attribute does not exist, the same test will be performed on the
NAS-IP-Address attribute. If the NAS-IP-Address attribute exists in the Accounting-Start message
the NAS device was configured, this NAS domain configuration is used.
• Otherwise, the domain configured for the NAS identified by the Accounting-Start packet source IP
address is used.
Using the RADIUS attributes provides the ability to distinguish between the two NAS devices.
Note If none of the three NAS identification characteristics (packet source IP, NAS-Identifier, or
NAS-IP-Address) matches the RADIUS message, the message is dropped because of RADIUS packet
processing reasons. The domain selection stage will not be performed.
The Service Control Management Suite (SCMS) Subscriber Manager (SM) SCE-Sniffer RADIUS Login
Event Generator (LEG) is a software module that receives Raw Data Record (RDR) messages containing
RADIUS information from Service Control Engine (SCE) devices configured with a RADIUS Sniffer
service. The SCE-Sniffer RADIUS LEG is an extension of the SM software and runs as part of the SM
process.
SCE
Traffic (1)
RDR(2)
Login
Logout (3)
SCE-
Sniffer SM
RADIUS
157082
LEG
This module describes the SCE-Sniffer RADIUS LEG transactions for login and logout operations
The Service Control Engine (SCE) devices analyze the RADIUS transactions and send the information
to the SCE-Sniffer RADIUS LEG that resides on the Subscriber Manager (SM). The LEG performs login
or logout operations to the SM using the information sent from the SCE devices.
• SCE-Sniffer RADIUS Functionality, page 24-1
• Information About RADIUS Attributes, page 24-2
• Information About RADIUS Packets, page 24-4
Subscriber ID Association
By default, the attribute used for the subscriber ID association is the User-Name attribute (#1), but it can
be configured to any other attribute including the Vendor-Specific attribute (#26).
The only requirement is that the configured attribute must be of type string.
This attribute must exist in the RADIUS traffic for successful login operations, because a subscriber
cannot be introduced to the SM without its ID.
For logout operations, which are triggered by Accounting-Stop packets only, this attribute is not
mandatory, because logouts can be performed using the mapping information.
Domain Association
Note Domain association is only relevant for login operations and is optional.
Domain association is based on the Network Access System (NAS) that initiated the RADIUS
transaction. The RADIUS attributes that identify the NAS are NAS-Identifier (#32), and
NAS-IP-Address (#4). If none of the attributes exist, the LEG tries to identify the NAS using the IP
address of the NAS taken from the UDP packet.
Before a login operation occurs, the NAS properties, NAS-Identifier and NAS-IP-Address, are matched
against the configured domains or domain aliases of the SM. The login operation uses the matched
domain or domain alias as the subscriber domain.
The domain association is performed in stages, as follows:
1. If the NAS-Identifier attribute exists, and a domain name or alias is configured in the SM for the
same NAS-Identifier, the domain name or alias is used as the subscriber domain.
2. If the previous step fails, the same test is performed on the NAS-IP-Address attribute.
3. If the NAS-IP-Address does not exist as well, the same test is performed on the IP address of the
NAS.
4. If the NAS-Identifier and the NAS-IP-Address attributes are missing or does not match to an
existing SM domain or alias, the default subscriber domain is used.
Policy Association
Note Policy association is only relevant for login operations and is optional.
The user can configure policy association. You can use any RADIUS attribute for policy association,
including the Vendor-Specific attribute.
The term policy association refers to the act of setting a subscriber property according to information
extracted from the RADIUS packets. An example of policy association is setting the packageId property
of the Service Control Application for Broadband (SCA BB) solution to control the network service
level for which the subscriber is entitled.
To associate policy from a RADIUS attribute, the configured attribute must be of type string or integer.
The subscriber property values are always integers. However, if the association is based on a string
RADIUS attribute, it is mandatory to configure a mapping table. If the association is based on an integer
RADIUS attribute, a mapping table is not needed, but can be used. See Information About Configuring
the Policy Settings for more information on configuring a mapping table.
You can define a default value for the policy if the configured RADIUS attribute is missing from the
packet. The default value is valid only if the policy has not been set before (for example by other LEGs,
or the Subscriber Manager).
The Information About Configuring the Policy Settings section describes how to configure the policies.
