38
CHAPTER 4-1 Cisco Subscriber Edge Services Manager Troubleshooting Guide OL-3888-03 4 Frequently Asked Questions This chapter provides answers to frequently asked questions (FAQs) about the Cisco Subscriber Edge Services Manager (SESM) solution. Topics are: SESM Logging FAQ, page 4-1 SESM AAA Server FAQ, page 4-3 SESM Web Portals FAQ, page 4-4 SESM Captive Portal FAQ, page 4-11 SESM Web Proxy FAQ, page 4-18 SESM RDP and RADIUS FAQ, page 4-28 SESM Java FAQ, page 4-36 SESM Performance FAQ, page 4-37 SESM Logging FAQ This section contains answers to frequently asked questions on SESM Logging. Enabling and Disabling Logging in SESM Applications Step 1 To enable or disable logging in SESM applications. open the following file: <SESM>/<application>/config/<application>.xml For example, If you need to enable or disable logging in NWSP, the location will be: <SESM>/nwsp/config/nwsp.xml Note Configuration files for ERP based applications (except RDP) are under <SESM>/tools/config/<application name>.xml

Frequently Asked Questions · Frequently Asked Questions This chapter provides answers to frequently asked questions (FAQs) about the Cisco Subscriber Edge ... Manager Administration

  • Upload
    others

  • View
    34

  • Download
    0

Embed Size (px)

Citation preview

Cisco Subscriber Edge SeOL-3888-03

C H A P T E R 4

Frequently Asked Questions

This chapter provides answers to frequently asked questions (FAQs) about the Cisco Subscriber Edge Services Manager (SESM) solution. Topics are:

• SESM Logging FAQ, page 4-1

• SESM AAA Server FAQ, page 4-3

• SESM Web Portals FAQ, page 4-4

• SESM Captive Portal FAQ, page 4-11

• SESM Web Proxy FAQ, page 4-18

• SESM RDP and RADIUS FAQ, page 4-28

• SESM Java FAQ, page 4-36

• SESM Performance FAQ, page 4-37

SESM Logging FAQThis section contains answers to frequently asked questions on SESM Logging.

Enabling and Disabling Logging in SESM Applications

Step 1 To enable or disable logging in SESM applications. open the following file:

<SESM>/<application>/config/<application>.xml

For example, If you need to enable or disable logging in NWSP, the location will be:

<SESM>/nwsp/config/nwsp.xml

Note Configuration files for ERP based applications (except RDP) are under <SESM>/tools/config/<application name>.xml

4-1rvices Manager Troubleshooting Guide

Chapter 4 Frequently Asked QuestionsSESM Logging FAQ

Step 2 Refer the Logger MBean:

<Configure jmxname="com.cisco.sesm:name=Logger" <Set name="debug" type="boolean">false</Set> <Set name="debugPatterns"></Set> <Set name="debugThreads"></Set> <Set name="debugVerbosity">LOW</Set> <Set name="logDateFormat">yyyyMMdd:HHmmss.SSS</Set> <Set name="logFile"><Property name="application.home" default="."/>/logs/yyyy_mm_dd.application.log</Set> <Set name="logFrame" type="boolean">false</Set> <Set name="logThread" type="boolean">false</Set> <Set name="logStack" type="boolean">false</Set> <Set name="logToErr" type="boolean">false</Set> <Set name="trace" type="boolean">true</Set> <Set name="warning" type="boolean">true</Set> </Configure>

Step 3 To turn on logging the next time you start the applications, change the debug property to true. To disable logging in the applications, reset the debug property to false. To modify the debug verbosity, set the debugVerbosity property to the required level – this can be either LOW, MED or MAX.

This change does not take effect until the applications are restarted. You can alter the logging levels dynamically through the SESM Applications section of the Logging screen in the SESM Application Manager. For more information on the Application Manager, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

Enabling and Disabling Logging in Jetty Web Server

Step 1 To enable or disable logging in the Jetty Web Server, open the following file:

<SESM>/jetty/config/<application>.jetty.xml

For example, if you need to enable or disable Jetty debugs for NWSP, the location will be:

<SESM>/jetty/config/nwsp.jetty.xml

Step 2 Refer to the following section:

<Configure jmxname="org.mortbay.jetty:Debug=0" > <Set name="debug" type="boolean">false</Set> <Set name="debugPatterns"></Set> <Set name="verbose" type="int">0</Set> <Set name="suppressStack" type="boolean">false</Set> <Set name="suppressWarnings" type="boolean">false</Set> </Configure>

Step 3 To enable logging in the Jetty Web Server, set the debug property to true. To disable logging in Jetty, reset the debug property to false.

This change does not take effect until the application is restarted. You can alter the logging levels dynamically through the Jetty Web Servers section of the Logging screen in the SESM Application Manager. For more information on the Application Manager, see Cisco Subscriber Edge Services Manager Administration and Configuration Guide.

4-2Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM AAA Server FAQ

SESM AAA Server FAQThis section contains answers to frequently asked questions on SESM AAA Server.

Configuring AAA Server to Include Attribute 18 Values in Access-Reject Responses

RADIUS Attribute 18 is also referred to as the Reply-Message attribute. SESM currently includes a RADIUS filter which can be applied to RADIUS responses and configured to add attributes and values when these responses contain a particular response code (For example, 3 in the case of Access-Reject). This filter is not used by the SESM RADIUS server by default but can be configured for use by following these steps.

Step 1 Open <SESM>/tools/config/aaa.xml in a text editor.

Step 2 Add the AddAVsFilter as a handler.

Within the config, locate the following section

<Set name="handlers"><Array class="com.cisco.sesm.erp.ERPHandler"> <Item> <New class="com.cisco.sesm.erp.radius.AaaHandler"> <Set name="name">AAA</Set> <Set name="aaaFilename"><SystemProperty name="application.home" default="."/>/config/aaa.properties</Set> </New> </Item>

Immediately after the </Item> tag add the following -

<Item> <New class="com.cisco.sesm.erp.radius.AddAVsFilter"> <Set name="name">AVFilter</Set> <Set name="nextHandler">AAA</Set> <Set name="responseCodes"> <Array class="java.lang.Integer"> <Item type="int">3</Item> </Array> </Set> <Set name="AVs"> <Array class="java.lang.String"> <Item>Reply-Message:somemessage</Item> </Array> </Set> </New> </Item>

Step 3 Configure the required Attribute 18 message.

In the configuration snippet given above, the attribute 18 message is currently set to be somemessage. Change this to the appropriate attribute 18/Reply-Message you want returned. In the same configuration snippet, it is specified that this attribute will be added to Access-Reject messages by the highlighted value 3. Three is the decimal RADIUS code for Access-Reject.

4-3Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

Step 4 Configure the RADIUS Listener to use the AddAVsFilter.

After the AddAVsFilter has been configured, ensure the single RADIUS listener used by the AAA server is making use of this handler, before it calls the standard AaaHandler.

Locate in config the following section:

<Set name="listeners"> <Array class="com.cisco.sesm.erp.ERPListener"> <Item> <New class="com.cisco.sesm.erp.radius.RADIUSListener"> <Set name="handler">AAA</Set> </New> </Item> </Array></Set>

Change the <Set name="handler">AAA</Set> to <Set name="handler">AVFilter</Set> (this matches the name set when you added the AddAVsFilter handler configuration in step 2). Listeners tend to be automatically named after their first configured handler, so this has the effect of changing the listeners name to "AVFilter". Therefore you need to update the remaining configuration for the listener.

Locate the line

<Configure jmxname="com.cisco.sesm:name=AAA,RADIUSListener=AAA,component=ThreadPool">

and change the highlighted RADIUSListener=AAA to be RADIUSListener=AVFilter.

Locate the line

<Configure jmxname="com.cisco.sesm:name=AAA,RADIUSListener=AAA,component=RADIUSServerSocket">

and change the highlighted RADIUSListener=AAA to be RADIUSListener=AVFilter.

SESM Web Portals FAQThis section contains answers to frequently asked questions on SESM Web Portals.

Enabling and Disabling Single Sign-OnSESM web portals have Single Sign-On enabled after installation. To disable this feature:

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml.

