Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1
ISG Session timers
S.Akshaya Kumar ([email protected])
Network Consulting Engineer WWSP WiFi
Simplified call flow (1/2), participants: Client, ISG, DHCP, AAA, Portal
1  Client obtains an IP address independently of the ISG (DHCP)
2  IP packet arrives at the ISG: session-start event posted, ISG session creation
3  PBHK service applied (*)
4a Access-Request, username = mac (ISG to AAA)
4b Access-Reject (AAA to ISG)
5  OpenGarden and L4R services applied (*)
6  Authentication timer started
(*) assumes that the definitions of PBHK, L4R and OpenGarden are already available on the ISG

interface GigabitEthernet 0/0.1
 encapsulation dot1Q 10
 ip address ...
 service-policy type control IP_SESSION_RULE1
 ip subscriber l2-connected
  initiator unclassified-mac
!
policy-map type control IP_SESSION_RULE1
 class type control always event session-start
  10 service-policy type service name PBHK_SRV
  20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-addr
  30 service-policy type service name OG_SRV
  40 service-policy type service name L4R_SRV
  50 set-timer AUTHEN_TMR 10
Simplified call flow (2/2), participants: Client, ISG, DHCP, AAA, Portal
7   L4 Redirect to Portal (client HTTP request to http://www.cisco.com is intercepted)
8   HTTP Redirect
9   User self-registers on the portal
10a CoA Request, Account-Logon with username and password (Portal to ISG)
10b Account-Logon event posted
10c CoA Ack, Account-Logon (ISG to Portal)
11a Access-Request, username and password (ISG to AAA)
11b Access-Accept, service: BASIC_HSI_SRV
11c Service-start event posted
12a Access-Request, BASIC_HSI_SRV with service password (srvpwd)
12b Access-Accept, BASIC_HSI_SRV definition
13  BASIC_HSI_SRV is applied
14  Accounting-Request (Start) and Response
15  L4R and OpenGarden services are unapplied
16  Client reaches http://www.cisco.com

aaa author subscriber-service default SERVER_GRP1
subscriber service password servicecisco
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST
 20 service-policy type service unapply name L4R_SRV
 30 service-policy type service unapply name OG_SRV
!
class type control BASIC_HSI_SRV_CM event service-start
 10 service-policy type service identifier service-name

Service profile returned by AAA (step 12b):
Service-Name: "BASIC_HSI_SRV"
Service-Password: "servicecisco"
Attr 28: idle-timeout = 600
AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
ServiceInfo: QU;256000;D;768000;
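A small checker for the service profile above, added here as an example and not part of the original deck: it parses the slide's attribute notation and flags a profile whose service password or accounting list does not match what the ISG is configured with. The reading of ServiceInfo (QU = upstream rate, D = downstream rate, in bps) and the helper names are assumptions.

```python
# Constructed sample: the BASIC_HSI_SRV profile in the slide's notation
# (one attribute per line), not a live RADIUS packet.
SAMPLE_PROFILE = """\
Service-Name: "BASIC_HSI_SRV"
Service-Password: "servicecisco"
Attr 28: idle-timeout = 600
AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
ServiceInfo: QU;256000;D;768000;
"""

# Assumed reading of the ServiceInfo string: QU = QoS upstream rate (bps),
# D = downstream rate (bps), fields separated by ';'.
_SERVICE_INFO_KEYS = {"QU": "upstream_bps", "D": "downstream_bps"}


def parse_service_profile(text):
    """Turn the slide-style attribute list into a dict."""
    profile = {"avpairs": {}}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "Service-Name":
            profile["service_name"] = value
        elif key == "Service-Password":
            profile["service_password"] = value
        elif key.startswith("Attr 28"):          # Idle-Timeout, in seconds
            profile["idle_timeout"] = int(value.split("=")[1])
        elif key == "AVPair":                     # "subscriber:<name>=<value>"
            name, _, av = value.partition("=")
            profile["avpairs"][name.strip()] = av.strip()
        elif key == "ServiceInfo":
            fields = [f for f in value.split(";") if f]
            profile["service_info"] = {
                _SERVICE_INFO_KEYS[fields[i]]: int(fields[i + 1])
                for i in range(0, len(fields), 2)}
    return profile


def check_service_profile(profile, expected_password, expected_acct_list):
    """Checks to run on a downloaded profile before trusting it on the ISG.
    Returns a list of findings; an empty list means the profile is as expected."""
    findings = []
    if profile.get("service_password") != expected_password:
        findings.append("service password differs from 'subscriber service password' on the ISG")
    if profile["avpairs"].get("subscriber:accounting-list") != expected_acct_list:
        findings.append("accounting-list missing or unexpected; session would not be accounted as intended")
    if profile.get("idle_timeout", 0) <= 0:
        findings.append("no idle-timeout; idle sessions would never be torn down")
    return findings
```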
1) Manage walk-by users - unauthenticated timer
Syntax: set-timer name-of-timer minutes
!
class-map type control match-all UNAUTH_TIMER_CM
 match timer UNAUTH_TIMER
 match authen-status unauthenticated
!
policy-map type control RULE
 class type control UNAUTH_TIMER_CM event timed-policy-expiry
  10 service disconnect
 class type control always event session-start
  70 set-timer UNAUTH_TIMER 10
!
Session Termination (IP sessions)
– Keepalive failure: ICMP keepalives are used for routed sessions, ARP keepalives for l2-connected sessions.
– Web logoff: the web portal sends a RADIUS CoA Account-Logoff to the ISG.
2) Idle timer
Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates.
This attribute value becomes the per-user "session-timeout".
Configuration to implement either at Broadhop (or) with CLI local in the ISG

Broadhop / CPAR:
vsa cisco generic 1 string "subscriber:idle-timeout-direction=inbound" attribute 28 numeric 3600

CLI:
class-map type traffic match-any SESS_CM
!
policy-map type service SESS_DFLT_SERV
 class type traffic SESS_CM
  timeout idle duration-in-seconds [both | inbound]
  accounting aaa list SESS_ACCNT_LIST
3) Web Logoff timer
Upon an account-logoff event, disconnect after a 10 second delay. This should ensure that the client TCP sessions close before disconnection.
policy-map type control RULE
 class type control always event account-logoff
  10 service disconnect delay 10
!
4) Keepalive with idle timer
Configures the allowable idle period, the maximum number of attempts to connect, the interval between attempts, and the communication protocol to be used.
The ranges and defaults are as follows:
– Idle period: range is 5 to 10 seconds; default is 10 seconds.
– Attempts: range is 3 to 10; default is 5.
– Interval: range is 1 to 10 seconds.
– Protocol: for Layer 2 connections, the default is ARP; for routed connections, the default is ICMP.
– Broadcast option: by default this option is disabled.
Configuration to implement either at Broadhop (or) with CLI local in the ISG

Broadhop / CPAR:
Cisco-Avpair = "subscriber:keepalive = [idle period1] [attempts Max-retries] [interval period2] [protocol {ICMP [broadcast] | ARP}]"

CLI:
policy-map type service KEEPALIVE_SERVICE
 keepalive idle 300 attempts 3 protocol {ARP | ICMP}
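A validator for the keepalive AV pair, added here as an example and not part of the original deck: it parses the "subscriber:keepalive = ..." syntax, fills in the defaults the slide lists (ARP for l2-connected sessions, ICMP for routed ones) and reports any value outside the documented ranges before the profile is pushed from AAA. The ranges are taken from the list above; the function names are assumptions.

```python
import re

# Documented ranges from the slide: idle and interval in seconds, attempts as a count.
# No default is stated for 'interval', so none is filled in.
KEEPALIVE_RANGES = {"idle": (5, 10), "attempts": (3, 10), "interval": (1, 10)}
KEEPALIVE_DEFAULTS = {"idle": 10, "attempts": 5}


def parse_keepalive_avpair(avpair):
    """Parse 'subscriber:keepalive = [idle N] [attempts N] [interval N]
    [protocol {ICMP [broadcast] | ARP}]' into a dict of the options present."""
    m = re.fullmatch(r"\s*subscriber:keepalive\s*=\s*(.*)", avpair)
    if not m:
        raise ValueError("not a subscriber:keepalive AV pair")
    tokens = m.group(1).split()
    parsed, i = {}, 0
    while i < len(tokens):
        word = tokens[i].lower()
        if word in KEEPALIVE_RANGES:               # idle / attempts / interval <number>
            parsed[word] = int(tokens[i + 1])
            i += 2
        elif word == "protocol":                   # protocol ARP | ICMP [broadcast]
            parsed["protocol"] = tokens[i + 1].upper()
            i += 2
            if i < len(tokens) and tokens[i].lower() == "broadcast":
                parsed["broadcast"] = True
                i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return parsed


def effective_keepalive(parsed, l2_connected):
    """Apply the slide's defaults and return (settings, findings); findings lists
    every value outside the documented ranges or an invalid protocol/broadcast combination."""
    settings = {**KEEPALIVE_DEFAULTS, "broadcast": False, **parsed}
    settings.setdefault("protocol", "ARP" if l2_connected else "ICMP")
    findings = []
    for name, (lo, hi) in KEEPALIVE_RANGES.items():
        if name in settings and not lo <= settings[name] <= hi:
            findings.append(f"{name}={settings[name]} outside {lo}-{hi}")
    if settings["protocol"] not in ("ARP", "ICMP"):
        findings.append(f"unknown protocol {settings['protocol']}")
    if settings["broadcast"] and settings["protocol"] != "ICMP":
        findings.append("broadcast option only applies to ICMP keepalives")
    return settings, findings
```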
Thank you.