Subscriber IP Association
The Subscriber IP Address is normally based on the Framed-IP-Address attribute, but can also be based
on the RADIUS attribute. In different topologies, the subscriber IP address specification might be sent
as a RADIUS attribute other than the Framed-IP-Address attribute.
The following algorithm extracts the IP addresses in this LEG:
1. If the user configured an attribute from which to extract the IP, the LEG will look for that attribute
in the RDR. If the attribute exists, the LEG will use the attribute as the subscriber IP address.
2. If the attribute does not exist or is not configured, the LEG will look for the Framed-Route
attributes; several Framed-Route attributes may exist. If any Framed-Route attributes exist, the LEG
will use these attributes as the subscriber IP addresses.
3. If there are no Framed-Route attributes, the LEG will look for a Framed-IP-Address attribute and a
Framed-IP-Netmask attribute. If a Framed-IP-Address attribute exists, the LEG will use this
attribute as the subscriber IP address. If both the Framed-IP-Address and the Framed-IP-Netmask
attributes exist, the operation is performed with the IP range represented by the IP address and the
IP netmask.
4. Otherwise, the LEG will perform a login without the IP address.
Note The configured attribute can be a regular RADIUS attribute or a VSA. It is possible to encode the
attribute as an integer in which case it will be a single IP address. It can also be encoded as a string and
will therefore be an IP-Address/IP-Range value: the value must be formatted as A.B.C.D/E or A.B.C.D
Note The supported format of the Framed-Route attribute is as described in RFC-2865. It must start with a
string that starts with the route itself in the format A.B.C.D/E followed by a space. Other values follow
the space, but the LEG ignores these other values.
Accounting-Start Packet
An Accounting-Start packet initiates a login operation with the following subscriber properties:
• Subscriber ID—See Subscriber ID Association, page 24-2
• Subscriber IP—See Subscriber IP Association, page 24-3
• Domain—See Domain Association, page 24-2
• Policy—See Policy Association, page 24-3
If the Accounting-Start packet does not hold the subscriber ID, the login operation is not performed and
an error message is written to the user log. All other properties (subscriber IP, domain, and policy) are
optional.
Note The Accounting-Start and Accounting-Interim-Update packets are the only packets that hold all the
subscriber properties. Use these packets whenever possible.
Accounting-Interim-Update Packet
An Accounting-Interim-Update packet initiates a login operation with exactly the same properties as the
Accounting-Start packet.
If the Accounting-Interim-Update packet does not hold the subscriber ID, the login operation is not
performed and an error message is written to the user log. All other properties (subscriber IP, domain,
and policy) are optional.
Note Use this packet when the subscribers are connected to the network for a long time in a single session.
Accounting-Stop Packet
An Accounting-Stop packet initiates a logout operation with the following subscriber properties:
• Subscriber ID—See Subscriber ID Association, page 24-2
• Subscriber IP—See Subscriber IP Association, page 24-3
Unlike the Accounting-Start packet, the subscriber ID is not mandatory in the Accounting-Stop packet.
If it does not exist, the logout is based only on the mappings information. If the Accounting-Stop packet
has a subscriber ID but does not have the mappings, all mappings of the subscriber are logged out. If
both properties are missing, the logout operation is not performed and an error message is written to the
user log.
Note The Accounting-Stop packet is the only packet that initiates a logout operation. If you need to perform
logouts, you must use this packet for integration.
Access-Accept Packet
An Access-Accept packet initiates a login operation with the following subscriber properties:
• Subscriber ID—See Subscriber ID Association, page 24-2
• Subscriber IP—See Subscriber IP Association, page 24-3
• Policy—See Policy Association, page 24-3
The subscriber ID is mandatory, subscriber IP and policy are not. If the subscriber ID is missing, the
login operation is not performed and an error message is written to the user log.
Note The Access-Accept packet does not hold any information needed for domain association. If you are
using domains, consider using the accounting packets for domain integration.
This module describes the procedures for installing and running the SCE-Sniffer RADIUS LEG. It also
describes the procedure to uninstall the SCE-Sniffer RADIUS LEG.
The SCE-Sniffer RADIUS LEG is an external component (PQI file) of the subscriber manager (SM)
software that should be installed separately using the SM command-line utilities. The SCE-Sniffer
RADIUS LEG distribution is part of the SM LEG distribution.
The installation package of the LEG includes a set of configuration files and command-line utilities for
the LEG.