For example, If NWSP is the SESM application you wish to modify then:

<SESM>/nwsp/config/nwsp.xml

Step 2 Locate the following line in the SESM MBean:

<Set name="singleSignOn" type="boolean">true</Set>

Step 3 Change the boolean property to false.

4-4Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

This change does not take effect until the applications are restarted. To enable the Single Sign-On again, simply re-set the Boolean to “true”.

Configuring Confirmation While Logging On to or Logging Off from a ServiceThe SESM web portal can be configured to have a confirmation screen presented to the subscriber before connecting to, or disconnecting from, a service.

To modify these features:

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

Step 2 Locate the following in the WebAppMBean:

<Set name="confirmAtServiceLogon" type="boolean">FALSE</Set><Set name="confirmAtServiceLogoff" type="boolean">TRUE</Set>

The configuration above is the default after a SESM installation, and will result in a confirmation screen being presented to users when they attempt to disconnect from a service.

Step 3 Modify the boolean property to TRUE or FALSE as required to modify the default configuration.

This change does not take effect until the application is restarted.

Configuring Confirmation While Logging Off from Subscriber AccountThe SESM web portal can be configured to have a confirmation screen presented to the subscriber before he logs out.

To modify this feature:

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

Step 2 Locate the following in the WebAppMBean:

<Set name="confirmAtAccountLogoff" type="boolean">TRUE</Set>

This is the default configuration after a SESM Installation, and will result in a confirmation screen being presented to subscribers before they log out.

Step 3 Change the boolean property to FALSE, to disable this feature. This change does not take effect until the application is restarted. To enable this feature again, reset the boolean property to TRUE.

4-5Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

Configuring User Credential LengthThe SESM web portal can be configured to enforce a minimum and maximum length for usernames and passwords (used when creating sub-accounts and when subscribers decide to change passwords).

To modify this feature:

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

Step 2 Locate the following in the WebAppMBean:

<!-- Minimum length for usernames. --><Set name="usernameMinLength" type="int">1</Set><!-- Maximum length for usernames. --><Set name="usernameMaxLength" type="int">30</Set><!-- Minimum length for passwords. --><Set name="passwordMinLength" type="int">1</Set><!-- Maximum length for passwords. --><Set name="passwordMaxLength" type="int">30</Set>

Step 3 Modify the appropriate values to enforce minimum and maximum length for usernames and passwords. For example, to enforce a minimum password and username length of 6 characters:

<!-- Minimum length for usernames. --><Set name="usernameMinLength" type="int">6</Set><!-- Maximum length for usernames. --><Set name="usernameMaxLength" type="int">30</Set><!-- Minimum length for passwords. --><Set name="passwordMinLength" type="int">6</Set><!-- Maximum length for passwords. --><Set name="passwordMaxLength" type="int">30</Set>

This change does not take effect until the application is restarted.

Refreshing the Web Portal Service ListSometimes auto-connect services appear as though they have not successfully connected after a subscriber has logged on to the Web Portal. This is because SESM presents subscribers their service-list before the service has finished being connected.

To refresh the service-list after users log-in:

Step 1 Open the following file:

<SESM>/nwsp/webapp/WEB-INF/web.xml

4-6Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

Step 2 Refer to the following Servlet definition:

<servlet> <servlet-name>RefreshDelay</servlet-name> <description> Sets the request attribute "refreshDelay" for the page refresh delay in seconds, if the initialisation parameter is a string representation of a non-zero integer. The purpose of a page refresh is to correctly display any delayed service connections. Replace the following parameter value by eg 5 so that the home page refreshes after 5 seconds. </description> <servlet-class>com.cisco.sesm.webapp.decorator.RefreshDelayDecorator</servlet-class> <init-param> <param-name>refreshDelay</param-name> <param-value>0</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>

Step 3 Modify the “refreshDelay” property to a suitable number of seconds so that the subscriber's service list page in SESM is refreshed after they have logged in to the application. For example, five seconds.

<servlet> <servlet-name>RefreshDelay</servlet-name> <description> Sets the request attribute "refreshDelay" for the page refresh delay in seconds, if the initialisation parameter is a string representation of a non-zero integer. The purpose of a page refresh is to correctly display any delayed service connections. Replace the following parameter value by eg 5 so that the home page refreshes after 5 seconds. </description> <servlet-class>com.cisco.sesm.webapp.decorator.RefreshDelayDecorator</servlet-class> <init-param> <param-name>refreshDelay</param-name> <param-value>5</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>

This change does not take effect until the applications are restarted.

Enabling Port-Bundle Host-KeySESM applications do not need to maintain a list of SSG/client-subnet mappings if they are run with Port-Bundle Host-Key.

To convert a SESM application to running with Port-Bundle Host-Key from using the IP Host-Key (and associated SSG / client subnet mappings):

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

4-7Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

Step 2 Remove SSG/client subnet mappings.

A SESM application that was installed with PBHK disabled will have at least one line similar to the one below in the SSGMBean (note that there may be several lines within comment delimiters. Ensure the line is outside any comment):

<Call name="setSubnetAttribute"><Arg>10.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.10.1</Arg></Call>

Remove this line, and any other SSG/client-subnet mappings.

Step 3 Set the Bundle Length.

A SESM application that was installed with PBHK disabled will have a Bundle Length set to zero in the SSGMBean. Within the same file, refer to the following line:

<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>0</Arg></Call>

To enable PBHK, set the Bundle length to match that on the SSG (default on the SSG is 4).

<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>

Note If you are using the Captive Portal application then you will also need to make these changes to the captiveportal.xml file.

PBHK will be enabled when the application is restarted.

Enabling IP Host-KeyTo convert a SESM application from running with Port-Bundle Host-Key (PBHK) to use the IP Host-Key (and associated SSG / client subnet mappings):

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

Step 2 Set bundle-length to Zero.

To disable PBHK, you have to set the BUNDLE_LENGTH attribute to zero in the application configuration file.

a. Locate the following in the the SSGMBean:

<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>4</Arg></Call>

b. Change the BUNDLE_LENGTH to zero:

<Call name="setGlobalAttribute"><Arg>BUNDLE_LENGTH</Arg><Arg>0</Arg></Call>

4-8Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

Step 3 Add SSG/Client-subnet mappings.

When PBHK is disabled, the applications need to have a mapping of SSG IP addresses and the subscribers IP ranges that are associated with those SSGs. This is to ensure that the applications send RADIUS packets for a particular subscriber to the appropriate SSG.

You now need to add an SSG/Client-subnet mapping, which is done by inserting a line such as the one below within the SSGMBean (put this line below the BUNDLE_LENGTH line that was discussed in Step 1):

<Call name="setSubnetAttribute"><Arg>10.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.10.1</Arg></Call>

This line maps subscribers on the 10.0.0.0/8 network to the SSG at 192.168.10.1. To add additional mappings for that SSG, simply add another line to the file:

<Call name="setSubnetAttribute"><Arg>10.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.10.1</Arg></Call> <Call name="setSubnetAttribute"><Arg>20.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.10.1</Arg></Call>

To add a mapping for a second SSG, simply add another line with a different SSG IP address and client address range:

<Call name="setSubnetAttribute"><Arg>10.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.10.1</Arg></Call> <Call name="setSubnetAttribute"><Arg>20.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.10.1</Arg></Call> <Call name="setSubnetAttribute"><Arg>30.0.0.0</Arg><Arg>255.0.0.0</Arg><Arg>IP</Arg><Arg>192.168.20.1</Arg></Call>

Note If you are using Captive Portal in your network, you must make these changes to the captiveportal.xml file too.

This change does not take effect until the application is restarted.

Modifying AAA Server AttributesTo modify the RADIUS server IP address and RADIUS secrets that are used by the SESM applications when they are communicating with the AAA servers:

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

4-9Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Portals FAQ

Step 2 Locate the following section:

<Configure jmxname="com.cisco.sesm:name=AAA,connection=ServiceProfile"> <Set name="throttle" type="int">256</Set> <Set name="timeOut" type="int">4000</Set> <Set name="maxRetries" type="int">3</Set> <Set name="primaryIP">192.168.99.1</Set> <Set name="primaryPort" type="int">1812</Set> <Set name="secret">cisco</Set> <Set name="secondaryIP">192.168.99.2</Set> <Set name="secondaryPort" type="int">1812</Set> <Set name="servicePassword">servicecisco</Set> <Set name="serviceGroupPassword">groupcisco</Set> </Configure>

Modify the primaryIP and secondaryIP attributes to change the RADIUS server the portal is using. The RADIUS shared secrets and service passwords can also be modified in this section of the file.

