Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 ISG Session timers S.Akshaya Kumar


1 ISG Session timers

S. Akshaya Kumar (sakskuma@cisco.com), Network Consulting Engineer, WWSP WiFi

2 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Portal / AAA / DHCP

1 Client obtains IP address independent of the ISG
2 ISG session creation (IP packet; session-start event posted)
3 PBHK service applied (*)
4a Access-Request username = mac
4b Access-Reject
5 OpenGarden and L4R services applied (*)
6 Authentication Timer started

(*) assumes that the definitions of PBHK, L4R and OpenGarden are already available on the ISG

Configuration (slide callouts: 2, 3, 4a, 5, 6):

    interface GigabitEthernet 0/0.1
     encapsulation dot1Q 10
     ip address...
     service-policy type control IP_SESSION_RULE1
     ip subscriber l2-connected
      initiator unclassified-mac
    !
    policy-map type control IP_SESSION_RULE1
     class type control always event session-start
      10 service-policy type service name PBHK_SRV
      20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-addr
      30 service-policy type service name OG_SRV
      40 service-policy type service name L4R_SRV
      50 set-timer AUTHEN_TMR 10

3 Simplified call flow

Portal / AAA / DHCP

7 http://www.cisco.com: L4Redirect to Portal
8 HTTP Redirect. User self-registers
9 CoA Req. Account Logon username, password
10a CoA Ack. Account Logon
11a Access-Request username, password
11b Access-Accept service: BASIC_HSI_SRV
12a Access-Request BASIC_HSI_SRV, srvpwd
12b Access-Accept BASIC_HSI_SRV definition
13 BASIC_HSI_SRV is applied
14 Accounting-Request (Start) and Response
15 L4R and OpenGarden services are unapplied
16 http://www.cisco.com

Account-Logon event posted; Service-start event posted (slide callouts 10b, 10c, 11c)

Configuration:

    aaa author subscriber-service default SERVER_GRP1
    subscriber service password servicecisco
    !
    class type control always event account-logon
     10 authenticate aaa list IP_AUTHEN_LIST
     20 service-policy type service unapply name L4R_SRV
     30 service-policy type service unapply name OG_SRV
    !
    class type control BASIC_HSI_SRV_CM event service-start
     10 service-policy type service identifier service-name

Service profile returned by AAA:

    Service-Name: "BASIC_HSI_SRV"
    Service-Password: "servicecisco"
    Attr 28: idle-timeout = 600
    AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
    ServiceInfo: QU;256000;D;768000;

4 1) Manage Walk-by users - Unauth-timer

    set-timer name-of-timer minutes
    !
    class-map type control match-all UNAUTH_TIMER_CM
     match timer UNAUTH_TIMER
     match authen-status unauthenticated
    !
    policy-map type control RULE
     class type control UNAUTH_TIMER_CM event timed-policy-expiry
      10 service disconnect
     class type control always event session-start
      70 set-timer UNAUTH_TIMER 10
    !
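A timer started with set-timer only removes walk-by sessions if some control class matches that timer on the timed-policy-expiry event and disconnects. The following check is an added example, not part of the original slides or of any Cisco tool: it reads a control-policy configuration and reports, for each timer that is started, whether such a handler exists. The sample configuration is constructed from the slide's UNAUTH_TIMER pattern plus an AUTHEN_TMR line with no handler; the function name audit_timers is hypothetical.

```python
import re

# Constructed sample: the slide's UNAUTH_TIMER pattern, plus a second timer
# (AUTHEN_TMR) that is started at session-start but has no expiry handler.
SAMPLE_CONFIG = """\
class-map type control match-all UNAUTH_TIMER_CM
 match timer UNAUTH_TIMER
 match authen-status unauthenticated
!
policy-map type control RULE
 class type control UNAUTH_TIMER_CM event timed-policy-expiry
  10 service disconnect
 class type control always event session-start
  50 set-timer AUTHEN_TMR 10
  70 set-timer UNAUTH_TIMER 10
!
"""

def audit_timers(config):
    """Return {timer: True/False}: does a timed-policy-expiry class disconnect it?"""
    class_timers = {}           # control class-map name -> timers it matches
    disconnect_classes = set()  # classes that disconnect on timed-policy-expiry
    started = []                # timers started by set-timer actions
    cmap = cls = event = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map type control (?:match-\S+ )?(\S+)$", line):
            cmap = m.group(1)
            class_timers[cmap] = []
        elif (m := re.match(r"match timer (\S+)$", line)) and cmap:
            class_timers[cmap].append(m.group(1))
        elif m := re.match(r"class type control (\S+) event (\S+)$", line):
            cls, event = m.groups()
        elif m := re.match(r"\d+ set-timer (\S+) \d+$", line):
            started.append(m.group(1))
        elif re.match(r"\d+ service disconnect\b", line):
            if event == "timed-policy-expiry":
                disconnect_classes.add(cls)
        elif line == "!" or line.startswith("policy-map"):
            cmap = None         # left the class-map block
    # Resolve after the loop so class-map order in the file does not matter.
    handled = {t for c in disconnect_classes for t in class_timers.get(c, [])}
    if "always" in disconnect_classes:  # 'always' matches every timer expiry
        handled = set(started)
    return {t: t in handled for t in started}

if __name__ == "__main__":
    for timer, ok in audit_timers(SAMPLE_CONFIG).items():
        print(f"{timer}: {'disconnect on expiry' if ok else 'NO expiry handler'}")
```

A False result means the timer runs out without any policy action, so an unauthenticated session keeps its state on the ISG until keepalive or idle handling removes it.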

5 Session Termination

IP Sessions:
- ICMP/ARP keepalive failure: ICMP keepalives used for routed sessions; ARP keepalives used for l2-connected sessions
- Web Portal: Web Logoff
- RADIUS CoA: Account-Logoff

6 2) Idle timer

Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout."

Configuration can be implemented either at Broadhop or locally on the ISG with the CLI.

Broadhop CPAR:

    vsa cisco generic 1 string "subscriber:idle-timeout-direction=inbound"
    attribute 28 numeric 3600

CLI:

    class-map type traffic match-any SESS_CM
    policy-map type service SESS_DFLT_SERV
     class type traffic SESS_CM
      timeout idle duration-in-seconds [both | inbound]
      accounting aaa list SESS_ACCNT_LIST

7 3) Web Logoff timer

Upon an account-logoff event, disconnect after a 10 second delay. This should ensure that the client TCP sessions close before disconnection.

    policy-map type control RULE
     class type control always event account-logoff
      10 service disconnect delay 10
    !

8 4) KeepAlive with idle timer

Configures the allowable idle period, maximum number of attempts to connect, the interval between attempts, and the communication protocol to be used.

The ranges and defaults are as follows:
– Idle period: range is 5 to 10 seconds; default is 10 seconds.
– Attempts: range is 3 to 10; default is 5.
– Interval: default is 1 to 10 seconds.
– Protocol: for Layer 2 connections, the default is ARP; for routed connections, the default is ICMP.
– Broadcast option: by default this option is disabled.

Configuration can be implemented either at Broadhop or locally on the ISG with the CLI.

Broadhop CPAR:

    Cisco-Avpair = "subscriber:keepalive = [idle period1] [attempts Max-retries] [interval period2] [protocol {ICMP [broadcast] | ARP}]"

CLI:

    policy-map type service KEEPALIVE_SERVICE
     keepalive idle 300 attempts 3 protocol

9 Thank you.