• Installing the SCE-Sniffer RADIUS LEG Software, page 25-1
• Uninstalling the SCE-Sniffer RADIUS LEG, page 25-2
• Upgrading the SCE-Sniffer RADIUS LEG, page 25-2
Note After the installation of the PQI file, the SM will automatically restart.
Step 1 Install the PQI file of the SCE-Sniffer RADIUS LEG using the p3inst CLU.
Run the p3inst CLU from the SM CLU <sm-inst-dir>/sm/server/bin (sm-inst-dir refers to the SM
installation directory):
>p3inst --install -f rad_snif.pqi
Step 2 Edit the configuration file of the SCE-Sniffer RADIUS LEG
The name of the configuration file is rad_snif.cfg, and it is located under the configuration folder of the
SM (<sm-inst-dir>/sm/server/root/config).
It is recommended to familiarize yourself with this file immediately after the first installation, and edit
it according to your specific needs. See Configuring the SCE-Sniffer RADIUS LEG for more
information.
Step 3 Load the configuration file to the SM using the p3sm CLU
Note To support SM cluster topology, set the cluster VIP as the SM-IP in the above CLI command.
Note After the uninstall process has successfully completed, the SM will automatically restart.
>p3sm --load-config
Step 3 Uninstall the SCE-Sniffer RADIUS LEG using the p3inst --uninstall CLU of the SM.
Step 4 Perform the upgrade of the SM as described in the Cisco SCMS Subscriber Manager User Guide.
Step 5 Install the new version of the SCE-Sniffer RADIUS LEG using the p3inst --install CLU of the SM.
Step 6 Restore the configuration files of the SCE-Sniffer RADIUS LEG.
Step 7 Make the SCEs send the RDRs that they stored during the upgrade.
To make the SCEs send the RDRs that they stored during the upgrade, enable the RDR Server on the SM
by setting the start parameter in the RDR Server section to true.
Step 8 Load the new configuration by using the p3sm --load-config CLU of the SM.
This module describes the configuration instructions to configure the SCE-Sniffer RADIUS LEG.
The SCE-Sniffer RADIUS LEG is configured using the configuration file rad_snif.cfg, which resides
in the <sm-inst-dir>/sm/server/root/config directory (sm-inst-dir refers to the subscriber manager
(SM) installation directory).
The configuration file consists of sections headed by a bracketed section title; for example,
[SCE-Sniffer RADIUS LEG]. Each section consists of several parameters with the format of
parameter=value. The number sign (“#”) at the beginning of a line denotes that this is a remark line.
• Configuring the General Settings, page 26-1
• Configuring the Subscriber ID, page 26-2
• Information About Configuring the Subscriber IP Address, page 26-3
• Information About Configuring the Policy Settings, page 26-4
• log_all
Defines whether the LEG should add all messages, including successful logins and logouts, to the
user log.
Possible values for this parameter are true and false. The default value is false.
Note For this LEG to work correctly, use the configuration file to enable the RDR server in the SM.
The subscriber ID is identified by the User-Name attribute by default. You can configure the LEG to use
any other RADIUS attribute to identify the subscriber ID, including using the Vendor-Specific attribute.
Note If you want to keep the default identification according to the User-Name attribute, you can skip this
section.
Note The configured attribute must be of data type string. When using the Vendor-Specific attribute, the
configured vendor specific subtype must be of data type string.
The section used for subscriber ID configuration is called [RADIUS.Subscriber ID]. The following list
describes the parameters:
• radius_attribute
Defines the attribute number for the subscriber ID classification.
The default value is 1 (User-Name attribute).
• radius_attribute_vendor_id
This parameter is only relevant if radius_attribute is configured to 26 (Vendor-Specific attribute).
The parameter defines the vendor ID number for the subscriber ID classification.
This parameter has no default value.
• radius_sub_attribute
This parameter is only relevant if radius_attribute is configured to 26 (Vendor-Specific attribute).
The parameter defines the sub attribute within the vendor specific attribute that is used for
subscriber ID classification.
This parameter has no default value.
• radius_attribute_type
Defines the attribute type. Possible values for this parameter are integer or string. The default value
is string.
Policy configuration assigns policy information such as package ID, according to the RADIUS packets.
Configure the SCE-Sniffer RADIUS LEG using the policy section(s) to assign the policy information.