Restricting the RADIUS Source PortsYou can restrict the ports that the SESM applications use in order to make the system more secure. To do this:

Step 1 Open the following file:

<SESM>/<application>/config/<application>.xml

For example, If NWSP is the SESM application you wish to modify, then:

<SESM>/nwsp/config/nwsp.xml

Step 2 Locate the following section:

<!-- - If we need to restrict the range of source ports used, then use entries like the following <Call name="setGlobalAttribute"><Arg>MIN_LOCAL_PORT</Arg><Arg>50000</Arg></Call> <Call name="setGlobalAttribute"><Arg>MAX_LOCAL_PORT</Arg><Arg>50999</Arg></Call> -->

This feature is disabled by default, as it is contained within a set of comment de-limiters (<!-- -->).

Step 3 Remove the comment de-limiters, and set the MIN_LOCAL_PORT and MAX_LOCAL_PORT values appropriately to enable the feature:

<!-- - If we need to restrict the range of source ports used, then use entries like the following -->

<Call name="setGlobalAttribute"><Arg>MIN_LOCAL_PORT</Arg><Arg>50000</Arg></Call> <Call name="setGlobalAttribute"><Arg>MAX_LOCAL_PORT</Arg><Arg>50999</Arg></Call>

Setting MAX_LOCAL_PORT as less than or equal to MIN_LOCAL_PORT will cause an error.

This change does not take effect until the application is restarted.

4-10Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

SESM Captive Portal FAQThis section contains answers to frequently asked questions on the SESM Captive Portal.

Ports and Associated TCP RedirectionsThe SESM Captive Portal application listens on several different ports for the various types of redirections performed by the SSG. The default ports and the types of redirections are outlined below:

An example SSG configuration, that has been constructed to align the SSG’s TCP redirects to these ports, is available in a SESM installation in the following file:

<SESM>/captiveportal/config/ssgconfig.txt

Enabling / Disabling RedirectionsTo disable the Captive Portal redirections:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to the following section:

<Set name="userRedirectOn" type="boolean">true</Set><Set name="initialCaptivateOn" type="boolean">true</Set><Set name="advertisingCaptivateOn" type="boolean">true</Set><Set name="serviceRedirectOn" type="boolean">true</Set>

Table 4-1 Ports and TCP Redirections

Default Port Type of Redirection

Port 8090 Unauthenticated User Redirection.

Port 8091 Initial Captivation.

Port 8092 Advertisement Captivation.

Port 8093 Default Service Redirect.

Port 8094 Named Service Redirect 1.

Port 8095 Named Service Redirect 2.

Port 8096 Named Service Redirect 3.

Port 8099 Secure Port.

Port 8101 Unauthenticated Web-Proxy User.

4-11Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

Step 3 To disable a specific type of redirection, advertising captivation in the example below, set the appropriate property to false:

<Set name="userRedirectOn" type="boolean">true</Set><Set name="initialCaptivateOn" type="boolean">true</Set><Set name="advertisingCaptivateOn" type="boolean">false</Set><Set name="serviceRedirectOn" type="boolean">true</Set>

If a request were to be made to a Captive Portal port that had been disabled in the manner above, the user would be redirected to the “errorURL” in the captiveportal.xml file:

<Set name="errorURL">http://<SystemProperty name="serviceportal.host" default="captiveportal"/>:<SystemProperty name="serviceportal.port" default="8080"/>/home</Set>

Modifying Unauthenticated User Redirection URLWhen the Captive Portal receives a request on the unauthenticated user port (8090), it will redirect the subscriber to the SESM web portal by default.

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to this section:

<Set name="userRedirectURL">http://<SystemProperty name="serviceportal.host" default="captiveportal"/>:<SystemProperty name="serviceportal.port" default="8080"/>/home</Set>

This line essentially redirects the user to the following URL, where “captiveportal” is the hostname of the SESM machine, and “8080” is the port that the SESM web portal is running:

http://captiveportal:8080/home

Step 3 Modify this URL to redirect unauthenticated users to a different URL, for example, http://www.yahoo.com/news_and_media :

<Set name="userRedirectURL">http://<SystemProperty name="serviceportal.host" default="www.yahoo.com"/>:<SystemProperty name="serviceportal.port" default="80"/>/news_and_media</Set>

It is important to realise that the server to which you redirect unauthenticated users must be available to them. This server is typically the SESM Subscriber Portal, residing on the default-network defined in the SSG. If Captive Portal is configured to redirect unauthenticated users to a server that is outside of the default-network, or an open-garden, then the SSG will TCP-redirect them back to Captive Portal.

Users will only be permitted to access the default-network, and any open-garden services, before authentication.

4-12Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

Modifying Initial Captivation URL, Initial Captivation Duration and Initial Captivation Delay

Redirection Inside the Default Network/Open Gardens

There are three configuration options for Initial Captivation; the initialCaptivateURL, the intialCaptivateDuration and the initialCaptivateDelay. By default, the Captive Portal will redirect a user that is subject to Initial Captivation to the SESM Message Portal for a duration of 15 seconds before they are redirected to their originally requested URL.

To view the default settings:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to the following lines:

<Set name="initialCaptivateURL">http://<SystemProperty name="messageportal.host" default="captiveportal"/>:<SystemProperty name="messageportal.port" default="8085"/>/initial</Set> <Set name="initialCaptivateDuration">15</Set> <Set name="initialCaptivateDelay" type="int">0</Set>

Redirection Outside the Default Network/Open Gardens

Alternatively, the Captive Portal can be configured to redirect all users to a specific URL while they are subject to Initial Captivation – http://news.bbc.co.uk/ in the example below:

<Set name="initialCaptivateURL">http://<SystemProperty name="messageportal.host" default="news.bbc.co.uk"/>:<SystemProperty name="messageportal.port" default="80"/>/</Set>

The Captive Portal can also be configured to redirect a user to the Home URL in the user-profile, or to the location URL for the users given location, by substituting a keyword into the initialCaptivateURL parameter.

• personalURL—This will have the user redirected to their personal URL when they are subject to initial captivation.

• locationURL—This will have the user redirected to the location URL when they are subject to initial captivation.

For example:

<Set name="initialCaptivateURL">personalURL</Set>

When users are subject to initial captivation, they are only permitted to access the server defined in the initial captivation server-group on the SSG. To achieve redirections to servers other than the initial captiation server, you must:

• Shorten the captive duration on the SSG to its minimum; 1 second

• Introduce a delay in the Captive Portal’s HTTP redirection of the user to be greater than 1 second

4-13Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

This way, users will be captured, the redirection will pause for a short while (1 second) until the captive period has elapsed, and then redirect to the desired external URL.

This delay in Captive Portal is activated by editing the following line:

<Set name="initialCaptivateDelay" type="int">0</Set>

The value of this delay should just exceed the duration on the SSG, and since the Captive Portal delay is measured in milliseconds, this can be set to:

<Set name="initialCaptivateDelay" type="int">1100</Set>

Users that are redirected outside of the default network are not truly captive using this method.

Modifying Advertising Captivation URL, Advertising Captivation Duration and Advertising Captivation Delay

Redirection Inside the Default Network/Open Gardens

There are three configuration options for Advertisment Captivation – the advertisingCaptivateURL, the advertisingCaptivateDuration and the advertisingCaptivateDelay. By default, the Captive Portal will redirect a user that is subject to Advertisement Captivation to the SESM Message Portal for a duration of 15 seconds before they are redirected back to their originally requested URL.

