Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 ISG Session timers S.Akshaya Kumar ([email protected] ) Network Consulting Engineer WWSP WiFi


Page 1: ISG Session timers


ISG Session timers

S.Akshaya Kumar ([email protected])

Network Consulting Engineer WWSP WiFi

Page 2: ISG Session timers

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Simplified call flow, part 1 (participants: client, ISG, Portal, AAA, DHCP)

1  Client obtains an IP address independent of the ISG (DHCP)
2  IP packet arrives; ISG session creation; session-start event posted
3  PBHK service applied (*)
4a Access-Request, username = MAC address
4b Access-Reject
5  OpenGarden and L4R services applied (*)
6  Authentication timer started

(*) assumes that the definitions of PBHK, L4R and OpenGarden are already available on the ISG

Control policy for the session-start event:

policy-map type control IP_SESSION_RULE1
 class type control always event session-start
  10 service-policy type service name PBHK_SRV
  20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-addr
  30 service-policy type service name OG_SRV
  40 service-policy type service name L4R_SRV
  50 set-timer AUTHEN_TMR 10

Interface configuration that attaches the control policy and creates l2-connected IP sessions from unclassified MAC addresses:

interface GigabitEthernet 0/0.1
 encapsulation dot1Q 10
 ip address ...
 service-policy type control IP_SESSION_RULE1
 ip subscriber l2-connected
  initiator unclassified-mac

Page 3: ISG Session timers


Simplified call flow, part 2 (participants: client, ISG, Portal, AAA, DHCP, and the client's destination http://www.cisco.com)

7   L4 Redirect to Portal
8   HTTP Redirect
9   User self-registers
10  CoA Request: Account Logon (username, password); Account-Logon event posted; CoA Ack: Account Logon (10a-10c)
11  Access-Request (username, password); Access-Accept, service: BASIC_HSI_SRV (11b); Service-start event posted (11a-11c)
12  Access-Request BASIC_HSI_SRV, srvpwd (12a); Access-Accept with the BASIC_HSI_SRV definition (12b)
13  BASIC_HSI_SRV is applied
14  Accounting-Request (Start) and Response
15  L4R and OpenGarden services are unapplied
16  Client traffic to http://www.cisco.com is forwarded

Service authorization and the control classes for the account-logon and service-start events:

aaa author subscriber-service default SERVER_GRP1
subscriber service password servicecisco
!
 class type control always event account-logon
  10 authenticate aaa list IP_AUTHEN_LIST
  20 service-policy type service unapply name L4R_SRV
  30 service-policy type service unapply name OG_SRV
!
 class type control BASIC_HSI_SRV_CM event service-start
  10 service-policy type service identifier service-name

Service profile returned by AAA for BASIC_HSI_SRV:

 Service-Name: "BASIC_HSI_SRV"
 Service-Password: "servicecisco"
 Attr 28: idle-timeout = 600
 AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
 ServiceInfo: QU;256000;D;768000;

Page 4: ISG Session timers


1) Manage walk-by users: Unauth timer

Syntax: set-timer name-of-timer minutes

!
class-map type control match-all UNAUTH_TIMER_CM
 match timer UNAUTH_TIMER
 match authen-status unauthenticated
!
policy-map type control RULE
 class type control UNAUTH_TIMER_CM event timed-policy-expiry
  10 service disconnect
 class type control always event session-start
  70 set-timer UNAUTH_TIMER 10
!

Page 5: ISG Session timers


Session Termination

IP sessions are terminated by any of the following:

 - Keepalive failure (ICMP/ARP): ICMP keepalives are used for routed sessions, ARP keepalives for l2-connected sessions
 - Web Logoff from the Web Portal
 - RADIUS CoA Account-Logoff

Page 6: ISG Session timers


2) Idle timer

Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates.

This attribute value becomes the per-user "session-timeout."

The configuration can be implemented either at Broadhop (CPAR) or locally on the ISG with the CLI.

Broadhop CPAR:

 vsa cisco generic 1 string "subscriber:idle-timeout-direction=inbound"
 attribute 28 numeric 3600

CLI:

 class-map type traffic match-any SESS_CM
 !
 policy-map type service SESS_DFLT_SERV
  class type traffic SESS_CM
   timeout idle duration-in-seconds [both | inbound]
   accounting aaa list SESS_ACCNT_LIST
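To make the direction option concrete, here is an added example in plain Python (not ISG code and not from the slides) that models what "timeout idle <seconds> [both | inbound]" decides: the session is torn down once no qualifying packet has been seen for the configured number of consecutive seconds, where "both" lets any packet reset the timer and "inbound" only counts subscriber-originated packets. It assumes that "inbound" means packets entering the ISG from the subscriber; the packet list is constructed sample data, and the 600-second value is the Attr 28 idle-timeout from the BASIC_HSI_SRV profile on the earlier slide.

```python
"""Idle-timer evaluation with 'both' versus 'inbound' direction semantics.

Added example in plain Python, not ISG code. Assumption: 'inbound' means
packets entering the ISG from the subscriber (upstream traffic).
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since the session was created
    inbound: bool     # True: sent by the subscriber towards the network


def idle_expiry(packets: Iterable[Packet], idle_seconds: int, direction: str = "both") -> float:
    """Return the time (seconds since session start) at which the idle timer fires.

    Session creation at t=0 counts as the first activity. Packets that arrive
    after the timer has already fired are ignored, as they would be for a
    session that no longer exists.
    """
    if direction not in ("both", "inbound"):
        raise ValueError("direction must be 'both' or 'inbound'")
    if idle_seconds <= 0:
        raise ValueError("idle_seconds must be positive")
    last_activity = 0.0
    for p in sorted(packets, key=lambda x: x.t):
        if direction == "inbound" and not p.inbound:
            continue                      # downstream traffic does not reset the timer
        if p.t - last_activity > idle_seconds:
            break                         # timer already fired before this packet
        last_activity = p.t
    return last_activity + idle_seconds


# Constructed sample: the subscriber sends once, then only receives traffic
# for twenty minutes, then sends again.
SAMPLE: List[Packet] = [
    Packet(100, inbound=True),
    Packet(700, inbound=False),
    Packet(1300, inbound=False),
    Packet(1400, inbound=True),
]

if __name__ == "__main__":
    for d in ("both", "inbound"):
        print(f"timeout idle 600 {d}: session idles out at t={idle_expiry(SAMPLE, 600, d):g}s")
```

With "both", the two downstream-only packets keep the sample session alive and it does not idle out until t=2000; with "inbound" the same session is torn down at t=700. The "inbound" setting is therefore the stricter choice when the accounting record should reflect what the subscriber actually sent rather than traffic addressed to the subscriber's host.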

Page 7: ISG Session timers


3) Web Logoff timer

Upon an account-logoff event, disconnect after a 10 second delay. This should ensure that the client's TCP sessions close before the disconnection.

policy-map type control RULE
 class type control always event account-logoff
  10 service disconnect delay 10
!
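The unauth timer (page 4) and the web logoff delay (page 7) both act through the same control-policy machinery: events arrive, a class is matched, and an action such as set-timer or service disconnect runs. The following added example, written in plain Python and not taken from the slides or from Cisco, replays those events against the class-map and action lines shown on the two slides, so the resulting session lifetime can be compared for a walk-by user, a user whose logon fails, a user who logs on and later logs off, and a user who tries to log on after the timer has already fired. It assumes set-timer takes minutes (as the syntax line on page 4 says) and that the disconnect delay is in seconds; the verdict of "authenticate aaa list" is supplied by each constructed scenario rather than by a RADIUS server.

```python
"""Model of the ISG control-policy logic on the unauth-timer and web-logoff slides.

Added example in plain Python, not Cisco code. Assumptions: set-timer is in
minutes, disconnect delay is in seconds, and the AAA verdict for
"authenticate aaa list" is given by the scenario.
"""
import heapq
import itertools
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEC_PER_MIN = 60
_SEQ = itertools.count()   # tie-breaker so heap entries never compare payloads

Event = Tuple[float, str, object]   # (time in seconds, event name, argument)


@dataclass
class Session:
    authen_status: str = "unauthenticated"   # what "match authen-status" inspects
    disconnect_at: Optional[float] = None
    log: List[str] = field(default_factory=list)


class ControlPolicy:
    """The control classes from the two slides, with their numeric parameters."""

    def __init__(self, unauth_timer_minutes: int = 10, logoff_delay_seconds: int = 10):
        self.unauth_timer_minutes = unauth_timer_minutes
        self.logoff_delay_seconds = logoff_delay_seconds

    def handle(self, s: Session, now: float, event: str, arg, queue: list) -> None:
        if event == "session-start":
            # "70 set-timer UNAUTH_TIMER 10": schedule a timed-policy-expiry event
            expiry = now + self.unauth_timer_minutes * SEC_PER_MIN
            heapq.heappush(queue, (expiry, next(_SEQ), "timed-policy-expiry", "UNAUTH_TIMER"))
            s.log.append(f"{now:g}s set-timer UNAUTH_TIMER, expires at {expiry:g}s")
        elif event == "account-logon":
            # "10 authenticate aaa list IP_AUTHEN_LIST": arg is the AAA verdict
            s.authen_status = "authenticated" if arg else "unauthenticated"
            s.log.append(f"{now:g}s account-logon -> {s.authen_status}")
        elif event == "timed-policy-expiry":
            # class-map match-all UNAUTH_TIMER_CM: timer name AND authen-status must both match
            if arg == "UNAUTH_TIMER" and s.authen_status == "unauthenticated":
                s.disconnect_at = now                       # "10 service disconnect"
                s.log.append(f"{now:g}s UNAUTH_TIMER expired while unauthenticated -> disconnect")
            else:
                s.log.append(f"{now:g}s timer {arg} expired, class did not match, no action")
        elif event == "account-logoff":
            s.disconnect_at = now + self.logoff_delay_seconds  # "10 service disconnect delay 10"
            s.log.append(f"{now:g}s account-logoff -> disconnect at {s.disconnect_at:g}s")
        else:
            raise ValueError(f"unknown event {event!r}")


def simulate(policy: ControlPolicy, scenario: List[Event]) -> Tuple[Optional[float], List[str]]:
    """Run a scenario; return (disconnect time or None, human-readable log)."""
    s = Session()
    queue: list = [(t, next(_SEQ), ev, arg) for t, ev, arg in scenario]
    heapq.heapify(queue)
    while queue:
        now, _, event, arg = heapq.heappop(queue)
        if s.disconnect_at is not None and now >= s.disconnect_at:
            break   # the session is gone; later events have nothing to act on
        policy.handle(s, now, event, arg, queue)
    return s.disconnect_at, s.log


# Constructed scenarios (times in seconds since the first packet).
WALK_BY: List[Event] = [(0, "session-start", None)]
FAILED_LOGON: List[Event] = [(0, "session-start", None), (120, "account-logon", False)]
LOGGED_ON: List[Event] = [(0, "session-start", None), (120, "account-logon", True),
                          (3000, "account-logoff", None)]
LATE_LOGON: List[Event] = [(0, "session-start", None), (700, "account-logon", True)]

if __name__ == "__main__":
    for name, scenario in [("walk-by", WALK_BY), ("failed logon", FAILED_LOGON),
                           ("logged on", LOGGED_ON), ("logon after expiry", LATE_LOGON)]:
        when, log = simulate(ControlPolicy(), scenario)
        print(f"{name}: disconnect at {when}s")
        for line in log:
            print("   ", line)
```

The match-all class is what keeps a successful logon from being cut off: when UNAUTH_TIMER fires for an authenticated session only one of the two match lines holds, so the disconnect action is skipped, while a walk-by host or a failed logon still frees the session after the configured ten minutes. The delayed disconnect on account-logoff runs from the logoff time, independent of any timer.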

Page 8: ISG Session timers


4) Keepalive with idle timer

Configures the allowable idle period, the maximum number of attempts to connect, the interval between attempts, and the communication protocol to be used.

The ranges and defaults are as follows:

 - Idle period: range is 5 to 10 seconds; default is 10 seconds.
 - Attempts: range is 3 to 10; default is 5.
 - Interval: 1 to 10 seconds.
 - Protocol: for Layer 2 connections, the default is ARP; for routed connections, the default is ICMP.
 - Broadcast option: disabled by default.

The configuration can be implemented either at Broadhop (CPAR) or locally on the ISG with the CLI.

Broadhop CPAR:

 Cisco-Avpair = "subscriber:keepalive = [idle period1] [attempts Max-retries] [interval period2] [protocol {ICMP [broadcast] | ARP}]"

CLI:

 policy-map type service KEEPALIVE_SERVICE
  keepalive idle 300 attempts 3 protocol <ARP|ICMP>

Page 9: ISG Session timers

Thank you.