Note This section is optional. If you do not need to set policy information according to RADIUS packets, you
can skip this section. The SCE-Sniffer RADIUS LEG will not include any policy information when it
logs in subscribers. If the subscriber already has some policies set, the LEG will not affect it.
For each policy you want to define, you need to specify a different section named
[RADIUS.Policy.policyName]. You can use any string you want for policyName if the policy name is
unique inside the configuration file.
Each policy section has the following parameters:
• radius_attribute
Defines the attribute number that holds the policy information.
This parameter has no default value.
• radius_attribute_vendor_id
This parameter is only relevant if radius_attribute is configured to 26 (Vendor-Specific attribute).
The parameter defines the vendor ID number that holds the policy information.
This parameter has no default value.
• radius_sub_attribute
This parameter is only relevant if radius_attribute is configured to 26 (Vendor-Specific attribute).
The parameter defines the sub attribute of the vendor specific attribute that holds the policy
information.
This parameter has no default value.
• radius_attribute_type
Defines the type of the attribute.
Possible values are string or integer.
This parameter has no default value.
• default_value
Defines the default value to set in case the attribute is not found in the traffic.
The default value is set only if this policy has not been already set, for example by other LEG
interfaces.
This parameter is optional. If it does not exist, a default value will not be set for this policy.
• policy_name
Defines the name of the subscriber property. For instance, the packageId property defines the
policies of the SCA BB solution.
This parameter has no default value.
Note The policy_name parameter is case sensitive and must be written exactly as defined by the SCA BB
Console. For example, packageId, monitor, upVlinkId, or downVlinkId.
• mapping_table.<key>=<value>
A set of values (key, value) used to map the data retrieved from the RADIUS attribute to the policy
index configured by the application.
Note The mapping table key is case sensitive and must be written exactly as it exists in the RADIUS packets.
This module describes the Command-Line Utilities (CLU) to retrieve information and statistics about
the LEG
Operation Description
--show Displays all of SCE-Sniffer RADIUS LEG
configuration and status
--show-statistics Displays counters of RADIUS messages handled
and number of login/logout operations performed
--show-version Displays the SCE-Sniffer RADIUS LEG version
number
--help Displays a list of available operations and
arguments with a short explanation of their
meanings.
>p3radiussniff --show
SCE-Sniffer RADIUS LEG:
======================
Active: true
RADIUS packet types:
accounting_start
accounting_interim
accounting_stop
Subscriber ID Association
Attribute: 1
Policy Association:
attribute=26
vendorIdAttribute=1000
subAttribute=2
atributeType=string
defaultValue=1
policyName=packageId
Command terminated successfully
>
The Service Control Management Suite (SCMS) Subscriber Manager (SM) MPLS/VPN BGP Login
Event Generator (LEG) is a software module that dynamically provides the MPLS label for each VPN
using the border gateway procotol (BGP). It listens to the BGP traffic to determine the correct MPLS
label.
• MPLS/VPN Overview, page 28-1
• MPLS/VPN BGP LEG Overview, page 28-2
MPLS/VPN Overview
Internet service providers that have a common network of multiple server sites with IP interconnectivity
deployed on a shared infrastructure can be securely connected using a Virtual Private Network (VPN).
A VPN can secure a shared network connection by employing technologies such as authentication,
encryption, and tunneling. The VPN traffic is encapsulated and transparently sent from one site to
another enabling the traffic to be secured by encryption.
Customers that connect to the ISP using the VPN topology experience direct communication to the VPN
sites as though they have their own private network even though their traffic is traversing a public
network infrastructure and sharing the same infrastructure with other businesses.
Multiprotocol Label Switching (MPLS) is an emerging industry standard for implementing tag
switching technology on high-speed routers in large IP networks. MPLS is designed to carry information
of different protocols over a network and brings some of the advantages of circuit-switched networks to
switched IP networks.
Connecting the MPLS protocol with VPN, the MPLS/VPN topology consists of a set of sites that are
interconnected by means of an MPLS provider core network. At each site within the MPLS edge, one or
more Customer Edge (CE) routers are attached to one or more Provider Edge (PE) routers. The Provider
(P) router within the core routes packets to the PE routers. PE routers use the Border Gateway Protocol
to communicate dynamically with each other.