To view the default settings:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to the following lines:

<Set name="advertisingCaptivateURL">http://<SystemProperty name="messageportal.host" default="captiveportal"/>:<SystemProperty name="messageportal.port" default="8085"/>/advertising</Set> <Set name="advertisingCaptivateDuration">15</Set>

<Set name="advertisingCaptivateDelay" type="int">0</Set>

Redirection Outside the Default Network/Open Gardens

Alternatively, Captive Portal can be configured to redirect all users to a specific URL while they are subject to Advertising Captivation: http://news.bbc.co.uk/ in the example below:

<Set name="initialCaptivateURL">http://<SystemProperty name="messageportal.host" default="news.bbc.co.uk"/>:<SystemProperty name="messageportal.port" default="80"/>/</Set>

Captive Portal can also be configured to redirect a user to the Home URL in the user-profile, or to the location URL for the users given location, by substituting a keyword into the advertisingCaptivateURL parameter.

• personalURL—This will have the user redirected to their personal URL when they are subject to advertising captivation

4-14Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

• locationURL—This will have the user redirected to the location URL when they are subject to advertising captivation

For example:

<Set name="advertisingCaptivateURL">locationURL</Set>

When users are subject to advertising captivation, they are only permitted to access the server defined in the advertising captivation server-group on the SSG. To achieve redirections to servers other than the advertising server, you must:

• Shorten the captive duration on the SSG to its minimum – 1 second

• Introduce a delay in the Captive Portal’s HTTP redirection of the user to be greater than 1 second

This way, users will be captured, the redirection will pause for a short while (1 second) until the captive period has elapsed, and then redirected to the desired external URL.

.This delay in Captive Portal is activated by editing the following line:

<Set name="advertisingCaptivateDelay" type="int">0</Set>

The value of this delay should just exceed the duration on the SSG, and since the Captive Portal delay is measured in milliseconds, this can be set to:

<Set name="advertisingCaptivateDelay" type="int">1100</Set>

Users that are redirected outside of the default network are not truly captive using this method.

Modifying Default Service Redirect URLCaptive Portal redirects users that are subject to a default service redirect to the SESM web portal.

To modify the default Service Redirect URL:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Locate this line:

<Set name="serviceRedirectDefaultURL">http://captiveportal:8080/serviceRedirect</Set>

Step 3 To have these users redirected to an alternative webserver, for example,Yahoo; modify as follows:

<Set name="serviceRedirectDefaultURL">http://www.yahoo.com</Set>

If users are service-redirected to Captive Portal, it can mean that they have no active services. As such, they will only be able to reach the Default-Network and any Open-Garden services. This should be taken into consideration when modifying the default service redirect URL.

Configuring Prepaid User Redirection in SSGSubscribers with prepaid internet access will be able to access the internet till their quota in the billing server is exhausted. However, when a subscriber's quota is exhausted, the SSG can do two things; either disconnect the service immediately, or do prepaid user redirection.

4-15Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

In prepaid user redirection, the subscriber's attempted access to the prepaid service will be redirected to a defined server group in the TCP-redirect configuration in SSG. This server group should redirect these users to the Captive Portal application, which will in turn HTTP-redirect the users to a web portal, where a recharge page will be displayed to the subscriber. SESM web portals include a recharge stub that can be customized in order to facilitate the recharge operation.

The following examples can be used to configure prepaid user redirection on an SSG that supports the feature:

Configure a default prepaid redirection group as follows:

ssg tcp-redirectserver-group PREPAID_REDIR_DEFAULTserver 10.0.1.4 8097!redirect prepaid-user to PREPAID_REDIR_SERVER

This example is given in a SESM install in captiveportal/config/ssgconfig.txt

You can also configure a prepaid redirection group on a per service basis instead of as default:

ssg tcp-redirectserver-group PREPAID_REDIR_SERVICE1server 10.0.1.4 8098

This example is given in a SESM install in captiveportal/config/ssgconfig.txt

Configure the per-service redirection in a service profile using the Z subattribute code. For example:

Z;PREPAID_REDIR_SERVICE1Service-Info = "..." where ... is the string you give here

This example is given in a SESM install in nwsp/config/aaa.properties.

Configuring Captive Portal for Prepaid User RedirectionsThe default Captive Portal application does not have a port configured to receive the prepaid user redirections that the SSG can send to it. As such, we need to edit manually.

Configuring Jetty to Receive Prepaid User Redirections

You need to have Jetty open another socket when it starts the Captive Portal, so that the application can receive and handle these requests. To configure an additional socket in Captive Portal:

Step 1 Open the following file:

<SESM>/jetty/config/captiveportal.jetty.xml

Step 2 Add another SESMSocketListener to the file. To do this, copy and paste an existing section of the config into this section of the configuration file:

<Call name="addListener"> <Arg><New class="com.cisco.sesm.jetty.SESMSocketListener"></New></Arg> </Call>

4-16Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Captive Portal FAQ

Step 3 Configure this new SESMSocketListner. Copy an existing configuration section to achieve this, as in the example below. Note that we’re configuring SESMSocketListener number 8 to be called ‘genericRedirect2’, and the port that we’re opening is 8097.

<Configure jmxname="org.mortbay.jetty:name=Jetty,Server=0,SESMSocketListener=8"> <Set name="port" type="int"><SystemProperty name="genericRedirect2.port" default="8097"/></Set> <Set name="minThreads" type="int">5</Set> <Set name="maxThreads" type="int">255</Set> <Set name="maxIdleTimeMs" type="int">60000</Set> </Configure>

Configuring Captive Portal to Handle Prepaid User Redirections

You need to add a generic redirection in the Captive Portal application configuration file which utilises this new port to handle prepaid user redirection.

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Add a generic redirection:

<Call name="defineGenericRedirect"><Arg>8097</Arg><Arg>http://your-portal:port/recharge uri</Arg><Arg>CPURL=capturedURL</Arg></Call>

If you are using NWSP, configure captive portal to redirect to the NWSP recharge page, in captiveportal.xml:

<Call name="defineGenericRedirect"><Arg>8097</Arg><Arg> http://sesm:8080/recharge</Arg><Arg>CPURL=capturedURL</Arg>

</Call>

This has configured the Captive Portal to HTTP-redirect the prepaid users to the dummy ‘recharge’ page on the SESM web portal.

Billing Server RequirementsIn order for the SSG to invoke prepaid user redirection, the billing server must respond with an idle-timeout value which is greater than zero in the authorization response that it sends to the SSG when the subscriber has run out of quota.

There is an example below of the SSG debug information produced when users have exhausted their quota, and an idle-timeout is included in the RADIUS response to the SSG. When the SSG receives this, it will redirect traffic that is destined for the prepaid service to the configured server-group (PREPAID) for the duration of the idle-timeout, without disconnecting the service. Once this period has elapsed, the

4-17Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

SSG will attempt to re-authorise the user by asking the billing server for more quota. If the user has not added more quota to their account by this time, they will be subject to prepaid user redirection once again.

01:15:14: RADIUS: Received from id 21645/48 10.52.199.56:1812, Access-Accept, len 8301:15:14: RADIUS: authenticator 3C C9 E0 89 97 18 DD 2C - 8F D3 79 6A 13 20 7B B601:15:14: RADIUS: Service-Type [6] 6 Framed [2]01:15:14: RADIUS: Vendor, Cisco [26] 27 01:15:14: RADIUS: ssg-service-info [251] 21 "Nvideo-city-prepaid"01:15:14: RADIUS: Vendor, Cisco [26] 13 01:15:14: RADIUS: ssg-control-info [253] 7 "QT100"01:15:14: RADIUS: Vendor, Cisco [26] 11 01:15:14: RADIUS: ssg-control-info [253] 5 "QV0"01:15:14: RADIUS: Idle-Timeout [28] 6 60 01:15:14: RADIUS(00000000): Received from id 21645/4801:15:14: SSG-CTL-EVN: Creating radius packet01:15:14: SSG-CTL-EVN: Response is good01:15:14: SSG-CTL-EVN: Volume Quota = 0

01:15:14: SSG-CTL-EVN: Time Quota = 100

01:15:14: SSG-CTL-EVN: Idle timeout present, Value = 60

01:15:14: SSG-CTL-EVN: Initializing Quota timer for 100000 msec01:15:14: SSG-CTL-EVN: Starting Quota timer for 100000 mseconds01:15:14: SSG-CTL-EVN: Initializing volume reauth timer for 60 seconds

If the billing server simply replies with a quota value of zero, the prepaid service will be disconnected, and the user will be subject to default service redirection (if configured).

SESM Web Proxy FAQThis section contains answers to frequently asked questions on the SESM Web Proxy. All attribute changes described in this section are done by modifying the appropriate configuration file. These changes require the application to be restarted.

All attributes can also be changed via AgentView, running on port +100 (8190 by default for Captive Portal, 8202 by default for Web Proxy). Changes using AgentView take effect immediately, and will remain in the configuration file if the store operation is performed.

All attribute changes in the MBean for th proxy handler can be made in a separate configuration file, which is then polled. This requires the two configuration sections for the file poller to be uncommented and the corresponding configuration in the original file to be removed. Changes via file polling take effect each time the polled file has been updated and the configured polling interval has elapsed. The full Plug-and-Play solution needs the SSG, the SESM Captive Portal, Web Proxy and DNS Proxy applications to be correctly configured and running.

Configuring and Debugging SSGThe default configuration for SESM Captive Portal and Web Proxy is as follows:

• Port 8090 on Captive Portal for unauthenticated users

• Port 8101 on Captive Portal for authenticated proxy users

• Port 8102 on Web Proxy for authenticated proxy users with an active internet service.

4-18Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

The corrsponding configuration onthe SSG:

ssg tcp-redirect ! server-group UNAUTH_USER server <Captive Portal IP> 8090 ! redirect unauthenticated-user to UNAUTH_USER ! server-group WEBPROXY_UNAUTH server <Captive Portal IP> 8090 ! server-group WEBPROXY_AUTH server <Captive Portal IP> 8101 ! server-group WEBPROXY_SERVICE_8102 server <Web Proxy IP> 8102 ! redirect permanent http unauthenticated to WEBPROXY_UNAUTH redirect permanent http authenticated to WEBPROXY_AUTH !

SSG Debug Commands:

debug ssg tcp-redirect errorsdebug ssg tcp-redirect eventsdebug ssg tcp-redirect packetsdebug ssg tcp-redirect server eventsdebug ssg ctrl-errorsdebug ssg ctrl-eventsdebug ssg ctrl-packetsdebug ssg errorsdebug ssg eventsdebug radiusterminal monitor

Debugging for a client IP:

show ssg tcp-redirect mapping <client IP>

Detailed debugging for a client IP:

debug ip packet detail <acl>

Where on the SSG the config eg for <acl> = 101

access-list 101 permit ip host <client IP> anyaccess-list 101 permit ip host any <client IP>

4-19Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

Enabling accountWebProxy in Captive PortalCaptive Portal sends a message to the SSG to indicate that the request is from a proxy user only if accountWebProxy is set to true. By default it is set to false, as most deployments do not use Plug-and-Play. To switch on the full set of Plug-and-Play features in Captive Portal:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to the following lines:

<!-- Enable the SSG Account Web Proxy feature --><Set name="accountWebProxy" type="boolean">false</Set>

Step 3 Change to:

<!-- Enable the SSG Account Web Proxy feature --><Set name="accountWebProxy" type="boolean">true</Set>

Setting sesmSessionEnabled in Captive PortalThe SESMSession is required to get locations for use in whitelists and blacklists. By default, use of the SESMSession is set to false, as most Plug-and-Play deployments use only a default whitelist or blacklist that is not location specific.

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to the following lines:

<!-- Set this to true if require location-based white/black lists.--><Set name="sesmSessionEnabled" type="boolean">false</Set>

Step 3 Change to:

<!-- Set this to true if require location-based white/black lists.--><Set name="sesmSessionEnabled" type="boolean">true</Set>

Configuring SESM HostsThe SESM web portal requires the remote address and remote port to be proxied to it to determine the correct session. The web proxy handler in Captive Portal and Web Proxy sends this information in the request header for standard proxy requests. They send it out-of-band as a separate request to /com.cisco.sesm.ProxyMetaData on the web portal for secure proxy requests, as SSL does not allow the request to be modified.

Both Captive Portal and Web Proxy need to be told which hosts to send this data to. The installation program automatically updates this list of hosts to include the web portal given in the install. It may be necessary to add other aliases and/or IP addresses.

4-20Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

Step 1 Open the following files:

<SESM>/captiveportal/config/captiveportal.xml<SESM>/webproxy/config/webproxy.xml

Step 2 Refer to the following lines:

<Set name="sesmHostList"> <Array class="java.lang.String"> <Item>mywebportal</Item> </Array> </Set>

Step 3 Change as follows:

<Set name="sesmHostList"> <Array class="java.lang.String"> <Item>mywebportal</Item> <Item>myalias</Item> <Item>x.x.x.x</Item> </Array> </Set>

There is no need to include the SESM hosts in the default white list, as they will always be proxied to, if sesmHostsAllowed is set to true, which it is by default.

The SESM web portal needs to know from which servers it can accept the proxy meta-data with remote address and port. The installation program will update the list of servers that do proxy handling to include the Captive Portal given in the install. The following configuration cannot be set via AgentView. It is essential to add the IP address of the Web Proxy if it is different from Captive Portal. It may be necessary to add any other public aliases.

Step 1 Open the following file:

<SESM>/mywebportal/webapp/WEB-INF/web-jetty.xml

Step 2 Refer to the following lines:

<Set name="sesmProxyList"> <Array type="java.lang.String"> <Item>captiveportal</Item> <Item>127.0.0.1</Item> <Item>localhost</Item> </Array> </Set>

Step 3 Change as follows:

<Set name="sesmProxyList"> <Array type="java.lang.String"> <Item>captiveportal</Item> <Item>a.b.c.d</Item> <Item>webproxyifondifferentmachine</Item> </Array> </Set>

where a.b.c.d is the IP address of the Captive Portal.

4-21Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

Configuring Whitelists in Captive Portal for Non-Proxy UsersFor non-proxy users you can configure transparent proxying by configuring proxy ports:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

Step 2 Refer to the following section:

<!-- The listener ports where transparent proxying will occur for non-proxy users according to the white/black lists. Uncomment the example below to allow this type of proxying for unauthenticated user redirection and default unauthorized service redirection. --><!--

<Set name="proxyPorts"> <Array class="java.lang.String"> <Item>8090</Item> <Item>8093</Item> </Array> </Set>

-->

Step 3 Ensure the following section is uncommented to allow transparent proxying of non-proxy requests on specific listener ports:

<Set name="proxyPorts"> <Array class="java.lang.String"> <Item>8090</Item> <Item>8093</Item> </Array> </Set>

The installation program updates these ports if they are different from the default values.By default Captive Portal proxies only proxy requests.

Editing Captive Portal WhiteListsThe Captive Portal application has default and location-specific whitelists, which are lists of hosts that the Captive Portal will permit unauthenticated users to access. If a location-specific whitelist is available, it will be used for the user in that location. In all other cases, the default whitelist is used. The default whitelist must include any Open Garden services in the deployment.

To edit the Captive Portal whitelist:

Step 1 Open the following file:

<SESM>/captiveportal/config/captiveportal.xml

4-22Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

Step 2 Refer to the following section:

<!-- <Set name="proxyHostsWhiteLists"> <New class="java.util.HashMap"> <Put name="default"> <Array class="java.lang.String"> <Item>.cisco.com</Item> </Array> </Put>

<Put name="london"> <Array class="java.lang.String"> <Item>www.visitlondon.com</Item> <Item>freeservices</Item> </Array> </Put> </New> </Set> -->

After installation, there are some example entries in the array that define the whitelists. To add an entry for ‘OPENGARDEN’ to the default white list and to remove the example location-specific white list, remember to uncomment (remove the <!-- and --> delimiters) the white lists:

<Set name="proxyHostsWhiteLists"> <New class="java.util.HashMap"> <Put name="default"> <Array class="java.lang.String"> <Item>.cisco.com</Item> <Item>OPENGARDEN</Item> </Array> </Put> </Set>

These changes will take effect when the Captive Portal is restarted.