Figure 28-1 illustrates the MPLS/VPN topology:
CE CE
VPN A P VPN A
Site 2 PE Site 1
10.0.2.x 10.0.1.x
PE
P
CE CE
VPN B VPN B
Site 2 Site 1
157096
Service Provider's
10.0.2.x MPLS core 10.0.1.x
Some of the benefits of MPLS-based VPNs are seamless integration with customer intranets and
increased scalability with numerous sites for each VPN and many VPNs for each service provider.
PE PE PE PE
BGP
UNIX Machine
add_route
del_route
PRPC
157051
The BGP LEG also supports receiving BGP updates from a Route Reflector (RR), instead of from each
PE router separately. The BGP LEG can receive updates from a Route Reflector and from PEs that are
not covered by the Route Reflector at the same time.
VPN Entity
A VPN entity is a group of VPN sites. The following parameters define a VPN site:
• The Provider Edge (PE) router that is connected to the VPN site. The IP address of the loopback
interface identifies the router.
• An identifier for the VPN Virtual Routing and Forwarding (VRF) table. Either the Route
Distinguisher (RD) of the VRF or the Route Target (RT) that is used for exporting or importing
routes
The PE router assigns MPLS labels for each VPN site. The BGP protocol uses the MPLS labels to
publish the VPN routes to the other PE routers. The BGP LEG listens to the BGP traffic, extracts the
MPLS label, and adds the label to the VPN data in the SM database.
7. The BGP LEG analyzes BGP sessions and extracts the relevant data, such as RD/RT, MPLS label,
and the loopback IP of the PE router.
8. The BGP LEG updates the VPN in the SM with the added or removed MPLS label.
9. The Subscriber Manager updates its database with the new VPN information and updates all of the
SCE devices in the domain.
CE as Subscriber
An MPLS-VPN based subscriber can be defined to handle the traffic of a specifc Customer Edge (CE)
router. The BGP community field is used to correlate the private IP routes with the CE router. The
subscriber is configured with a list of communities within the VPN using the syntax
‘community@VPN’.
When the BGP LEG analyzes the BGP session, it also extracts the community field, and adds all the IP
routes in the BGP message to the subscriber that contains the same community field. This functionality
takes place in addition to adding the VPN information to the SM as described in BGP LEG Scenario,
page 28-4.
This module describes the process for installing and uninstalling the SM MPLS/VPN BGP LEG.
The SM MPLS/VPN BGP LEG is an external component that should be installed on the SM. The SM
MPLS/VPN BGP LEG distribution is part of the SM LEG distribution.
The SM MPLS/VPN BGP LEG installation package includes a set of configuration files and the
Command-Line Utility (CLU).
The SM MPLS/VPN BGP LEG can be installed only on Red Hat Linux platforms.
• Package Contents, page 29-1
• Installing the MPLS/VPN BGP LEG Software, page 29-2
• Adding a VCS Resource to the BGP LEG, page 29-2
• Removing a VCS Resource from the BGP LEG, page 29-3
Package Contents
The following tables describe the contents of the SM MPLS/VPN BGP LEG distribution package
supplied by Cisco:
Note The arguments line might seem shorter than the actual full argument value, which is perfectly
acceptable.
Note The BGP LEG will be inactivated if there are no VCS resources. To activate the BGP LEG, there must
be at least one resource.
This module provides the configuration instructions to configure the MPLS/VPN BGP LEG
The SM MPLS/VPN BGP LEG is configured using the configuration file p3bgpleg.cfg file, which
resides in the sm-inst-dir/sm/server/root/config directory (sm-inst-dir refers to the SM installation
directory). The configuration file is loaded only upon the SM MPLS/VPN BGP LEG startup.
The configuration file holds the IP addresses of the PEs from which the routing information is gathered.
When you reload the configuration file, all the BGP connections terminate and the BGP LEG waits for
connections to be re-established from the IP addresses configured in the configuration file.
The configuration file consists of sections headed by a bracketed section title such as [General] for the
general configuration section. Each section consists of one or more parameters having the format
parameter=value. The number sign ("#") at the beginning of a line signifies that it is a comment.
• Configuring the MPLS/VPN BGP LEG Settings, page 30-1
• Configuration File Example, page 30-2
• Configuring the SM for the MPLS/VPN BGP LEG, page 30-2
The [PE.xxxxxxxx] section holds the PE or Route Reflector information. Each PE section must include
a unique PE/Route Reflector name. The section contains the following parameters:
• access
Defines the IP address or addresses that the PE/Route Reflector accesses (in dotted notation). It is
mandatory to configure at least one access IP address. Additional IP addresses, if needed, should be
on the same line, separated by comma. The same IP address cannot appear in two PE sections.
• as-num
Defines the autonomous system number connected to the PE/Route Reflector. This parameter is not
required. If not specified, the as-num defined in the [General] section is used.
This module describes the MPLS/VPN BGP LEG command-line utility (CLU).
Operation Description
--start Starts the BGP LEG
--stop Stops the BGP LEG
--restart Restarts the BGP LEG
--status Displays a short status line for each PE/RR
--show Displays a detailed status for a specific PE/RR
--show-all Displays a detailed status for each PE/RR
--refresh Sends a refresh request to specific PE/RR to
receive updated information on all routes
--refresh-all Sends a refresh request to all PE/RR to receive
updated information on all routes. Use this
operation when the PE/RR is disconnected from
the LEG and you want to make sure that all the
BGP information is propagated to the SCE
devices. The refresh is for new information only;
obsolete labels are not checked for validity.
Operation Description
--force-sync Used together with --refresh-all. Sends a refresh
request to all PE/RR to receive updated
information on all routes, and then synchronizes
this information with all SCE devices. After this
operation is completed, the SCE devices are
updated with the BGP information. Use this
operation when the PE/RR is disconnected from
the LEG and you want to make sure that all the
BGP information is propagated to the SCE
devices. This operation also makes sure that
obsolete labels are removed from the SCE devices.
--load-config Loads the configuration file to the BGP LEG. This
operation also restarts the BGP LEG.
--help Displays the available p3bgp commands
SOAP LEG
CH A P T E R 32
About the SOAP LEG
Query Interface
The SOAP installation package includes a WSDL file. This WSDL file defines the SOAP LEG query to
the external server:
QuerySubscriberOut querySubscriber(QuerySubscriberIn subIn)
The QuerySubsriberIn parameter contains the following data:
• subscriberId—Contains the ID of the subscriber
• mappings—Contains the Network IDs of the subscriber
• keys/values—May contain additional data that the external server may need in order to perform the
query
The Web Server responds to the query and SOAP LEG analyzes the results. The output of the Web Server
(QuerySubscriberOut) consists of the following elements:
• subscriberId—Contains the ID of the subscriber
• mappings—Contains the Network IDs of the subscriber
• keys/values—May contain additional data that the SOAP LEG may need in order to determine the
package value
• propertyKeys/propertyValues—May contain subscriber properties; for example, packageId or
monitor.
Note that keys and values are used internally by the LEG for the package association procedure and are
not passed to the SM when the subscriber is logged in.
Upon receiving a reply from the Web Server, the SOAP LEG adds the query output values to the query
input values. Following this, if the SOAP LEG is configured to do so, the LEG uses this data as the input
for the package association procedure. See Information about Configuring the Package Association,
page 34-2.
Secure Requests
The SOAP LEG is able to issue a secure request to the external server using the UsernameToken profile
as defined in the WS-Security specification. Specifically, it attaches username and password to every
SOAP request it sends. For further information on configuring the username and password, see Using
the SOAP LEG CLU, page 35-1.
Common Topologies
You can use the SOAP LEG in any SM topology, providing it is possible to supply the LEG with the
information it needs in order to perform the query to the policy server and determine the subscriber
policy.
The following figures show the most common topologies.
The following figure shows the topology with the SM API:
SM
SM
CORE
1. Login
DHCP sniffer
LEG
2. handleSubscriber
SOAP
server
3. Query subscriber
4. Login
SOAP LEG 210083
The SM API performs a login operation to the SM (1). The SM identifies that the SOAP LEG needs be
activated, and therefore it does not perform a subscriber login at this stage. TheSM core passes the
information received from the SM API to the SOAP LEG (2). The SOAP LEG queries the SOAP server
and identifies the relevant packageId based on the configuration, input parameters, and the query results
(3). The SOAP LEG then performs a login operation to the SM (4).