Enabling WebProxy BlacklistsThe WebProxy application does not have blacklists configured by default. Blacklists are lists of hosts that the application shall not proxy for, and can be enabled by editing the following file.

Step 1 Open the following file:

<SESM>/webproxy/config/webproxy.xml

4-23Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

Step 2 Refer to the following section:

<!-- <Set name="proxyHostsBlackLists"> <New class="java.util.HashMap"> <Put name="default"> <Array class="java.lang.String"> <Item>.microsoft.com</Item> </Array> </Put> <Put name="london"> <Array class="java.lang.String"> <Item>www.manchester.com</Item> </Array> </Put> </New> </Set>

-->

Step 3 To enable the black lists, uncomment the configuration (remove the <!-- and --> delimiters).

<Set name="proxyHostsBlackLists"> <New class="java.util.HashMap"> <Put name="default"> <Array class="java.lang.String"> <Item>.microsoft.com</Item> </Array> </Put> <Put name="london"> <Array class="java.lang.String"> <Item>www.manchester.com</Item> </Array> </Put> </New> </Set>

Step 4 To add a host to the default black list and remove the example location-specific black list:

<Set name="proxyHostsBlackLists"> <New class="java.util.HashMap"> <Put name="default"> <Array class="java.lang.String"> <Item>.microsoft.com</Item> <Item>www.evilrules.com</Item> </Array> </Put> </New> </Set>

These changes will take effect when the Web Proxy is restarted.

Configuring PAC File Emulation in Captive PortalThe Captive Portal can be configured to intercept and respond to requests made by clients for a Proxy Automatic Configuration script. This is enabled by default. To modify this:

Step 1 Open the following file:

<SESM>/captiveportal/webapp/WEB-INF/web-jetty.xml

Step 2 Refer to the following section:

4-24Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

<Call name="mapResourceByExtension"> <Arg>pac</Arg><Arg>/webproxy.pac</Arg> </Call>

Step 3 To disable the feature, comment-out the section:

<!-- <Call name="mapResourceByExtension"> <Arg>pac</Arg><Arg>/webproxy.pac</Arg> </Call> -->

Alternatively, to create a different mapping for a different file extension (cfg in this example) modify as follows:

<Call name="mapResourceByExtension"> <Arg>pac</Arg><Arg>/webproxy.pac</Arg> </Call> <Call name="mapResourceByExtension"> <Arg>cfg</Arg><Arg>/webproxy.cfg</Arg> </Call>

SESM comes with the example webproxy.pac file. If you configure additional mappings for other file extensions, you must also create the appropriate file to associate them with – webproxy.cfg in the above example. These new files should be placed in the following location:

<SESM>/captiveportal/webapp/

Configuring a No-Proxy Message in Captive PortalThe Captive Portal can be configured to present a customisable message to web-proxy users. This feature is commented out by default. To enable this feature:

Step 1 Open the following file:

<SESM>/captiveportal/webapp/WEB-INF/web-jetty.xml

Step 2 Refer to the following line:

<!-- <Set name="noProxyResource">/noproxy.html</Set> -->

Step 3 To enable the feature, uncomment this line:

<Set name="noProxyResource">/noproxy.html</Set>

Step 4 Edit the following web page, to customize the message.

<SESM>/captiveportal/webapp/noproxy.html

Supported Browser VersionsInternet Explorer versions 5.0 or less are not supported, as these have known issues with proxying. It is recommended that you use the latest versions of browsers such as IE 6.0 SP2 or Netscape 7.2.

4-25Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

Connectivity IssuesEnsure that the servers that do proxy handling have internet connectivity. This is for the white lists for Captive Portal, and in general for Web Proxy. In particular, some lab firewalls may allow standard requests (80/8080), but block secure requests (443/8443).

Security IssuesEnsure that direct access to the Web Proxy is not possible (default port used is 8102). The recommended approach is to use an ACL on the SSG, or configure a firewall depending on setup.

Port-bundle Hostkey (PBHK) IssuesEnsure that the SSG is port-mapping for Captive Portal (ports 8090 to 8101) and Web Proxy (port 8102) as well. For example:

ssg port-map destination range 8443 to 8443 ip <SESM IP> destination range 8080 to 8102 ip <SESM IP>

The default bundle-length is 4. This allows a maximum of 16 simultaneous TCP-connections. It is recommended to experiment with higher values of bundle-length, such as 6, if experiencing performance issues.

The reason for the degraded performance is the large number of TCP-connections used with IE default proxy setting of using HTTP/1.0. To compensate for the increased bundle-length, increase the number of loopback addresses on the SSG so as to handle the same number of users.

ssg port-map destination range 8443 to 8443 ip <SESM IP> destination range 8080 to 8102 ip <SESM IP> source ip Loopback0 source ip Loopback1 …interface Loopback0 ip address 10.30.2.1 255.255.255.255!interface Loopback1 ip address 10.30.2.2 255.255.255.255!

Other SSG IssuesThis section contains answers to frequently asked questions on the SSG.

Bad Performance for Proxying

Ensure that the SSG is not limiting the max number of sessions for the server-group excessively. The following would cause proxying to be very slow.

server-group xxx max-session host 10

4-26Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Web Proxy FAQ

The reason for this is that the default proxy setting for IE is to use HTTP/1.0, which uses at least 16 connections. In practice, this may be quite a bit higher. If a limit for maximum number of sessions is to be set, a value of 50 has been shown to be suitable.

SSG Fails to Redirect Correctly for Proxy Users

Ensure that the SSG does not have ‘no ip route-cache cef’ in the configuration of the interfaces used. This will cause permanent proxy redirection to fail.

Accounting Does Not Work for PBHK and Proxying

The SSG DDTS CSCsa44594 has been raised for 12.3(5)B and 12.3(x)T. If you upgrade from 12.3(3)B make sure you have a version with DDTS CSCsa44594 resolved.

General Testing Issues

If you experience issues after authentication with setting up the Web Proxy, but have not yet blocked direct access to the Web Proxy (using ACL or firewall), then it is worth configuring your browser to use the Web Proxy as its proxy server. This way, no TCP-redirection in the SSG is needed, and the functioning of the web proxy can be tested, eg. for internet access.

Configuring the SSG to allow the SESM DNSproxyFor example:

ssg open-garden DNS

local-profile DNS attribute 26 9 251 "R10.52.199.110;255.255.255.255" attribute 26 9 251 "D10.52.199.110" attribute 26 9 251 "O*"!

Configuring the SESM DNSProxy ApplicationThe DNSProxy application is installed by default, and is started by running the following script:

<SESM>/tools/bin/startDNS.sh

The SESM DNS proxy always remains in use for non-proxy users, but is only used once by proxy users to lookup the configured proxy server in their browser.

To configure the DNS servers, that the DNSProxy application will use, to attempt to resolve requests, refer to the following file:

<SESM>/tools/config/dns.xml

This section defines the primary and secondary DNS servers:

<Item><New class="com.cisco.sesm.erp.dns.DNSDelegationHandler"><Set name="name">RESOLVER</Set>

4-27Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

<Set name="port">53</Set><Set name="servers"><Array class="java.lang.String"><Item>151.99.125.2</Item><Item>151.99.125.3</Item></Array></Set><Set name="timeout">5000</Set><Set name="dump" type="boolean">true</Set></New></Item>

To configure the substitute IP that the DNSProxy application will insert in responses to un-resolvable requests, refer to the following file:

<SESM>/tools/config/dns.xml

This section defines the substitute IP address. The IP that is used here should be an upstream IP address.

<New class="com.cisco.sesm.erp.dns.DNSSubstituteIPHandler"><Set name="name">DNS</Set> <Set name="ResolverHandlerName">RESOLVER</Set><Set name="substituteIPAddress">127.0.0.1</Set><Set name="timeToLive">30</Set><Set name="dump">true</Set></New>

SESM RDP and RADIUS FAQThis section contains answers to frequently asked questions on SESM RDP and RADIUS.

RDP in Proxy ModeThe Radius Data Proxy (RDP) can be configured to proxy authentication and/or accounting and/or service requests to a configured proxy RADIUS server and forward the response from the Proxy back to the client.