The following figure shows the topology with the DHCP Sniffer LEG:
DHCP
CMTS SCE server
1. DHCP traffic
2. DHCP RDRs
SM
SM
CORE
3. Login
DHCP sniffer
LEG
4. handleSubscriber
SOAP
server
5. Query subscriber
6. Login
SOAP LEG
210081
The DHCP traffic passes through the SCE (1), which sends a DHCP RDR to the DHCP Sniffer LEG (2).
The DHCP Sniffer LEG extracts the relevant information and performs a login operation to the SM (3).
The SM identifies that the SOAP LEG needs to be activated, and therefore it does not perform a
subscriber login operation at this stage. The SM core passes the information received from the DHCP
Sniffer LEG to the SOAP LEG (4). The SOAP LEG queries the SOAP server and identifies the relevant
packageId based on all the information received and the query results (5). The SOAP LEG then performs
a login operation to the SM (6).
The following figure shows the topology with the DHCP Lease Query LEG:
Figure 32-3 SOAP LEG Topology with DHCP Lease Query LEG
SCE
1. unknown traffic
2. pull
SM
SM
CORE DHCP
server
3. handle 4. Query
subscriber subscriber
5. Login
Lease query
LEG
8. Login 6. handle
subscriber
SOAP
server
7. Query subscriber
Unknown traffic passes through the SCE (1), which issues a pull request to the SM (2). The SM issues
an anonymous-pull-request to the DHCP Lease Query LEG (3). The DHCP Lease Query LEG then
queries the DHCP server (4), after which it performs a login operation to the SM (5). The SM identifies
that the SOAP LEG needs to be activated, and therefore it does not perform a subscriber login at this
stage. The SM Core passes all of the information received from the DHCP Lease Query LEG to the
SOAP LEG (6). The SOAP LEG queries the SOAP server and identifies the relevant packageId based
on the information received and the query results (7). The SOAP LEG then performs a login operation
to the SM (8).
This module describes the installation process for installing the SOAP LEG. It also describes the
uninstall procedure.
The SOAP LEG is an external component (PQI) that should be installed on the subscriber manager (SM).
The SOAP LEG distribution is part of the SM LEG distribution.
The SOAP LEG installation package includes a set of configuration files, a WSDL file containing a
query definition, and the Command-Line Utility (CLU).
Note After the installation of the PQI file, the SM will automatically restart.
Note It is recommended to familiarize yourself with these files immediately after the first installation and edit
them according to your specific needs. See Configuring the SOAP LEG for more information.
Note After the install process has successfully completed, the SM will automatically restart.
Note After the uninstall process has successfully completed, the SM will automatically restart.
Note After the uninstall process has successfully completed, the SM automatically restarts.
Step 3 Perform an upgrade of the SM as described in the Cisco SCMS Subscriber Manager User Guide.
Step 4 Install the new version of the SOAP LEG by running the p3inst CLU.
>p3inst --install -f <soapleg.pqi>
Step 5 Restore the configuration files of the SOAP LEG using the backup configuration files from Step 1.
Step 6 Load the new configuration of the SM by running the p3sm CLU.
>p3sm --load-config
This module provides the configuration instructions to configure the SOAP LEG.
The SOAP LEG is configured using two configuration files, soap_leg.cfg and soap_pkg.cfg, which
reside in the sm-inst-dir/sm/server/root/config directory (sm-inst-dir refers to the SM installation
directory). The configuration file is loaded only upon SCMS SM SOAP LEG startup.
The configuration files consist of sections headed by a bracketed section title; for example,
[SOAP-LEG] for the SOAP LEG configuration section. Each section consists of one or more parameters
having the format parameter=value. The number sign ("#") at the beginning of a line signifies that it is
a comment.
The general configuration of the SOAP LEG resides in soap_leg.cfg. The dynamic package association
configuration resides in soap_pkg.cfg.
• Information About Configuring the SOAP LEG Settings, page 34-1
• Information about Configuring the Package Association, page 34-2
• log_failed_queries
Defines whether the LEG will log messages that are issued for failed queries.
Possible values for this parameter are true and false.
The default value is true.
• log_all_queries
Defines whether the LEG will log messages for every query sent and any reply received.
Possible values for this parameter are true and false.
The default value is false.
The [Package] section in the configuration file contains the following parameter:
• pkg_cfg_file
Defines the configuration file to be used by the converter. The path must be relative to the config
directory.
The default value is soap_pkg.cfg.
• policy_name_format
This parameter is a comma-separated list that specifies the labels that contain the data from which
the policy name is comprised. The LEG converter searches for the labels within the received
arguments and concatenates them according to the specified order. A value of LABEL_A,
LABEL_B indicates that the SOAP LEG needs to concatenate values that reside under the
LABEL_A and LABEL_B labels.
There is no default value for this parameter.
• name_seperator_value
Defines the separator value to use when concatenating options.
The default value is '_'.
• default_value
Defines the default value to use when it is not possible to associate the created policy name with any
of the configured policy names.
There is no default value for this parameter.
• allow_login_with_no_policy
Defines whether a login can be performed when no policy is found for assignment.
Possible values for this parameter are true or false.
The default value is true.
• policy_property_name
Defines the package property key to use for policy assignment.
The default value is packageId.
Note The policy_property_name parameter is case sensitive and must be written exactly as defined by the
SCA BB Console. For example, packageId, upVlinkId, or downVlinkId.
• mapping_table.<key>=<value>
A set of values (key,value) used to map the package information determined by the SOAP LEG and
the package ID index that the SCA BB application uses.
Note Every policy name is preceded by the mapping_table. key. For example:
mapping_table.PolicyLabel1=11
mapping_table.PolicyLabel2=12
The [SOAP.Policy Logging] section of the configuration file contains the following parameters:
• log_missing_policy_name
Defines whether log messages will be issued when no policy was found.
Possible values for this parameter are true or false.
The default value is false.
• log_all
Defines whether to write detailed user-log messages for all policy association events.
Possible values for this parameter are true or false.
• log_default_policy_assignment
Defines whether to write a user-log message for every assignment of the default value (as defined
in default_value)
Possible values for this parameter are true or false.
The default value is false.
This module describes the command-line utility (CLU) commands when the SOAP LEG software is
installed on the Subscriber Manager (SM).
Operation Description
--show Displays all of SOAP LEG configuration and
status
--show-statistics Displays statistics for the SOAP LEG including:
failed queries, queries sent, queries received
--show-version Displays the SOAP LEG version number
--set-username Sets the username and password to enable secure
queries via the SOAP communication protocol
--reset-username Resets the username to cancel the secure queries
Cisco WSDL
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:s="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:tns="http://cisco.com/CiscoQuery"
xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
targetNamespace="http://cisco.com/CiscoQuery"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
<wsdl:types>
<s:schema elementFormDefault="qualified"
targetNamespace="http://cisco.com/CiscoQuery">
<s:complexType name="ArrayOfString">
<s:sequence>
<s:element minOccurs="0" maxOccurs="unbounded" name="string" nillable="true"
type="s:string" />
</s:sequence>
</s:complexType>
<s:element name="QuerySubscriberIn">
<s:complexType>
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="subscriberId" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="mappings"
type="tns:ArrayOfString"/>
<s:element minOccurs="0" maxOccurs="1" name="keys" type="tns:ArrayOfString"/>
<s:element minOccurs="0" maxOccurs="1" name="values"
type="tns:ArrayOfString"/>
</s:sequence>
</s:complexType>
</s:element>
<s:element name="QuerySubscriberOut">
<s:complexType>
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="subscriberId" type="s:string"/>
</s:schema>
</wsdl:types>
<wsdl:message name="QuerySubscriberSoapIn">
<wsdl:part name="parameters" element="tns:QuerySubscriberIn" />
</wsdl:message>
<wsdl:message name="QuerySubscriberSoapOut">
<wsdl:part name="parameters" element="tns:QuerySubscriberOut" />
</wsdl:message>
<wsdl:portType name="QueryServiceSoap">
<wsdl:operation name="QuerySubscriber">
<wsdl:input message="tns:QuerySubscriberSoapIn" />
<wsdl:output message="tns:QuerySubscriberSoapOut" />
</wsdl:operation>
</wsdl:portType>
<wsdl:operation name="QuerySubscriber">
<soap:operation soapAction="http://cisco.com/CiscoQuery/QuerySubscriber"
style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="QueryService">
<documentation xmlns="http://schemas.xmlsoap.org/wsdl/">Queries subscribers
data</documentation>
<wsdl:port name="QueryServiceSoap" binding="tns:QueryServiceSoap">
<soap:address location="http://localhost:8080/axis/services/QueryServiceSoap" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>