Configuring Proxy Mode During SESM SPE Installation

For SESM SPE installations, this is the simplest way of configuring the RDP for Proxy Mode. At the Enter further values for RDP screen, select the Proxy Mode option.

4-28Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

Figure 4-1 Enter Further Values for RDP Screen

If the Proxy Mode option is selected, the subsequent screen will request details of the Primary and Secondary Proxy RADIUS servers; IP-Address, Port and Shared Key.

4-29Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

Configuring Proxy Mode by Editing rdp.xml

Step 1 Open the following file:

<install-directory>/rdp/config/rdp.xml

Step 2 Uncomment the following section of configuration:

<!-- installer:start proxy<Item><New class="com.cisco.sesm.erp.ERPFilter"><Set name="name">AUTHENTICATION</Set><Set name="nextHandler">PROXY</Set></New></Item>installer:end proxy -->

Step 3 Comment out the current authentication configuration, which by default will be DESS authentication:

<!-- installer:start dess auth --><Item><New class="com.cisco.sesm.rdp.DESSAuthenticationHandler"><Set name="name">AUTHENTICATION</Set>

<Set name="authAttributes"><Array class="java.lang.String"><Item>USER_PASSWORD</Item></Array></Set></New></Item><!-- installer:end dess auth -->

Step 4 Edit the PROXY radius configuration entering the IP address, Port and Shared Key of the Primary and Secondary PROXY RADIUS servers

<!-- Default PROXY radius socket configuration parameters --><Configure jmxname="com.cisco.sesm:name=RDP,PROXY=ProxyHandler,component=RADIUSClientSocket"><Set name="throttle" type="int">256</Set><Set name="timeOut" type="int">4000</Set><Set name="maxRetries" type="int">3</Set><Set name="primaryIP">127.0.0.1</Set><Set name="primaryPort" type="int">1814</Set><Set id="AAASecret" name="secret">cisco</Set><Set name="secondaryIP">127.0.0.2</Set><Set name="secondaryPort" type="int">1814</Set><Set name="accountingPortOffset" type="int">1</Set></Configure>

Step 5 Restart RDP.

4-30Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

Configuring Proxy Mode for SESM RADIUS Installations

For SESM RADIUS installations, the RDP can be configured to proxy all RADIUS requests to a Proxy RADIUS server. A configuration for this type of deployment is already provided in the form of the SESM Proxy RADIUS server. It is necessary to modify the configuration of the SESM Proxy RADIUS server for the Proxy RADIUS server details. To configure the SESM Proxy RADIUS server, edit the file:

<install-directory>/tools/config/proxy.xml.

To start the SESM Proxy RADIUS server, run the command

<install-directory>/tools/bin/startProxy.sh <port-number>

Where port-number is the port on which the server will listen for RADIUS requests.

Using the RDP in RADIUS Mode deployments of SESMThe RDP can be configured to read all RADIUS profiles from a flat file instead of the SPE data store. A configuration for this type of deployment is already provided in the form of the SESM RADIUS server. By default, the RADIUS profiles will be read from the file:

<install-directory>/tools/config/aaa.properties

This is a Merit Users file. To use a different file, edit the SESM RADIUS server configuration file at

<install-directory>/tools/config/aaa.xml

To start the SESM RADIUS server, run the command

<install-directory>/tools/bin/startAAA.sh <port-number>

Where port-number is the port on which the server will listen for RADIUS requests

Add ServicesConfiguring the Add Services option will cause the RDP to add the subscriber’s subscribed services, as defined in the subscriber’s profile in the data store (LDAP or RDBMS), to the Authentication Request response. This is the default behaviour.

If the Add Services option is not configured, then the services, defined in the subscriber’s profile in the data store, will not be included in the response. This can be useful when the RDP is configured in Proxy mode and the Proxy RADIUS server provides the subscribed services. However, it should be noted that in this case, the service profiles themselves must nevertheless be defined in the data store.

If both Add Services is enabled and the Proxy RADIUS server includes services in its response, then the response from the RDP to the client will contain a combination of services, those from the data store and those received from the Proxy RADIUS server.

4-31Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

Configuring Add Services

You can configure Add Services by editing the rdp.xml file. The default configuration will be add services. To modify the add services configuration:

Step 1 Open the following file:

<install-directory>/rdp/config/rdp.xml

Step 2 Uncomment the following section of the configuration:

<!-- installer:start no services<Item><New class="com.cisco.sesm.erp.ERPFilter"><Set name="name">AUTHORIZATION</Set><Set name="nextHandler">AUTHENTICATION</Set></New></Item>installer:end no services -->

Step 3 Comment out the current authorisation configuration, which by default will be add services:

<!-- installer:start add services --><Item><New class="com.cisco.sesm.rdp.DESSAuthorizationFilter"><Set name="name">AUTHORIZATION</Set><Set name="nextHandler">AUTHENTICATION</Set><Set name="addService" type="boolean">true</Set><Set name="addAutoService" type="boolean">true</Set><Set name="addGroup" type="boolean">true</Set></New></Item><!-- installer:end add services -->

Step 4 Restart RDP.

Note For SESM releases preceding SESM 3.3(1) you could configure Add Services as part of the installation procedure. Due to CSCuk51837, this can now be configured only after installation. Add Services set to true is the default configuration.

Using the Client ListWhen the Client List is used, the RDP will only respond to those clients defined in its Client List. All other requests will be silently discarded. If Client List is not used, the RDP responds to all requests. The Client List option may be selected during SESM installation. If selected, a subsequent screen will be displayed allowing the Hostname/IP-Address and Shared Secret, for just one client, to be configured.

There is a Client List for both the Authentication radius listener socket (AUTH) and Accounting radius listener socket (ACCOUNTING). Selecting the Client List option during SESM installation only affects AUTH.

The Client List may be enabled and/or extended at a later stage by editing <install-directory>/rdp/config/rdp.xml. The following is a Client List configuration.

<!-- installer:start client list

4-32Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

<Set name="allowedClients"><Array class="java.lang.String"><Item>localhost:localsecret</Item></Array></Set>installer:end client list -->

If this is commented out, remove the comment lines from the Client List configuration and replace localhost and localsecret with the required values. The line “<Item>localhost:localsecret</Item>” may be repeated for each client. The RDP must then be restarted.

RDP HostnameDuring SESM installation, it is necessary to enter the Hostname or IP Address of the RDP.

If a specific Hostname/IP Address is used, then the RDP will only respond to requests sent to that host. This is an additional security feature for the case where the RDP is running on a machine with multiple interfaces, and it is known in advance which interface the RADIUS requests are expected to be received on. To disable this feature, use the IP Address 0.0.0.0. In this case, the RDP will respond to all requests regardless of the address to which they were sent.

During SESM installation, enter the IP Address 0.0.0.0 in the Hostname field of the RDP configuration screen. Alternatively, edit <install-directory>/rdp/config/rdp.xml. Search for the string “localIP” and modify it’s value accordingly.

Domain Based Proxy AuthenticationThe RDP can be configured to proxy authentication and/or accounting and/or Service requests to different Proxy RADIUS servers depending on the Domain of the user/service. See Cisco Subscriber Edge Services Manager Profile Management Guide for a description of Domain Based Proxy Authentication.

Domain Based Proxy Authentication is configured manually by editing the following file:

<install-directory>/rdp/config/rdp.xml

Having the RDP installed in Proxy Mode initially simplifies the configuration of Domain Based Proxy Authentication and is recommended.

See Cisco Subscriber Edge Services Manager Profile Management Guide for a detailed description on how to configure Domain Based Proxy Authentication.

SESM SPE Installations

In SESM SPE installations, where self care is required, the RDP can be configured to proxy authentication and/or accounting requests based on the domain of the user. However, Subscriber and Service profiles must be defined in the SPE data store, LDAP or RDBMS. This is because the web portal (NWSP) will still go to SPE to obtain the list of subscribed services and service profiles.

4-33Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

RADIUS Mode Deployments of SESM

In RADIUS mode deployments of SESM, the RDP can be configured to proxy all RADIUS requests. A configuration for this type of deployment is already provided in the form of the SESM Proxy RADIUS server. It is necessary to modify the configuration of the SESM Proxy RADIUS server for the required Domain mappings and Proxy RADIUS server details. To configure the SESM Proxy RADIUS server, edit the file

<install-directory>/tools/config/proxy.xml.

For details of the configuration see the Configuring Domain Handler section in the Cisco Subscriber Edge Services Manager Profile Management Guide.

To start the SESM Proxy RADIUS server, run the command

<install-directory>/tools/bin/startProxy.sh <port-number>

Where port-number is the port on which the server will listen for RADIUS requests.

RDP Accounting Listener

The RDP has a separate listener for Accounting-Requests. This listener and associated handler cannot be configured during SESM installation and therefore any changes must be made by editing the file:

<install-directory>/rdp/config/rdp.xml

The following is the configuration for the Listener:

<Item><!-- ACCOUNTING radius Listener --><New class="com.cisco.sesm.erp.radius.RADIUSListener"><Set name="name">ACCOUNTING</Set>

<!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --><!-- Set the accounting request handler. This can be set to:AAA - handle the request locally by logging.PROXY - proxy the request to another server.DOMAINPROXY - proxy the request to another server selectedby domain name. --><!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --><Set name="handler">AAA</Set>

<!-- Set dump to true to dump all packets to stderr --><Set name="dump" type="boolean">false</Set></New></Item>

And the following is the configuration for the listener Socket

<!-- Configuration for the Accounting radius listener Socket --><Configure jmxname="com.cisco.sesm:name=RDP,RADIUSListener=ACCOUNTING,component=RADIUSServerSocket">

<Set name="secret">cisco</Set><Set name="localIP">0.0.0.0</Set><Set name="localPort" type="int"><SystemProperty name="accounting.portno" default="1813"/></Set>

<!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --><!-- Uncomment and customize the following section to define a- client access list. If defined each item defines an allowed- client by giving their hostname or IP address- and optionally followed by ':' and a local secret -->

4-34Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM RDP and RADIUS FAQ

<!-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --><!-- installer:start client list<Set name="allowedClients"><Array class="java.lang.String"><Item>localhost:localsecret</Item></Array></Set>installer:end client list --></Configure>

By default, the RDP is configured to listen to Accounting-Request on port 1813 and to respond with Accounting-Accept. See configurations above.

The behaviour can be changed to Proxy or Domain Based Proxy by selecting the respective handler.

The Accounting listener socket has an associated Client List which by default is commented out. See the Client List section.

When the RDP is configured to Proxy Accounting Requests, the port on which the requests will be forwarded will be the configured Authentication port plus 1.

This is determined by the value of the accountingPortOffset parameter which can be changed by editing <install-directory>/rdp/config/rdp.xml

<!-- Default PROXY radius socket configuration parameters --><Configure jmxname="com.cisco.sesm:name=RDP,PROXY=ProxyHandler,component=RADIUSClientSocket"><Set name="throttle" type="int">256</Set><Set name="timeOut" type="int">4000</Set><Set name="maxRetries" type="int">3</Set><Set name="primaryIP">127.0.0.1</Set><Set name="primaryPort" type="int">1814</Set><Set id="AAASecret" name="secret">cisco</Set><Set name="secondaryIP">127.0.0.2</Set><Set name="secondaryPort" type="int">1814</Set><Set name="accountingPortOffset" type="int">1</Set></Configure>

RDP CachingIn SPE mode deployments, user and service profiles are cached by the SPE component of the RDP. Consequently, if a user or service profile is modified, either by the user through the Self Care feature of the SESM Web Portal, or by an administrator using CDAT, then that change may not be immediately picked up by the RDP due to the SPE cache.

By default, the cache timeout is set to 10 minutes. This can be changed by editing the following section of configuration in the following file:

<install-directory>/rdp/config/dessauth.xml

<!-- All timeout values are in seconds --> <Set name="cacheSessionTimeout" type="int">600</Set> <Set name="cacheExpireInterval" type="int">600</Set> <Set name="cacheObjectTimeout" type="int">600</Set>

This affects all SESM applications that have an SPE component. Each SESM application has its own dessauth.xml file.

4-35Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Java FAQ

SESM Java FAQThis section contains answers to frequently asked questions on the Java version SESM applications use.

Discovering and Modifying the Java Version SESM Applications UseThe SESM applications require a Java Virtual Machine to be able to run. To determine what JVM a SESM installation is using when the applications are started, open the following file:

<SESM>/jetty/bin/start.sh

Refer to this line:

JDK_HOME=${JDK_HOME:=/usr/java1.4}

This line can be translated to say “If the environment variable JDK_HOME exists, that will be the location of the JVM that the SESM applications will use. If it does not exist, the applications will fall-back to using the JVM contained within /usr/java1.4”

If Enviornment Variable JDK_HOME Exists:

If the environment variable JDK_HOME exists, the applications will use the JVM located within JDK_HOME when they start up. To determine the exact version of the JVM that is being used, change directory to JDK_HOME/bin and run the following command:

My_Server> cd $JDK_HOME/binMy_Server > ./java -versionjava version "1.4.2"Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-b28)Java HotSpot(TM) Client VM (build 1.4.2-b28, mixed mode)

If Enviornment Variable JDK_HOME Does Not Exist:

If the environment variable JDK_HOME does not exist, the applications will use the fall-back location of the JVM, which is /usr/java1.4 in the above example. To determine the exact version of the JVM, change directory to /usr/java1.4/bin and run the following command:

My_Server > cd /usr/java1.4/bin

My_Server > ./java -version

java version "1.4.2"

Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-b28)

Java HotSpot(TM) Client VM (build 1.4.2-b28, mixed mode)

4-36Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Performance FAQ

To Specify the Location of a JVM:

To specify the location of your preferred JVM:

Step 1 Edit the following line in the start script:

JDK_HOME=${JDK_HOME:=/usr/java1.4}

Step 2 Change to, for example:

JDK_HOME=/opt/j2sdk_1_4_1_02

This modification overrides any settings of the environmental JDK_HOME variable. That is, the JVM that the SESM application uses is explicitly the JVM written in the script and it is not affected any more by the value of the environmental variable JDK_HOME.

SESM Performance FAQThis section contains answers to frequently asked questions on SESM performance issues.

Adding More RAM to the Java ProcessBy default, the SESM web portals have 64 Megabytes of memory allocated to them when they start up. To increase this amount to accommodate a greater number of subscribers using the portal:

Step 1 Open the following file:

<SESM>/jetty/bin/start.sh

Step 2 Refer to the following line:

$JAVA $SERVER -Xms64m -Xmx64m \

Step 3 To increase the memory to, for example 256 Megabytes:

$JAVA $SERVER –Xms256m –Xmx256m \

This change does not take effect until the applications are restarted.

Raising the Maximum Number of Threads in the Web-ServerThe Jetty web server that the SESM applications use is multi-threaded. When the web portals are running, they will have between 5 and 255 threads available to handle HTTP requests from subscribers. To modify the total number of threads available to the web portals:

Step 1 Open the following file:

<SESM>/jetty/config/nwsp.jetty.xml

Step 2 Refer to the following section:

4-37Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03

Chapter 4 Frequently Asked QuestionsSESM Performance FAQ

<Configure jmxname="org.mortbay.jetty:name=Jetty,Server=0,SESMSocketListener=0"> <Set name="port" type="int"><SystemProperty name="application.portno" default="8080"/></Set> <Set name="minThreads" type="int">5</Set> <Set name="maxThreads" type="int">255</Set> <Set name="maxIdleTimeMs" type="int">60000</Set> </Configure>

To increase the minimum number of threads to 10, and the maximum number to 500, change as follows:

<Configure jmxname="org.mortbay.jetty:name=Jetty,Server=0,SESMSocketListener=0"> <Set name="port" type="int"><SystemProperty name="application.portno" default="8080"/></Set> <Set name="minThreads" type="int">10</Set> <Set name="maxThreads" type="int">500</Set> <Set name="maxIdleTimeMs" type="int">60000</Set> </Configure>

This change does not take effect until the applications are restarted.

4-38Cisco Subscriber Edge Services Manager Troubleshooting Guide

OL-3888-03